Easy Web Enumeration
The tools you need
- ffuf (Fuzz Faster U Fool) - you have to install and build it yourself
- GoBuster (recommended)
- EyeWitness - designed to take screenshots of websites, report some server header info, and identify default credentials where they are known.
Wordlists
SecLists (or use apt install) for wordlists - ESSENTIAL FOR ANY WEB ENUMERATION ATTACK
Directory/File Enumeration
This is simply the process of trying to find any files or directories hosted under a domain by guessing names from a wordlist, for example:
yvesb04@htb[/htb]$ gobuster dir -u http://10.10.10.121/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.121/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/11 21:47:25 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/12/11 21:47:46 Finished
===============================================================
DNS Subdomain Enumeration
What is it?
Suppose we know inlanefreight.com and want to find any existing subdomains. Using GoBuster's dns mode we can do this:
$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Domain: inlanefreight.com
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
2020/12/17 23:08:55 Starting gobuster
===============================================================
Found: blog.inlanefreight.com
Found: customer.inlanefreight.com
Found: my.inlanefreight.com
Found: ns1.inlanefreight.com
Found: ns2.inlanefreight.com
Found: ns3.inlanefreight.com
===============================================================
2020/12/17 23:10:34 Finished
===============================================================
Banner Grabbing
Web server headers provide a good picture of what is hosted on a web server. They can reveal the specific application framework in use, the authentication options, and whether the server is missing essential security options or has been misconfigured.
For this we can use a number of tools:
nc -nv 10.129.42.253 21 #Example usage
nmap -sV --script=banner <target>
nmap -sV --script=banner -p21 10.10.10.0/24 # Example usage
curl -IL https://www.inlanefreight.com # Example usage
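Once you have the headers from `curl -IL`, the useful part is reading them consistently: which headers give away the stack, and which hardening headers are missing. The script below is an added example, not part of the original notes; it parses a constructed sample response (not captured from any real host) and reports both.

```python
# Added example (not from the original notes): audit the headers a banner grab returns.
from typing import Dict, List

# Headers that disclose the stack behind the server (what a banner grab reveals).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Hardening headers whose absence is a "missing essential security option".
EXPECTED_SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                             "x-content-type-options", "x-frame-options")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the final header block (after any -L redirects) into a lowercase dict."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers: Dict[str, str] = {}
    if not blocks:
        return headers
    for line in blocks[-1].splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and anything that is not a header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> Dict[str, List[str]]:
    """Return what the headers disclose and which hardening headers are absent."""
    headers = parse_headers(raw)
    return {
        "disclosed": [f"{h}: {headers[h]}" for h in DISCLOSURE_HEADERS if h in headers],
        "missing": [h for h in EXPECTED_SECURITY_HEADERS if h not in headers],
    }


# Constructed sample of what `curl -I` might print; not captured from any real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 11 Dec 2020 21:47:25 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for finding, items in audit_headers(SAMPLE_RESPONSE).items():
        print(finding, items)
```

Pipe the real `curl -IL` output into `audit_headers` to get the same two lists for a host you are reviewing; the "disclosed" list is what to strip from the server config, the "missing" list is what to add.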
Robots.txt
Try visiting website/robots.txt; the paths it asks crawlers to skip are often exactly the ones you shouldn't be able to look at!