# 80,443 - WEB

## Enumeration

**Ports**: 80 / 443 (TCP)

A web application is made of domains, subdomains, directories, APIs, endpoints, files... This section collects the main steps an attacker takes to gather information about a web application before trying to exploit it.

## General Enumeration

Nmap's default scripts (`-sC`) together with version detection (`-sV`) usually give enough information (server banner, page title, `robots.txt` entries, supported HTTP methods) to start enumerating the web server.

```bash
nmap -sC -sV -p80,443 <TARGET>
```

Nonetheless, there is a huge quantity of Nmap scripts for web enumeration. Quote the script selector so the shell does not expand it, and exclude the `dos` and `brute` categories unless you really mean to run them, because the `http-*` wildcard also selects those scripts.

```bash
sudo nmap -p80,443 --script "http-* and not (dos or brute)" <TARGET>
```

## Well-known files and directories

At the beginning of web enumeration, you should check for standard web files that can provide you with extra information.

### .git

Some websites expose their source code by leaving the repository's `.git` directory under the web root. A quick check is to request `http://<WEBSITE.COM>/.git/HEAD`: if it returns a line starting with `ref: refs/heads/`, dump the repository with [git-dumper](https://github.com/arthaud/git-dumper), which rebuilds it from the known object layout and therefore works even when directory listing is disabled.

```bash
git-dumper http://<WEBSITE.COM>/.git ~/website
```

### robots.txt

The file `http://TARGET/robots.txt` tells crawlers which paths not to index. Its `Disallow` entries are, in practice, a list of paths the owner did not want found (admin panels, backups, staging areas), so request each of them.

### .well-known

The directory `http://TARGET/.well-known/` (RFC 8615) can contain URIs with valuable details, such as `security.txt`, OpenID/OAuth discovery documents or change-password endpoints.

You can check for well-known standard URIs at this [link](https://en.wikipedia.org/wiki/Well-known_URI#List_of_well-known_URIs).

### sitemap.xml

The file `http://TARGET/sitemap.xml` lists the URLs the site wants indexed, which gives you a map of content pages without crawling.
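The checks above, put together as an added example (not part of the page's own commands): a probe that reports the HTTP status of each well-known file, plus two parsers that turn `robots.txt` and `sitemap.xml` into a target-specific path list you can feed to the directory brute-forcers later on. It assumes `curl` is installed and that the base URL is passed without a trailing slash; the sample robots and sitemap contents used for testing are constructed.

```bash
#!/usr/bin/env bash
# Added example: probe the standard files and turn what they return into
# candidate paths. Assumed: curl is available; BASE_URL like http://target.tld.

# Print "<status> <url>" for each well-known file. A 200 on /.git/HEAD whose
# body starts with "ref:" means the repository is exposed (run git-dumper).
wellknown_probe() {
    local base="${1%/}"
    local path code
    for path in /.git/HEAD /robots.txt /sitemap.xml /.well-known/security.txt \
                /.well-known/openid-configuration; do
        code=$(curl -k -s -o /dev/null -w '%{http_code}' "$base$path")
        printf '%s %s\n' "$code" "$base$path"
    done
}

# robots.txt (on stdin) -> one path per line from Disallow/Allow entries,
# trailing comments stripped, deduplicated. Entries containing * or $ are
# patterns rather than fetchable paths, so they are dropped.
robots_paths() {
    tr -d '\r' \
      | grep -iE '^(dis)?allow:' \
      | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//' \
      | grep -E '^/' \
      | grep -v '[*$]' \
      | LC_ALL=C sort -u
}

# sitemap.xml (on stdin) -> one URL per line, taken from <loc> elements.
sitemap_urls() {
    tr -d '\r\n' \
      | grep -oE '<loc>[^<]+</loc>' \
      | sed -E 's#</?loc>##g' \
      | LC_ALL=C sort -u
}

# Usage, for example:
#   wellknown_probe http://target.tld
#   curl -s http://target.tld/robots.txt  | robots_paths > robots-paths.txt
#   curl -s http://target.tld/sitemap.xml | sitemap_urls
```

The `robots-paths.txt` produced this way is a good extra wordlist for ffuf or gobuster, since it contains paths that exist on this specific host rather than generic guesses.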

## Communication layer

Most web traffic travels over an encrypted channel thanks to TLS, so a web audit also has to enumerate the supported protocol versions and cipher suites and inspect the certificate (issuer, names it covers, expiration date).

### Domain certificate

If the web page is served over HTTPS, inspect its certificate: the Subject Alternative Name (SAN) extension often lists additional subdomains, and a wildcard entry such as `*.example.com` tells you which domain to brute-force vhosts under.

To do so, you can execute the following command. `-servername` sends the SNI extension, so a server hosting several sites returns the certificate for that name instead of its default one.

```bash
echo | openssl s_client -connect <DOMAIN>:443 -servername <DOMAIN> 2>/dev/null | openssl x509 -noout -text | grep DNS | sed 's/,/\n/g'
```
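The same pipeline packaged as reusable functions, as an added example that is not part of the original page: `cert_sans` fetches the certificate for a name (with SNI) and `san_names` parses the `openssl x509 -text` output into one DNS name per line, with wildcard entries separable from concrete hostnames. It assumes `openssl` is installed; the certificate text used in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: list the Subject Alternative Names of a TLS server's certificate.
# Assumed: openssl is installed; DOMAIN resolves and serves TLS on the given port.

# Parse the "X509v3 Subject Alternative Name" block of `openssl x509 -text`
# output (on stdin) into one DNS name per line, sorted and deduplicated.
san_names() {
    tr -d '\r' \
      | grep -A1 'Subject Alternative Name' \
      | grep -oE 'DNS:[^,[:space:]]+' \
      | sed 's/^DNS://' \
      | LC_ALL=C sort -u
}

# Fetch the certificate presented for DOMAIN. -servername sends SNI so a
# multi-site server returns the right certificate; </dev/null closes stdin so
# s_client exits once the handshake is done.
cert_sans() {
    local domain="$1" port="${2:-443}"
    openssl s_client -connect "$domain:$port" -servername "$domain" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | san_names
}

# Wildcard SANs (*.example.com) do not name hosts, so keep them apart.
wildcards_only() { grep '^\*\.'; }
hosts_only()     { grep -v '^\*\.'; }

# Usage, for example:
#   cert_sans example.com | hosts_only      # concrete hostnames to visit
#   cert_sans example.com | wildcards_only  # domains to brute-force vhosts under
```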

As an alternative, use **sslscan**, which takes a host and port rather than a URL and also lists the supported protocols and ciphers.

```bash
sslscan <DOMAIN>:443
```

### Automated tools

Dedicated tools check the supported protocol versions and cipher suites and test for known cryptographic flaws.

* [**Testssl.sh**](https://github.com/drwetter/testssl.sh) (Offline) is a free command line tool which checks a server's service on any port f

```bash
git clone https://github.com/drwetter/testssl.sh
cd testssl.sh
./testssl.sh <URL>
```

* [**Qualys - SSL Labs**](https://www.ssllabs.com/ssltest/) (Online) performs a deep analysis of the configuration of any SSL web server on the public Internet.

## Directories/Files enumeration

Another essential step in web enumeration is looking for files and directories that are not linked from any page. Directory brute-forcing can be achieved with the following tools: pass a wordlist and the file extensions the stack uses (`.php`, `.aspx`, `.jsp`...), and filter out the server's default "not found" page when it is not served with a 404.

* **Ffuf**

```bash
ffuf -w <WORDLIST.TXT> [-ic] [-e <FILE_EXTENSIONS>] [-of <OUTPUT_FORMAT>] [-o <OUTPUT_FILE>] [-t <NUMBER_OF_THREADS>] -u <URL>/FUZZ
# -ic skips the comment lines at the top of the dirbuster wordlists
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -ic -e /,.asp,.aspx,.html,.php,.txt,.py,.bak,.doc,.js,.cgi -of md -o ffuf.md -t 60 -u http://WEBSITE.COM/FUZZ
```

* **Feroxbuster**

```bash
feroxbuster [-t <THREADS>]  [-w <WORDLIST.TXT>]  [-x "<EXTENSIONS>"] [-f] [-v] [-k] [-n] [-q] [-o <FILE_OUTPUT>] -u <URL>
feroxbuster -u http://<WEBSITE.COM>/ -t 10 -w <WORDLIST> -x "txt,html,php,asp,aspx,jsp" -f -v -k -n -q -o ferox.txt
```

* **Gobuster**

```bash
gobuster dir -w <WORDLIST.TXT> [-k] [-x <FILE_EXTENSIONS>] [-f] [-t <THREADS>] [-o <OUTPUT_FILE>] -u <URL>
# -x takes bare extensions (gobuster adds the dot itself); use -f to append a slash rather than listing "/" as an extension
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x asp,aspx,html,php,txt,py,bak,doc,js,cgi -t 40 -o GoBuster.txt -u http://10.10.38.126/
```

## Virtual hosts

A single web server can host multiple websites under different names, known as virtual hosts (vhosts): the server picks the site from the `Host` header (or the SNI name for HTTPS). Finding vhosts matters because each site may carry its own vulnerabilities, and compromising one can give the attacker access to the server and to the other sites on it.

You can enumerate virtual hosts with the following tools. Because the server answers any unknown `Host` with its default site, filter out that baseline response (by size or status), otherwise every word in the list looks like a hit.

* **Ffuf**

```bash
ffuf -w <WORDLIST.TXT> -u <URL> -H "Host: FUZZ.<DOMAIN>" [-ac | -fs <BASELINE_SIZE>]
# -ac auto-calibrates the filter from a few random names; -fs <size> filters the default page's size by hand
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://website.com/ -H "Host: FUZZ.website.com" -ac -of md -o vhosts.md
```

* **GoBuster**

```bash
gobuster vhost -w <WORDLIST.TXT> --append-domain [-k] [-t <THREADS>] [--exclude-length <BASELINE_SIZE>] [-o <OUTPUT_FILE>] -u <URL>
# --append-domain is required from gobuster 3.2 on; earlier versions appended the domain automatically
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -k -o vhosts.txt -u https://example.com/
```
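The baseline filtering that `-ac`/`-fs` and `--exclude-length` perform, done by hand with `curl`, as an added example that is not part of the original page. It requests a name that cannot exist to learn what the default site returns, then reports only the candidate names whose status or size differs. It assumes `curl` is installed, that `URL` points at the server and `DOMAIN` is the base domain, and that the wordlist holds one subdomain label per line; the probe results used in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example: manual vhost discovery with a baseline filter.
# Assumed: curl is installed; URL like http://10.10.10.10, DOMAIN like example.com.

# One request with a custom Host header; prints "<status> <bytes>".
probe_host() {
    local url="$1" host="$2"
    curl -k -s -o /dev/null -w '%{http_code} %{size_download}' -H "Host: $host" "$url"
}

# Read "name status size" lines on stdin and print the names whose status or
# size differs from the baseline passed as arguments.
vhost_filter() {
    local base_status="$1" base_size="$2"
    awk -v s="$base_status" -v z="$base_size" '$2 != s || $3 != z { print $1 }'
}

# Baseline with a label nobody configures, then probe every label in the list.
vhost_scan() {
    local url="$1" domain="$2" wordlist="$3"
    local base
    base=$(probe_host "$url" "nonexistent-$$.$domain")
    while IFS= read -r label; do
        [ -z "$label" ] && continue
        printf '%s %s\n' "$label.$domain" "$(probe_host "$url" "$label.$domain")"
    done < "$wordlist" | vhost_filter "${base%% *}" "${base##* }"
}

# Usage: vhost_scan http://10.10.10.10 example.com subdomains.txt
```

A differing size is only a lead: check the hits by hand, since a site that embeds the requested hostname in its error page changes size for every name.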

## Web Application Scanners

There are already automated tools that will facilitate your web enumeration.

### Wappalyzer

Wappalyzer is a web browser extension that identifies technologies on websites, such as JavaScript libraries, web servers, operating systems, CMS, Analytics...

### Nikto

Nikto is a CLI scanner that checks for dangerous files, outdated server software and configuration problems. The target is given with `-h`.

```bash
nikto -h https://example.com/
```

### Wapiti

[Wapiti](https://wapiti-scanner.github.io/) is a general-purpose web application scanner. It crawls the deployed web app looking for scripts and forms where it can inject data; once it has the list of URLs, forms and their inputs, it acts as a fuzzer, injecting payloads to see whether a script is vulnerable.

```bash
wapiti -u <URL> -c <COOKIES.JSON> -m all
```

### WPScan

WPScan is a WordPress scanner that identifies the WordPress version and the installed plugins and themes and looks up known vulnerabilities for them (the CVE data needs a free API token). It also looks for backed-up `wp-config.php` files and database dumps, enumerates users and can brute-force passwords.

```bash
wpscan [-e ap,at,dbe,u] [--api-token <API-TOKEN>] [--random-user-agent] [--detection-mode aggressive] [--plugins-detection aggressive] [--disable-tls-checks] [-o <OUTPUT_FILE>] --url <URL>
```

### Joomscan

Joomscan is a Joomla vulnerability scanner available from Kali's repositories.

```bash
joomscan -u <URL> 
```

### Drupal

Drupal is another CMS like WordPress and Joomla with associated scanners such as [drupwn](https://github.com/immunit/drupwn) and [droopescan](https://github.com/SamJoan/droopescan).

```bash
python3 drupwn [--users] [--nodes] [--thread <NUMBER>] [--mode enum] --target <URL>
droopescan scan drupal  [-t <NUMBER_THREADS>] -u <URL> 
```

### Badmoodle

[Badmoodle](https://github.com/cyberaz0r/badmoodle) is an unofficial, community-based vulnerability scanner for Moodle that checks for both canonical and non-canonical Moodle vulnerabilities.

```bash
./badmoodle.py -u <URL>
```

## References

* [Robots.txt](https://moz.com/learn/seo/robotstxt)
* [Web Application Security Testing > 01-Information Gathering](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver)
