Goals

  • Identify web server hosting software (e.g. Apache/Nginx/Node…)
  • Identify exact web service software version (e.g. xxx CMS 1.2.3)
  • Identify attackable endpoints (paths, CVEs, admin panels, etc.)
  • Identify server OS
  • Identify database type & version

Scanning

With nikto:

nikto -host <url>

It reports:
  • Suspicious/interesting headers
  • Outdated versions
  • Some directory enumeration

Alternatively, use whatweb $HOST_OR_IP, which prints basic information about the site (banner grabbing, security headers, etc.).

Directory Enumeration

Dirbusting should reveal any commonly used paths and endpoints (and may even discover special ones such as .git). Wordlists are available in /usr/share/wordlists/ on Kali (SecLists is also recommended). If common wordlists aren't working, try relevant words from the host's context, e.g. if there's an SMB share then maybe there's a web service endpoint with the same name.

You might also want to check paths such as robots.txt which could reveal other endpoints.

GoBuster

gobuster dir -u <url> -w <wordlist> -x <extensions>

DirSearch

dirsearch -u <url> -w <wordlist> -e <extensions>

Use -r to scan recursively.

Fuzzing

  • See wfuzz
  • See ffuf

Manual Inspection

Inspect URLs

Check the extensions of URLs (or try index.html, index.php, etc.) to determine the server software in use. Note that many modern web frameworks use routing and may not expose actual filenames.

Inspect Source

  • Check for hidden form input elements.
  • Check for comments indicating server software used.

Inspect Certificates

TLS/SSL certificates can provide potential usernames and/or potential (sub)domains.

Inspect Headers

  • Look for banners (X-Powered-By, Server, etc.)
  • Look for other non-standard X-* headers (x-amz-cf-id, X-AspNet-Version, etc.)
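As an added example (not part of the original notes): a small Python check that parses a raw HTTP response and lists the banner headers and non-standard X-* headers described above, extracting any version strings they carry. It is useful for confirming what your own servers disclose; the header list and the sample response are constructed for this example, not captured from a real host.

```python
import re

# Headers that commonly disclose software, versions or infrastructure.
# Assumed list for this example; extend it as needed.
BANNER_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator",
}

# Constructed sample response (not from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "x-amz-cf-id: example-id\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_disclosures(raw):
    """Return banner and non-standard X-* headers with any version strings found."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in BANNER_HEADERS or lname.startswith("x-"):
            # Version-like tokens such as 2.4.41 or 4.0.30319.
            versions = re.findall(r"\d+(?:\.\d+)+", value)
            findings.append({
                "header": name, "value": value, "versions": versions,
                "kind": "banner" if lname in BANNER_HEADERS else "nonstandard",
            })
    return findings


if __name__ == "__main__":
    for f in find_disclosures(SAMPLE_RESPONSE):
        print(f["kind"], f["header"], f["value"], f["versions"])
```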

Inspect Sitemap

  • /sitemap.xml
  • /robots.txt may reveal additional endpoints

Default Admin Credentials

If an admin panel is found during Directory Enumeration, try default credentials to log in. EyeWitness can also be used to identify default credentials by taking screenshots.

Public Exploit Database

Search using searchsploit / ExploitDB (e.g. with the name or version of the server, CMS, OS, plugin, etc.).