
I'm attempting to brute a site in my test lab with Nmap's http-brute nse, which has the URL structure https://192.168.101.6/api/auth?email=a@b.com&password=pass

Unfortunately Nmap's official documentation (https://nmap.org/nsedoc/scripts/http-brute.html) has no information on how to supply arguments such as the email and password fields.

I'm aiming to supply my request as follows (where $1 is the email variable and $2 is the password variable):
https://192.168.101.6/api/auth?email=$1&password=$2
Note: $1 should load my email dictionary emails.txt and $2 should load my password list pass.txt

Is this possible with Nmap's http-brute NSE? Or would I need to use another tool such as Burp or Hydra?

3 Answers

3

The http-brute script documentation states that it performs "brute force password auditing against http basic, digest and ntlm authentication." These are HTTP authentication methods, but what you are looking for is form-based authentication.

The http-form-brute script does what you want. You can use the uservar and passvar script-args to tell it which variables to send, but if you are using a version of the script since r35542 (2015-12-31), then it should be able to auto-detect the form on the page you want to brute-force. Read the docs carefully, since you may need some of the other arguments like http-form-brute.method. The online docs always refer to the current development snapshot, but you can get the docs for the version of the script you have by running nmap --script-help http-form-brute.

bonsaiviking
  • We're on the right path but after supplying the following command `nmap -d -vv -p 443 --script http-form-brute --script-args "brute.emptypass=true,brute.firstonly=false,http-form-brute.path=/api/auth,http-form-brute.method=GET,uservar=email,passvar=password,http-form-brute.onfailure=The selected email is invalid,userdb=user.txt" 192.168.101.6` I receive the error `ERROR: Failed to recognize failed authentication. See http-form-brute.onsuccess and http-form-brute.onfailure` – 16b7195abb140a3929bbc322d1c6f1 Jan 21 '16 at 04:05
  • Even though it appears to submit correctly: `NSE: Starting http-form-brute against 192.168.101.6:443. NSE: [http-form-brute 192.168.101.6:443] Form submission path: /api/auth NSE: [http-form-brute 192.168.101.6:443] HTTP method: GET NSE: [http-form-brute 192.168.101.6:443] Username field: email NSE: [http-form-brute 192.168.101.6:443] Password field: password ` – 16b7195abb140a3929bbc322d1c6f1 Jan 21 '16 at 04:06
  • @mk444 try `--script-trace` to see the http traffic and make sure it's what you expect. There may be a redirect you need to look for instead of the text on the page. – bonsaiviking Jan 21 '16 at 04:19
  • Spot on! The parameters are getting jumbled. Will have to continue this a bit later – 16b7195abb140a3929bbc322d1c6f1 Jan 21 '16 at 04:31
  • It looks like the issue is: `userdb=user.txt` is not getting activated. Instead of the user `email=a@b.com` (contents of user.txt), the script is passing in: `email=TIULDZOE`. Any ideas? – 16b7195abb140a3929bbc322d1c6f1 Jan 21 '16 at 09:47
  • @mk444 The script first tries with bogus random creds to see if the failure detection works. If it can't successfully detect failure, it gives up. – bonsaiviking Jan 21 '16 at 13:15
  • How do I force a specific username? i.e. I want `email=a@b.com` at all times and only need the password field to be brute forced. – 16b7195abb140a3929bbc322d1c6f1 Jan 22 '16 at 00:05
  • @mk444 See the script args documented, especially for `unpwdb` library. Put just the username you want in a file and specify that file with the `userdb` script arg. – bonsaiviking Jan 22 '16 at 02:04
  • That's what I'm already doing but unfortunately it's forcing the bogus username as you mentioned. Is there a way to disable the bogus creds? – 16b7195abb140a3929bbc322d1c6f1 Jan 22 '16 at 02:12
  • @mk444 Either switch to using `onsuccess` or edit the script to use your real username instead of the random one. Ask more in #nmap on freenode or dev@nmap.org, since stackexchange is complaining about a long comment chain. – bonsaiviking Jan 22 '16 at 02:31
1

I fired up Zenmap, pulled up the listing for the http-brute script, and plugged in the address, user cred file, and password cred file in the appropriate GUI fields to produce command line arguments for them. The command line string that Zenmap output for me:

[initial output from Zenmap was here, and was incorrect because of the way in which I selected some arguments to be input. A lesson about tools not making up for mistakes in human skill. Anyways, it's still a good tool.]

Note: I haven't actually tested the above formulation against any targets to see that it actually works. I'm away from my test environment, but just happen to have nmap & Zenmap installed on pretty much every single device I own that a version exists for. :)

Really, I'd quite recommend Zenmap as a tool for learning about nmap usage in general, but particularly when it comes to discovering, selecting, and using scripts well. To be honest, in fact, when I started using Zenmap I found it so helpful in building scans with complex qualities (especially with, but not limited to, scripts) that I eventually became a little spoiled by it and lost a bit of sharpness in using the command line. Still, as another non-expert attempting to upgrade my skills I've found it exceedingly useful. (Of course, YMMV.)

mostlyinformed
  • Unfortunately that did not work. The syntax appears to be incorrect so I ran a similar, constructed command (using nmap's default wordlist, so no txt files supplied) `nmap -d -vv -p 443 --script http-brute --script-args "brute.emptypass=true,brute.firstonly=false,http-brute.path=/api/auth?,http-brute.method=GET" 192.168.101.6` but since the email= and password= strings do not get passed to nmap, it immediately fails. – 16b7195abb140a3929bbc322d1c6f1 Jan 17 '16 at 10:14
  • Rereading the script I suggested...ugh. Forgot a few things. Maybe try this one I just slapped together from a couple sources: `nmap -p80 --script http-brute 192.168.01.01 --script-args http-brute.path=/targetdirectory/targetpage,userdb=users.txt,passdb=passwords.txt` – mostlyinformed Jan 17 '16 at 16:25
  • Replacing the relevant ips and file names, of course. And 443 for the port. Anyway, the syntax is at least generally correct – mostlyinformed Jan 17 '16 at 16:34
  • Thanks but no luck. Unfortunately that produces the same results as the scan I mentioned in my first comment and fails. I think we need to work out a way to pass the userlist into email= and password list into password= – 16b7195abb140a3929bbc322d1c6f1 Jan 18 '16 at 05:03
0

Thanks @bonsaiviking for all of your help.

A more in-depth analysis of the --script-trace revealed the primary issues were the user-agent and brute.emptypass=true. Also, since the first pass of the script supplies bogus creds I needed to use a string that matched when a bogus username was supplied as well as a string match on the correct username ("error").

Successful command:

`nmap -p 443 --script http-form-brute --script-args "brute.firstonly=true,http-form-brute.path=/api/auth,http-form-brute.method=GET,userdb=user.txt,http-form-brute.uservar=email,http-form-brute.passvar=password,http-form-brute.onfailure=error,http.useragent=" 192.168.101.6` 
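On the defensive side, the traffic this thread ends up producing (a burst of `GET /api/auth?email=...&password=...` requests from one client, opening with a random bogus username, sent without a User-Agent once `http.useragent=` is set) is easy to spot in a web server access log, and the same log shows why an API that takes credentials in a GET query string is a problem in itself: every guessed password is now persisted in the log. This added Python example is mine, not code from the thread or from Nmap; it runs that check over constructed combined-format log lines, and the log format, the thresholds and the NSE User-Agent substring are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines, not real traffic. Line 1 mimics the random
# bogus username the script sends first; the last line is a legitimate login from another host.
SAMPLE_LOG = """\
192.168.101.50 - - [21/Jan/2016:04:05:01 +0000] "GET /api/auth?email=TIULDZOE&password=ZKQPWMCX HTTP/1.1" 401 27 "-" "-"
192.168.101.50 - - [21/Jan/2016:04:05:01 +0000] "GET /api/auth?email=a%40b.com&password=123456 HTTP/1.1" 401 27 "-" "-"
192.168.101.50 - - [21/Jan/2016:04:05:02 +0000] "GET /api/auth?email=a%40b.com&password=letmein HTTP/1.1" 401 27 "-" "-"
192.168.101.50 - - [21/Jan/2016:04:05:02 +0000] "GET /api/auth?email=a%40b.com&password=hunter2 HTTP/1.1" 200 51 "-" "-"
192.168.101.7 - - [21/Jan/2016:04:07:30 +0000] "GET /api/auth?email=c%40d.org&password=s3cret HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
NSE_UA = "Nmap Scripting Engine"  # assumed substring of the NSE http library's default User-Agent

def analyze(log_text, path="/api/auth", window_s=60, threshold=3):
    """Return (per-client findings for login guessing against `path`,
    number of requests that carried a password in the query string)."""
    per_ip = defaultdict(lambda: {"failed": 0, "times": [], "nse_ua": False,
                                  "missing_ua": False, "usernames": set()})
    creds_in_url = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        q = parse_qs(url.query)
        creds_in_url += int("password" in q)      # secret is now sitting in the log file
        f = per_ip[m["ip"]]
        f["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        f["failed"] += int(m["status"] in ("401", "403"))
        f["nse_ua"] |= NSE_UA in m["ua"]
        f["missing_ua"] |= m["ua"] in ("", "-")  # blank UA, as with http.useragent= above
        f["usernames"].update(q.get("email", []))  # bogus names like TIULDZOE show up here
    for f in per_ip.values():
        span = (max(f["times"]) - min(f["times"])).total_seconds()
        f["burst"] = f["failed"] >= threshold and span <= window_s
        f["suspicious"] = f["burst"] or f["nse_ua"] or f["missing_ua"]
    return dict(per_ip), creds_in_url

if __name__ == "__main__":
    findings, leaked = analyze(SAMPLE_LOG)
    for ip, f in findings.items():
        print(ip, "SUSPICIOUS" if f["suspicious"] else "ok", f["failed"], "failed,",
              "usernames:", sorted(f["usernames"]))
    print(leaked, "requests carried a password in the URL query string")
```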