2022-11-13 01:16:26 +01:00
|
|
|
# Website Enumeration
|
2023-08-15 23:24:58 +02:00
|
|
|
|
|
|
|
## Resources
|
|
|
|
|
|
|
|
When enumerating websites, check the following resources as a starting point
|
|
|
|
|
|
|
|
* Components of the website, like blog frameworks, shops
|
|
|
|
* `robots.txt` and `sitemap.xml`
|
|
|
|
* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database) of the site
|
|
|
|
* Headers, `curl <site>` including `-I` and `-v` parameters
|
|
|
|
* Use Wappalyzer or whatweb to list an overview of the site's components
|
2022-11-13 01:16:26 +01:00
|
|
|
* Snapshots of the site via waybackmachine
|
2023-08-15 23:24:58 +02:00
|
|
|
* Check git respositories of the site
|
|
|
|
|
|
|
|
## Web Enumeration in Practice
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
|
|
|
|
### Fuzz Faster U Fool
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Directory fuzzing via ffuf
|
|
|
|
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
|
2023-03-25 15:31:51 +01:00
|
|
|
|
2022-11-13 01:16:26 +01:00
|
|
|
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
|
|
|
|
```
|
2023-03-25 15:31:51 +01:00
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Enumerate directories of the website regardless of HTTP status
|
2022-11-13 01:16:26 +01:00
|
|
|
|
2023-03-25 15:31:51 +01:00
|
|
|
```sh
|
|
|
|
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all
|
|
|
|
```
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Fuzz with other HTTP methods like POST
|
|
|
|
|
2023-03-25 15:31:51 +01:00
|
|
|
```sh
|
|
|
|
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST
|
|
|
|
```
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
File fuzzing via ffuf
|
|
|
|
|
|
|
|
```sh
|
|
|
|
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Fuzz URL parameters
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
```sh
|
|
|
|
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
|
|
|
|
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
|
|
|
|
```
|
2023-08-15 23:24:58 +02:00
|
|
|
Fuzz values of parameters
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
|
|
|
|
```
|
2023-08-15 23:24:58 +02:00
|
|
|
|
|
|
|
Fuzz HTTP POST values in the following way
|
|
|
|
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
2023-08-15 23:24:58 +02:00
|
|
|
ffuf -u http://<IP> -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
|
2022-11-13 01:16:26 +01:00
|
|
|
```
|
2023-02-11 16:58:56 +01:00
|
|
|
|
2023-08-31 01:33:59 +02:00
|
|
|
#### Fuzz Users and Use Bruteforce
|
2022-11-13 01:16:26 +01:00
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Fuzz users and write the results to a file as output
|
|
|
|
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
|
|
|
|
```
|
2023-08-15 23:24:58 +02:00
|
|
|
|
|
|
|
Use the output users saved in `fuff.out` to bruteforce
|
|
|
|
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
|
|
|
|
```
|
|
|
|
#### Fuzz Subdomains
|
|
|
|
|
|
|
|
```sh
|
|
|
|
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
|
|
|
|
```
|
|
|
|
or if the subdomains are listed in the target's host file
|
|
|
|
```sh
|
|
|
|
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
|
|
|
|
```
|
|
|
|
* Fuzz Vhosts & Server Blocks
|
|
|
|
```sh
|
|
|
|
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
|
|
|
|
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Proxy
|
|
|
|
|
|
|
|
* `-replay-proxy <IP>` or `-x <ProxyIP>`
|
2023-08-31 01:33:59 +02:00
|
|
|
|
|
|
|
#### FUZZ Saved Request
|
|
|
|
|
|
|
|
A stored request can be fuzzed using ffuf, remember to set the parameter value you want to fuzz to `FUZZ` inside the file.
|
|
|
|
|
|
|
|
```sh
|
|
|
|
ffuf -request req.txt -w pin.txt -fs 89 -t 70 > output
|
|
|
|
```
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
### Gobuster
|
|
|
|
|
|
|
|
[Repo](https://github.com/OJ/gobuster.git)
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
#### Enumerate Directories via Gobuster
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
```sh
|
|
|
|
gobuster dir -u <URL> -w <wordlist>
|
|
|
|
```
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
#### Enumerate DNS via Gobuster
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
```sh
|
|
|
|
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
|
|
|
|
```
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
#### Enumerate Vhosts via Gobuster
|
|
|
|
|
|
|
|
Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
|
2022-11-13 01:16:26 +01:00
|
|
|
|
|
|
|
```sh
|
|
|
|
gobuster vhost -u <URL> -w <wordlist>
|
|
|
|
```
|
|
|
|
|
|
|
|
#### FileExtension
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Fuzz for specific file extensions
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Basic Auth
|
|
|
|
|
|
|
|
```sh
|
|
|
|
gobuster help dir
|
|
|
|
```
|
|
|
|
* `--username` and `--password`
|
|
|
|
|
|
|
|
* `dir -s` Accept HTTP Status
|
|
|
|
* `dir -k` Skip TLS Auth
|
|
|
|
* `dir -a` User Agent
|
|
|
|
|
|
|
|
#### Wordlists
|
|
|
|
|
|
|
|
```sh
|
|
|
|
/usr/share/seclists/Discovery/Web-Content/common.txt
|
|
|
|
/usr/share/seclists/Discovery/Web-Content/big.txt
|
|
|
|
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
|
|
|
|
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
|
|
|
|
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
|
|
|
|
```
|
|
|
|
|
|
|
|
### Wfuzz
|
|
|
|
|
2023-03-05 17:16:35 +01:00
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
#### Enumerate directories via Wfuzz
|
|
|
|
|
|
|
|
Fuzz directories with wfuzz
|
2023-03-05 17:16:35 +01:00
|
|
|
```sh
|
|
|
|
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0
|
|
|
|
```
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
POST requests fuzzing with wfuzz
|
2023-03-05 17:16:35 +01:00
|
|
|
```sh
|
|
|
|
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0 -X POST
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Parameters with Wfuzz
|
|
|
|
|
2023-08-15 23:24:58 +02:00
|
|
|
Fuzz parameters
|
2022-11-13 01:16:26 +01:00
|
|
|
```sh
|
|
|
|
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
|
|
|
|
```
|
2023-02-11 16:58:56 +01:00
|
|
|
|
|
|
|
#### DNS with Wfuzz
|
|
|
|
|
|
|
|
```sh
|
2023-03-05 17:16:35 +01:00
|
|
|
wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -c -z file,"/usr/share/seclists/Discovery/Web-Content/namelist.txt" http://example.com
|
2023-02-11 16:58:56 +01:00
|
|
|
```
|