Nmap Development mailing list archives
Re: [NSE] apache-userdir-enum
From: Ron <ron () skullsecurity net>
Date: Sat, 22 Aug 2009 17:06:18 -0500
On 08/22/2009 04:59 PM, jah wrote:
Heh, I sometimes use purely random strings, but generally I don't hide the fact that it's Nmap. Originally, it was "Nmap404check", but I added a timestamp to the end to get a bit of randomness. Nothing Rewrite can't overcome, of course. Actually, I'm using Rewrite a great deal for testing, it's incredibly useful for simulating stupid 404 pages:Yes, good idea. I was looking at an apache log after using http-enum and saw that it did about 80 requests in under two seconds. http.lua pipelining has obviously improved speed enormously and so I think the userdir script should probably use HEAD requests once you've made the helper functions available. I think they should go in http.lua. Maybe the random string generation that apache-userdir-enum uses would be a good helper function too. I saw the "Nmap404Check1250849230" request and thought to myself, "hmm, think I'll add rewrite rule for requests like those".
http://test.skullsecurity.org/~ronObviously that's all fake data, but I wanted to make sure I could recognize/remove troublesome things that change between pageviews.
Maybe I'll switch to using your random string, though. It might be a good candidate for putting in stdnse (I've built random-string-generators a few times in the past).
I thought the same thing. In fact it's oversight on my part that I didn't do a name change when I removed the apache-only restriction from the userdir script. I think http-userdir-enum is a better fit. I'll do that now.
Thanks!
Regards, jah
Ron -- Ron Bowes http://www.skullsecurity.org/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE] apache-userdir-enum jah (Jul 12)
- Re: [NSE] apache-userdir-enum David Fifield (Jul 27)
- Re: [NSE] apache-userdir-enum jah (Jul 28)
- Re: [NSE] apache-userdir-enum David Fifield (Aug 08)
- Re: [NSE] apache-userdir-enum jah (Aug 10)
- Re: [NSE] apache-userdir-enum Fyodor (Aug 11)
- Re: [NSE] apache-userdir-enum jah (Aug 17)
- Re: [NSE] apache-userdir-enum jah (Jul 28)
- Re: [NSE] apache-userdir-enum David Fifield (Jul 27)
- Re: [NSE] apache-userdir-enum Ron (Aug 22)
- Re: [NSE] apache-userdir-enum jah (Aug 22)
- Re: [NSE] apache-userdir-enum Ron (Aug 22)
- Re: [NSE] apache-userdir-enum Ron (Aug 22)
- Re: [NSE] apache-userdir-enum Fyodor (Aug 23)
- Re: [NSE] apache-userdir-enum Ron (Aug 22)
- Re: [NSE] apache-userdir-enum Sven Klemm (Jul 28)