Nginx Recon Basics
Part two of Gurkirat Singh's series on web server reconnaissance, this time focusing on the Nginx web server.
Welcome to another part two of my three part reconnaissance basics. In my previous article you learned about the apache web server. In this this article we will focus on the Nginx web server and nginx recon at Attack Defence labs.
Nginx is a web server like apache, its a multipurpose opensource server mainly used for serving cached contents, load balancers or reverse proxy. Like apache, it can also serve php or static contents.
So, why nginx if you have apache? Well, nginx performs better than apache in some scenarios and many big companies are using it to serve their clients. Here are few of them https://www.nginx.com/resources/wiki/community/why_use_it/
You get the idea why nginx is so important now, so let's dive into this
Let the Recon Begin
In my case the ip is 192.14.197.3
. You can find the ip by running `ifconfig` and the change the last part from 2 to 3 eth1 interface
Not asked but, What is version of nginx version running?
Using nmap
tool to find the version
nmap -sS -sV 192.14.197.3
It is running nginx v1.15.4
What are the authentication types being used for /Admin
and /Administrator
folder?
Using authentication recon tip from previous post, sending unauthenticated request deliberately to get the authentication type and scheme
curl 192.14.197.3/Admin -Is
curl 192.14.197.3/Administrator -Is
Find the password of user “admin” which is required to access the /Admin
directory using metasploit.
In this you need to use the http_login module, that you used in previous part to find the password for the directory
The http auth credentials for /Admin
is admin:57chevy
Find the password of user “alice” which is required to access the /Administrator
directory.
Same thing as above with different user, auth_uri and password file
The http auth credentials for /Administrator
is alice:sunshine1
Note: Regarding hydra brute forcing, I am leaving this to you. Here is an awesome resource for a headstart -> http://tylerrockwell.github.io/defeating-basic-auth-with-hydra/
Retrieve flags from /Admin
and /Administrator
directories
Alright, so you have the authentication type and credentials. Use it with the curl to get the details
Now you got the flags, submit it!
If you have liked my post and want to connect with me, here the links
- Twitter: @tbhaxor
- GitHub: @tbhaxor
- LinkedIn: @gurkirat--singh
- Instagram: @_tbhaxor_