Re: Nmap Erros on URI using NSE

[Robin Wood <robin@digi.ninja>]

On 14 Aug 2014 18:42, "Shritam Bhowmick" <shritam.bhowmick () gmail com> wrote:
> I used this:
>
> nmap pentesteracademylab.appspot.com -p80 -n --script=http-form-brute
--script-args 'http-form-brute.path="/lab/webapp/1",
http-form-brute.method="get", http-form-brute.hostname="
pentesteracademylab.appspot.com", http-form-brute.onfailure="Failed!",
passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv -d
> which threw me this:
>
> Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-14 13:40 EDT
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> NSE: Using Lua 5.2.
> NSE: Script Arguments seen from CLI:
http-form-brute.path="/lab/webapp/1", http-form-brute.method="get",
http-form-brute.hostname="pentesteracademylab.appspot.com",
http-form-brute.onfailure="Failed!",
passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
http-form-brute.passvar=password, http-form-brute.uservar=email
> NSE: Loaded 1 scripts for scanning.
> NSE: Script Pre-scanning.
>
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating Ping Scan at 13:40
> Scanning pentesteracademylab.appspot.com (74.125.68.141) [4 ports]
> Packet capture filter (device eth0): dst host 192.168.119.128 and (icmp
or icmp6 or ((tcp or udp or sctp) and (src host 74.125.68.141)))
> We got a TCP ping packet back from 74.125.68.141 port 80 (trynum = 0)
> Completed Ping Scan at 13:40, 0.08s elapsed (1 total hosts)
> Overall sending rates: 52.41 packets / s, 1991.72 bytes / s.
> Initiating SYN Stealth Scan at 13:40
> Scanning pentesteracademylab.appspot.com (74.125.68.141) [1 port]
> Packet capture filter (device eth0): dst host 192.168.119.128 and (icmp
or icmp6 or ((tcp or udp or sctp) and (src host 74.125.68.141)))
> Discovered open port 80/tcp on 74.125.68.141
> Completed SYN Stealth Scan at 13:40, 0.11s elapsed (1 total ports)
> Overall sending rates: 8.86 packets / s, 389.84 bytes / s.
> NSE: Script scanning 74.125.68.141.
>
> NSE: Starting runlevel 1 (of 1) scan.
> NSE: Starting http-form-brute against pentesteracademylab.appspot.com (
74.125.68.141:80).
> Initiating NSE at 13:40
> NSE: Starting http-form-brute against pentesteracademylab.appspot.com (
74.125.68.141:80).
> NSE: http-form-brute against pentesteracademylab.appspot.com (
74.125.68.141:80) threw an error!
> /usr/bin/../share/nmap/nselib/url.lua:366: bad argument #1 to 'pairs'
(table expected, got nil)
> stack traceback:
>     [C]: in function 'pairs'
>     /usr/bin/../share/nmap/nselib/url.lua:366: in function 'build_query'
>     /usr/bin/../share/nmap/scripts/http-form-brute.nse:164: in function
'sendLogin'
>     /usr/bin/../share/nmap/scripts/http-form-brute.nse:111: in function
'login'
>     /usr/bin/../share/nmap/nselib/brute.lua:539: in function
'doAuthenticate'
>     /usr/bin/../share/nmap/nselib/brute.lua:575: in function
</usr/bin/../share/nmap/nselib/brute.lua:566>

I'll butt out again now as I can't debug that but without mentioning that
error in your original mail you limited the help you would get. Always
include all errors when reporting problems.

Robin

> NSE: Finished http-form-brute against pentesteracademylab.appspot.com (
74.125.68.141:80).
> Completed NSE at 13:40, 0.40s elapsed
>
> Nmap scan report for pentesteracademylab.appspot.com (74.125.68.141)
> Host is up, received reset (0.00069s latency).
> Scanned at 2014-08-14 13:40:28 EDT for 1s
>
> PORT   STATE SERVICE REASON
> 80/tcp open  http    syn-ack
> | http-form-brute:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |_    Performed 0 guesses in 1 seconds, average tps: 0
> Final times for host: srtt: 695 rttvar: 4175  to: 100000
>
>
> NSE: Script Post-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
> Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
>
>            Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
>
>
>
> I need the working script to make it possible to brute the GET based
accounts. I am pretty sure it worked with crunch.
> Regards
> Shritam Bhowmick
> Founder at OpenFire Technologies.
> Penetration Tester at+OpenFire Security.
> Web Application Analysis and Research.
> www.openfire-security.net
> http://forum.openfire-security.net
>
> The information contained herein (including any accompanying documents)
is
> confidential and is intended solely for the addressee(s). It may contain
> proprietary, confidential, privileged information or other information
> subject to legal restrictions. If you are not the intended recipient of
> this message, please do not read, copy, use or disclose this message or
its
> attachments. Please notify the sender immediately and delete all copies
of
> this message and any attachments. This e-mail message including
> attachment(s), if any, is believed to be free of any virus. However, it
is
> the responsibility of the recipient to ensure for absence of viruses.
> OpenFire Technologies shall not be held responsible nor does it accept
> any liability for any damage arising in any way from its use.
>
>
> On Thu, Aug 14, 2014 at 11:04 PM, Robin Wood <robin@digi.ninja> wrote:
> > On 14 Aug 2014 18:30, "Shritam Bhowmick" <shritam.bhowmick () gmail com>
wrote:
> > > Okay, I made this run, and I get this:
> > >
> > > NSE: Finished http-form-brute against pentesteracademylab.appspot.com (
> > > 74.125.68.141:80).
> > > Completed NSE at 13:28, 5.97s elapsed
> > > Nmap scan report for pentesteracademylab.appspot.com (74.125.68.141)
> > > Host is up, received reset (0.00048s latency).
> > > Scanned at 2014-08-14 13:28:05 EDT for 6s
> > > PORT   STATE SERVICE REASON
> > > 80/tcp open  http    syn-ack
> > > | http-form-brute:
> > > |   Accounts
> > > |     No valid accounts found
> > > |   Statistics
> > > |_    Performed 0 guesses in 1 seconds, average tps: 0
> >
> > No attempts were made for some reason. What command line did you use?
> >
> > Robin
> >
> > > Final times for host: srtt: 477 rttvar: 4096  to: 100000
> > >
> > > NSE: Script Post-scanning.
> > > NSE: Starting runlevel 1 (of 1) scan.
> > > Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
> > > Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds
> > >            Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
> > >
> > >
> > > But, I see there were no accounts found while:
> > >
> > > username: (the email GET field): admin () pentesteracademy com
> > > password: zzzxy
> > >
> > > are the login credentials which were supposed to be authenticated. I
tried
> > > this on string "Failure" set on onfailure.
> > >
> > >
> > > Regards
> > > Shritam Bhowmick
> > > Founder at OpenFire Technologies.
> > > Penetration Tester at+OpenFire Security.
> > > Web Application Analysis and Research.
> > > www.openfire-security.net
> > > http://forum.openfire-security.net
> > >
> > > The information contained herein (including any accompanying
documents) is
> > > confidential and is intended solely for the addressee(s). It may
contain
> > > proprietary, confidential, privileged information or other information
> > > subject to legal restrictions. If you are not the intended recipient of
> > > this message, please do not read, copy, use or disclose this message
or its
> > > attachments. Please notify the sender immediately and delete all
copies of
> > > this message and any attachments. This e-mail message including
> > > attachment(s), if any, is believed to be free of any virus. However,
it is
> > > the responsibility of the recipient to ensure for absence of viruses.
> > > OpenFire Technologies shall not be held responsible nor does it accept
> > > any liability for any damage arising in any way from its use.
> > >
> > >
> > > On Thu, Aug 14, 2014 at 10:54 PM, Shritam Bhowmick <
> > > shritam.bhowmick () gmail com> wrote:
> > >
> > > > Hi nmposter,
> > > >
> > > > That's great. Looking forward to the enhancements. On a side note,
could I
> > > > get the whole script because I manually changed your patch code to
the
> > > > original nmap script! Is there any way, I can update my nmap scrip
db, I
> > > > tried nmap --scrip-dbupdate on kali. It seems not to work.
> > > >
> > > > I need the code to make it work. I did common spell mistakes while
> > > > changing the code as well.
> > > >
> > > > Regards
> > > > Shritam Bhowmick
> > > > Founder at OpenFire Technologies.
> > > > Penetration Tester at+OpenFire Security.
> > > > Web Application Analysis and Research.
> > > > www.openfire-security.net
> > > > http://forum.openfire-security.net
> > > >
> > > > The information contained herein (including any accompanying
documents) is
> > > > confidential and is intended solely for the addressee(s). It may
contain
> > > > proprietary, confidential, privileged information or other
information
> > > > subject to legal restrictions. If you are not the intended recipient
of
> > > > this message, please do not read, copy, use or disclose this message
or
> > > > its
> > > > attachments. Please notify the sender immediately and delete all
copies of
> > > > this message and any attachments. This e-mail message including
> > > > attachment(s), if any, is believed to be free of any virus. However,
it is
> > > > the responsibility of the recipient to ensure for absence of viruses.
> > > > OpenFire Technologies shall not be held responsible nor does it
accept
> > > > any liability for any damage arising in any way from its use.
> > > >
> > > >
> > > > On Thu, Aug 14, 2014 at 10:48 PM, <nnposter () users sourceforge net>
wrote:
> > > > > Shritam Bhowmick wrote:
> > > > > > nmap pentesteracademylab.appspot.com -n --script=http-form-brute
> > > > > > --script-args 'http-form-brute.path="/lab/webapp/1",
> > > > > > http-form-brute.hostname="pentesteracademylab.appspot.com",
> > > > > > passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
> > > > > > userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
> > > > > > http-form-brute.passvar=password, http-form-brute.uservar=email'
-vvv
> > > > > <snip>
> > > > > > But the script gave out no output still. I think there is an
issue. I
> > > > > had
> > > > > > tested using hydra, and this worked fine!?
> > > > >
> > > > > If you run your CLI with -d you would see:
> > > > >
> > > > > PORT   STATE SERVICE REASON
> > > > > 80/tcp open  http    syn-ack
> > > > > | http-form-brute:
> > > > > |_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
> > > > > Final times for host: srtt: 0 rttvar: 3750  to: 100000
> > > > >
> > > > > The reason is that the server is configured to reject POST requests
> > > > > while your CLI is missing "http-form-brute.method=get". (As noted in
> > > > > my previous e-mail, the script still uses POST by default.)
> > > > >
> > > > > There is room for improvement of the auto-detection but I have not
> > > > > tried to address that with my patch.
> > > > >
> > > > >
> > > > > Cheers,
> > > > > nnposter
> > > > > _______________________________________________
> > > > > Sent through the dev mailing list
> > > > > http://nmap.org/mailman/listinfo/dev
> > > > > Archived at http://seclists.org/nmap-dev/
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/