
02. HTTP IIS Nmap Script

When performing reconnaissance or vulnerability assessment on a web server (like an IIS server running on port 80), Nmap provides specialized http-* scripts through the Nmap Scripting Engine (NSE). These scripts help gather detailed information about the web server and its potential vulnerabilities or misconfigurations.


1. Enumerate Web Server Directories and Resources

nmap <IP Address> -sV -p 80 --script http-enum

Purpose:

  • Performs directory and file enumeration on the web server (similar to Gobuster/Dirb).

  • Useful for discovering hidden or unlinked directories like /admin, /test, /backup, etc.

Script Used:

  • http-enum

Example:

nmap 192.168.1.10 -sV -p 80 --script http-enum

Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum:
|   /admin/           Possible admin folder
|   /images/          Folder with public images
|   /webdav/          WebDAV enabled folder

2. Enumerate HTTP Headers

nmap <IP Address> -sV -p 80 --script http-headers

Purpose:

  • Retrieves HTTP headers sent by the server.

  • Useful to fingerprint technologies, check for security headers (like X-Frame-Options, Content-Security-Policy, etc.), and discover misconfigurations.

Script Used:

  • http-headers

Example:

nmap 192.168.1.10 -sV -p 80 --script http-headers

Output:

| http-headers:
|   Server: Microsoft-IIS/10.0
|   X-Powered-By: ASP.NET
|   Set-Cookie: sessionid=abc123; Path=/
|   Content-Type: text/html
|   X-Frame-Options: SAMEORIGIN

3. Check Allowed HTTP Methods (e.g., PUT, DELETE, etc.)

nmap <IP Address> -sV -p 80 --script http-methods --script-args http-methods.url-path=/webdav/

Purpose:

  • Tests which HTTP methods (GET, POST, PUT, DELETE, OPTIONS, TRACE) are supported.

  • Especially important for checking if WebDAV or other dangerous methods like PUT are enabled.

Script Used:

  • http-methods

Example:

nmap 192.168.1.10 -sV -p 80 --script http-methods --script-args http-methods.url-path=/webdav/

Output:

| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS PUT
|   Potentially risky methods: PUT

Note: The presence of PUT or DELETE methods indicates a serious security risk if not controlled properly.


4. Scan for WebDAV Misconfiguration

nmap <IP Address> -sV -p 80 --script http-webdav-scan --script-args http-webdav-scan.path=/webdav/

Purpose:

  • Scans for WebDAV support and configuration flaws.

  • Checks if files can be uploaded or manipulated via WebDAV.

Script Used:

  • http-webdav-scan

Example:

nmap 192.168.1.10 -sV -p 80 --script http-webdav-scan --script-args http-webdav-scan.path=/webdav/

Output:

| http-webdav-scan:
|   WebDAV is ENABLED
|   Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND
|   Upload: Possible
|   WebDAV type: Class 2

Implication:

  • If PUT and DELETE are allowed, an attacker might upload a web shell or malicious file, leading to Remote Code Execution (RCE).

Summary Table

| Script           | Purpose                     | Risk Discovered                   |
|------------------|-----------------------------|-----------------------------------|
| http-enum        | Enumerate files/directories | Info leakage, sensitive endpoints |
| http-headers     | View HTTP headers           | Missing security headers          |
| http-methods     | Discover HTTP methods       | PUT/DELETE → risk of upload       |
| http-webdav-scan | Test WebDAV                 | Web shell upload or abuse         |

Best Practices for IIS Hardening (Based on Results)

  • Disable unused HTTP methods like PUT, DELETE, TRACE.

  • Restrict WebDAV or remove it if unnecessary.

  • Configure security headers (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security).

  • Use authentication and access control on sensitive directories.
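
One way to turn saved scan output into the hardening actions listed above, as an added example that is not part of the original page. The report text is constructed from the page's sample outputs, and `parse_nse` and `audit` are hypothetical helper names; the parser assumes Nmap's normal output for a single host and port.

```python
import re

# Constructed sample: the page's example outputs merged into one Nmap report.
SAMPLE = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-headers:
|   Server: Microsoft-IIS/10.0
|   X-Frame-Options: SAMEORIGIN
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS PUT
| http-webdav-scan:
|_  Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND
"""

RISKY = {"PUT", "DELETE", "TRACE"}                  # methods the page says to disable
REQUIRED = ("X-Frame-Options", "Content-Security-Policy",
            "Strict-Transport-Security")            # headers the page says to configure
HEAD = re.compile(r"^\|[_ ]([a-z0-9-]+):\s*(.*)$")  # "| http-methods:" or "|_http-title: x"
BODY = re.compile(r"^\|[_ ]\s+(\S.*)$")             # "|   Server: ..." or "|_  ..."

def parse_nse(text):
    """Group NSE output lines of a single-port report by script name."""
    blocks, current = {}, None
    for line in text.splitlines():
        head, body = HEAD.match(line), BODY.match(line)
        if head:
            current = blocks.setdefault(head.group(1), [])
            if head.group(2):                       # one-line script result
                current.append(head.group(2))
        elif body and current is not None:
            current.append(body.group(1))
        else:
            current = None                          # left the script-output area
    return blocks

def audit(text):
    """Map scan output to hardening actions (hypothetical helper)."""
    blocks, methods = parse_nse(text), set()
    for script in ("http-methods", "http-webdav-scan"):
        for line in blocks.get(script, []):
            if line.startswith(("Supported Methods:", "Allowed Methods:")):
                methods |= set(re.findall(r"[A-Z]+", line.split(":", 1)[1]))
    findings = [f"disable HTTP method {m}" for m in sorted(methods & RISKY)]
    if "PROPFIND" in methods:                       # PROPFIND is a WebDAV-only method
        findings.append("restrict or remove WebDAV")
    if "http-headers" in blocks:
        seen = {l.split(":", 1)[0].strip().lower() for l in blocks["http-headers"]}
        findings += [f"add header {h}" for h in REQUIRED if h.lower() not in seen]
    return findings
```

Calling `audit(SAMPLE)` returns one action per risky method, the WebDAV action, and the two missing headers. Strict-Transport-Security only takes effect on HTTPS responses, so that finding applies to the site's TLS binding rather than to port 80 itself.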