Hackers Rest
Enumeration


Last updated 2 years ago


Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Web Application Enumeration

w3af is an open source, Python-based Web Application Attack and Audit Framework.

The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Attackers can also use it to find and enumerate weaknesses in web applications. It can be downloaded and run with the following commands:

git clone --depth 1 https://github.com/andresriancho/w3af.git
cd w3af
./w3af_gui

HTTP Enumeration

Subdomain enumeration - see https://sidxparab.gitbook.io/subdomain-enumeration-guide/

dirsearch - https://github.com/maurosoria/dirsearch

python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist

gobuster

# gobuster 3.x requires the "dir" mode keyword (older releases accepted the flags directly)
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://$ip

DirBuster - HTTP folder enumeration - can take a dictionary file

Dirb

  • Directory brute force finding using a dictionary file

dirb http://$ip/ wordlist.dict

dirb <<http://vm/>>
  • Dirb against a proxy

dirb http://$ip/ -p $ip:$port

Nikto

nikto -h $ip
  • Proxy Enumeration (useful for open proxies)

nikto -useproxy http://$ip:3128 -h $ip

Nmap HTTP Enumeration

nmap --script=http-enum -p80 -n $ip/24
  • Nmap: check which HTTP methods the server supports

nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Uniscan

Directory finder:

uniscan -qweds -u <<http://vm/>>

Wfuzz - The web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
  • Recurse 3 levels deep, showing only 200 responses

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ

Misc

  • Get the HTTP methods available from the web server (OPTIONS request)

curl -vX OPTIONS vm/test
  • Open a service using a port knock (Secured with Knockd)

for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x $ip; done
  • WPScan - WordPress security scanner

wpscan --url $ip/blog --proxy $ip:3129
  • RSH Enumeration - Unencrypted file transfer system (Metasploit module)

auxiliary/scanner/rservices/rsh_login
  • Finger Enumeration

finger @$ip

finger batman@$ip
  • TLS & SSL Testing (aha converts the coloured terminal output to HTML)

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
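Seen from the server side, the wordlist runs above (dirb, gobuster, dirsearch, wfuzz) and the OPTIONS check leave a recognisable trail in the access log. The following is an added example, not from this page's author: a small Python detector over constructed combined-format log lines that flags a client for a scanner User-Agent, an OPTIONS probe, or a burst of mostly-404 responses inside a sliding window. The tool-name User-Agent markers, the sample traffic and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache/nginx "combined" access-log format; the timestamp is parsed so bursts can be windowed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Names of the tools listed on this page. Assumption: the tool sent its default
# User-Agent, which varies by version and is trivially changed, so treat a hit as a hint only.
SCANNER_UA_MARKERS = ("nikto", "gobuster", "wfuzz", "dirbuster", "dirsearch", "w3af")

def parse_line(line):
    m = LOG_RE.match(line)
    return m and {**m.groupdict(), "status": int(m["status"]),
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_enumeration(lines, window_s=60, min_requests=20, min_404_ratio=0.7):
    """Return {client_ip: sorted reasons} for clients whose traffic looks like wordlist enumeration."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for r in recs:
            if any(tag in r["ua"].lower() for tag in SCANNER_UA_MARKERS):
                reasons.add("scanner user-agent")
            if r["method"] == "OPTIONS":  # the curl -X OPTIONS / nmap http-methods check
                reasons.add("OPTIONS probe")
        j = 0  # two-pointer sliding window over the time-sorted records
        for i in range(len(recs)):
            while j < len(recs) and (recs[j]["ts"] - recs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            win = recs[i:j]  # every request within window_s of request i
            if len(win) >= min_requests and sum(r["status"] == 404 for r in win) / len(win) >= min_404_ratio:
                reasons.add("404 burst")  # wordlist guessing: many misses in a short time
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

def constructed_sample():
    """Constructed log lines (not real traffic): one enumerating client and one normal visitor."""
    t0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{m} {p} HTTP/1.1" {s} 512 "-" "{ua}"'
    scan = [fmt.format(ip="203.0.113.5", ts=t0 + timedelta(seconds=i), m="GET", p=f"/word{i}",
                       s=404, ua="gobuster/3.6") for i in range(20)]
    scan.append(fmt.format(ip="203.0.113.5", ts=t0, m="OPTIONS", p="/test", s=200, ua="curl/8.0"))
    normal = [fmt.format(ip="198.51.100.7", ts=t0 + timedelta(minutes=i), m="GET", p="/index.html",
                         s=200, ua="Mozilla/5.0") for i in range(3)]
    return scan + normal
```

The thresholds are illustrative; tune window_s, min_requests and min_404_ratio against the site's normal 404 rate before alerting on them.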
