
HTTP/HTTPS (80/443)

Don't forget to check robots.txt!

Enumeration

Feroxbuster

Feroxbuster is similar to gobuster but uses more threads by default and has a recursive mode, which gobuster does not have. You can start with a small list, but if nothing useful is found you can use the larger "medium" list.

feroxbuster -e -x php,html,txt -u http://$IP -w /usr/share/wordlists/dirb/common.txt

feroxbuster -e -x php,html,txt -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Gobuster

However, there are times when feroxbuster breaks and starts displaying every page attempted. In those cases I go back to gobuster.

gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

FFUF

Search for subdomains (note the -fs option, which filters out responses of the given size so the default virtual host's page is dropped from the results):

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.195.230 -fs {size}

Fuzz for existing usernames (-mr matches only responses whose body contains the given string):

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.77.43/customers/signup -mr "username already exists"

Brute force valid accounts (-fc 200 filters out responses with status 200, so any other status code is treated as a valid login):

ffuf -w valid_users.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.77.43/customers/login -fc 200
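The defender-side counterpart to the enumeration above, added here as an example and not part of the original notes: a small Python parser over combined-format access-log lines that flags the pattern these wordlist tools leave behind (a burst of 404s across many distinct paths from one client, and many POSTs to a login path from one client). The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx; only the fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_enumeration(lines, not_found_threshold=20, login_threshold=10):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a
    wordlist scan (many 404s over many distinct paths) or a login-form
    fuzz (many POSTs to a path ending in /login, whatever the status)."""
    not_found = defaultdict(set)    # ip -> distinct paths that returned 404
    login_posts = defaultdict(int)  # ip -> number of POSTs to a login path
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
        if rec["method"] == "POST" and rec["path"].endswith("/login"):
            login_posts[rec["ip"]] += 1
    alerts = defaultdict(list)
    for ip, paths in not_found.items():
        if len(paths) >= not_found_threshold:
            alerts[ip].append(f"{len(paths)} distinct paths returned 404")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            alerts[ip].append(f"{n} POSTs to a login path")
    return dict(alerts)

# Constructed sample log (not real traffic): one client scanning paths, one
# hammering the login form, one browsing normally.
SAMPLE_LOG = (
    [f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /dir{i} HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
     for i in range(25)]
    + [f'10.0.0.9 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /customers/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
       for i in range(12)]
    + ['10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
       '10.0.0.7 - - [01/Jan/2024:10:02:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately coarse; in production you would also window the counts by time so a slow scan spread over hours is not missed.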

PHPINFO document root

If you have access to a phpinfo.php file, you can find the document root quickly with curl:

curl http://$IP/phpinfo.php | grep 'DOCUMENT_ROOT' | html2text


Last updated 3 years ago