clean up

Enumeration/Websites.md

@@ -1,66 +1,75 @@
 # Website Enumeration
-* `robots.txt`
-* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
-* `sitemap.xml`
-* Headers, `curl <site>` including `-I` or `-v` parameters
-* Check Components of the website, like blog frameworks, shops.
-* Wappalyzer
-* Snapshots of the site via waybackmachine
-* Check repos of the site
-* Check buckets
-* Fuzz
 
-## URL Fuzzing
+## Resources  
+
+When enumerating websites, check the following resources as a starting point
+
+* Components of the website, like blog frameworks, shops
+* `robots.txt` and `sitemap.xml`
+* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database) of the site
+* Headers, `curl <site>` including `-I` and `-v` parameters
+* Use Wappalyzer or whatweb to list an overview of the site's components
+* Snapshots of the site via waybackmachine
+* Check git respositories of the site
+
+## Web Enumeration in Practice
+
 
 ### Fuzz Faster U Fool
 
-* Simple Fuzzing
+Directory fuzzing via ffuf
+
 ```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
-```
 
-* Fuzz dirs
-```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 ```
 
-* Fuzz files
+Enumerate directories of the website regardless of HTTP status
-```sh
-ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
-```
 
-* Fuzz all existing websites regardless of HTTP status
 ```sh
 ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all
 ```
 
-* Fuzz with other HTTP methods like POST
+Fuzz with other HTTP methods like POST
+
 ```sh
 ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST
 ```
 
-#### Fuzz parameters
+File fuzzing via ffuf
+
+```sh
+ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
+```
+
+#### Fuzz URL parameters
 
 ```sh
 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
 ```
-* Fuzz values
+Fuzz values of parameters
 ```sh
 seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
 ```
-* Fuzz Post Methods
+
+Fuzz HTTP POST values in the following way
+
 ```sh
-ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
+ffuf -u http://<IP> -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
 ```
 
 #### Fuzz Users and use Bruteforce
 
-* Fuzz users and write file
+Fuzz users and write the results to a file as output
+
 ```sh
 ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
 ```
-* Use users saved in `fuff.out` to bruteforce
+
+Use the output users saved in `fuff.out` to bruteforce
+
 ```sh
 ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
 ```
@@ -87,32 +96,29 @@ ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1m
 
 [Repo](https://github.com/OJ/gobuster.git)
 
-#### Directories
+#### Enumerate Directories via Gobuster
 
 ```sh
 gobuster dir -u <URL> -w <wordlist>
 ```
 
-#### DNS 
+#### Enumerate DNS via Gobuster
 
 ```sh 
 gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
 ```
 
-#### Vhosts
+#### Enumerate Vhosts via Gobuster
+
+Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
 
-* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
 ```sh
 gobuster vhost -u <URL> -w <wordlist> 
 ```
 
 #### FileExtension
 
-```sh
+Fuzz for specific file extensions
--x
-```
-
-* Fuzz for files and file extensions
 ```sh
 gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
 ```
@@ -140,21 +146,22 @@ gobuster help dir
 
 ### Wfuzz
 
-#### URLs with Wfuzz
 
-* GET requests fuzzing with wfuzz
+#### Enumerate directories via Wfuzz
+
+Fuzz directories with wfuzz
 ```sh
 wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0
 ```
 
-* POST requests fuzzing with wfuzz
+POST requests fuzzing with wfuzz
 ```sh
 wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u $ATTACKER_IP/FUZZ -t 100 --hh 0 -X POST
 ```
 
 #### Parameters with Wfuzz
 
-* Fuzz parameters
+Fuzz parameters
 ```sh
 wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
 ```