
18. Nmap HTTP Enumeration Finding Hidden Files And Directories

This command leverages the http-enum NSE script to discover directories, files, and services exposed on a web server. It is commonly used in web application reconnaissance during penetration testing.


Command:

nmap -sV -p 80 --script http-enum 192.168.56.104

Explanation:

Flags and Options:

  1. -sV:

    • Enables service version detection.
    • Identifies the web server software and version (e.g., Apache, Nginx). The script does not need it to run, but the version string is what you will check against known vulnerabilities later.

  2. -p 80:

    • Specifies port 80, the default HTTP port, as the target.
    • Only the ports listed here are scanned; the script runs on any scanned port that looks like HTTP or HTTPS, so -p 80,443,8080,8443 covers the usual web ports in one pass.

  3. --script http-enum:

    • Executes the http-enum NSE script, which enumerates well-known files, directories, and web applications on the target web server.
    • Searches for common endpoints, such as admin panels, login pages, and default files (e.g., robots.txt, phpmyadmin, index.php).
    • The script matches a built-in fingerprint database rather than brute-forcing a wordlist, so it is quick and relatively quiet but only reports paths it already knows about. If the application lives under a sub-path, pass --script-args http-enum.basepath=<dir> so the probes are sent there.

  4. 192.168.56.104:

    • The target IP address.


Purpose:

  • Directory Enumeration: Identifies exposed directories and files that may provide insights into the server’s structure.
  • Identify Potential Exposures: Finds unprotected admin panels, backup folders, or sensitive files that an attacker would target next.

Example Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-enum: 
|   /admin/: Possible admin folder
|   /robots.txt: Robots file
|   /login/: Login page
|   /phpmyadmin/: phpMyAdmin interface
|   /backup/: Backup folder
|_  /test/: Test directory

Key Findings:

  1. Exposed Directories:

    • /admin/: Could be an administrative interface. Check whether it enforces authentication and access controls.
    • /robots.txt: Contains crawler directives; its Disallow entries often list paths the operator wanted kept out of search engines, which makes it a cheap map of what to look at next.
    • /phpmyadmin/: Indicates a phpMyAdmin interface, which, if reachable without authentication or with default credentials, could allow direct database access.
    • /backup/: Backup files or configurations, which may expose credentials, source code, or other sensitive data.
    • /test/: Test or leftover scripts that were never hardened or removed, often with debugging output still enabled.

  2. Web Server Version:

    • Identifies the server software and version (e.g., Apache 2.4.41), useful for checking known vulnerabilities. Treat the banner as a hint rather than proof, since it can be altered or reflect a distribution backport.


Actionable Insights:

  • Investigate Sensitive Directories:

    • Use tools like curl or browsers to examine exposed directories and files for misconfigurations or sensitive information.

  • Mitigation Recommendations:

    • Restrict access to sensitive directories using authentication or IP whitelisting.
    • Remove unnecessary files or directories from the server.
    • Ensure software is up-to-date to mitigate vulnerabilities.

  • Further Testing:

    • Combine with other tools like dirbuster or gobuster for deeper enumeration.
    • Use vulnerability scanners to assess the risk of identified directories or services.
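As an added, runnable example (not code from the original page), the following POSIX shell helper ties the steps above together: it runs the scan from this page with -oN so the result is kept on disk, parses the http-enum block out of that output, and probes each reported path with curl so that paths that are really reachable (200) can be told apart from ones behind access controls (401/403) or stale fingerprints (404). The port list, output filename, curl options and the TARGET variable are assumptions for illustration; the scan output embedded in the script is constructed to mirror the example output above so the parser can be exercised without a target.

```shell
#!/bin/sh
# Added example: triage helper for nmap http-enum results (not code from the page).
#   run_http_enum      - runs the page's scan on the usual web ports, saving -oN output
#   extract_enum_paths - pulls "port path" pairs out of the http-enum block(s)
#   probe_paths        - fetches each path with curl and prints its HTTP status
# Only scan hosts you are authorized to test.

run_http_enum() {
    # $1 = target, $2 = output file. The port list is an assumption; widen as needed.
    nmap -sV -p 80,443,8080,8443 --script http-enum -oN "$2" "$1"
}

extract_enum_paths() {
    # $1 = nmap normal (-oN) output. Prints one "port path" line per finding.
    # The script block looks like:
    #   80/tcp open  http    Apache httpd 2.4.41
    #   | http-enum:
    #   |   /admin/: Possible admin folder
    #   |_  /test/: Test directory          <- "|_" marks the block's last line
    awk '
        /^[0-9]+\/tcp +open/ { split($1, a, "/"); port = a[1]; inblock = 0; next }
        /^\|_? *http-enum/   { inblock = 1; next }
        inblock && /^\|[_ ] *\// {
            line = $0
            sub(/^\|[_ ] */, "", line)        # drop the "|   " / "|_  " prefix
            sub(/(: | - ).*$/, "", line)      # keep the path, drop the description
            print port, line
            if ($0 ~ /^\|_/) inblock = 0      # "|_" closes the block
            next
        }
        inblock && !/^\|/ { inblock = 0 }     # any other line ends the block
    ' "$1"
}

probe_paths() {
    # $1 = target host; reads "port path" lines on stdin (extract_enum_paths output).
    # -s quiet, -o /dev/null drop the body, -w print the status, -k accept lab
    # self-signed certs, -m 10 bound each request. A connection failure prints ERR.
    while read -r port path; do
        case "$port" in 443|8443) scheme=https ;; *) scheme=http ;; esac
        url="$scheme://$1:$port$path"
        code=$(curl -sk -o /dev/null -m 10 -w '%{http_code}' "$url" || echo ERR)
        printf '%s %s\n' "$code" "$url"
    done
}

# Constructed sample in -oN format, mirroring the example output above, so the
# parser can be exercised without a target.
SAMPLE_NMAP_OUTPUT='PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-enum: 
|   /admin/: Possible admin folder
|   /robots.txt: Robots file
|   /login/: Login page
|   /phpmyadmin/: phpMyAdmin interface
|   /backup/: Backup folder
|_  /test/: Test directory

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .'

sample_enum_paths() {
    # Runs the parser over the constructed sample (offline).
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" > "$tmp"
    extract_enum_paths "$tmp"
    rm -f "$tmp"
}

if [ -n "${TARGET:-}" ]; then
    # Live use: TARGET=192.168.56.104 sh http-enum-triage.sh
    out="http-enum-$TARGET.nmap"
    run_http_enum "$TARGET" "$out"
    extract_enum_paths "$out" | probe_paths "$TARGET"
else
    sample_enum_paths
fi
```

Run it without TARGET to see the parser's output for the embedded sample; with TARGET set it performs the scan and the probes. Keeping the -oN file means the scan never has to be repeated just to re-read the findings, and the status column from probe_paths is what decides which entries go on the list for manual review versus which are already blocked.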

Use Case:

This command is ideal for web application reconnaissance during penetration tests. It helps identify low-hanging fruit, such as misconfigurations or exposed resources, which could be exploited further. Ensure you have proper authorization before performing scans.