Usage: #nmap --script http-webdav-scan -p80 <TARGET IP>

In this post I am showcasing a useful Nmap NSE script that lists the HTTP methods a web server will accept from you, which matters most when that server has WebDAV enabled.

For those who need a refresher, WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP for remote web authoring. On top of the usual GET, PUT and DELETE it adds methods such as PROPFIND, MKCOL, COPY, MOVE and LOCK, so with nothing more than curl a client can upload, move and delete files on the server. That is fine when the person doing it is the expected author; when WebDAV is enabled and those methods are allowed to anyone on the internet it becomes a huge problem.

What can an attacker do with this?  The primary goal would be to gain full access to the hosting server, or at least to plant something that gives the attacker a foothold.  The typical thing to upload is a web shell or a reverse shell: if the server will execute what was uploaded, write access becomes code execution.

If we take another look at the scan output in the picture above, the Public Options field (the methods the server advertises in its Public header) is quite verbose.
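To check by hand what the script's "Allowed Methods" and "Public Options" fields are reporting, the POSIX sh script below (an added example, not code from the original post or from the Nmap project) sends an OPTIONS request, reads the Allow: and Public: headers, and picks out the methods that let a client change content. It then proves write access with a harmless PUT followed by a DELETE rather than trusting the header alone. The target URL is an assumption you supply; the sample response embedded in the script is constructed so the header parsing can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce by hand what
# http-webdav-scan reports in its "Allowed Methods" / "Public Options"
# fields. An OPTIONS request returns Allow: and Public: headers; the
# functions below pick out the methods that let a client change content.
# The target URL is an assumption you supply; SAMPLE_RESPONSE is a
# constructed response so the parsing can be exercised offline.

# Methods that let a client create, change or remove server content.
WRITE_METHODS="PUT DELETE MOVE COPY MKCOL PROPPATCH LOCK UNLOCK"

# Constructed OPTIONS response in the style of an IIS WebDAV server.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
DAV: 1, 2
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH
Content-Length: 0'

# webdav_enabled: exit 0 when the response headers on stdin carry a DAV:
# header (the server advertises WebDAV compliance classes), else exit 1.
webdav_enabled() {
    tr -d '\r' | grep -qi '^dav:'
}

# risky_methods: read raw response headers on stdin and print, one per
# line, sorted and de-duplicated, every method named in the Allow: and
# Public: headers that also appears in WRITE_METHODS.
risky_methods() {
    tr -d '\r' |
    awk 'tolower($0) ~ /^(allow|public):/ {
             sub(/^[^:]*:/, "")      # drop the header name
             gsub(/,/, " ")          # "PUT, DELETE" -> "PUT  DELETE"
             for (i = 1; i <= NF; i++) print toupper($i)
         }' |
    sort -u |
    while read -r method; do
        case " $WRITE_METHODS " in
            *" $method "*) echo "$method" ;;
        esac
    done
}

# probe: run the live check against a target (needs curl and network).
# Usage: probe http://10.0.0.5/   (hypothetical address)
probe() {
    headers=$(curl -s -i -X OPTIONS "$1")
    if printf '%s\n' "$headers" | webdav_enabled; then
        echo "DAV header present: server advertises WebDAV"
    else
        echo "no DAV header: server does not advertise WebDAV"
    fi
    echo "write-capable methods in Allow/Public:"
    printf '%s\n' "$headers" | risky_methods
}

# put_test: prove write access instead of trusting the header. Uploads a
# harmless text file and deletes it again. Only run this against a
# system you are authorized to test.
put_test() {
    url="${1%/}/webdav-write-check-$$.txt"
    code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT \
           --data 'webdav write check' "$url")
    echo "PUT $url -> HTTP $code"
    case "$code" in
        201|204) curl -s -o /dev/null -X DELETE "$url" ;;
    esac
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RESPONSE" | risky_methods
```

A server that advertises PUT and DELETE in its headers is not necessarily one that accepts them unauthenticated; the `put_test` step is what separates a verbose header from a real finding, and a 201 or 204 on the PUT is the evidence to record.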

I feel like I am not driving this home enough.  Imagine having a project (a website) that you worked incredibly hard on.  You are ready to showcase it to the world!  This is your work and only yours, and you probably don't want anyone else modifying it once it is published.  However, you made a mistake and unintentionally allowed anyone on the internet to modify your work.

Does that sound scary?  It does to me.  Thankfully we have handy NSE scripts like "http-webdav-scan" that can tell us when we have gaps to close.

If disabling WebDAV is something you are considering, here are some useful links.

This NSE script has become a "run every time" kind of script for me when doing a pentest or CTF.

[1] https://nmap.org/nsedoc/scripts/http-webdav-scan.html
