# Easy web enumeration

## The tools you need

- ffuf (Fuzz Faster U Fool): has to be installed and built yourself
- [[GoBuster]] (Recommended)
- EyeWitness - takes screenshots of websites, provides some server header info, and identifies default credentials if known.

## Wordlists

SecLists (git clone it, or `apt install seclists`) for wordlists - ESSENTIAL FOR ANY WEB ENUMERATION ATTACK

## Directory/File Enumeration

This is simply the process of trying to find files or directories hosted under a web server, by requesting each entry of a wordlist and noting which ones do not come back as 404. For example:
```
yvesb04@htb[/htb]$ gobuster dir -u http://10.10.10.121/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.121/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/11 21:47:25 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/12/11 21:47:46 Finished
===============================================================
```
## DNS Subdomain Enumeration

### What is it?

Suppose we know the domain inlanefreight.com and want to find its existing subdomains; with [[GoBuster]] we can do this:
```
$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Domain:     inlanefreight.com
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
2020/12/17 23:08:55 Starting gobuster
===============================================================
Found: blog.inlanefreight.com
Found: customer.inlanefreight.com
Found: my.inlanefreight.com
Found: ns1.inlanefreight.com
Found: ns2.inlanefreight.com
Found: ns3.inlanefreight.com
===============================================================
2020/12/17 23:10:34 Finished
===============================================================
```
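Both gobuster modes above only print their hits; every miss still lands in the target's logs as a 404 (directory mode) or an NXDOMAIN answer (DNS mode), which is how a defender spots the scan. The following is an added example, not part of the original notes, that applies one sliding-window counter to both cases. The access log lines follow the Apache/nginx combined format; the DNS log format (`<iso-timestamp> <client> <qname> <rcode>`) is a simplified shape assumed for the example, and all log lines and thresholds are constructed, not real data.

```python
"""Detecting directory and DNS subdomain brute-forcing from server logs.

Added example, not from the original notes. All log lines below are
constructed for the example; the window/threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Simplified DNS query log assumed for this example: "<iso-ts> <client> <qname> <rcode>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


def sliding_window_peaks(events, window):
    """events: iterable of (timestamp, source). Returns {source: most events seen within any `window`}."""
    by_source = defaultdict(list)
    for ts, src in events:
        by_source[src].append(ts)
    peaks = {}
    for src, stamps in by_source.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:  # slide the left edge until the span fits the window
                left += 1
            peak = max(peak, right - left + 1)
        peaks[src] = peak
    return peaks


def access_log_misses(lines):
    """Yield (timestamp, client ip) for every 404; a wordlist scan is almost all misses."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "404":
            yield datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("ip")


def dns_log_nxdomains(lines):
    """Yield (timestamp, client) for every NXDOMAIN answer."""
    for line in lines:
        m = DNS_RE.match(line)
        if m and m.group("rcode") == "NXDOMAIN":
            yield datetime.fromisoformat(m.group("ts")), m.group("client")


def flag_sources(peaks, threshold):
    return sorted(src for src, n in peaks.items() if n >= threshold)


def detect_dir_bruteforce(lines, window_s=10, threshold=10):
    """Clients with >= threshold 404s inside any window_s seconds."""
    return flag_sources(sliding_window_peaks(access_log_misses(lines), timedelta(seconds=window_s)), threshold)


def detect_dns_bruteforce(lines, window_s=10, threshold=10):
    """Clients with >= threshold NXDOMAIN answers inside any window_s seconds."""
    return flag_sources(sliding_window_peaks(dns_log_nxdomains(lines), timedelta(seconds=window_s)), threshold)


# Constructed sample data: one normal browser client and one wordlist scanner.
SCAN_WORDS = ["admin", "backup", "config", "dev", "images", "login", "old", "test", "tmp", "upload", "api", "cgi-bin"]
ACCESS_LOG = [
    '192.168.1.20 - - [11/Dec/2020:21:47:20 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.5 - - [11/Dec/2020:21:47:{25 + i // 4:02d} +0000] "GET /{w} HTTP/1.1" 404 275 "-" "gobuster/3.0.1"'
    for i, w in enumerate(SCAN_WORDS)
] + [
    '10.10.14.5 - - [11/Dec/2020:21:47:28 +0000] "GET /wordpress HTTP/1.1" 301 312 "-" "gobuster/3.0.1"',
    '192.168.1.20 - - [11/Dec/2020:21:47:40 +0000] "GET /missing.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
]
DNS_LOG = [
    "2020-12-17T23:08:55 192.168.1.20 www.inlanefreight.com NOERROR",
] + [
    f"2020-12-17T23:08:{55 + i // 5:02d} 10.10.14.5 {w}.inlanefreight.com NXDOMAIN"
    for i, w in enumerate(["aaa", "abc", "admin1", "alpha", "beta", "dev1", "ftp2", "mail9", "old", "stage", "zz"])
] + ["2020-12-17T23:08:56 10.10.14.5 blog.inlanefreight.com NOERROR"]

if __name__ == "__main__":
    print("directory brute-force from:", detect_dir_bruteforce(ACCESS_LOG))
    print("subdomain brute-force from:", detect_dns_bruteforce(DNS_LOG))
```

The same two-pointer window works for any "many failures from one source in a short time" signal; only the line parser and the definition of a failure change between the HTTP and DNS cases. Raising `threshold` or shrinking `window_s` trades missed slow scans for fewer false positives from a browser fetching a page with broken links.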
## Banner Grabbing

Web server headers provide a good picture of what is hosted on a web server. They can reveal the specific application framework in use, the authentication options, and whether the server is missing essential security options or has been misconfigured.

For this we can use several tools:
```sh
nc -nv 10.129.42.253 21                     # Example usage
nmap -sV --script=banner <target>
nmap -sV --script=banner -p21 10.10.10.0/24 # Example usage
curl -IL https://www.inlanefreight.com      # Example usage
```
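The `curl -IL` output above is also what the server's own admin should be reading: version strings in `Server` or `X-Powered-By` and missing hardening headers are the "misconfigured" part of the paragraph. The following is an added example, not from the original notes, that audits a raw response head of that shape. `RAW_RESPONSE` and `HARDENED_RESPONSE` are constructed samples (the version numbers in them are made up), and the disclosure and expected-header lists are common choices for the example rather than an exhaustive standard.

```python
"""Audit what a web server's response headers reveal or fail to set.

Added example, not from the original notes. Sample responses are constructed;
the header lists are common choices, not a complete standard.
"""

# Headers that typically leak product/version information.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Hardening headers a modern site is expected to send, with the risk when absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing, browsers will accept plain-HTTP downgrades",
    "x-content-type-options": "MIME sniffing not disabled",
    "x-frame-options": "no clickjacking protection (or use CSP frame-ancestors)",
    "content-security-policy": "no Content-Security-Policy",
}


def parse_head(raw):
    """Split a raw HTTP head into (status_line, {lowercase name: value}, [set-cookie values])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    status, headers, cookies = lines[0], {}, []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":      # may repeat, so keep every cookie
            cookies.append(value)
        else:
            headers[name] = value
    return status, headers, cookies


def audit_headers(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    _, headers, cookies = parse_head(raw)
    findings = []
    for name in sorted(DISCLOSURE_HEADERS & headers.keys()):
        findings.append(f"discloses {name}: {headers[name]}")
    for name, why in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: {why}")
    for cookie in cookies:
        cookie_name = cookie.split("=", 1)[0]
        attrs = cookie.lower()
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} without {label} flag")
    return findings


# Constructed sample: a default-ish PHP stack, as `curl -I` would print it.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 11 Dec 2020 21:47:25 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
# Constructed sample: the same site after removing version headers and adding hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 11 Dec 2020 21:47:25 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("default", RAW_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_headers(raw) or ["no findings"]:
            print("  -", finding)
```

Feeding it real output is a matter of `audit_headers(subprocess.run(["curl", "-sI", url], capture_output=True, text=True).stdout)`; with `-L` curl prints one head per redirect hop, so split on the blank line between hops and audit the last one.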
## Robots.txt

Try visiting website/robots.txt: its Disallow entries list paths the site owner did not want indexed, so you may find something you weren't meant to see!