80,443 - WEB

Enumeration

Ports: 80 / 443 (TCP)

A web application consists of domains, subdomains, directories, APIs, endpoints, files... In this section, the attacker will find some of the main steps to gather information on a web application for later web exploitation.

General Enumeration

Using the default scripts of Nmap should provide the attacker with enough information to continue enumerating the web application.

nmap -sC -sV -p80,443 <TARGET>

Nonetheless, Nmap ships a large number of scripts for web enumeration.

sudo nmap -p80,443 --script=http* <TARGET>

Well-known files and directories

At the beginning of web enumeration, you should check for standard web files that can provide you with extra information.

.git

Some websites accidentally expose their source code via this directory. If a .git directory exists, you can obtain the repository's contents with git-dumper.

git-dumper http://<WEBSITE.COM>/.git ~/website

robots.txt

The file http://TARGET/robots.txt will provide you with new endpoints excluded by web crawlers.

.well-known

The endpoint http://TARGET/.well-known/ can contain many URIs with valuable details.

You can check the standard well-known URIs in the IANA registry of well-known URIs.

sitemap.xml

The file http://TARGET/sitemap.xml will help you find content pages.
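As an added example (not part of the original notes), the following Python script turns robots.txt and sitemap.xml into one list of candidate endpoints on the target host. It handles comments, several User-agent blocks, trailing wildcards and the sitemapindex form; both sample inputs are constructed.

```python
"""Added example (not from the original page): build candidate endpoints
from robots.txt and sitemap.xml. Sample inputs below are constructed."""
from urllib.parse import urljoin, urlsplit
import xml.etree.ElementTree as ET
# Constructed robots.txt: two agent blocks, a comment, a wildcard rule
# and a Sitemap directive.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database dumps
Allow: /public/
User-agent: Googlebot
Disallow: /old-api/*
Sitemap: https://example.com/sitemap.xml
"""

# Constructed sitemap.xml (urlset form); a sitemapindex nests
# <sitemap><loc> entries and is read by the same namespace-agnostic scan.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/docs/internal-notes.html</loc></url>
</urlset>
"""

def parse_robots(text, base_url):
    """(paths, sitemaps): Allow/Disallow targets from every User-agent
    block as absolute URLs, plus any Sitemap URLs."""
    paths, sitemaps = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # strip comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key, value = key.lower(), value.rstrip("*$")  # trailing wildcards
        if key in ("allow", "disallow") and value and "*" not in value:
            paths.add(urljoin(base_url, value))
        elif key == "sitemap":
            sitemaps.add(value)
    return paths, sitemaps

def parse_sitemap(xml_text):
    """Every <loc> in a urlset or sitemapindex, ignoring the namespace."""
    return {el.text.strip() for el in ET.fromstring(xml_text).iter()
            if el.tag.split("}")[-1] == "loc" and el.text}

def candidate_endpoints(base_url, robots_txt, sitemap_xml):
    """Merge both sources, keeping only URLs on the target's own host."""
    host = urlsplit(base_url).netloc
    urls = parse_robots(robots_txt, base_url)[0] | parse_sitemap(sitemap_xml)
    return sorted(u for u in urls if urlsplit(u).netloc == host)
```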

Communication layer

Most website traffic travels over an encrypted channel thanks to TLS, so another thing you need to check on a web audit is the supported encryption protocols, the certificates and their expiration dates.

Domain certificate

If the web page communication is protected with HTTPS, you can inspect its certificate looking for subdomains or wildcards.

To do so, you can execute the following command.

echo | openssl s_client -connect <DOMAIN>:443 -servername <DOMAIN> 2>/dev/null | openssl x509 -noout -text | grep DNS | sed 's/,/\n/g'

As an alternative, use sslscan.

sslscan <URL>
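Added example, not from the original notes: the same certificate inspection done with Python's standard library, separating SAN hostnames from wildcards and computing the days left before expiry. fetch_cert assumes the host is reachable on port 443; SAMPLE_CERT is a constructed dict in the shape getpeercert() returns, so the parsing part runs offline.

```python
"""Added example (not from the original page): read a server certificate's
SAN names, wildcards and remaining lifetime with the standard library.
SAMPLE_CERT is constructed in the shape ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import time

# Constructed sample, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.dev.example.com"),
        ("DNS", "legacy-admin.example.com"),
        ("DNS", "WWW.example.com"),        # duplicate differing only in case
        ("IP Address", "203.0.113.10"),
    ),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

def fetch_cert(host, port=443, timeout=5):
    """Verified TLS handshake (SNI set) returning the peer's parsed cert;
    with an unverified context getpeercert() would return an empty dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_names(cert):
    """Return (hostnames, wildcards) from the SAN extension, de-duplicated."""
    hosts, wildcards = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue            # IP, email and URI entries are not hostnames
        name = value.lower()
        (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)

def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400

if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(san_names(cert), round(days_until_expiry(cert), 1))
```

Run it with a hostname argument to inspect a live server, or without one to see the parsing on the constructed sample.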

Automated tools

There are also tools that check the supported ciphers and protocols and test for some cryptographic flaws.

  • Testssl.sh (Offline) is a free command line tool which checks a server's service on any port f

git clone https://github.com/drwetter/testssl.sh
cd testssl.sh
./testssl.sh <URL>
  • Qualys - SSL Labs (Online) performs a deep analysis of the configuration of any SSL web server on the public Internet.

Directories/Files enumeration

Another essential step in web enumeration is looking for hidden files and directories that are not linked from the web pages. Directory brute-forcing can be done with the following tools.

  • Ffuf

ffuf -w <WORDLIST.TXT> [-e <FILE_EXTENSIONS>] [-of <OUTPUT_FORMAT>] [-o <OUTPUT_FILE>] [-t <NUMBER_OF_THREADS>] -u <URL>/FUZZ
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e /,.asp,.aspx,.html,.php,.txt,.py,.bak,.doc,.js,.cgi -of md -o ffuf.txt -t 60 -u http://WEBSITE.COM/FUZZ
  • Feroxbuster

feroxbuster [-t <THREADS>]  [-w <WORDLIST.TXT>]  [-x "<EXTENSIONS>"] [-f] [-v] [-k] [-n] [-q] [-o <FILE_OUTPUT>] -u <URL>
feroxbuster -u http://<WEBSITE.COM>/ -t 10 -w <WORDLIST> -x "txt,html,php,asp,aspx,jsp" -f -v -k -n -q -o ferox.txt
  • Gobuster

gobuster dir -w <WORDLIST.TXT> [-k] [-x <FILE_EXTENSIONS>] [-t <THREADS>] [-o <OUTPUT_FILE>] -u <URL>
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x /,asp,aspx,html,php,txt,py,bak,doc,js,cgi -t 40 -o GoBuster.txt -u http://10.10.38.126/

Virtual hosts

A single web server can be configured to serve multiple websites at once under different hostnames, which are called virtual hosts (vhosts). Finding vhosts is important because each website might contain vulnerabilities, allowing the attacker to compromise the server and gain unauthorised access to the other websites.

You can enumerate virtual hosts with the following tools.

  • Ffuf

ffuf -w <WORDLIST.TXT> -u <URL> -H "Host: FUZZ.<DOMAIN>"
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://website.com/ -of md -o vhosts.txt -H "Host: FUZZ.website.com"
  • GoBuster

gobuster vhost -w <WORDLIST.TXT> [-k] [-t <THREADS>] [-o <OUTPUT_FILE>] -u <URL>
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -k -o vhosts.txt -u https://example.com/

Web Application Scanners

There are already automated tools that will facilitate your web enumeration.

Wappalyzer

Wappalyzer is a web browser extension that identifies technologies on websites, such as JavaScript libraries, web servers, operating systems, CMS, Analytics...

Nikto

Nikto is a CLI scanner that checks for vulnerabilities and configuration problems.

nikto -url https://example.com/

Wapiti

Wapiti is a general web application scanner that crawls the pages of the deployed web app, looking for scripts and forms where it can inject data. Once it has the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see whether a script is vulnerable.

wapiti -u <URL> -c <COOKIES.JSON> -m all

WPScan

WPScan is a WordPress scanner that checks the WordPress version and the installed plugins and themes, looking for vulnerabilities. Furthermore, it looks for backed-up wp-config.php files and database dumps. Finally, it also does user enumeration and password brute-forcing.

wpscan [-e ap,at,dbe,u] [--api-token <API-TOKEN>] [--random-user-agent] [--detection-mode aggressive] [--plugins-detection aggressive] [--disable-tls-checks] [-o <OUTPUT_FILE>] --url <URL>

Joomscan

Joomscan is a Joomla vulnerability scanner that already comes preinstalled with Kali.

joomscan -u <URL>

Drupal

Drupal is another CMS like WordPress and Joomla with associated scanners such as drupwn and droopescan.

python3 drupwn [--users] [--nodes] [--thread <NUMBER>] [--mode enum] --target <URL>
droopescan scan drupal [-t <NUMBER_THREADS>] -u <URL>

Badmoodle

Badmoodle is an unofficial, community-based vulnerability scanner for Moodle that scans for canonical and non-canonical Moodle vulnerabilities.

./badmoodle.py -u <URL>
