Gobuster
sudo gobuster dir -u http://192.168.184.117/ -w /home/amandine/SecLists/Discovery/Web-Content/common.txt
-x : add file extensions to every word (comma separated, e.g. -x php,txt)
-k : skip TLS certificate validation (https)
Tip: when the web server is IIS, it is worth checking for the .asp and .aspx extensions (-x asp,aspx).
ffuf
Directory fuzzing
ffuf -u http://10.2.2.31/FUZZ -w /home/amandine/SecLists/Discovery/Web-Content/common.txt
With proxy (add the -x switch; note that in ffuf -x is the proxy option, whereas in gobuster -x is the extensions option)
-x socks5://127.0.0.1:9000
wpscan
wpscan --url http://10.10.10.37 -e vp,vt,tt,cb,dbe,u,m --api-token
Options (-e)
vp : vulnerable plugins
vt : vulnerable themes
tt : TimThumbs
cb : config backups
dbe : database exports
u : user enumeration
m : media
--plugins-detection mixed : add it so plugins are not missed (plugin detection is passive by default)
--disable-tls-checks : skip TLS certificate validation (https)
Docker
docker run -it --rm wpscanteam/wpscan --url http://10.10.10.37 -e vp,vt,tt,cb,dbe,u,m --api-token
Whatweb
whatweb http://192.168.111/
nikto
nikto -h 192.168.226.122 -output nikto-scan -p 80
CEWL
To create a custom wordlist based on a website or blog. The command below creates a cewl.txt file containing words of at least 2 letters.
-m : minimum word length
--with-numbers : accept words containing numbers
-d : depth of crawling (default 2)
-w : output file
cewl http://10.11.1.39/otrs/index.pl -m 2 -w cewl.txt
cewl -m <WORDS_SIZE> --with-numbers -w dictiFromWebsite <URL> -d <DEPTH>
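To make the -m, --with-numbers and -d switches concrete, here is an added Python sketch of how a cewl-style wordlist builder works. It is not cewl's own code: the three-page site it crawls is a constructed in-memory stand-in keyed by URL (a real run would fetch each page over HTTP), and the names build_wordlist, words_from_html and SAMPLE_SITE are my own.

```python
"""cewl-style wordlist builder (added example, not cewl's code).

Crawls pages to a given link depth (-d), extracts words from visible text,
and applies the minimum-length (-m) and --with-numbers rules.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample site: three pages linked index -> about -> team.
# Assumption: in a real run these bodies would be fetched over HTTP.
SAMPLE_SITE = {
    "http://example.test/index.html": """<html><head><title>Acme Portal</title></head>
        <body><p>Welcome to the Acme OTRS helpdesk, build 2023 release.</p>
        <a href="/about.html">About</a><script>var x = "ignored";</script></body></html>""",
    "http://example.test/about.html": """<html><body><h1>About Acme</h1>
        <p>Founded by Amandine in 1999; ticket system v7 running.</p>
        <a href="team.html">Team</a></body></html>""",
    "http://example.test/team.html": """<html><body><p>Team: Zoe, Marc, Lucas</p></body></html>""",
}


class TextAndLinks(HTMLParser):
    """Collect visible text and href links, skipping <script>/<style> content."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


WORD_RE = re.compile(r"[A-Za-z0-9]+")


def words_from_html(html, min_len=3, with_numbers=False):
    """Return (words, links) for one page, applying -m and --with-numbers."""
    parser = TextAndLinks()
    parser.feed(html)
    words = []
    for word in WORD_RE.findall(" ".join(parser.text)):
        if len(word) < min_len:
            continue
        if not with_numbers and any(c.isdigit() for c in word):
            continue
        words.append(word)
    return words, parser.links


def build_wordlist(site, start_url, min_len=3, with_numbers=False, depth=2):
    """Breadth-first crawl up to `depth` link hops (cewl -d), same host only.

    `site` maps URL -> HTML; pages not in the map are skipped (offline stand-in).
    Words are returned most frequent first, ties broken alphabetically.
    """
    host = start_url.split("/")[2]
    seen, queue, counts = set(), [(start_url, 0)], {}
    while queue:
        url, hops = queue.pop(0)
        if url in seen or url not in site:
            continue
        seen.add(url)
        words, links = words_from_html(site[url], min_len, with_numbers)
        for word in words:
            counts[word] = counts.get(word, 0) + 1
        if hops < depth:
            for link in links:
                target = urljoin(url, link)
                if target.split("/")[2] == host:
                    queue.append((target, hops + 1))
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    # Equivalent of: cewl http://example.test/index.html -m 3 -d 2 -w out.txt
    for word in build_wordlist(SAMPLE_SITE, "http://example.test/index.html"):
        print(word)
```

Run it with with_numbers=True to see "2023" and "1999" appear, and with depth=0 to see that only words from the start page survive; that is the difference the -d switch makes when a login page links to a "team" or "about" page full of first names.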
Technique to spoof the User-Agent
Some web servers serve different content (or relax access restrictions) to search engine crawlers. We can impersonate one by changing the User-Agent header, then compare the response with the one a normal request gets:
curl -H 'User-Agent: Googlebot/2.1' http://10.11.1.39/robots.txt
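The check a practitioner actually wants is a side-by-side comparison: fetch the same URL with a normal browser User-Agent and with a crawler User-Agent and see whether the body changes. The added Python example below does that against a constructed local stand-in server that hides two Disallow entries from ordinary browsers. The server, the sample robots.txt bodies and the function names (fetch_as, compare_user_agents, differing_user_agents) are assumptions for the demo, not the page's own code; point compare_user_agents at a real URL to use it for the check described above.

```python
"""Compare a URL's response across User-Agents (added example).

The handler below is a constructed stand-in for a server that reveals more of
robots.txt to Googlebot than to a browser; it is not from the original page.
"""
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample bodies returned by the stand-in server.
ROBOTS_FOR_CRAWLER = b"User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n"
ROBOTS_FOR_BROWSER = b"User-agent: *\nDisallow:\n"

# Assumed User-Agent strings to try; add more crawler UAs as needed.
USER_AGENTS = {
    "default": "Mozilla/5.0",
    "googlebot": "Googlebot/2.1 (+http://www.google.com/bot.html)",
}


class UASensitiveHandler(BaseHTTPRequestHandler):
    """Serve a richer robots.txt only when the client claims to be Googlebot."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = ROBOTS_FOR_CRAWLER if "Googlebot" in ua else ROBOTS_FOR_BROWSER
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the stand-in server to a free loopback port and serve in a thread."""
    server = HTTPServer(("127.0.0.1", 0), UASensitiveHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_as(url, user_agent):
    """GET `url` with the given User-Agent; return (status, body bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def compare_user_agents(url, user_agents=USER_AGENTS):
    """Fetch `url` once per User-Agent; return name -> (status, length, sha256, body)."""
    results = {}
    for name, ua in user_agents.items():
        status, body = fetch_as(url, ua)
        results[name] = (status, len(body), hashlib.sha256(body).hexdigest(), body)
    return results


def differing_user_agents(results, baseline="default"):
    """Names of User-Agents whose body hash differs from the baseline request."""
    base_hash = results[baseline][2]
    return sorted(name for name, r in results.items() if r[2] != base_hash)


def demo():
    """Run the comparison against the local stand-in and return the results."""
    server = start_server()
    try:
        url = "http://127.0.0.1:%d/robots.txt" % server.server_address[1]
        return compare_user_agents(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    res = demo()
    for name, (status, length, digest, body) in res.items():
        print("%-10s status=%d length=%d sha256=%s" % (name, status, length, digest[:12]))
        print(body.decode())
    print("differs from default:", differing_user_agents(res))
```

A length or hash difference is the signal to look at; when it fires, diff the two bodies, since the extra lines are often exactly the hidden paths worth feeding into gobuster or ffuf.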
Other useful wordlists for directory fuzzing
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Other things to check for