
http-userdir-enum usage example gives no results

h00die opened this issue 5 years ago • 4 comments

While working on the Metasploit documentation for the equivalent module, we've been adding 'how to confirm' sections for other tools (usually nmap scripts). We attempted to use scripts/http-userdir-enum.nse based on the usage example from https://nmap.org/nsedoc/scripts/http-userdir-enum.html; however, it outputs nothing (no errors, no output from the script). I've confirmed the setup is vulnerable through the Metasploit module. See https://github.com/rapid7/metasploit-framework/pull/12706/files#r373152822

The example here is a fresh Apache install on Ubuntu 18.04 w/ the only change being userdir enabled.

Metasploit

Used as confirmation of the vulnerable server.

msf5 auxiliary(scanner/http/apache_userdir_enum) > exploit

[*] http://1.1.1.1/~ - Trying UserDir: ''
[*] http://1.1.1.1/ - Apache UserDir: '' not found
[*] http://1.1.1.1/~4Dgifts - Trying UserDir: '4Dgifts'
[*] http://1.1.1.1/ - Apache UserDir: '4Dgifts' not found
[*] http://1.1.1.1/~EZsetup - Trying UserDir: 'EZsetup'
[*] http://1.1.1.1/ - Apache UserDir: 'EZsetup' not found
[*] http://1.1.1.1/~OutOfBox - Trying UserDir: 'OutOfBox'
[*] http://1.1.1.1/ - Apache UserDir: 'OutOfBox' not found
[*] http://1.1.1.1/~ROOT - Trying UserDir: 'ROOT'
[*] http://1.1.1.1/ - Apache UserDir: 'ROOT' not found
[*] http://1.1.1.1/~adm - Trying UserDir: 'adm'
[*] http://1.1.1.1/ - Apache UserDir: 'adm' not found
[*] http://1.1.1.1/~admin - Trying UserDir: 'admin'
[*] http://1.1.1.1/ - Apache UserDir: 'admin' not found
[*] http://1.1.1.1/~administrator - Trying UserDir: 'administrator'
[*] http://1.1.1.1/ - Apache UserDir: 'administrator' not found
[*] http://1.1.1.1/~anon - Trying UserDir: 'anon'
[*] http://1.1.1.1/ - Apache UserDir: 'anon' not found
[*] http://1.1.1.1/~auditor - Trying UserDir: 'auditor'
[*] http://1.1.1.1/ - Apache UserDir: 'auditor' not found
[*] http://1.1.1.1/~avahi - Trying UserDir: 'avahi'
[*] http://1.1.1.1/ - Apache UserDir: 'avahi' not found
[*] http://1.1.1.1/~avahi-autoipd - Trying UserDir: 'avahi-autoipd'
[*] http://1.1.1.1/ - Apache UserDir: 'avahi-autoipd' not found
[*] http://1.1.1.1/~backup - Trying UserDir: 'backup'
[+] http://1.1.1.1/ - Apache UserDir: 'backup' found 
[*] http://1.1.1.1/~bbs - Trying UserDir: 'bbs'
[*] http://1.1.1.1/ - Apache UserDir: 'bbs' not found
[*] http://1.1.1.1/~bin - Trying UserDir: 'bin'
[+] http://1.1.1.1/ - Apache UserDir: 'bin' found 
...clip...
[+] http://1.1.1.1/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nmap

/metasploit-framework# nmap -sV --script=http-userdir-enum -p 80 1.1.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-30 13:31 EST
Nmap scan report for ubuntu1804 (1.1.1.1)
Host is up (0.00064s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:0F:8A:9E (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

h00die avatar Jan 30 '20 19:01 h00die
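The Metasploit output above shows what userdir enumeration looks like from the server's side: one client walking `/~name` paths and sorting existing accounts from unknown ones by the status code Apache returns. The following is an added example (not code from nmap, Metasploit, or this thread) that detects that pattern in Apache combined-format access logs. It assumes the server logs in the standard combined format and that, as the thread's results imply, an existing account answers 403 while an unknown one answers 404; the log lines are constructed for the example.

```python
"""Detect Apache mod_userdir (/~user) enumeration in access logs.

Added example for this thread; not part of nmap or Metasploit.
"""
import re
from collections import defaultdict

# Apache "combined" log format (assumed to be the server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A request path of the form /~<name>, /~<name>/..., or a bare /~
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]*)')

# Status codes that mod_userdir hands back for an account that exists
# (403 when the home dir is present but public_html is not readable/served,
# 200 when it is); an unknown account yields 404.
EXISTS_STATUSES = {200, 403}

# Constructed sample log: one client probing ~user names in the order the
# Metasploit module uses, and one ordinary client browsing the site.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2020:13:31:02 -0500] "GET /~ HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:02 -0500] "GET /~4Dgifts HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:02 -0500] "GET /~EZsetup HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:03 -0500] "GET /~OutOfBox HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:03 -0500] "GET /~ROOT HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:03 -0500] "GET /~adm HTTP/1.1" 404 274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:03 -0500] "GET /~backup HTTP/1.1" 403 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2020:13:31:04 -0500] "GET /~bin HTTP/1.1" 403 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [30/Jan/2020:13:32:10 -0500] "GET /index.html HTTP/1.1" 200 10918 "-" "curl/7.58.0"
198.51.100.7 - - [30/Jan/2020:13:32:11 -0500] "GET /~alice/ HTTP/1.1" 200 512 "-" "curl/7.58.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def userdir_probes(lines):
    """Group /~name requests by client IP as (name, status) pairs."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        u = USERDIR_RE.match(rec["path"])
        if u is None:
            continue
        per_ip[rec["ip"]].append((u.group("user"), rec["status"]))
    return per_ip


def detect_enumeration(lines, min_distinct=5):
    """Flag clients that requested at least min_distinct different /~name paths.

    For each flagged client, report the request count, the status-code split
    (a 404-heavy mix with a few 403s is the enumeration signature) and which
    probed names the server confirmed as existing accounts.
    """
    findings = {}
    for ip, probes in userdir_probes(lines).items():
        names = {user for user, _ in probes}
        if len(names) < min_distinct:
            continue
        by_status = defaultdict(int)
        for _, status in probes:
            by_status[status] += 1
        findings[ip] = {
            "distinct_users": len(names),
            "requests": len(probes),
            "by_status": dict(by_status),
            "confirmed_users": sorted({u for u, s in probes if s in EXISTS_STATUSES}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['requests']} ~user probes, {f['distinct_users']} distinct, "
              f"status split {f['by_status']}, confirmed: {', '.join(f['confirmed_users'])}")
```

Run against a real log with `detect_enumeration(open('/var/log/apache2/access.log'))`; the threshold exists because a single `/~alice/` visit is normal traffic, while a client cycling through dozens of account names is not.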

The script is working as expected. The key difference is that the Metasploit default user list, wordlists/unix_users.txt, has 113 entries, while the nmap equivalent, nselib/data/usernames.lst, has only 10.

Here is the output from Nmap when the Metasploit list is used instead:

Nmap scan report for 192.168.73.128
Host is up (0.0010s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-userdir-enum: Potential Users: avahi, avahi-autoipd, backup, bin, daemon, games, gdm, gnats, hplip, irc, kernoops, list, lp, mail, man, messagebus, news, nobody, proxy, pulse, saned, speech-dispatcher, sync, sys, syslog, uucp

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

When inspecting the actual default users in Ubuntu 18.04, the nmap list definitely deserves a refresh and the Metasploit one perhaps too.

nnposter avatar Jan 31 '20 02:01 nnposter

Ubuntu server 18.04 w/ lamp installed:

_apt
backup
bin
daemon
dnsmasq
games
gnats
irc
landscape
list
lp
lxd
mail
man
messagebus
mysql
news
nobody
pollinate
proxy
sshd
sync
sys
syslog
systemd-network
systemd-resolve
uucp
uuidd

Just tested w/ metasploit, will submit a PR to their side momentarily to update their list.

h00die avatar Feb 04 '20 01:02 h00die

This is turning out to require a little more thought:

Compared to file wordlists/unix_users.txt in Metasploit, file nselib/data/usernames.lst is used more broadly, including being the default username list for unpwdb, which is in turn used in various brute-forcing scripts.

For this reason it does not make a lot of sense to enrich this file with additional daemon usernames because they do not represent meaningful password cracking targets. To illustrate, I have collected usernames from recent versions of Ubuntu, RHEL, Oracle, Bitnami LAMP, Jetware LAMP, and Kali, which resulted in 89 entries. This would increase the original list roughly 9x, which in turn means that it would slow down password-cracking speed by the same factor for little benefit.

It seems that it might be more prudent to capture this list in a separate file, specifically to be used by the script http-userdir-enum.

@dmiller-nmap Thoughts?

nnposter avatar Feb 09 '20 03:02 nnposter
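The two comments above make a measurable point: a short admin-oriented list misses the platform's daemon accounts entirely, and folding those accounts into the shared brute-force list multiplies its size for every script that uses it. The following is an added example (not code from nmap or Metasploit) that quantifies both. The Ubuntu 18.04 LAMP account names are the ones listed earlier in this thread; the ten-entry admin-oriented list is a constructed stand-in for a short brute-force list such as nselib/data/usernames.lst, not the real file contents.

```python
"""Measure wordlist coverage of a platform's default accounts and the cost of merging.

Added example for this thread; not part of nmap or Metasploit.
"""

# Default accounts on Ubuntu Server 18.04 with LAMP, as listed in this thread.
UBUNTU_1804_LAMP_ACCOUNTS = [
    "_apt", "backup", "bin", "daemon", "dnsmasq", "games", "gnats", "irc",
    "landscape", "list", "lp", "lxd", "mail", "man", "messagebus", "mysql",
    "news", "nobody", "pollinate", "proxy", "sshd", "sync", "sys", "syslog",
    "systemd-network", "systemd-resolve", "uucp", "uuidd",
]

# Constructed stand-in for a short, admin-oriented brute-force list.
# NOT the contents of nselib/data/usernames.lst.
ADMIN_ORIENTED_LIST = [
    "root", "admin", "administrator", "webadmin", "sysadmin",
    "netadmin", "guest", "user", "web", "test",
]


def load_wordlist(text):
    """Parse wordlist text: one entry per line, '#' comments and blank lines
    ignored, first-seen order kept, duplicates dropped."""
    seen = set()
    entries = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#") or entry in seen:
            continue
        seen.add(entry)
        entries.append(entry)
    return entries


def coverage(accounts, wordlist):
    """Report which of the given accounts a wordlist would and would not try."""
    wl = set(wordlist)
    hits = [a for a in accounts if a in wl]
    misses = [a for a in accounts if a not in wl]
    ratio = len(hits) / len(accounts) if accounts else 0.0
    return {"hits": hits, "misses": misses, "ratio": ratio}


def merge_wordlists(*lists):
    """Union of several wordlists, preserving first-seen order."""
    seen = set()
    merged = []
    for lst in lists:
        for entry in lst:
            if entry not in seen:
                seen.add(entry)
                merged.append(entry)
    return merged


def growth_factor(base, merged):
    """How many times longer the merged list is than the base list, i.e. the
    factor by which every password-guessing run over it slows down."""
    return len(merged) / len(base)


if __name__ == "__main__":
    cov = coverage(UBUNTU_1804_LAMP_ACCOUNTS, ADMIN_ORIENTED_LIST)
    print(f"coverage of Ubuntu 18.04 LAMP accounts: {cov['ratio']:.0%}, "
          f"missed: {', '.join(cov['misses'])}")
    merged = merge_wordlists(ADMIN_ORIENTED_LIST, UBUNTU_1804_LAMP_ACCOUNTS)
    print(f"merged list: {len(merged)} entries, "
          f"{growth_factor(ADMIN_ORIENTED_LIST, merged):.1f}x the base list")
```

Swap in the real files with `load_wordlist(open(path).read())` to reproduce the thread's numbers; the growth factor is the argument for keeping the daemon-account list in a separate file for http-userdir-enum rather than in the list unpwdb hands to every brute-forcing script.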

It'd be good to see this broken off to use a separate file. No point leaving the script ineffective when all that needs changing is a file path. Good catch h00die & nnposter, hopefully a quick win.

Stefan-mcp avatar Mar 06 '20 00:03 Stefan-mcp