http-drupal-enum.nse
Enumerates the installed Drupal modules/themes by using a list of known modules and themes. If the response status code is 200, it means that the module/theme is installed. By default, the script checks for the top 100 modules/themes (by downloads), given the huge number of existing modules (~18k) and themes (~1.4k).
script: sudo nmap -p 80 --script http-drupal-enum <target>
http-drupal-enum-users.nse
Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal’s most popular module.
script: sudo nmap -p 80 --script http-drupal-enum-users <target>
http-wordpress-enum.nse
Enumerates themes and plugins of WordPress installations. The script can also detect outdated plugins by comparing the installed version numbers with information from api.wordpress.org. The script works with two separate databases for themes (wp-themes.lst) and plugins (wp-plugins.lst). The databases are sorted by popularity and the script will search only the top 100 entries by default. The theme database has around 32,000 entries while the plugin database has around 14,000 entries. The script determines the version number of a plugin by looking at the readme.txt file inside the plugin directory, and it uses the file style.css inside a theme directory to determine the theme version. If the script argument check-latest is set to true, the script will query api.wordpress.org to obtain the latest version number available. This check is disabled by default since it queries an external service.
script: sudo nmap -sV -p 80 --script http-wordpress-enum <target>
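The same two version sources the script reads (the "Stable tag:" header of a plugin's readme.txt and the "Version:" header of a theme's style.css) are what a site owner can check locally to inventory their own install. The following is an added example, not Nmap's http-wordpress-enum code: it parses both headers from constructed sample files, compares them against a constructed "latest known" table (which in practice would be filled from api.wordpress.org), and flags outdated components. The component slugs and version numbers are invented for the example.

```python
"""Inventory WordPress plugin and theme versions from their metadata files.

Added example (not Nmap's http-wordpress-enum). It reads the same two
sources the NSE script uses: "Stable tag:" in a plugin's readme.txt and
"Version:" in a theme's style.css header, then compares each against a
known-latest table. Sample files and LATEST_KNOWN are constructed; a real
run would populate LATEST_KNOWN from api.wordpress.org.
"""
import re
from typing import Dict, List, Optional

# Constructed sample plugin readme.txt (not a real plugin).
SAMPLE_PLUGIN_README = """\
=== Example Gallery ===
Contributors: example
Tags: gallery, images
Requires at least: 5.0
Tested up to: 6.4
Stable tag: 1.9.2
License: GPLv2 or later
"""

# Constructed sample theme style.css header (not a real theme).
SAMPLE_THEME_STYLE = """\
/*
Theme Name: Example Theme
Author: example
Version: 2.10
Text Domain: example-theme
*/
body { margin: 0; }
"""

# Constructed "latest version" table; in practice fetched from api.wordpress.org.
LATEST_KNOWN = {
    "plugin:example-gallery": "1.10.0",
    "theme:example-theme": "2.10",
}


def plugin_version(readme_text: str) -> Optional[str]:
    """Return the 'Stable tag' value from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)\s*$", readme_text, re.MULTILINE | re.IGNORECASE)
    if not m or m.group(1).lower() == "trunk":
        return None  # 'trunk' means no released version is declared
    return m.group(1)


def theme_version(style_css: str) -> Optional[str]:
    """Return the 'Version' value from a theme style.css header, or None."""
    m = re.search(r"^\s*Version:\s*(\S+)\s*$", style_css, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(v: str) -> tuple:
    """Turn '1.9.2' into (1, 9, 2, 0) so that 1.10 sorts after 1.9.

    A plain string compare would rank '1.9' above '1.10'; padding to four
    numeric fields also makes '1.2' and '1.2.0' compare equal.
    """
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_outdated(installed: str, latest: str) -> bool:
    return version_key(installed) < version_key(latest)


def inventory(components: Dict[str, str]) -> List[dict]:
    """components maps 'plugin:<slug>' / 'theme:<slug>' to the file text read from disk."""
    findings = []
    for key, text in components.items():
        kind, _slug = key.split(":", 1)
        installed = plugin_version(text) if kind == "plugin" else theme_version(text)
        latest = LATEST_KNOWN.get(key)
        findings.append({
            "component": key,
            "installed": installed,
            "latest": latest,
            "outdated": bool(installed and latest and is_outdated(installed, latest)),
        })
    return findings


if __name__ == "__main__":
    for f in inventory({"plugin:example-gallery": SAMPLE_PLUGIN_README,
                        "theme:example-theme": SAMPLE_THEME_STYLE}):
        status = "OUTDATED" if f["outdated"] else "ok"
        print(f"{f['component']}: installed={f['installed']} latest={f['latest']} {status}")
```

Run from the WordPress root, `components` would be built by reading `wp-content/plugins/<slug>/readme.txt` and `wp-content/themes/<slug>/style.css`; the numeric tuple comparison matters because plugin versions routinely roll from 1.9 to 1.10.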
http-wordpress-users.nse
Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
script: sudo nmap -p 80 --script http-wordpress-users <target>
http-userdir-enum.nse
Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.
The Apache mod_userdir module allows user-specific directories to be accessed using the http://example.com/~user/ syntax. This script makes HTTP requests in order to discover valid user-specific directories and infer valid usernames. By default, the script will use Nmap’s nselib/data/usernames.lst. An HTTP response status of 200 or 403 means the username is likely a valid one, and the username will be output in the script results along with the status code. This script makes an attempt to avoid false positives by first requesting a directory which is unlikely to exist; if the server responds with 200 or 403 to that request, the script will not continue testing it.
script: sudo nmap -sV --script=http-userdir-enum <target>
http-enum.nse
Enumerates directories used by popular web applications and servers.
script: sudo nmap -sV --script http-enum <target>
http-robots.txt.nse
Checks for disallowed entries in /robots.txt on a web server.
script: sudo nmap --script http-robots.txt <target>
http-backup-finder.nse
Spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (e.g. index.bak, index.html~, copy of index.html).
script: sudo nmap --script http-backup-finder <target>
http-config-backup.nse
Checks for backups and swap files of common content management system and web server configuration files.
script: sudo nmap --script http-config-backup <target>
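Seen from the server side, the probing that http-userdir-enum, http-backup-finder and http-config-backup perform leaves a recognisable trace in the access log: one client walking through many different /~user/ paths that mostly return 404, or requesting backup-style variants of known files (index.bak, index.html~, "copy of index.html", .save and .swp copies of configuration files). The following is an added example, not part of the original post or of Nmap, that runs such a detection over constructed Combined Log Format lines; the client addresses, paths and thresholds are made up for the example.

```python
"""Flag web-directory enumeration and backup-file probing in access logs.

Added example (not part of Nmap or the original post). Two patterns are
detected per client address: bursts of distinct /~user/ requests that are
mostly 404 (userdir enumeration), and requests for backup/swap variants of
files (index.bak, index.html~, "copy of index.html", wp-config.php.save,
.wp-config.php.swp). Log lines, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from typing import List, Optional
from urllib.parse import unquote

# Combined Log Format prefix: client ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

USERDIR_RE = re.compile(r"^/~([A-Za-z0-9._-]+)/?")

# Names a backup-finder style probe requests for an existing file (after URL decoding).
BACKUP_RE = re.compile(
    r"\.(bak|old|orig|save|tmp|swp|swo)$"  # index.bak, wp-config.php.save, .wp-config.php.swp
    r"|~$"                                  # index.html~ (editor backup)
    r"|/copy of [^/]+$",                    # "copy of index.html"
    re.IGNORECASE,
)

# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:13:55:01 +0000] "GET /~root/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:01 +0000] "GET /~admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:02 +0000] "GET /~www/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:02 +0000] "GET /~test/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:03 +0000] "GET /~guest/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:03 +0000] "GET /~ajkdhsfkjh/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:04 +0000] "GET /~alice/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:10 +0000] "GET /index.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:10 +0000] "GET /index.html~ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:11 +0000] "GET /copy%20of%20index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:12 +0000] "GET /wp-config.php.save HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:12 +0000] "GET /.wp-config.php.swp HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:13:57:00 +0000] "GET /~alice/photos/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:13:57:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"].split("?", 1)[0])  # decode, drop query string
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text: str, userdir_threshold: int = 5, backup_threshold: int = 3) -> List[dict]:
    """Return one finding per client that matches either probing pattern."""
    userdir = defaultdict(lambda: {"names": set(), "not_found": 0, "hits": set()})
    backup = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        um = USERDIR_RE.match(path)
        if um:
            entry = userdir[ip]
            entry["names"].add(um.group(1))
            if status == 404:
                entry["not_found"] += 1
            elif status in (200, 403):  # the statuses the NSE script treats as "likely valid"
                entry["hits"].add(um.group(1))
        if BACKUP_RE.search(path):
            backup[ip].append((path, status))

    findings = []
    for ip, e in userdir.items():
        # Many distinct ~user names from one client, at least half of them 404,
        # is enumeration rather than ordinary browsing of one user's pages.
        if len(e["names"]) >= userdir_threshold and e["not_found"] >= len(e["names"]) // 2:
            findings.append({"ip": ip, "type": "userdir-enum", "probed": len(e["names"]),
                             "likely_valid": sorted(e["hits"])})
    for ip, reqs in backup.items():
        if len(reqs) >= backup_threshold:
            findings.append({"ip": ip, "type": "backup-probe", "requests": len(reqs),
                             "served": [p for p, s in reqs if s == 200]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The "served" list is the part worth paging on: a backup probe that returned 200 means a copy of that file is actually being handed out by the server. Similarly, "likely_valid" lists the ~user directories that answered 200 or 403, which is exactly what the enumeration would have learned.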
http-auth-finder.nse
Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the detected method.
script: sudo nmap --script http-auth-finder <target>
http-default-accounts.nse
Tests for access with default credentials used by a variety of web applications and devices. It works similarly to http-enum: applications are detected by matching known paths, and a login routine using default credentials is launched when one is found. This script depends on a fingerprint file containing the target’s information: name, category, location paths, default credentials and login routine.
script: sudo nmap --script http-default-accounts <target>
http-waf-detect.nse, http-waf-fingerprint.nse
http-waf-detect attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
http-waf-fingerprint tries to detect the presence of a web application firewall and its type and version. This works by sending a number of requests and looking in the responses for known behaviour and fingerprints such as the Server header, cookies and header values. Intensive mode works by sending additional WAF-specific requests to detect certain behaviour.
script: sudo nmap -p 80,443 --script http-waf-detect,http-waf-fingerprint <target>
membase-http-info.nse
Retrieves information (hostname, OS, uptime, etc.) from the Couchbase Web Administration port. The information retrieved by this script does not require any credentials.
script: sudo nmap --script membase-http-info <target>
http-passwd.nse
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini. It uses several techniques: generic directory traversal, by requesting paths like ../../../../etc/passwd; known specific traversals of several web servers; and query string traversal, which sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for at the path controlled by the script argument http-passwd.root.
script: sudo nmap --script http-passwd <target>
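The server-side defect http-passwd looks for is a request path (or a file-name parameter in the query string) that, once decoded and normalised, climbs above the directory it is supposed to be confined to. The following is an added example, not Nmap's http-passwd code, of the containment check that prevents it: it decodes the value twice (so double-encoded "%252e%252e" is caught), treats backslashes as separators, and refuses any path whose ".." segments would leave the root. The document root and request paths are constructed for the example.

```python
"""Confine a requested file path to a document root.

Added example (not Nmap's http-passwd). The same function serves for URL
paths and for file-name parameters taken from the query string, which are
the two places http-passwd sends its traversal probes. Paths and the
document root below are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(doc_root: str, requested: str) -> Optional[str]:
    """Map `requested` onto `doc_root`, or return None if it would escape the root.

    - decodes twice so %2e%2e and %252e%252e both become '..'
    - treats '\\' like '/' because some servers do
    - drops the query string (a file-name *parameter* is checked by passing
      its value to this function separately)
    """
    p = unquote(unquote(requested.split("?", 1)[0])).replace("\\", "/")
    kept = []
    for seg in p.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not kept:
                return None  # would climb above the document root
            kept.pop()
            continue
        kept.append(seg)
    return posixpath.join(posixpath.normpath(doc_root), *kept)


if __name__ == "__main__":
    # Constructed probes, including the generic traversal from the description
    # and a query-string parameter that names a file.
    for value in ("/index.html",
                  "/../../../../etc/passwd",
                  "/images/%2e%2e/%2e%2e/etc/passwd",
                  "/..%5c..%5cboot.ini",
                  "..%252f..%252fetc%252fpasswd"):
        print(f"{value!r:45} -> {resolve_under_root('/var/www', value)}")
```

A request such as `/download?file=../../etc/passwd` is handled by calling `resolve_under_root(files_dir, "../../etc/passwd")` on the parameter value before opening anything; the URL path itself is harmless once the query string is stripped.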
http-frontpage-login.nse
Checks whether target machines are vulnerable to anonymous FrontPage login. Older, default configurations of FrontPage extensions allow a remote user to log in anonymously, which may lead to server compromise.
script: sudo nmap -p 80 --script http-frontpage-login <target>
http-dlink-backdoor.nse
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router. The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240. In addition, several Planex routers also appear to use the same firmware: BRL-04UR, BRL-04CW.
script: sudo nmap --script http-dlink-backdoor <target>
http-tplink-dir-traversal.nse
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.
script: sudo nmap --script http-tplink-dir-traversal <target>