Web Enumeration
lethanhtung01011980 edited this page Jun 18, 2020 · 34 revisions
- Search for hidden URLs (directory and file brute force)
- Look for HTTP codes that show a path exists: 200, 204, 301, 302, 307, 401, 403 (a 401 or 403 still confirms the path is there, even if you cannot read it yet)
- Common directory lists: /usr/share/wordlists/dirb/common.txt and /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- Generated directory list (words scraped from the target's own pages, so names the admins actually use): cewl 10.10.10.46 > dirlist.txt
- https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
- https://blog.bssi.fr/evaluation-des-performances-doutils-de-bruteforce-url/
- Default web roots once you get file read or a shell: /var/www/html and /var/www/ssl (Apache on Debian/Ubuntu)
- XAMPP? Its web root is htdocs under the install directory (e.g. C:\xampp\htdocs)
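The cewl step above builds a wordlist from words found on the target's own pages. The script below is an added example (not from the original page and not cewl's code) that does the same in Python for a single page: it drops script/style blocks and tags, keeps the text of HTML comments on purpose (developers leave path names there), and orders words by frequency. The HTML is a constructed sample standing in for a fetched page; the hostname nineveh.htb inside it is sample text only, and fetch_html is an assumed helper for running it against a real URL.

```python
import html
import re
import sys
import urllib.request
from collections import Counter

# Constructed sample page; stands in for HTML fetched from the target.
SAMPLE_HTML = """<html><head><title>Nineveh Corp - Internal Portal</title>
<script>var analytics = "tracker";</script></head>
<body><h1>Welcome to Nineveh</h1>
<p>Backup archives are kept in <a href="/backup/">backup</a>. Contact admin@nineveh.htb.</p>
<!-- todo: remove staging link --><p>Staging &amp; development portal</p>
</body></html>"""

COMMENT_MARK_RE = re.compile(r"<!--|-->")
SCRIPT_STYLE_RE = re.compile(r"<(script|style)\b.*?</\1\s*>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def visible_text(page_html):
    """Text a visitor would read, plus the bodies of HTML comments (kept on purpose)."""
    text = COMMENT_MARK_RE.sub(" ", page_html)   # keep comment text, drop the markers
    text = SCRIPT_STYLE_RE.sub(" ", text)        # JS/CSS identifiers are noise here
    text = TAG_RE.sub(" ", text)
    return html.unescape(text)


def extract_words(page_html, min_length=3, lowercase=True):
    """Counter of candidate words (cewl-style) from one page."""
    words = WORD_RE.findall(visible_text(page_html))
    if lowercase:
        words = [w.lower() for w in words]
    return Counter(w for w in words if len(w) >= min_length)


def wordlist(page_html, min_length=3, lowercase=True):
    """Words ordered by frequency (most common first), ties alphabetical."""
    counts = extract_words(page_html, min_length, lowercase)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def fetch_html(url, timeout=10):
    """Fetch one page (no crawling; cewl itself follows links to a depth)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # usage: wordgen.py http://10.10.10.46 > dirlist.txt   (no URL: run on the sample)
    page = fetch_html(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTML
    print("\n".join(wordlist(page)))
```

On the sample the list starts with nineveh, backup, portal, staging; feed the output straight to wfuzz/gobuster as the wordlist, and consider lowercase=False when the site's URLs are case-sensitive.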
- -z file,<wordlist>: payload source; each additional -z fills the next marker (FUZZ, FUZ2Z, FUZ3Z ...). Quote the URL so the shell does not treat & as a background operator:
wfuzz -c -z file,users.txt -z file,pass.txt --sc 200 'http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z'
- Directory brute force with a wordlist (--hc 404 hides not-found responses, --sc 200 would show only 200s):
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://victim-ip/FUZZ
- -R <depth>: recurse into directories that are found, down to that depth.
- -t <n>: number of concurrent connections (default 10):
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 -t 40 http://victim-ip/FUZZ
- dirbuster (GUI): use /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt or a cewl-generated list (cewl 10.10.10.46 > dirlist.txt); brute force folders first and files later, with the extensions the site actually serves
- dirsearch with a PHP extension over HTTPS:
dirsearch -u https://nineveh.htb -w /opt/DirBuster/directory-list-2.3-medium.txt -e php
- Web server scan: dangerous files, outdated components and missing security headers (noisy, not stealthy):
nikto -host http://victim-ip
- gobuster: search for hidden URLs in dir mode; dns mode enumerates subdomains and vhost mode virtual hosts. -t sets the number of threads:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -o victim-output.txt -u http://victim-ip -t 20 --timeout=3s
- uniscan (directory and file checks, robots.txt/sitemap, dynamic and static tests):
uniscan -qweds -u http://victim-ip
- nmap http-enum script: common paths and applications on the web port:
nmap -sV --script=http-enum -p80 -n victim-ip
- dirb with the common list:
dirb http://victim-ip /usr/share/wordlists/dirb/common.txt
- wpscan (WordPress): https://tools.kali.org/web-applications/wpscan. Current releases take --url, -U/--usernames, -P/--passwords and -t/--max-threads; the older -u/--wordlist/--threads spelling no longer works.
Do 'non-intrusive' checks (default scan) ...
wpscan --url http://victim-ip
Do wordlist password brute force on enumerated users using 50 threads ...
wpscan --url http://victim-ip -P /usr/share/wordlists/rockyou.txt -t 50
Check users
wpscan --url http://apocalyst.htb --enumerate u
Do wordlist password brute force on the 'admin' username only ...
wpscan --url http://victim-ip -P /usr/share/wordlists/rockyou.txt -U admin
wpscan --url http://apocalyst.htb -P /usr/share/wordlists/rockyou.txt --usernames falaraki
- (Tested) Enumerate usernames, then brute force passwords for them (no -U given):
wpscan --url http://victim-ip -P /usr/share/wordlists/rockyou.txt
Check for vulnerable plugins (p enumerates popular plugins; vp limits it to plugins with known vulnerabilities):
wpscan --url http://apocalyst.htb --enumerate p
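What wpscan's --enumerate u does behind the scenes is worth knowing for sites where the tool is blocked or too noisy. The script below is an added example written for this page (not wpscan's code) that uses the two standard WordPress user-discovery sources: /?author=N redirects to /author/<slug>/ when user N exists (with pretty permalinks enabled), and /wp-json/wp/v2/users lists users unless the site has restricted the REST API. The target apocalyst.htb and the user falaraki come from the wpscan lines above; the responses are constructed so the example runs offline, and editor-bob and hidden-author are made-up users. http_fetch is an assumed helper for real use.

```python
import json
import re
import sys
import urllib.error
import urllib.request

AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # we want the 3xx and its Location, not the page behind it


def http_fetch(url, timeout=5):
    """Real fetcher: (status, lower-cased headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, {}, ""


def enum_author_ids(base_url, fetch, max_id=10):
    """/?author=N redirects to /author/<slug>/ for existing users; slug is usually the login name."""
    found = {}
    for n in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base_url}/?author={n}")
        if status in (301, 302):
            m = AUTHOR_SLUG_RE.search(headers.get("location", ""))
            if m:
                found[m.group(1)] = n
    return found


def enum_rest_users(base_url, fetch):
    """The REST API lists users with id/slug/name unless the site restricts it."""
    status, _, body = fetch(f"{base_url}/wp-json/wp/v2/users?per_page=100")
    if status != 200:
        return {}
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    return {u["slug"]: u.get("id") for u in data if isinstance(u, dict) and "slug" in u}


def enumerate_users(base_url, fetch, max_id=10):
    """Merge both sources into {slug: id}; author-ID probing wins on conflicts."""
    users = enum_rest_users(base_url, fetch)
    users.update(enum_author_ids(base_url, fetch, max_id))
    return users


# Constructed responses so the example runs offline. 'falaraki' is the user from the
# wpscan line on this page; 'editor-bob' and 'hidden-author' are made up.
FAKE_WP = {
    "http://apocalyst.htb/?author=1": (301, {"location": "http://apocalyst.htb/author/falaraki/"}, ""),
    "http://apocalyst.htb/?author=2": (301, {"location": "http://apocalyst.htb/author/editor-bob/"}, ""),
    "http://apocalyst.htb/wp-json/wp/v2/users?per_page=100": (
        200, {"content-type": "application/json"},
        json.dumps([{"id": 1, "slug": "falaraki", "name": "falaraki"},
                    {"id": 3, "slug": "hidden-author", "name": "Hidden"}])),
}


def fake_fetch(url):
    return FAKE_WP.get(url, (404, {}, "Not Found"))


if __name__ == "__main__":
    # usage: wpusers.py http://apocalyst.htb   (no argument: run against the fake site)
    target = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://apocalyst.htb"
    fetch = http_fetch if len(sys.argv) > 1 else fake_fetch
    for slug, uid in sorted(enumerate_users(target, fetch).items()):
        print(uid, slug)
```

The two sources disagree on purpose in the sample: the REST API omits editor-bob (id 2) and the author-ID probe stops before id 3, so only the merged result lists all three. Feed the slugs to wpscan -U or to a login brute force, and raise max_id on larger sites.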
- fimap? (automated LFI/RFI scanner, useful once you have parameters that take file paths)