search

Information Gathering

Basic reconnaissance techniques which can help in exploiting the application.

hashtag
Subdomain Enumeration

sudo wfuzz -c -f output-subdomains.txt -Z -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --sc 200,202,204,301,302,307,403 http://FUZZ.example.com
gobuster vhost -u http://board.htb -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain

hashtag
Folder Enumeration

circle-info

Always scan for folders and files seperately, besides that enumerate every folder in this way which will come up during the enumeration process. You can also add other lists.

Feroxbuster (recursive)

feroxbuster --url http://<IP>:<PORT> -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u IP
also run with -f flag after finishing

hashtag
File Enumeration

gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u IP

Use -x to search for files with given extensions

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -x php,txt,conf

hashtag
Git file

Get the git file

Check status

Get commit history

See commit info

hashtag
Robots.txt and Sitemap.xml

Search for robots.txt and sitemap.xml file on the server. It can contain valuable information.

hashtag
Software Versions

Use Wappalyzer addon in order to identify vulnerable components.

hashtag
Sources

Page source can contain credentials, secrets or hidden pages. Component naming can reveal underlying software which application was build on.

Also it is worth looking into .js and .css files in debbuger.

hashtag
Headers

Sometimes you can find sensitive information exposure in headers. Check it using Network tab in Debbuger or using Burp Suite.

hashtag
Cookies

You can analyze cookies with Cookie Editor addon. In there you can try injections.

hashtag
Exiftool

When you will find .pdf, .jpg or other files you can retreive some data using exiftool.

hashtag
Webdav

If application uses webdav you can analyze it with davtest tool.

hashtag
Public exploits

The most common public exploits databases:

PreviousUsername / Password attacksNextExploit Searching

Last updated