clean up

2023-08-15 23:24:58 +02:00 · 2023-08-15 23:24:58 +02:00 · 6911784f26
parent 3842ce9514
commit 6911784f26
1 changed files with 47 additions and 40 deletions
--- a/Enumeration/Websites.md
+++ b/Enumeration/Websites.md
@ -1,66 +1,75 @@
 # Website Enumeration
-* `robots.txt`
-* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
-* `sitemap.xml`
-* Headers, `curl <site>` including `-I` or `-v` parameters
-* Check Components of the website, like blog frameworks, shops.
-* Wappalyzer
-* Snapshots of the site via waybackmachine
-* Check repos of the site
-* Check buckets
-* Fuzz

-## URL Fuzzing
+## Resources  
+
+When enumerating websites, check the following resources as a starting point
+
+* Components of the website, like blog frameworks, shops
+* `robots.txt` and `sitemap.xml`
+* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database) of the site
+* Headers, `curl <site>` including `-I` and `-v` parameters
+* Use Wappalyzer or whatweb to list an overview of the site's components
+* Snapshots of the site via waybackmachine
+* Check git respositories of the site
+
+## Web Enumeration in Practice
+

 ### Fuzz Faster U Fool

-* Simple Fuzzing
+Directory fuzzing via ffuf
+
 ```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
-```

-* Fuzz dirs
-```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 ```

-* Fuzz files
-```sh
-ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
-```
+Enumerate directories of the website regardless of HTTP status

-* Fuzz all existing websites regardless of HTTP status
 ```sh
 ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all
 ```

-* Fuzz with other HTTP methods like POST
+Fuzz with other HTTP methods like POST
+
 ```sh
 ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST
 ```

-#### Fuzz parameters
+File fuzzing via ffuf
+
+```sh
+ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
+```
+
+#### Fuzz URL parameters

 ```sh
 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
 ```
-* Fuzz values
+Fuzz values of parameters
 ```sh
 seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
 ```
-* Fuzz Post Methods
+
+Fuzz HTTP POST values in the following way
+
 ```sh
-ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
+ffuf -u http://<IP> -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
 ```

 #### Fuzz Users and use Bruteforce

-* Fuzz users and write file
+Fuzz users and write the results to a file as output
+
 ```sh
 ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
 ```
-* Use users saved in `fuff.out` to bruteforce
+
+Use the output users saved in `fuff.out` to bruteforce
+
 ```sh
 ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
 ```
@ -87,32 +96,29 @@ ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1m

 [Repo](https://github.com/OJ/gobuster.git)

-#### Directories
+#### Enumerate Directories via Gobuster

 ```sh
 gobuster dir -u <URL> -w <wordlist>
 ```

-#### DNS 
+#### Enumerate DNS via Gobuster

 ```sh 
 gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
 ```

-#### Vhosts
+#### Enumerate Vhosts via Gobuster
+
+Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`

-* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
 ```sh
 gobuster vhost -u <URL> -w <wordlist> 
 ```

 #### FileExtension

-```sh
-x
-```
-
-* Fuzz for files and file extensions
+Fuzz for specific file extensions
 ```sh
 gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
 ```
@ -140,21 +146,22 @@ gobuster help dir

 ### Wfuzz

-#### URLs with Wfuzz

-* GET requests fuzzing with wfuzz
+#### Enumerate directories via Wfuzz
+
+Fuzz directories with wfuzz
 ```sh
 wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0
 ```

-* POST requests fuzzing with wfuzz
+POST requests fuzzing with wfuzz
 ```sh
 wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0 -X POST
 ```

 #### Parameters with Wfuzz

-* Fuzz parameters
+Fuzz parameters
 ```sh
 wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
 ```