arsic@home:~$

Web Enumeration

Good Generic Feroxbuster Scan

feroxbuster -u http://hostname/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x sql,php,txt,bak,db,pdf -C 404,400 -E -g -B -o dirs.txt

No output file:
feroxbuster -u http://hostname/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x sql,php,txt,bak,db,pdf -E -g -B -C 404,400

Scanning HTTPS with output (-k accepts untrusted certificates):
feroxbuster -u https://hostname/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x sql,php,txt,bak,db,pdf -C 404,400 -E -g -B -k -o dirs.txt

Scanning HTTPS without output:
feroxbuster -u https://hostname/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x sql,php,txt,bak,db,pdf -C 404,400 -E -g -B -k

Subdomain Enumeration with FFuF

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://hostname/ -H "Host: FUZZ.hostname"

Most FUZZ values will just return the default virtual host's page, so you have to filter out those false positives with flags like -fs (size), -fc (status code) or -fw (word count); check the help.
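Seen from the server side, the feroxbuster and ffuf scans above leave a recognisable trail in the access log: one client requesting many distinct paths that mostly 404, or one client hitting the same path under many different Host values. The following is an added example, not from the original page, that flags both patterns in constructed vhost-prefixed combined-format log lines; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in vhost-prefixed "combined" log format (not real
# traffic). User-Agent strings are trivially spoofed, so nothing below keys on them.
SAMPLE_LOG = """\
www.example.test 203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "scanner/1.0"
www.example.test 203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /backup.bak HTTP/1.1" 404 196 "-" "scanner/1.0"
www.example.test 203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "scanner/1.0"
www.example.test 203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "scanner/1.0"
www.example.test 198.51.100.2 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
dev.example.test 203.0.113.9 - - [10/Mar/2024:12:01:00 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0"
api.example.test 203.0.113.9 - - [10/Mar/2024:12:01:00 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0"
mail.example.test 203.0.113.9 - - [10/Mar/2024:12:01:00 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scanners(lines, min_requests=4, miss_ratio=0.6, min_vhosts=3):
    """Return {ip: reason} for clients whose traffic looks like content brute
    forcing (many distinct paths, mostly 404) or vhost brute forcing (the same
    client hitting many distinct Host values)."""
    per_ip = defaultdict(lambda: {"n": 0, "miss": 0, "paths": set(), "vhosts": set()})
    for r in parse(lines):
        s = per_ip[r["ip"]]
        s["n"] += 1
        s["miss"] += int(r["status"] == "404")
        s["paths"].add(r["path"])
        s["vhosts"].add(r["vhost"])
    flagged = {}
    for ip, s in per_ip.items():
        if s["n"] >= min_requests and s["miss"] / s["n"] >= miss_ratio and len(s["paths"]) >= min_requests:
            flagged[ip] = "content brute force"
        elif len(s["vhosts"]) >= min_vhosts:
            flagged[ip] = "vhost brute force"
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

Tune the thresholds to the site's normal 404 rate; a real scan produces thousands of misses in seconds, so the defaults here are deliberately low to work on the tiny sample.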

WPScan

wpscan --url <url> -e

This will run enumeration on everything it can.

Using CeWL to Generate a Wordlist

We may need to generate a custom wordlist for brute forcing. CeWL will crawl a target URL and generate a wordlist based on its findings, like so:

sudo cewl -d 2 -m 5 -w ourWordlist.txt http://hostname/

Using Wfuzz to check for SQLi

wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "db=mysql&id=FUZZ" -u http://URL/

-c tells it to colour the output; -z file,<path> tells it to take the SQL injection payloads from the given file; -d posts the given data to the endpoint, with FUZZ replaced by each payload; -u is the URL.

Using Wfuzz to bruteforce passwords

wfuzz -c -z file,wordlist.txt  --hc 404,403 --hh 4837 -d "username=someusername&password=FUZZ" "http://login.url/"

--hc hides responses with the given status codes and --hh hides responses with the given character count (here the size of the failed-login page), filtering out the garbage responses as is usual when fuzzing with wfuzz.

Curl Tips and Tricks

If you want to enumerate a web app, check the server headers for version leaks and similar information, like so:

# HTTP
curl -I urlhere.com

# HTTPS
curl -I -k urlhere.com

-k tells curl to skip verification of the SSL/TLS certificate (e.g. for self-signed certs).