# Website Enumeration * `robots.txt` * [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum` * `sitemap.xml` * Headers, `curl ` including `-I` or `-v` parameters * Check Components of the website, like blog frameworks, shops. * Wappalyzer * Snapshots of the site via waybackmachine * Check repos of the site * Check buckets * Fuzz ## URL Fuzzing ### Fuzz Faster U Fool ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt ``` * Fuzz dirs ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt ``` * Fuzz files ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt ``` #### Fuzz parameters ```sh ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39 ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39 ``` * Fuzz values ```sh seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33 ``` * Fuzz Post Methods ```sh ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' ``` #### Fuzz Users and use Bruteforce * Fuzz users and write file ```sh ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/signup -mr "username already exists" -o fuff.out ``` * Use users saved in `fuff.out` to bruteforce ```sh ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http:///customers/login -fc 200 ``` #### Fuzz Subdomains ```sh ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt ``` or if the subdomains are listed in the target's host file ```sh ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http:// -fs 0 ``` * Fuzz Vhosts & Server Blocks ```sh ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0 ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0 ``` #### Proxy * `-replay-proxy ` or `-x ` ### Gobuster [Repo](https://github.com/OJ/gobuster.git) #### Directories ```sh gobuster dir -u -w ``` #### DNS ```sh gobuster dns -d -w --show-cname --show-ips --resolver ``` #### Vhosts * Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt` ```sh gobuster vhost -u -w ``` #### FileExtension ```sh -x ``` * Fuzz for files and file extensions ```sh gobuster dir -u -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js ``` #### Basic Auth ```sh gobuster help dir ``` * `--username` and `--password` * `dir -s` Accept HTTP Status * `dir -k` Skip TLS Auth * `dir -a` User Agent #### Wordlists ```sh /usr/share/seclists/Discovery/Web-Content/common.txt /usr/share/seclists/Discovery/Web-Content/big.txt /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt ``` ### Wfuzz * Fuzz parameters ```sh wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http:///api/items\?FUZZ\=test ``` #### DNS with Wfuzz ```sh wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -H "User-Agent: DEDSEC" -c -z file,"/usr/share/seclists/Discovery/Web-Content/namelist.txt" http://example.com ```