{"id":287,"date":"2021-04-25T16:51:35","date_gmt":"2021-04-25T16:51:35","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=287"},"modified":"2022-05-04T02:06:48","modified_gmt":"2022-05-04T02:06:48","slug":"directory-busting-web-content-discovery","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/directory-busting-web-content-discovery\/","title":{"rendered":"Directory Busting & Web-Content Discovery."},"content":{"rendered":"\n
<\/span>\"\"
\n

S1REN<\/p>\n\n\n\n

Lets shed some light on anything in or past \/<\/p>\n<\/div><\/div>\n\n\n\n

So, you got a target web application? Sweet.
The beginning of your enumeration is going to start with Discovery.
In other words, what the heck can I actually view, enumerate, etc?

I will go into Web Application Assessments in much more detail with a sample machine in a future blog post or dedicated page.

For now, export your URL immediately and localize these commands such that they are ready to launch in a *snap*.
Before anything - are you going to be using SecLists? Hope so!

https:\/\/sirensecurity.io\/blog\/seclists\/<\/a>
cd \/opt\/
git clone https:\/\/github.com\/danielmiessler\/SecLists.git
<\/a>
[Nikto]<\/strong>
nikto --host $URL -C all

[GOBUSTER]<\/strong>
+ We will begin with Gobuster.<\/strong>
export URL=\"https:\/\/example.com\/\"

+ Here are my localized commands:<\/strong>
BUST DIRECTORIES:<\/strong>
gobuster dir -u $URL -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-directories.txt -k -t 30

BUST<\/strong> FILES:<\/strong>
gobuster dir -u $URL -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-files.txt -k -t 30

BUST SUB-DOMAINS:<\/strong>
gobuster dns -d someDomain.com -w \/opt\/SecLists\/Discovery\/DNS\/subdomains-top1million-110000.txt -t 30
--><\/strong> Make sure any DNS name you find resolves to an in-scope address before you test it<\/em>.

===========================================================================<\/strong>

[WFUZZ]<\/strong>
export URL=\"https:\/\/example.com\/FUZZ<\/strong>\"

FUZZ DIRECTORIES:<\/strong>
export URL=\"https:\/\/example.com\/FUZZ\/<\/strong>\"
wfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-directories.txt --hc 404 \"$URL\"

FUZZ FILES:<\/strong>
wfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-files.txt --hc 404 \"$URL\"
<\/p>\n\n\n\n

AUTHENTICATED FUZZING:<\/strong>
e.g.
wfuzz -c -b \"<SESSIONVARIABLE>=<SESSIONVALUE>\" -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-files.txt --hc 404 \"$URL\"
<\/p>\n\n\n\n


FUZZ DATA AND CHECK FOR PARAMETERS:<\/strong>
export URL=\"https:\/\/example.com\/?parameter=FUZZ<\/strong>
--><\/strong> and\/or some combination of...
export URL=\"https:\/\/example.com\/?FUZZ<\/strong>=data
wfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/burp-parameter-names.txt \"$URL\"

+ Can I FUZZ Post Data?<\/strong>
--><\/strong> Yup.
--><\/strong> Example of Command Injection POST Checks<\/strong>:
wfuzz -c -z file,\/usr\/share\/wordlists\/Fuzzing\/command-injection.txt -d \"postParameter=FUZZ<\/strong>\" \"$URL\"


Get creative with WFUZZ!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

So, you got a target web application? Sweet.The beginning of your enumeration is going to start with Discovery.In other words, what the heck can I actually view, enumerate, etc? I will go into Web Application Assessments in much more detail with a sample machine in a future blog post or dedicated page. For now, export […]<\/p>\n","protected":false},"author":1,"featured_media":228,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[27,33,32,29,30,4,28,31],"class_list":["post-287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-directory-busting","tag-fuzz-post-data","tag-gobuster","tag-penetration-testing","tag-pentesting","tag-s1ren","tag-web-discovery","tag-wfuzz"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=287"}],"version-history":[{"count":9,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions"}],"predecessor-version":[{"id":486,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions\/486"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/228"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}