Fuzzing
Directory Fuzzing
Wfuzz
Vhosts
Web server vhosts running on a target machine may not be accessible unless we navigate directly to the full hostname, including the subdomain. To discover subdomain names, we can fuzz for them with wfuzz.
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.sneakycorp.htb" --hc 200 --hw 356 -t 100 10.10.10.197
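As an added illustration (not part of the original notes and not wfuzz's own code), this is the logic behind the `--hc 200 --hw 356` filter above: a deliberately bogus subdomain is requested first to learn what a miss looks like (the default vhost page, here 200 with 356 words), and only candidates whose status code or word count differ from that baseline are reported. The transport is a constructed in-memory stub so it runs offline; the hostnames and responses are made up.

```python
"""Baseline-filtered vhost discovery: the idea behind wfuzz --hc/--hw filters.
Added example, not wfuzz code. `stub_fetch` stands in for a real HTTP request
carrying the candidate Host header; all data below is constructed."""
import secrets

# Constructed sample site keyed by Host header. Any unknown Host falls back to
# the server's default vhost page, which is exactly what a wrong guess returns.
DEFAULT_PAGE = (200, "welcome " * 356)   # 356 words, like the --hw 356 filter above
SAMPLE_SITE = {
    "dev.example.test": (200, "dev portal login form " * 40),   # 160 words
    "admin.example.test": (401, "unauthorized"),                # different status
    "www.example.test": DEFAULT_PAGE,  # same page as the default vhost: invisible to this method
}


def stub_fetch(host):
    """Return (status, body) for a given Host header (constructed data, offline)."""
    return SAMPLE_SITE.get(host, DEFAULT_PAGE)


def signature(resp):
    """Reduce a response to (status code, word count), the two values wfuzz filters on."""
    status, body = resp
    return (status, len(body.split()))


def baseline_signature(domain, fetch):
    """Request a random subdomain that cannot exist to learn the 'miss' response."""
    junk = secrets.token_hex(6) + "." + domain
    return signature(fetch(junk))


def find_vhosts(domain, candidates, fetch=stub_fetch):
    """Return (baseline, hits) where hits maps hostnames to signatures that differ
    from the baseline. Hosts served by the default vhost (e.g. www above) are
    indistinguishable from misses and are deliberately not reported."""
    base = baseline_signature(domain, fetch)
    hits = {}
    for sub in candidates:
        host = f"{sub}.{domain}"
        sig = signature(fetch(host))
        if sig != base:
            hits[host] = sig
    return base, hits


if __name__ == "__main__":
    base, hits = find_vhosts("example.test", ["dev", "admin", "www", "mail"])
    print("baseline (status, words):", base)
    for host, sig in hits.items():
        print(host, sig)
```

A real run would replace `stub_fetch` with a function that issues the request to the target IP with `Host: <candidate>` and returns the status and body; re-establish the baseline per target, since the default page size differs between servers.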
Gobuster
Dir Mode
Used to find additional content on a specific domain or subdomain, including hidden files and directories. The -u flag specifies the domain/subdomain and -w specifies the wordlist.
gobuster dir -u <target url> -w <wordlist>
gobuster dir -u http://10.10.10.56:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "/home/borari/cybersecurity/htb/boxes/10.10.10.56-shocker/scans/tcp_80_http_gobuster_root.txt"
gobuster dir -u http://192.168.96.47:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -s "200,204,301,302,307,403,500" -x "txt,html,php,jpg" -t 25 --timeout 5s -o "./tcp_80_gobuster.txt"
Advanced Options
Flag | Usage |
---|---|
-e | Expanded mode, prints full URLs |
-k | Skips SSL certificate verification |
-l | Includes length of the body in output |
-s | Positive status codes |
-b | Negative status codes |
-x | Defines specific file extensions |
-z | Don't display progress |
-o | Output file |
-t | Sets threads for simultaneous requests (e.g. 25) |
--timeout | Sets timeout interval. Default 10s, 5s worked for Proving Grounds box. |
DNS Mode
The DNS mode is used for DNS subdomain brute-forcing. You can use it to find subdomains for a given domain. In this mode, you can use the flag -d to specify the domain you want to brute force and -w to specify the wordlist you want to use.
gobuster dns -d <target domain> -w <wordlist>
Vhost Mode
Virtual hosting is used when organizations host multiple domain names on a single server or cluster of servers. This allows one server to share its resources with multiple hostnames. Finding virtual hostnames on a server can reveal additional web content belonging to an organization.
gobuster vhost -u <target url> -w <wordlist>
WebDAV
Enumeration
I can enumerate WebDAV with the davtest tool in Kali.
davtest -url http://10.10.10.14
AutoRecon's Enumeration
Below are the commands that AutoRecon fires against an exposed HTTP service. Having them here makes it easy to re-run the enumeration against any newly discovered vhosts.
sslscan --show-certificate admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_sslscan.txt"
nmap -vv --reason -Pn -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_nmap.txt" -oX "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/xml/admin_http_nmap.xml" admin.cronos.htb
curl -sSik http://admin.cronos.htb:80/ -m 10 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_index.html"
curl -sSik http://admin.cronos.htb:80/robots.txt -m 10 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_robots.txt"
if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png http://admin.cronos.htb:80/ /home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_screenshot.png; fi
whatweb --no-errors -a 3 -v http://admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_whatweb.txt"
nikto -ask=no -h http://admin.cronos.htb:80 2>&1 | tee "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_nikto.txt"
gobuster dir -u http://admin.cronos.htb:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "/home/borari/cybersecurity/htb/boxes/10.10.10.13-cronos/scans/admin_http_gobuster.txt"