
80,443 - Pentesting Web Methodology

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

Basic Info

The web service is the most common and extensive service, and many different types of vulnerabilities exist in it.

Default ports: 80 (HTTP), 443 (HTTPS)

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  ssl/https
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0

Web API Guidance

{% content-ref url="web-api-pentesting.md" %} web-api-pentesting.md {% endcontent-ref %}

Methodology summary

Apply this methodology to each discovered domain, subdomain or IP with a web server in scope.

  • Any specialised scanner to run (like wpscan)?
  • Initial checks: robots, sitemap, 404 and SSL/TLS scan (if HTTPS).

whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggressive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2

Search for vulnerabilities of the web application version

Check if any WAF

Web tech tricks

Some tricks for finding vulnerabilities in different well known technologies being used:

Take into account that the same domain can be using different technologies in different ports, folders and subdomains.
If the web application is using any well known tech/platform listed before, or any other, don't forget to search the Internet for new tricks (and let me know!).

Source Code Review

If the source code of the application is available on GitHub, apart from performing a white-box test of the application yourself, there is some information that could be useful for the current black-box testing:

  • Is there a changelog, readme, version file or anything else with version info accessible via the web?
  • How and where are the credentials saved? Is there any (accessible?) file with credentials (usernames or passwords)?
  • Are passwords stored in plain text or encrypted, or which hashing algorithm is used?
  • Is a master key used to encrypt something? Which algorithm is used?
  • Can you access any of these files by exploiting some vulnerability?
  • Is there any interesting information in the GitHub issues (solved and unsolved)? Or in the commit history (maybe a password was introduced in an old commit)?

{% content-ref url="code-review-tools.md" %} code-review-tools.md {% endcontent-ref %}

Automatic scanners

General purpose automatic scanners

nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"

CMS scanners

If a CMS is used don't forget to run a scanner, maybe something juicy is found:

Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
CMSScan: WordPress, Drupal, Joomla, vBulletin websites for Security issues. (GUI)
VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
CMSMap: (W)ordpress, (J)oomla, (D)rupal or (M)oodle
droopscan: Drupal, Joomla, Moodle, Silverstripe, Wordpress

cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs

By now you should have some information about the web server in use (if any data is given) and about the web application under test.

Step-by-step web application discovery

From this point on we start interacting with the web application.

Initial checks

Default pages with interesting info:

  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /clientaccesspolicy.xml
  • /.well-known/

Forcing errors

Sending unexpected data to the web server can make it fail in ways that expose vulnerabilities or disclose sensitive information:

  • Access fake pages like /whatever_fake.php (.aspx, .html, etc.)
  • Add "[]", "]]" and "[[" to cookie values and parameter values to create errors
  • Generate an error by giving input such as /~randomthing/%s at the end of the URL
  • Try HTTP verbs like PATCH or DEBUG, or an invalid one like FAKE

Check if you can upload files (PUT verb, WebDav)

If WebDav is enabled but you cannot upload files to the root folder, try to:

  • Brute force credentials
  • Upload files via WebDav to the other folders found on the web page

SSL/TLS vulnerabilities

  • If the application does not force HTTPS everywhere, it is vulnerable to MitM
  • If the application sends sensitive data (passwords) over HTTP, that is a high-severity vulnerability

Use testssl.sh to check for vulnerabilities (Bug Bounty programs may not accept these kinds of vulnerabilities) and use a2sv to recheck them:

./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also

# You can also use other tools, but testssl.sh at this moment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>

SSL/TLS vulnerabilities

Spidering

Launch some kind of spider against the web application. The goal of the spider is to find as many paths as possible in the tested application, so both web crawling and external sources should be used.

  • gospider (go): HTML spider, LinkFinder on JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
  • hakrawler (go): HTML spider, with LinkFinder for JS files and Archive.org as external source.
  • dirhunt (python): HTML spider, also indicates "juicy files".
  • evine (go): Interactive CLI HTML spider. Also searches Archive.org.
  • meg (go): Not a spider but still useful: give it a file with hosts and a file with paths and meg fetches each path on each host and saves the response.
  • urlgrab (go): HTML spider with JS rendering capabilities. Unmaintained: the precompiled version is old and the current code does not compile.
  • gau (go): HTML spider using external providers (wayback, otx, commoncrawl).
  • ParamSpider: Script that finds URLs with parameters and lists them.
  • galer (go): HTML spider with JS rendering capabilities.
  • LinkFinder (python): HTML spider with JS beautify capabilities that searches for paths in JS files. Also look at JSScanner, a wrapper around LinkFinder.
  • goLinkFinder (go): Extracts endpoints from both the HTML source and embedded JavaScript files. Useful for bug hunters, red teamers, infosec ninjas.
  • JSParser (python2.7): Python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files; makes it easy to discover AJAX requests. Unmaintained.
  • relative-url-extractor (ruby): Given a file (HTML), extracts relative URLs from it with a nifty regular expression, even from ugly (minified) files.
  • JSFScan (bash, several tools): Gathers interesting information from JS files using several tools.
  • subjs (go): Finds JS files.
  • page-fetch (go): Loads a page in a headless browser and prints every URL fetched to load the page.
  • Feroxbuster (rust): Content discovery tool mixing options of the previous tools.
  • Javascript Parsing: Burp extension to find paths and params in JS files.
  • Sourcemapper: Given a .js.map URL, retrieves the beautified JS code.
  • xnLinkFinder: Tool to discover endpoints for a given target.
  • waymore: Discovers links from the Wayback Machine, downloading the archived responses and looking for more links in them.
  • HTTPLoot (go): Crawls (even filling forms) and finds sensitive info using specific regexes.
  • SpiderSuite: Advanced multi-feature GUI web security crawler/spider designed for cyber security professionals.
  • jsluice (go): Go package and command-line tool for extracting URLs, paths, secrets and other interesting data from JavaScript source code.
  • ParaForge: Simple Burp Suite extension to extract parameters and endpoints from requests to create a custom wordlist for fuzzing and enumeration.

Brute Force directories and files

Start brute-forcing from the root folder and be sure to brute-force all the directories found using this method and all the directories discovered by spidering (you can do this brute-forcing recursively, appending the names of the found directories at the beginning of the wordlist used).
Tools:

  • Dirb / Dirbuster - Included in Kali, old (and slow) but functional. Allow self-signed certificates and recursive search. Too slow compared to the other options.
  • Dirsearch (python): Allows self-signed certificates and recursive search.
  • Gobuster (go): Allows self-signed certificates, doesn't do recursive search.
  • Feroxbuster - Fast, supports recursive search.
  • wfuzz: wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
  • ffuf - Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
  • uro (python): Not a spider: given the list of found URLs, it deletes "duplicated" URLs.
  • Scavenger: Burp extension to create a list of directories from the Burp history of different pages.
  • TrashCompactor: Removes URLs with duplicated functionality (based on JS imports).
  • Chamaleon: Uses wappalyzer to detect the technologies in use and selects the wordlists to use.

Recommended dictionaries:

Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced.

What to check on each file found

Special findings

While performing the spidering and brute-forcing you could find interesting things that you have to notice.

Interesting files

403 Forbidden/Basic Authentication/401 Unauthorized (bypass)

{% content-ref url="403-and-401-bypasses.md" %} 403-and-401-bypasses.md {% endcontent-ref %}

502 Proxy Error

If any page responds with that code, it's probably a badly configured proxy. If you send an HTTP request like GET https://google.com HTTP/1.1 (with the Host header and other common headers), the proxy will try to access google.com and you will have found an SSRF.
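The error-forcing probes listed above (fake pages, "[[" style characters, /~randomthing/%s, odd verbs like FAKE) and the absolute-URI request from this 502 check all leave recognisable traces in a web server's access log. This added example (not part of the original page) scores constructed combined-format log lines for those indicators; the IPs, paths and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample access log in combined format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2024:17:52:19 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2024:17:52:20 +0000] "GET /whatever_fake.php HTTP/1.1" 404 231 "-" "curl/8.4"
10.0.0.9 - - [10/Feb/2024:17:52:21 +0000] "GET /search?q=[[ HTTP/1.1" 500 0 "-" "curl/8.4"
10.0.0.9 - - [10/Feb/2024:17:52:22 +0000] "GET /~randomthing/%s HTTP/1.1" 500 0 "-" "curl/8.4"
10.0.0.9 - - [10/Feb/2024:17:52:23 +0000] "FAKE / HTTP/1.1" 501 0 "-" "curl/8.4"
10.0.0.9 - - [10/Feb/2024:17:52:24 +0000] "GET https://google.com/ HTTP/1.1" 502 0 "-" "curl/8.4"
10.0.0.7 - - [10/Feb/2024:17:52:25 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
# raw or percent-encoded "[[", "]]", "[]"
BRACKET_PROBE = re.compile(r"\[\[|\]\]|\[\]|%5B%5B|%5D%5D|%5B%5D", re.I)

def classify(line: str) -> list[str]:
    """Return the probe indicators matched by one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    method, target, status = m["method"], m["target"], int(m["status"])
    hits = []
    if method not in KNOWN_METHODS:
        hits.append("unknown-http-verb")          # e.g. FAKE
    if re.match(r"^https?://", target):
        hits.append("absolute-uri-request")       # open-proxy / SSRF probe (502 section)
    if BRACKET_PROBE.search(target):
        hits.append("bracket-error-probe")
    if "%s" in target:
        hits.append("format-string-probe")        # /~randomthing/%s
    if re.search(r"fake", target, re.I):
        hits.append("fake-page-probe")
    if status >= 500 and hits:
        hits.append("server-error-on-probe")      # the probe actually broke something
    return hits

def suspicious_sources(log_text: str, threshold: int = 2) -> dict[str, int]:
    """Count probe indicators per client IP and return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            counts[LINE_RE.match(line)["ip"]] += len(hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), line.split('"')[1])
    print(suspicious_sources(SAMPLE_LOG))
```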

NTLM Authentication - Info disclosure

If the server asking for authentication is running Windows, or you find a login asking for your credentials (and for a domain name), you can provoke an information disclosure.
Send the header "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" and, due to how NTLM authentication works, the server will respond with internal info (IIS version, Windows version...) inside the "WWW-Authenticate" header.
You can automate this using the nmap script "http-ntlm-info.nse".
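To see exactly what a server discloses in that WWW-Authenticate response (and so verify your own IIS exposure), the base64 NTLM CHALLENGE_MESSAGE has to be decoded per MS-NLMP. This is an added example, not HackTricks' code; the challenge it decodes is constructed, with LABDOMAIN, WEBSRV01 and lab.example as placeholder names.

```python
import base64
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR) that name the server and its domain
AV_IDS = {1: "netbios_computer_name", 2: "netbios_domain_name",
          3: "dns_computer_name", 4: "dns_domain_name", 5: "dns_tree_name"}
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000

def parse_ntlm_challenge(blob: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE (type 2) and return what the server
    reveals: target name, AV pairs (host/domain names) and OS version."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE (2), got {msg_type}")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", blob, 20)              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc)}
    if flags & NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)  # Version field
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                       # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                          # MsvAvEOL terminates the list
            break
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info

def parse_www_authenticate(header_value: str) -> dict:
    """Accept the value of a 'WWW-Authenticate: NTLM <base64>' response header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_ntlm_challenge(base64.b64decode(token))

def sample_header() -> str:
    """Constructed WWW-Authenticate value (not captured from any real host)."""
    def av(av_id, text):
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    target = "LABDOMAIN".encode("utf-16-le")
    target_info = (av(2, "LABDOMAIN") + av(1, "WEBSRV01") + av(4, "lab.example")
                   + av(3, "websrv01.lab.example") + struct.pack("<HH", 0, 0))
    # flags: UNICODE | NTLM | TARGET_INFO | VERSION
    flags = NEGOTIATE_UNICODE | 0x00000200 | 0x00800000 | NEGOTIATE_VERSION
    hdr = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), 56)
           + struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8
           + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target))
           + struct.pack("<BBH", 10, 0, 14393) + b"\x00\x00\x00\x0f")  # 56-byte header
    return "NTLM " + base64.b64encode(hdr + target + target_info).decode()

if __name__ == "__main__":
    print(parse_www_authenticate(sample_header()))
```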

HTTP Redirect (CTF)

It is possible to put content inside a Redirection. This content won't be shown to the user (as the browser will execute the redirection) but something could be hidden in there.

Web Vulnerabilities Checking

Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:

{% content-ref url="../../pentesting-web/web-vulnerabilities-methodology/" %} web-vulnerabilities-methodology {% endcontent-ref %}

Find more info about web vulns in:

Monitor Pages for changes

You can use tools such as https://github.com/dgtlmoon/changedetection.io to monitor pages for modifications that might insert vulnerabilities.

HackTricks Automatic Commands

Protocol_Name: Web    #Protocol Abbreviation if there is one.
Port_Number:  80,443     #Comma separated if there is more than one.
Protocol_Description: Web         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Web
Note: |
https://book.hacktricks.xyz/pentesting/pentesting-web

Entry_2:
Name: Quick Web Scan
Description: Nikto and GoBuster
Command: nikto -host {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3:
Name: Nikto
Description: Basic Site Info via Nikto
Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4:
Name: WhatWeb
Description: General purpose auto scanner
Command: whatweb -a 4 {IP}

Entry_5:
Name: Directory Brute Force Non-Recursive
Description:  Non-Recursive Directory Brute Force
Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6:
Name: Directory Brute Force Recursive
Description: Recursive Directory Brute Force
Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7:
Name: Directory Brute Force CGI
Description: Common Gateway Interface Brute Force
Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8:
Name: Nmap Web Vuln Scan
Description: Tailored Nmap Scan for web Vulnerabilities
Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP}

Entry_9:
Name: Drupal
Description: Drupal Enumeration Notes
Note: |
git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10:
Name: WordPress
Description: WordPress Enumeration with WPScan
Command: |
?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e

Entry_11:
Name: WordPress Hydra Brute Force
Description: Need User (admin is default)
Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Entry_12:
Name: Ffuf Vhost
Description: Simple Scan with Ffuf for discovering additional vhosts
Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}

