Nmap Development mailing list archives
Re: Nmap Erros on URI using NSE
From: Robin Wood <robin@digi.ninja>
Date: Thu, 14 Aug 2014 18:34:28 +0100
On 14 Aug 2014 18:30, "Shritam Bhowmick" <shritam.bhowmick () gmail com> wrote:
Okay, I made this run, and I get this: NSE: Finished http-form-brute against pentesteracademylab.appspot.com ( 74.125.68.141:80). Completed NSE at 13:28, 5.97s elapsed Nmap scan report for pentesteracademylab.appspot.com (74.125.68.141) Host is up, received reset (0.00048s latency). Scanned at 2014-08-14 13:28:05 EDT for 6s PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-form-brute: | Accounts | No valid accounts found | Statistics |_ Performed 0 guesses in 1 seconds, average tps: 0
No attempts were made for some reason. What command line did you use? Robin
Final times for host: srtt: 477 rttvar: 4096 to: 100000 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 1) scan. Read from /usr/bin/../share/nmap: nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds Raw packets sent: 5 (196B) | Rcvd: 2 (84B) But, I see there were no accounts found while: username: (the email GET field): admin () pentesteracademy com password: zzzxy are the login credentials which were supposed to be authenticated. I tried this on string "Failure" set on onfailure. Regards Shritam Bhowmick Founder at OpenFire Technologies. Penetration Tester at+OpenFire Security. Web Application Analysis and Research. www.openfire-security.net http://forum.openfire-security.net The information contained herein (including any accompanying documents) is confidential and is intended solely for the addressee(s). It may contain proprietary, confidential, privileged information or other information subject to legal restrictions. If you are not the intended recipient of this message, please do not read, copy, use or disclose this message or
its
attachments. Please notify the sender immediately and delete all copies of this message and any attachments. This e-mail message including attachment(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure for absence of viruses. OpenFire Technologies shall not be held responsible nor does it accept any liability for any damage arising in any way from its use. On Thu, Aug 14, 2014 at 10:54 PM, Shritam Bhowmick < shritam.bhowmick () gmail com> wrote:Hi nmposter, That's great. Looking forward to the enhancements. On a side note,
could I
get the whole script because I manually changed your patch code to the original nmap script! Is there any way, I can update my nmap scrip db, I tried nmap --scrip-dbupdate on kali. It seems not to work. I need the code to make it work. I did common spell mistakes while changing the code as well. Regards Shritam Bhowmick Founder at OpenFire Technologies. Penetration Tester at+OpenFire Security. Web Application Analysis and Research. www.openfire-security.net http://forum.openfire-security.net The information contained herein (including any accompanying documents)
is
confidential and is intended solely for the addressee(s). It may contain proprietary, confidential, privileged information or other information subject to legal restrictions. If you are not the intended recipient of this message, please do not read, copy, use or disclose this message or its attachments. Please notify the sender immediately and delete all copies
of
this message and any attachments. This e-mail message including attachment(s), if any, is believed to be free of any virus. However, it
is
the responsibility of the recipient to ensure for absence of viruses. OpenFire Technologies shall not be held responsible nor does it accept any liability for any damage arising in any way from its use. On Thu, Aug 14, 2014 at 10:48 PM, <nnposter () users sourceforge net>
wrote:
Shritam Bhowmick wrote:nmap pentesteracademylab.appspot.com -n --script=http-form-brute --script-args 'http-form-brute.path="/lab/webapp/1", http-form-brute.hostname="pentesteracademylab.appspot.com", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv<snip>But the script gave out no output still. I think there is an issue. Ihadtested using hydra, and this worked fine!?If you run your CLI with -d you would see: PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-form-brute: |_ ERROR: Failed to retrieve path (/lab/webapp/1) from server Final times for host: srtt: 0 rttvar: 3750 to: 100000 The reason is that the server is configured to reject POST requests while your CLI is missing "http-form-brute.method=get". (As noted in my previous e-mail, the script still uses POST by default.) There is room for improvement of the auto-detection but I have not tried to address that with my patch. Cheers, nnposter _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Nmap Erros on URI using NSE, (continued)
- Re: Nmap Erros on URI using NSE Daniel Miller (Aug 10)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 10)
- Re: Nmap Erros on URI using NSE Robin Wood (Aug 10)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 11)
- Re: Nmap Erros on URI using NSE nnposter (Aug 12)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 13)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 14)
- Re: Nmap Erros on URI using NSE nnposter (Aug 14)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 14)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 14)
- Re: Nmap Erros on URI using NSE Robin Wood (Aug 14)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 14)
- Re: Nmap Erros on URI using NSE Robin Wood (Aug 14)
- Re: Nmap Erros on URI using NSE nnposter (Aug 14)
- Re: Nmap Erros on URI using NSE Robin Wood (Aug 14)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 14)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 15)
- Re: Nmap Erros on URI using NSE nnposter (Aug 18)
- Re: Nmap Erros on URI using NSE Shritam Bhowmick (Aug 19)