TurboWindX
  • Welcome
  • Hacking Methodologies
    • Known Tools & Technologies
    • Kill Chain
    • Phyisical and hardware
      • Full Screen Escape
  • Checklist - WebApps
  • Checklist - Windows
  • External Recon
    • Ports & services scanning
    • Web Recon
      • CMS
        • Wordpress
      • Path traversal & LFI/RFI
      • XSS - Cross site scripting
      • XML External Entity - XXE
  • Internal Recon
    • Active Directory
  • Post Exploitation
    • Container/Sandbox Breakout
    • Privilege Escalation
      • Hashing & Cracking
    • Persistence
      • Windows
    • Data Exfiltration
      • Steganography
      • Pivot & Tunneling
  • Shells
  • Protocols
    • FTP
    • SSH
    • DNS
    • IPP
  • Binary Exploitation
    • Linux - Simple reverse & crack
  • Memory Analysis
  • Forensics
  • Android & iOS
  • Database Injection & Exploitation
  • DDoS
  • Kubernetes & Docker
  • Phish
Powered by GitBook
On this page
  • Fuzz for backdoors and params
  • Find & Enum
  • Brute force directories
  • Login & Authentication brute force
  • HTTP Basic Authorization Header Brute Force
  • HTTP Post form Brute Force

Was this helpful?

  1. External Recon

Web Recon

Gotta love the internet

PreviousPorts & services scanningNextCMS

Last updated 3 years ago

Was this helpful?

Fuzz for backdoors and params

wfuzz -u 'http://example.com/index.php?FUZZ=ls' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: somecookie"

Find & Enum

After and finding web servers.

Brute force directories

Using ffuf

ffuf -u http://<victim-ip>:<port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -fc 404,400 -of ecsv -o ffufed

Login & Authentication brute force

HTTP Basic Authorization Header Brute Force

Basic authorization is..basic. A username and a password separated by a colon is then encoded in Base64. The screenshot below demonstrate the credentials admin:admin being sent through the Authorization header of an HTTP request.

hydra -l admin -P passwordlist -s <port> -f example.com http-get /api/v1/users -vV -t 64 

ProTip: You can/should always test first by using a set of valid credentials and check if it returns it valid.

hydra -l known_user -p known_password -s <port> -f example.com http-get /api/v1/users -vV 

HTTP Post form Brute Force

Most of the time, authentication is made via a form posted to the web server. You can try to brute force it but watch out for CSRF. Try sending the same request twice using burp.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 31111 -f example.com http-post-f
port scanning