- When ports 80 and/or 443 are discovered to be open on a host, assume a web server is running
- Use `ffuf` or `gobuster` to check for hidden files/directories on the web server
- `gobuster` is useful for a quick first pass
- `ffuf` is useful for a second deep dive
# `gobuster`
- `gobuster` can be used for DNS, vHost, and directory brute-forcing
- can also be used to enumerate S3 buckets
## Directory/File Enumeration
- looking for hidden directories and files
```bash
gobuster dir -u http://ip_addr/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
#dir option brute-forces directories
#-u specifies a URL
#-w specifies a wordlist
```
| HTTP Status Code No | HTTP Status Code Text | Description |
| ------------------- | --------------------- | --------------------------------------------------------------------------- |
| 200 | OK | Request succeeded; response depends on the request method. |
| 301 | Moved Permanently | Resource has a new permanent URI. |
| 400 | Bad Request | Client Error: Server cannot understand the request due to malformed syntax. |
| 403 | Forbidden | Client Error: Server understood the request but refuses to authorize it. |
| 404 | Not Found | Server Error: Requested resource could not be found. |
| 500 | Internal Server Error | Server Error: Generic error message when the server fails. |
| 503 | Service Unavailable | Server Error: Server is currently unable to handle the request. |
## DNS Subdomain Enumeration
- looking for admin panels or applications with additional functionality that may be exploited
```bash
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
#dns option brute-forces dns subdomains
#-d option specifies a FQDN
```
![[images/Pasted image 20250823135540.png]]
# banner and web server header grabbing
- may reveal the application framework in use, authentication options, and whether the server is missing essential security options or has been misconfigured
- `curl` can be used to retrieve server header info
- `eyewitness` is another tool to take screenshots of target web applications, fingerprint them, and identify possible default credentials
```bash
curl -IL https://www.inlanefreight.com
```
![[images/Pasted image 20250820194907.png]]
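As an added example (not part of the original notes), a small Python helper that parses saved `curl -IL` output, which prints one header block per redirect hop, and summarises the server banners, the `X-Powered-By` value, and which common security headers the final response lacks. The header dump below is constructed sample data, not a real capture.

```python
"""Parse the output of `curl -IL <url>` and summarise what the headers reveal.

Assumption: the dump was saved with `curl -IL <url> > headers.txt`, so each
redirect hop is a header block separated by a blank line.
"""

# Constructed sample: a 301 hop followed by the final 200 response.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://www.example.test/

HTTP/2 200
server: Apache/2.4.41 (Ubuntu)
x-powered-by: PHP/7.4.3
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
"""

# Headers whose absence on the final response is worth flagging.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def parse_hops(raw):
    """Return a list of (status_line, headers) tuples, one per hop.
    Header names are lower-cased: HTTP/2 servers emit them that way anyway."""
    hops = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        status, headers = lines[0], {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((status, headers))
    return hops


def summarise(raw):
    """Collect banners across all hops and missing security headers on the last."""
    hops = parse_hops(raw)
    final = hops[-1][1]
    return {
        "hops": [status for status, _ in hops],
        "servers": sorted({h["server"] for _, h in hops if "server" in h}),
        "powered_by": final.get("x-powered-by"),
        "missing_security_headers": [h for h in SECURITY_HEADERS if h not in final],
    }


if __name__ == "__main__":
    print(summarise(SAMPLE))
```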
# `whatweb`
- used to extract the version of web servers, supporting frameworks, and applications
- helpful for pinpointing tech in use as a starting point for searching for vulns
```bash
whatweb ip_addr #returns webserver info
whatweb --no-errors ip_addr/CIDR #automates web enumeration across a network
```
# SSL Certificates
- when HTTPS is in use, view the associated certificates for info such as company name and email address
![[images/Pasted image 20250820195658.png]]
# `robots.txt`
- common file whose purpose is to instruct search engine web crawlers as to which resources can and cannot be accessed for indexing
- **gives an indication as to existing directories/files**
![[images/Pasted image 20250820195919.png]]
# website source code
- `Ctrl + U` shows a web page's HTML source code
- look for commented info such as leftover credentials
- screenshot of HTML code for https://berkshirehathaway.com/
![[images/Pasted image 20250820200206.png]]