# TCP: HTTP(S) - 80 / 443

**NOTE: Remember to update /etc/hosts if there are any redirect issues reaching the target site**

**NOTE: While waiting for the scan to be completed, do the following**

* Attempt Weak Credentials on any login features found
* Look for user input fields
* Look for file upload fields
* Run through source code of webpages

## Interesting Files

> robots.txt
>
> sitemap.xml

## Directory Enumeration

### Wordlists

```
/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt
```

### GoBuster

* HTTP - Port 80

> The following command brute forces web directories and files against a target IP

{% code overflow="wrap" %}

```bash
gobuster dir -u http://<IP Address>/ -w <Word Lists> -t 42 -b 400,401,404 -f -o <>.gobuster
```

{% endcode %}

> The following command brute forces web directories and files against a target IP, trying various file extensions

{% code overflow="wrap" fullWidth="false" %}

```bash
gobuster dir -u http://<IP Address>/ -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster
```

{% endcode %}

* HTTPS - Port 443

> The following command brute forces directories and files over HTTPS, ignoring TLS certificate errors (-k) and trying multiple file extensions

{% code overflow="wrap" %}

```bash
gobuster dir -u https://<IP Address>/ -k -w <Word Lists> -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster
```

{% endcode %}
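From the defender's side, the runs above leave a distinctive trace: one client requesting many distinct non-existent paths (the 400/401/404 replies that `-b` hides from the operator) within seconds. The following is an added example, not part of this cheat sheet, that parses combined-format access log lines and flags such bursts; the log lines, IPs, timestamps, wordlist and the `gobuster/3.6` user agent are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Combined log format (Apache/nginx): ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)          # None for lines that are not in combined format
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(lines, window_s=60, threshold=20):
    # Flag IPs that request `threshold` distinct missing paths (the 400/401/403/404 replies
    # a scanner hides with -b) inside any `window_s`-second sliding window.
    misses = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] in (400, 401, 403, 404):
            misses[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            paths = {r["path"] for r in recs[start:end + 1]}
            if len(paths) >= threshold:
                # Extension spraying (-x php,txt,xml,...) shows up as many distinct suffixes.
                exts = {p.rsplit(".", 1)[1] for p in paths if "." in p.rsplit("/", 1)[-1]}
                flagged[ip] = {"misses": len(paths), "extensions": sorted(exts),
                               "agents": sorted({r["agent"] for r in recs})}
                break
    return flagged

# Constructed sample log: one scanner spraying words x extensions, one ordinary visitor.
T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
def _line(ip, offset_s, path, status, agent):
    ts = (T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 196 "-" "{agent}"'
WORDS = ["admin", "backup", "config", "login", "old", "test", "tmp", "upload"]
SCAN_PATHS = [f"/{w}.{e}" for w in WORDS for e in ("php", "txt", "xml")]   # 24 distinct misses
SAMPLE_LOG = [_line("10.0.0.5", i, p, 404, "gobuster/3.6") for i, p in enumerate(SCAN_PATHS)]
SAMPLE_LOG += [_line("10.0.0.9", 3, "/index.php", 200, "Mozilla/5.0"),
               _line("10.0.0.9", 8, "/favicon.ico", 404, "Mozilla/5.0")]
```

Tune `window_s` and `threshold` to the site's normal 404 rate; a single visitor with a missing favicon never reaches the threshold, while a wordlist run crosses it within its first minute.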

***

### Dirbuster

> The following command runs dirb, an alternative to GoBuster

```bash
dirb http://<IP Address>/
```

***

### Fuzz Faster U Fool (FFUF)

> The following is a command to brute force directories/files on the target at the root path using FFUF

{% code overflow="wrap" %}

```bash
ffuf -c -u http://<IP Address>/FUZZ -w <Word Lists>
```

{% endcode %}

***

## Vulnerability Scanning

### Nmap

> The following command scans port 80 and retrieves the HTTP response headers from the web server

```bash
nmap -p80 --script http-headers <IP Address>
```

> The following command scans port 80 and extracts the title of the web page from the HTML response.

```bash
nmap -p80 --script http-title <IP Address>
```

> The following command scans port 80, detects the service version, and checks for known vulnerabilities (CVEs) against it.

```bash
nmap -p80 -sV --script vulners <IP Address>
```

***

### nikto

> The following command scans the target web server for common vulnerabilities, misconfigurations, outdated software, and dangerous files using Nikto.

```bash
nikto -host http://<IP Address>/
```

***

## WordPress Scan

**NOTE: Look for signs that it is a WordPress site**

* URL paths include "wp-admin", "wp-content", "wp-login.php", "wp-includes"

> The following command fingerprints the web technologies in use (CMS, server, frameworks) to determine the attack surface

```bash
whatweb http://<Target IP Address>
```

> The following command scans the WordPress site to enumerate all installed plugins and all users.

```bash
wpscan --url http://<Target IP Address> --enumerate ap,u
```

> The following command scans the WordPress site to enumerate plugins (p) using aggressive detection methods

{% code overflow="wrap" %}

```bash
wpscan --url http://<Target IP Address> --enumerate p --plugins-detection aggressive -o <>.wpscan
```

{% endcode %}

