
Web enumeration

3pigs

  • http://192.168.78.249/admin
  • http://192.168.78.249/admin/
  • http://192.168.78.249/admin.html

-w


  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • /usr/share/wordlists/dirb/big.txt
  • /usr/share/wordlists/dirb/common.txt

gobuster


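# gobuster directory enumeration. IP must hold the target base URL
# (scheme://host[:port]); it is quoted everywhere so a value containing
# shell metacharacters cannot be word-split or glob-expanded.
: "${IP:?set IP to the target base URL}"
wl_medium=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
wl_big=/usr/share/wordlists/dirb/big.txt

# pig 1 -- plain directory scan; -b 404 hides not-found responses,
# -k skips TLS certificate validation (expected on lab hosts with self-signed certs)
gobuster dir --url "$IP" -w "$wl_medium" -b 404 -k

# pig 2 -- -f appends / to every request, i.e. a folder-only pass
gobuster dir --url "$IP" -w "$wl_medium" -b 404 -k -f

# pig 3 -- the same passes with file extensions (-x) and with the smaller dirb list
gobuster dir --url "$IP" -w "$wl_medium" -b 404 -x txt,php,html,htm,aspx -k
gobuster dir --url "$IP" -w "$wl_big" -b 404 -k
gobuster dir --url "$IP" -w "$wl_big" -b 404 -k -f
gobuster dir --url "$IP" -w "$wl_big" -b 404 -x txt,php,html,htm,aspx -k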

  • -x php,html,txt file extensions to append to each word
  • -x cgi CGI scripts
  • -f scan for folders (appends / to the end of each request)
  • -k skip TLS certificate validation
  • -t 50 number of threads
  • -w wordlist
    • /usr/share/wordlists/dirb/big.txt
    • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

How I run gobuster

classic

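# "classic" one-pass scan: extensions via -x and 50 threads (-t 50).
# IP_AERO is braced and the URL quoted so the ":80" suffix and any odd
# characters in the variable cannot break the argument.
# NOTE(review): the wordlist here is the pre-generated *.txt.php list from the
# "sometimes" recipe below, so -x php,html would request word.php.php and
# word.php.html -- presumably the plain directory-list-2.3-medium.txt was
# intended; confirm before relying on this line.
gobuster dir --url "http://${IP_AERO}:80" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.php -b 404 -k -x php,html -t 50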

sometimes

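# Build extension-specific copies of the dirbuster medium list so that files
# and directories can be enumerated in separate passes.
wl=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# The derived lists go to a user-owned directory (override with WORDLIST_OUT)
# instead of running `chmod 777 -R` on a /usr/share tree: a world-writable
# system wordlist can be edited by any local user, and every later scan would
# silently read the tampered list. No sudo is needed this way either.
out_dir=${WORDLIST_OUT:-$HOME/wordlists}
mkdir -p -- "$out_dir"

# Lines 1-14 of the medium list are its comment/license header, hence '1,14d'.
# Appending the extension is done by sed in the same pass; the previous
# awk '{print $0,".php"}' | tr -d ' ' form also deleted spaces *inside*
# entries, which was not intended.
for ext in php html txt; do
  sed -e '1,14d' -e "s/\$/.${ext}/" "$wl" > "${out_dir}/${wl##*/}.${ext}"
done

# then: one pass per list (same file names as before, new location)
gobuster dir --url "http://${IP}:80" -w "$wl" -b 404 -k -t 50
gobuster dir --url "http://${IP}:80" -w "${out_dir}/${wl##*/}.php" -b 404 -k -t 50
gobuster dir --url "http://${IP}:80" -w "${out_dir}/${wl##*/}.html" -b 404 -k -t 50
gobuster dir --url "http://${IP}:80" -w "${out_dir}/${wl##*/}.txt" -b 404 -k -t 50
# I know, I know, gobuster has -x for this, but -x always runs the directory
# enumeration together with the extension enumeration, and sometimes I only
# want to check files.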

gobuster scan with pattern

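# gobuster with a pattern file: every wordlist entry is substituted for
# {GOBUSTER} in each line of part.txt, so both word/v1 and word/v2 are tried.
# printf writes both lines in one go (echo's handling of escapes/-n is not
# portable, printf's is).
printf '%s\n' '{GOBUSTER}/v1' '{GOBUSTER}/v2' > part.txt
gobuster dir --url "$IP" -w /usr/share/wordlists/dirb/big.txt -p part.txt -b 404 -k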

feroxbuster


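# feroxbuster with the dirbuster medium list. -f adds a trailing slash to each
# request, -e extracts links from responses and queues them, -x appends the
# given extensions. IP is quoted so it is passed as a single argument.
wl_medium=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

feroxbuster --url "http://$IP" -f -w "$wl_medium"
feroxbuster --url "http://$IP" -f -w "$wl_medium" -e
feroxbuster --url "http://$IP" -f -w "$wl_medium" -x php,html,txt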

wfuzz


# wfuzz recipes. IP holds the target (host or base URL). -c colours the
# output; --hc hides responses by status code, --hh by response length in
# characters (0 = hide empty bodies).
seclists=/usr/share/wordlists/seclists
webcontent="${seclists}/Discovery/Web-Content"

# === fuzz directories
wfuzz -c -z "file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt" --hc 404  "$IP/FUZZ"

wfuzz -c -z "file,${webcontent}/raft-medium-directories.txt" --hc 404  "$IP/FUZZ"

# === fuzz files
wfuzz -c -z "file,${webcontent}/raft-large-files-lowercase.txt" --hc 404  "$IP/FUZZ"
wfuzz -c -z "file,${webcontent}/raft-large-words.txt" --hc 404  "$IP/FUZZ.html"

# === fuzz LINUX files
wfuzz -c -z "file,${seclists}/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt" --hc 404  "http://$IP/?page=FUZZ"

# === fuzz parameters
params="${webcontent}/burp-parameter-names.txt"
wfuzz -c -z "file,${params}" --hc 302,404 "$IP?FUZZ"
wfuzz -c -z "file,${params}" --hh 0 "$IP?FUZZ"
wfuzz -c -z "file,${params}" --hh 0 "$IP?FUZZ=id"
wfuzz -c -z "file,${params}" --hh 0 "$IP?FUZZ=/etc/passwd"

# === fuzz users
wfuzz -c -z "file,${seclists}/Usernames/top-usernames-shortlist.txt" --hc 404,403  "$IP?user=FUZZ"

wfuzz error: "Pycurl is not compiled against Openssl"

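# Fix for the wfuzz error "Pycurl is not compiled against Openssl": the
# installed pycurl is linked against a different TLS library, so remove the
# distro package, install the OpenSSL-flavoured libcurl headers and rebuild
# pycurl from source.
sudo apt --purge remove python3-pycurl
sudo apt install -y libcurl4-openssl-dev libssl-dev
# --no-binary pycurl forces a source build and PYCURL_SSL_LIBRARY tells its
# setup.py which TLS backend to link. Install per-user (--user) rather than
# `sudo pip3 install`, which writes into the system site-packages as root and
# can break apt-managed Python packages. Make sure ~/.local/bin is on PATH.
PYCURL_SSL_LIBRARY=openssl python3 -m pip install --user --no-binary pycurl pycurl wfuzz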

ffuf


GET

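# ffuf GET enumeration; -fw 2 filters out responses with exactly 2 words
# (the target's catch-all page). IP is quoted so the URL is one argument.
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://$IP/FUZZ" -fw 2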
POST
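# ffuf POST with a JSON body. Without an explicit Content-Type the body is
# sent as form data, so a JSON API would reject every request and -fw 2
# would filter nothing useful; -H sets the header. IP is quoted.
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -H 'Content-Type: application/json' -d '{"key":"FUZZ"}' -u "http://$IP:8081/api" -fw 2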

dirb


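# dirb with its default list. -r disables recursion into found directories,
# -z 10 waits 10 ms between requests. URL is quoted so the target is a
# single argument even if it contains shell metacharacters.
dirb "http://$URL" -r -z 10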

nikto


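# nikto scans. The second form routes traffic through a local proxy on
# 127.0.0.1:8080 (e.g. an intercepting proxy) and disables SSL with -nossl.
# IP is quoted so the host argument cannot be word-split.
nikto -n "$IP"
nikto -useproxy http://127.0.0.1:8080 -host "$IP" -nossl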

autorecon


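# autorecon against the target; IP is quoted so it is passed as one argument.
autorecon "$IP"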

bash command


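# Print a wordlist one entry per line.
# The original `for file in $(cat list); do echo $file; done` word-split
# every entry on whitespace, expanded globs such as '*' and let echo
# misinterpret entries that start with '-' or contain backslashes.
# Reading with `IFS= read -r` and printing with printf '%s' reproduces each
# line byte-for-byte; the `|| [[ -n "$line" ]]` keeps a final line that
# has no trailing newline.
# Arguments: $1 - path to the wordlist (defaults to the LFI list below)
# Outputs:   each line of the wordlist on stdout
# Returns:   0 on success, 1 if the file is not readable
print_wordlist() {
  local wordlist=${1:-/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt}
  local line
  if [[ ! -r "$wordlist" ]]; then
    printf 'cannot read wordlist: %s\n' "$wordlist" >&2
    return 1
  fi
  while IFS= read -r line || [[ -n "$line" ]]; do
    printf '%s\n' "$line"
  done < "$wordlist"
}

print_wordlist "$@"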