Nmap Scripting Engine – HTTP

Nmap Usage

Nmap needs the following information port number, script name, any script arguments (optional), and the IP of the target.

nmap -p <port> –script <script-same> –script-args <script arguemens> <target IP>

Listing HTTP MEthods

nmap -p 8585 -sV –script http-methods,http-trace –script-args http-methods.test-all=true,http-methods.url-path=’/uploads’

HTTP methods status codes

nmap -p 8585 -sV –script http-methods –script-args http-methods.retest

HTTP methods url directory

Notes TRACE method is susceptible to Cross-Site Tracing (XST) attack. CONNECT method might allow the web server to be used as a http proxy. The PUT and DELETE can enable changes to the folder contents.

Http Open Proxy

nmap -p 8080 -sV –script http-open-proxy

Http folder and file discovery

nmap –script http-enum -p 8585

Http enumeration with Nikto database

nmap -sV –script http-enum –script-args http-enum.nikto-db-path=/usr/share/nikto/db_dictinary -p 8585


nmap -p 21 –script=ftp-brute –script-args userdb=list.txt,passdb=pass.txt,brute.threads=4

SSH-BRUTE With the ssh-brute script, we can control various inputs such as usernames, passwords, timeout, and threads. In this example I will be using lists for both usernames and passwords, as well setting a timeout and number of concurrent threads.

nmap -p 22 –script ssh-brute –script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s,brute.threads=6

http-default-accounts With the http-default-accounts script, we can find any web application using the default credentials.

nmap -p 8180 –script=http-default-accounts

Email Scraping Using the http-grep script we can search the http pages for any email address located on the page.

nmap -p80 –script http-grep –script-args http-grep.builtins=e-mail

To Be Continued…

Resources: https://nmap.org/nsedoc/scripts Book: Nmap: Network Exploration and Security Auditing Cookbook ISBN 978-1-78646-745-4