Website Enumeration

Resources

When enumerating websites, check the following resources as a starting point:

  • Components of the website, like blog frameworks or shop software
  • robots.txt and sitemap.xml
  • Favicon of the site
  • Response headers, via curl -I <site> (headers only) or curl -v <site> (full request and response)
  • Use Wappalyzer or whatweb to list an overview of the site's components
  • Snapshots of the site via the Wayback Machine
  • Check git repositories of the site
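The header check from the list above is the one that gives the quickest picture of the stack, and it is also the check a defender runs to see what the site gives away. The following added example (not part of the compendium) parses a response head as curl -I prints it and reports disclosing headers, framework hints in cookie names, missing cookie flags, and absent hardening headers. The response text is constructed for the example; the header and cookie tables are assumptions drawn from common defaults, not an exhaustive fingerprint database.

```python
"""Review an HTTP response head (curl -I style) for stack disclosure and
missing hardening. Added example; input is constructed, not captured."""
from typing import Dict, List, Tuple

# Constructed sample response head (not from any real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Content-Type: text/html; charset=UTF-8
"""

# Headers that reveal server or framework versions (assumed list).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Hardening headers a baseline usually expects (assumed list).
EXPECTED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options")
# Cookie-name prefixes that hint at the framework (assumed mapping).
COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                "asp.net_sessionid": "ASP.NET", "wordpress_": "WordPress",
                "laravel_session": "Laravel"}


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a response head into the status line and (name, value) pairs.
    Names are lower-cased; duplicate headers (Set-Cookie) are all kept."""
    lines = raw.strip().splitlines()
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def review_headers(raw: str) -> Dict[str, List[str]]:
    """Return a report with four lists: disclosed, cookie_hints,
    insecure_cookies and missing."""
    _, headers = parse_head(raw)
    present = {name for name, _ in headers}
    report: Dict[str, List[str]] = {"disclosed": [], "cookie_hints": [],
                                    "insecure_cookies": [], "missing": []}
    for name, value in headers:
        if name in DISCLOSING:
            report["disclosed"].append(f"{name}: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            for prefix, tech in COOKIE_HINTS.items():
                if cookie.startswith(prefix):
                    report["cookie_hints"].append(f"{cookie} -> {tech}")
            flags = value.lower()
            lacking = [f for f in ("httponly", "secure") if f not in flags]
            if lacking:
                report["insecure_cookies"].append(
                    f"{cookie} missing {', '.join(lacking)}")
    report["missing"] = [h for h in EXPECTED if h not in present]
    return report


if __name__ == "__main__":
    for section, items in review_headers(SAMPLE_RESPONSE).items():
        print(section)
        for item in items:
            print("  ", item)
```

To run it against a live host, pipe the output of curl -sI into the script in place of SAMPLE_RESPONSE; the same report then doubles as a hardening checklist for the site owner.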

Web Enumeration in Practice

Fuzz Faster U Fool

Directory fuzzing via ffuf

ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt

ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

Enumerate directories of the website regardless of HTTP status

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all

Fuzz with other HTTP methods like POST (the method is set with -X)

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -X POST

File fuzzing via ffuf

ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt

Fuzz URL parameters

ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39

Fuzz values of parameters

seq 0 255 | ffuf -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

Fuzz HTTP POST values in the following way

ffuf -u http://<IP> -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'

Fuzz Users and Use Bruteforce

Fuzz users and write the results to a file as output (-mr matches responses containing the given string)

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o ffuf.out

Extract the matched usernames from ffuf.out (by default a JSON file) into userlist.txt, then use them for bruteforcing with two wordlists

ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200

Fuzz Subdomains

ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

or, for virtual hosts that only resolve via the target's hosts file rather than public DNS, fuzz the Host header instead

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0

Fuzz Vhosts & Server Blocks

ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0

ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0

Proxy

  • -x <proxy-URL> sends every request through a proxy (e.g. http://127.0.0.1:8080 for Burp); -replay-proxy <proxy-URL> sends only the matched requests through it

FUZZ Saved Request

A stored request (e.g. saved from Burp) can be fuzzed using ffuf; remember to replace the parameter value you want to fuzz with FUZZ inside the file.

ffuf -request req.txt -w pin.txt -fs 89 -t 70 > output

Gobuster

Enumerate Directories via Gobuster

gobuster dir -u <URL> -w <wordlist>

Enumerate DNS via Gobuster

gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>

Enumerate Vhosts via Gobuster

Find other domains served by the same host (virtual hosts), e.g. with seclists/Discovery/DNS/subdomains-top1million-5000.txt

gobuster vhost -u <URL> -w <wordlist>

FileExtension

Fuzz for specific file extensions

gobuster dir -u <URL> -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -x .conf,.js

Basic Auth

gobuster help dir lists the relevant options:

  • -U, --username and -P, --password for HTTP basic auth
  • -s, --status-codes: HTTP status codes to accept as positive results
  • -k, --no-tls-validation: skip TLS certificate verification
  • -a, --useragent: set the User-Agent header

Wordlists

/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

Wfuzz

Enumerate directories via Wfuzz

Fuzz directories with wfuzz (--hh 0 hides responses with zero characters)

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://$TARGET_IP/FUZZ -t 100 --hh 0

POST request fuzzing with wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://$TARGET_IP/FUZZ -t 100 --hh 0 -X POST

Parameters with Wfuzz

Fuzz parameters

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u 'http://<target-IP>/api/items?FUZZ=test'

DNS with Wfuzz

wfuzz -H "Host: FUZZ.example.com" --hc 302,400 -t 50 -c -z file,/usr/share/seclists/Discovery/DNS/namelist.txt http://example.com
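Every ffuf, gobuster and wfuzz command in the sections above leaves the same footprint on the server side: a single client requesting many distinct paths in a short time, most of them answered with 4xx, often with the tool's default User-Agent. The following added example (not part of the compendium) runs that detection over combined-format access log lines. The log lines are constructed for the example, and the thresholds (60-second window, 20 requests, 80% failures, 80% distinct paths) are assumptions to tune per site.

```python
"""Flag fuzzing activity in Apache/nginx combined-format access logs.
Added example with constructed log lines; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Substrings of the default User-Agent strings of the three tools (assumed).
TOOL_UA_MARKERS = ("fuzz faster u fool", "gobuster", "wfuzz")
WINDOW_SECONDS = 60        # sliding window length
MIN_REQUESTS = 20          # requests in the window before the heuristic fires
MIN_FAIL_RATIO = 0.8       # share of 4xx responses in the window
MIN_DISTINCT_RATIO = 0.8   # share of distinct paths in the window


def _line(ip: str, second: int, path: str, status: int, ua: str) -> str:
    ts = f"10/Oct/2023:13:55:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
# Constructed sample: one normal visitor, one ffuf run with the default
# User-Agent, and one burst from a client that spoofs a browser User-Agent.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, p, 200, BROWSER_UA)
     for s, p in ((1, "/"), (5, "/about"), (9, "/contact"))]
    + [_line("198.51.100.9", i, f"/word{i}", 404, "Fuzz Faster U Fool v2.1.0-dev")
       for i in range(25)]
    + [_line("192.0.2.5", i * 2, f"/dir{i}", 404 if i % 10 else 200, BROWSER_UA)
       for i in range(25)]
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_fuzzing(lines: List[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients that look like fuzzers.
    Two signals: a known tool User-Agent, and a window with many distinct,
    mostly failing requests (catches tools run with a spoofed User-Agent)."""
    by_ip: Dict[str, list] = defaultdict(list)
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec)
        if any(marker in rec["ua"].lower() for marker in TOOL_UA_MARKERS):
            reason = f'tool user agent: {rec["ua"]}'
            if reason not in findings[rec["ip"]]:
                findings[rec["ip"]].append(reason)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it fits inside WINDOW_SECONDS.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = recs[start:end + 1]
            if len(window) < MIN_REQUESTS:
                continue
            failures = sum(1 for r in window if 400 <= r["status"] < 500)
            distinct = len({r["path"] for r in window})
            if (failures / len(window) >= MIN_FAIL_RATIO
                    and distinct / len(window) >= MIN_DISTINCT_RATIO):
                findings[ip].append(
                    f"{len(window)} requests to {distinct} distinct paths, "
                    f"{failures} 4xx in {WINDOW_SECONDS}s")
                break  # one rate finding per client is enough
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The rate heuristic is what matters in practice: all three tools let the operator set any User-Agent, so the marker check alone only catches default configurations, while the burst of distinct failing paths is inherent to wordlist-driven enumeration.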