Nmap: hack password via http
File http-passwd
Script types: portrule Categories: intrusive, vuln Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse User Summary
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
The script uses several technique:
Generic directory traversal by requesting paths like ../../../../etc/passwd. Known specific traversals of several web servers. Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument http-passwd.root.
Script Arguments
http-passwd.root
Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt. slaxml.debug See the documentation for the slaxml library. http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent See the documentation for the http library. smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library.
Example Usage
nmap --script http-passwd --script-args http-passwd.root=/test/ <target>
Script Output
80/tcp open http | http-passwd: Directory traversal found. | Payload: "index.html?../../../../../boot.ini" | Printing first 250 bytes: | [boot loader] | timeout=30 | default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS | [operating systems] |_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
80/tcp open http | http-passwd: Directory traversal found. | Payload: "../../../../../../../../../../etc/passwd" | Printing first 250 bytes: | root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh | sshd:*:65532:65534::/:/bin/false | ftp:*:65533:65534::/:/bin/false |_nobody:*:65534:65534::/:/bin/false
Requires
http shortport stdnse string
Authors:
Kris Katterjohn Ange Gutek
License: Same as Nmap--See https://nmap.org/book/man-legal.html