hack:nmap_scripts

The nmap.org site provides vulnerability-detection and intrusion-detection scripts at http://nmap.org/nsedoc/

HTTP-related scripts:

Enumerating and testing dangerous HTTP methods: http-methods

nmap --script=http-methods.nse --script-args http-methods.retest=1 <@adressehost>
....
80/tcp open http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 403 Forbidden
|
| HEAD / -> HTTP/1.1 403 Forbidden
|
| POST / -> HTTP/1.1 404 Not Found
|
| OPTIONS / -> HTTP/1.1 200 OK
|
|_TRACE / -> HTTP/1.1 200 OK
...

Enumerating a server's directories: http-enum

nmap --script=http-enum.nse <@adressehost>
.....
8080/tcp open http-proxy
| http-enum:
| /manager/: Possible admin folder
| /web-console/ServerInfo.jsp: JBoss Console
| /web-console/Invoker: JBoss Console
| /invoker/: JBoss Console
|_ /jmx-console/: JBoss Console
.....

Detecting the Apache Killer vulnerability: http-vuln-cve2011-3192

nmap --script=http-vuln-cve2011-3192.nse -pT:80,443 <@adressehost>
.....
80/tcp open http
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 OSVDB:74721
| Description:
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| http://seclists.org/fulldisclosure/2011/Aug/175
| http://nessus.org/plugins/index.php?view=single&id=55976
| http://osvdb.org/74721
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
.....

Detecting the JBoss authentication bypass vulnerability: http-vuln-cve2010-0738

nmap --script=http-vuln-cve2010-0738.nse <@adressehost>
.....
8080/tcp open http-proxy
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
....

Other scripts to test:

  • http-default-accounts
  • http-passwd (path traversal)
  • http-put
  • http-trace
  • http-userdir-enum

These scripts are available on BackTrack 5 as root.
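
To triage output like the excerpts above across many hosts, the following added example (not part of the original page or of Nmap) parses normal-format NSE output into per-port script blocks and keeps only the blocks that report a finding. The function names and the sample text are assumptions, built from the output shown on this page.

```python
import re
# Constructed sample, assembled from the scan output excerpts on this page.
SAMPLE = """\
80/tcp open http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_TRACE / -> HTTP/1.1 200 OK
| http-vuln-cve2011-3192:
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 OSVDB:74721
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
8080/tcp open http-proxy
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
"""
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")

def parse_nse(text):
    # A block opens on the first '|' line after a port or '|_' line and closes on '|_'.
    blocks, port, body = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, body = m.group(1), None
        elif port and line.startswith("|"):
            last = line.startswith("|_")
            content = line[2 if last else 1:].strip()
            if body is None:
                name, _, rest = content.partition(":")
                body = [rest.strip()] if rest.strip() else []
                blocks.append((port, name.strip(), body))
            elif content:
                body.append(content)
            if last:
                body = None
    return blocks

def findings(text):
    out = []
    for port, script, body in parse_nse(text):
        joined = "\n".join(body)
        risky = re.search(r"Potentially risky methods:\s*(.+)", joined)
        ids = re.search(r"IDs:\s*(.+)", joined)
        if risky:
            out.append((port, script, "risky methods: " + risky.group(1).strip()))
        elif "State: VULNERABLE" in joined:
            out.append((port, script, "vulnerable: " + (ids.group(1).strip() if ids else "no ID listed")))
        elif "Authentication was not required" in joined:
            out.append((port, script, "no authentication required"))
    return out
```

Calling findings() on the text saved with nmap -oN returns one (port, script, detail) tuple per reported issue; blocks with nothing to report, such as a plain http-title line, are dropped.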

hack/nmap_scripts.txt · Last modified: 2019/02/13 13:10 by 127.0.0.1