HTTP Methods scanning differences between Metasploit and Nmap

Metasploit has auxiliary modules dedicated to scanning HTTP methods. I was interested in comparing this Metasploit module with the Nmap http-methods NSE script.

I decided to scan a /24 range, which represents 255 IP addresses, with the two tools, then compare the results and the time taken by each scan.

Metasploit

By default, the Metasploit "scanner/http/options" auxiliary module is configured with 50 threads; you can increase the number of threads by setting the THREADS option. We set THREADS to 256.

CLI testing

time sudo msfcli scanner/http/options THREADS=256 RHOSTS=xxx.xxx.xxx.xxx/24 E

Metasploit, via the CLI, took around 21 seconds to scan all 255 IP addresses and returned 7 responses.

Console testing

Metasploit, via the console, took around 13 seconds to scan all 255 IP addresses and returned 7 responses, the same as the CLI.

Example of output:

[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD methods
[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD, POST methods

Nmap

With Nmap, the following command scans the HTTP methods of every host in the range on port 80.

time sudo nmap --script=http-methods -PN -T4 -p 80 -oN xxx.xxx.xxx.0-255_http_methods.txt xxx.xxx.xxx.0/24

Nmap took around 11 seconds to scan all 255 IP addresses and returned 7 responses. The 7 responses are the same as Metasploit's, with the same available methods detected.

Example of output:

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.11s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods: OPTIONS GET HEAD POST DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
| Potentially risky methods: DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
|_See http://nmap.org/nsedoc/scripts/http-methods.html

In terms of execution time, the Metasploit console and Nmap are equivalent, but in terms of results, the fact that the Nmap NSE script flags the potentially risky methods and points to a reference for them is useful extra information included by default.
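As an added illustration (not code from Metasploit or Nmap), the script below does what both tools do at heart: send one OPTIONS request, parse the Allow header, and, like the Nmap output above, flag anything outside GET/HEAD/POST/OPTIONS as potentially risky. The "safe" set is inferred from the output on this page rather than taken from the NSE source, and the host names and Allow values in the sample are constructed from the output lines shown above.

```python
import http.client
from typing import List

# Methods the Nmap output above leaves unflagged; everything else is reported as
# "potentially risky". Assumption: inferred from this page's output, not from the NSE code.
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_allow_header(value: str) -> List[str]:
    """Split an Allow header into an ordered, de-duplicated, upper-case method list.

    Handles both spacings seen in the Metasploit output above:
    "GET,HEAD,POST,OPTIONS,TRACE" and "OPTIONS, TRACE, GET, HEAD".
    """
    methods: List[str] = []
    for token in value.split(","):
        token = token.strip().upper()
        if token and token not in methods:
            methods.append(token)
    return methods


def risky_methods(methods: List[str]) -> List[str]:
    """Return the methods that are not in the safe set, preserving order."""
    return [m for m in methods if m not in SAFE_METHODS]


def format_report(host: str, allow: str) -> str:
    """Build one report line in the style of the Metasploit output, plus the Nmap-style flag."""
    methods = parse_allow_header(allow)
    risky = risky_methods(methods)
    line = f"{host} allows {','.join(methods)} methods"
    if risky:
        line += f" (potentially risky: {' '.join(risky)})"
    return line


def fetch_allow_header(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a single OPTIONS request and return the Allow header ('' if absent)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        return conn.getresponse().getheader("Allow", "") or ""
    finally:
        conn.close()


# Constructed sample: host names are placeholders, Allow values come from the output lines above.
SAMPLE_ALLOW = {
    "host-a": "GET,HEAD,POST,OPTIONS,TRACE",
    "host-b": "OPTIONS, TRACE, GET, HEAD",
    "host-c": "OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK",
}

if __name__ == "__main__":
    for sample_host, sample_allow in SAMPLE_ALLOW.items():
        print(format_report(sample_host, sample_allow))
```

To check a live server you administer, replace the sample loop with `format_report(host, fetch_allow_header(host))`.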

One Reply to “HTTP Methods scanning differences between Metasploit and Nmap”

  1. Actually, if you look at the code, the TRACE method is logged to the database as a vuln with the appropriate references. I can update the module to report "risky" methods though.
