# 80,443 - Pentesting Web Methodology
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
If you are interested in a **hacking career** and hacking the unhackable - **we are hiring!** (_fluent Polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %}
## Basic Info
The web service is the most **common and extensive service**, and a lot of **different types of vulnerabilities** exist in it.
**Default port:** 80 (HTTP), 443 (HTTPS)
```bash
PORT STATE SERVICE
80/tcp open http
443/tcp open ssl/https
```
```bash
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
```
### Web API Guidance
{% content-ref url="web-api-pentesting.md" %}
[web-api-pentesting.md](web-api-pentesting.md)
{% endcontent-ref %}
## Methodology summary
> In this methodology we are going to suppose that you are going to attack a domain (or subdomain) and only that. So, you should apply this methodology to each discovered domain, subdomain or IP with an undetermined web server inside the scope.
* [ ] Start by **identifying** the **technologies** used by the **web server**. If you can successfully identify the tech, look for **tricks** to keep in mind during the rest of the test.
* [ ] Any **known vulnerability** of the version of the technology?
* [ ] Using any **well known tech**? Any **useful trick** to extract more information?
* [ ] Any **specialised scanner** to run (like wpscan)?
* [ ] Launch **general purpose scanners**. You never know if they are going to find something or some interesting information.
* [ ] Start with the **initial checks**: **robots**, **sitemap**, **404** error and **SSL/TLS scan** (if HTTPS).
* [ ] Start **spidering** the web page: it's time to **find** all the possible **files, folders** and **parameters being used**. Also, check for **special findings**.
* [ ] _Note that any time a new directory is discovered during brute-forcing or spidering, it should be spidered._
* [ ] **Directory brute-forcing**: try to brute force all the discovered folders searching for new **files** and **directories**.
* [ ] _Note that any time a new directory is discovered during brute-forcing or spidering, it should be brute-forced._
* [ ] **Backups checking**: test if you can find **backups** of **discovered files** by appending common backup extensions.
* [ ] **Brute-force parameters**: try to **find hidden parameters**.
* [ ] Once you have **identified** all the possible **endpoints** accepting **user input**, check for all kinds of **vulnerabilities** related to them.
* [ ] [Follow this checklist](../../pentesting-web/web-vulnerabilities-methodology.md)
## Server Version (Vulnerable?)
### Identify
Check if there are **known vulnerabilities** for the server **version** that is running.\
The **HTTP headers and cookies of the response** could be very useful to **identify** the **technologies** and/or **version** being used. An **Nmap scan** can identify the server version, but tools such as [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech) or [**https://builtwith.com/**](https://builtwith.com) **can also be useful:**
```bash
whatweb -a 1 <URL> # Stealthy
whatweb -a 3 <URL> # Aggressive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```
Search **for** [**vulnerabilities of the web application version**](../../generic-methodologies-and-resources/search-exploits.md)
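As an added example (not HackTricks code), the following Python script pulls the same signals out of a response that whatweb and webtech rely on: version-bearing headers and well-known default session-cookie names. The response it parses is constructed, and the header and cookie tables are assumptions drawn from common product defaults, so it is best used to audit what your own server discloses and to decide which headers to strip before someone else fingerprints it.

```python
"""Report technology/version hints carried by an HTTP response's headers and cookies.

Added example, not HackTricks code. The sample response below is constructed and the
header/cookie tables are assumptions based on common product defaults.
"""
import re

# Response headers that commonly carry product and version information.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator", "x-drupal-cache")

# Default session/bootstrap cookie names and the stack they betray (assumed defaults).
COOKIE_SIGNATURES = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container (Tomcat/JBoss/...)",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "Adobe ColdFusion",
    "cftoken": "Adobe ColdFusion",
    "laravel_session": "Laravel",
    "csrftoken": "Django",
    "wordpress_test_cookie": "WordPress",
}

# Anything that looks like a dotted version number is a disclosure worth noting.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Names are lowercased; repeats are kept because Set-Cookie may appear many times."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> dict:
    """Return {'headers': {name: value}, 'versions': [...], 'cookies': {cookie: tech}}."""
    _, headers = parse_response(raw)
    found = {"headers": {}, "versions": [], "cookies": {}}
    for name, value in headers:
        if name in VERSION_HEADERS:
            found["headers"][name] = value
            found["versions"].extend(VERSION_RE.findall(value))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            if cookie_name in COOKIE_SIGNATURES:
                found["cookies"][cookie_name] = COOKIE_SIGNATURES[cookie_name]
    return found


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    for name, value in result["headers"].items():
        print(f"[header] {name}: {value}")
    for cookie, tech in result["cookies"].items():
        print(f"[cookie] {cookie} -> {tech}")
    print("[versions]", ", ".join(result["versions"]))
```

To run it against a live host, feed `fingerprint` the raw bytes of a real response (for example the output of the `nc`/`openssl s_client` exchange shown in Basic Info, decoded as text); every dotted version it reports is something that `Server`/`X-Powered-By` suppression would hide.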
### **Check if there is a WAF**
* [**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f)
* [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)
* [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)
### Web tech tricks
Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used:
* [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
* [**Apache**](apache.md)
* [**Artifactory**](artifactory-hacking-guide.md)
* [**Buckets**](buckets/)
* [**CGI**](cgi.md)
* [**Drupal**](drupal/)
* [**Flask**](flask.md)
* [**Git**](git.md)
* [**Golang**](golang.md)
* [**GraphQL**](graphql.md)
* [**H2 - Java SQL database**](h2-java-sql-database.md)
* [**IIS tricks**](iis-internet-information-services.md)
* [**JBOSS**](jboss.md)
* [**Jenkins**](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md)
* [**Jira**](jira.md)
* [**Joomla**](joomla.md)
* [**JSP**](jsp.md)
* [**Laravel**](laravel.md)
* [**Moodle**](moodle.md)
* [**Nginx**](nginx.md)
* [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/)
* [**Python**](python.md)
* [**Spring Actuators**](spring-actuators.md)
* [**Symphony**](symphony.md)
* [**Tomcat**](tomcat/)
* [**VMWare**](vmware-esx-vcenter....md)
* [**Web API Pentesting**](web-api-pentesting.md)
* [**WebDav**](put-method-webdav.md)
* [**Werkzeug**](werkzeug.md)
* [**Wordpress**](wordpress.md)
* [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/)
_Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._\
If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** for new tricks (and let me know!).
### Source Code Review
If the **source code** of the application is available on **github**, apart from performing a **white box test** of the application **on your own**, there is **some information** that could be **useful** for the current **black-box testing**:
* Is there a **Change-log or Readme or Version** file or anything with **version info accessible** via web?
* How and where are the **credentials** saved? Is there any (accessible?) **file** with credentials (usernames or passwords)?
* Are **passwords** in **plain text**, **encrypted**, or which **hashing algorithm** is used?
* Is it using any **master key** for encrypting something? Which **algorithm** is used?
* Can you **access any of these files** by exploiting some vulnerability?
* Is there any **interesting information in the github** (solved and not solved) **issues**? Or in the **commit history** (maybe some **password introduced inside an old commit**)?
{% content-ref url="code-review-tools.md" %}
[code-review-tools.md](code-review-tools.md)
{% endcontent-ref %}
### Automatic scanners
#### General purpose automatic scanners
```bash
nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```
#### CMS scanners
If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for security issues. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
```bash
cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```
> At this point you should already have some information about the web server being used by the client (if any data is given) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner.
## Step-by-step Web Application Discovery
> From this point we are going to start interacting with the web application.
### Initial checks
**Default pages with interesting info:**
* /robots.txt
* /sitemap.xml
* /crossdomain.xml
* /clientaccesspolicy.xml
* /.well-known/
* Check also the comments in the main and secondary pages.
**Forcing errors**
Web servers may **behave unexpectedly** when weird data is sent to them. This may open **vulnerabilities** or **disclose sensitive information**.
* Access **fake pages** like /whatever\_fake.php (.aspx, .html, etc.)
* **Add "\[]", "]]", and "\[\["** to **cookie values** and **parameter** values to create errors
* Generate an error by giving **`/~randomthing/%s`** as input at the **end** of the **URL**
* Try **different HTTP verbs** like PATCH, DEBUG or FAKE
#### **Check if you can upload files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder, try to:
* **Brute force** credentials
* **Upload files** via WebDav to the **rest** of the **found folders** inside the web page. You may have permissions to upload files in other folders.
### **SSL/TLS vulnerabilities**
* If the application **isn't forcing the use of HTTPS** in any part, then it's **vulnerable to MitM**.
* If the application is **sending sensitive data (passwords) using HTTP**, then it's a high vulnerability.
Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to check for **vulnerabilities** (in bug bounty programs these kinds of vulnerabilities probably won't be accepted) and use [**a2sv**](https://github.com/hahwul/a2sv) to recheck the vulnerabilities:
```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
# Use --htmlfile to also save the output inside an HTML file
# You can also use other tools, but testssl.sh at this moment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>
```
Information about SSL/TLS vulnerabilities:
* [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
* [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
### Spidering
Launch some kind of **spider** inside the web. The goal of the spider is to **find as many paths as possible** in the tested application. Therefore, web crawling and external sources should be used to find as many valid paths as possible.
* [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, finds links in JS files and in external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
* [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HTML spider, with LinkFinder for JS files and Archive.org as external source.
* [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, also indicates "juicy files".
* [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. It also searches in Archive.org.
* [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
* [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained: the precompiled version is old and the current code doesn't compile.
* [**gau**](https://github.com/lc/gau) (go): HTML spider that uses external providers (wayback, otx, commoncrawl).
* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameters and will list them.
* [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider with JS rendering capabilities.
* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, with JS beautify capabilities capable of searching for new paths in JS files. It could also be worth taking a look at [JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
* [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): Extracts endpoints from both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
* [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks unmaintained.
* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Given a file (HTML) it will extract relative URLs from it using nifty regular expressions.
* [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, several tools): Gathers interesting information from JS files using several tools.
* [**subjs**](https://github.com/lc/subjs) (go): Finds JS files.
* [**page-fetch**](https://github.com/detectify/page-fetch) (go): Loads a page in a headless browser and prints out all the URLs loaded to render the page.
* [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Content discovery tool mixing several options of the previous tools.
* [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): Burp extension to find paths and params in JS files.
* [**Sourcemapper**](https://github.com/denandz/sourcemapper): A tool that, given the .js.map URL, will get you the beautified JS code.
* [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): This is a tool used to discover endpoints for a given target.
* [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Discovers links from the Wayback Machine (also downloading the responses in the wayback and looking for more links).
* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawls (even by filling forms) and also finds sensitive info using specific regexes.
* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advanced multi-feature GUI web security crawler/spider designed for cyber security professionals.
* [**jsluice**](https://github.com/BishopFox/jsluice) (go): A Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
* [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to extract the parameters and endpoints from requests to create a custom wordlist for fuzzing and enumeration.
* [**katana**](https://github.com/projectdiscovery/katana) (go): Awesome tool for this.
* [**Crawley**](https://github.com/s0rg/crawley) (go): Prints every link it's able to find.
### Brute force directories and files
Start **brute-forcing** from the root folder and be sure to brute-force **all** the **directories found** using **this method** and all the directories **discovered** by the **spidering** (you can do this brute-forcing **recursively**, appending the names of the found directories at the beginning of the used wordlist).\
Tools:
* **Dirb** / **Dirbuster** - Included in Kali, **old** (and **slow**) but functional. Allow self-signed certificates and recursive search. Too slow compared with the other options.
* [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: It doesn't allow self-signed certificates but** allows recursive search.
* [**Gobuster**](https://github.com/OJ/gobuster) (go): It allows self-signed certificates, it **doesn't** have **recursive** search.
* [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.**
* [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
* [**ffuf** ](https://github.com/ffuf/ffuf)- Fast: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
* [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that, given the list of found URLs, will delete "duplicated" URLs.
* [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp extension to create a list of directories from the burp history of different pages.
* [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Removes URLs with duplicated functionality (based on js imports).
* [**Chamaleon**](https://github.com/iustin24/chameleon): It uses wappalyzer to detect the technologies used and selects the wordlists to use.
**Recommended dictionaries:**
* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt)
* [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt)
* [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
* [Assetnote wordlists](https://wordlists.assetnote.io)
* [https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
* raft-large-directories-lowercase.txt
* directory-list-2.3-medium.txt
* RobotsDisallowed/top10000.txt
* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
* [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
* [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
* [https://github.com/ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
* _/usr/share/wordlists/dirb/common.txt_
* _/usr/share/wordlists/dirb/big.txt_
* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
_Note that any time a new directory is discovered during brute-forcing or spidering, it should be brute-forced._
### What to check on each file found
* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Finds broken links inside HTML that may be prone to takeovers.
* **File backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ You can also use the tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
* **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, try to search for hidden parameters on each executable web file.**
* _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
* _Param-miner "params":_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
* _Assetnote "parameters\_top\_1m":_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
* _nullenc0de "params.txt":_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
* **Comments:** Check the comments of all the files; you can find **credentials** or **hidden functionality**.
* If you are playing a **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Another possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
* **API keys**: If you **find any API key** there are guides that indicate how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex\)/)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
* Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which APIs the key can access.
* **S3 buckets**: While spidering, look if any **subdomain** or any **link** is related to some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
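Backups left next to live code are a finding on the tester's side and a pre-deployment check on the defender's. The Python script below, an added example rather than HackTricks, bfac or backup-gen code, applies every naming variant from the "File backups" bullet above to a directory listing and reports which backup shadows which executable file; the listing it scans is constructed, and `EXECUTABLE_EXTS` is an assumed set of server-side extensions. It also handles the `file.bak` shape, where the original extension is gone and has to be recovered from the listing, and flags a stray `something.php.old` even when the live file is no longer present.

```python
"""Find leftover backup copies of server-side files in a web-root listing.

Added example, not HackTricks, bfac or backup-gen code. Applies the naming variants
listed on the page (file.ext~, #file.ext#, ~file.ext, file.ext.bak/.tmp/.old and
file.bak/.tmp/.old) to a list of paths. The listing below is constructed and
EXECUTABLE_EXTS is an assumed set of server-side extensions.
"""
import os
import posixpath
import re

EXECUTABLE_EXTS = {".php", ".asp", ".aspx", ".jsp", ".cgi", ".py", ".rb"}

# One regex for the three shapes: Emacs autosave (#name#), editor temp (~name),
# and trailing suffix (name~, name.bak, name.tmp, name.old).
BACKUP_RE = re.compile(
    r"^(?:#(?P<emacs>.+)#|~(?P<tilde>.+)|(?P<base>.+?)(?P<suffix>\.bak|\.tmp|\.old|~))$")


def originals_for(name: str) -> list:
    """Candidate original file names that `name` could be a backup of ([] if none).
    For the file.bak shape the extension is gone, so every server-side extension
    is tried; the bare base comes first so file.ext.bak resolves to file.ext."""
    m = BACKUP_RE.match(name)
    if not m:
        return []
    if m.group("emacs") is not None:
        return [m.group("emacs")]
    if m.group("tilde") is not None:
        return [m.group("tilde")]
    base = m.group("base")
    candidates = [base]
    if not posixpath.splitext(base)[1]:
        candidates += [base + ext for ext in sorted(EXECUTABLE_EXTS)]
    return candidates


def find_backups(paths) -> list:
    """Return sorted (backup_path, original_path) pairs. original_path is None when
    the backup name embeds a server-side extension but the live file is absent."""
    listing = set(paths)
    findings = []
    for path in paths:
        directory, name = posixpath.split(path)
        candidates = originals_for(name)
        if not candidates:
            continue
        for cand in candidates:
            original = posixpath.join(directory, cand)
            if original in listing:
                findings.append((path, original))
                break
        else:
            # No live counterpart: still report it if it looks like server-side code.
            if posixpath.splitext(candidates[0])[1] in EXECUTABLE_EXTS:
                findings.append((path, None))
    return sorted(findings)


def list_tree(root: str) -> list:
    """Walk a real directory and return its files as POSIX-style paths."""
    return [posixpath.join(dirpath.replace(os.sep, "/"), f)
            for dirpath, _, files in os.walk(root) for f in files]


# Constructed web-root listing (not taken from any real deployment).
SAMPLE_LISTING = [
    "/var/www/html/index.php",
    "/var/www/html/index.php~",
    "/var/www/html/config.php",
    "/var/www/html/config.php.bak",
    "/var/www/html/admin/login.php",
    "/var/www/html/admin/#login.php#",
    "/var/www/html/style.css",
    "/var/www/html/readme.old",
    "/var/www/html/includes/db.php",
    "/var/www/html/includes/~db.php",
    "/var/www/html/index.bak",
    "/var/www/html/old/backup.php.old",
]

if __name__ == "__main__":
    for backup, original in find_backups(SAMPLE_LISTING):
        print(f"{backup} -> {original or '(original missing)'}")
```

`readme.old` is deliberately in the listing and is not reported: it has no live counterpart and no server-side extension, which is the kind of noise a naive suffix grep would produce. To audit a real document root, pass `list_tree("/var/www/html")` to `find_backups` instead of the constructed list.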
### Special findings
**While** performing the **spidering** and **brute-forcing** you could find **interesting** **things** that you have to **notice**.
**Interesting files**
* Look for **links** to other files inside the **CSS** files.
* [If you find a **.git** file, some information can be extracted](git.md)
* If you find a **.env**, information such as API keys, DB passwords and other information can be found.
* If you find **API endpoints** you [should also test them](web-api-pentesting.md). These aren't files, but will probably "look like" them.
* **JS files**: In the spidering section several tools that can extract paths from JS files were mentioned. Also, it would be interesting to **monitor each JS file found**, as on some occasions a change may indicate that a potential vulnerability was introduced in the code. You could use for example [**JSMon**](https://github.com/robre/jsmon)**.**
* You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) or [**JSHole**](https://github.com/callforpapers-source/jshole) to find out if they're vulnerable.
* **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
* **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
* **JsFuck deobfuscation** (javascript with the chars "\[]!+": [https://ooze.ninja/javascript/poisonjs/](https://ooze.ninja/javascript/poisonjs/))
* [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
* On several occasions you will need to **understand the regular expressions** used; this will be useful: [https://regex101.com/](https://regex101.com)
* You could also **monitor the files where forms were detected**, as a change in a parameter or the appearance of a new form may indicate potential new vulnerable functionality.
**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)**
{% content-ref url="403-and-401-bypasses.md" %}
[403-and-401-bypasses.md](403-and-401-bypasses.md)
{% endcontent-ref %}
**502 Proxy Error**
If any page **responds** with that **code**, it's probably a **badly configured proxy**. **If you send an HTTP request like `GET https://google.com HTTP/1.1`** (with the Host header and other common headers), the **proxy** will try to **access** _**google.com**_ **and you will have found an** SSRF.
**NTLM Authentication - Info disclosure**
If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** (and asking for a **domain name**), you can provoke an **information disclosure**.\
**Send** the **header**: `"Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="` and, due to how **NTLM authentication works**, the server will respond with internal info (IIS version, Windows version...) inside the "WWW-Authenticate" header.\
You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
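To see exactly what the server gives away in that reply, the added Python example below (not HackTricks or nmap code) decodes an NTLM CHALLENGE_MESSAGE (Type 2) of the kind returned in `WWW-Authenticate` after the Type 1 header above is sent: the TargetInfo AV_PAIRs carry the NetBIOS and DNS names, and the Version field, present when the NTLMSSP_NEGOTIATE_VERSION flag is set, carries the Windows build. The challenge it parses is constructed with `build_challenge` (the names, build number and flag choice are assumptions), not captured from a real host; field offsets follow MS-NLMP. It also confirms that the page's Type 1 token is the anonymous NEGOTIATE_MESSAGE it is described as.

```python
"""Decode what an NTLM challenge discloses (added example, not HackTricks/nmap code).

Layout follows MS-NLMP: the CHALLENGE_MESSAGE (Type 2) the server returns in
WWW-Authenticate carries TargetInfo AV_PAIRs (NetBIOS/DNS names) and, when the
NTLMSSP_NEGOTIATE_VERSION flag is set, a Version field with the Windows build.
The sample challenge is constructed here, not captured from a real host.
"""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

# AvId values of the AV_PAIR structure (MS-NLMP 2.2.2.1); 0 is MsvAvEOL.
AV_IDS = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
          3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}

# The anonymous NEGOTIATE_MESSAGE (Type 1) quoted in the section above.
PAGE_TYPE1 = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="


def _decode(token_b64: str) -> bytes:
    """Base64-decode an NTLM token, tolerating stripped padding."""
    token = token_b64.strip()
    return base64.b64decode(token + "=" * (-len(token) % 4))


def message_type(token_b64: str) -> int:
    """Return the NTLM MessageType (1 negotiate, 2 challenge, 3 authenticate)."""
    msg = _decode(token_b64)
    if msg[:8] != NTLM_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return struct.unpack_from("<I", msg, 8)[0]


def parse_challenge(token_b64: str) -> dict:
    """Extract target name, AV_PAIR names and OS version from a Type 2 message."""
    if message_type(token_b64) != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    msg = _decode(token_b64)
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "av_pairs": {}, "os_version": None}
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)  # Version field
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                                        # MsvAvEOL
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_IDS:
            info["av_pairs"][AV_IDS[av_id]] = value.decode("utf-16-le")
    return info


def build_challenge(target_name: str, av_pairs: dict, version=(10, 0, 19041)) -> str:
    """Assemble a constructed Type 2 message (zeroed ServerChallenge) for testing."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                  for av_id, v in av_pairs.items()) + struct.pack("<HH", 0, 0)
    tn_off = 56                      # fixed header size including the 8-byte Version field
    ti_off = tn_off + len(tn)
    msg = (NTLM_SIGNATURE + struct.pack("<I", 2)
           + struct.pack("<HHI", len(tn), len(tn), tn_off)
           + struct.pack("<I", flags)
           + bytes(8)                # ServerChallenge (zeroed in this sample)
           + bytes(8)                # Reserved
           + struct.pack("<HHI", len(ti), len(ti), ti_off)
           + struct.pack("<BBH", *version) + b"\x00\x00\x00" + b"\x0f"  # Version
           + tn + ti)
    return base64.b64encode(msg).decode()


# Constructed names for the sample challenge (assumptions, not a real environment).
SAMPLE_CHALLENGE = build_challenge("CORP", {
    2: "CORP", 1: "WEB01", 4: "corp.example", 3: "web01.corp.example", 5: "corp.example"})

if __name__ == "__main__":
    print("page token is message type", message_type(PAGE_TYPE1))
    for key, value in parse_challenge(SAMPLE_CHALLENGE).items():
        print(f"{key}: {value}")
```

Against a real endpoint, feed `parse_challenge` the base64 part of the `WWW-Authenticate: NTLM ...` response header; everything it prints is information the server hands to an unauthenticated client, which is why exposing NTLM authentication directly to the Internet is worth reviewing.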
**HTTP Redirect (CTF)**
It is possible to **put content** inside a **redirection**. This content **won't be shown to the user** (as the browser will execute the redirection) but something could be **hidden** in there.
### Web Vulnerabilities Checking
Now that a comprehensive enumeration of the web application has been performed, it's time to check for a lot of possible vulnerabilities. You can find the checklist here:
{% content-ref url="../../pentesting-web/web-vulnerabilities-methodology.md" %}
[web-vulnerabilities-methodology.md](../../pentesting-web/web-vulnerabilities-methodology.md)
{% endcontent-ref %}
Find more info about web vulns in:
* [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
* [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html)
* [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection)
### Monitor pages for changes
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
### HackTricks Automatic Commands
```
Protocol_Name: Web    #Protocol Abbreviation if there is one.
Port_Number:  80,443     #Comma separated if there is more than one.
Protocol_Description: Web         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Web
  Note: |
    https://book.hacktricks.xyz/pentesting/pentesting-web

Entry_2:
  Name: Quick Web Scan
  Description: Nikto and GoBuster
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3:
  Name: Nikto
  Description: Basic Site Info via Nikto
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4:
  Name: WhatWeb
  Description: General purpose auto scanner
  Command: whatweb -a 4 {IP}

Entry_5:
  Name: Directory Brute Force Non-Recursive
  Description: Non-Recursive Directory Brute Force
  Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6:
  Name: Directory Brute Force Recursive
  Description: Recursive Directory Brute Force
  Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7:
  Name: Directory Brute Force CGI
  Description: Common Gateway Interface Brute Force
  Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8:
  Name: Nmap Web Vuln Scan
  Description: Tailored Nmap Scan for web Vulnerabilities
  Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP}

Entry_9:
  Name: Drupal
  Description: Drupal Enumeration Notes
  Note: |
    git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10:
  Name: WordPress
  Description: WordPress Enumeration with WPScan
  Command: |
    ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
    wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e

Entry_11:
  Name: WordPress Hydra Brute Force
  Description: Need User (admin is default)
  Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Entry_12:
  Name: Ffuf Vhost
  Description: Simple Scan with Ffuf for discovering additional vhosts
  Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}
```