Web Enumeration

Recon

nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list

EyeWitness or Aquatone - See Information Gathering

GitHub - blackhatethicalhacking/SecretOpt1c: SecretOpt1c is a Red Team tool that helps uncover sensitive information in websites using ACTIVE and PASSIVE Techniques for Superior Accuracy!GitHub

HTTP/2 - DoS

Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487

GitHub - bcdannyboy/CVE-2023-44487: Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487GitHub

Apache Vulnerability Testing

GitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709GitHub

Common files

robots.txt

.git

.svn

.DS_Store

GitHub - lijiejie/ds_store_exp: A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.GitHub

# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->

.DS_Store Files and Why You Should Know About Them - BuildThisBuildThis

What happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files | HackerNoonhackernoon

The risk of .DS_Store - CyberAntCyberAnt

Misconfigurations on popular third-party services

https://github.com/intigriti/misconfig-mappergithub.com

Exploring Third-Party Services for Open Signups: Security Risks and Best PracticesIntigriti

Git Exposed

Nuclei Template: https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml

id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true

.git found => download the target .git folder

wget -r -np -nH --cut-dirs=1 -R "index.html*" http://dev.dumpme.htb/.git/

Or with tools:

The best tool is goop

GitHub - nyancrimew/goop: Yet another tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases.GitHub

$ git clone https://github.com/deletescape/goop
$ cd goop
$ go build
$ ./goop http://dev.dumpme.htb  

GitHub - lijiejie/GitHack: A `.git` folder disclosure exploitGitHub

GitHub - WangYihang/GitHacker: 🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.GitHub

GitHub - Ebryx/GitDump: A pentesting tool that dumps the source code from .git even when the directory traversal is disabledGitHub

After that, search for creds, etc:

Credentials in git repos

SVN Expoxed

GitHub - anantshri/svn-extractor: simple script to extract all web resources by means of .SVN folder exposed over network.GitHub

./svn-extractor.py --url http://url.com --match database.php

PHPMyAdmin

target[.]com/phpmyadmin/setup/index.php ==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php ==> 200 to phpmyadmin setup

WSAAR

GitHub - Nishacid/WSAAR: Auto-Recon script that will help you in the Burp Suite Certified Practitioner Examor with any web-security lab.GitHub

OWASP Noir

GitHub - owasp-noir/noir: Attack surface detector that identifies endpoints by static analysisGitHub

$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan

Wayback Machine

Information Gathering

GitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine!GitHub

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Extract URLs and paths from web pages

Manually

https://0-a.nl/jsendpoints.txt

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Open Console (ctrl + shift + i) + Allow pasting ("autoriser le collage") + copy paste JS code + click on bookmark

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Crawling

Gourlex

gourlex -t domain.com

GitHub - trap-bytes/gourlex: Gourlex is a simple tool that can be used to extract URLs and paths from web pages.GitHub

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

echo https://google.com | hakrawler

Waybackurls

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Katana & Urlfinder

katana -u https://tesla.com

GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.GitHub

urlfinder -d tesla.com

GitHub - projectdiscovery/urlfinder: A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.GitHub

GetAllURL - gau

GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.GitHub

gau https://target.com

LinkFinder

GitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript filesGitHub

python3 linkfinder.py -i https://example.com/app.js

LazyEgg

GitHub - schooldropout1337/lazyeggGitHub

Gouge - Burp extension to extract URLs which are seen in JS files

GitHub - mqst/gouge: Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp SuiteGitHub

ReconSpider

See Fingerprinting / Crawling

JS Files

Burp

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

GetJS

GitHub - 003random/getJS: A tool to fastly get all javascript sources/filesGitHub

JSHunter

Endpoint Extraction and Sensitive Data Detection

cat urls.txt | grep "\.js" | jshunter

GitHub - cc1a2b/jshunter: JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers and security researchers.GitHub

Javascript Deobfuscator

GitHub - ben-sb/javascript-deobfuscator: General purpose JavaScript deobfuscatorGitHub

API Endpoint in JS File

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

JSNinja

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

JS Link Finder

JS Link Finder

Jsluice

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

API

Sensitive data in JS Files

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

Sensitive Data (API Key, JWT token, etc.) Exposed

JS Miner - Burp Extension

X-Keys - Burp Extension

GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.GitHub

jsluice++ - Burp Extension

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

SecretFinder

GitHub - m4ll0k/SecretFinder: SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript filesGitHub

Mantra

GitHub - MrEmpy/mantra: 「🔑」A tool used to hunt down API key leaks in JS files and pagesGitHub

Parameters fuzzing

x8

Hidden parameters discovery

GitHub - Sh1Yo/x8: Hidden parameters discovery suiteGitHub

Arjun

GitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub

Hacker tools: Arjun – The parameter discovery toolIntigriti

Parmahunter

GitHub - nullenc0de/paramhunter: Looks for parameters in urlsGitHub

Wordlists

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first, then https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt

Fuzzing

GitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.GitHub

GitHub - Karanxa/Bug-Bounty-Wordlists: A repository that includes all the important wordlists used while bug hunting.GitHub

• dirb lists

• https://wordlists.assetnote.io/

• SecList: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content

• BugBounty All Fuzz: https://raw.githubusercontent.com/Karanxa/Bug-Bounty-Wordlists/refs/heads/main/all_fuzz.txt

• Common extensions: raft-[ small | medium | large ]-extensions.txt from SecList Web-Content

• Create wordlist - CeWL

cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10

Amin interfaces

Bug-Bounty-Wordlists/admin.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Backups

Bug-Bounty-Wordlists/backup_files_only.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/backup_files_with_path.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Config files

Bug-Bounty-Wordlists/config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/webconfig.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/git_config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SQL files

Bug-Bounty-Wordlists/sql.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Vulnerability Assessment

Vulnerability ScannersPort Scan

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

Admin interface

Password lists

CMS

CMS

Crawling

Gospider

GitHub - jaeles-project/gospider: Gospider - Fast web spider written in GoGitHub

GoSpider - Hacker Tools: Enumerate the web! 👩‍💻Intigriti

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

With Burp

Running a full crawl and auditBurp_Suite

With Zap

The ZAP Homepage

sudo snap install zaproxy --classic

• Spidering

• Fuzzing

Fuzz

Wordlists

Fuzzing

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Admin interface=> Password guessing

CMS

Banner grabbing

curl -IL https://www.inlanefreight.com

Tool: https://github.com/FortyNorthSecurity/EyeWitness ; or Aquatone

Information Gathering

whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Cloudflare Bypass for Web Scraping

GitHub - sarperavci/CloudflareBypassForScraping: A cloudflare verification bypass script for webscrapingGitHub