search

Port 80 (HTTP)

hashtag
WhatWeb

whatweb http://IP

hashtag
Wafw00f

Before proceeding with further fingerprinting, it's crucial to determine if inlanefreight.com employs a WAF, as it could interfere with our probes or potentially block our requests.

To detect the presence of a WAF, we'll use the wafw00f tool.

wafw00f <domain>

hashtag
Directory Enumeration

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>

We can use -b for removing specific status codes

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If we want to scan a https web with certificates issues:

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If we are running agains https use -k:

gobuster dir -b 403,404 -u <url> --wordlist <wordlist.txt> -t 100 -k

Also we can brute force the API paths using a wordlist along with the pattern Gobuster feature. We can call this feature by using the -p option and providing a file with patterns. For our test, we'll create a simple pattern file on our Kali system containing the following text:

{GOBUSTER}/v1
{GOBUSTER}/v2

In this example, we are using the "{GOBUSTER}" placeholder to match any word from our wordlist, which will be appended with the version number. To keep our test simple, we'll try with only two versions.

We are now ready to enumerate the API with gobuster using the following command:

gobuster dir -u <url> -w /usr/share/wordlists/dirb/big.txt -p pattern

hashtag
DNS Subdomain Enumeration

hashtag
VHost Enumeration

hashtag
Fuzzing a Request

hashtag
Nikto

Only FingerPrint

hashtag
CMS

hashtag
Automatic

User Enumeration

Brute Force

hashtag
Manual

To list the version manually, we can use several methods

  • Look at the page code and look in the <meta> tag.

  • Search in the readme.html or license.txt file

  • Look in the HTTP headers

  • Look in /wp-login.php and /wp-admin.php pages

  • Try interacting with the REST API using /wp-json/v2/user

Enumerate version

Enumerate plugins

Enumerate themes

User Enumeration

Diccionario wordpress

  • /usr/share/wordlists/SecLists/Discovery/Contenido Web/CMS/wordpress.fuzz.txt

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-themes.fuzz.txt

Important Files and Directories Login or authentication

  • /wp-login.php (usually changed to login.php).

  • /wp-admin/login.php

  • /wp-admin/wp-login.php

  • xmlrpc.php

Directories

  • /wp-content (where plugins and themes are stored).

  • /wp-content/uploads/ (where the uploaded files are stored)

  • wp-config.php (contains info to connect to the db)

hashtag
GitTools

hashtag
Enumeration of .git repository

hashtag
Create Wordlists from web page

hashtag
Crawlers

hashtag
Auto Recon

Option
Argument
Description

-h, --help

Show the help message and exit.

--url

URL

Specify the target URL.

--headers

Retrieve header information for the target URL.

--sslinfo

Get SSL certificate information for the target URL.

--whois

Perform a Whois lookup for the target domain.

--crawl

Crawl the target website.

--dns

Perform DNS enumeration on the target domain.

--sub

Enumerate subdomains for the target domain.

--dir

Search for directories on the target website.

--wayback

Retrieve Wayback URLs for the target.

--ps

Perform a fast port scan on the target.

--full

Perform a full reconnaissance scan on the target.

PreviousPort 79 (finger)NextPort 111 (RPCBIND)

Last updated