LabEx
Log InJoin Free

Enumerate HTTP Services in Nmap

NmapBeginner
Practice Now

Introduction

In this lab, the goal is to learn how to enumerate HTTP services using Nmap. You'll start by running an HTTP enum on the localhost 127.0.0.1 with the http-enum script. Then, you'll scan port 80, add a user agent, and save the enum results. Finally, you'll review the HTTP findings and compare them with a banner scan in the Xfce terminal.

Remember, in real - world scenarios, you should only scan networks and systems with explicit permission.

Run HTTP enum with nmap --script http-enum 127.0.0.1

In this step, we will use Nmap with the http-enum script to enumerate HTTP services on localhost. This script helps identify potential vulnerabilities and misconfigurations by discovering common web server files and directories.

Before we begin, let's briefly discuss what Nmap and NSE scripts are. Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. NSE (Nmap Scripting Engine) allows users to write scripts to automate a wide variety of networking tasks. The http-enum script is one such NSE script designed to enumerate common HTTP resources.

For this lab, we will target the localhost IP address 127.0.0.1. This is a safe approach for learning as we're scanning our own local machine.

Now, let's execute the Nmap command:

sudo nmap --script http-enum 127.0.0.1

This command tells Nmap to:

  • sudo: Execute the command with superuser privileges, which may be required for certain Nmap operations.
  • nmap: Invoke the Nmap tool.
  • --script http-enum: Specify that we want to use the http-enum script.
  • 127.0.0.1: The target IP address to scan (localhost).

After running the command, you will see output similar to the following (the exact output will depend on the target system):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8080/tcp open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|_  /session/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

The output shows that the http-enum script found a few interesting resources on port 8080:

  • /robots.txt: A file that specifies which parts of the website should not be crawled by web robots.
  • /session/: A potentially interesting directory that might contain session-related files or functionality.

These findings can be further investigated to identify potential vulnerabilities or misconfigurations.

Scan port 8080 with nmap --script http-enum -p 8080 127.0.0.1

In this step, we will focus our Nmap scan on a specific port, port 8080, using the http-enum script. Specifying a port can help narrow down the scan and provide more targeted results. We'll be scanning 127.0.0.1, which is the loopback address, representing the local machine. This is useful for testing services running on your own system.

Let's break down the command we'll be using:

sudo nmap --script http-enum -p 8080 127.0.0.1

Here's what each part of the command means:

  • sudo: Executes the command with superuser privileges. This might be necessary to get accurate results, especially on lower port numbers.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script to enumerate HTTP resources.
  • -p 8080: This option tells Nmap to only scan port 8080. Port 8080 is commonly used as an alternative HTTP port, often for development servers or proxy services.
  • 127.0.0.1: The target IP address, in this case, the loopback address, which refers to the local machine.

Now, execute the command in your terminal:

sudo nmap --script http-enum -p 8080 127.0.0.1

The output will look similar to this (the exact output depends on the services running on your local machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|_  /session/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

In this example, the http-enum script found /robots.txt and /session/. These are common resources on web servers, and further investigation might reveal more information about the server's configuration and potential vulnerabilities. By specifying port 8080, we focused the scan and received results specific to the HTTP service running on the local machine.

Add user agent with nmap --script http-enum --script-args http.useragent=Test 127.0.0.1

In this step, we will customize the User-Agent header used by the http-enum script. The User-Agent header is sent by the client (in this case, Nmap) to the server and identifies the client software. Modifying the User-Agent can be useful for several reasons, such as:

  • Bypassing basic security measures: Some servers might block requests from known scanning tools. Changing the User-Agent can help evade these blocks.
  • Testing server behavior: You can observe how the server responds to different User-Agent strings.
  • Stealth: Using a less common User-Agent can make your scans less conspicuous.

We will use the --script-args option to modify the http.useragent value.

Here's the command we'll be using:

sudo nmap --script http-enum --script-args http.useragent=Test 127.0.0.1

Let's break down this command:

  • sudo: Executes the command with superuser privileges.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script.
  • --script-args http.useragent=Test: This is the key part. It passes an argument to the http-enum script. Specifically, it sets the http.useragent variable to the value "Test". This means that when the script sends HTTP requests, it will use "Test" as the User-Agent header.
  • 127.0.0.1: The target IP address to scan (localhost).

Execute the command in your terminal:

sudo nmap --script http-enum --script-args http.useragent=Test 127.0.0.1

The output will be similar to the output from the first step, but the HTTP requests sent to the server will now include the User-Agent: Test header. You won't see the User-Agent directly in the Nmap output, but it will be used in the background during the scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8080/tcp open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|_  /session/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

This step demonstrates how to customize Nmap scripts using the --script-args option. This allows you to fine-tune the behavior of the scripts and adapt them to specific situations.

Save enum results with nmap --script http-enum -oN http_enum.txt 127.0.0.1

In this step, we will save the results of the http-enum script to a file. This is crucial for later analysis and reporting. Nmap provides several options for saving scan results in different formats. We will use the -oN option, which saves the results in a "normal" human-readable format.

Here's the command we'll be using:

sudo nmap --script http-enum -oN http_enum.txt 127.0.0.1

Let's break down this command:

  • sudo: Executes the command with superuser privileges.
  • nmap: Invokes the Nmap tool.
  • --script http-enum: Specifies that we want to use the http-enum script.
  • -oN http_enum.txt: This option tells Nmap to save the results in normal format to the file named http_enum.txt. The file will be created in your current directory (~/project).
  • 127.0.0.1: The target IP address to scan (the loopback address).

Execute the command in your terminal:

sudo nmap --script http-enum -oN http_enum.txt 127.0.0.1

The output in the terminal will be similar to the output from the previous steps, but in addition to displaying the results on the screen, Nmap will also save them to the http_enum.txt file.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8080/tcp open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|_  /session/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

To verify that the file has been created and contains the scan results, you can use the cat command to display the contents of the file:

cat http_enum.txt

You should see the Nmap scan results in the output. This file can now be used for further analysis, reporting, or as input to other tools.

Review HTTP findings in Xfce terminal

In this step, we will review the HTTP findings from the http_enum.txt file we created in the previous step. We'll use the Xfce terminal and the cat command to display the contents of the file and analyze the results.

First, ensure you are in the ~/project directory. This is where the http_enum.txt file should be located.

To view the contents of the http_enum.txt file, use the following command:

cat http_enum.txt

This command will print the contents of the file to your terminal.

Example output (the actual output may vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8080/tcp open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|_  /session/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

Now, let's analyze the output. The http-enum script attempts to identify potentially interesting files and directories on the web server. In this example, it found:

  • /robots.txt: This file provides instructions to web robots (crawlers) about which parts of the website should not be indexed. It can sometimes reveal hidden or sensitive areas of the site.
  • /session/: This is a potentially interesting directory that might contain session-related files, configuration files, or other sensitive information.

By reviewing these findings, you can gain a better understanding of the web server's structure and identify potential areas for further investigation. For example, you might use a web browser to visit http://127.0.0.1:8080/robots.txt and http://127.0.0.1:8080/session/ to see what they contain.

This step demonstrates how to review the output of Nmap scripts and identify potentially interesting information. This is a crucial part of the reconnaissance process.

Compare results with banner scan in Xfce terminal

In this step, we will perform a banner scan using Nmap and compare its results with the findings from the http-enum script. Banner grabbing is a technique used to gather information about a service by examining the banner it presents when a connection is established. This can reveal the software version and other details.

First, let's perform a banner scan on port 8080 of the target (127.0.0.1) using Nmap. We'll use the -sV option, which enables version detection:

sudo nmap -sV -p 8080 127.0.0.1

This command will attempt to determine the service and version running on port 8080.

Example output:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    SimpleHTTPServer 0.6 (Python 3.7.5)

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

In this example, the banner scan reveals that the web server is SimpleHTTPServer 0.6 running on Python 3.7.5.

Now, let's compare this information with the findings from the http-enum script, which we reviewed in the previous step. The http-enum script identified potential files and directories, such as /robots.txt and /session/.

By comparing the results of the banner scan and the http-enum script, we can build a more complete picture of the target system. The banner scan provides information about the software versions, while the http-enum script reveals potential files and directories. This combined information can be valuable for identifying vulnerabilities and planning further attacks.

For example, knowing the version of the web server software allows you to search for known vulnerabilities specific to that version. The identified files and directories can then be targeted for exploitation.

This step demonstrates the importance of combining different scanning techniques to gather comprehensive information about a target system.

Summary

In this lab, participants learned to enumerate HTTP services using Nmap's http-enum script. They executed commands to scan localhost (127.0.0.1), targeting port 8080, adding a custom user agent, and saving results to a text file. The lab emphasized using superuser privileges for certain operations and demonstrated safe scanning practices by using localhost.

After running the scans, participants reviewed the HTTP findings and compared the results with a banner scan in the Xfce terminal, helping them identify potential vulnerabilities and misconfigurations on the local web server. This hands-on approach provided practical experience with network reconnaissance techniques.

Related Nmap Courses
Nmap for Beginners

Nmap for Beginners

cybersecuritynmaplinux
Hands-On Network Scanning with Nmap on Linux

Hands-On Network Scanning with Nmap on Linux

cybersecuritynmaplinux
Nmap Scanning and Telnet Access

Nmap Scanning and Telnet Access

cybersecuritynmaplinux