Enumeration

Enumeration phase tools. Fuzzing, Discovery, ...

Wordlists

  • Seclists

    • Subdomain enumeration: /Discovery/DNS (subdomain*)

    • Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list*.txt, web-extensions.txt, burp-parameter-names.txt)

    • LFI wordlist: /Fuzzing/LFI

  • Crunch Word list generator

Port mapping

Nmap

Some useful nmap scripts (/usr/share/nmap/scripts/):

Some nmap usages examples:

  • -p 21 --packet-trace -Pn -n --disable-arp-ping to scan port 21 and get detailed information about every packet sent and received

Scan types

Types of ports states

Tool to convert XML (-oX) output to HTML: xsltproc
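When the XML is wanted as data rather than as an HTML report (for an asset inventory, or to diff two scans), a small parser is more useful than xsltproc. The following is an added example, not part of the original notes: it reads nmap's -oX format into a per-host port table and counts ports per state. The XML document embedded in it is a constructed sample in that format, not the output of a real scan, and the element/attribute names used (host, address, port, state, service) are the ones nmap actually writes.

```python
"""Parse nmap -oX output into a per-host port table (added example).

The XML below is a constructed sample in nmap's -oX format, not a real scan.
nmap reports six port states: open, closed, filtered, unfiltered,
open|filtered and closed|filtered; the summary counts whatever it finds.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="161">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per (host, port) with state, reason and service info."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        # Prefer the IPv4 address element; fall back to whatever address exists.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return rows


def state_summary(rows):
    """Count ports per nmap state, e.g. {'open': 2, 'filtered': 1, 'closed': 1}."""
    return dict(Counter(r["state"] for r in rows))


def open_ports(rows, host=None):
    """Sorted open port numbers, optionally limited to one host address."""
    return sorted(r["port"] for r in rows
                  if r["state"] == "open" and (host is None or r["host"] == host))


if __name__ == "__main__":
    table = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in table:
        print(f"{r['host']:<12} {r['proto']}/{r['port']:<5} {r['state']:<9} "
              f"{r['reason']:<12} {r['service']} {r['product']}")
    print("summary:", state_summary(table))
    print("open:", open_ports(table))
```

Run it against a real file with `parse_nmap_xml(open("scan.xml").read())`; the `reason` column (syn-ack, reset, no-response) is what distinguishes the port states and is worth keeping when comparing scans over time.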

Fuzzing

Ffuf

Typical Usage

ffuf -w ./SecLists/example.txt:FUZZ -u http://domain.com/FUZZ

Recursive search

-recursion -recursion-depth 1

File extension

-e .php

Set and/or fuzz headers (example: vhosts)

-H "Host: FUZZ.domain.com"

Filter or Match

-f* (filter out responses)
-m* (match responses)

Example: filter out (remove) every response whose size is 600 bytes

-fs 600

HTTP Verb

-X POST

Data

-d ""

Ignore comments

-ic

Colorize output

-c

Output to file

-o <file_name>
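The flip side of the ffuf options above is what this activity looks like in the target's access log: one client requesting many distinct paths in a short burst, most of them answered with 404 or 403. The following is an added example (not part of the original notes, and not ffuf's own code) that parses Combined Log Format lines and flags clients matching that pattern. The log lines are a constructed sample; the thresholds are assumptions to tune per site; and the User-Agent check relies on ffuf's default User-Agent containing the phrase "Fuzz Faster U Fool", which is trivially changed with -H, so it is treated only as a secondary signal.

```python
"""Flag directory-fuzzing activity in web access logs (added example).

The log lines are a constructed sample in Combined Log Format, not real
traffic. Thresholds (min_requests, min_miss_ratio, window_seconds) are
assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool/2.0.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool/2.0.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /config.php HTTP/1.1" 403 162 "-" "Fuzz Faster U Fool/2.0.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool/2.0.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool/2.0.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /test HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool/2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield d


def find_fuzzers(entries, min_requests=5, min_miss_ratio=0.6, window_seconds=60):
    """Return {ip: stats} for clients whose burst of distinct paths is mostly 404/403.

    A single 404 counter misses the pattern; a fuzzer shows all three of:
    many distinct paths, mostly not-found/forbidden answers, inside a short
    window. A site full of broken links can also produce 404 bursts, hence
    the distinct-path and window checks.
    """
    per_ip = defaultdict(list)
    for e in entries:
        per_ip[e["ip"]].append(e)
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        misses = sum(1 for e in reqs if e["status"] in (404, 403))
        distinct = len({e["path"] for e in reqs})
        ratio = misses / len(reqs)
        if (len(reqs) >= min_requests and distinct >= min_requests
                and ratio >= min_miss_ratio and span <= window_seconds):
            hits[ip] = {
                "requests": len(reqs),
                "distinct_paths": distinct,
                "miss_ratio": round(ratio, 2),
                "seconds": span,
                # Secondary signal only: the default UA is easily overridden with -H.
                "known_tool_ua": any("Fuzz Faster U Fool" in e["ua"] for e in reqs),
            }
    return hits


if __name__ == "__main__":
    for ip, stats in find_fuzzers(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The 200 for /login.php in the sample is the point of the ratio check rather than a pure 404 count: a wordlist run always finds a few real pages, and those hits are exactly what the attacker is after, so the detection must tolerate them.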

PHP config file default locations

X.Y is the PHP version

Nginx: /etc/php/X.Y/fpm/php.ini

Apache: /etc/php/X.Y/apache2/php.ini

SNMP

Simple Network Management Protocol

Can provide information such as process parameters, routing information, versions and services bound to interfaces

snmpwalk is used to query it

  • Example: snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

onesixtyone can brute-force community string names

  • Example with a community-string wordlist (dict.txt): onesixtyone -c dict.txt 10.129.42.254
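What makes snmpwalk with "public" and an onesixtyone wordlist succeed is almost always the agent's configuration: a default or guessable community string, a community accepted from any source address, or write access over v1/v2c. The following is an added example, not part of the original notes and not a net-snmp tool: it audits a net-snmp style snmpd.conf for exactly those weaknesses. The config is a constructed sample; the directive syntax (rocommunity/rwcommunity COMMUNITY [SOURCE [-V VIEW]], com2sec NAME SOURCE COMMUNITY, rouser/rwuser for SNMPv3) is net-snmp's; the weak-string list and length threshold are assumptions.

```python
"""Audit a net-snmp snmpd.conf for the weaknesses that make community-string
guessing succeed (added example; not a net-snmp tool).

The config below is a constructed sample. Directive syntax follows net-snmp:
  rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]   (rwcommunity likewise)
  com2sec SECNAME SOURCE COMMUNITY
  rouser USER [noauth|auth|priv]                   (SNMPv3; rwuser likewise)
"""
import re

# Assumed list of strings commonly shipped as defaults or tried first by wordlists.
WEAK_COMMUNITIES = {"public", "private", "community", "manager", "snmp", "admin"}

SAMPLE_CONF = """\
# constructed snmpd.conf
agentAddress udp:161,udp6:[::1]:161
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity  Kz9!qLm4vR  192.168.10.0/24 -V systemonly
com2sec readonly  default  public
rouser monitor authPriv
"""


def parse_snmpd_conf(text):
    """Return (communities, v3_users); each community dict has name/access/source/line."""
    communities, v3_users = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # A missing SOURCE means "default", i.e. any address.
            has_source = len(parts) > 2 and not parts[2].startswith("-")
            source = parts[2] if has_source else "default"
            communities.append({"name": parts[1], "access": directive[:2],
                                "source": source, "line": raw.strip()})
        elif directive == "com2sec" and len(parts) >= 4:
            # Access level is decided later by group/access lines, so record it as com2sec.
            communities.append({"name": parts[3], "access": "com2sec",
                                "source": parts[2], "line": raw.strip()})
        elif directive in ("rouser", "rwuser") and len(parts) >= 2:
            v3_users.append(parts[1])
    return communities, v3_users


def audit(communities, v3_users, min_length=8):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    for c in communities:
        name = c["name"]
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(("high", f"default/guessable community '{name}' ({c['line']})"))
        elif len(name) < min_length or not re.search(r"[^A-Za-z]", name):
            findings.append(("medium", f"short or dictionary-like community '{name}'"))
        if c["source"] in ("default", "0.0.0.0/0", "::/0"):
            findings.append(("high", f"community '{name}' is accepted from any source address"))
        if c["access"] == "rw":
            findings.append(("high", f"write access over v1/v2c with community '{name}'"))
    if communities and not v3_users:
        findings.append(("info", "no SNMPv3 users defined; only v1/v2c communities in use"))
    return findings


if __name__ == "__main__":
    comms, users = parse_snmpd_conf(SAMPLE_CONF)
    for severity, msg in audit(comms, users):
        print(f"[{severity}] {msg}")
```

In the sample only the third line (a random string, restricted to one subnet and to a view) passes; the fix for the others is the same shape: replace the string, add a SOURCE network, drop rwcommunity, and move management to SNMPv3 (rouser with authPriv) so there is no community string to guess at all.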

Gobuster

DNS, vhost, and directory brute-forcing

Directory mode

gobuster dir option

DNS mode

FTP

If the FTP service supports TLS (explicit FTPS via STARTTLS), we can use openssl to connect:

openssl s_client -connect 10.129.14.136:21 -starttls ftp

Custom Wordlist Generation (CeWL)

Others

  • Web server banner: found in the response headers; curl -IL shows them (following redirects)

  • WhatWeb: handy tool with a lot of functionality for automating web application enumeration
