Enumeration
Enumeration phase tools. Fuzzing, Discovery, ...
Wordlists
Subdomain enumeration: /Discovery/DNS (subdomain*)
Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list*.txt, web-extensions.txt, burp-parameter-names.txt)
LFI wordlist: /Fuzzing/LFI
Crunch: wordlist generator
Port mapping
Nmap
Some useful nmap scripts (found under /usr/share/nmap/scripts/):
smb-os-discovery.nse (usually run against -p 445)
http-enum (example: run against -p 80)
Some nmap usage examples:
-p 21 --packet-trace -Pn -n --disable-arp-ping
scans port 21 only, skips host discovery (-Pn), DNS resolution (-n) and ARP ping, and prints every packet sent and received (--packet-trace) so the full exchange behind the answer is visible
Scan types
Types of ports states
XML output (-oX) can be converted to an HTML report with xsltproc
Fuzzing
Ffuf
Typical Usage
Recursive search
File extension
Setting and/or fuzz headers (example: VHosts)
Filter or Match
Example: filter out (remove) every response whose size is exactly 600 bytes
HTTP Verb
Data
Ignore comments
Colorize output
Output to file
PHP config file default locations (X.Y is the PHP version)
Nginx: /etc/php/X.Y/fpm/php.ini
Apache: /etc/php/X.Y/apache2/php.ini
SNMP
Simple Network Management Protocol
Can provide information such as process parameters, routing information, versions and services bound to interfaces
snmpwalk is used to interact with it
Example:
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0
onesixtyone can brute-force the community string names
Example with included bruteforce file:
onesixtyone -c dict.txt 10.129.42.254
Gobuster
DNS, vhost, and directory brute-forcing
Directory mode: gobuster dir
DNS mode
FTP
If it has SSL we can use openssl to connect:
Custom Wordlist Generation (CeWL)
Others
Webserver banner: found in the response headers, e.g. with curl -IL
Whatweb: handy tool with plenty of functionality to automate web application enumeration