WEBVTT

00:00.870 --> 00:06.630
Listing supported HTTP methods is a crucial step in the process of auditing web servers.

00:06.660 --> 00:13.350
It allows system administrators and penetration testers to gain insight into the configuration and software

00:13.350 --> 00:19.920
of web servers, as well as identify potential security risks associated with certain HTTP methods.

00:19.950 --> 00:27.870
By leveraging the power of Nmap, an open-source network scanning tool, this task becomes efficient

00:27.870 --> 00:30.760
and effective when it comes to HTTP methods.

00:30.780 --> 00:36.030
Web servers can support a wide range of options, each serving a specific purpose.

00:36.270 --> 00:43.800
However, it's important to note that certain methods can introduce vulnerabilities,

00:43.800 --> 00:45.850
if not properly secured.

00:45.870 --> 00:48.560
For instance, methods like TRACE.

00:48.570 --> 00:51.210
Let's actually write it down on the notepad.

00:51.240 --> 00:53.760
Methods like TRACE.

00:53.760 --> 00:55.200
And so the.

00:57.300 --> 00:58.110
Will.

00:59.900 --> 01:00.470
An.

01:01.700 --> 01:05.930
Result in vulnerabilities.

01:07.820 --> 01:09.650
If not properly.

01:12.010 --> 01:12.550
Secured.

01:12.550 --> 01:13.090
Right.

01:13.870 --> 01:17.260
So these are the methods, for instance, TRACE.

01:18.990 --> 01:19.770
CONNECT.

01:21.220 --> 01:21.550
PUT.

01:23.070 --> 01:25.770
And DELETE, these methods.

01:26.400 --> 01:34.020
These HTTP methods have been known to pose potential security risks, especially the CONNECT one here,

01:34.020 --> 01:40.440
when misconfigured or exploited by malicious actors. To identify the supported HTTP methods on a web

01:40.440 --> 01:48.090
server, we can use the Nmap Scripting Engine again, NSE, which provides a collection of scripts specifically

01:48.090 --> 01:51.420
designed for network scanning and security assessments.

01:51.570 --> 02:01.860
One such script is the http-methods script, developed by Bernd Stroessenreuther, which allows you to enumerate

02:01.860 --> 02:04.020
the supported methods of a web server.

02:04.020 --> 02:11.880
So let's dive into the practical steps of using Nmap with the http-methods script to list the HTTP methods

02:11.880 --> 02:14.670
supported by a target web server.

02:15.000 --> 02:20.220
Now let's open your terminal or command prompt and enter this command.

02:20.220 --> 02:22.980
Firstly, we will use sudo here.

02:22.980 --> 02:36.300
We will add ports here, port 80, HTTP, and 443, SSL/TLS, the HTTPS, and we will also use the script here,

02:36.300 --> 02:46.170
--script http-methods, and here we will also add script arguments, with which we will test all, so --script-args

02:47.900 --> 02:54.860
http-methods.test-all, and here we will make it equal true.

02:55.340 --> 02:58.070
And after that you will enter your target system.

02:58.070 --> 03:01.610
In this case, we will test it on two systems.

03:01.820 --> 03:05.090
One is a web server, just with WordPress installed on it.

03:05.180 --> 03:11.510
This is just a web hosting server and another is our Metasploitable virtual machine.

03:11.750 --> 03:19.480
So let's actually use it with code Silicom firstly, and here we have a problem because we didn't write

03:19.490 --> 03:20.330
nmap here.

03:20.330 --> 03:23.000
Sorry, nmap. That's it.

03:23.000 --> 03:27.020
And here we will enter our sudo password, and we are waiting for it.

03:27.050 --> 03:31.340
As I said, you can use your arrow keys to print the results.

03:31.340 --> 03:37.580
In this case it was quick here, so let's actually explain this command first.

03:37.700 --> 03:46.730
In this command, the -p 80,443 specifies the ports to scan.

03:46.760 --> 03:56.180
In this case, port 80 and port 443, which are commonly used for HTTP and HTTPS communication,

03:56.180 --> 03:56.780
as I said.

03:56.780 --> 04:05.990
So the http-methods script is invoked using this --script option, and the http-methods.test-all=true

04:05.990 --> 04:14.260
argument ensures that all supported methods are tested. And once the scan is complete, Nmap

04:14.270 --> 04:19.430
will present you with a comprehensive report that includes the supported methods for each web server

04:19.430 --> 04:23.240
detected on port 80 and port 443.

04:23.360 --> 04:28.520
For example, the output will look like this here.

04:28.520 --> 04:38.990
So here we have, on port 80, the GET, HEAD, POST, OPTIONS methods, and here we have OPTIONS, HEAD, GET, POST.

04:38.990 --> 04:46.820
So now what we're going to do is we will scan that on our Metasploitable vulnerable virtual machine.

04:46.820 --> 04:52.880
In this case, the machine is on my local IP here.

04:52.940 --> 04:55.280
Let's actually first scan it here.

04:55.970 --> 05:06.110
ipconfig. It was, uh, the Metasploitable IP address, the last digits were 141 here.

05:07.850 --> 05:09.290
Uh, the fifth.

05:09.320 --> 05:09.530
Yeah.

05:09.560 --> 05:11.690
13 141.

05:11.690 --> 05:12.770
And that's it.

05:12.770 --> 05:18.410
And here, as you can see, we also have GET, HEAD, POST, OPTIONS, and that's it.

05:18.410 --> 05:21.920
So first, actually, let's scan here.

05:21.920 --> 05:30.980
nmap -sV. We will scan this, we will scan the services available, and we can also use other

05:31.520 --> 05:35.840
protocols; instead of HTTP and HTTPS, we can use FTP and

05:36.500 --> 05:39.140
So there are a lot of protocols, as you know.

05:39.470 --> 05:42.350
So here it might take some time.

05:44.280 --> 05:46.710
And here we have a lot here.

05:46.710 --> 05:56.130
So let's actually now try the FTP, 20, 21, and we also have 20. Sorry, yes, 21 right now.

05:56.130 --> 06:00.930
We will test it on the... we will also add 21 here.

06:02.210 --> 06:03.170
21.

06:04.150 --> 06:07.270
And here on 21, we don't have any HTTP methods.

06:07.270 --> 06:10.990
And as you can see here, we have http-methods.test-all.

06:10.990 --> 06:18.940
So we don't have HTTP methods here because on port 21 the HTTP server is not active.

06:18.940 --> 06:20.830
As you can see, the service is different, right?

06:20.830 --> 06:29.410
But if you have some client that uses different ports for these HTTP ports here, instead of 80, it

06:29.410 --> 06:33.250
might use 8080 or other kinds of ports here.

06:33.280 --> 06:42.040
You might try this scan here, and then you will see the service information here so you can select your

06:42.040 --> 06:43.840
port accordingly.

06:43.840 --> 06:53.920
So here in this example, actually, let's scan that.com again.

06:57.600 --> 07:04.620
And here the output reveals that the web server supports common methods like GET, HEAD, POST, OPTIONS.

07:04.860 --> 07:11.760
And it also highlights the presence of potential risks, if you have one.

07:11.910 --> 07:14.990
In this case, the potentially risky method is the CONNECT method.

07:15.000 --> 07:21.720
But in this case, the CONNECT method is actually not working here; it might be for security

07:21.720 --> 07:23.970
reasons or other reasons here.

07:24.620 --> 07:31.100
So it's important to emphasize that the presence of a method in the list of supported methods doesn't

07:31.100 --> 07:36.730
automatically imply accessibility or security vulnerabilities.

07:36.740 --> 07:43.920
Additional factors such as configuration settings and firewall rules can impact method availability.

07:43.940 --> 07:50.420
Therefore, it's crucial to interpret the results in the broader context of the Web server's security

07:50.420 --> 07:51.010
posture.

07:51.020 --> 07:56.600
For more granular analysis, you can individually check the status codes and responses for each method

07:56.600 --> 08:00.580
using the http-methods.retest script argument.

08:00.620 --> 08:05.120
You can simply add it after the script arguments.

08:05.150 --> 08:13.460
You can use the http-methods.retest=all true here, and here we will provide a more practical example.

08:13.460 --> 08:16.070
And as you can see here, we have this here.

08:17.050 --> 08:20.460
And here we will also do another two.

08:21.630 --> 08:25.440
For the CONNECT method here, and as you can see here.

08:29.600 --> 08:31.850
Let's actually use localhost now.

08:33.970 --> 08:38.220
And as you can see, HTTP, it doesn't have any methods because it's not a service, right?

08:47.530 --> 08:49.150
And now we will do another method.

08:49.150 --> 08:52.900
So we will just delete the ports here.

08:52.900 --> 08:59.290
Instead of ports, we will use the -sV here, lowercase and uppercase V.

09:00.180 --> 09:07.350
And here we have --script-args and so on, and we have http-methods.

09:07.380 --> 09:12.780
retest all here, or http-methods, just .retest here.

09:12.780 --> 09:14.250
It's going to be okay.

09:14.250 --> 09:18.930
And after that we will enter the target IP address or domain here.

09:18.970 --> 09:24.720
In this case it's .com, and here you can use arrow keys to watch the

09:26.110 --> 09:26.890
timing.

09:26.890 --> 09:29.860
And here we have 30 seconds remaining.

09:30.070 --> 09:34.930
So here in this example, you will see something different here.

09:36.510 --> 09:41.970
It might take some time because we are now scanning the most commonly used ports here.

09:43.050 --> 09:45.870
I'll stop the video right here. And here,

09:45.870 --> 09:51.150
this is the output we are seeing now, the service fingerprint.

09:51.150 --> 09:53.010
And we have that.

09:53.860 --> 09:54.400
Here.

09:54.640 --> 09:57.520
We have a lot of information going down here.

09:57.640 --> 10:05.920
We have this Pure-FTPd, Exim smtpd, ISC BIND, and LiteSpeed.

10:06.040 --> 10:13.510
And here in http-methods we have GET, HEAD, POST, OPTIONS, and the HTTP server header is LiteSpeed.

10:13.540 --> 10:17.440
We also have fingerprint strings.

10:17.440 --> 10:21.820
We have the four for the GET request and the HTTP OPTIONS.

10:21.820 --> 10:28.210
Here we have Forbidden, Content-Length is 93, Cache-Control: no-cache, and so on.

10:28.360 --> 10:33.040
So here, this is our output, could select that

10:33.040 --> 10:33.660
.com.

10:33.700 --> 10:38.250
So in this example the output reveals that the

10:39.350 --> 10:42.830
CONNECT method is not supported, actually.

10:43.930 --> 10:48.490
And it returns a 400 Bad Request code.

10:48.580 --> 10:57.460
The finding suggests a potentially misconfigured or insecure setup here. So to customize the

10:57.460 --> 11:04.510
base path for each http-methods test, you can utilize the http-methods.url-path argument.

11:04.810 --> 11:07.160
For instance, this here.

11:07.180 --> 11:17.410
After that, in the script arguments, after --script-args, we will use http-methods and

11:17.710 --> 11:19.960
here we will use.

11:20.750 --> 11:25.390
.url-path and mypath.

11:25.750 --> 11:31.180
After that you will enter your code.com or your target

11:31.900 --> 11:34.210
domain or IP address.

11:35.950 --> 11:42.160
And it might also take some time for now because it will test almost all of the ports here.

11:56.190 --> 11:56.760
Instead.

11:56.760 --> 11:59.460
Let's actually use that this time.

11:59.460 --> 12:02.460
We will use our web server.

12:03.560 --> 12:04.250
Another 41.

12:04.970 --> 12:05.420
That's it.

12:05.960 --> 12:07.430
It will be quicker here.

12:07.430 --> 12:09.590
And as you can see, it's almost done.

12:19.730 --> 12:20.510
That's it.

12:21.350 --> 12:26.420
Here we have the information about that and that's it.

12:26.660 --> 12:31.180
As you can see here, we have OpenSSH, Linux telnetd, and so on.

12:31.190 --> 12:34.580
We have potentially risky methods here.

12:34.850 --> 12:36.350
It's TRACE.

12:37.290 --> 12:43.950
As I said, the CONNECT and TRACE methods are potentially risky methods here on HTTP, but it doesn't mean

12:44.040 --> 12:48.870
that it's 100% vulnerable, but you can check to make sure of it.

12:48.870 --> 12:51.480
And here we have Samba SMB.

12:51.480 --> 12:55.620
And so these are the most exploitable services.

12:57.070 --> 13:00.580
And here we are almost at the HTTP server header.

13:00.850 --> 13:07.030
We have supported methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, and we have potentially risky methods

13:07.030 --> 13:07.270
here.

13:07.300 --> 13:09.880
PUT, DELETE, and TRACE.

13:10.510 --> 13:14.050
And we can also see the MAC address.

13:14.760 --> 13:17.710
Service Info: Host: metasploitable.localdomain, and so on.

13:17.730 --> 13:19.110
Unix, Linux.

13:19.440 --> 13:20.460
Linux kernel.

13:21.960 --> 13:23.010
And here.

13:23.010 --> 13:23.670
That's it.

13:23.850 --> 13:25.230
So here.

13:26.300 --> 13:28.220
Other Nmap options.

13:28.490 --> 13:30.500
--script here.

13:30.530 --> 13:36.680
This instructs Nmap to execute the http-methods script when a web server is detected.

13:36.680 --> 13:44.690
So here the http-methods script, built on a predefined list of HTTP methods, performs tests to determine

13:44.690 --> 13:46.850
the supported methods on the target server.

13:47.030 --> 13:52.580
And it's important to emphasize that the presence of an HTTP method in the list of supported methods

13:52.610 --> 14:01.070
doesn't automatically mean that it's vulnerable

14:01.070 --> 14:02.120
100%.

14:02.270 --> 14:08.750
So as I said, additional factors such as configuration settings and firewall rules can impact method

14:08.750 --> 14:14.690
availability, and therefore it's crucial to interpret the results in the broader context of the web

14:14.690 --> 14:16.040
server security posture.

14:17.250 --> 14:25.920
And also, by selecting different base paths, such as in this case we used

14:25.920 --> 14:27.860
the mypath.

14:27.870 --> 14:29.220
Yeah, mypath.

14:29.900 --> 14:36.570
You can explore web applications residing in various folders and assess the availability and responses

14:36.570 --> 14:40.290
of Http methods within these specific contexts.

14:40.890 --> 14:48.780
In conclusion, listing supported HTTP methods using the Nmap http-methods script provides valuable insights

14:48.780 --> 14:56.040
into web servers' configuration and potential security risks. By understanding which methods

14:56.040 --> 15:03.060
are supported, system administrators and penetration testers can make informed decisions to strengthen

15:03.060 --> 15:05.730
the security posture of their web applications.

15:05.910 --> 15:12.240
Remember to interpret the results in the context of the server's configuration and to consider additional

15:12.240 --> 15:15.840
security measures beyond the presence of supported methods.

15:15.870 --> 15:23.800
Stay vigilant and ensure that your web servers are adequately protected against potential vulnerabilities.
