Directory Enumeration
gobuster dir -u http://10.129.42.190/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt
mstrkoffee@htb[/htb]$ sudo apt install seclists -y
Next, add a DNS server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company.
Web Enumeration
mstrkoffee@htb[/htb]$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
Banner Grabbing HTTP
curl -IL https://www.inlanefreight.com
Whatweb
wafw00f -v https://www.tesla.com
Virtual Hosts
Resource/Command | Description |
---|---|
curl -s http://192.168.10.10 -H "Host: randomtarget.com" | Changing the HOST HTTP header to request a specific domain. |
cat ./vhosts.list \| while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" \| grep "Content-Length: ";done | Bruteforcing for possible virtual hosts on the target domain. |
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612 | Bruteforcing for possible virtual hosts on the target domain using ffuf. |
Crawling
Resource/Command | Description |
---|---|
ZAP | https://www.zaproxy.org/ |
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt | Discovering files and folders that cannot be spotted by browsing the website. |
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS | Mutated bruteforcing against the target web server. |
FFuF
We can use ffuf to discover files and folders that we cannot spot by simply browsing the website. All we need to do is launch ffuf with a list of folder names and instruct it to look recursively through them.
Crawling
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
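
The same recursive run seen from the web server's side, as an added example that is not part of the original page: it flags clients in an access log whose requests are mostly 404s spread over many distinct paths, and lists the paths that did resolve for them. The log lines, client IPs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def detect_enumeration(lines, min_paths=5, min_404_ratio=0.7):
    """Return {ip: summary} for clients whose traffic looks like wordlist fuzzing."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0,
                                 "paths": set(), "hits": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, _method, path, status = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path)
        if status == "404":
            s["not_found"] += 1
        elif status[0] in "23":
            s["hits"].add(path)  # content or redirect the client found
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        # Many distinct paths, mostly misses: typical of a wordlist run.
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"],
                           "ratio_404": round(ratio, 2),
                           "discovered": sorted(s["hits"])}
    return flagged

def _line(ip, path, status):
    # Constructed sample log line, not taken from a real server.
    return (f'{ip} - - [10/Oct/2024:13:55:36 +0000] '
            f'"GET {path} HTTP/1.1" {status} 612 "-" "-"')

# Constructed traffic: one client walking a wordlist one level deep, one normal visitor.
SAMPLE = [_line("192.168.10.50", p, s) for p, s in [
    ("/admin", 301), ("/backup", 404), ("/old", 404), ("/test", 404),
    ("/tmp", 404), ("/admin/config", 404), ("/admin/db", 404),
    ("/admin/login", 200), ("/admin/logs", 404), ("/admin/private", 404)]]
SAMPLE += [_line("192.168.10.20", p, s) for p, s in [
    ("/", 200), ("/index.html", 200), ("/favicon.ico", 404)]]

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE).items():
        print(ip, info)
```

The `discovered` list is the part worth reviewing first: it shows which paths the fuzzing client actually reached.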