The nmap.org site provides vulnerability and intrusion detection scripts at http://nmap.org/nsedoc/
# Scripts for HTTP #
## Enumerating and testing dangerous HTTP methods: http-methods ##
nmap --script=http-methods.nse --script-args http-methods.retest=1 <@adressehost>
....
80/tcp open http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 403 Forbidden
|
| HEAD / -> HTTP/1.1 403 Forbidden
|
| POST / -> HTTP/1.1 404 Not Found
|
| OPTIONS / -> HTTP/1.1 200 OK
|
|_TRACE / -> HTTP/1.1 200 OK
...
## Enumerating a server's directories: http-enum ##
nmap --script=http-enum.nse <@adressehost>
.....
8080/tcp open http-proxy
| http-enum:
| /manager/: Possible admin folder
| /web-console/ServerInfo.jsp: JBoss Console
| /web-console/Invoker: JBoss Console
| /invoker/: JBoss Console
|_ /jmx-console/: JBoss Console
.....
## Detecting the Apache Killer vulnerability: http-vuln-cve2011-3192 ##
nmap --script=http-vuln-cve2011-3192.nse -pT:80,443 <@adressehost>
.....
80/tcp open http
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 OSVDB:74721
| Description:
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| http://seclists.org/fulldisclosure/2011/Aug/175
| http://nessus.org/plugins/index.php?view=single&id=55976
| http://osvdb.org/74721
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
.....
## Detecting the JBoss authentication bypass vulnerability: http-vuln-cve2010-0738 ##
nmap --script=http-vuln-cve2010-0738.nse <@adressehost>
.....
8080/tcp open http-proxy
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
....
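The http-methods and http-vuln-cve2010-0738 results above are meant to be read by a person; when a whole range is scanned it helps to triage the normal-format output automatically. The following is an added example (not part of this page or of nmap) that parses a constructed sample of that output, groups script lines per port, and reports risky methods that answer 2xx plus any http-vuln-* hit:

```python
import re
# Constructed sample in nmap normal output, mirroring the http-methods and http-vuln results above.
SAMPLE = """\
80/tcp   open  http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| GET / -> HTTP/1.1 403 Forbidden
| OPTIONS / -> HTTP/1.1 200 OK
|_TRACE / -> HTTP/1.1 200 OK
8080/tcp open  http-proxy
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\b")
SCRIPT_RE = re.compile(r"^(http-[\w-]+):\s*(.*)$")  # first line of a script block
RESP_RE = re.compile(r"^([A-Z]+)\s+\S+\s+->\s+HTTP/\d\.\d\s+(\d{3})")  # "TRACE / -> HTTP/1.1 200 OK"

def parse_scripts(text):
    """Map port -> script id -> list of output lines, with the '|' framing stripped."""
    result, port, script = {}, None, None
    for raw in text.splitlines():
        if m := PORT_RE.match(raw):
            port, script = int(m.group(1)), None
            result[port] = {}
        elif port is not None and raw.startswith("|"):
            line = raw[1:].lstrip("_").strip()  # "| x", "|_x" and "|_ x" all become "x"
            if m := SCRIPT_RE.match(line):
                script = m.group(1)
                result[port][script] = [m.group(2)] if m.group(2) else []
            elif script and line:
                result[port][script].append(line)
    return result

def findings(text):
    """(port, script, detail) tuples: risky methods that answer 2xx, and any http-vuln hit."""
    out = []
    for port, scripts in parse_scripts(text).items():
        for script, lines in scripts.items():
            if script == "http-methods":
                risky = [l.split(":", 1)[1].split() for l in lines if l.startswith("Potentially risky")]
                status = {m.group(1): m.group(2) for m in map(RESP_RE.match, lines) if m}
                for meth in (risky[0] if risky else []):
                    if status.get(meth, "").startswith("2"):
                        out.append((port, script, f"{meth} enabled (HTTP {status[meth]})"))
            elif script.startswith("http-vuln-"):
                out.extend((port, script, l) for l in lines
                           if "VULNERABLE" in l or "Authentication was not required" in l)
    return out
```

Feed it the file written by `nmap -oN` to get the same triage over a real scan; a risky method that only returns 403/405 is not reported, since the server refuses it.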
## Other scripts to try: ##
* HTTP-DEFAULT-ACCOUNTS
* HTTP-PASSWD (path traversal)
* HTTP-PUT
* HTTP-TRACE
* HTTP-USERDIR-ENUM
These scripts are available on BackTrack 5 when running as root.