Pentesting, Tips & Tricks

Enumerating HTTP Ports (80, 443, 8080, etc.)


When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers.

  • Web Application – WordPress, CMS, Drupal, etc.
  • Web Technologies – Node.js, PHP, Java, etc.
  • Web Server – Apache, IIS, Nginx, etc.
  • Database – MySQL, MariaDB, PostgreSQL, etc.
  • OS – Ubuntu Linux, Windows Server, etc.

Using Curl

Pulling out internal/external links from source code.

curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

Strip out the HTML code from source-code of webpage.

curl <address> -s -L | html2text -width '99' | uniq

Check for contents of robots.txt.

curl <address>/robots.txt -s | html2text


Using Nikto

To perform a scan.

sudo nikto -host=http://<address>


Using Gobuster

First, lets start with an initial scan on the address using a default wordlist. We’ll have it return results for most response codes.

For invalid HTTPS certificates, you can include -k to any of these commands to bypass cert checks.

gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e

We can also leverage the following wordlist to look for CGI URLs.

gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e

Note: If you start getting spammed with a particular response code, you can remove that from the -s flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s