-
Notifications
You must be signed in to change notification settings - Fork 14
Home
Alvin Smith edited this page Feb 24, 2023
·
32 revisions
https://shishirsubedi.com.np/categories/#thm
- feroxbuster can do wildcard auto-filtering.
User-Agent: feroxbuster/<version> - gobuster only returns on 200,204,301,302,307,403 by default.
User-Agent: gobuster/<version>. I didn't make proxychain work for it. Usedhttps_proxy=localhost:8080instead. - dirb used
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)by default.
- feroxbuster for content or directory finding https://epi052.github.io/feroxbuster-docs/docs/examples/core-features/
- ffuf for vhost or subdomain looking, or general fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://$IP -H 'Host: FUZZ.schooled.htb' -fs 20750- gobuster for verbose fuzz bad requests or bad response. Or use proxy. e.g
gobuster fuzz -u http://ip:portFUZZ -w /usr/swagger.txt -t 50 -v > go2.txt
cat go2.txt | grep --invert-match "Lenght=XX"
gobuster dir -u http://127.0.0.1/app --proxy 'http://lance.friedman:pass@10.129.225.107:3128' -w /usr/share/wordlists/dirb/common.txt -x py- wfuzz do the general fuzzing https://github.com/A1vinSmith/OSCP-PWK/wiki/FUZZ
More on that: https://github.com/A1vinSmith/OSCP-PWK/wiki/Web-Enumeration
- Nmap not suitable for the full scan especially for CTF, HTB or THM. Run others to find opening ports first
- Rustscan is fast but sometimes missing ports. https://github.com/RustScan/RustScan/issues/494
- Use masscan as a backup runner. i.e.
masscan -p1-65535,U:1-65535 $IP --rate=2000 -e tun0