Goals
- Identify web server software (e.g. Apache/Nginx/Node…)
- Identify exact web application software and version (e.g. xxx CMS 1.2.3)
- Identify attackable surface (paths, admin panels, known CVEs for the identified versions, etc.)
- Identify server OS
- Identify database type & version
Scanning
With nikto (run against the target host), look for:
- Suspicious/interesting headers
- Outdated server/component versions
- Some basic directory and file enumeration
Alternatively, run whatweb $HOST_OR_IP, which prints basic information about the site (banner grabbing, security headers, etc.).
Directory Enumeration
Dirbusting should reveal commonly used paths and endpoints (and may even turn up special ones such as an exposed .git directory). Wordlists are available in /usr/share/wordlists/ on Kali (the seclists package is also recommended). If common wordlists aren't producing hits, try words taken from the host's own context, e.g. if there is an SMB share then there may be a web endpoint with the same name.
Also check paths such as robots.txt, which can reveal further endpoints.
GoBuster
DirSearch
dirsearch -u <url> -w <wordlist> -e <extensions>
Use -r to scan recursively.
Fuzzing
- See wfuzz
- See ffuf
Manual Inspection
Inspect URLs
Check the extensions of URLs (or try index.html, index.php, etc.) to determine the server-side technology in use. Note that many modern frameworks use routing and may not expose real filenames at all.
Inspect Source
- Check for hidden form input elements.
- Check for comments indicating server software used.
Inspect Certificates
TLS/SSL certificates can reveal potential usernames (in the subject fields) and potential (sub)domains (in the Subject Alternative Name extension).
Inspect Headers
- Look for banners (X-Powered-By, Server, etc.)
- Look for other non-standard X-* headers (x-amz-cf-id, X-AspNet-Version, etc.), which often identify the framework or the CDN/proxy in front of it
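The header checks above, as an added example (not from the original notes). The helper functions and the SAMPLE_RESPONSE are constructed for this example: the response imitates an IIS/ASP.NET application sitting behind CloudFront and is not captured from any real host. It pulls out version-bearing banners, lists the remaining X-* headers, and reports which common security headers are absent.

```shell
#!/bin/sh
# Added example: triage a raw HTTP response header block.
# SAMPLE_RESPONSE is constructed for this example, not captured from a real site.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Via: 1.1 d111111abcdef8.cloudfront.net (CloudFront)
x-amz-cf-id: 7x1EXAMPLEcfIdValue==
X-Frame-Options: SAMEORIGIN
Set-Cookie: ASP.NET_SessionId=e3b0c44298fc; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
Content-Length: 1234'

# Drop CRs and the status line so only "Name: value" lines remain.
# Header names are case-insensitive, so every grep below uses -i.
headers_only() {
  printf '%s\n' "$1" | tr -d '\r' | sed '/^HTTP\//d'
}

# Headers that usually carry a product name and/or version.
version_banners() {
  headers_only "$1" \
    | grep -iE '^(Server|X-Powered-By|X-AspNet(Mvc)?-Version|X-Generator|X-Runtime):' || true
}

# Remaining X-* headers: not browser security headers, not already counted as banners.
# Things like x-amz-cf-id point at the CDN/proxy layer in front of the app.
other_x_headers() {
  headers_only "$1" | grep -i '^X-' \
    | grep -viE '^(X-Frame-Options|X-Content-Type-Options|X-XSS-Protection|X-Powered-By|X-AspNet(Mvc)?-Version):' \
    || true
}

# Print each common security header that the response does NOT set.
missing_security_headers() {
  hdrs=$(headers_only "$1")
  for h in Strict-Transport-Security Content-Security-Policy X-Frame-Options \
           X-Content-Type-Options Referrer-Policy; do
    printf '%s\n' "$hdrs" | grep -qi "^$h:" || printf '%s\n' "$h"
  done
}

echo "== version banners =="
version_banners "$SAMPLE_RESPONSE"
echo "== other X-* headers =="
other_x_headers "$SAMPLE_RESPONSE"
echo "== missing security headers =="
missing_security_headers "$SAMPLE_RESPONSE"

# Live use against a real target (URL is a placeholder you supply):
#   version_banners "$(curl -skI "$URL")"
```

Against a live host, feed the output of curl -skI "$URL" to the same functions; note that a CDN or reverse proxy may rewrite or strip the Server header, so the remaining X-* headers and cookie names are often the better fingerprint.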
Inspect Sitemap
/sitemap.xml and /robots.txt may reveal additional endpoints.
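Building a target-specific wordlist, as an added example (not from the original notes), covering both the "use words from the host's context" advice under Directory Enumeration and the robots.txt/sitemap.xml point above. The ROBOTS, SITEMAP and SHARES inputs are constructed for this example (example.test is not a real host); the helper functions are hypothetical. Paths are harvested from robots.txt Disallow lines and sitemap <loc> entries, SMB share names are normalised, and every word gets a few common variants before deduplication. The result is meant to be saved to a file and passed to gobuster/dirsearch/ffuf with -w.

```shell
#!/bin/sh
# Added example: derive a dirbusting wordlist from the target's own context.
# All three inputs below are constructed for this example.
ROBOTS='User-agent: *
Disallow: /admin/
Disallow: /backup
Allow: /
Sitemap: https://example.test/sitemap.xml'

SITEMAP='<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/portal/login</loc></url>
  <url><loc>https://example.test/api/v1/status</loc></url>
</urlset>'

# e.g. the share names seen in an earlier SMB enumeration step
SHARES='Finance
IT-Tools
webdev$'

# Disallow: /foo/  ->  foo   (leading and trailing slash removed, root dropped)
robots_paths() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's#^[Dd]isallow:[[:space:]]*/\([^[:space:]]*\).*#\1#p' \
    | sed 's#/$##' | grep -v '^$'
}

# <loc>https://host/a/b</loc>  ->  a/b  and  a   (full path plus its first segment)
sitemap_paths() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's#.*<loc>[A-Za-z]*://[^/<]*/\{0,1\}\([^<]*\)</loc>.*#\1#p' \
    | grep -v '^$' \
    | while IFS= read -r p; do
        printf '%s\n' "${p%/}"
        printf '%s\n' "${p%%/*}"
      done
}

# Share names: lowercase, strip the hidden-share "$", add a hyphen-less variant.
share_words() {
  printf '%s\n' "$1" | tr -d '\r$' | tr '[:upper:]' '[:lower:]' | grep -v '^$' \
    | while IFS= read -r w; do
        printf '%s\n' "$w"
        case $w in *-*) printf '%s\n' "$w" | tr -d '-' ;; esac
      done
}

# Common "leftover" variants that turn up next to the real path.
mutate() {
  while IFS= read -r w; do
    printf '%s\n' "$w" "${w}_old" "${w}_backup" "${w}-dev"
  done
}

# Combine all sources, mutate, deduplicate.
build_wordlist() {
  { robots_paths "$1"; sitemap_paths "$2"; share_words "$3"; } | mutate | sort -u
}

build_wordlist "$ROBOTS" "$SITEMAP" "$SHARES"

# Live use (URL is a placeholder; shares.txt is a list you wrote down earlier):
#   build_wordlist "$(curl -sk "$URL/robots.txt")" "$(curl -sk "$URL/sitemap.xml")" \
#                  "$(cat shares.txt)" > context.txt
#   dirsearch -u "$URL" -w context.txt -e php,aspx,txt
```

Keep the variant list short and specific to what you have already seen on the host; the point is a small, high-signal list to run after the generic wordlists have been exhausted, not a replacement for them.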
Default Admin Credentials
If directory enumeration turns up an admin panel, try the vendor's default credentials to log in. EyeWitness can help here: it screenshots each web service and, for login pages it recognises, lists the known default credentials for that product.
Public Exploit Database
Search searchsploit / Exploit-DB using the name and version of the identified server, CMS, OS, plugin, etc.