When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers.
- Web Application – WordPress, CMS, Drupal, etc.
- Web Technologies – Node.js, PHP, Java, etc.
- Web Server – Apache, IIS, Nginx, etc.
- Database – MySQL, MariaDB, PostgreSQL, etc.
- OS – Ubuntu Linux, Windows Server, etc.
Pulling out internal/external links from source code.
curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
Strip out the HTML code from source-code of webpage.
curl <address> -s -L | html2text -width '99' | uniq
Check for contents of robots.txt.
curl <address>/robots.txt -s | html2text
To perform a scan.
sudo nikto -host=http://<address>
First, lets start with an initial scan on the address using a default wordlist. We’ll have it return results for most response codes.
For invalid HTTPS certificates, you can include
-k to any of these commands to bypass cert checks.
gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e
We can also leverage the following wordlist to look for CGI URLs.
gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e
Note: If you start getting spammed with a particular response code, you can remove that from the
This is a tool you can get from Github. It provides much of the same functionality as Gobuster.
The following syntax will run the tool to enumerate php and html files. It will exclude responses w/ code 400, 401, and 403.
python3 dirsearch.py -u http://url.tld -e php,html -x 400,401,403
Subdomain Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/
Valid User Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/07/bruteforcing-usernames-w-wfuzz/
Once you feel you’ve enumerated everything, just check your work against this list to make sure you’re not missing anything.
- Did you brute force directories?
- Did your brute force search recursively?
- Did your brute force include file extensions?
- Is your brute force case-sensitive?
- Did you enumerate the hostname of the box and updated your /etc/hosts file to include it?
- Did you enumerate subdomains?
- Did you brute force directories when browsing to it via hostname?
- Did you review every webpage on the box for clues?
- Did you review the source code?
- Are there usernames hidden anywhere?
- Are there specific version details provided?
- Did you check for vulnerable technologies?
- If you’re able to enumerate version information, did you searchsploit and/or research for public exploits?
- What about for PHP or ASP?
- What about for WordPress or Drupal?
- What about for Apache or IIS?
- Can you use a specific tool like WPSCAN to enumerate further?
- Did you find a login page?
- Can you enumerate multiple users on it?
- Can you brute-force it?
- Can you perform an injection attack (SQL, XSS, etc.)?
- If there is HTTPS on the page, did you check the certificate for details?
- Does the cert contain specific email addresses?
- Does the cert contain information about a hostname of the box?
- Is the cert valid on other domain-names?
- Are there other ports running HTTP or HTTPS that you need to repeat all of this on?