http-userdir-enum usage example gives no results #1902

h00die opened this issue Jan 30, 2020 · 3 comments
@h00die h00die commented Jan 30, 2020

While working on the metasploit documentation for the equivalent module, we've been adding 'how to confirm' sections for other tools (usually nmap scripts). We attempted to use scripts/http-userdir-enum.nse based on the usage example from https://nmap.org/nsedoc/scripts/http-userdir-enum.html however it outputs nothing (no errors, no output from script). I've confirmed the setup is vulnerable through the metasploit module.
See https://github.com/rapid7/metasploit-framework/pull/12706/files#r373152822

Example here is an Ubuntu 18.04 fresh apache install w/ only change being userdir enabled.

Metasploit

used as confirmation of vuln server.

msf5 auxiliary(scanner/http/apache_userdir_enum) > exploit

[*] http://1.1.1.1/~ - Trying UserDir: ''
[*] http://1.1.1.1/ - Apache UserDir: '' not found
[*] http://1.1.1.1/~4Dgifts - Trying UserDir: '4Dgifts'
[*] http://1.1.1.1/ - Apache UserDir: '4Dgifts' not found
[*] http://1.1.1.1/~EZsetup - Trying UserDir: 'EZsetup'
[*] http://1.1.1.1/ - Apache UserDir: 'EZsetup' not found
[*] http://1.1.1.1/~OutOfBox - Trying UserDir: 'OutOfBox'
[*] http://1.1.1.1/ - Apache UserDir: 'OutOfBox' not found
[*] http://1.1.1.1/~ROOT - Trying UserDir: 'ROOT'
[*] http://1.1.1.1/ - Apache UserDir: 'ROOT' not found
[*] http://1.1.1.1/~adm - Trying UserDir: 'adm'
[*] http://1.1.1.1/ - Apache UserDir: 'adm' not found
[*] http://1.1.1.1/~admin - Trying UserDir: 'admin'
[*] http://1.1.1.1/ - Apache UserDir: 'admin' not found
[*] http://1.1.1.1/~administrator - Trying UserDir: 'administrator'
[*] http://1.1.1.1/ - Apache UserDir: 'administrator' not found
[*] http://1.1.1.1/~anon - Trying UserDir: 'anon'
[*] http://1.1.1.1/ - Apache UserDir: 'anon' not found
[*] http://1.1.1.1/~auditor - Trying UserDir: 'auditor'
[*] http://1.1.1.1/ - Apache UserDir: 'auditor' not found
[*] http://1.1.1.1/~avahi - Trying UserDir: 'avahi'
[*] http://1.1.1.1/ - Apache UserDir: 'avahi' not found
[*] http://1.1.1.1/~avahi-autoipd - Trying UserDir: 'avahi-autoipd'
[*] http://1.1.1.1/ - Apache UserDir: 'avahi-autoipd' not found
[*] http://1.1.1.1/~backup - Trying UserDir: 'backup'
[+] http://1.1.1.1/ - Apache UserDir: 'backup' found 
[*] http://1.1.1.1/~bbs - Trying UserDir: 'bbs'
[*] http://1.1.1.1/ - Apache UserDir: 'bbs' not found
[*] http://1.1.1.1/~bin - Trying UserDir: 'bin'
[+] http://1.1.1.1/ - Apache UserDir: 'bin' found 
...clip...
[+] http://1.1.1.1/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nmap

/metasploit-framework# nmap -sV --script=http-userdir-enum -p 80 1.1.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-30 13:31 EST
Nmap scan report for ubuntu1804 (1.1.1.1)
Host is up (0.00064s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:0F:8A:9E (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

@nnposter nnposter commented Jan 31, 2020

The script is working as expected. The key difference is that Metasploit default user list, wordlists/unix_users.txt, has 113 entries, while the nmap equivalent, nselib/data/usernames.lst, has only 10.

Here is the output from Nmap when the Metasploit list is used instead:

Nmap scan report for 192.168.73.128
Host is up (0.0010s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-userdir-enum: Potential Users: avahi, avahi-autoipd, backup, bin, daemon, games, gdm, gnats, hplip, irc, kernoops, list, lp, mail, man, messagebus, news, nobody, proxy, pulse, saned, speech-dispatcher, sync, sys, syslog, uucp

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

When inspecting the actual default users in Ubuntu 18.04, the nmap list definitely deserves a refresh and the Metasploit one perhaps too.

@h00die h00die commented Feb 4, 2020

Ubuntu server 18.04 w/ lamp installed:

_apt
backup
bin
daemon
dnsmasq
games
gnats
irc
landscape
list
lp
lxd
mail
man
messagebus
mysql
news
nobody
pollinate
proxy
sshd
sync
sys
syslog
systemd-network
systemd-resolve
uucp
uuidd

Just tested w/ metasploit, will submit a PR to their side momentarily to update their list.

@nnposter nnposter commented Feb 9, 2020

This is turning out to require a little more thought:

Compared to file wordlists/unix_users.txt in Metasploit, file nselib/data/usernames.lst is used more broadly, including being the default username list for unpwdb, which is in turn used in various brute-forcing scripts.

For this reason it does not make a lot of sense to enrich this file with additional daemon usernames because they do not represent meaningful password cracking targets. To illustrate, I have collected usernames from recent versions of Ubuntu, RHEL, Oracle, Bitnami LAMP, Jetware LAMP, and Kali, which resulted in 89 entries. This would increase the original list roughly 9x, which in turn means that it would slow down password-cracking speed by the same factor for little benefit.

It seems that it might be more prudent to capture this list in a separate file, specifically to be used by script http-userdir-enum.

@dmiller-nmap Thoughts?
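
Added example, not part of the thread and not code from Nmap or Metasploit: a server-side check that finds the `/~name` request pattern shown in the first post in an Apache access log and reports which account names each client was able to confirm. It assumes the common/combined log format, a hypothetical threshold of five distinct names, and that any status other than 404 (typically 200 or 403) confirms the account; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) /~(?P<user>[^/ ?"]*)\S* [^"]*" (?P<status>\d{3}) '
)

def find_userdir_probing(lines, min_distinct=5):
    """Return {client_ip: {"probed": n, "confirmed": [names]}} for every client
    that requested at least min_distinct different /~name paths."""
    probed = defaultdict(set)
    confirmed = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a /~name request, or not a parseable log line
        ip, user, status = m["ip"], m["user"], m["status"]
        probed[ip].add(user)
        # Assumption: a non-404 answer (usually 200 or 403) tells the client
        # that the account exists; the empty name from "/~" is never counted.
        if user and status != "404":
            confirmed[ip].add(user)
    return {
        ip: {"probed": len(names), "confirmed": sorted(confirmed[ip])}
        for ip, names in probed.items()
        if len(names) >= min_distinct
    }

# Constructed sample: one client walking a user list, one ordinary visitor.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jan/2020:13:31:02 -0500] "GET /~ HTTP/1.1" 404 196',
    '192.0.2.10 - - [30/Jan/2020:13:31:02 -0500] "GET /~4Dgifts HTTP/1.1" 404 196',
    '192.0.2.10 - - [30/Jan/2020:13:31:02 -0500] "GET /~EZsetup HTTP/1.1" 404 196',
    '192.0.2.10 - - [30/Jan/2020:13:31:03 -0500] "GET /~adm HTTP/1.1" 404 196',
    '192.0.2.10 - - [30/Jan/2020:13:31:03 -0500] "GET /~admin HTTP/1.1" 404 196',
    '192.0.2.10 - - [30/Jan/2020:13:31:03 -0500] "GET /~backup HTTP/1.1" 403 199',
    '192.0.2.10 - - [30/Jan/2020:13:31:03 -0500] "GET /~bin HTTP/1.1" 403 199',
    '198.51.100.7 - - [30/Jan/2020:13:40:10 -0500] "GET /~alice/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Jan/2020:13:40:11 -0500] "GET /~alice/photos/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Jan/2020:13:40:15 -0500] "GET /index.html HTTP/1.1" 200 10918',
]

if __name__ == "__main__":
    for ip, hit in find_userdir_probing(SAMPLE_LOG).items():
        print(f"{ip}: {hit['probed']} names probed, confirmed: {', '.join(hit['confirmed'])}")
```

The confirmed list is the useful part for triage: it shows exactly which account names the server disclosed to that client, whichever wordlist the client used.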
