# Passive Recon

1. Review public DNS records for the domain and associated subdomains
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/2 - DNS Overview|DNS Overview]]
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/3 - Digging DNS|Digging DNS]]
2. Review certificates and other info for the domain and associated subdomains
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/5 - Certificate Transparency Logs|Certificate Transparency Logs]]
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/8 - Search Engine Discovery|Search Engine Discovery]]
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/9 - Web Archives|Web Archives]]

# Active Recon

1. Add the domain and associated subdomains to `/etc/hosts` for proper name resolution
2. Web fuzzing
    - First, directory fuzzing
    - Second, extension fuzzing after a directory is found
    - Third, if an extension is found, fuzz for pages with that extension appended
    - Fourth, subdomain/vhost fuzzing

    ```bash
    # dir fuzzing
    ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<target_FQDN/IP>:<port>/FUZZ -c -v -ic

    # extension fuzzing
    ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -u http://<target_FQDN/IP>:<port>/directory/<page>FUZZ -c -ic

    # page fuzzing
    ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<target_FQDN/IP>:<port>/directory/FUZZ.php -c -ic

    # subdomain fuzzing
    ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u https://FUZZ.inlanefreight.htb

    # vhost fuzzing
    ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://academy.htb/ -H 'Host: FUZZ.academy.htb'
    ```

3. Review `robots.txt` and `sitemap.xml`
4. Crawl the webserver for all links
    - Use `scrapy` or `reconspider.py`
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/7 - Crawling, robots.txt, .well-known URIs|Crawling]]
5. Review the page source of all discovered pages for sensitive info and potential usernames
6. Capture server errors for potential tech stack indications
7. Attempt to fingerprint the webserver tech stack
    - Use the `whatweb` command line tool to discover the webserver tech stack
    - Use the `wappalyzer` browser extension to discover the webserver tech stack
    - Scan the webserver with `nikto` to discover the webserver tech stack and potential vulns
    - Use `wafw00f` to discover a WAF
8. Perform web app enum
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/2 - Application Discovery & Enum|General Web Application Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/3 - WordPress - Discovery & Enum|WordPress - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/5 - Joomla - Discovery & Enum|Joomla - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/7 - Drupal - Discovery & Enum|Drupal - Discovery & Enum]]
    - [[5 - CPTS/4 - Skills Assessments/Linux Privsec/2 - Tomcat Enum|Tomcat Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/11 - Jenkins - Discovery & Enum|Jenkins - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/13 - Splunk - Discovery & Enum|Splunk - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/15 - PRTG Network Monitor|PRTG Network Monitor - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/16 - osTicket|osTicket - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/17 - Gitlab - Discovery & Enum|Gitlab - Discovery & Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/19 - Attacking Tomcat CGI|Tomcat CGI]] & [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/20 - Attacking CGI Apps|CGI Apps]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/25 - IIS Tilde Enum|IIS Tilde Enum]]
    - [[5 - CPTS/3 - CPTS Notes/22 - Attacking Common Web Apps/23 - ColdFusion - Discovery & Enum|ColdFusion - Discovery & Enum]]
9. Check for vulns in the webserver tech stack and web app versions
    - Use both `searchsploit` AND Google
    - Document discovered vulns
10. Look for login pages to test with default or weak creds
    - Try default or common weak creds before attempting to brute force
    - [[5 - CPTS/2 - Checklists/1 - External Enum/3 - Default Creds Attack Sequence|Default Creds]]
    - [[5 - CPTS/3 - CPTS Notes/14 - Login Brute Forcing/6 - Hydra - Basic HTTP Auth|Hydra - Basic HTTP Auth]]
    - [[5 - CPTS/3 - CPTS Notes/14 - Login Brute Forcing/7 - Hydra - Login & Security Forms|Hydra - Login & Security Forms]]
    - Notes:
        - Check for password reset or recovery mechanisms
        - Review cookies and sessions
        - Test for session fixation or missing CSRF protections
11. Identify input fields to submit data
    - Intercept requests with `burp` and review the responses
    - [[5 - CPTS/3 - CPTS Notes/12 - Web Proxies/2 - Intercepting Requests|Intercepting Requests]]
12. Test submitting data to EVERY input field
    - Does input appear to be used by a system command like `ping`? -> Think: **Command Injection**
    - Does a file upload mechanism exist? -> Think: **File Upload Attacks**
    - Does the webserver appear to be populating data from a DB? -> Think: **SQLi**
        - Test simple injection: `' OR 1=1 --`
        - Test UNION injection: `' UNION SELECT NULL,NULL--`
    - Do GET parameters appear to be pulling local files on the webserver? -> Think: **Path Traversal and File Inclusion**
        - Fuzz GET and POST parameters
            - [[5 - CPTS/3 - CPTS Notes/13 - Web Fuzzing with Ffuf/6 - Parameter Fuzzing|Parameter Fuzzing]]
        - Try `php://filter` for source code disclosure
            - [[5 - CPTS/3 - CPTS Notes/18 - File Inclusion/4 - PHP Filters|PHP Filters]]
        - Try `php://data`, `php://input` and `php://expect` for RCE
            - [[5 - CPTS/3 - CPTS Notes/18 - File Inclusion/5 - PHP Wrappers|PHP Wrappers]]
        - Try [[5 - CPTS/3 - CPTS Notes/18 - File Inclusion/6 - RFI|RFI]]
        - Try [[5 - CPTS/3 - CPTS Notes/18 - File Inclusion/7 - LFI-enabled File Upload Attacks|LFI-enabled File Upload Attacks]]
        - Try [[5 - CPTS/3 - CPTS Notes/18 - File Inclusion/8 - Log Poisoning|Log Poisoning]]
    - Is there an API, UID, or other sequence number present in accounts, pages, etc.? -> Think: **IDOR**
    - Is XML or SVG input accepted? -> Think: **XXE**
    - Is basic HTTP auth or a security message present? -> Think: **Verb Tampering**
    - Test all input fields for XSS
13. If the webserver uses a web socket or an API, check GET and POST requests for potential SQLi with `sqlmap`
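Added example for steps 6 and 7 above (not from the CPTS notes): a small Python helper that takes a captured raw HTTP response and pulls out the tech-stack indicators a tool like `whatweb` looks at (Server / X-Powered-By headers, well-known session cookie names, error-page banners). The signature table and the sample 404 response are constructed for illustration and are deliberately short; extend them per engagement.

```python
import re
from email.parser import Parser

# Illustrative signature table (assumption: a starting set, not exhaustive).
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container (Tomcat/Jetty/etc.)",
    "ASP.NET_SessionId": "ASP.NET",
    "laravel_session": "Laravel (PHP)",
}
BODY_SIGNATURES = [
    (re.compile(r"Apache Tomcat/(\d[\d.]*)"), "Apache Tomcat {0}"),   # default error page
    (re.compile(r"Whitelabel Error Page"), "Spring Boot"),            # default error page
    (re.compile(r'<meta name="generator" content="([^"]+)"', re.I), "{0}"),
]

def fingerprint(raw_response: str) -> dict:
    """Split a raw HTTP response into status/headers/body and collect tech-stack hints."""
    text = raw_response.replace("\r\n", "\n")          # tolerate CRLF or bare LF
    head, _, body = text.partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block)           # RFC 822-style, case-insensitive, repeats kept
    hints = {"status": status_line, "server": [], "cookies": [], "body": []}
    for name in ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator"):
        for value in headers.get_all(name, []):
            hints["server"].append(f"{name}: {value}")
    for cookie in headers.get_all("Set-Cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_SIGNATURES:
            hints["cookies"].append(f"{cookie_name} -> {COOKIE_SIGNATURES[cookie_name]}")
    for pattern, label in BODY_SIGNATURES:
        m = pattern.search(body)
        if m:
            hints["body"].append(label.format(*m.groups()))
    return hints

# Constructed sample: a 404 from a Tomcat-style server, as step 6 says to capture.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/9.0.65 - Error report</title></head>"
    "<body><h1>HTTP Status 404</h1></body></html>"
)

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_404).items():
        print(f"{key}: {value}")
```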