Web Servers

Web Servers

Two most common Apache, Microsoft IIS

Nikto

nikto -h [target ip/hostname]
nikto -h [target ip/hostname] -p 80,88,443
nikto -h [target ip/hostname -p 80-88
nikto -h [target] -C all

Run early, its slow but good

Sanity Check

Look at robots.txt
Look in the webpage for comments
Is the site not rendering right? (check dns /etc/hosts)

DIRB

Comes with a default word list

Dirb [url target host]

Custom wordlist:

Dirb [url target host] [wordlist]

-n will stop the scan on current dir and move to the next
-q stops the running scan and saves the current state
-r will return the remaining scan statistics

Dirbuster

dirbuster

Wordlist location:

/usr/share/dirbuster/wordlists/

To run, set the target to the target url, set the number of threads, select a word list and hit the start button.
Much faster because its multi threaded

Netcat

We can grab the banner of the web service running on the target host:

nc [target ip] 80

Enter this HTTP request on the next line

HEAD / HTTP/1.0

To retrieve the top level page on the webserver we can use the following command:

nc [target ip] 80

Run this HTTP request

GET / HTTP/1.0

GoBuster

Another good web application scanner.

gobuster dir -u http://magic.uploadvulns.thm -w /usr/share/wordlists/dirb/big.txt

dir to run it in directory enumeration mode
-u followed by the url
-w to specify a wordlist

Syntax

dir -> Directory/File Brute force mode
dns -> DNS brute forcing mode
-x -> Flag for extentions to be tested against
-w -> Sets a wordlist to be used
-U -> Set username for basic authentication (if required by the directory)
-P -> Set password for basic authentication
-s -> Set the status codes gobuster will recognize as valid
-k -> Skip ssl certificate validation
-a -> Set a user agent string
-H -> Specify and HTTP header
-u -> Set the url to brute force
/usr/share/wordlists -> Location of the wordlists

Example full syntax

dirb http://10.10.10.10:80/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X .txt

This command tests the /secret/ directory
It specifies to use the wordlist directory-list-2.3-medium.txt
With the -x flag it sets gobuster to test for .txt file extensions i.e. admin.txt, secret.txt

Gobuster Sub-Domain Enumeration

gobuster vhost -u http://horizontall.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150
/\/\/\/\/\/\/\/\/\/\/
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

Dirsearch

Full Syntax

dirsearch -u http://10.10.54.223:80/island/2100 -t 16 -r -e ticket -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

WpScan

if you have a wordpress server check below URI as if it is enabled, you can get alot of information.

http://10.10.110.100:65000/wordpress/index.php/wp-json/

TLDR; The best one liner

wpscan --url http://backdoor.htb --plugins-detection aggressive --detection-mode aggressive -e ap -o loot/wpscan-out

Ideal for wordpress sites to find their vulnerable plugins, users, and themes.
Default scan runs non intrusive checks which means no accounts will be brute forced and themes and plugins will be enumerated passively.

wpscan --update
wpscan --url [target url]
wpscan --url http://x.x.x.x --enumerate u,p,t

Active enumeration
p ->scans popular plugins only
vt ->scans vulnerable these only
at ->scans all themes
Full command:

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at]

The following command will test a target for all popular plugins:

wpscan --url [url] --enumerate p --plugins-detection aggressive

To scan a wordpress installation only for vulnerable plugins we can run the following command:

wpscan --url [url] --enumerate vp --plugins-detection aggressive

Scan for all plugins in the WPScan database run the enumerate option with ap:

wpscan --url [url] --enumerate ap --plugins-detection aggressive

Enumerating WP users

wpscan --url [target url] --enumerate u

Wordpress Bruteforce

can brute force with wpscan however this tool works great

./wp-brute.py -c -u http://10.10.110.100:65000/wordpress -H X-Forwarded-For -l admin -P /usr/share/seclists/rockyou.txt
[+] Plugin seems to be not installed, or the source IP or username is in whitelist.

./wp-brute.py --exploit --url http://10.10.110.100:65000/wordpress --header X-Forwarded-For --login admin --passwordlist /usr/share/seclists/rockyou.txt --quiet
./wp-brute.py --exploit --url http://10.10.110.100:65000/wordpress --header X-Forwarded-For --login admin --passwordlist ../../10.10.110.100/list.txt

BFAC

Advanced backup-file artifacts for testing web applications
https://github.com/mazen160/bfac
Install

git clone https://github.com/mazen160/bfac
sudo python3 setup.py install

Find backup files on the website/application

bfac --url http://$ip/ --level 4

If you manage to download a backupfile, grep for users - might be a password as well

Burp Spider Website

Set Foxy Proxy to 127.0.0.1 8080 and enable it
Turn off intercept
Refresh the page you want to spider
Navigate to Target/Site Map in Burp Suite

PreviousSSTI NextJWT Tokens

Last updated 1 year ago