Examples
This page lists some common uses of http-dir-enum. The output has been edited for brevity in most cases.
Guessing Directory Names
The simplest (and most common) way to run http-dir-enum is:
$ http-dir-enum.pl -f directory-names.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( http://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )
URL .................... http://192.168.2.54
Directory name file .... directory-names.txt
HTTP Method ............ HEAD
Recursive dir search ... On
Auto-ignore ............ On
######## Scan started on Fri Mar 28 16:08:11 2008 #########
[I] Processing directory: / (0 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54
cgi-bin 403
doc 403
icons 200
test 200
images 200
[I] Processing directory: cgi-bin (4 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/cgi-bin
[I] Processing directory: doc (3 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/doc
[I] Processing directory: icons (2 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/icons
[I] Processing directory: test (1 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/test
test/include 200
test/www 403
[I] Processing directory: images (2 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/images
[I] Processing directory: test/include (1 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/test/include
[I] Processing directory: test/www (0 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/test/www
######## Scan completed on Fri Mar 28 16:08:16 2008 #########
7 results.
5648 queries in 5 seconds (1130 queries / sec)
This will guess directory names using the dictionary file directory-names.txt. http-dir-enum will automatically figure out which HTTP response code it needs to ignore - for most directories it's 404, but for some it's 403 or even 200. Any requests that don't elicit the ignored response code are reported.
By default directory name guessing is recursive, i.e. when a directory is found http-dir-enum searches for subdirectories within it. To turn off recursion use -r 0.
HTTP HEAD requests are used by default as they're smaller and faster. Some servers don't respond well to HEAD requests, so you can use GET requests instead with -H g.
To slow scans down a bit (you don't want to DoS the server you're testing!) you can use -l 100 to limit scanning to 100 requests per second. You'll need to figure out how many requests the target can handle. It varies a lot between servers, and even between directories on a single server.
If you're scanning an IIS server you might want to use -S 0 to turn off case sensitivity.
You can use just the first 2000 lines of your huge dictionary file using -n 2000.
If for some reason you don't want http-dir-enum to automatically detect which HTTP response code to ignore, use -a 0 to turn off this feature.
To manually specify an HTTP response code to ignore, use something like -i 404, or -i '404|200'.
Less Output
If you'd prefer not to know exactly where your scan is up to, you can use the -q option:
$ http-dir-enum.pl -q -f directory-names.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( http://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )
URL .................... http://192.168.2.54
Processes .............. 8
Directory name file .... directory-names.txt
Query timeout .......... 20 secs
HTTP Method ............ HEAD
Max Queries / sec ...... unlimited
Trailing slash ......... On
Recursive dir search ... On
Close connections ...... Off
Follow redirects ....... Off
Case sensistive dirs ... On
Auto-ignore ............ On
######## Scan started on Fri Mar 28 16:21:25 2008 #########
icons 200
test 200
images 200
cgi-bin 403
doc 403
test/include 200
test/www 403
######## Scan completed on Fri Mar 28 16:21:29 2008 #########
7 results.
5648 queries in 4 seconds (1412 queries / sec)
Guessing File Names
Sometimes during testing you need to search all the directories on a web server for a particular file. Maybe you just uploaded a file via the web app, but don't know where it's storing it on the server. Or, maybe you just researched the web server you're testing and found that 'password.properties' is a really important file if you can download it.
You need to supply a list of known directory names (taken from your directory-guessing attack), and a list of filenames:
$ http-dir-enum.pl -k dirs.txt -f files.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( http://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )
######## Scan started on Fri Mar 28 16:35:48 2008 #########
[I] Processing directory: cgi-bin (6 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/cgi-bin
cgi-bin/test.cgi 200
[I] Processing directory: icons (6 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/icons
[I] Processing directory: test (5 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/test
[I] Processing directory: images (4 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/images
[I] Processing directory: doc (3 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/doc
[I] Processing directory: test/include (2 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/test/include
[I] Processing directory: test/www (1 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/test/www
[I] Processing directory: cgi-bin/test.cgi (0 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/cgi-bin/test.cgi
######## Scan completed on Fri Mar 28 16:35:50 2008 #########
1 results.
1688 queries in 2 seconds (844 queries / sec)
Apache Username Guessing
Apache servers configured with the UserDir directive are vulnerable to username enumeration. This can be exploited with http-dir-enum. First create a dictionary file in the following format:
~root
~bin
~listen
~adm
...
Then run http-dir-enum with your dictionary file:
$ http-dir-enum.pl -f apache-tilda-usernames.txt http://localhost
Starting http-dir-enum v0.4.3 ( http://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )
######## Scan started on Mon Mar 31 12:51:25 2008 #########
[I] Processing directory: / (0 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://localhost
~adm 403
~apache 403
~bin 403
~cron 403
~daemon 403
~ftp 403
~games 403
~halt 403
~ldap 403
~lp 403
...
Each user that exists on the system should show up with a 403 response code (meaning that user's home directory exists, but you can't browse it).
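From the defender's side, the directory-guessing and username-guessing runs above leave a recognisable footprint in the web server's access log: a burst of HEAD requests to many distinct paths, nearly all answered with the one status code the tool auto-ignores, and a run of /~name requests answered 403 where UserDir is enabled. The following is an added example, not part of http-dir-enum, that flags both patterns over constructed Apache combined-format log lines; the thresholds (20 requests within 10 seconds, 80% dominance, 5 distinct users) are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Apache combined/common log format; captures only the fields the heuristics need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, min_requests=20, window_secs=10, ratio=0.8):
    """Return {ip: [finding, ...]} for clients whose traffic looks like a scan."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) >= min_requests and span <= window_secs:
            # Directory guessing: many distinct paths, one dominant "ignored" code.
            code, n = Counter(r["status"] for r in recs).most_common(1)[0]
            distinct = len({r["path"] for r in recs})
            if n >= ratio * len(recs) and distinct >= ratio * len(recs):
                findings[ip].append(f"dir-scan: {len(recs)} reqs, {distinct} paths, {n}x{code} in {span:.0f}s")
        # UserDir probing: /~name paths answered 403 reveal which accounts exist.
        users = {r["path"] for r in recs if r["path"].startswith("/~") and r["status"] == 403}
        if len(users) >= 5:
            findings[ip].append(f"userdir-enum: {len(users)} /~user paths answered 403")
    return dict(findings)

# Constructed sample log (not from a real server): one scanner, one normal visitor.
def _line(ip, sec, method, path, status):
    return f'{ip} - - [28/Mar/2008:16:08:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} -'
SAMPLE_LOG = (
    [_line("192.168.2.10", 11 + i // 10, "HEAD", f"/guess{i:02d}/", 404) for i in range(40)]
    + [_line("192.168.2.10", 14, "HEAD", f"/{d}/", 200) for d in ("icons", "test", "images")]
    + [_line("192.168.2.10", 15, "HEAD", f"/~{u}/", 403) for u in ("adm", "bin", "ftp", "lp", "games")]
    + [_line("192.168.2.77", 11, "GET", "/index.html", 200), _line("192.168.2.77", 12, "GET", "/images/logo.png", 200)]
)

if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG).items():
        print(ip, *notes, sep="\n  ")
```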
Using HTTPS
http-dir-enum is based on the LWP library, so it can do SSL if LWP is installed properly. Simply specify an HTTPS URL:
$ http-dir-enum.pl -f dict.txt https://192.168.2.54
Non-Standard TCP Ports
Simply put the port number in the URL as you would in a browser:
$ http-dir-enum.pl -f dict.txt http://192.168.2.54:8000
Using a Proxy
Use the -P option to specify the URL for your proxy:
$ http-dir-enum.pl -P http://myproxy:3128 -f dict.txt http://192.168.2.54
Using Basic Authentication
You can specify Basic Auth credentials on the command line:
$ http-dir-enum.pl -u user -p pass -f dict.txt http://192.168.2.54