diff --git a/Enumeration/Websites.md b/Enumeration/Websites.md index e89d673..34c3506 100644 --- a/Enumeration/Websites.md +++ b/Enumeration/Websites.md 
@@ -1,66 +1,75 @@ # Website Enumeration -* `robots.txt` -* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum` -* `sitemap.xml` -* Headers, `curl ` including `-I` or `-v` parameters -* Check Components of the website, like blog frameworks, shops. -* Wappalyzer -* Snapshots of the site via waybackmachine -* Check repos of the site -* Check buckets -* Fuzz -## URL Fuzzing +## Resources + +When enumerating websites, check the following resources as a starting point + +* Components of the website, like blog frameworks, shops +* `robots.txt` and `sitemap.xml` +* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database) of the site +* Headers, `curl ` including `-I` and `-v` parameters +* Use Wappalyzer or whatweb to list an overview of the site's components +* Snapshots of the site via waybackmachine +* Check git respositories of the site + +## Web Enumeration in Practice + ### Fuzz Faster U Fool -* Simple Fuzzing +Directory fuzzing via ffuf + ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -``` -* Fuzz dirs -```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt ``` -* Fuzz files -```sh -ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt -``` +Enumerate directories of the website regardless of HTTP status -* Fuzz all existing websites regardless of HTTP status ```sh ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all ``` -* Fuzz with other HTTP methods like POST +Fuzz with other HTTP methods like POST + ```sh ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST ``` -#### Fuzz parameters +File fuzzing via ffuf + +```sh +ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt +``` + +#### Fuzz URL parameters ```sh ffuf -u 
'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39 ``` -* Fuzz values +Fuzz values of parameters ```sh seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33 ``` -* Fuzz Post Methods + +Fuzz HTTP POST values in the following way + ```sh -ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' +ffuf -u http:// -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' ``` #### Fuzz Users and use Bruteforce -* Fuzz users and write file +Fuzz users and write the results to a file as output + ```sh ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/signup -mr "username already exists" -o fuff.out ``` -* Use users saved in `fuff.out` to bruteforce + +Use the output users saved in `fuff.out` to bruteforce + ```sh ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/login -fc 200 ``` 
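Review bot: the retained command under the new "Fuzz values of parameters" heading, `seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33`, is still broken: the binary is spelled `fuff` instead of `ffuf`, and the single quote opened before `http://` is never closed, so the shell would swallow the rest of the line; since this hunk re-headlines that example, fix it here as `seq 0 255 | ffuf -u 'http:///sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33`. In the same hunk, the example kept under "Fuzz with other HTTP methods like POST" passes `-C POST`, but the method flag used by the later `-X POST` lines in this file is `-X`; `-C` is not the method switch, so change it to `-X POST`. Minor: `+* Check git respositories of the site` misspells "repositories", and the retained ``Headers, `curl ` including `-I` and `-v` parameters`` carries a stray trailing space inside the backticks.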
@@ -87,32 +96,29 @@ ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1m [Repo](https://github.com/OJ/gobuster.git) -#### Directories +#### Enumerate Directories via Gobuster ```sh gobuster dir -u -w ``` -#### DNS +#### Enumerate DNS via Gobuster ```sh gobuster dns -d -w --show-cname --show-ips --resolver ``` -#### Vhosts +#### Enumerate Vhosts via Gobuster + +Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt` -* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt` ```sh gobuster vhost -u -w ``` #### FileExtension -```sh --x -``` - -* Fuzz for files and file extensions +Fuzz for specific file extensions ```sh gobuster dir -u -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js ``` @@ -140,21 +146,22 @@ gobuster help dir ### Wfuzz -#### URLs with Wfuzz -* GET requests fuzzing with wfuzz +#### Enumerate directories via Wfuzz + +Fuzz directories with wfuzz ```sh wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0 ``` -* POST requests fuzzing with wfuzz +POST requests fuzzing with wfuzz ```sh wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0 -X POST ``` #### Parameters with Wfuzz -* Fuzz parameters +Fuzz parameters ```sh wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http:///api/items\?FUZZ\=test ```
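Review bot: the wordlist in the retained "FileExtension" example, `/usr/share/seclists/Discovery/raft-small-word-lowercase.txt`, does not follow the layout every other seclists path in this file uses (`Discovery/Web-Content/...`, e.g. `raft-medium-words-lowercase.txt`), so it very likely does not resolve; suggest `/usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt` and an `ls` of that path before merging. The sibling headings were renamed to `#### Enumerate ... via Gobuster` but `#### FileExtension` was left as is; rename it (e.g. `#### Enumerate File Extensions via Gobuster`) so the section reads consistently. Minor: `Find other Domains on a host` should use lower-case "domains".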
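Review bot: the new lead-in `+POST requests fuzzing with wfuzz` reads awkwardly next to its sibling `+Fuzz directories with wfuzz`; suggest `Fuzz directories with POST requests via wfuzz`. Both wfuzz commands target `$ATTACKER_IP/FUZZ`, while the ffuf examples earlier in this file use `$IP` for the host being enumerated; using the same variable name here avoids confusing the attacker machine with the target. As in the gobuster section, `#### Parameters with Wfuzz` was not renamed to match the new `#### Enumerate directories via Wfuzz` style.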