Web Enumeration

Recon

nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list

EyeWitness or Aquatone - See Information Gathering

GitHub - blackhatethicalhacking/SecretOpt1c: SecretOpt1c is a Red Team tool that helps uncover sensitive information in websites using ACTIVE and PASSIVE Techniques for Superior Accuracy!GitHub

Common files

robots.txt

.git

.svn

.DS_Store

GitHub - lijiejie/ds_store_exp: A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.GitHub

# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->

.DS_Store Files and Why You Should Know About Them - BuildThisBuildThis

What happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files | HackerNoonhackernoon

The risk of .DS_Store - CyberAntCyberAnt

Misconfigurations on popular third-party services

https://github.com/intigriti/misconfig-mappergithub.com

Exploring Third-Party Services for Open Signups: Security Risks and Best PracticesIntigriti

Git Exposed

Nuclei Template: https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml

id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true

.git found => download the target .git folder

GitHub - WangYihang/GitHacker: 🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.GitHub

GitHub - Ebryx/GitDump: A pentesting tool that dumps the source code from .git even when the directory traversal is disabledGitHub

After that, search for creds, etc:

Credentials in git repos

SVN Expoxed

GitHub - anantshri/svn-extractor: simple script to extract all web resources by means of .SVN folder exposed over network.GitHub

./svn-extractor.py --url http://url.com --match database.php

PHPMyAdmin

target[.]com/phpmyadmin/setup/index.php ==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php ==> 200 to phpmyadmin setup

OWASP Noir

GitHub - owasp-noir/noir: Attack surface detector that identifies endpoints by static analysisGitHub

$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan

Extract URLs and paths from web pages

Manually

https://0-a.nl/jsendpoints.txt

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Open Console (ctrl + shift + i) + Allow pasting ("autoriser le collage") + copy paste JS code + click on bookmark

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Crawling

Gourlex

gourlex -t domain.com

GitHub - trap-bytes/gourlex: Gourlex is a simple tool that can be used to extract URLs and paths from web pages.GitHub

Katana

katana -u https://tesla.com

GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.GitHub

GetAllURL - gau

GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.GitHub

gau https://target.com

LinkFinder

GitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript filesGitHub

python3 linkfinder.py -i https://example.com/app.js

LazyEgg

GitHub - schooldropout1337/lazyeggGitHub

Gouge - Burp extension to extract URLs which are seen in JS files

GitHub - mqst/gouge: Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp SuiteGitHub

ReconSpider

See Fingerprinting / Crawling

JS Files

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Javascript Deobfuscator

GitHub - ben-sb/javascript-deobfuscator: General purpose JavaScript deobfuscatorGitHub

API Endpoint in JS File

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

JSNinja

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

JS Link Finder

JS Link Finder

Jsluice

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

API

Sensitive data in JS Files

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

Sensitive Data (API Key, JWT token, etc.) Exposed

JS Miner - Burp Extension

X-Keys - Burp Extension

GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.GitHub

jsluice++ - Burp Extension

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

SecretFinder

GitHub - m4ll0k/SecretFinder: SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript filesGitHub

Mantra

GitHub - MrEmpy/mantra: 「🔑」A tool used to hunt down API key leaks in JS files and pagesGitHub

Parameters fuzzing

Arjun

GitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub

Hacker tools: Arjun – The parameter discovery toolIntigriti

Parmahunter

GitHub - nullenc0de/paramhunter: Looks for parameters in urlsGitHub

Wordlists

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first, then https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt

Fuzzing

GitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.GitHub

GitHub - Karanxa/Bug-Bounty-Wordlists: A repository that includes all the important wordlists used while bug hunting.GitHub

• dirb lists

• https://wordlists.assetnote.io/

• SecList: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content

• BugBounty All Fuzz: https://raw.githubusercontent.com/Karanxa/Bug-Bounty-Wordlists/refs/heads/main/all_fuzz.txt

• Common extensions: raft-[ small | medium | large ]-extensions.txt from SecList Web-Content

• Create wordlist - CeWL

cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10

Amin interfaces

Bug-Bounty-Wordlists/admin.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Backups

Bug-Bounty-Wordlists/backup_files_only.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/backup_files_with_path.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Config files

Bug-Bounty-Wordlists/config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/webconfig.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/git_config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SQL files

Bug-Bounty-Wordlists/sql.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Vulnerability Assessment

Vulnerability ScannersPort Scan

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

Admin interface

Password lists

CMS

CMS

Crawling

Gospider

GitHub - jaeles-project/gospider: Gospider - Fast web spider written in GoGitHub

GoSpider - Hacker Tools: Enumerate the web! 👩‍💻Intigriti

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

With Burp

Running a full crawl and auditBurp_Suite

With Zap

The ZAP Homepage

sudo snap install zaproxy --classic

• Spidering

• Fuzzing

Fuzz

Wordlists

Fuzzing

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Admin interface=> Password guessing

CMS

Banner grabbing

curl -IL https://www.inlanefreight.com

Tool: https://github.com/FortyNorthSecurity/EyeWitness ; or Aquatone

Information Gathering

whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Cloudflare Bypass for Web Scraping

GitHub - sarperavci/CloudflareBypassForScraping: A cloudflare verification bypass script for webscrapingGitHub