Enumeration

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Web Application Enumeration

w3af is an open source, Python-based Web Application Attack and Audit Framework.

The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

It can also be abused by attackers to find and enumerate weaknesses in web applications and can be downloaded and run with the following commands:

git clone --depth 1 https://github.com/andresriancho/w3af.git
cd w3af
./w3af_gui

HTTP Enumeration

Subdomain enumeration

https://sidxparab.gitbook.io/subdomain-enumeration-guide/

dirsearch

https://github.com/maurosoria/dirsearch

python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist

gobuster (3.x needs the dir subcommand; older releases take -u/-w directly)

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://$ip

DirBuster - HTTP folder enumeration; can take a dictionary file

Dirb

  • Directory brute forcing using a dictionary file

dirb http://$ip/ wordlist.dict

dirb http://vm/

  • Dirb through a proxy

dirb http://$ip/ -p $ip:$port

Nikto

nikto -h $ip

  • Proxy enumeration (useful for open proxies)

nikto -useproxy http://$ip:3128 -h $ip

Nmap HTTP Enumeration

nmap --script=http-enum -p80 -n $ip/24

  • Nmap: check which HTTP methods the server allows

nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Uniscan

Directory finder

uniscan -qweds -u http://vm/

Wfuzz - The web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

  • Recurse three levels deep, showing only 200 responses

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
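The directory brute forcers above (dirb, gobuster, DirBuster, wfuzz) leave a dense trail of 404 responses from a single source, and most of the tools on this page send a recognisable User-Agent unless told otherwise. The following detection script is an added example, not part of the original notes: it parses combined-format web server log lines (constructed samples, not real traffic) and flags sources that match either signature; the tool names in SCANNER_UA, the 404 threshold and the window size are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.1"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.1"
10.0.0.7 - - [10/Mar/2024:12:00:10 +0000] "GET /a HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:11 +0000] "GET /b HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:12 +0000] "GET /c HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:13 +0000] "GET /d HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:14 +0000] "GET /e HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed default User-Agent fragments of the tools on this page (all can be overridden).
SCANNER_UA = re.compile(r'gobuster|dirbuster|dirb|nikto|wfuzz|w3af|uniscan', re.I)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """{ip: [reasons]} for sources with a scanner UA or >= threshold 404s per window."""
    recent_404 = defaultdict(list)   # ip -> timestamps of its 404s inside the window
    flagged = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if SCANNER_UA.search(rec["ua"]):
            flagged[rec["ip"]].add("scanner user-agent")
        if rec["status"] == 404:
            ts = recent_404[rec["ip"]]
            ts.append(rec["ts"])
            while rec["ts"] - ts[0] > window:   # slide the window forward
                ts.pop(0)
            if len(ts) >= threshold:
                flagged[rec["ip"]].add("404 burst")
    return {ip: sorted(r) for ip, r in flagged.items()}

def scan_sample():
    return find_scanners(SAMPLE_LOG.splitlines())
```

The 404-burst rule is what catches 10.0.0.7, which sends a browser User-Agent, while 10.0.0.5 with its single missing favicon is left alone.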

Misc

  • Get the options (allowed methods) the web server advertises

curl -vX OPTIONS vm/test

  • Open a service using a port knock (secured with knockd)

for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done

  • wpscan - WordPress security scanner

wpscan --url $ip/blog --proxy $ip:3129

  • RSH Enumeration - Metasploit scanner module for the unencrypted rsh service

use auxiliary/scanner/rservices/rsh_login

  • Finger Enumeration

finger @$ip

finger batman@$ip

  • TLS & SSL Testing (aha converts the coloured terminal output to HTML)

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
