# Port 80 (HTTP)

## WhatWeb

```
whatweb http://IP
```

## Wafw00f

Before proceeding with further fingerprinting, it's crucial to determine whether `inlanefreight.com` employs a WAF, as it could interfere with our probes or block our requests outright.

To detect the presence of a WAF, we'll use the `wafw00f` tool.

```
wafw00f <domain>
```

## Directory Enumeration

{% tabs %}
{% tab title="Gobuster" %}

```
gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>
```

We can use `-b` to exclude specific status codes from the output:

```
gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404
```

If the target is HTTPS with certificate issues, add `-k` to skip TLS verification:

```
gobuster dir -b 403,404 -u <url> --wordlist <wordlist.txt> -t 100 -k
```

We can also brute-force API paths using a wordlist together with Gobuster's *pattern* feature, invoked with the **-p** option and a file of patterns. For our test, we'll create a simple pattern file on our Kali system containing the following text:

```
{GOBUSTER}/v1
{GOBUSTER}/v2
```

In this example, the "{GOBUSTER}" placeholder stands in for each word from our wordlist, and the version suffix is appended to it. To keep our test simple, we'll try with only two versions.

We are now ready to enumerate the API with **gobuster** using the following command:

```
gobuster dir -u <url> -w /usr/share/wordlists/dirb/big.txt -p pattern
```
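An added example, not from the original page: a small POSIX shell function that expands a pattern file the way the `-p` option does, so the candidate list can be previewed before a run or saved as a plain wordlist for tools without a pattern option. The wordlist and pattern file are constructed here, and the substitution rule (each word replaces `{GOBUSTER}` in every pattern line) is assumed to match gobuster's.

```shell
#!/bin/sh
# Constructed sample inputs (not from the original page); replace with real files.
wl_dir=$(mktemp -d)
printf 'api\nusers\n' > "$wl_dir/words.txt"
printf '{GOBUSTER}/v1\n{GOBUSTER}/v2\n' > "$wl_dir/pattern"

# expand_patterns WORDLIST PATTERNFILE
# For every word, print each pattern line with {GOBUSTER} replaced by the word.
# Assumed to mirror gobuster's -p substitution; shell parameter expansion is used so
# words containing sed-special characters (&, #, /) are inserted literally.
expand_patterns() {
  while IFS= read -r word || [ -n "$word" ]; do
    [ -z "$word" ] && continue
    while IFS= read -r pat || [ -n "$pat" ]; do
      case "$pat" in
        '') ;;                                   # skip blank pattern lines
        *'{GOBUSTER}'*)
          printf '%s%s%s\n' "${pat%%"{GOBUSTER}"*}" "$word" "${pat#*"{GOBUSTER}"}" ;;
        *) printf '%s\n' "$pat" ;;               # no placeholder: emitted as-is
      esac
    done < "$2"
  done < "$1"
}

# Preview the requests, then keep the expansion as a plain wordlist usable with -w
# (or with ffuf/wfuzz, which have no pattern option).
expand_patterns "$wl_dir/words.txt" "$wl_dir/pattern" | tee "$wl_dir/expanded.txt"
```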

{% endtab %}

{% tab title="wfuzz" %}

{% code overflow="wrap" %}

```
wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt https://example.com/FUZZ
```

{% endcode %}

* --hs/--ss "regex" #Hide/Show by regex in response
* --hc/--sc CODE #Hide/Show by response code
* --hl/--sl NUM #Hide/Show by number of lines in response
* --hw/--sw NUM #Hide/Show by number of words in response
* --hh/--sh NUM #Hide/Show by number of chars in response

{% endtab %}

{% tab title="ffuf" %}

{% code overflow="wrap" %}

```
ffuf -c -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://example.com/FUZZ
```

{% endcode %}

* -fr/-mr "regex" # Filter/Match by regex in response
* -fc/-mc CODE # Filter/Match by response code
* -fl/-ml NUM # Filter/Match by number of lines in response
* -fw/-mw NUM # Filter/Match by number of words in response
* -fs/-ms NUM # Filter/Match by response size in bytes

{% endtab %}
{% endtabs %}

## DNS Subdomain Enumeration

{% tabs %}
{% tab title="Gobuster" %}

```
gobuster dns -d <domain> -w <wordlist.txt> -i --wildcard
```

{% endtab %}

{% tab title="wfuzz" %}
{% code overflow="wrap" %}

```
wfuzz -c --hc=400,404 -t 20 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.example.com" -u http://example.com
```

{% endcode %}
{% endtab %}
{% endtabs %}

## VHost Enumeration

{% code overflow="wrap" %}

```
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```

{% endcode %}

## Fuzzing a Request

{% code overflow="wrap" %}

```
ffuf -request ssrf.req -request-proto http -w <(seq 1 65535) -debug-log /dev/stdout
```

{% endcode %}

## Nikto

**Fingerprint only**

```
nikto -h inlanefreight.com -Tuning b
```

## CMS

{% tabs %}
{% tab title="WordPress" %}

#### Automatic

```
wpscan --url http://example.com --api-token "token"
```

**User Enumeration**

```
wpscan --url https://example.com --enumerate u
```

**Brute Force**

```
wpscan --url example.com -U user -P /usr/share/wordlists/rockyou.txt
```

```
wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50
```

#### Manual

To identify the version manually, we can use several methods:

* Look at the page source for the `<meta>` generator tag.
* Search the readme.html or license.txt file.
* Look in the HTTP headers.
* Look at the /wp-login.php and /wp-admin.php pages.
* Try interacting with the REST API at /wp-json/wp/v2/users.

**Enumerate version**

```
curl -s <url> | grep WordPress
```

**Enumerate plugins**

```
curl -s <url> | grep plugins
```

**Enumerate themes**

```
curl -s <url> | grep themes
```

**User Enumeration**

```
curl https://xxx/wp-json/wp/v2/users
```
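The manual checks above combined into an added example (not from the original page) that works offline on a saved copy of the page (`curl -s <url> > page.html`): it pulls the core version from the `<meta>` generator tag, lists plugin and theme slugs, and collects the `?ver=` hints on plugin assets. The HTML below is a constructed sample, not a real site.

```shell
#!/bin/sh
# Constructed sample page (not a real site); in practice: curl -s <url> > page.html
wp_dir=$(mktemp -d)
cat > "$wp_dir/page.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='https://blog.example/wp-content/themes/twentytwentyfour/style.css?ver=6.4.2' />
<script src='https://blog.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.6'></script>
<script src='https://blog.example/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.8.6'></script>
<link rel='stylesheet' href='https://blog.example/wp-content/plugins/wordpress-seo/css/dist/adminbar.css?ver=21.7' />
</head><body></body></html>
EOF

# wp_version PAGE: core version from the generator meta tag; prints nothing if the
# tag was stripped (common hardening), in which case fall back to readme.html or headers.
wp_version() {
  grep -oE '<meta name="generator" content="WordPress [0-9.]+' "$1" | grep -oE '[0-9.]+$'
}

# wp_plugins PAGE: plugin slugs referenced under /wp-content/plugins/, de-duplicated.
wp_plugins() {
  grep -oE '/wp-content/plugins/[A-Za-z0-9_-]+' "$1" | sed 's#.*/plugins/##' | sort -u
}

# wp_themes PAGE: theme slugs referenced under /wp-content/themes/.
wp_themes() {
  grep -oE '/wp-content/themes/[A-Za-z0-9_-]+' "$1" | sed 's#.*/themes/##' | sort -u
}

# wp_plugin_versions PAGE: "<slug> <ver>" pairs from the ?ver= query on plugin assets.
# The ?ver= value is usually the plugin version but can be the core version or a
# cache-buster, so treat it as a hint to confirm against the plugin's readme.txt.
wp_plugin_versions() {
  grep -oE '/wp-content/plugins/[A-Za-z0-9_-]+/[^?]*\?ver=[0-9.]+' "$1" \
    | sed -E 's#.*/plugins/([A-Za-z0-9_-]+)/.*\?ver=([0-9.]+)#\1 \2#' | sort -u
}

printf 'Version: %s\n' "$(wp_version "$wp_dir/page.html")"
wp_plugins "$wp_dir/page.html"
wp_plugin_versions "$wp_dir/page.html"
```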

**WordPress wordlists**

* /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.fuzz.txt
* /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-themes.fuzz.txt

**Important files and directories**

Login or authentication:

* /wp-login.php (usually changed to login.php).
* /wp-admin/login.php
* /wp-admin/wp-login.php
* xmlrpc.php

Directories:

* /wp-content (where plugins and themes are stored).
* /wp-content/uploads/ (where uploaded files are stored).
* wp-config.php (contains the credentials used to connect to the database).

{% endtab %}

{% tab title="Joomla" %}

#### Automatic

```
droopescan scan joomla --url http://joomla-site.local/
```

#### Manual

Versions 4.0.0 through 4.2.7 are vulnerable to an unauthenticated information disclosure (CVE-2023-23752) that dumps credentials and other configuration information.

* Users: `http://<host>/api/v1/users?public=true`
* Config file: `http://<host>/api/index.php/v1/config/application?public=true`

{% endtab %}

{% tab title="Drupal" %}

```
droopescan scan drupal --url https://example.com
```

{% endtab %}
{% endtabs %}

## GitTools

```
./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/
```

### Enumerating the dumped .git repository

```
git log
git show <hash>
```

## Create Wordlists from web page

```
# -m -> Minimum word length. Only words with at least 5 characters are kept
cewl http://url -m 5 -w wordlist.txt
```

## Crawlers

```
pip3 install scrapy
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
unzip ReconSpider.zip 
```

```
python3 ReconSpider.py http://inlanefreight.com
```

## Auto Recon

```
./finalrecon.py --help
```

| Option         | Argument | Description                                         |
| -------------- | -------- | --------------------------------------------------- |
| `-h`, `--help` |          | Show the help message and exit.                     |
| `--url`        | URL      | Specify the target URL.                             |
| `--headers`    |          | Retrieve header information for the target URL.     |
| `--sslinfo`    |          | Get SSL certificate information for the target URL. |
| `--whois`      |          | Perform a Whois lookup for the target domain.       |
| `--crawl`      |          | Crawl the target website.                           |
| `--dns`        |          | Perform DNS enumeration on the target domain.       |
| `--sub`        |          | Enumerate subdomains for the target domain.         |
| `--dir`        |          | Search for directories on the target website.       |
| `--wayback`    |          | Retrieve Wayback URLs for the target.               |
| `--ps`         |          | Perform a fast port scan on the target.             |
| `--full`       |          | Perform a full reconnaissance scan on the target.   |
