Port Enumeration – 80/http


Toolset

Directory Fuzzing

dirb:
dirb http://<target>/ /usr/share/wordlists/dirb/common.txt

gobuster:
gobuster dir -u http://<target>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

ffuf:
ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.174.108/storage/FUZZ -e .txt,.php -o ffuf_output.txt

Web server scanning

nikto:
nikto -h <ip>:<port>

Username:Password bruteforce

hydra:
hydra -l admin -P /path/to/wordlist/to/be/used.txt <target> http-post-form "/loginformURL:username=^USER^&password=^PASS^:Error msg after invalid login" -t 64
TIP: Capture a failed login in Burp to get the exact form field names and the error string the page returns. hydra treats the third field as a failure string by default, so a wrong string makes every attempt look like a hit; use S=<text> there if you would rather match on a success string.
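The following is an added example, not part of the original notes: a small model of what the hydra http-post-form module does with its third field, so the consequence of getting the error string wrong is visible. The login handler, the valid credential pair and the wordlist are constructed for illustration; nothing here talks to a real target.

```python
"""
Model of hydra's http-post-form condition handling (added example).
Assumptions: fake_login stands in for the target's login endpoint, and
"admin":"Winter2024" is a made-up valid pair.
"""
from typing import Callable, Iterable, Optional


def parse_condition(cond: str):
    """hydra's third field: a failure string by default,
    'S=<text>' for a success string, 'F=<text>' for an explicit failure string."""
    if cond.startswith("S="):
        return ("success", cond[2:])
    if cond.startswith("F="):
        return ("failure", cond[2:])
    return ("failure", cond)


def login_succeeded(body: str, cond: str) -> bool:
    """Decide whether one response counts as a valid login under the given condition."""
    kind, text = parse_condition(cond)
    matched = text in body
    return matched if kind == "success" else not matched


def brute_force(send: Callable[[str, str], str], user: str,
                passwords: Iterable[str], cond: str) -> Optional[str]:
    """Try each password for one user; return the first that satisfies the condition."""
    for pw in passwords:
        if login_succeeded(send(user, pw), cond):
            return pw
    return None


# Constructed stand-in for the target: one valid pair, a fixed error message otherwise.
def fake_login(user: str, password: str) -> str:
    if (user, password) == ("admin", "Winter2024"):
        return "<h1>Dashboard</h1> Welcome back, admin"
    return "<div class='error'>Invalid username or password</div>"


WORDLIST = ["password", "admin", "123456", "Winter2024", "letmein"]  # constructed

if __name__ == "__main__":
    # Correct failure string and a success string both find the real password.
    print(brute_force(fake_login, "admin", WORDLIST, "Invalid username or password"))
    print(brute_force(fake_login, "admin", WORDLIST, "S=Dashboard"))
    # A failure string that never appears makes the very first guess a false positive.
    print(brute_force(fake_login, "admin", WORDLIST, "Wrong credentials"))
```

The third run is the mistake the Burp tip guards against: if the string in the third field does not appear in the real error page, hydra reports the first password in the list as valid.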

Check a binary or image file for embedded data

binwalk:
binwalk <file>

binwalk – auto-extract embedded data (recursively):
binwalk -Me <file>

Check for a connection back (e.g. confirm blind command injection or SSRF by making the target ping your VPN address)

tcpdump:
tcpdump -i tun0 icmp -n

Scanning Drupal sites

droopescan:
./droopescan scan drupal -u http://<target>/

Scanning WordPress sites

wpscan:
wpscan --url http://<target>/ -e ap --plugins-detection aggressive -o wpscan.out

Fuzzing web pages with wfuzz (paths, parameters or keywords; --hc 404 hides not-found responses):

wfuzz:
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ

Checklist

  • Check the functionality and every clickable element on the page
  • Work out what the website does and who it is for
  • Check the "Powered By" banner in the footer of the website
  • Check the page source
    -> Check for JS files (names, paths and version strings)
    -> Check for CSS files
    -> Check for a service name or version string in the page source
    -> Check for HTML comments
    -> Check for credentials
  • Check /admin, /administrator, /login and /robots.txt by hand
  • Intercept the request to the main page in Burp and look for suspicious parameters
  • Intercept the requests made by a login or admin panel in Burp and note the cookies and parameters
  • Try changing parameter values and the request method (e.g. GET to POST) and compare the responses
  • Note down every name you see
  • If you see a person's name and the department they work in, try those as username and password, e.g. IT dept → mail password it:it, or sales:sales. The mail address may also be of the form it@ or it@postfish.off.
  • Run dirb/ffuf/gobuster with the extensions flag (-X for dirb, -x for gobuster, -e for ffuf) and .php,.txt,.html etc., and write the output to a file
  • Run nikto
  • You can also run wfuzz to fuzz the page for keywords such as usernames
  • Run nmap service/version detection and its http NSE scripts against the port
  • If you find creds, try them everywhere, including uppercase/lowercase variants and other combinations of the same values
  • LFI
    1. The include may require a hard-coded string somewhere in the path (a weak filter). ../ninevehNotes.txt../../../../etc/passwd is then included while ../../../../etc/passwd alone is rejected: the required string is present, and the extra path component is popped by the following ../
    2. Try URL-encoding or Base64-encoding the payload if the raw one is filtered
    3. Try PHP wrappers as well, e.g. php://filter/convert.base64-encode/resource=../../../etc/passwd, which returns the file base64-encoded instead of executing it
