4.0 KiB
4.0 KiB
Website Enumeration
robots.txt
- Favicon,
curl
target andmd5sum
sitemap.xml
- Headers,
curl <site>
including-I
or-v
parameters - Check Components of the website, like blog frameworks, shops.
- Wappalyzer
- Snapshots of the site via waybackmachine
- Check repos of the site
- Check buckets
- Fuzz
URL Fuzzing
Fuzz Faster U Fool
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
- Fuzz dirs
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
- Fuzz files
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
Fuzz parameters
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
- Fuzz values
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
- Fuzz Post Methods
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
Fuzz Users and use Bruteforce
- Fuzz users and write file
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
- Use users saved in
fuff.out
to bruteforce
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
Fuzz Subdomains
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
or if the subdomains are listed in the target's host file
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
- Fuzz Vhosts & Server Blocks
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
Proxy
-replay-proxy <IP>
or-x <ProxyIP>
Gobuster
Directories
gobuster dir -u <URL> -w <wordlist>
DNS
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
Vhosts
- Find other Domains on a host via
seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster vhost -u <URL> -w <wordlist>
FileExtension
-x
- Fuzz for files and file extensions
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
Basic Auth
gobuster help dir
-
--username
and--password
-
dir -s
Accept HTTP Status -
dir -k
Skip TLS Auth -
dir -a
User Agent
Wordlists
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
Wfuzz
- Fuzz parameters
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
DNS with Wfuzz
wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -H "User-Agent: DEDSEC" -c -z file,"/usr/share/seclists/Discovery/Web-Content/namelist.txt" http://example.com