killchain-compendium/Enumeration/Websites.md

# Website Enumeration
* `robots.txt`
* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
* `sitemap.xml`
* Headers, `curl <site>` including `-I` or `-v` parameters
* Check Components of the website, like blog frameworks, shops.
* Wappalyzer
* Snapshots of the site via waybackmachine
* Check repos of the site
* Check buckets
* Fuzz

## URL Fuzzing

### Fuzz Faster U Fool

```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
```
* Fuzz dirs
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```
* Fuzz files
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
```

#### Fuzz parameters

```sh
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```
* Fuzz values
```sh
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
```
* Fuzz Post Methods
```sh
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```

#### Fuzz Users and use Bruteforce

* Fuzz users and write file
```sh
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
```
* Use users saved in `fuff.out` to bruteforce
```sh
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
```
#### Fuzz Subdomains

```sh
ffuf -u http://FUZZ.test.com -c -w  /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
or if the subdomains are listed in the target's host file
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
```
* Fuzz Vhosts & Server Blocks
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
```

#### Proxy

* `-replay-proxy <IP>` or `-x <ProxyIP>`
 
### Gobuster

[Repo](https://github.com/OJ/gobuster.git)

#### Directories

```sh
gobuster dir -u <URL> -w <wordlist>
```

#### DNS 

```sh 
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
```

#### Vhosts

* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
```sh
gobuster vhost -u <URL> -w <wordlist> 
```

#### FileExtension

```sh
-x
```

* Fuzz for files and file extensions
```sh
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
```

#### Basic Auth 

```sh
gobuster help dir
```
* `--username` and `--password`

* `dir -s`   Accept HTTP Status 
* `dir -k`   Skip TLS Auth
* `dir -a`   User Agent

#### Wordlists

```sh
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
```

### Wfuzz

* Fuzz parameters
```sh
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
```

#### DNS with Wfuzz

```sh
 wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -H "User-Agent: DEDSEC" -c -z file,"/usr/share/seclists/Discovery/Web-Content/namelist.txt" http://example.com
 ```
restructured enumeration 2022-11-13 01:16:26 +01:00			`# Website Enumeration`
			* `robots.txt`
			* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
			* `sitemap.xml`
			* Headers, `curl <site>` including `-I` or `-v` parameters
			`* Check Components of the website, like blog frameworks, shops.`
			`* Wappalyzer`
			`* Snapshots of the site via waybackmachine`
			`* Check repos of the site`
			`* Check buckets`
			`* Fuzz`

			`## URL Fuzzing`

			`### Fuzz Faster U Fool`

			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt`
			```
			`* Fuzz dirs`
			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt`
			```
			`* Fuzz files`
			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt`
			```

			`#### Fuzz parameters`

			```sh
			`ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39`
			`ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39`
			```
			`* Fuzz values`
			```sh
			`seq 0 255 \| fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33`
			```
			`* Fuzz Post Methods`
			```sh
			`ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'`
			```
added Wfuzz DNS to Enumeration/Websites.md 2023-02-11 16:58:56 +01:00
restructured enumeration 2022-11-13 01:16:26 +01:00			`#### Fuzz Users and use Bruteforce`

			`* Fuzz users and write file`
			```sh
			`ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out`
			```
			* Use users saved in `fuff.out` to bruteforce
			```sh
			`ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200`
			```
			`#### Fuzz Subdomains`

			```sh
			`ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt`
			```
			`or if the subdomains are listed in the target's host file`
			```sh
			`ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0`
			```
			`* Fuzz Vhosts & Server Blocks`
			```sh
			`ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0`
			`ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0`
			```

			`#### Proxy`

			* `-replay-proxy <IP>` or `-x <ProxyIP>`

			`### Gobuster`

			`[Repo](https://github.com/OJ/gobuster.git)`

			`#### Directories`

			```sh
			`gobuster dir -u <URL> -w <wordlist>`
			```

			`#### DNS`

			```sh
			`gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>`
			```

			`#### Vhosts`

			* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
			```sh
			`gobuster vhost -u <URL> -w <wordlist>`
			```

			`#### FileExtension`

			```sh
			`-x`
			```
added Wfuzz DNS to Enumeration/Websites.md 2023-02-11 16:58:56 +01:00
restructured enumeration 2022-11-13 01:16:26 +01:00			`* Fuzz for files and file extensions`
			```sh
			`gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js`
			```

			`#### Basic Auth`

			```sh
			`gobuster help dir`
			```
			* `--username` and `--password`

			* `dir -s` Accept HTTP Status
			* `dir -k` Skip TLS Auth
			* `dir -a` User Agent

			`#### Wordlists`

			```sh
			`/usr/share/seclists/Discovery/Web-Content/common.txt`
			`/usr/share/seclists/Discovery/Web-Content/big.txt`
			`/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt`
			`/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt`
			`/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt`
			```

			`### Wfuzz`

			`* Fuzz parameters`
			```sh
			`wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test`
			```
added Wfuzz DNS to Enumeration/Websites.md 2023-02-11 16:58:56 +01:00
			`#### DNS with Wfuzz`

			```sh
			`wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -H "User-Agent: DEDSEC" -c -z file,"/usr/share/seclists/Discovery/Web-Content/namelist.txt" http://example.com`
			```