A while ago I wrote about more efficient brute forcing if mod_negotiation is enabled. I also released a Python script to automate this. Well, now I've written some Metasploit auxiliary modules that perform the same task. One module can be used to scan ranges for web servers that have it enabled, the other module can be used to actually brute force files. You can find them on GitHub:
I've also made a Redmine ticket on Metasploit and submitted them, if you are lazy and just want to wait until Metasploit includes them. Assuming they do; after all, it's my first attempt at contributing to Metasploit and my code might not be up to the standards.
For the ones paying attention to every detail, yes I fucked up and made a typo while submitting the ticket :)
If you want to use them you can place them in the following directory:
[metasploit-root]/modules/auxiliary/scanner/http/
After you've placed them there, just fire up Metasploit and perform a search for negotiation; they should show up in the results. If something goes wrong, read the code; I didn't do a lot of error checking. If you are wondering why I chose to make modules for the mod_negotiation issue… like always, I wanted to learn something new, and I was familiar with it so was more confident I could implement them. If it all went well, it should all look like the following:
Search results
msf > search negotiation
[*] Searching loaded modules for pattern 'negotiation'...

Auxiliary
=========

   Name                                  Disclosure Date  Rank    Description
   ----                                  ---------------  ----    -----------
   scanner/http/mod_negotiation_brute                     normal  HTTP Mod Negotiation Bruter
   scanner/http/mod_negotiation_scanner                   normal  HTTP Mod Negotiation Scanner

Scanner information
msf > info scanner/http/mod_negotiation_scanner

       Name: HTTP Mod Negotiation Scanner
    Version: 0.1
    License: BSD License
       Rank: Normal

Provided by:
  diablohorn <diablohorn@gmail.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  index            yes       Filename to use as a test
  PATH      /                yes       The path to detect mod_negotiation
  Proxies                    no        Use a proxy chain
  RHOSTS                     yes       The target address range or CIDR identifier
  RPORT     80               yes       The target port
  THREADS   1                yes       The number of concurrent threads
  VHOST                      no        HTTP server virtual host

Description:
  This module scans the webserver of the given host(s) for the
  existence of mod_negotiate. Returns the ip if the host is
  vulnerable.

Bruter information
msf > info scanner/http/mod_negotiation_brute

       Name: HTTP Mod Negotiation Bruter
    Version: 0.1
    License: BSD License
       Rank: Normal

Provided by:
  diablohorn <diablohorn@gmail.com>

Basic options:
  Name      Current Setting                                 Required  Description
  ----      ---------------                                 --------  -----------
  FILEPATH  /opt/metasploit3/msf3/data/wmap/wmap_files.txt  yes       path to file with file names
  PATH      /                                               yes       The path to detect mod_negotiation
  Proxies                                                   no        Use a proxy chain
  RHOSTS                                                    yes       The target address range or CIDR identifier
  RPORT     80                                              yes       The target port
  THREADS   1                                               yes       The number of concurrent threads
  VHOST                                                     no        HTTP server virtual host

Description:
  This module performs a brute force attack using mod_negotiation on
  the given host(s). Returns the ip and the found file if the host is
  vulnerable.