Web Servers

alt text

Web Servers

  • Two most common Apache, Microsoft IIS

Nikto

nikto -h [target ip/hostname]
nikto -h [target ip/hostname] -p 80,88,443
nikto -h [target ip/hostname -p 80-88
nikto -h [target] -C all

  • Run early, its slow but good

Sanity Check

  • Look at robots.txt

  • Look in the webpage for comments

  • Is the site not rendering right? (check dns /etc/hosts)

DIRB

  • Comes with a default word list

Dirb [url target host]

  • Custom wordlist:

Dirb [url target host] [wordlist]

  • -n will stop the scan on current dir and move to the next

  • -q stops the running scan and saves the current state

  • -r will return the remaining scan statistics

Dirbuster

dirbuster

  • Wordlist location:

/usr/share/dirbuster/wordlists/

  • To run, set the target to the target url, set the number of threads, select a word list and hit the start button.

  • Much faster because its multi threaded

Netcat

  • We can grab the banner of the web service running on the target host:

nc [target ip] 80

  • Enter this HTTP request on the next line

HEAD / HTTP/1.0

  • To retrieve the top level page on the webserver we can use the following command:

nc [target ip] 80

  • Run this HTTP request

GET / HTTP/1.0

GoBuster

  • Another good web application scanner.

gobuster dir -u http://magic.uploadvulns.thm -w /usr/share/wordlists/dirb/big.txt

  • dir to run it in directory enumeration mode

  • -u followed by the url

  • -w to specify a wordlist

Syntax

  • dir -> Directory/File Brute force mode

  • dns -> DNS brute forcing mode

  • -x -> Flag for extentions to be tested against

  • -w -> Sets a wordlist to be used

  • -U -> Set username for basic authentication (if required by the directory)

  • -P -> Set password for basic authentication

  • -s -> Set the status codes gobuster will recognize as valid

  • -k -> Skip ssl certificate validation

  • -a -> Set a user agent string

  • -H -> Specify and HTTP header

  • -u -> Set the url to brute force

  • /usr/share/wordlists -> Location of the wordlists

Example full syntax

dirb http://10.10.10.10:80/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X .txt

  • This command tests the /secret/ directory

  • It specifies to use the wordlist directory-list-2.3-medium.txt

  • With the -x flag it sets gobuster to test for .txt file extensions i.e. admin.txt, secret.txt

Gobuster Sub-Domain Enumeration

gobuster vhost -u http://horizontall.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150
/\/\/\/\/\/\/\/\/\/\/
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

Dirsearch

  • Full Syntax

dirsearch -u http://10.10.54.223:80/island/2100 -t 16 -r -e ticket -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

WpScan

  • if you have a wordpress server check below URI as if it is enabled, you can get alot of information.

http://10.10.110.100:65000/wordpress/index.php/wp-json/

  • TLDR; The best one liner 

wpscan --url http://backdoor.htb --plugins-detection aggressive --detection-mode aggressive -e ap -o loot/wpscan-out

  • Ideal for wordpress sites to find their vulnerable plugins, users, and themes.

  • Default scan runs non intrusive checks which means no accounts will be brute forced and themes and plugins will be enumerated passively.

wpscan --update
wpscan --url [target url]
wpscan --url http://x.x.x.x --enumerate u,p,t

  • Active enumeration

  • p ->scans popular plugins only

  • vt ->scans vulnerable these only

  • at ->scans all themes

  • Full command:

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at]

  • The following command will test a target for all popular plugins:

wpscan --url [url] --enumerate p --plugins-detection aggressive

  • To scan a wordpress installation only for vulnerable plugins we can run the following command:

wpscan --url [url] --enumerate vp --plugins-detection aggressive

  • Scan for all plugins in the WPScan database run the enumerate option with ap:

wpscan --url [url] --enumerate ap --plugins-detection aggressive

  • Enumerating WP users

wpscan --url [target url] --enumerate u

Wordpress Bruteforce

  • can brute force with wpscan however this tool works great

./wp-brute.py -c -u http://10.10.110.100:65000/wordpress -H X-Forwarded-For -l admin -P /usr/share/seclists/rockyou.txt
[+] Plugin seems to be not installed, or the source IP or username is in whitelist.

./wp-brute.py --exploit --url http://10.10.110.100:65000/wordpress --header X-Forwarded-For --login admin --passwordlist /usr/share/seclists/rockyou.txt --quiet
./wp-brute.py --exploit --url http://10.10.110.100:65000/wordpress --header X-Forwarded-For --login admin --passwordlist ../../10.10.110.100/list.txt

BFAC

  • Advanced backup-file artifacts for testing web applications

  • https://github.com/mazen160/bfac

  • Install

git clone https://github.com/mazen160/bfac
sudo python3 setup.py install

  • Find backup files on the website/application

bfac --url http://$ip/ --level 4

  • If you manage to download a backupfile, grep for users - might be a password as well

Burp Spider Website

  • Set Foxy Proxy to 127.0.0.1 8080 and enable it

  • Turn off intercept

  • Refresh the page you want to spider

  • Navigate to Target/Site Map in Burp Suite

  • Screenshot 2021-11-15 161926

PreviousSSTINextJWT Tokens

Last updated