Information Gathering
Basic reconnaissance techniques that can help in exploiting the application.
Subdomain Enumeration
sudo wfuzz -c -f output-subdomains.txt -Z -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --sc 200,202,204,301,302,307,403 http://FUZZ.example.com
gobuster vhost -u http://board.htb -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain
Folder Enumeration
Feroxbuster (recursive)
feroxbuster --url http://<IP>:<PORT> -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt
Gobuster
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u IP
Also run with the -f flag (append a trailing slash to each request) after the first run finishes.
File Enumeration
gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u IP
Use -x to search for files with the given extensions:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -x php,txt,conf
Git file
Get the git file
git-dumper <URL> <DIR>
Check status
git status
Get commit history
git log
See commit info
git show <commit hash>, e.g. git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
Robots.txt and Sitemap.xml
Search for the robots.txt and sitemap.xml files on the server. They can contain valuable information.
Software Versions
Use the Wappalyzer addon to identify the software stack and potentially vulnerable components.
Sources
The page source can contain credentials, secrets or links to hidden pages. Component names can reveal the underlying software the application was built on.
It is also worth looking into the .js and .css files in the browser debugger.
Headers
Sometimes response headers expose sensitive information. Check them using the Network tab in the browser debugger or with Burp Suite.
Cookies
You can analyze cookies with the Cookie Editor addon, and try injections there.
Exiftool
When you find .pdf, .jpg or other files, you can retrieve metadata from them using exiftool.
exiftool file.pdf
WebDAV
If the application uses WebDAV, you can analyze it with the davtest tool.
davtest -url http://10.129.83.212
Public exploits
The most common public exploits databases: