Port 80 (HTTP)

WhatWeb

whatweb http://IP

Directory Enumeration

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>

We can use -b (--status-codes-blacklist) to hide responses with the given status codes; the default blacklist is 404 only, so add 403 when the server answers 403 for everything it does not want us to see

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If the target is HTTPS with certificate problems (self-signed, expired or a name mismatch), gobuster aborts on the TLS handshake; add -k to skip certificate verification:

gobuster dir -b 403,404 -u <url> --wordlist <wordlist.txt> -t 100 -k

We can also brute force API paths using a wordlist together with gobuster's pattern feature, enabled with the -p option and a file containing one pattern per line. For our test, we create a simple pattern file on our Kali system containing the following text:

{GOBUSTER}/v1
{GOBUSTER}/v2

In this example, the "{GOBUSTER}" placeholder is replaced by each word from our wordlist, and the version suffix is appended to it. To keep our test simple, we'll try with only two versions.

We are now ready to enumerate the API with gobuster using the following command:

gobuster dir -u <url> -w /usr/share/wordlists/dirb/big.txt -p pattern
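To see what a pattern file will generate before spending requests on it, here is an added example (not part of gobuster or of these notes) that expands a wordlist against a pattern file the way gobuster does. The target URL, the words and the patterns are constructed for the demo; the output can be piped into curl or ffuf as a ready-made list.

```shell
#!/bin/sh
# Added example: preview the paths gobuster will request for a wordlist + pattern file.
# http://target.example is a hypothetical host; the word and pattern files are constructed.

# expand_patterns <base_url> <wordlist_file> <pattern_file>
# For each word, print the bare word and then every pattern with {GOBUSTER}
# replaced by the word (gobuster requests the bare word as well when a pattern
# file is given, so expect lines * (1 + patterns) requests).
expand_patterns() {
    awk -v base="${1%/}" -v ph='{GOBUSTER}' '
        FILENAME == ARGV[1] { if ($0 != "") pats[++np] = $0; next }   # pattern file
        $0 == "" { next }                                             # wordlist: skip blanks
        {
            word = $0
            print base "/" word
            for (i = 1; i <= np; i++) {
                rest = pats[i]; out = ""
                # replace every occurrence of the placeholder, left to right
                while ((n = index(rest, ph)) > 0) {
                    out = out substr(rest, 1, n - 1) word
                    rest = substr(rest, n + length(ph))
                }
                print base "/" out rest
            }
        }' "$3" "$2"
}

# --- constructed sample inputs (not from a real engagement) ---
tmp=$(mktemp -d)
printf 'users\nadmin\n' > "$tmp/words.txt"
printf '{GOBUSTER}/v1\n{GOBUSTER}/v2\n' > "$tmp/pattern"

expand_patterns http://target.example/api "$tmp/words.txt" "$tmp/pattern"
rm -rf "$tmp"
```

Blank lines in either file are skipped, and a pattern may contain the placeholder more than once (for example {GOBUSTER}/{GOBUSTER}), which the loop handles by replacing occurrences left to right.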

DNS Subdomain Enumeration

gobuster dns -d <domain> -w <wordlist.txt> -i --wildcard

VHost Enumeration

gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Since gobuster 3.2 the base domain is no longer appended to each word automatically; use --append-domain so the Host header sent is <word>.<domain> rather than the bare word.

Fuzzing a Request

ffuf -request ssrf.req -request-proto http -w <(seq 1 65535) -debug-log /dev/stdout

ssrf.req is a raw HTTP request saved from the proxy with the FUZZ keyword placed where the payload goes (here the port of the internal host the SSRF reaches); -request-proto sets the scheme, since ffuf assumes https for request files, and the wordlist is generated inline with seq. Closed ports all return the same response, so filter them out afterwards with -fs <size> or -fr <regex>.

CMS

Automatic

wpscan --url http://example.com --api-token "token"
wpscan --url https://<RHOST> --disable-tls-checks

The --api-token (a free account on wpscan.com) adds known vulnerabilities for the detected core, plugin and theme versions; --disable-tls-checks is needed for self-signed certificates.

User Enumeration

wpscan --url https://example.com --enumerate u
wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive

--enumerate u,t,p lists users, popular themes and popular plugins (vp and ap select vulnerable or all plugins). Aggressive plugin detection requests every known plugin path instead of relying on references in the pages, so it finds more but is very noisy.

Brute Force

wpscan --url example.com -U user -P /usr/share/wordlists/rockyou.txt
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50

-t is --max-threads; -U and -P accept either a single value or a file.

Manual

To identify the version manually, we can use several methods:

  • Look at the page source for the generator <meta> tag (<meta name="generator" content="WordPress x.y.z">).

  • Check readme.html (prints the major version) and license.txt (confirms the site is WordPress) in the web root.

  • Look at the HTTP response headers and at the ?ver= query strings on the CSS and JS files the page loads.

  • Look at /wp-login.php and /wp-admin/ (the login page loads core assets with ?ver=<version> even when the generator tag has been removed).

  • Interact with the REST API at /wp-json/wp/v2/users (returns user slugs; the index at /wp-json/ confirms the API is exposed).

Enumerate version

curl -s <url> | grep -i 'name="generator"'
curl -s <url>/readme.html | grep -i version

Enumerate plugins

curl -s <url> | grep -oE 'wp-content/plugins/[^/"]+' | sort -u

Enumerate themes

curl -s <url> | grep -oE 'wp-content/themes/[^/"]+' | sort -u

User Enumeration

curl -s <url>/wp-json/wp/v2/users
curl -sI '<url>/?author=1'

The REST endpoint returns the slug of every user who has published a post. The ?author=N request redirects (Location header) to /author/<slug>/ for each valid user id, which often still works when the REST endpoint has been blocked.
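The manual checks above, as an added example that is not part of these notes or of WordPress: small shell filters that read an HTML page or a wp-json response from stdin and pull out the version, theme and plugin slugs, plugin asset versions and user slugs. The sample page and JSON are constructed for the demo and blog.example is a hypothetical host; wp_fingerprint at the end runs the same filters against a live site.

```shell
#!/bin/sh
# Added example: WordPress fingerprinting filters. Sample inputs below are
# constructed; blog.example is not a real site.

# Version from the generator meta tag, e.g. <meta name="generator" content="WordPress 6.4.2" />
wp_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Unique slugs referenced as /wp-content/<kind>/<slug>/...   (kind: plugins | themes)
wp_assets() {
    grep -oE "wp-content/$1/[^/\"' ]+" | sed "s#^wp-content/$1/##" | sort -u
}

# Plugin slug plus the ?ver= value its assets are loaded with. That is whatever
# the plugin passed to wp_enqueue_script(): usually its release version, but not
# always, so confirm it against the plugin's readme.txt before trusting it.
wp_plugin_versions() {
    grep -oE "wp-content/plugins/[^/\"' ]+/[^\"' ]*[?&]ver=[0-9][0-9.]*" \
    | sed -E 's#^wp-content/plugins/([^/]+)/.*[?&]ver=([0-9.]+)$#\1 \2#' | sort -u
}

# User slugs from /wp-json/wp/v2/users (the slug is normally the login name)
wp_users() {
    grep -oE '"slug":"[^"]+"' | sed 's/^"slug":"\(.*\)"$/\1/'
}

# Live wrapper (needs network):  wp_fingerprint http://target.example
wp_fingerprint() {
    page=$(curl -s "$1/")
    echo "version: $(printf '%s\n' "$page" | wp_version)"
    echo "themes:";  printf '%s\n' "$page" | wp_assets themes
    echo "plugins:"; printf '%s\n' "$page" | wp_plugin_versions
    echo "users:";   curl -s "$1/wp-json/wp/v2/users" | wp_users
}

# --- constructed sample responses ---
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentytwentythree/style.css?ver=6.4.2" />
<script src="https://blog.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.4"></script>
<script src="https://blog.example/wp-content/plugins/wp-file-manager/lib/js/fm.js?ver=7.1.8"></script>
<link rel="https://api.w.org/" href="https://blog.example/wp-json/" />
</head><body><p>Hello</p></body></html>'
SAMPLE_USERS_JSON='[{"id":1,"name":"Site Admin","slug":"admin"},{"id":2,"name":"Jane Doe","slug":"jane"}]'

echo "version: $(printf '%s\n' "$SAMPLE_HTML" | wp_version)"
echo "themes:";  printf '%s\n' "$SAMPLE_HTML" | wp_assets themes
echo "plugins:"; printf '%s\n' "$SAMPLE_HTML" | wp_plugin_versions
echo "users:";   printf '%s\n' "$SAMPLE_USERS_JSON" | wp_users
```

Each filter is independent, so the same functions work on a page saved from the proxy or on output captured from a file, which is handy when the site rate-limits or when you want to diff two snapshots.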

WordPress wordlists

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.fuzz.txt

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-themes.fuzz.txt

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt

Important Files and Directories

Login or authentication

  • /wp-login.php (the default login page; some hardening plugins rename it, e.g. to /login.php).

  • /wp-admin/login.php and /wp-admin/wp-login.php (both redirect to wp-login.php).

  • /xmlrpc.php (XML-RPC interface; system.multicall lets many credential checks be packed into one request, so it is a common brute-force target).

Directories and files

  • /wp-content/ (where plugins and themes are stored: /wp-content/plugins/ and /wp-content/themes/).

  • /wp-content/uploads/ (where uploaded files are stored, sorted by year/month; check for directory listing).

  • /wp-config.php (database credentials and salts; PHP executes it rather than serving it, but editor and backup copies such as wp-config.php.bak, wp-config.php~ or wp-config.php.save are sometimes readable).

GitTools

./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER /PATH/TO/EXTRACTED

gitdumper.sh needs the URL to end in /.git/ and downloads whatever objects it can find, even when directory listing is off; extractor.sh then writes every recoverable commit into its own numbered subfolder of the destination, so use a different folder for the output.

Enumeration of .git repository

git log --all --oneline
git show <hash>
git status
git checkout -- .

After a dump the working tree is empty and git status lists every file as deleted; git checkout -- . restores them when the objects are complete.
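A worked example of why the history matters more than the latest checkout, added here and not part of GitTools or of these notes: a throwaway repository is built in which a config file with a database password is committed and then deleted, and two helpers show that the secret is still reachable through every commit. The repository contents are constructed; nothing here touches a real target.

```shell
#!/bin/sh
# Added example: search the whole history of a dumped repo, not just HEAD.
# The demo repository is constructed on the fly; the credential is made up.
set -e

# make_demo_repo <dir>: two commits, the second one "removes" the credentials
make_demo_repo() {
    git init -q "$1"
    printf '<?php\n$db_pass = "Sup3rS3cret!";\n' > "$1/config.php"
    printf '<?php echo "hello";\n' > "$1/index.php"
    git -C "$1" add .
    git -C "$1" -c user.name=dev -c user.email=dev@example.invalid commit -q -m 'initial import'
    git -C "$1" rm -q config.php
    git -C "$1" -c user.name=dev -c user.email=dev@example.invalid commit -q -m 'remove config'
}

# git_history_grep <repo> <ERE>: grep every reachable commit, not only HEAD.
# Output lines look like <commit>:<path>:<line>:<text>
git_history_grep() {
    git -C "$1" grep -nE "$2" $(git -C "$1" rev-list --all)
}

# git_deleted_files <repo>: paths that were removed at some point in history,
# which is exactly where credentials and backups tend to hide
git_deleted_files() {
    git -C "$1" log --all --diff-filter=D --name-only --format='' | sed '/^$/d' | sort -u
}

if command -v git >/dev/null 2>&1; then
    repo=$(mktemp -d)/repo
    make_demo_repo "$repo" 2>/dev/null
    echo "[*] files in HEAD:";       git -C "$repo" ls-files
    echo "[*] deleted somewhere:";   git_deleted_files "$repo"
    echo "[*] secrets in history:";  git_history_grep "$repo" 'pass|secret|key'
    rm -rf "$(dirname "$repo")"
fi
```

On a real dump, point both helpers at the folder gitdumper.sh wrote (the one containing .git) and widen the pattern to whatever the application is likely to store: DB_PASSWORD, AUTH_KEY, api_key, BEGIN RSA PRIVATE KEY and so on.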
