Abusing mod_userdir to enumerate user accounts
Apache's module UserDir
provides access to the user directories by using URIs with the syntax /~username/
. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server.
This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir
enabled.
How to do it...
To try to enumerate valid users in a web server with mod_userdir
; use Nmap with these arguments:
$ nmap -p80 --script http-userdir-enum <target>
All of the usernames that were found will be included in the results:
PORT STATE SERVICE 80/tcp open http |_http-userdir-enum: Potential Users: root, web, test
How it works...
The argument -p80 --script ...
Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.