Abusing mod_userdir to enumerate user accounts

Apache's module UserDir provides access to the user directories by using URIs with the syntax /~username/. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server.

This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir enabled.

How to do it...

To try to enumerate valid users in a web server with mod_userdir; use Nmap with these arguments:

$ nmap -p80 --script http-userdir-enum <target>

All of the usernames that were found will be included in the results:

80/tcp open  http
|_http-userdir-enum: Potential Users: root, web, test

How it works...

The argument -p80 --script ...

Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.