Nmap Scripting Engine – HTTP

Nmap Usage

Nmap needs the following information port number, script name, any script arguments (optional), and the IP of the target.

nmap -p <port> –script <script-same> –script-args <script arguemens> <target IP>

Listing HTTP MEthods

nmap -p 8585 -sV –script http-methods,http-trace –script-args http-methods.test-all=true,http-methods.url-path=’/uploads’

Using the http-methods script we can see all the available methods. The http-methods script will not identify the TRACE method we have to add the http-trace script. These scrips will locate any risky methods that could hint to exploitation.

HTTP methods status codes

nmap -p 8585 -sV –script http-methods –script-args http-methods.retest

If we change the script argument to http-methods.retest the response will be the status response for the available http methods.

HTTP methods url directory

Sometimes subdirectories on a web server can have different methods that could be vulnerable adding the http-methods.url-path script. In this example, I’ve added the “uploads” directory, and the results were different.

TRACE method is susceptible to Cross-Site Tracing (XST) attack. CONNECT method might allow the web server to be used as a http proxy. The PUT and DELETE can enable changes to the folder contents.

Http Open Proxy

nmap -p 8080 -sV –script http-open-proxy

Using the http-open-proxy, we can detect web servers that are configured to act as a proxy. This can allow an attacker to hide their real ip for other attacks.

Http folder and file discovery

nmap –script http-enum -p 8585

Using the http-enum script we can find any possible misconfiguration that could lead to exposing sensitive data or even directory traversal and expose system files.

Http enumeration with Nikto database

nmap -sV –script http-enum –script-args http-enum.nikto-db-path=/usr/share/nikto/db_dictinary -p 8585

Nikto is a powerful web server enumeration tool. With the http-enum.nikto-db  we can use Nikto databases for identifiying directories on a web server.








nmap -p 21 –script=ftp-brute –script-args userdb=list.txt,passdb=pass.txt,brute.threads=4

As you can see I ran the scan using user list list.txt, password file rockyou.txt, time out of 4 sec. I was able to brute force the username “msfadmin” and password of “msfadmin.”

With the ssh-brute script, we can control various inputs such as usernames, passwords, timeout, and threads. In this example I will be using lists for both usernames and passwords, as well setting a timeout and number of concurrent threads.

nmap -p 22 –script ssh-brute –script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s,brute.threads=6

As you can see I ran the scan using user list list.txt, password file rockyou.txt, time out of 4 sec, and six threads. I was able to brute force the username “msfadmin” and password of “msfadmin.”


With the http-default-accounts script, we can find any web application using the default credentials.

nmap -p 8180 –script=http-default-accounts

Using the http-default-accounts script I was able to find that tomcat service on port 8180 is using the default credentials username tomcat and password tomcat.

Email Scraping
Using the http-grep script we can search the http pages for any email address located on the page.

nmap -p80 –script http-grep –script-args http-grep.builtins=e-mail

Using the http-grep script I was able to find the email address “mutillidae-development @”

To Be Continued…

Book: Nmap: Network Exploration and Security Auditing Cookbook ISBN 978-1-78646-745-4