Nmap Development mailing list archives
Re: Nmap Erros on URI using NSE
From: Robin Wood <robin@digi.ninja>
Date: Thu, 14 Aug 2014 18:52:05 +0100
On 14 Aug 2014 18:42, "Shritam Bhowmick" <shritam.bhowmick () gmail com> wrote:

I used this:

nmap pentesteracademylab.appspot.com -p80 -n --script=http-form-brute --script-args 'http-form-brute.path="/lab/webapp/1", http-form-brute.method="get", http-form-brute.hostname="pentesteracademylab.appspot.com", http-form-brute.onfailure="Failed!", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv -d
which threw me this:

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-14 13:40 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: http-form-brute.path="/lab/webapp/1", http-form-brute.method="get", http-form-brute.hostname="pentesteracademylab.appspot.com", http-form-brute.onfailure="Failed!", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 13:40
Scanning pentesteracademylab.appspot.com (74.125.68.141) [4 ports]
Packet capture filter (device eth0): dst host 192.168.119.128 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.125.68.141)))
We got a TCP ping packet back from 74.125.68.141 port 80 (trynum = 0)
Completed Ping Scan at 13:40, 0.08s elapsed (1 total hosts)
Overall sending rates: 52.41 packets / s, 1991.72 bytes / s.
Initiating SYN Stealth Scan at 13:40
Scanning pentesteracademylab.appspot.com (74.125.68.141) [1 port]
Packet capture filter (device eth0): dst host 192.168.119.128 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 74.125.68.141)))
Discovered open port 80/tcp on 74.125.68.141
Completed SYN Stealth Scan at 13:40, 0.11s elapsed (1 total ports)
Overall sending rates: 8.86 packets / s, 389.84 bytes / s.
NSE: Script scanning 74.125.68.141.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting http-form-brute against pentesteracademylab.appspot.com (74.125.68.141:80).
Initiating NSE at 13:40
NSE: Starting http-form-brute against pentesteracademylab.appspot.com (74.125.68.141:80).
NSE: http-form-brute against pentesteracademylab.appspot.com (74.125.68.141:80) threw an error!
/usr/bin/../share/nmap/nselib/url.lua:366: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
        [C]: in function 'pairs'
        /usr/bin/../share/nmap/nselib/url.lua:366: in function 'build_query'
        /usr/bin/../share/nmap/scripts/http-form-brute.nse:164: in function 'sendLogin'
        /usr/bin/../share/nmap/scripts/http-form-brute.nse:111: in function 'login'
        /usr/bin/../share/nmap/nselib/brute.lua:539: in function 'doAuthenticate'
        /usr/bin/../share/nmap/nselib/brute.lua:575: in function </usr/bin/../share/nmap/nselib/brute.lua:566>

I'll butt out again now as I can't debug that, but without mentioning that error in your original mail you limited the help you would get. Always include all errors when reporting problems.

Robin

NSE: Finished http-form-brute against pentesteracademylab.appspot.com (74.125.68.141:80).
Completed NSE at 13:40, 0.40s elapsed
Nmap scan report for pentesteracademylab.appspot.com (74.125.68.141)
Host is up, received reset (0.00069s latency).
Scanned at 2014-08-14 13:40:28 EDT for 1s
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 0 guesses in 1 seconds, average tps: 0
Final times for host: srtt: 695 rttvar: 4175 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (84B)

I need the working script to make it possible to brute the GET based accounts. I am pretty sure it worked with crunch.
Regards
Shritam Bhowmick
Founder at OpenFire Technologies.
Penetration Tester at OpenFire Security.
Web Application Analysis and Research.
www.openfire-security.net
http://forum.openfire-security.net

The information contained herein (including any accompanying documents) is confidential and is intended solely for the addressee(s). It may contain proprietary, confidential, privileged information or other information subject to legal restrictions. If you are not the intended recipient of this message, please do not read, copy, use or disclose this message or its attachments. Please notify the sender immediately and delete all copies of this message and any attachments. This e-mail message including attachment(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure for absence of viruses. OpenFire Technologies shall not be held responsible nor does it accept any liability for any damage arising in any way from its use.

On Thu, Aug 14, 2014 at 11:04 PM, Robin Wood <robin@digi.ninja> wrote:

On 14 Aug 2014 18:30, "Shritam Bhowmick" <shritam.bhowmick () gmail com> wrote:
Okay, I made this run, and I get this:

NSE: Finished http-form-brute against pentesteracademylab.appspot.com (74.125.68.141:80).
Completed NSE at 13:28, 5.97s elapsed
Nmap scan report for pentesteracademylab.appspot.com (74.125.68.141)
Host is up, received reset (0.00048s latency).
Scanned at 2014-08-14 13:28:05 EDT for 6s
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 0 guesses in 1 seconds, average tps: 0

No attempts were made for some reason. What command line did you use?

Robin

Final times for host: srtt: 477 rttvar: 4096 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (84B)

But, I see there were no accounts found while:

username (the email GET field): admin () pentesteracademy com
password: zzzxy

are the login credentials which were supposed to be authenticated. I tried this on string "Failure" set on onfailure.

Regards
Shritam Bhowmick

On Thu, Aug 14, 2014 at 10:54 PM, Shritam Bhowmick <shritam.bhowmick () gmail com> wrote:

Hi nnposter,

That's great. Looking forward to the enhancements. On a side note, could I get the whole script, because I manually changed your patch code to the original nmap script! Is there any way I can update my nmap script db? I tried nmap --scrip-dbupdate on kali. It seems not to work. I need the code to make it work. I did common spell mistakes while changing the code as well.

Regards
Shritam Bhowmick

On Thu, Aug 14, 2014 at 10:48 PM, <nnposter () users sourceforge net> wrote:
Shritam Bhowmick wrote:

nmap pentesteracademylab.appspot.com -n --script=http-form-brute --script-args 'http-form-brute.path="/lab/webapp/1", http-form-brute.hostname="pentesteracademylab.appspot.com", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv

<snip>

But the script gave out no output still. I think there is an issue. I had tested using hydra, and this worked fine!?

If you run your CLI with -d you would see:

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-brute:
|_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
Final times for host: srtt: 0 rttvar: 3750 to: 100000

The reason is that the server is configured to reject POST requests while your CLI is missing "http-form-brute.method=get". (As noted in my previous e-mail, the script still uses POST by default.) There is room for improvement of the auto-detection but I have not tried to address that with my patch.

Cheers,
nnposter

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/