80, 443

Checklist

    View SSL certificates for usernames
    View Source code
    Check /robots.txt, .htaccess, .htpasswd
    Check HTTP Request
    Run Burp Spider
    View Console
    Use Nikto
    Check OPTIONS
    HTTP PUT / POST File upload
    Parameter fuzzing with wfuzz
    Browser response vs Burp response
    Shell shock (cgi-bin/status)
    Cewl wordlist and directory bruteforce
    nmap --script http-enum 192.168.10.55
    Apache version exploit & other base server exploits
    Port 443 :
    IIS :
    Apache :

Directory Enumeration

Apache : extensions to pass to -x -> php, asp, txt, xml, bak
IIS : extensions to pass to -x -> asp, aspx, txt, ini, tmp, bak, old
Gobuster quick directory busting
    gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -u http://
Gobuster search with file extension
    gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -x txt,php,csv,md,json,js,html,py,sh -u http://url
    gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,csv,md,json,js,html,py,sh -t 100 -u http://url
    gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 100 -x txt,php,csv,md,json,js,html,py,sh -u http://url
Gobuster comprehensive directory busting
    gobuster dir -s 200,204,301,302,307,403 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -x txt,php,csv,md,json,js,html,py,sh -u http://url
    -s (status codes to report; only in older gobuster releases, newer ones use a -b blacklist instead)
    gobuster dir -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,csv,md,json,js,html,py,sh -k -u http://10.10.10.x
    -k (ignore ssl verification)
    -x specific extension
    Dirbuster
    Change wordlists (Wfuzz, dirb)
    Custom directory enumeration (HTB Obscurity)
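The flip side of the gobuster runs above is what they look like in the target's access log. The script below is an added example (not from the original notes) that parses Apache/nginx combined-format lines and flags clients that rack up many 403/404 responses in a short window or announce themselves with a scanner User-Agent. The log lines are constructed for the example, and the scanner User-Agent tokens and the 10-misses-per-60-seconds threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Standard "combined" log format (Apache/nginx); regex is this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed default User-Agent substrings of common wordlist scanners (lower-case).
SCANNER_UA_TOKENS = ("gobuster", "dirbuster", "wfuzz", "nikto", "dirb")

# Constructed sample log: one normal visitor (10.0.0.5) and one client
# (203.0.113.9) walking a wordlist with the default gobuster User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2023:10:00:05 +0000] "GET /.git/ HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:05 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:05 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:06 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:06 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:06 +0000] "GET /dev HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:07 +0000] "GET /images HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:07 +0000] "GET /login.php HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:07 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:08 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:08 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:09 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
203.0.113.9 - - [12/Mar/2023:10:00:09 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
"""


def find_bruteforce(log_text, window_s=60, threshold=10):
    """Return {ip: finding} for clients that look like directory brute-forcers.

    A client is flagged when it produced >= `threshold` 403/404 responses
    inside any `window_s`-second sliding window, or when its User-Agent
    contains one of SCANNER_UA_TOKENS.
    """
    misses = defaultdict(list)      # ip -> [(timestamp, path), ...]
    scanner_uas = defaultdict(set)  # ip -> {user-agent strings seen}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip = m["ip"]
        if m["status"] in ("403", "404"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[ip].append((ts, m["path"]))
        ua = m["ua"]
        if any(tok in ua.lower() for tok in SCANNER_UA_TOKENS):
            scanner_uas[ip].add(ua)

    findings = {}
    for ip in set(misses) | set(scanner_uas):
        evs = sorted(misses.get(ip, []))
        peak, start = 0, 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold or ip in scanner_uas:
            findings[ip] = {
                "max_misses_in_window": peak,
                "distinct_paths": len({p for _, p in evs}),
                "scanner_ua": sorted(scanner_uas.get(ip, ())),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Rate-based detection catches a scanner even after the User-Agent is changed with gobuster's -a flag; the UA check alone only catches tools run with defaults. A tester who wants to check their own footprint can run the same script against the engagement's access log export.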
Parameter Fuzzing
WFUZZ
    --hc  hide responses with these status codes (e.g. --hc 404)
    --hw  hide responses with this word count
    --hh  hide responses with this character (body length) count
    --hl  hide responses with this line count
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://192.168.0.119/index.php?FUZZ=id
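To see why --hc/--hw/--hh/--hl are picked the way they are, the added example below (not from the original notes or from the wfuzz project) reproduces how wfuzz counts lines, words and chars of a response body and applies the hide filters to a set of constructed responses. The workflow it shows is the usual one: read the counts of a known-uninteresting response, then hide everything that matches them so only differing responses remain.

```python
# Constructed sample responses as (payload, status, body); not real server output.
# "id" and "page" return the same generic page, "file" returns different content.
SAMPLE_RESPONSES = [
    ("id", 200, "<html><body>\n<p>Unknown parameter</p>\n</body></html>\n"),
    ("page", 200, "<html><body>\n<p>Unknown parameter</p>\n</body></html>\n"),
    ("file", 200, "<html><body>\n<p>Report for 2023-Q1</p>\n"
                  "<table><tr><td>42</td></tr></table>\n</body></html>\n"),
    ("debug", 500, "Internal Server Error\n"),
    ("missing", 404, "Not Found\n"),
]


def wfuzz_metrics(body):
    """Counts in the sense wfuzz reports them: lines = newline count,
    words = whitespace-separated tokens, chars = body length."""
    return {"lines": body.count("\n"), "words": len(body.split()), "chars": len(body)}


def filters_from_baseline(responses, payload):
    """Read the hw/hh/hl values off a known-uninteresting response, the way a
    tester copies the numbers wfuzz prints for a random parameter name."""
    for p, _status, body in responses:
        if p == payload:
            m = wfuzz_metrics(body)
            return {"hw": m["words"], "hh": m["chars"], "hl": m["lines"]}
    raise KeyError(payload)


def apply_filters(responses, hc=(), hw=(), hh=(), hl=()):
    """Drop responses matching any hide filter; return (payload, status, metrics)
    for the rest. Each filter is a collection of values, like repeated CLI flags."""
    kept = []
    for payload, status, body in responses:
        m = wfuzz_metrics(body)
        if (status in hc or m["words"] in hw
                or m["chars"] in hh or m["lines"] in hl):
            continue
        kept.append((payload, status, m))
    return kept


if __name__ == "__main__":
    base = filters_from_baseline(SAMPLE_RESPONSES, "id")
    print("baseline:", base)  # equivalent of --hw 4 --hh 53 --hl 3
    for payload, status, m in apply_filters(SAMPLE_RESPONSES, hc={404}, hw={base["hw"]}):
        print(f"{status}  L:{m['lines']}  W:{m['words']}  Ch:{m['chars']}  {payload}")
```

Hiding on word count is usually the most robust single filter: a page that embeds the payload or a timestamp changes its char count on every request, but its word count stays fixed, which is why the command above uses --hw rather than --hh.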

Wordpress

Wpscan
    wpscan --url http://10.10.10.10 -e u,vp  # enumerate users & vulnerable plugins
    wpscan --url 10.10.10 --passwords rockyou.txt --usernames elliot
Metasploit
    use auxiliary/scanner/http/wordpress_login_enum
Custom script
    python wp_brute.py -t http://10.10 -u usernames.txt