Backlink: reference-notes-readme


Fuzzing

Directory Fuzzing

Placeholder Text

Wfuzz

Vhosts

Web server vhosts on a target may not be reachable unless the request carries the full hostname, subdomain included, in the Host header. To discover subdomains, fuzz the Host header with wfuzz. The filters in the command below are box-specific: --hc 200 hides the status code the catch-all vhost answered with, and --hw 356 hides its word count (356 on that box). Calibrate them first by sending a Host value that cannot exist and noting the status, word and char counts wfuzz prints for it. A hostname that is reflected in the error page changes the char count from word to word but normally not the word count, which is why --hw is the more robust filter.

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.sneakycorp.htb" --hc 200 --hw 356 -t 100 10.10.10.197

Gobuster

Dir Mode

Used to find additional content on a specific domain or subdomain, including hidden files and directories. The -u flag specifies the target URL (domain or subdomain, with scheme and port) and -w specifies the wordlist.

gobuster dir -u <target url> -w <wordlist>
gobuster dir -u http://10.10.10.56:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp"  -o "/home/borari/cybersecurity/htb/boxes/10.10.10.56-shocker/scans/tcp_80_http_gobuster_root.txt"
gobuster dir -u http://192.168.96.47:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -s "200,204,301,302,307,403,500" -x "txt,html,php,jpg" -t 25 --timeout 5s -o "./tcp_80_gobuster.txt"

Note for gobuster 3.x: -s (positive codes) and -b (negative codes) are mutually exclusive, and -b defaults to 404, so the commands above fail with "status-codes and status-codes-blacklist are both set" unless you also pass -b "" to clear the default blacklist. Alternatively drop -s and only blacklist with -b.

Advanced Options

Flag        Usage
-e          Expanded mode, prints full URLs
-k          Skips SSL certificate verification
-l          Includes the length of the body in output
-s          Positive status codes (whitelist)
-b          Negative status codes (blacklist)
-x          Defines specific file extensions
-z          Don't display progress
-o          Output file
-t          Sets threads for simultaneous requests (e.g. 25)
--timeout   Sets timeout interval. Default 10s; 5s worked for a Proving Grounds box.

DNS Mode

The DNS mode is used for DNS subdomain brute-forcing: each wordlist entry is prepended to the domain and resolved through DNS, so it only finds subdomains that actually have records. Use -d to specify the domain to brute force and -w to specify the wordlist. For names that have no public DNS record but are served on a known IP (the usual HTB situation, where the hostname lives in /etc/hosts), use vhost mode instead.

gobuster dns -d <target domain> -w <wordlist>

Vhost Mode

Virtual hosting is used when organizations host multiple domain names on a single server or cluster of servers. This allows one server to share its resources with multiple hostnames. Finding virtual hostnames on a server can reveal additional web content belonging to an organization. In vhost mode -u is the IP or base URL and each wordlist entry is sent as the Host header, so no DNS resolution is needed. In gobuster 3.1 and later the base domain is no longer appended automatically; add --append-domain so the entry becomes word.domain. As with wfuzz, filter out the catch-all vhost's response (gobuster has --exclude-length for this) or every word in the list will show up as a hit.

gobuster vhost -u <target url> -w <wordlist>
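The calibration step described for wfuzz above and for gobuster vhost mode here is easy to get wrong by copying a --hw value from another box, so here is an added example (my own code, not part of the original notes and not from wfuzz or gobuster) of a small vhost brute-forcer that derives its own filter. It requests two random subdomains of different lengths that cannot exist, takes their status and word count as the baseline, and uses the difference in body length to work out how many times the Host value is echoed in the catch-all page, so a reflected hostname does not produce a false hit for every word. The target IP, port, domain and wordlist are command-line arguments and are assumptions; the fetch function is injectable so the filtering logic can be exercised without a network.

```python
#!/usr/bin/env python3
"""Virtual-host brute force that calibrates its own filter (added example)."""
import http.client
import secrets
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    status: int
    words: int   # what wfuzz --hw filters on
    length: int  # what wfuzz --hh / gobuster --exclude-length filter on


@dataclass(frozen=True)
class Baseline:
    fp: Fingerprint            # response for the reference bogus hostname
    ref_host_len: int          # length of that hostname
    reflections: Optional[int] # times the Host value is echoed; None = unknown


def fingerprint(status: int, body: bytes) -> Fingerprint:
    text = body.decode("utf-8", errors="replace")
    return Fingerprint(status, len(text.split()), len(body))


def calibrate(fetch: Callable[[str], Fingerprint], domain: str) -> Baseline:
    """Request two random, differently sized subdomains and derive the baseline."""
    short = f"{secrets.token_hex(4)}.{domain}"   # 8 hex chars
    long_ = f"{secrets.token_hex(16)}.{domain}"  # 32 hex chars
    a, b = fetch(short), fetch(long_)
    if (a.status, a.words) != (b.status, b.words):
        raise RuntimeError("catch-all vhost is not stable; cannot build a baseline")
    delta_host = len(long_) - len(short)
    delta_body = b.length - a.length
    # If the body grows by a whole multiple of the hostname growth, the Host
    # value is reflected that many times; otherwise ignore length entirely.
    reflections = delta_body // delta_host if delta_body % delta_host == 0 else None
    return Baseline(a, len(short), reflections)


def expected_length(base: Baseline, vhost: str) -> Optional[int]:
    if base.reflections is None:
        return None
    return base.fp.length + base.reflections * (len(vhost) - base.ref_host_len)


def is_hit(fp: Fingerprint, base: Baseline, vhost: str) -> bool:
    """True when the response does not look like the catch-all vhost."""
    if fp.status != base.fp.status or fp.words != base.fp.words:
        return True
    exp = expected_length(base, vhost)
    return exp is not None and fp.length != exp


def http_fetcher(ip: str, port: int, timeout: float = 5.0) -> Callable[[str], Fingerprint]:
    """Return fetch(vhost) that sends GET / with Host: vhost to ip:port (plain HTTP)."""
    def fetch(vhost: str) -> Fingerprint:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": vhost, "User-Agent": "vhost-fuzz"})
            resp = conn.getresponse()
            return fingerprint(resp.status, resp.read())
        finally:
            conn.close()
    return fetch


def fuzz_vhosts(fetch: Callable[[str], Fingerprint], domain: str,
                words: Iterable[str]) -> Tuple[Baseline, List[Tuple[str, Fingerprint]]]:
    base = calibrate(fetch, domain)
    hits = []
    for w in words:
        w = w.strip()
        if not w or w.startswith("#"):
            continue
        vhost = f"{w}.{domain}"
        fp = fetch(vhost)
        if is_hit(fp, base, vhost):
            hits.append((vhost, fp))
    return base, hits


if __name__ == "__main__":
    # Usage (all values are yours): vhost_fuzz.py <ip> <port> <domain> <wordlist>
    ip, port, domain, wordlist = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        base, hits = fuzz_vhosts(http_fetcher(ip, port), domain, fh)
    print(f"baseline: {base}")
    for vhost, fp in hits:
        print(f"{vhost}: status={fp.status} words={fp.words} length={fp.length}")
```

The status/word comparison is what --hc/--hw do; the length check adds what --hh cannot do on its own, because a reflected hostname makes every response a different size. If the two calibration requests disagree on status or word count, the script refuses to guess rather than silently reporting the whole wordlist.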

WebDAV

Enumeration

I can enumerate WebDAV with the davtest tool in Kali. It tries to PUT test files with a range of extensions and then reports which uploads succeeded and which of them actually execute on the server, which tells you what file type to use for a web shell.

davtest -url http://10.10.10.14

AutoRecon's Enumeration

Below are the commands that autorecon runs against an exposed HTTP service, as captured for admin.cronos.htb:80. Having them here makes it easy to run the same enumeration again against any newly discovered vhost by substituting the hostname and output path. Note that sslscan is only informative for a TLS service; against plain port 80 it just reports a failed handshake.

sslscan --show-certificate admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_sslscan.txt"
nmap -vv --reason -Pn -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_nmap.txt" -oX "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/xml/admin_http_nmap.xml" admin.cronos.htb
curl -sSik http://admin.cronos.htb:80/ -m 10 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_index.html"
curl -sSik http://admin.cronos.htb:80/robots.txt -m 10 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_robots.txt"
if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png http://admin.cronos.htb:80/ /home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_screenshot.png; fi
whatweb --no-errors -a 3 -v http://admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_whatweb.txt"
nikto -ask=no -h http://admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_nikto.txt"
gobuster dir -u http://admin.cronos.htb:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_gobuster.txt"
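To re-run that battery against a new vhost without hand-editing eight commands, here is an added example (my own wrapper, not part of AutoRecon or the original notes) that builds the same argv lists from a hostname, port and output directory, captures stdout and stderr to the same file names autorecon uses, skips tools that are not installed (the same idea as the `if hash wkhtmltoimage` guard above) and only runs sslscan when the service is TLS. The output directory and the tls flag are assumptions; every flag used is taken verbatim from the commands above.

```python
#!/usr/bin/env python3
"""Re-run the AutoRecon HTTP enumeration against a newly found vhost (added example)."""
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

NMAP_SCRIPTS = ("banner,(http* or ssl*) and not "
                "(brute or broadcast or dos or external or http-slowloris* or fuzzer)")
GOBUSTER_WORDLIST = "/usr/share/seclists/Discovery/Web-Content/common.txt"
EXTENSIONS = "txt,html,php,asp,aspx,jsp"

Command = Tuple[List[str], Optional[Path]]  # (argv, file that receives stdout+stderr, like tee)


def build_commands(vhost: str, port: int, outdir: str, tls: bool = False) -> List[Command]:
    """Build the argv lists; pure, so it can be inspected without running anything."""
    scheme = "https" if tls else "http"
    url = f"{scheme}://{vhost}:{port}/"
    out = Path(outdir)
    tag = vhost.split(".")[0]  # admin.cronos.htb -> admin_http_nmap.txt etc.
    cmds: List[Command] = []
    if tls:  # sslscan against a plaintext port only reports a failed handshake
        cmds.append((["sslscan", "--show-certificate", f"{vhost}:{port}"],
                     out / f"{tag}_sslscan.txt"))
    cmds += [
        (["nmap", "-vv", "--reason", "-Pn", "-sV", "-p", str(port), f"--script={NMAP_SCRIPTS}",
          "-oN", str(out / f"{tag}_{scheme}_nmap.txt"),
          "-oX", str(out / "xml" / f"{tag}_{scheme}_nmap.xml"), vhost],
         out / f"{tag}_{scheme}_nmap.stdout.txt"),
        (["curl", "-sSik", url, "-m", "10"], out / f"{tag}_{scheme}_index.html"),
        (["curl", "-sSik", url + "robots.txt", "-m", "10"], out / f"{tag}_{scheme}_robots.txt"),
        (["wkhtmltoimage", "--format", "png", url, str(out / f"{tag}_{scheme}_screenshot.png")], None),
        (["whatweb", "--no-errors", "-a", "3", "-v", url], out / f"{tag}_{scheme}_whatweb.txt"),
        (["nikto", "-ask=no", "-h", url], out / f"{tag}_{scheme}_nikto.txt"),
        (["gobuster", "dir", "-u", url, "-w", GOBUSTER_WORDLIST, "-z", "-k", "-l",
          "-x", EXTENSIONS, "-o", str(out / f"{tag}_{scheme}_gobuster.txt")], None),
    ]
    return cmds


def run_all(vhost: str, port: int, outdir: str, tls: bool = False) -> List[Tuple[str, int]]:
    """Run every command whose binary exists; return (tool, exit code) per command run."""
    out = Path(outdir)
    (out / "xml").mkdir(parents=True, exist_ok=True)
    results = []
    for argv, capture in build_commands(vhost, port, outdir, tls):
        if shutil.which(argv[0]) is None:
            print(f"[-] {argv[0]} not installed, skipping")
            continue
        proc = subprocess.run(argv, capture_output=True, text=True)
        if capture is not None:
            capture.write_text(proc.stdout + proc.stderr)
        print(f"[+] {argv[0]} finished (exit {proc.returncode})")
        results.append((argv[0], proc.returncode))
    return results


if __name__ == "__main__":
    import sys
    # Usage (values are yours): http_enum.py <vhost> <port> <outdir> [tls]
    run_all(sys.argv[1], int(sys.argv[2]), sys.argv[3], tls=len(sys.argv) > 4)
```

Only the results the tools would not write themselves are captured from stdout; nmap and gobuster still get their own -oN/-oX/-o files, exactly as in the original commands.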