When enumerating a web target, we want to identify the software and versions filling each of the following roles. This document is a guide to hunting down those answers.
- Web Application – WordPress, CMS, Drupal, etc.
- Web Technologies – Node.js, PHP, Java, etc.
- Web Server – Apache, IIS, Nginx, etc.
- Database – MySQL, MariaDB, PostgreSQL, etc.
- OS – Ubuntu Linux, Windows Server, etc.
Pull the internal and external links out of the page source (-L follows redirects, -s silences the progress output).
curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
Strip the HTML tags from the page source to read its text content, collapsing repeated lines.
curl <address> -s -L | html2text -width '99' | uniq
Check the contents of robots.txt; disallowed paths often point at areas the site owner did not want indexed.
curl <address>/robots.txt -s | html2text
To perform a Nikto scan of the host.
sudo nikto -host=http://<address>
First, let's start with an initial scan of the address using a default wordlist, returning results for most response codes. For invalid HTTPS certificates, you can add -k to any of these commands to skip certificate checks. Note that gobuster 3.1 and later refuse to run when -s is combined with the default 404 blacklist; add -b '' to clear the blacklist in that case.
gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e
We can also use the dirb vulns wordlist to look for known CGI paths.
gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e
Note: If you start getting spammed with a particular response code, you can remove that from the
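The scans above generate a burst of requests from one source, most of which the server answers with 404; gobuster's -s list hides those from the operator, but every one of them lands in the web server's access log. The following is an added example, not part of the original notes, that flags that pattern in combined-format access logs. The log lines, the scanner user-agent watch-list and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx combined log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Hypothetical watch-list: default user-agent substrings of common scanners.
SCANNER_UA = ("gobuster", "nikto")

# Constructed sample: a directory brute-force burst plus a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 1532 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
192.0.2.10 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:12:00:09 +0000] "GET /login HTTP/1.1" 200 1532 "http://example.test/" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_scanners(lines, min_requests=5, min_404_ratio=0.6, window_s=60):
    """Return {ip: [reasons]} for sources that look like directory brute-forcing."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        uas = {r["ua"] for r in recs if any(s in r["ua"].lower() for s in SCANNER_UA)}
        if uas:
            reasons.append("scanner user-agent: " + ", ".join(sorted(uas)))
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        not_found = sum(1 for r in recs if r["status"] == "404")
        paths = {r["path"] for r in recs}
        # Many distinct paths, mostly 404, inside a short window = wordlist scan.
        if len(recs) >= min_requests and span <= window_s and not_found / len(recs) >= min_404_ratio:
            reasons.append(f"{len(paths)} distinct paths, {not_found}/{len(recs)} 404s in {span:.0f}s")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, why in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(why))
```

The user-agent check is the weakest signal, since any scanner can set its own (gobuster's -a flag), so the rate-and-404 heuristic is the one worth alerting on.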