Enumeration

Directory Enumeration

• Dirsearch

• Gobuster

• Dirbuster

• wfuzz wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt <https://domain.com/api/FUZZ\>

• ffuf Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u <http://10.10.10.10/FUZZ\>

• chameleon

  • install: curl -sL <https://raw.githubusercontent.com/iustin24/chameleon/master/install.sh> | bash

  • execute ./chameleon --url <url> -a --fc 403

Vhost Enumeration

• ffuf

• gobuster vhost

• sublist3r

• Feroxbuster

Website Enumeration

• caido

• burp suite

• wappalyzer

• nikto

• Look for:

  • /robots.txt

  • /sitemap.xml

Additional Enumeration

• Nmap nmap -sC -sV -p- <target ip>

• https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

• https://github.com/Nekmo/dirhunt | Avoid using older Python libraries

• https://github.com/projectdiscovery/katana | Requires go installed and is for larger than vulnhub machines

Website functionality

• X-Forwarded-For

  • https://research.securitum.com/x-forwarded-for-header-security-problems/

  • If the "X-Forward-For: 127.0.0.1" header is used, it allows to bypass restrictions of the web application and access endpoints that are restricted otherwise.

  • https://book.hacktricks.wiki/en/pentesting-web/abusing-hop-by-hop-headers.html

• SSRF (Server Side Request Forgery)

Common Attack Vectors

• Web Application vulnerabilities

  • SQLi

  • No SQL

  • XSS

  • File Upload

  • IDOR

• Default credentials

• Misconfigured services

• Known CVE exploits