Friday, September 6, 2013



Using Nmap and Metasploit to query for possible vulnerable verb methods in HTTP protocol:




NMAP:  The http-methods script in Nmap can be used to determine
the http verbs allowed on a web server. The Nmap syntax is "nmap --script
http-methods <URL/domain name/IP address> -n -p 80".

METASPLOIT:  The syntax for Metasploit is: "msfconsole> use auxiliary/scanner/http/options; set RHOSTS <IP address>; run" (the module option is RHOSTS, as the show options output below confirms). Metasploit's auxiliary/scanner/http/options can accomplish about the same thing as Nmap.

METASPLOIT AUXILIARY SCAN:  The following shows the Metasploit module "auxiliary/scanner/http/options" run against a website, revealing the http verbs the web server allows. The text shows that my website www.butleritsec.com
allows GET, POST, OPTIONS, and HEAD.

The Metasploit scan against scanme.nmap.org
(74.207.244.221) also shows that the website allows the use of the following http verbs:  GET, POST, OPTIONS, HEAD

Next we ran a scan against www.google.com and the scan
shows that the methods are not revealed. The administrator
has chosen not to reveal the http verb methods the website
uses.  So we may conclude that only GET and POST methods
are allowed.

NMAP SCAN: Next we run the Nmap script http-methods against the same
websites and get the same results as Metasploit.
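Both scanners work the same way underneath: they send an OPTIONS request and read the Allow (or Public) header in the reply. As an added example (this is not the blog's own code and not part of Nmap or Metasploit), the Python below builds that OPTIONS request, parses a raw response into the advertised method list, and flags methods such as PUT, DELETE and TRACE that a web administrator should review. The three sample responses are constructed, modelled on the results shown on this page (an Allow header listing GET,HEAD,POST,OPTIONS, a 405 with no Allow header, and a server that also advertises WebDAV-style methods); the RISKY_METHODS set and the function names are this example's own choices.

```python
import re

# Constructed raw responses to an OPTIONS request (not captured from the
# sites named on the page, just modelled on the results shown there).
ALLOW_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Apache\r\n"
                  b"Allow: GET,HEAD,POST,OPTIONS\r\n"
                  b"Content-Length: 0\r\n\r\n")
NO_ALLOW_RESPONSE = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                     b"Content-Type: text/html\r\n"
                     b"Content-Length: 0\r\n\r\n")
WEBDAV_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE\r\n"
                   b"Content-Length: 0\r\n\r\n")

# Methods worth a second look when a server advertises them (assumed list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT",
                 "PROPFIND", "MKCOL", "COPY", "MOVE"}


def build_options_request(host, path="/"):
    """Return the raw OPTIONS request both scanners send (HTTP/1.1 needs Host)."""
    return (f"OPTIONS {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_allowed_methods(raw_response):
    """Parse a raw HTTP response to OPTIONS.

    Returns (status_code, methods). methods is the de-duplicated list from the
    Allow header (or Public as a fallback), or None when neither header is
    present, which is the case Nmap reports as
    "No Allow or Public header in OPTIONS response".
    """
    text = raw_response.decode("iso-8859-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response status line")
    status = int(m.group(1))

    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    for name in ("allow", "public"):
        if name in headers:
            methods = []
            for value in headers[name]:
                for token in value.split(","):
                    token = token.strip().upper()
                    if token and token not in methods:
                        methods.append(token)
            return status, methods
    return status, None


def assess(raw_response):
    """Summarise one response: status, advertised methods, risky subset."""
    status, methods = parse_allowed_methods(raw_response)
    if methods is None:
        return {"status": status, "methods": None, "risky": []}
    risky = sorted(m for m in methods if m in RISKY_METHODS)
    return {"status": status, "methods": methods, "risky": risky}


if __name__ == "__main__":
    print(build_options_request("scanme.nmap.org").decode())
    for sample in (ALLOW_RESPONSE, NO_ALLOW_RESPONSE, WEBDAV_RESPONSE):
        print(assess(sample))
```

A 405 with no Allow header, as in the google.com result, only tells you the server does not advertise its methods; whether anything beyond GET and POST is actually accepted is a question for the server configuration, not for this header.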
*********************************************
snip....snip..........snip.........snip........

START OF METASPLOIT SCANS:

root@kali:~# msfconsole

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > show options

Module options (auxiliary/scanner/http/options):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host


msf auxiliary(options) > set rhosts 72.167.131.10

rhosts => 72.167.131.10 (butleritsec.com)
msf auxiliary(options) > run
[*] 72.167.131.10 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
*************************************************
snip....snip...........snip.........snip......

msf auxiliary(options) > set rhosts 74.207.244.221
rhosts => 74.207.244.221 (scanme.nmap.org)
msf auxiliary(options) > run

[*] 74.207.244.221 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(options) >
********************************
snip.......snip..........snip...

root@kali:~# nmap --script http-methods google.com -n -p 80

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-06 11:07 CDT
Nmap scan report for google.com (74.125.227.136)
Host is up (0.0034s latency).
Other addresses for google.com (not scanned): 74.125.227.130 74.125.227.142 74.125.227.134 74.125.227.129 74.125.227.133 74.125.227.137 74.125.227.135 74.125.227.131 74.125.227.132 74.125.227.128
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
root@kali:~#
***************************
snip............snip..............snip.........

root@kali:~# nmap --script http-methods scanme.nmap.org -n -p 80

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-06 11:10 CDT
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.0085s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: GET HEAD POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
root@kali:~#
***************
END OF SCANS:
