Directory Busting & Web-Content Discovery.
S1REN
Lets shed some light on anything in or past /
So, you got a target web application? Sweet.
The beginning of your enumeration is going to start with Discovery.
In other words, what the heck can I actually view, enumerate, etc?
I will go into Web Application Assessments in much more detail with a sample machine in a future blog post or dedicated page.
For now, export your URL immediately and localize these commands such that they are ready to launch in a *snap*.
Before anything - are you going to be using SecLists? Hope so!
https://sirensecurity.io/blog/seclists/
cd /opt/
git clone https://github.com/danielmiessler/SecLists.git
[Nikto]
nikto --host $URL -C all
[GOBUSTER]
+ We will begin with Gobuster.
export URL="https://example.com/"
+ Here are my localized commands:
BUST DIRECTORIES:
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
BUST FILES:
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
BUST SUB-DOMAINS:
gobuster dns -d someDomain.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
--> Make sure any DNS name you find resolves to an in-scope address before you test it.
===========================================================================
[WFUZZ]
export URL="https://example.com/FUZZ"
FUZZ DIRECTORIES:
export URL="https://example.com/FUZZ/"
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 "$URL"
FUZZ FILES:
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL"
AUTHENTICATED FUZZING:
e.g.
wfuzz -c -b "<SESSIONVARIABLE>=<SESSIONVALUE>" -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL"
FUZZ DATA AND CHECK FOR PARAMETERS:
export URL="https://example.com/?parameter=FUZZ
--> and/or some combination of...
export URL="https://example.com/?FUZZ=data
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"
+ Can I FUZZ Post Data?
--> Yup.
--> Example of Command Injection POST Checks:
wfuzz -c -z file,/usr/share/wordlists/Fuzzing/command-injection.txt -d "postParameter=FUZZ" "$URL"
Get creative with WFUZZ!
Comments are closed.