Abusing mod_userdir to enumerate user accounts

Apache's module UserDir provides access to the user directories by using URIs with the syntax /~username/. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server.

This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir enabled.

How to do it...

To try to enumerate valid users in a web server with mod_userdir; use Nmap with these arguments:

$ nmap -p80 --script http-userdir-enum <target>

All of the usernames that were found will be included in the results:

PORT   STATE SERVICE
80/tcp open  http
|_http-userdir-enum: Potential Users: root, web, test

How it works...

The argument -p80 --script ...

Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.

Start your free trial

Nmap 6: Network Exploration and Security Auditing Cookbook by Paulino Calderon Pale

Abusing mod_userdir to enumerate user accounts

How to do it...

How it works...

Don’t leave empty-handed

It’s yours, free.