Many home routers, IP webcams, and web applications still rely on HTTP authentication these days, and we, as system administrators or penetration testers, need to make sure that the system or user accounts are not using weak credentials. Now, thanks to the NSE script http-brute, we can perform robust dictionary attacks against HTTP basic, digest, and NTLM authentication.
This article is an excerpt taken from the book Nmap: Network Exploration and Security Auditing Cookbook – Second Edition, written by Paulino Calderon. This book includes the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff, and Zenmap and much more.
In this article, we will learn how to perform brute force password auditing against web servers that are using HTTP authentication and also against popular and custom web applications with Nmap.
Brute forcing HTTP applications
How to do it…
Use the following Nmap command to perform brute force password auditing against a resource protected by HTTP’s basic authentication:
$ nmap -p80 --script http-brute
The results will return all the valid accounts that were found (if any):
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-brute: | Accounts | admin:secret => Valid credentials | Statistics |_ Perfomed 603 guesses in 7 seconds, average tps: 86
How it works…
The Nmap options -p80 --script http-brute tells Nmap to launch the http-brute script against the web server running on port 80. This script was originally committed by Patrik Karlsson, and it was created to launch dictionary attacks against URIs protected by HTTP authentication.
The http-brute script uses, by default, the database files usernames.lst and passwords.lst located at /nselib/data/ to try each password, for every user, to hopefully find a valid account.
The script http-brute depends on the NSE libraries unpwdb and brute. Read the Appendix B, Brute Force Password Auditing Options, for more information.
To use different username and password lists, set the arguments userdb and passdb:
$ nmap -p80 --script http-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt
To quit after finding one valid account, use the argument brute.firstOnly:
$ nmap -p80 --script http-brute --script-args brute.firstOnly
By default, http-brute uses Nmap’s timing template to set the following timeout limits:
- -T3,T2,T1: 10 minutes
- -T4: 5 minutes
- -T5: 3 minutes
For setting a different timeout limit, use the argument unpwd.timelimit. To run it indefinitely, set it to 0:
$ nmap -p80 --script http-brute --script-argsunpwdb.timelimit=0
$ nmap -p80 --script http-brute --script-args unpwdb.timelimit=60m
The brute library supports different modes that alter the combinations used in the attack. The available modes are:
- user: In this mode, for each user listed in userdb, every password in passdb will be tried:
$ nmap --script http-brute --script-args brute.mode=user
- pass: In this mode, for each password listed in passdb, every user in userdb will be tried:
$ nmap --script http-brute --script-args brute.mode=pass
- creds: This mode requires the additional argument brute.credfile:
$ nmap --script http-brute --script-args brute.mode=creds,brute.credfile=./creds.txt
Brute forcing web applications
Performing brute force password auditing against web applications is an essential step to evaluate the password strength of system accounts. There are powerful tools such as THC Hydra, but Nmap offers great flexibility as it is fully configurable and contains a database of popular web applications, such as WordPress, Joomla!, Django, Drupal, MediaWiki, and WebSphere.
How to do it…
Use the following Nmap command to perform brute force password auditing against web applications using forms:
$ nmap --script http-form-brute -p 80
If credentials are found, they will be shown in the results:
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-form-brute: | Accounts | user:secret - Valid credentials | Statistics |_ Perfomed 60023 guesses in 467 seconds, average tps: 138
How it works…
The Nmap options -p80 --script http-form-brute tells Nmap to launch the http-form-brute script against the web server running on port 80. This script was originally committed by Patrik Karlsson, and it was created to launch dictionary attacks against authentication systems based on web forms. The script automatically attempts to detect the form fields required to authenticate, and it uses internally a database of popular web applications to help during the form detection phase.
The script http-form-brute depends on the correct detection of the form fields. Often you will be required to manually set via script arguments the name of the fields holding the username and password variables. If the script argument http-form-brute.passvar is set, form detection will not be performed:
$ nmap -p80 --script http-form-brute --script-args http-form-brute.passvar=contrasenia,http-form-brute.uservar=usuario
In a similar way, often you will need to set the script arguments http-form-brute.onsuccess or http-form-brute.onfailure to set the success/error messages returned when attempting to authenticate:
$nmap -p80 --script http-form-brute --script-args http-form-brute.onsuccess=Exito
Brute forcing WordPress installations
If you are targeting a popular application, remember to check whether there are any NSE scripts specialized on attacking them. For example, WordPress installations can be audited with the script http-wordpress-brute:
$ nmap -p80 --script http-wordpress-brute
To set the number of threads, use the script argument http-wordpress-brute.threads:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5
If the server has virtual hosting, set the host field using the argument http-wordpress-brute.hostname:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.hostname="ahostname.wordpress.com"
To set a different login URI, use the argument http-wordpress-brute.uri:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uri="/hidden-wp-login.php"
To change the name of the POST variable that stores the usernames and passwords, set the arguments http-wordpress-brute.uservar and http-wordpress-brute.passvar:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uservar=usuario,http-wordpress-brute.passvar=pasguord
Brute forcing WordPress installations
Another good example of a specialized NSE brute force script is http-joomla-brute. This script is designed to perform brute force password auditing against Joomla! installations. By default, our generic brute force script for HTTP will fail against Joomla! CMS since the application generates dynamically a security token, but this NSE script will automatically fetch it and include it in the login requests. Use the following Nmap command to launch the script:
$ nmap -p80 --script http-joomla-brute
To set the number of threads, use the script argument http-joomla-brute.threads:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.threads=5
To change the name of the POST variable that stores the login information, set the arguments http-joomla-brute.uservar and http-joomla-brute.passvar:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord
To summarize, we learned how to brute force password auditing against web servers custom web applications with Nmap. If you’ve enjoyed reading this post, do check out our book, Nmap: Network Exploration and Security Auditing Cookbook – Second Edition to know more to learn about Lua programming and NSE script development which will allow you to further extend the power of Nmap.