TCP: HTTP(S) - 80 / 443

NOTE: Remember to update /etc/hosts if there is any redirect issues to target site

NOTE: While waiting for the scan to be completed, do the following

Attempt Weak Credentials on any login features found
Look for user input fields
Look for file upload fields
Run through source code of webpages

Interesting Files

robots.txt
sitemap.xml

Directory Enumeration

Wordlists

/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt

GoBuster

HTTP - Port 80

The following command brute forces web directories and files against a target IP

gobuster dir -u http://<IP Address>/ -w <Word Lists> -t 42 -b 400,401,404 -f -o <>.gobuster

The following command brute forces web directories and files against a target IP and trying various file extensions

gobuster dir -u http://<IP Address>/ -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

HTTPS - Port 443

The following command brute forces directories and files over HTTPS, ignoring SSL errors, trying multiple file extensions

gobuster dir -u https://<IP Address>/ -k -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

Dirbuster

The following is a command to run Dirbuster - another alternatives to GoBuster

dirb http://<IP Address>/

Fuzz Faster U Fool (FFUF)

The following is a command to brute force directories/files on the target at the root path using FFUF

ffuf -c -u http:///FUZZ -w <Word Lists>

Vulnerability Scanning

Nmap

The following command scans port 80 and retrieves the HTTP response headers from the web server

nmap -p80 --script http-headers <IP Address>

The following command scans port 80 and extracts the title of the web page from the HTML response.

nmap -p80 --script http-title <IP Address>

The following command scans port 80, detects the service version, and checks for known vulnerabilities (CVEs) against it.

nmap -p80 -sV --script vulners <IP Address>

nikto

The following command scans the target web server for common vulnerabilities, misconfigurations, outdated software, and dangerous files using Nikto.

nikto -host http://<IP Address>/

WordPress Scan

NOTE: Look for signs that it is a WordPress site

URL paths include "wp-admin", "wp-content", "wp-login.php", "wp-includes"

Determine attack surface

whatweb http://<Target IP Address>

The following command scans the WordPress site to enumerate all installed plugins and all users.

wpscan --url http://<Target IP Address> --enumerate ap u

The following command scans the WordPress site to enumerate plugins (p) using aggressive detection methods

wpscan --url http://<Target IP Address> --enumerate p --plugins-detection aggressive -o <>.wpscan

PreviousService Enumeration NextTCP: SMB - 139 / 445

Last updated 6 months ago