
Web Enumeration

lethanhtung01011980 edited this page Jun 18, 2020 · 34 revisions

Goals

Common places to check

  • /var/www/html
  • /var/www/ssl
  • XAMPP?

wfuzz - Fast and flexible, can fuzz any parameter

  • -z file,wordlist.txt : one -z per FUZZ keyword (the second keyword is FUZ2Z); quote the URL so the shell does not treat & as a background operator: wfuzz -c -z file,users.txt -z file,pass.txt --sc 200 "http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z"
  • Directory brute force with a wordlist, hiding 404 responses: wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 victim-ip/FUZZ
  • -R: Recursive / depth.
  • -t: number of threads => wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 -t 40 victim-ip/FUZZ

dirbuster - GUI

  • Generated directory list: cewl 10.10.10.46 > dirlist.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • To check for FOLDERS first and files later

dirsearch

  • PHP + https: dirsearch -u https://nineveh.htb -w /opt/DirBuster/directory-list-2.3-medium.txt -e php

nikto - HTTP security

  • To check the security of HTTP headers
  • nikto -host http://victim-ip

gobuster - fast - need word file

  • To search for hidden URLs
  • Can enumerate on DNS subdomains
  • gobuster dir -w /usr/share/wordlists/dirb/common.txt -o victim-output.txt -u http://victim-ip -t 20 --timeout=3s
  • -t num-threads

Uniscan - fast - no need word file

  • uniscan -qweds -u http://victim-ip

nmap - Slow

  • nmap -sV --script=http-enum -p80 -n victim-ip

dirb - Slow - Single thread

  • dirb http://victim-ip /usr/share/wordlists/dirb/common.txt
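The wordlist tools above (wfuzz, dirbuster, dirsearch, gobuster, dirb) all leave the same footprint in the web server's access log: a burst of 404s from one client, often with a tool's default User-Agent. The detector below is an added example, not part of the original page; it assumes the Apache "combined" log format and uses constructed log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumption: the server uses the default format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Default User-Agents of common tools; trivially changed, so only a secondary signal
SCANNER_UA_MARKERS = ("gobuster", "wfuzz", "nikto", "dirbuster")

def make_line(ip, second, path, status, ua):
    """Build one constructed log line, `second` seconds after a fixed base time."""
    ts = (datetime(2020, 6, 18, 10, 0, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample: 10.0.0.5 walks a wordlist (one request per second, all 404);
# 192.0.2.10 is an ordinary visitor who follows one broken link.
SAMPLE_LOG = [make_line("10.0.0.5", i, f"/word{i}", 404, "gobuster/3.0.1") for i in range(40)]
SAMPLE_LOG += [make_line("192.0.2.10", 5, "/", 200, "Mozilla/5.0"),
               make_line("192.0.2.10", 9, "/old-page", 404, "Mozilla/5.0")]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: (max 404s in any window, scanner UA seen)} for suspicious clients."""
    not_found, scanner_ua = defaultdict(list), defaultdict(bool)
    for rec in filter(None, map(parse_line, lines)):
        if any(mark in rec["ua"].lower() for mark in SCANNER_UA_MARKERS):
            scanner_ua[rec["ip"]] = True
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in not_found.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold or scanner_ua[ip]:
            flagged[ip] = (best, scanner_ua[ip])
    return flagged
```

Tune `window` and `threshold` to the site's normal 404 rate; a busy site with many broken links needs a higher threshold than the constructed sample.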

Wordpress scan

Do 'non-intrusive' checks ...

  • wpscan -u http://victim-ip

Do wordlist password brute force on enumerated users using 50 threads ...

  • wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --threads 50

Check user

  • wpscan --url http://apocalyst.htb --enumerate u

Do wordlist password brute force on the 'admin' username only ...

  • wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --username admin
  • wpscan --url http://apocalyst.htb -P /usr/share/wordlists/rockyou.txt --usernames falaraki
  • (Tested) Enumerate usernames and brute-force passwords for all of them: wpscan --url http://victim-ip -P /usr/share/wordlists/rockyou.txt

Check for vulnerable plugins

LFI scan

  • fimap?
