Web Recon

Gotta love the internet

Fuzz for backdoors and params

wfuzz -u 'http://example.com/index.php?FUZZ=ls' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: somecookie"

Find & Enum

After port scanning and finding web servers.

Brute force directories

Using ffuf

ffuf -u http://<victim-ip>:<port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -fc 404,400 -of ecsv -o ffufed

HTTP Basic Authorization Header Brute Force

Basic authorization is..basic. A username and a password separated by a colon is then encoded in Base64. The screenshot below demonstrate the credentials admin:admin being sent through the Authorization header of an HTTP request.

hydra -l admin -P passwordlist -s <port> -f example.com http-get /api/v1/users -vV -t 64

ProTip: You can/should always test first by using a set of valid credentials and check if it returns it valid.

hydra -l known_user -p known_password -s <port> -f example.com http-get /api/v1/users -vV

HTTP Post form Brute Force

Most of the time, authentication is made via a form posted to the web server. You can try to brute force it but watch out for CSRF. Try sending the same request twice using burp.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 31111 -f example.com http-post-f

PreviousPorts & services scanning NextCMS

Last updated 2 years ago