LabEx
Log InJoin For Free

Enumerate HTTP Services in Nmap

NmapNmapBeginner
Practice Now

Introduction

In this lab, the goal is to learn how to enumerate HTTP services using Nmap. You'll start by running an HTTP enum on a target IP address 192.168.1.1 with the http-enum script. Then, you'll scan port 80 on 127.0.0.1, add a user agent, and save the enum results. Finally, you'll review the HTTP findings and compare them with a banner scan in the Xfce terminal.

Remember, in real - world scenarios, you should only scan networks and systems with explicit permission.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/output_formats("Output Formats") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/os_version_detection("OS and Version Detection") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") nmap/NmapGroup -.-> nmap/scripting_basics("Scripting Engine Basics") nmap/NmapGroup -.-> nmap/script_management("Script Categories and Updating") subgraph Lab Skills nmap/output_formats -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/save_output -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/port_scanning -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/target_specification -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/os_version_detection -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/service_detection -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/scripting_basics -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} nmap/script_management -.-> lab-547098{{"Enumerate HTTP Services in Nmap"}} end

Run HTTP enum with nmap --script http-enum 192.168.1.1

In this step, we will use Nmap with the http-enum script to enumerate HTTP services on a target machine. This script helps identify potential vulnerabilities and misconfigurations by discovering common web server files and directories.

Before we begin, let's briefly discuss what Nmap and NSE scripts are. Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. NSE (Nmap Scripting Engine) allows users to write scripts to automate a wide variety of networking tasks. The http-enum script is one such NSE script designed to enumerate common HTTP resources.

For this lab, we will target the IP address 192.168.1.1. Please note that in a real-world scenario, you should only scan networks and systems that you have explicit permission to test.

Now, let's execute the Nmap command:

sudo nmap --script http-enum 192.168.1.1

This command tells Nmap to:

  • sudo: Execute the command with superuser privileges, which may be required for certain Nmap operations.
  • nmap: Invoke the Nmap tool.
  • --script http-enum: Specify that we want to use the http-enum script.
  • 192.168.1.1: The target IP address to scan.

After running the command, you will see output similar to the following (the exact output will depend on the target system):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_http-enum:
|  /icons/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|  /robots.txt: Robots file
|_ /server-status/: Server status page

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

The output shows that the http-enum script found a few interesting resources:

  • /icons/: A directory that might contain icons and potentially reveal information about the web server.
  • /robots.txt: A file that specifies which parts of the website should not be crawled by web robots.
  • /server-status/: A page that displays server status information.

These findings can be further investigated to identify potential vulnerabilities or misconfigurations.

Scan port 80 with nmap --script http-enum -p 80 127.0.0.1

In this step, we will focus our Nmap scan on a specific port, port 80, using the http-enum script. Specifying a port can help narrow down the scan and provide more targeted results. We'll be scanning 127.0.0.1, which is the loopback address, representing the local machine. This is useful for testing services running on your own system.

Let's break down the command we'll be using:

sudo nmap --script http-enum -p 80 127.0.0.1

Here's what each part of the command means:

  • sudo: Executes the command with superuser privileges. This might be necessary to get accurate results, especially on lower port numbers.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script to enumerate HTTP resources.
  • -p 80: This option tells Nmap to only scan port 80. Port 80 is the standard port for HTTP (Hypertext Transfer Protocol), the protocol used for most websites.
  • 127.0.0.1: The target IP address, in this case, the loopback address, which refers to the local machine.

Now, execute the command in your terminal:

sudo nmap --script http-enum -p 80 127.0.0.1

The output will look similar to this (the exact output depends on the services running on your local machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-enum:
|  /index.html: Possible interesting file
|_ /robots.txt: Robots file

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

In this example, the http-enum script found /index.html and /robots.txt. These are common files on web servers, and further investigation might reveal more information about the server's configuration and potential vulnerabilities. By specifying port 80, we focused the scan and received results specific to the HTTP service running on the local machine.

Add user agent with nmap --script http-enum --script-args http.useragent=Test 192.168.1.1

In this step, we will customize the User-Agent header used by the http-enum script. The User-Agent header is sent by the client (in this case, Nmap) to the server and identifies the client software. Modifying the User-Agent can be useful for several reasons, such as:

  • Bypassing basic security measures: Some servers might block requests from known scanning tools. Changing the User-Agent can help evade these blocks.
  • Testing server behavior: You can observe how the server responds to different User-Agent strings.
  • Stealth: Using a less common User-Agent can make your scans less conspicuous.

We will use the --script-args option to modify the http.useragent value.

Here's the command we'll be using:

sudo nmap --script http-enum --script-args http.useragent=Test 192.168.1.1

Let's break down this command:

  • sudo: Executes the command with superuser privileges.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script.
  • --script-args http.useragent=Test: This is the key part. It passes an argument to the http-enum script. Specifically, it sets the http.useragent variable to the value "Test". This means that when the script sends HTTP requests, it will use "Test" as the User-Agent header.
  • 192.168.1.1: The target IP address to scan.

Execute the command in your terminal:

sudo nmap --script http-enum --script-args http.useragent=Test 192.168.1.1

The output will be similar to the output from the first step, but the HTTP requests sent to the server will now include the User-Agent: Test header. You won't see the User-Agent directly in the Nmap output, but it will be used in the background during the scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_http-enum:
|  /icons/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|  /robots.txt: Robots file
|_ /server-status/: Server status page

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

This step demonstrates how to customize Nmap scripts using the --script-args option. This allows you to fine-tune the behavior of the scripts and adapt them to specific situations.

Save enum results with nmap --script http-enum -oN http_enum.txt 127.0.0.1

In this step, we will save the results of the http-enum script to a file. This is crucial for later analysis and reporting. Nmap provides several options for saving scan results in different formats. We will use the -oN option, which saves the results in a "normal" human-readable format.

Here's the command we'll be using:

sudo nmap --script http-enum -oN http_enum.txt 127.0.0.1

Let's break down this command:

  • sudo: Executes the command with superuser privileges.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script.
  • -oN http_enum.txt: This option tells Nmap to save the results in normal format to the file named http_enum.txt. The file will be created in your current directory (~/project).
  • 127.0.0.1: The target IP address to scan (the loopback address).

Execute the command in your terminal:

sudo nmap --script http-enum -oN http_enum.txt 127.0.0.1

The output in the terminal will be similar to the output from the previous steps, but in addition to displaying the results on the screen, Nmap will also save them to the http_enum.txt file.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-enum:
|  /index.html: Possible interesting file
|_ /robots.txt: Robots file

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

To verify that the file has been created and contains the scan results, you can use the cat command to display the contents of the file:

cat http_enum.txt

You should see the Nmap scan results in the output. This file can now be used for further analysis, reporting, or as input to other tools.

Review HTTP findings in Xfce terminal

In this step, we will review the HTTP findings from the http_enum.txt file we created in the previous step. We'll use the Xfce terminal and the cat command to display the contents of the file and analyze the results.

First, ensure you are in the ~/project directory. This is where the http_enum.txt file should be located.

To view the contents of the http_enum.txt file, use the following command:

cat http_enum.txt

This command will print the contents of the file to your terminal.

Example output (the actual output may vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-enum:
|  /index.html: Possible interesting file
|_ /robots.txt: Robots file

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

Now, let's analyze the output. The http-enum script attempts to identify potentially interesting files and directories on the web server. In this example, it found:

  • /index.html: This is a common default web page. It's worth investigating to see what content is being served.
  • /robots.txt: This file provides instructions to web robots (crawlers) about which parts of the website should not be indexed. It can sometimes reveal hidden or sensitive areas of the site.

By reviewing these findings, you can gain a better understanding of the web server's structure and identify potential areas for further investigation. For example, you might use a web browser to visit /index.html and /robots.txt to see what they contain.

This step demonstrates how to review the output of Nmap scripts and identify potentially interesting information. This is a crucial part of the reconnaissance process.

In this step, we will perform a banner scan using Nmap and compare its results with the findings from the http-enum script. Banner grabbing is a technique used to gather information about a service by examining the banner it presents when a connection is established. This can reveal the software version and other details.

First, let's perform a banner scan on port 80 of the target (127.0.0.1) using Nmap. We'll use the -sV option, which enables version detection:

sudo nmap -sV -p 80 127.0.0.1

This command will attempt to determine the service and version running on port 80.

Example output:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    SimpleHTTPServer 0.6 (Python 3.7.5)

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

In this example, the banner scan reveals that the web server is SimpleHTTPServer 0.6 running on Python 3.7.5.

Now, let's compare this information with the findings from the http-enum script, which we reviewed in the previous step. The http-enum script identified potential files and directories, such as /index.html and /robots.txt.

By comparing the results of the banner scan and the http-enum script, we can build a more complete picture of the target system. The banner scan provides information about the software versions, while the http-enum script reveals potential files and directories. This combined information can be valuable for identifying vulnerabilities and planning further attacks.

For example, knowing the version of the web server software allows you to search for known vulnerabilities specific to that version. The identified files and directories can then be targeted for exploitation.

This step demonstrates the importance of combining different scanning techniques to gather comprehensive information about a target system.

Summary

In this lab, participants learned to enumerate HTTP services using Nmap's http-enum script. They executed commands to scan specific IP addresses like 192.168.1.1 and 127.0.0.1, targeting port 80, adding a custom user agent, and saving results to a text file. The lab also emphasized using superuser privileges for certain operations and the importance of obtaining permission for real - world scans.

After running the scans, participants were instructed to review the HTTP findings and compare the results with a banner scan in the Xfce terminal, helping them identify potential vulnerabilities and misconfigurations on the target web servers.

Related Nmap Courses
Quick Start with Nmap

Quick Start with Nmap

CybersecurityNmap
Beginner