Port 80 (HTTP)

WhatWeb

whatweb http://IP

Wafw00f

Before proceeding with further fingerprinting, it's crucial to determine if inlanefreight.com employs a WAF, as it could interfere with our probes or potentially block our requests.

To detect the presence of a WAF, we'll use the wafw00f tool.

wafw00f <domain>

Directory Enumeration

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>

We can use -b for removing specific status codes

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If we want to scan a https web with certificates issues:

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If we are running agains https use -k:

gobuster dir -b 403,404 -u <url> --wordlist <wordlist.txt> -t 100 -k

Also we can brute force the API paths using a wordlist along with the pattern Gobuster feature. We can call this feature by using the -p option and providing a file with patterns. For our test, we'll create a simple pattern file on our Kali system containing the following text:

{GOBUSTER}/v1
{GOBUSTER}/v2

In this example, we are using the "{GOBUSTER}" placeholder to match any word from our wordlist, which will be appended with the version number. To keep our test simple, we'll try with only two versions.

We are now ready to enumerate the API with gobuster using the following command:

gobuster dir -u <url> -w /usr/share/wordlists/dirb/big.txt -p pattern

wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt https://example.com/FUZZ

--hs/ss "regex" #Hide/Show
--hc/sc CODE #Hide/Show by code in response
--hl/sl NUM #Hide/Show by number of lines in response
--hw/sw NUM #Hide/Show by number of words in response
--hh/sh NUM #Hide/Show by number of chars in response
--hc/sc NUM #Hide/Show by response code

ffuf -c -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://example.com/FUZZ

--fr "regex" # Hide/Show by regex in response
--fc/sc CODE # Hide/Show by response code
--fl/sl NUM # Hide/Show by number of lines in response
--fw/sw NUM # Hide/Show by number of words in response
--fs/sh NUM # Hide/Show by number of chars in response
--fc/sc NUM # Hide/Show by response code

DNS Subdomain Enumeration

gobuster dns -d <domain> -w <wordlist.txt> -i --wildcard

VHost Enumeration

gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Fuzzing a Request

ffuf -request ssrf.req -request-proto http -w <(seq 1 65535) -debug-log /dev/stdout

Nikto

Only FingerPrint

nikto -h inlanefreight.com -Tuning b

CMS

Automatic

wpscan --url http://example.com --api-token "token"

User Enumeration

wpscan --url https://example.com --enumerate u

Brute Force

wpscan --url example.com -U user -P /usr/share/wordlists/rockyou.txt

wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50

Manual

To list the version manually, we can use several methods

Look at the page code and look in the <meta> tag.
Search in the readme.html or license.txt file
Look in the HTTP headers
Look in /wp-login.php and /wp-admin.php pages
Try interacting with the REST API using /wp-json/v2/user

Enumerate version

curl -s <url> | grep WordPress

Enumerate plugins

curl -s <url> | grep plugins

Enumerate themes

curl -s <url> | grep themes

User Enumeration

curl https://xxx/wp-json/wp/v2/users

Diccionario wordpress

/usr/share/wordlists/SecLists/Discovery/Contenido Web/CMS/wordpress.fuzz.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-themes.fuzz.txt

Important Files and Directories Login or authentication

/wp-login.php (usually changed to login.php).
/wp-admin/login.php
/wp-admin/wp-login.php
xmlrpc.php

Directories

/wp-content (where plugins and themes are stored).
/wp-content/uploads/ (where the uploaded files are stored)
wp-config.php (contains info to connect to the db)

Automatic

droopescan scan joomla --url http://joomla-site.local/

Manual

Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.

Users: http://<host>/api/v1/users?public=true
Config File: http://<host>/api/index.php/v1/config/application?public=true

GitTools

./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

Enumeration of .git repository

git log
git show <hash>

Create Wordlists from web page

# -m -> Minimum word length. Only words with at least 5 character
cewl http://url -m 5 -w wordlist.txt

Crawlers

pip3 install scrapy
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
unzip ReconSpider.zip

python3 ReconSpider.py http://inlanefreight.com

Auto Recon

./finalrecon.py --help

Option

Argument

Description

-h, --help

Show the help message and exit.

--url

URL

Specify the target URL.

--headers

Retrieve header information for the target URL.

--sslinfo

Get SSL certificate information for the target URL.

--whois

Perform a Whois lookup for the target domain.

--crawl

Crawl the target website.

--dns

Perform DNS enumeration on the target domain.

--sub

Enumerate subdomains for the target domain.

--dir

Search for directories on the target website.

--wayback

Retrieve Wayback URLs for the target.

--ps

Perform a fast port scan on the target.

--full

Perform a full reconnaissance scan on the target.

PreviousPort 79 (finger)NextPort 111 (RPCBIND)

Last updated 1 month ago