Abusing mod_userdir to enumerate user accounts
Apache's module UserDir
provides access to the user directories by using URIs with the syntax /~username/
. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server.
This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir
enabled.
How to do it...
To try to enumerate valid users in a web server with mod_userdir
; use Nmap with these arguments:
$ nmap -p80 --script http-userdir-enum <target>
All of the usernames that were found will be included in the results:
PORT STATE SERVICE 80/tcp open http |_http-userdir-enum: Potential Users: root, web, test
How it works...
The argument -p80 --script ...
Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.