Nmap Development mailing list archives

Re: Nmap Erros on URI using NSE


From: Shritam Bhowmick <shritam.bhowmick () gmail com>
Date: Thu, 14 Aug 2014 22:54:14 +0530

Hi nnposter,

That's great. Looking forward to the enhancements. On a side note, could I
get the whole script, because I manually changed your patch code to the
original nmap script? Is there any way I can update my nmap script db? I
tried nmap --scrip-dbupdate on kali. It seems not to work.

I need the code to make it work. I made common spelling mistakes while changing
the code as well.

Regards
Shritam Bhowmick
Founder at OpenFire Technologies.
Penetration Tester at OpenFire Security.
Web Application Analysis and Research.
www.openfire-security.net
http://forum.openfire-security.net



On Thu, Aug 14, 2014 at 10:48 PM, <nnposter () users sourceforge net> wrote:

Shritam Bhowmick wrote:
nmap pentesteracademylab.appspot.com -n --script=http-form-brute
--script-args 'http-form-brute.path="/lab/webapp/1",
http-form-brute.hostname="pentesteracademylab.appspot.com",
passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv
<snip>
But the script gave out no output still. I think there is an issue. I had
tested using hydra, and this worked fine!?

If you run your CLI with -d you would see:

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-brute:
|_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
Final times for host: srtt: 0 rttvar: 3750  to: 100000

The reason is that the server is configured to reject POST requests
while your CLI is missing "http-form-brute.method=get". (As noted in
my previous e-mail, the script still uses POST by default.)

There is room for improvement of the auto-detection but I have not
tried to address that with my patch.


Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


