
Enumeration - Web

Gobuster


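# Directory/file discovery with gobuster. Both runs share the same flags and
# differ only in the wordlist (medium list first, then dirb's big list).
# The target is quoted and asserted up front so an unset/empty IP fails with a
# clear message instead of gobuster consuming "-w" as the URL.
# -k skips TLS certificate verification (self-signed lab certificates).
: "${IP:?IP must be set to the target host or URL}"
gobuster dir --url "$IP" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 404 -x txt,php,html,htm,aspx -k -f
gobuster dir --url "$IP" -w /usr/share/wordlists/dirb/big.txt -b 404 -x txt,php,html,htm,aspx -k -f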

  • -x php,html,txt file extensions
  • -x cgi cgi scripts
  • -f scan for folders
  • -k no TLS validation
  • -t 50 thread number
  • -w wordlists
    • /usr/share/wordlists/dirb/big.txt
    • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

FeroxBuster


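# Directory discovery with feroxbuster; the second run additionally tries the
# listed extensions for each word. IP is quoted and asserted so an empty value
# cannot collapse the URL to "http://".
: "${IP:?IP must be set to the target host}"
feroxbuster --url "http://$IP" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
feroxbuster --url "http://$IP" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt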

wfuzz


# wfuzz runs grouped by what is being fuzzed. Wordlist roots are factored into
# variables so each command shows only the list that matters; --hc hides the
# listed status codes and --hh hides responses of the given character count.
# URL is expected to carry the scheme and host (it is used as "$URL/FUZZ").
dirbuster_lists=/usr/share/wordlists/dirbuster
web_lists=/usr/share/wordlists/seclists/Discovery/Web-Content
user_lists=/usr/share/wordlists/seclists/Usernames

# === fuzz directories
wfuzz -c -z "file,${dirbuster_lists}/directory-list-2.3-medium.txt" --hc 404 "$URL/FUZZ"

wfuzz -c -z "file,${web_lists}/raft-medium-directories.txt" --hc 404 "$URL/FUZZ"

# === fuzz files
wfuzz -c -z "file,${web_lists}/raft-large-files-lowercase.txt" --hc 404 "$URL/FUZZ"
wfuzz -c -z "file,${web_lists}/raft-large-words.txt" --hc 404 "$URL/FUZZ.html"

# === fuzz parameters
# First pass filters by status, the rest filter on an empty (0-char) body.
wfuzz -c -z "file,${web_lists}/burp-parameter-names.txt" --hc 302,404 "$URL?FUZZ"
wfuzz -c -z "file,${web_lists}/burp-parameter-names.txt" --hh 0 "$URL?FUZZ"
wfuzz -c -z "file,${web_lists}/burp-parameter-names.txt" --hh 0 "$URL?FUZZ=id"
wfuzz -c -z "file,${web_lists}/burp-parameter-names.txt" --hh 0 "$URL?FUZZ=/etc/passwd"

# === fuzz users
wfuzz -c -z "file,${user_lists}/top-usernames-shortlist.txt" --hc 404,403 "$URL?user=FUZZ"

wfuzz error: "Pycurl is not compiled against Openssl"

# Fix for the wfuzz error "Pycurl is not compiled against Openssl":
# remove the distro pycurl package, install the OpenSSL-backed libcurl and
# OpenSSL headers, then reinstall pycurl (and wfuzz) via pip — presumably so
# pycurl is built against the OpenSSL libcurl just installed.
sudo apt --purge remove python3-pycurl
sudo apt install -y libcurl4-openssl-dev libssl-dev
# NOTE(review): this installs into the system Python as root; a virtualenv
# would keep it isolated — confirm how wfuzz is expected to be invoked here.
sudo pip3 install pycurl wfuzz

ffuf


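# ffuf runs: directory discovery on the web root, then a POST body value
# fuzzed against an API on port 8081. -fw 2 filters out responses with a word
# count of 2 (presumably the target's baseline "miss" response — re-tune per
# host). IP is quoted and asserted so an empty value cannot malform the URL.
# NOTE: the second wordlist lives under /usr/share/seclists while the rest of
# this page uses /usr/share/wordlists/seclists — both paths must resolve.
: "${IP:?IP must be set to the target host}"
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://$IP/FUZZ" -fw 2
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"FUZZ"}' -u "http://$IP:8081/api" -fw 2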

dirb


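# dirb scan with -r and -z 10 as given. URL is quoted and asserted so an empty
# value fails early.
# NOTE(review): the wfuzz section above uses "$URL" as if it already contains
# the scheme; prefixing http:// here would then double it — confirm whether
# this should be "http://$IP" like the other sections.
: "${URL:?URL must be set to the target}"
dirb "http://$URL" -r -z 10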

nikto


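# nikto scans: a direct run, then one routed through a local proxy on
# 127.0.0.1:8080 with SSL disabled (-nossl). IP is quoted and asserted so an
# empty value cannot shift the following flags into the host position.
: "${IP:?IP must be set to the target host}"
nikto -n "$IP"
nikto -useproxy http://127.0.0.1:8080 -host "$IP" -nossl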

autorecon


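# autorecon against the target; IP is quoted and asserted so the tool is never
# started with no target argument.
: "${IP:?IP must be set to the target host}"
autorecon "$IP"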