Web Application Tools
Note that sometimes one directory brute-forcer finds things another misses. If one is failing you, it is worth running the others as well.
Files of Interest
- Configuration files such as .ini, .config, and .conf files.
- Application source code files such as .php, .aspx, .jsp, and .py files.
- Log files such as .log, .txt, and .xml files.
- Backup files such as .bak, .zip, and .tar.gz files.
- Database files such as .mdb, .sqlite, .db, and .sql files.
8.2.1 Fingerprinting with nmap
Basic Scan
sudo nmap -p 80 -sV 192.168.50.1
Basic HTTP scan
sudo nmap -p 80 --script=http-enum -sV 192.168.50.1
8.2.2 Feroxbuster
Run this first: it is likely to catch most things, and its recursion support is very useful.
feroxbuster -u http://192.168.168.125 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x "txt,html,php,asp,aspx,jsp,zip" -v -k -n -e
feroxbuster -u http://192.168.168.125 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x "txt,html,php,asp,aspx,jsp,zip" -v -k -n -e
If we don't want to see 404 (not found) responses, filter them with -C
feroxbuster -u http://192.168.138.249:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -C 404
If the website redirects, also filter the 302 responses
feroxbuster -u http://192.168.138.249:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -C 404,302
8.2.3 Directory bruteforce with Dirb
Sometimes dirb will catch something that feroxbuster won't.
dirb http://192.168.50.20 /usr/share/wordlists/dirb/common.txt
dirb http://192.168.50.16:5002 /usr/share/wordlists/dirb/big.txt
dirb http://172.16.123.7 SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
8.2.4 Directory bruteforce with Gobuster
Worth using, especially for enumerating directories that feroxbuster found recursively.
gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5
gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
gobuster dir -u http://172.16.123.7/wordpress -w SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
Filter by status code (-s shows only the listed codes; -b hides the listed codes instead)
gobuster dir -u https://192.168.138.157:20000 -w /path/to/wordlist -k -s "200"
Exclude a response length (useful for dropping a catch-all page that always returns the same size)
gobuster dir -u https://192.168.138.157:20000 -w /path/to/wordlist -k --exclude-length 4867
Add file extensions with -x
gobuster dir -u http://10.11.1.71:80/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,htm
8.2.5 Dirsearch
dirsearch -u 192.168.248.213
8.2.6 FFUF
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://$IP/FUZZ
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://$IP/FUZZ
Subdomain enumeration (FUZZ is substituted into the hostname)
ffuf -w SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://FUZZ.onlyrands.com
Parameter Fuzzing
https://medium.com/@atrophy0141/ffuf-parameter-fuzzing-identify-hidden-vulnerabilities-in-penetration-testing-c6054c38aff3
ffuf -w ~/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://target/script.php?FUZZ=test_value -fs 4242
Git Enumeration
If you happen to find an exposed .git directory while dirbusting, you can attempt to download it, enumerate it and extract its content (if needed)
mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git <DESTINATION_FOLDER>
Extract git content
mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>
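The flip side of the "Files of Interest" list and the .git section above is spotting this activity on your own server. The following is an added example (not from the original notes): it parses constructed combined-format access log lines, flags a client as a directory brute-forcer when most of its requests miss, and records any 2xx on a backup, config, database or .git path, since that is the hit that matters. The log lines, IPs and thresholds are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format), not real traffic:
# 10.0.0.5 browses normally, 10.0.0.9 walks a wordlist and finds .git exposed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /config.ini HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /db.sql HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php.bak HTTP/1.1" 403 199 "-" "feroxbuster/2.10.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

# Config, backup and database extensions from the "Files of Interest" list, plus .git.
# Source-code, .txt and .xml extensions are left out: they are normally served and would be noise.
SENSITIVE_RE = re.compile(
    r'(\.(ini|config|conf|log|bak|zip|tar\.gz|mdb|sqlite|db|sql)$|^/\.git(/|$))', re.IGNORECASE)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(log_text, min_requests=5, miss_ratio=0.6):
    """Per-IP summary: total requests, 404/403 misses, sensitive paths that
    returned 2xx, and a scanner verdict (>= min_requests with >= miss_ratio misses)."""
    stats = defaultdict(lambda: {"total": 0, "misses": 0, "exposed": []})
    for r in parse(log_text):
        s = stats[r["ip"]]
        s["total"] += 1
        if r["status"] in ("404", "403"):
            s["misses"] += 1
        # A 2xx on a sensitive path means the brute-forcer found something real.
        if r["status"].startswith("2") and SENSITIVE_RE.search(r["path"]):
            s["exposed"].append(r["path"])
    for s in stats.values():
        s["scanner"] = s["total"] >= min_requests and s["misses"] / s["total"] >= miss_ratio
    return dict(stats)
```

Tune min_requests and miss_ratio to your traffic; the "exposed" list is the part worth alerting on regardless of the scanner verdict.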