Enumerating Drupal Web Using Nmap Script Engine http-drupal-modules
Hai hai hai.. As my promise before, tonight i will talk a liitle about Nmap Script Engine, especially http-drupal-modules. First of all, i will talk a little about NSE.
What is NSE actually? The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language, ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Why NSE Powerful? Because NSE is an enhance feature from basic nwtwork mapping. NSE able to detect vulnerability,NSE able to detect backddor, malware, and NSE also worthedfor vulnerability exploitation. So it is not all about the only network mapping anymore, right? :D Fora completelistof NSE feature, youcan see this page : http://nmap.org/nsedoc/
Okay, and now what about http-drupal-modules? What is this module function? http-driupal-module is one of Nmap Script Engine. The author is Hani Benhabiles, OWASP Chapter From Algeria (Hai Hanii !!! :D). Drupal is one of famous CMS (besides Joomlaand WP) on the web. But not many pentest tools, or vulnerability tools talk about Drupal (We know some tools for vulnerability assesment in WPor Joomla). One of the common activity to get information about the CMS, we find the module or plugin that used by its CMS. (Also Themes. WKwkwk) And now, Hani release NSE module to enumerate Drupal Web using http-drupal-modules.
Okay, i will cite some paragraph from Hani’s Blog The recommended (and probably widely used) path to install Drupal modules is /sites/all/modules/. But this is not always true as modules may be in /sites/default/modules/ or /sites/www.example/modules/ for instance. A good way to find uncommon modules paths is to grep for them in the body of normal responses.
A first thought would be to query the modules folder. For example the Views module would be in /sites/all/modules/views/ and check for the returned response (status code, or any string). But I have found this to be not so reliable and varying depending on setups. Not long ago, I have found that LICENSE.txt is a file added automatically to each module uploaded on drupal.org. Perfect, as static content, we could also grep the responses to check for server configurations that return custom 200 Ok responses instead of 404 for not missing resources.
Okay,now let’s the party get started. Turn on your machine and find some targets (Hahaha.. Evil smirk)
1. Download NSE Script http-drupal-modules
You can download from here : http://nmap.org/svn/scripts/http-drupal-modules.nse
2. Install NSE Script
For Linux User, put the http-drupal-modules.nse in /usr/share/nmap/scripts dan di folder /usr/local/share/nmap/scripts
For Windows user, put he http-drupal-modules.nse c:\Program Files\Nmap\Scripts
3.Update NSE script DB
digit@digit-laptop:~$ sudo nmap --script-updatedb
4. Script Arguments Options for Nmap NSE http-drupal-modules :
The base path. Defaults to /.
Number of modules to check. Use this option with a number or “all” as an argument to test for all modules. Defaults to 100.
The path to the modules folder. If not set, the script will try to find the path or default to sites/all/modules/
http-max-cache-size, http.pipeline, http.useragent
See the documentation for the http library
Before testing your target, please make sure, this requirement library is complete
(Check in folder /usr/share/nmap/nselib and folder /usr/local/share/nmap/nselib to ensure the requirement is ullfilled)
➢ pcre (pcre is not included in nselib folder, and you cant find pcre.lua in nmap svn repository, too. Based on Hani’s statement in email, pcre is written in C not in Lua. Maybe for the performance issue.)
5. Testing the Target (For Educational Purpose Only) :
Example Usage NSE http-drupal-modules :
nmap –script http-drupal-modules –script-args http-drupal-modules.root=”/”,http-drupal-modules.number=1000 target.com
root@cybertron:# nmap –script http-drupal-modules –script-args http-drupal-modules.root=”/”,http-drupal-modules.number=1000 drupalsite.org
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-23 14:35 WIT Nmap scan report for drupalsite.org (126.96.36.199) Host is up (0.35s latency). rDNS record for 188.8.131.52: schettler.net Not shown: 986 closed ports PORT STATE SERVICE 21/tcp open ftp 25/tcp filtered smtp 80/tcp open http | http-drupal-modules: | views | token | pathauto | wysiwyg | google_analytics | advanced_help | jquery_ui | devel | transliteration | mollom | addthis | masquerade | comment_notify | follow | twitter_pull | devel_themer | feedback |_ noggin 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 443/tcp open https 445/tcp filtered microsoft-ds 465/tcp filtered smtps 593/tcp filtered http-rpc-epmap 1433/tcp filtered ms-sql-s 1434/tcp filtered ms-sql-m 3333/tcp filtered dec-notes 4444/tcp filtered krb524 8222/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 145.19 seconds
root@cybertron:# nmap –script http-drupal-modules –script-args http-drupal-modules.root=”/”,http-drupal-modules.number=1000 drupal.org
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-23 14:22 WIT Nmap scan report for drupal.org (184.108.40.206) Host is up (0.30s latency). Other addresses for drupal.org (not scanned): 220.127.116.11 18.104.22.168 rDNS record for 22.214.171.124: master2.drupal.org Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http | http-drupal-modules: | views | comment_upload |_ fasttoggle 443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 152.04 seconds
Happy Hacking :D