1
00:00:00,870 --> 00:00:06,630
Listing supported HTTP methods is a crucial step in the process of auditing web servers.

2
00:00:06,660 --> 00:00:13,350
It allows system administrators and penetration testers to gain insight into the configuration and software

3
00:00:13,350 --> 00:00:19,920
of web servers, as well as identify potential security risks associated with certain HTTP methods.

4
00:00:19,950 --> 00:00:27,870
By leveraging the power of Nmap, an open source network scanning tool, this task becomes efficient

5
00:00:27,870 --> 00:00:30,760
and effective when it comes to HTTP methods.

6
00:00:30,780 --> 00:00:36,030
Web servers can support a wide range of options, each serving a specific purpose.

7
00:00:36,270 --> 00:00:43,800
However, it's important to note that certain methods can introduce vulnerabilities,

8
00:00:43,800 --> 00:00:45,850
if not properly secured.

9
00:00:45,870 --> 00:00:48,560
For instance, methods like TRACE.

10
00:00:48,570 --> 00:00:51,210
Let's actually write it down on the notepad.

11
00:00:51,240 --> 00:00:53,760
Methods like TRACE.

12
00:00:53,760 --> 00:00:55,200
And so on.

13
00:00:57,300 --> 00:00:58,110
Will.

14
00:00:59,900 --> 00:01:00,470
And.

15
00:01:01,700 --> 00:01:05,930
Result in vulnerabilities.

16
00:01:07,820 --> 00:01:09,650
If not properly.

17
00:01:12,010 --> 00:01:12,550
Secured.

18
00:01:12,550 --> 00:01:13,090
Right.

19
00:01:13,870 --> 00:01:17,260
So these are the methods, for instance, TRACE.

20
00:01:18,990 --> 00:01:19,770
CONNECT.

21
00:01:21,220 --> 00:01:21,550
PUT.

22
00:01:23,070 --> 00:01:25,770
And DELETE. These methods.

23
00:01:26,400 --> 00:01:34,020
These HTTP methods have been known to pose potential security risks, especially the CONNECT one here,

24
00:01:34,020 --> 00:01:40,440
when misconfigured or exploited by malicious actors. To identify the supported HTTP methods on a web

25
00:01:40,440 --> 00:01:48,090
server, we can use the Nmap Scripting Engine again, NSE, which provides a collection of scripts specifically

26
00:01:48,090 --> 00:01:51,420
designed for network scanning and security assessments.

27
00:01:51,570 --> 00:02:01,860
One such script is the http-methods script, developed by Bernd Stroessenreuther, which allows us to enumerate

28
00:02:01,860 --> 00:02:04,020
the supported methods of a web server.

29
00:02:04,020 --> 00:02:11,880
So let's dive into the practical steps of using Nmap with the http-methods script to list the HTTP methods

30
00:02:11,880 --> 00:02:14,670
supported by a target web server.

31
00:02:15,000 --> 00:02:20,220
Now let's open your terminal or command prompt and enter this command.

32
00:02:20,220 --> 00:02:22,980
Firstly, we will use sudo here.

33
00:02:22,980 --> 00:02:36,300
We will add ports here, ports 80 (HTTP) and 443 (SSL/TLS, HTTPS), and we will also use the script here,

34
00:02:36,300 --> 00:02:46,170
--script http-methods, and here we will also add script arguments, with which we will test all, so --script-args

35
00:02:47,900 --> 00:02:54,860
http-methods.test-all, and here we will make it equal to true.

36
00:02:55,340 --> 00:02:58,070
And after that you will enter your target system.

37
00:02:58,070 --> 00:03:01,610
In this case, we will test it on two systems.

38
00:03:01,820 --> 00:03:05,090
One is a web server, just with WordPress installed on it.

39
00:03:05,180 --> 00:03:11,510
This is just a web hosting server, and the other is our Metasploitable virtual machine.

40
00:03:11,750 --> 00:03:19,480
So let's actually use, with code Silicom, firstly, and here we have a problem because we didn't write

41
00:03:19,490 --> 00:03:20,330
nmap here.

42
00:03:20,330 --> 00:03:23,000
Sorry, nmap. That's it.

43
00:03:23,000 --> 00:03:27,020
And here we will enter our sudo password, and we are waiting for it.

44
00:03:27,050 --> 00:03:31,340
As I said, you can use your arrow keys to print the results.

45
00:03:31,340 --> 00:03:37,580
In this case it was quick here, so here, and let's actually explain this command first.

46
00:03:37,700 --> 00:03:46,730
In this command, the -p 80,443 specifies the ports to scan.

47
00:03:46,760 --> 00:03:56,180
In this case, port 80 and port 443, which are commonly used for HTTP and HTTPS communication,

48
00:03:56,180 --> 00:03:56,780
as I said.

49
00:03:56,780 --> 00:04:05,990
So the http-methods script is invoked using this --script option, and the http-methods.test-all

50
00:04:05,990 --> 00:04:14,260
= true argument ensures that all supported methods are tested, and once the scan is complete, Nmap

51
00:04:14,270 --> 00:04:19,430
will present you with a comprehensive report that includes the supported methods for each web server

52
00:04:19,430 --> 00:04:23,240
detected on port 80 and port 443.

53
00:04:23,360 --> 00:04:28,520
For example, the output will look like this here.

54
00:04:28,520 --> 00:04:38,990
So here we have, on port 80, the GET, HEAD, POST, OPTIONS methods, and here we have OPTIONS, HEAD, GET, POST.

55
00:04:38,990 --> 00:04:46,820
So now what we're going to do is we will scan that on our Metasploitable vulnerable virtual machine.

56
00:04:46,820 --> 00:04:52,880
In this case, the machine is on my local IP here.

57
00:04:52,940 --> 00:04:55,280
Let's actually first scan it here.

58
00:04:55,970 --> 00:05:06,110
ipconfig. It was, the Metasploitable IP address, the last digits were 141 here.

59
00:05:07,850 --> 00:05:09,290
The fifth.

60
00:05:09,320 --> 00:05:09,530
Yeah.

61
00:05:09,560 --> 00:05:11,690
13 141.

62
00:05:11,690 --> 00:05:12,770
And that's it.

63
00:05:12,770 --> 00:05:18,410
And here, as you can see here, we also have GET, HEAD, POST, OPTIONS, and that's it.

64
00:05:18,410 --> 00:05:21,920
So we will first, actually, let's scan here.

65
00:05:21,920 --> 00:05:30,980
nmap -sV. We will scan this, we will scan the services available, and we can also use other

66
00:05:31,520 --> 00:05:35,840
protocols; instead of HTTP and HTTPS, we can use FTP and.

67
00:05:36,500 --> 00:05:39,140
So there are a lot of protocols, as you know.

68
00:05:39,470 --> 00:05:42,350
So here it might take some time.

69
00:05:44,280 --> 00:05:46,710
And here we have a lot here.

70
00:05:46,710 --> 00:05:56,130
So let's actually now try the FTP, 20, 21, and we also have 20. Sorry, yes, 21 right now.

71
00:05:56,130 --> 00:06:00,930
We will test it on the... we will also add 21 here.

72
00:06:02,210 --> 00:06:03,170
21.

73
00:06:04,150 --> 00:06:07,270
And here on 21, we don't have any HTTP methods.

74
00:06:07,270 --> 00:06:10,990
And as you can see here, we have http-methods.test-all.

75
00:06:10,990 --> 00:06:18,940
So we don't have HTTP methods here because on port 21 the HTTP server is not active here.

76
00:06:18,940 --> 00:06:20,830
As you can see, the service is different, right?

77
00:06:20,830 --> 00:06:29,410
But if you have some client that uses different ports for these HTTP ports here, instead of 80, it

78
00:06:29,410 --> 00:06:33,250
might use 8080 or other kinds of ports here.

79
00:06:33,280 --> 00:06:42,040
You might try this scan here, and then you will see the service information here so you can select your

80
00:06:42,040 --> 00:06:43,840
port accordingly.

81
00:06:43,840 --> 00:06:53,920
So here in this example, in this example, actually, let's scan that .com again.

82
00:06:57,600 --> 00:07:04,620
And here the output reveals that the web server supports common methods like GET, HEAD, POST, OPTIONS.

83
00:07:04,860 --> 00:07:11,760
And it also highlights the presence of the potential risk, if you have one.

84
00:07:11,910 --> 00:07:14,990
In this case, the potential risk method is the CONNECT method.

85
00:07:15,000 --> 00:07:21,720
But in this case, the CONNECT method is actually not working here, because it might be for security

86
00:07:21,720 --> 00:07:23,970
reasons or other reasons here.

87
00:07:24,620 --> 00:07:31,100
So, and it's important to emphasize that the presence of a method in the list of supported methods doesn't

88
00:07:31,100 --> 00:07:36,730
actually, doesn't automatically imply accessibility or imply security vulnerabilities.

89
00:07:36,740 --> 00:07:43,920
Additional factors such as configuration settings and firewall rules can impact method availability.

90
00:07:43,940 --> 00:07:50,420
Therefore, it's crucial to interpret the results in the broader context of the web server's security

91
00:07:50,420 --> 00:07:51,010
posture.

92
00:07:51,020 --> 00:07:56,600
For more granular analysis, you can individually check the status code and responses for each method

93
00:07:56,600 --> 00:08:00,580
using the http-methods.retest script argument.

94
00:08:00,620 --> 00:08:05,120
You can simply just add it after the script arguments.

95
00:08:05,150 --> 00:08:13,460
You can use the http-methods.retest, all true, here, and here we will, to provide a more practical example.

96
00:08:13,460 --> 00:08:16,070
And as you can see here, we have this here.

97
00:08:17,050 --> 00:08:20,460
And here we will also do another two.

98
00:08:21,630 --> 00:08:25,440
For the CONNECT method here, and as you can see here.

99
00:08:29,600 --> 00:08:31,850
Let's actually use that localhost now.

100
00:08:33,970 --> 00:08:38,220
And as you can see, HTTP, it doesn't have any methods because it's not a service, right?

101
00:08:47,530 --> 00:08:49,150
And now we will do another method.

102
00:08:49,150 --> 00:08:52,900
So we will just delete the ports here.

103
00:08:52,900 --> 00:08:59,290
Instead, instead of ports, we will use the lowercase and uppercase V here.

104
00:09:00,180 --> 00:09:07,350
And here we have script arguments and so on, and we have http-methods.

105
00:09:07,380 --> 00:09:12,780
retest all here, or http-methods just retest here.

106
00:09:12,780 --> 00:09:14,250
It's going to be okay.

107
00:09:14,250 --> 00:09:18,930
And after that we will enter the target IP address or domain here.

108
00:09:18,970 --> 00:09:24,720
In this case it's .com, and here you can use arrow keys to watch the

109
00:09:26,110 --> 00:09:26,890
timing.

110
00:09:26,890 --> 00:09:29,860
And here we have 30s remaining.

111
00:09:30,070 --> 00:09:34,930
So here in this example, you will see something different here.

112
00:09:36,510 --> 00:09:41,970
It might take some time because we are now scanning the most commonly used ports here.

113
00:09:43,050 --> 00:09:45,870
I'll stop the video right here, and here.

114
00:09:45,870 --> 00:09:51,150
This is the output we are seeing now, the service fingerprint.

115
00:09:51,150 --> 00:09:53,010
And we have that.

116
00:09:53,860 --> 00:09:54,400
Here.

117
00:09:54,640 --> 00:09:57,520
We have a lot of information going down here.

118
00:09:57,640 --> 00:10:05,920
We have this Pure-FTPd, XML smtpd, ISC BIND and LiteSpeed.

119
00:10:06,040 --> 00:10:13,510
And here in http-methods we have GET, HEAD, POST, OPTIONS, and the HTTP server header is LiteSpeed.

120
00:10:13,540 --> 00:10:17,440
We also have the fingerprint strings.

121
00:10:17,440 --> 00:10:21,820
We have the four for the GET request and the HTTP options.

122
00:10:21,820 --> 00:10:28,210
Here we have Forbidden, Content-Length is 93, Cache-Control: no-cache, and so on.

123
00:10:28,360 --> 00:10:33,040
So here this is our output, could select that

124
00:10:33,040 --> 00:10:33,660
.com.

125
00:10:33,700 --> 00:10:38,250
So in this example the output reveals that the

126
00:10:39,350 --> 00:10:42,830
CONNECT method is not supported, actually.

127
00:10:43,930 --> 00:10:48,490
And it returns a 400 Bad Request code.

128
00:10:48,580 --> 00:10:57,460
The finding suggests a potentially misconfigured or insecure setup here. So, to customize the

129
00:10:57,460 --> 00:11:04,510
base path for each HTTP methods test, you can utilize the http-methods.url-path argument.

130
00:11:04,810 --> 00:11:07,160
For instance, this here.

131
00:11:07,180 --> 00:11:17,410
After that we will use, in the script arguments, after --script-args, we will use http-methods and

132
00:11:17,710 --> 00:11:19,960
here we will use

133
00:11:20,750 --> 00:11:25,390
url-path and mypath.

134
00:11:25,750 --> 00:11:31,180
After that you will enter your code.com or your target

135
00:11:31,900 --> 00:11:34,210
domain or IP address.

136
00:11:35,950 --> 00:11:42,160
And it might also take some time for now, because it will test almost all of the ports here.

137
00:11:56,190 --> 00:11:56,760
Instead.

138
00:11:56,760 --> 00:11:59,460
Let's actually use that this time.

139
00:11:59,460 --> 00:12:02,460
We will use our web server.

140
00:12:03,560 --> 00:12:04,250
Another 41.

141
00:12:04,970 --> 00:12:05,420
That's it.

142
00:12:05,960 --> 00:12:07,430
It will be quicker here.

143
00:12:07,430 --> 00:12:09,590
And as you can see, it's almost done.

144
00:12:19,730 --> 00:12:20,510
That's it.

145
00:12:21,350 --> 00:12:26,420
Here we have the information about that, and that's it.

146
00:12:26,660 --> 00:12:31,180
As you can see here, we have openSUSE, Linux, Telnet and so on.

147
00:12:31,190 --> 00:12:34,580
We have potentially risky methods here.

148
00:12:34,850 --> 00:12:36,350
It's TRACE.

149
00:12:37,290 --> 00:12:43,950
As I said, the CONNECT and TRACE methods are potentially risky methods here on HTTP, but it doesn't mean

150
00:12:44,040 --> 00:12:48,870
that it's 100% vulnerable, but you can check to make sure of it.

151
00:12:48,870 --> 00:12:51,480
And here we have Samba SMB.

152
00:12:51,480 --> 00:12:55,620
And so these are the most exploitable services.

153
00:12:57,070 --> 00:13:00,580
And here we are almost at the HTTP server header.

154
00:13:00,850 --> 00:13:07,030
We have supported methods GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, and we have potentially risky methods

155
00:13:07,030 --> 00:13:07,270
here:

156
00:13:07,300 --> 00:13:09,880
PUT, DELETE and TRACE.

157
00:13:10,510 --> 00:13:14,050
And we can also see the MAC address.

158
00:13:14,760 --> 00:13:17,710
Sort of a central host, metasploitable.localdomain and so on.

159
00:13:17,730 --> 00:13:19,110
Unix, Linux.

160
00:13:19,440 --> 00:13:20,460
Linux kernel.

161
00:13:21,960 --> 00:13:23,010
And here.

162
00:13:23,010 --> 00:13:23,670
That's it.

163
00:13:23,850 --> 00:13:25,230
So here.

164
00:13:26,300 --> 00:13:28,220
Other Nmap options.

165
00:13:28,490 --> 00:13:30,500
--script here.

166
00:13:30,530 --> 00:13:36,680
This instructs Nmap to execute the http-methods script when a web server is detected.

167
00:13:36,680 --> 00:13:44,690
So here the http-methods script, built on a predefined list of HTTP methods, performs tests to determine

168
00:13:44,690 --> 00:13:46,850
the supported methods on the target server.

169
00:13:47,030 --> 00:13:52,580
And it's important to emphasize that the presence of an HTTP method in the list of supported methods

170
00:13:52,610 --> 00:14:01,070
doesn't automatically mean that, it means the security of, doesn't automatically mean that it's vulnerable

171
00:14:01,070 --> 00:14:02,120
100%.

172
00:14:02,270 --> 00:14:08,750
So as I said, additional factors such as configuration settings and firewall rules can impact method

173
00:14:08,750 --> 00:14:14,690
availability, and therefore it's crucial to interpret the results in the broader context of the web

174
00:14:14,690 --> 00:14:16,040
server's security posture.

175
00:14:17,250 --> 00:14:25,920
And in conclusion, and also by selecting different base paths, such as in this case we used

176
00:14:25,920 --> 00:14:27,860
the mypath.

177
00:14:27,870 --> 00:14:29,220
Yeah, mypath.

178
00:14:29,900 --> 00:14:36,570
You can explore web applications residing in various folders and assess the availability and responses

179
00:14:36,570 --> 00:14:40,290
of HTTP methods within these specific contexts.

180
00:14:40,890 --> 00:14:48,780
In conclusion, listing supported HTTP methods using the Nmap http-methods script provides valuable insights

181
00:14:48,780 --> 00:14:56,040
into web servers' configuration and potential security risks. By understanding which methods

182
00:14:56,040 --> 00:15:03,060
are supported, system administrators and penetration testers can make informed decisions to strengthen

183
00:15:03,060 --> 00:15:05,730
the security posture of their web applications.

184
00:15:05,910 --> 00:15:12,240
Remember to interpret the results in the context of the server's configuration and to consider additional

185
00:15:12,240 --> 00:15:15,840
security measures beyond the presence of supported methods.

186
00:15:15,870 --> 00:15:23,800
Stay vigilant and ensure that your web servers are adequately protected against potential vulnerabilities.