Re: Nmap Erros on URI using NSE

[Robin Wood <robin@digi.ninja>]

On 10 Aug 2014 16:44, "Shritam Bhowmick" <shritam.bhowmick () gmail com> wrote:
> Okay, so this worked, but it was supposed to give me these credentials:
>
> user: admin () pentesteracademy com
> password: zzzxy
>
> The query was:
>
> nmap pentesteracademylab.appspot.com -p 80 -n --script=http-form-brute
> --script-args 'http-form-brute.path="/lab/webapp/1",
> http-form-brute.hostname="pentesteracademylab.appspot.com",
> passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
> userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
> http-form-brute.passvar="password", http-form-brute.uservar="email",
> http-form-brute.onfailure="Failed!"' -vvv
>
>
> I 'did a http-form-brute.onfailure set to "Failed" because that's the
> string it is supposed to filter and log the unsuccessful attempts, any
> changes will be hence successful logins. This did not work either. But the
> errors from the previous ones were fixed. And as for the scenario, there
> are many tests where a form does not define any methods which is supposed
> to be inherited to the source. Which is by default I assume it's 'GET'.
> There are times in pentest I look at these vulnerable applications using
> form based GET but the problem is the right credentials, in such cases
it'd
> be good if we could test the authentication using a formulated attack.

I do a lot of web app tests and can't remember the last time I saw login
over GET. I'd say it is a rarity.

Robin

> Regards
> Shritam Bhowmick
> Founder at OpenFire Technologies.
> Penetration Tester at+OpenFire Security.
> Web Application Analysis and Research.
> www.openfire-security.net
> http://forum.openfire-security.net
>
> The information contained herein (including any accompanying documents) is
> confidential and is intended solely for the addressee(s). It may contain
> proprietary, confidential, privileged information or other information
> subject to legal restrictions. If you are not the intended recipient of
> this message, please do not read, copy, use or disclose this message or
its
> attachments. Please notify the sender immediately and delete all copies of
> this message and any attachments. This e-mail message including
> attachment(s), if any, is believed to be free of any virus. However, it is
> the responsibility of the recipient to ensure for absence of viruses.
> OpenFire Technologies shall not be held responsible nor does it accept
> any liability for any damage arising in any way from its use.
>
>
> On Sun, Aug 10, 2014 at 6:03 PM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
>
> > On Sat, Aug 9, 2014 at 11:04 PM, Shritam Bhowmick <
> > shritam.bhowmick () gmail com> wrote:
> >
> > > It's much easier when you look at the source and the default methods
are
> > > not declared. I take them as a GET since none such methods were
declared at
> > > the source.
> >
> > Shritam,
> >
> > The documentation for the script (
> > http://nmap.org/nsedoc/scripts/http-form-brute.html) states:
> >
> > "After attempting to authenticate using a HTTP POST request the script
> > analyzes the response"
> >
> > I suppose adding a script-arg "http-form-brute.verb" could be useful in
> > odd cases like this, but as I stated before, passing authentication
> > parameters in a GET request is unusual because of caching and logging
> > issues.
> >
> > Dan
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/