Abusing mod_userdir to enumerate user accounts

Apache's module UserDir provides access to the user directories by using URIs with the syntax /~username/. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server.

This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir enabled.

How to do it...

To try to enumerate valid users in a web server with mod_userdir; use Nmap with these arguments:

$ nmap -p80 --script http-userdir-enum <target>

All of the usernames that were found will be included in the results:

PORT   STATE SERVICE
80/tcp open  http
|_http-userdir-enum: Potential Users: root, web, test

How it works...

The argument -p80 --script ...

Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.