• Determine if TRACE is available
(base) root@kali:~# nmap -p80 --script http-methods,http-trace --script-args http-methods.retest  
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 16:03 EDT  
Nmap scan report for  
Host is up (0.00060s latency).  
80/tcp open  http  
| http-methods:   
|   Supported Methods: HEAD GET POST OPTIONS TRACE  
|   Potentially risky methods: TRACE  
|   Status Lines:   
|     POST: HTTP/1.1 200 OK  
|     TRACE: HTTP/1.1 200 OK  
|     GET: HTTP/1.1 200 OK  
|     OPTIONS: HTTP/1.1 200 OK  
|_    HEAD: HTTP/1.1 200 OK  
|_http-trace: TRACE is enabled  
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
  • Try to pull out information using telnet
    • Type the following after you connect:
TRACE / HTTP/1.1  
Host: foo.bar  
X-Header: test

See the request in action below:

(base) root@kali:~# telnet 80  
Connected to  
Escape character is '^]'.  
TRACE / HTTP/1.1  
Host: foo.bar  
X-Header: test
  • Try to pull out info using nc
    • curl -X TRACE
    • curl -X TRACE -H "X-Header: test"
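
The manual check above, scripted as an added example (not part of the original notes): it sends the same TRACE request with the `X-Header: test` marker and classifies the reply, which is handy for confirming that TRACE stays disabled after a server configuration change. The function names and the sample responses are constructed for illustration.

```python
import socket

# Marker header taken from the page's telnet example.
MARKER = "X-Header: test"

def build_trace_request(host, path="/"):
    """Return the raw TRACE request the page types into telnet."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{MARKER}\r\nConnection: close\r\n\r\n").encode()

def classify_trace_response(raw):
    """Classify a raw HTTP response to the TRACE probe.

    'echoed'   : 200 and the body reflects the marker header
    'enabled'  : 200 but the marker is not reflected (e.g. stripped in transit)
    'disabled' : any other status code (405, 501, 403, ...)
    'invalid'  : no parsable HTTP status line
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[1].isdigit():
        return "invalid"
    if status[1] != b"200":
        return "disabled"
    return "echoed" if MARKER.lower().encode() in body.lower() else "enabled"

def probe(host, port=80, timeout=5.0):
    """Send the probe to a host you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))

# Constructed sample responses (not captured from a real server).
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: foo.bar\r\nX-Header: test\r\n\r\n")
SAMPLE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                   b"Allow: GET, HEAD, POST, OPTIONS\r\n\r\n")

if __name__ == "__main__":
    print(classify_trace_response(SAMPLE_ENABLED))
    print(classify_trace_response(SAMPLE_DISABLED))
```

An `echoed` result matches the nmap finding "TRACE is enabled"; `disabled` is the result to expect once the method has been turned off.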