17. Nmap HTTP Enumeration Detecting HTTP Methods

Enumerating HTTP Methods

nmap -Pn -sV -p 80 -T4 --script http-methods --script-args http-methods.test-all nmap.scanme.org

Explanation:

Flags and Options:

  1. -Pn:
    • Disables host discovery (no ping).
    • Useful for scanning hosts that block ICMP packets or appear offline.
  2. -sV:
    • Enables service version detection.
    • Identifies the software and version running on the web server.
  3. -p 80:
    • Specifies port 80 (default HTTP port).
  4. -T4:
    • Sets a faster timing template for quicker scans.
    • Suitable for stable network connections.
  5. --script http-methods:
    • Executes the http-methods NSE script, which enumerates supported HTTP methods.
  6. --script-args http-methods.test-all:
    • Configures the script to test all HTTP methods individually, including standard (e.g., GET, POST) and potentially dangerous ones (e.g., PUT, DELETE, TRACE).
    • Because requests such as DELETE / are really sent to the target, this argument can make the script unsafe; without it the script relies mainly on the server's OPTIONS response.
  7. nmap.scanme.org:
    • The target domain for the scan.


Purpose:

  • Enumerate HTTP Methods: Identify HTTP methods supported by the target server.
  • Test for Misconfigurations: Detect potentially risky HTTP methods (e.g., PUT, DELETE, TRACE) that could be exploited for attacks like file upload or request tracing.

Example Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|   Potentially risky methods: TRACE
|_  See https://nmap.org/nsedoc/scripts/http-methods.html

Key Findings:

  1. Supported Methods:
    • Lists HTTP methods the server supports, such as GET, HEAD, POST, OPTIONS, and TRACE.
  2. Potentially Risky Methods:
    • Identifies methods like TRACE, PUT, or DELETE, which may allow:
      • TRACE: Cross-Site Tracing (XST) attacks.
      • PUT: Arbitrary file uploads, potentially leading to malicious code execution.
      • DELETE: Deletion of server files or resources.
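
To make the findings above a repeatable check after hardening, the following added example (not part of the original page or of Nmap) parses saved Nmap output and fails when a method from a policy list is still advertised. The function names and the RISKY list are assumptions for illustration; the sample input is the example output shown on this page.

```sh
#!/bin/sh
# Added example: audit saved Nmap output (-oN file or captured stdout) for the
# HTTP methods this page calls risky. RISKY is an assumed policy list; adjust it.
RISKY="TRACE PUT DELETE"

# risky_methods FILE: print "PORT METHOD" for every risky method advertised
risky_methods() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        { sub(/\r$/, "") }                        # tolerate CRLF files
        /^[0-9]+\/(tcp|udp)[ \t]/ { port = $1 }   # port table row, e.g. 80/tcp
        /^\|[_ ]+Supported Methods:/ {            # http-methods script line
            sub(/^.*Supported Methods:[ \t]*/, "")
            m = split($0, meth, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (toupper(meth[i]) in bad) print port, toupper(meth[i])
        }
    ' "$1"
}

# audit FILE: return 0 if clean, 1 (listing findings) if a risky method remains
audit() {
    found=$(risky_methods "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/RISKY: /'
    return 1
}

# write_sample FILE: the example output from this page, used as test input
write_sample() {
    cat > "$1" <<'EOF'
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|   Potentially risky methods: TRACE
|_  See https://nmap.org/nsedoc/scripts/http-methods.html
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit "$tmp" || echo "hardening incomplete"
rm -f "$tmp"
```

The check reads the Supported Methods line rather than Nmap's own "Potentially risky methods" line, so the policy list stays under your control.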

Actionable Insights:

  • Secure the Server:
    • Disable unnecessary or risky HTTP methods (TRACE, PUT, DELETE) unless explicitly needed.
    • Update the web server to the latest version if vulnerabilities are identified.
  • Validate Results:
    • Cross-check the findings using tools like curl or web security scanners to ensure accuracy.
  • Enhance Security:
    • Configure the web server so that it accepts, and advertises in its response headers, only the required HTTP methods.
    • Use a Web Application Firewall (WAF) to mitigate risks from misconfigured methods.

Use Case:

This command is particularly useful in web application penetration testing to detect misconfigurations and potential vulnerabilities related to HTTP methods. Ensure you have proper authorization before performing scans.