Nmap for HTTP

Nmap, short for Network Mapper, is a powerful open-source tool for network discovery and security auditing. While many are familiar with Nmap's basic scanning capabilities, such as port scanning or OS detection, its advanced features, particularly the Nmap Scripting Engine (NSE), can dramatically extend its functionality. In this article, we’ll explore how to use Nmap scripts to enumerate HTTP servers, focusing on the http-enum script.

Why HTTP Enumeration?

Web servers often expose a variety of services, directories, and configurations that might provide attackers or security professionals with valuable insights. Enumerating these services allows you to gather information on:

  • Misconfigured web services
  • Hidden directories
  • Exposed administrative panels
  • Default installations
  • Application versions

By performing HTTP enumeration, we can assess what services are exposed and potentially identify weak points in a web server's security posture.

What is the Nmap Scripting Engine (NSE)?

NSE allows users to write and share custom scripts that extend Nmap’s functionality. These scripts can automate various tasks such as:

  • Vulnerability detection
  • Malware detection
  • Backdoor discovery
  • Web server enumeration

The scripts are categorized based on their purpose, such as “safe” (non-intrusive scans) or “vuln” (scans that may exploit vulnerabilities). You can find them in Nmap’s default scripts/ directory.

For our HTTP enumeration, we’ll be using the http-enum script, which probes HTTP services for common web applications, files, and directories.

Using http-enum for HTTP Server Enumeration

The http-enum script is designed to brute-force known directories, files, and applications on a target web server. It can reveal the existence of pages such as /admin, /login, /backup, or even known content management systems (CMS) like WordPress, Joomla, or Drupal.

Basic Syntax

To run the http-enum script, use the following command:

nmap -p 80 --script http-enum <target>

Breaking it down:

  • -p 80 specifies the port (in this case, HTTP default port 80).
  • --script http-enum tells Nmap to run the http-enum NSE script.
  • <target> is the IP or domain of the target server.

Example Usage

Let’s say we want to enumerate an HTTP server running at 192.168.1.10. The command would look like this:

nmap -p 80 --script http-enum 192.168.1.10

Output Example

The results might look something like this:

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin/: Admin login page
|   /backup/: Backup directory
|   /login.php: Login page
|   /wordpress/: WordPress installation
|_  /phpmyadmin/: phpMyAdmin interface

Here, we can see that the http-enum script has identified several directories and applications that might be worth further investigation.

Advanced Enumeration Techniques

While http-enum is useful, Nmap’s NSE can go much further when combined with other HTTP-related scripts. Let’s look at a few additional options for performing deeper HTTP enumeration.

Combining http-title and http-enum

The http-title script can fetch the title of a webpage, providing more context on what might be behind certain directories or endpoints.

Example:

nmap -p 80 --script http-title,http-enum 192.168.1.10

Detecting Web Technologies: http-headers and http-tech

To detect technologies in use (e.g., frameworks, programming languages, or platforms), you can use the http-headers and http-tech scripts. These scripts analyze HTTP response headers for clues about the underlying technologies.

nmap -p 80 --script http-headers,http-tech 192.168.1.10

Checking for Known Vulnerabilities: http-vuln-cve2017-5638

If you’re looking to detect specific vulnerabilities, Nmap scripts can help with that too. For example, the http-vuln-cve2017-5638 script checks whether the target is affected by the Apache Struts vulnerability CVE-2017-5638:

nmap -p 80 --script http-vuln-cve2017-5638 192.168.1.10

Running Multiple HTTP Scripts Simultaneously

You can run multiple scripts in a single scan using a wildcard. For example, to run all HTTP-related scripts:

nmap -p 80 --script "http-*" 192.168.1.10

This will run all scripts whose names start with "http-" on the target. Note that the wildcard also matches scripts in the intrusive and dos categories, so when scanning systems you must not disrupt, narrow the selection with a category expression such as --script "http-* and safe".

Automating Enumeration with nmap and grep

For large-scale assessments, you can automate HTTP enumeration and extract key findings with tools like grep or awk. For example, you can save your Nmap results to a file:

nmap -p 80 --script http-enum 192.168.1.10 -oN output.txt

Then use grep to search for specific findings:

grep -E '^\|_? +/' output.txt

This command extracts only the finding lines printed under http-enum (those that begin with the script's | prefix followed by a path), rather than every line that happens to contain a slash, such as the 80/tcp port line.
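For a large-scale assessment a single grep is rarely enough, because the -oN file holds many hosts and the finding lines do not carry the host they belong to. The script below is an added example, not part of the original article or of Nmap itself; it walks a normal-output (-oN) file with awk, tracks the current "Nmap scan report for" host, and emits one tab-separated line per http-enum finding (host, path, description). The sample output embedded in SAMPLE_OUTPUT is constructed for the example and follows Nmap's normal-output layout; it is not a real scan.

```shell
#!/bin/sh
# Added example: turn http-enum findings from an Nmap -oN file into host/path/description rows.

# Constructed sample of Nmap normal output for two hosts (not a real scan).
SAMPLE_OUTPUT=$(cat <<'EOF'
Nmap scan report for 192.168.1.10
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin/: Admin login page
|   /backup/: Backup directory
|   /login.php: Login page
|_  /phpmyadmin/: phpMyAdmin interface

Nmap scan report for 192.168.1.11
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /robots.txt: Robots file
EOF
)

# Read Nmap normal output on stdin; print "host<TAB>path<TAB>description" per finding.
# Only lines inside an http-enum block that start with a path are kept, so the
# "80/tcp" port line and other scripts' output never leak into the result.
extract_http_enum() {
  awk '
    # Remember which host the following findings belong to. Nmap prints either
    # "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)",
    # so take the last token and drop any parentheses.
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }

    # Start of the http-enum block.
    /^[|] http-enum:/ { inside = 1; next }

    # A finding line: "|   /path: description" or "|_  /path: description".
    inside && /^[|]_? +\// {
      line = $0
      sub(/^[|]_? +/, "", line)            # strip the script prefix
      sep = index(line, ": ")              # split at the first ": " only
      if (sep > 0) {
        path = substr(line, 1, sep - 1)
        desc = substr(line, sep + 2)
      } else {
        path = line
        desc = ""
      }
      print host "\t" path "\t" desc
    }

    # "|_" marks the last line of the script block.
    inside && /^[|]_/ { inside = 0 }
  '
}

# Stand-alone usage: parse the constructed sample. For a real file use:
#   extract_http_enum < output.txt
printf '%s\n' "$SAMPLE_OUTPUT" | extract_http_enum
```

Because the output is tab-separated, it feeds directly into sort, cut, or a spreadsheet, and the host column makes it possible to group findings such as exposed /phpmyadmin/ or /backup/ paths per system when prioritising remediation.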

Conclusion

Nmap’s http-enum script and other HTTP-related NSE scripts are powerful tools for enumerating web servers and discovering hidden directories, web applications, and potential security issues. By leveraging the Nmap Scripting Engine (NSE), you can perform thorough reconnaissance and strengthen your web security assessments.

For more advanced scenarios, consider writing custom NSE scripts to target specific applications or environments. Nmap's flexibility allows you to push the limits of network discovery and web server enumeration, making it an essential tool for any security professional.

Happy scanning!


Additional Resources

Previous Post