#VERSION,2.01
#LASTMOD,01.09.2008
###############################################################################
# Copyright (C) 2004 CIRT, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License only.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###############################################################################
###############################################################################
# PURPOSE
# Enumeration of local users (and their home directories) on the target host
# via Apache's ~username URLs (UserDir mappings)
###############################################################################
# NOTES
# This plugin tries to enumerate the local users (and their home directories)
# on the target by requesting /~name for every name in a fixed range; the
# brute force is limited to that range, so longer or non-alphabetic account
# names are never tried.
# On some Apache/UNIX systems this reveals many local user names, which an
# attacker could later use to seed an SSH brute-force attack.
# This plugin was originally written by Javier Fernandez-Sanguino Peña
###############################################################################
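sub nikto_user_enum_apache
{
    # Brute-force Apache "UserDir" style URLs (/~name) to enumerate local
    # accounts on the current target. Only runs when mutate option 3 is
    # selected on the command line.
    #
    # Arguments: none. Reads %CLI; writes %TESTS, %TARGETS and the global
    # $CONTENT that fetch() fills in.
    # Returns: nothing meaningful. Findings are recorded in
    # $TESTS{999997}{message} and $TARGETS{$CURRENT_HOST_ID}.
    return if $CLI{mutate} !~ /3/;

    my $MIN_LEN      = 1;         # shortest name tried ("a")
    my $MAX_LEN      = 5;         # longest name tried ("zzzzz")
    my $REPORT_EVERY = 500;       # progress message interval (verbose output)
    my $TEST_ID      = 999997;    # %TESTS slot used for this finding
    my $OSVDB_ID     = 637;

    # Responses that indicate /~name maps to a real account: 200 (index or
    # directory listing), 301 (redirect to /~name/) and 403 (exists but
    # forbidden). Anything else, including an undefined code from a failed
    # request, is treated as "no such user".
    my %hit_code = map { $_ => 1 } qw(200 301 403);
    my $is_hit = sub {
        my ($code) = @_;
        return defined $code && $hit_code{$code};
    };

    nprint("- Enumerating Apache users ($MIN_LEN to $MAX_LEN characters).", "d");

    # False-positive control: probe a random name that is longer than
    # anything in the brute-force range and therefore almost certainly not a
    # real account. If the server still answers with a "hit" code it does so
    # for every /~name (catch-all rewrite, custom error page served with a
    # 200 status, ...), and every one of the ~12 million guesses below would
    # be reported as a valid user. In that case the test is pointless, so
    # say so and stop.
    my $probe = join '', map { chr(ord('a') + int(rand(26))) } 1 .. ($MAX_LEN + 7);
    (my $probe_res, $CONTENT) = fetch("/~$probe", "HEAD");
    if ($is_hit->($probe_res)) {
        nprint("\tApache user enumeration skipped: /~$probe returned $probe_res, so the server answers the same way for any user name.", "v");
        return;
    }

    # Names come from Perl's magic string increment: "a".."z", "aa".."zz", ...
    # so only lowercase letters are tried (no digits, no underscore). That is
    # SUM(26^n) for n = $MIN_LEN..$MAX_LEN HEAD requests; any smarter pruning
    # of "unlikely" names would no longer be a brute force (jfs).
    my $name    = 'a' x $MIN_LEN;
    my $guesses = 0;
    while (length($name) <= $MAX_LEN) {
        if ($guesses % $REPORT_EVERY == 0) {
            nprint("\tUser enumeration guess $guesses ($name)", "v");
        }
        (my $res, $CONTENT) = fetch("/~$name", "HEAD");
        if ($is_hit->($res)) {
            if (exists $TESTS{$TEST_ID}{message}) {
                $TESTS{$TEST_ID}{message} .= ", $name";
            }
            else {
                $TESTS{$TEST_ID}{message} = "Valid users found via Apache enumeration: $name";
            }
            $TESTS{$TEST_ID}{osvdb} = $OSVDB_ID;
            # Every account found counts as a separate finding on this host.
            $TARGETS{$CURRENT_HOST_ID}{positives}{$TEST_ID} = 1;
            $TARGETS{$CURRENT_HOST_ID}{total_vulns}++;
        }
        $name++;
        $guesses++;
    }
    return;
}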
1;    # the file must evaluate to a true value when it is loaded (require/do)