TCP: HTTP(S) - 80 / 443

NOTE: Remember to update /etc/hosts if there are any redirect issues reaching the target site

NOTE: While waiting for the scan to be completed, do the following

  • Attempt Weak Credentials on any login features found

  • Look for user input fields

  • Look for file upload fields

  • Run through source code of webpages

Interesting Files

robots.txt

sitemap.xml

Directory Enumeration

Wordlists

/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt

GoBuster

  • HTTP - Port 80

The following command brute forces web directories and files against a target IP

gobuster dir -u http://<IP Address>/ -w <Word Lists> -t 42 -b 400,401,404 -f -o <>.gobuster

The following command brute forces web directories and files against a target IP, trying various file extensions

gobuster dir -u http://<IP Address>/ -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

  • HTTPS - Port 443

The following command brute forces directories and files over HTTPS, ignoring SSL errors, trying multiple file extensions

gobuster dir -u https://<IP Address>/ -k -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

Dirbuster

The following command runs dirb, another alternative to GoBuster

dirb http://<IP Address>/

Fuzz Faster U Fool (FFUF)

The following command brute forces directories/files on the target at the root path using FFUF (FUZZ marks where each wordlist entry is substituted)

ffuf -c -u http://<IP Address>/FUZZ -w <Word Lists>
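Defender-side counterpart, added here as an example that is not part of the original notes: a small Python detector run over constructed Combined Log Format lines that flags a client producing a burst of 404s to many distinct paths (the pattern the gobuster/dirb/ffuf commands above generate) and, for slower scans, a User-Agent that still carries the tool name. Thresholds, sample IPs and User-Agent strings are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format (Apache/nginx default): ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in Combined Log Format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, window_s=60, min_404=20, min_paths=15):
    # Returns {client_ip: reason}; thresholds are assumed values, tune them to the site's normal 404 rate
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window of window_s seconds over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            missing = [r["path"] for r in recs[start:end + 1] if r["status"] == 404]
            if len(missing) >= min_404 and len(set(missing)) >= min_paths:
                hits[ip] = f"{len(missing)} 404s to {len(set(missing))} distinct paths in {window_s}s"
                break
        # low-and-slow scans stay under the rate threshold but often keep the tool's default User-Agent
        if ip not in hits and any(r["ua"].lower().startswith(("gobuster", "fuzz faster u fool")) for r in recs):
            hits[ip] = "scanner User-Agent"
    return hits

# Constructed sample log: a fast wordlist scan, a slow one with a tool User-Agent, and a normal visitor
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{i:02d} +0000] "GET /wl-{i} HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
    for i in range(25)
] + [
    f'198.51.100.9 - - [10/Mar/2024:{h:02d}:15:00 +0000] "GET /wl-{h} HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"'
    for h in range(8, 12)
] + [
    '192.0.2.5 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2024:12:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]
```

Running detect_dir_bruteforce(SAMPLE_LOG) flags 203.0.113.7 on the 404 burst and 198.51.100.9 on the User-Agent, while the ordinary visitor with a single missing favicon is left alone.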

Vulnerability Scanning

Nmap

The following command scans port 80 and retrieves the HTTP response headers from the web server

nmap -p80 --script http-headers <IP Address>

The following command scans port 80 and extracts the title of the web page from the HTML response.

nmap -p80 --script http-title <IP Address>

The following command scans port 80, detects the service version, and checks for known vulnerabilities (CVEs) against it.

nmap -p80 -sV --script vulners <IP Address>

nikto

The following command scans the target web server for common vulnerabilities, misconfigurations, outdated software, and dangerous files using Nikto.

nikto -host http://<IP Address>/

WordPress Scan

NOTE: Look for signs that it is a WordPress site

  • URL paths include "wp-admin", "wp-content", "wp-login.php", "wp-includes"

Determine attack surface

The following command fingerprints the technologies in use (web server, CMS, frameworks, versions) to map the attack surface

whatweb http://<Target IP Address>

The following command scans the WordPress site to enumerate all plugins (ap) and users (u); multiple enumeration options are comma-separated.

wpscan --url http://<Target IP Address> --enumerate ap,u

The following command scans the WordPress site to enumerate plugins (p) using aggressive detection methods and writes the results to a file.

wpscan --url http://<Target IP Address> --enumerate p --plugins-detection aggressive -o <>.wpscan
