Abusing mod_userdir to enumerate user accounts
Apache's module userdir
provides access to user directories using URIs with the syntax /~username/
. With Nmap, we can perform dictionary attacks and determine a list of valid usernames on the system remotely.
This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir
enabled.
How to do it...
To attempt to enumerate valid users in a web server with mod_userdir
, use the following command:
$ nmap -p80 --script http-userdir-enum <target>
All the users found will be included in the results:
PORT STATE SERVICE 80/tcp open http |_http-userdir-enum: Potential Users: root, web, test
How it works...
The Nmap options -p80 --script http-userdir-enum
launch the NSE script http-userdir-enum
if a web server is found on port 80
(-p80
). Apache web servers with mod_userdir
allow access to user directories using URIs such as http://domain.com/~root/
, and this script helps us...