
http-apache-negotiation NSE Script

Published: 2011-12-08 20:50:12
Author: Hani Benhabiles
Source: nmap.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Checks if the target HTTP server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

The script works by sending requests for resources like index and home without specifying the extension. If mod_negotiation is enabled (default Apache configuration), the target replies with a Content-Location header containing the target resource (such as index.html) and a Vary header containing "negotiate", depending on the configuration.

For more information, see:

* http://www.wisec.it/sectou.php?id=4698ebdc59d15
* Metasploit auxiliary module /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb

Script Arguments

http-apache-negotiation.root

target web site root. Defaults to /.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/ <target>

Script Output

PORT   STATE SERVICE
80/tcp open  http
|_http-apache-negotiation: mod_negotiation enabled.

Requires


local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Checks if the target http server has mod_negotiation enabled.  This
feature can be leveraged to find hidden resources and spider a web
site using fewer requests.

The script works by sending requests for resources like index and home
without specifying the extension. If mod_negotiation is enabled (default
Apache configuration), the target would reply with content-location header
containing target resource (such as index.html) and vary header containing
"negotiate" depending on the configuration.

For more information, see:
* http://www.wisec.it/sectou.php?id=4698ebdc59d15
* Metasploit auxiliary module
    /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb
]]

---
-- @usage
-- nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/ <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-apache-negotiation: mod_negotiation enabled.
--
-- @args http-apache-negotiation.root target web site root.
--  Defaults to <code>/</code>.

author = "Hani Benhabiles"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"safe", "discovery"}


portrule = shortport.http

action = function(host, port)

  local root = stdnse.get_script_args("http-apache-negotiation.root") or "/"

  -- Common default file names. Could add a couple more.
  local files = {
    'robots',
    'index',
    'home',
    'blog'
  }

  for _, file in ipairs(files) do
    local header = http.get(host, port, root .. file).header

    -- Plain (non-pattern) search for "<file>." in the Content-Location header,
    -- so the "." is a literal dot; or "negotiate" in the Vary header.
    if header["content-location"] and string.find(header["content-location"], file .. ".", 1, true)
      or header["vary"] and string.find(header["vary"], "negotiate")  then
      return "mod_negotiation enabled."
    end
  end
end
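
The header check the script performs, as an added Python example for auditing saved responses from your own servers; it is not part of the Nmap script. The function names and the raw responses are constructed for illustration, and the Content-Location test is deliberately stricter than the script's substring search: it matches only a file name that begins with the requested name followed by a literal dot.

```python
# Added example: offline version of the script's header check.
# All raw responses below are constructed sample data, not captured traffic.

def parse_headers(raw):
    """Return (status, {lowercased-name: value}) from a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def negotiation_signals(requested, raw):
    """List the mod_negotiation indicators in a response to GET /<requested>."""
    _, headers = parse_headers(raw)
    signals = []
    # The server chose "<requested>.<ext>" for an extensionless request.
    basename = headers.get("content-location", "").rsplit("/", 1)[-1]
    if basename.startswith(requested + "."):
        signals.append("content-location")
    # Vary is a comma-separated list; compare tokens case-insensitively.
    tokens = [t.strip().lower() for t in headers.get("vary", "").split(",")]
    if "negotiate" in tokens:
        signals.append("vary")
    return signals

def audit(responses):
    """Map each probed name to its signals; a non-empty list means enabled."""
    return {name: negotiation_signals(name, raw) for name, raw in responses.items()}

NEGOTIATED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              "Content-Location: index.html\r\n"
              "Vary: negotiate,accept-language\r\n\r\n")
VARY_ONLY = "HTTP/1.1 200 OK\r\nVary: Negotiate, Accept\r\n\r\n"
# "index2.html" is a different resource, not a negotiated variant of "index".
LOOKALIKE = "HTTP/1.1 200 OK\r\nContent-Location: /index2.html\r\n\r\n"
NOT_FOUND = "HTTP/1.1 404 Not Found\r\nVary: Accept-Encoding\r\n\r\n"

if __name__ == "__main__":
    for name, signals in audit({"index": NEGOTIATED, "home": VARY_ONLY,
                                "blog": NOT_FOUND}).items():
        print(name, signals or "no negotiation indicators")
```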
