
Enumeration - Web

Gobuster

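# Directory/file brute force of the target in $IP (quoted so an empty or
# space-containing value cannot be split into extra arguments).
# -k turns off TLS certificate validation, so the tool will accept any
# certificate the host presents, including a forged one.
: "${IP:?IP must be set to the target host}"
gobuster dir --url "$IP" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 404 -x txt,php,html -k -f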
* -x php,html,txt — also request these common web-file extensions
* -x cgi — CGI scripts
* -f — scan for folders
* -k — skip TLS certificate validation
* -t 50 — number of threads

FeroxBuster

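# Recursive directory brute force of $IP; -f appends a trailing slash to
# each request. $IP is quoted so an empty or odd value cannot be word-split.
: "${IP:?IP must be set to the target host}"
feroxbuster --url "$IP" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Same run, additionally trying the php/html/txt extensions.
feroxbuster --url "$IP" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt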

wfuzz

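# wfuzz web-content fuzzing. $URL must already carry scheme and host.
# --hc hides responses by HTTP status code, --hh by response length in chars
# (--hh 0 drops empty bodies). Wordlist locations are hoisted so a different
# seclists path only has to be changed once.
: "${URL:?URL must be set to the target base URL}"
WC=/usr/share/wordlists/seclists/Discovery/Web-Content
LFI_LIST='/usr/share/wordlists/payloadsAllTheThings/File Inclusion/Intruders/Linux-files.txt'

# === fuzz directories
wfuzz -c -z "file,$WC/raft-medium-directories.txt" --hc 404 "$URL/FUZZ"

# === fuzz files
wfuzz -c -z "file,$WC/raft-large-words.txt" --hc 404 "$URL/FUZZ"

# === fuzz parameter names (first by status code, then by empty-body filter)
wfuzz -c -z "file,$WC/burp-parameter-names.txt" --hc 302,404 "$URL?FUZZ"
wfuzz -c -z "file,$WC/burp-parameter-names.txt" --hh 0 "$URL?FUZZ"
wfuzz -c -z "file,$WC/burp-parameter-names.txt" --hh 0 "$URL?FUZZ=id"
wfuzz -c -z "file,$WC/burp-parameter-names.txt" --hh 0 "$URL?FUZZ=/etc/passwd"

# === fuzz users
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL?user=FUZZ"

# === fuzz the file= parameter with known Linux paths (directly, then behind a
# traversal prefix); the list path contains a space, hence the quoting.
wfuzz -c -z "file,$LFI_LIST" --hc 404,403 "$URL?file=FUZZ"
wfuzz -c -z "file,$LFI_LIST" --hc 404,403 "$URL?file=../../../../../../../FUZZ"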

wfuzz: fixing the "Pycurl is not compiled against Openssl" error

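# wfuzz refuses to start when its pycurl is linked against a TLS backend
# other than OpenSSL. Remove the distro package, install the OpenSSL flavour
# of the libcurl headers, then force a *source* build of pycurl against them:
# a prebuilt wheel would skip the rebuild and can keep the wrong backend.
# Note: "sudo pip3 install" writes into the system site-packages outside
# apt's control; a virtualenv or pipx keeps the install isolated.
sudo apt --purge remove python3-pycurl
sudo apt install -y libcurl4-openssl-dev libssl-dev
sudo env PYCURL_SSL_LIBRARY=openssl pip3 install --no-binary pycurl pycurl wfuzz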

ffuf

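# Directory fuzz; -fw 2 filters out responses with exactly two words (the
# target's "not found" page at the time of writing) — re-tune per target.
# URLs are quoted so an empty or unusual $IP cannot be word-split.
: "${IP:?IP must be set to the target host}"
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://$IP/FUZZ" -fw 2
# POST with a JSON body on port 8081. ffuf's default Content-Type for -d is
# form-urlencoded, so the JSON type is set explicitly. Note this wordlist
# path (/usr/share/seclists) differs from the rest of the page; check which
# one exists locally.
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -H 'Content-Type: application/json' -d '{"key":"value"}' -u "http://$IP:8081/api/FUZZ" -fw 2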

nikto

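# Basic nikto scan of $IP. The page originally used "-n", which is not a
# nikto host switch (nikto's -n... options are -nossl, -no404, -nolookup,
# -nointeractive); -h is the short form of -host, as the second line uses.
: "${IP:?IP must be set to the target host}"
nikto -h "$IP"
# Same scan routed through a local intercepting proxy on 8080, plain HTTP only
# (-nossl); the proxy sees and logs every request.
nikto -useproxy http://127.0.0.1:8080 -host "$IP" -nossl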