Web app recon

Gobuster

sudo gobuster dir -u http://192.168.184.117/ -w /home/amandine/SecLists/Discovery/Web-Content/common.txt

-x: append file extensions to each word in the wordlist, e.g.

-x .php,.txt,.html

-k: skip TLS certificate validation (https targets with self-signed certs)

Tip: when the web server is IIS, it is worth adding .asp,.aspx to the extension list

ffuf

Directory fuzzing

ffuf -u http://10.2.2.31/FUZZ -w /home/amandine/SecLists/Discovery/Web-Content/common.txt

With proxy (add -x switch)

-x socks5://127.0.0.1:9000

wpscan --url http://10.10.10.37 -e vp,vt,tt,cb,dbe,u,m --api-token <TOKEN>

Options: vp: vulnerable plugins | vt: vulnerable themes | tt: TimThumbs | cb: config backups | dbe: DB exports

u: user enumeration | m: media

--api-token <TOKEN>: WPVulnDB/WordFence API token; without it wpscan still enumerates but does not report known vulnerabilities.

--plugins-detection mixed: add this so fewer plugins are missed (passive plus aggressive detection; slower and noisier).

--disable-tls-checks

Docker

docker run -it --rm wpscanteam/wpscan --url http://10.10.10.37 -e vp,vt,tt,cb,dbe,u,m --api-token <TOKEN>

Whatweb

whatweb http://192.168.111/

nikto

nikto -h 192.168.226.122 -output nikto-scan -p 80

CEWL

Creates a custom wordlist from the words found on a website or blog, useful for password guessing against that organisation. The first command below writes a cewl.txt file containing words of at least 2 letters.

-m: minimum word length

--with-numbers: also accept words containing digits

-d: crawl depth (default 2)

cewl http://10.11.1.39/otrs/index.pl -m 2 -w cewl.txt
cewl -m <WORDS_SIZE> --with-numbers -w dictiFromWebsite <URL> -d <DEPTH>
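As an added example (not part of the original notes, and not cewl itself), the POSIX shell function below does the core of what cewl does with -m and --with-numbers: strip the HTML, split it into tokens, keep only words of the requested minimum length and charset, and dedupe. It runs offline over a constructed sample page stored in a local file; the page content, the function name words_from_html and the minimum length are assumptions for the demo. Real cewl additionally follows links to the given depth (-d), which this stand-in does not.

```shell
#!/bin/sh
# Added example: a minimal cewl-style wordlist generator for an already-fetched page.
# Not the cewl tool; it only mimics -m (minimum length) and --with-numbers.

# Constructed sample page for the demo (not real site content).
SAMPLE_HTML='<html><head><title>OTRS Login</title></head>
<body><h1>Welcome to ACME Helpdesk</h1>
<p>Support hours: 9am-5pm. Ticket system v6.0 - contact helpdesk2019</p>
<a href="/otrs/index.pl">Agent login</a></body></html>'

# words_from_html FILE MIN_LEN [yes]
# Prints the unique words of FILE that are at least MIN_LEN characters long,
# one per line, sorted. A third argument of "yes" keeps tokens that contain
# digits (the equivalent of cewl --with-numbers); otherwise letters only.
words_from_html() {
    file=$1
    minlen=$2
    numbers=${3:-no}
    if [ "$numbers" = "yes" ]; then
        pattern='[A-Za-z0-9]'
    else
        pattern='[A-Za-z]'
    fi
    sed 's/<[^>]*>/ /g' "$file" |                # drop HTML tags (attributes too)
        tr -cs 'A-Za-z0-9' '\n' |                # split on anything non-alphanumeric
        grep -E "^${pattern}+$" |                # enforce the allowed character set
        awk -v m="$minlen" 'length($0) >= m' |   # minimum word length, like cewl -m
        sort -u                                  # dedupe, as a wordlist should be
}

# Demo run: write the sample page to a temp file and emit a -m 2 style wordlist.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_HTML" > "$demo_file"
words_from_html "$demo_file" 2
rm -f "$demo_file"
```

For a real target, fetch the page first (curl -s URL > page.html) and feed that file to the function; the resulting list is then a candidate password dictionary for the organisation in the same way the cewl output is.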

Spoofing the User-Agent

Some web servers serve different content to search engine crawlers than to browsers (or expose paths otherwise hidden). Impersonate a crawler by changing the User-Agent header and compare the responses:

curl -H 'User-Agent: Googlebot/2.1' http://10.11.1.39/robots.txt

Other useful wordlists for directory fuzzing

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Other things to check for
