When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers.
- Web Application – WordPress, CMS, Drupal, etc.
- Web Technologies – Node.js, PHP, Java, etc.
- Web Server – Apache, IIS, Nginx, etc.
- Database – MySQL, MariaDB, PostgreSQL, etc.
- OS – Ubuntu Linux, Windows Server, etc.
Pulling out internal/external links from source code.
curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
To view just HTTP Links:
curl -s <address> | grep -Eo '(href|src)=".*"' | sed -r 's/(href|src)=//g' | tr -d '"' | sort
Strip out the HTML code from source-code of webpage.
curl <address> -s -L | html2text -width '99' | uniq
Check for contents of robots.txt.
curl <address>/robots.txt -s | html2text
To perform a scan.
sudo nikto -host=http://<address>/
First, lets start with an initial scan on the address using a default wordlist. We’ll have it return results for most response codes.
For invalid HTTPS certificates, you can include
-k to any of these commands to bypass cert checks.
gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -x txt,php,html
After common finishes, I like to use the following to dig deeper.
gobuster dir -u http://<address>/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -s '200,204,301,302,307,403,500' -e -x txt,html,php,asp
We can also leverage the following wordlist to look for CGI URLs.
gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e
Note: If you start getting spammed with a particular response code, you can remove that from the
If you find a cgi-bin directory, you may want to consider scanning it for .sh files. If one is found, see if you the machine is vulnerable to shellshock. There is an nmap script that can identify the vulnerability, but it isn’t always reliable. May be beneficial to run it through a tool like Burp to look at the requests.
This is a tool you can get from Github. It provides much of the same functionality as Gobuster.
The following syntax will run the tool to enumerate php and html files. It will exclude responses w/ code 400, 401, and 403.
python3 dirsearch.py -u http://url.tld -e php,html -x 400,401,403
Subdomain Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/
Valid User Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/07/bruteforcing-usernames-w-wfuzz/
Enumerating valid parameters in URLs. You can run the following command to try and brute-force valid parameter names.
wfuzz -u http://<address>/?FUZZ=index -w /usr/share/seclists/Discovery/Web-Content/common.txt
Once you feel you’ve enumerated everything, just check your work against this list to make sure you’re not missing anything.
- Did you brute force directories?
- Did your brute force search recursively?
- Did your brute force include file extensions?
- Is your brute force case-sensitive?
- Did you enumerate the hostname of the box and updated your /etc/hosts file to include it?
- Did you enumerate subdomains?
- Did you brute force directories when browsing to it via hostname?
- Did you review every webpage on the box for clues?
- Did you review the source code?
- Are there usernames hidden anywhere?
- Are there specific version details provided?
- Did you check for vulnerable technologies?
- If you’re able to enumerate version information, did you searchsploit and/or research for public exploits?
- What about for PHP or ASP?
- What about for WordPress or Drupal?
- What about for Apache or IIS?
- Can you use a specific tool like WPSCAN to enumerate further?
- Did you find a login page?
- Can you enumerate multiple users on it?
- Can you brute-force it?
- Can you perform an injection attack (SQL, XSS, etc.)?
- If there is HTTPS on the page, did you check the certificate for details?
- Does the cert contain specific email addresses?
- Does the cert contain information about a hostname of the box?
- Is the cert valid on other domain-names?
- Are there other ports running HTTP or HTTPS that you need to repeat all of this on?