HTTP(S) (80 / 443)

Remember to update /etc/hosts if experiencing any redirect issues to target site

Example:

Interesting Files

robots.txt
sitemap.xml

Directory Enum

GoBuster

1. HTTP (Port 80)

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 42 -b 400,401,403,404 -f -o VM#<>.gobuster

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,403,404 -f -o VM#<>.gobuster

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,403,404 -f -o VM#<>.gobuster

1. HTTPS (Port 443)

gobuster dir -u https://<IP>/ -k -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,403,404 -f -o VM#<>.gobuster

gobuster dir -u https://<IP>/ -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,403,404 -f -o VM#<>.gobuster

View scan results:

cat VM#<>.gobuster | grep -i Found:

Alternative: Dirbuster

dirb http://<IP>/

Alternative: Fuzz Faster U Fool (FFUF)

ffuf -c -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Vulnerability Scanning

1. nmap

nmap -p80 --script http-headers <IP>
nmap -p80 --script http-title <IP> 
nmap -p80 -sV -script vulners -Pn <IP>

2. nikto

nikto -host http://<IP>/

3. wpscan (For Wordpress sites)

wpscan --url http://<IP> --enumerate ap u 
wpscan --url http://<IP> --enumerate p --plugins-detection aggressive 

To do while scans run...

• Attempt Weak Credentials on any login features found, refer to Default/Common Credentials

• Look for user input fields

• Look for file upload fields

• Run through source code of webpages

  • Refer to: https://kashz.gitbook.io/kashz-jewels for targets hosting CMS (Joomla, Wordpress, Tomcat, etc)