File: nikto_user_enum_apache.plugin

nikto 2.02-1
  • area: non-free
  • in suites: lenny
  • size: 1,336 kB
  • ctags: 179
  • sloc: perl: 4,450; makefile: 38; sh: 26
#VERSION,2.01
#LASTMOD,01.09.2008

###############################################################################
#  Copyright (C) 2004 CIRT, Inc.
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; version 2
#  of the License only.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
###############################################################################

###############################################################################
# PURPOSE
# Enumeration of users and directories in system (as Apache's ~username)
###############################################################################
# NOTES
# This plugin tries to enumerate all the users and directories
# in the system (of course the brute-force attack is limited to a given range).
# On some Apache/UNIX systems this might give out many local users
# (which could later on be used for an ssh brute-force attack).
# This plugin was originally written by Javier Fernandez-Sanguino Peña
###############################################################################

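sub nikto_user_enum_apache
{
    # Requests /~<name> with HEAD for every lowercase name of 1 to $max_len
    # letters and records the names whose status suggests the path exists.
    # Runs only when the mutate option contains "3".
    #
    # Reads:  %CLI, $CURRENT_HOST_ID
    # Writes: $TESTS{999997}{message,osvdb}, $TARGETS{$CURRENT_HOST_ID}{positives,
    #         total_vulns}, and the global $CONTENT (second value from fetch()).
    #
    # Remediation context for whoever reads the finding: the result means the
    # server answers differently for existing and missing ~user paths; turning
    # off per-user directories (Apache "UserDir disabled") where they are not
    # needed removes that difference.
    return if ($CLI{mutate} !~ /3/);

    # Single source for the length limit so the log line and the loop agree.
    my $max_len = 5;
    nprint("- Enumerating Apache users (1 to $max_len characters).", "d");

    # Note1: This script only generates names with letters a-z (no numbers)
    #
    # Note2: the loop issues SUM(26^n) for n = 1..$max_len requests, which is
    # 12,356,630 HEAD requests at the default of 5; expect a long run and a
    # correspondingly large footprint in the target's access log.
    #
    # Of course, it could be optimized to skip some "strange"
    # combinations of usernames, but hey, then it wouldn't
    # be 'brute force' would it? (jfs)

    # Statuses the original check treats as "this ~user exists". Hash keys
    # are strings, so the lookup matches the original string comparison.
    my %is_hit_status = map { $_ => 1 } (200, 301, 403);

    # Baseline: ask for a name outside the generated keyspace (it contains
    # digits; the value is a constructed sample). If the server answers that
    # request with one of the "hit" statuses, e.g. a catch-all handler or a
    # blanket 403, the same status on a real guess proves nothing and would
    # otherwise produce one false finding per guess.
    my ($baseline) = fetch("/~" . "nikto0no0such0user", "HEAD");
    $baseline = "" unless defined($baseline);
    if ($is_hit_status{$baseline})
    {
        nprint("- Baseline ~user request returned $baseline; that status will not be counted as a valid user.", "d");
    }

    my $text = "a";
    my $ctr  = 0;
    while (length($text) <= $max_len)
    {
        # Progress line every 500 guesses (numeric compare on a counter).
        if (($ctr % 500) == 0) { nprint("\tUser enumeration guess $ctr ($text)", "v"); }

        # $CONTENT is deliberately left as the global the original assigned;
        # NOTE(review): nothing in this sub reads it, confirm other code does.
        (my $RES, $CONTENT) = fetch("/~" . $text, "HEAD");

        # A guess counts only when its status is in the hit set and differs
        # from what the server returned for the baseline name.
        if (defined($RES) && $is_hit_status{$RES} && $RES ne $baseline)
        {
            # NOTE(review): %TESTS is keyed by test id, not by host, so this
            # message keeps growing if several hosts are scanned in one run;
            # verify how the reporting code consumes it.
            if (exists($TESTS{999997}{message}))
            {
                $TESTS{999997}{message} .= ", $text";
            } else
            {
                $TESTS{999997}{message} = "Valid users found via Apache enumeration: $text";
            }
            $TESTS{999997}{osvdb} = 637;
            $TARGETS{$CURRENT_HOST_ID}{positives}{999997} = 1;

            # Incremented once per name found, so the total can exceed the
            # number of distinct test ids flagged for the host.
            $TARGETS{$CURRENT_HOST_ID}{total_vulns}++;
        }

        # Perl's string increment walks "a".."z", "aa".."zz", ...; "zzzzz"
        # becomes "aaaaaa", which ends the loop.
        $text++;
        $ctr++;
    }
}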

# A file pulled in with require/do must end in a true value.
1;