Pentesting, Tips & Tricks

Enumerating HTTP Ports (80, 443, 8080, etc.)

When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers.

  • Web Application – WordPress, CMS, Drupal, etc.
  • Web Technologies – Node.js, PHP, Java, etc.
  • Web Server – Apache, IIS, Nginx, etc.
  • Database – MySQL, MariaDB, PostgreSQL, etc.
  • OS – Ubuntu Linux, Windows Server, etc.

Using Curl

Pulling out internal/external links from source code.

curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

Strip out the HTML code from source-code of webpage.

curl <address> -s -L | html2text -width '99' | uniq

Check for contents of robots.txt.

curl <address>/robots.txt -s | html2text

Using Nikto

To perform a scan.

sudo nikto -host=http://<address>

Using Gobuster

First, lets start with an initial scan on the address using a default wordlist. We’ll have it return results for most response codes.

For invalid HTTPS certificates, you can include -k to any of these commands to bypass cert checks.

gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e

We can also leverage the following wordlist to look for CGI URLs.

gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e

Note: If you start getting spammed with a particular response code, you can remove that from the -s flag.

Using Dirsearch

This is a tool you can get from Github. It provides much of the same functionality as Gobuster.

The following syntax will run the tool to enumerate php and html files. It will exclude responses w/ code 400, 401, and 403.

python3 -u http://url.tld -e php,html -x 400,401,403

Using WFuzz

Subdomain Enumeration. Check out the post I made on this topic over at

Valid User Enumeration. Check out the post I made on this topic over at

Enumeration Checklist

Once you feel you’ve enumerated everything, just check your work against this list to make sure you’re not missing anything.

  • Did you brute force directories?
    • Did your brute force search recursively?
    • Did your brute force include file extensions?
    • Is your brute force case-sensitive?

  • Did you enumerate the hostname of the box and updated your /etc/hosts file to include it?
    • Did you enumerate subdomains?
    • Did you brute force directories when browsing to it via hostname?

  • Did you review every webpage on the box for clues?
    • Did you review the source code?
    • Are there usernames hidden anywhere?
    • Are there specific version details provided?

  • Did you check for vulnerable technologies?
    • If you’re able to enumerate version information, did you searchsploit and/or research for public exploits?
    • What about for PHP or ASP?
    • What about for WordPress or Drupal?
    • What about for Apache or IIS?
    • Can you use a specific tool like WPSCAN to enumerate further?

  • Did you find a login page?
    • Can you enumerate multiple users on it?
    • Can you brute-force it?
    • Can you perform an injection attack (SQL, XSS, etc.)?
  • If there is HTTPS on the page, did you check the certificate for details?
    • Does the cert contain specific email addresses?
    • Does the cert contain information about a hostname of the box?
    • Is the cert valid on other domain-names?

  • Are there other ports running HTTP or HTTPS that you need to repeat all of this on?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s