Apache's module userdir
provides access to user directories using URIs with the syntax /~username/
. With Nmap, we can perform dictionary attacks and determine a list of valid usernames on the system remotely.
This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir
enabled.
To attempt to enumerate valid users in a web server with mod_userdir
, use the following command:
$ nmap -p80 --script http-userdir-enum <target>
All the users found will be included in the results:
PORT STATE SERVICE 80/tcp open http |_http-userdir-enum: Potential Users: root, web, test