Determines if a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body.
http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.
http-litespeed-sourcecode-download.nse exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:
* <code>/index.php\00.txt</code>
References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2333
* http://www.exploit-db.com/exploits/13850/
library. The cvs-brute-repository script allows for guessing possible
repository names needed in order to perform password guessing using the
cvs-brute.nse script. [Patrik]
It works similar to http-enum, we detect applications by matching known paths and launching a login routine using default credentials when found.
This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.
Attempts to retrieve the configuration settings from the MySQL database
dump on a Barracuda Networks Spam & Virus Firewall device using the
directory traversal vulnerability in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi".
The web administration interface runs on port 8000 by default.
Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <Shadow@SquatThis.net>
For more information, see:
http://seclists.org/fulldisclosure/2010/Oct/119http://www.exploit-db.com/exploits/15130/
- broadcast-netbios-master-browser attempts to discover master browsers in
the broadcast domain
- smb-mbenum lists servers registered with the master browser
[Patrik]
These scripts got removed from default:
dhcp-discover
dns-zone-transfer
These scripts got removed from intrusive:
dns-recursion
ftp-bounce
http-open-proxy
socks-open-proxy
Thanks to Toni for noticing these.
This was really lame compared to http-brute, only guessing two
username/password combinations. Also we shouldn't be guessing any
passwords in a default script.
