{"id":1446,"date":"2020-05-11T10:20:32","date_gmt":"2020-05-11T08:20:32","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1446"},"modified":"2025-03-31T21:33:49","modified_gmt":"2025-03-31T19:33:49","slug":"https","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1446","title":{"rendered":"80 <span class=\"caps\">HTTP<\/span>"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Enumeration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Mandatory<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start Burp<\/li>\n\n\n\n<li>Start .\/script\/web-enum.sh<\/li>\n\n\n\n<li>Browse through the page (with&nbsp;Burp)&nbsp;<ol class=\"wp-block-list\">\n<li>Check robots.txt<\/li>\n\n\n\n<li>Check a 404 page (site \/dsoidfsiohfdghfdghfgdiofdiogidgffg)<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Deter\u00admine and write down each used technology:&nbsp;<ol class=\"wp-block-list\">\n<li>Serv\u00ader<\/li>\n\n\n\n<li>Appli\u00adca\u00adtion Server<\/li>\n\n\n\n<li>Lan\u00adguages<\/li>\n\n\n\n<li>Frame\u00adworks<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>For all of the pre\u00advi\u00adous findings:&nbsp;<ol class=\"wp-block-list\">\n<li>Check if there is a blog post&nbsp;here<\/li>\n\n\n\n<li>Check for exploits.<\/li>\n\n\n\n<li>Check for <a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/pentesting-web\">web tech tricks on Hacktricks<\/a><\/li>\n\n\n\n<li>Try a spe\u00adcial\u00adized scanner<\/li>\n\n\n\n<li>Down\u00adload the exact ver\u00adsion of the <span class=\"caps\">CMS<\/span> and look for inter\u00adest\u00ading&nbsp;files.<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Repeat web crawl\u00ading for all found directories.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Optional<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check for sequen\u00adtial URLs and try to enu\u00admer\u00adate oth\u00ader&nbsp;URLs.<\/li>\n\n\n\n<li>If there are para\u00adme\u00adters, try change them (maybe also with a small script and a wordlist with usu\u00adal com\u00admand parameters)&nbsp;<ul class=\"wp-block-list\">\n<li>See <a href=\"https:\/\/github.com\/devanshbatham\/ParamSpider\">ParamSpi\u00adder<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Try oth\u00ader wordlists<\/li>\n\n\n\n<li>Try wordlists with oth\u00ader suffixes<\/li>\n\n\n\n<li>Try oth\u00ader crawlers (dirb \/ dir\u00adbuster \/&nbsp;nikto&nbsp;\/&nbsp;\u2026)<\/li>\n\n\n\n<li>Find exploits for the server<\/li>\n\n\n\n<li>Check if exter\u00adnal sources are embe\u00add\u00aded (e.g. via a para\u00adme\u00adter \/&nbsp;<span class=\"caps\">LFI<\/span>)<\/li>\n\n\n\n<li>Make a wordlist with&nbsp;cewl<\/li>\n\n\n\n<li>Ana\u00adlyze the cookies<\/li>\n\n\n\n<li>Ana\u00adlyze the local storage<\/li>\n\n\n\n<li>If you have a domain:&nbsp;<ol class=\"wp-block-list\">\n<li>Try vhost enumeration<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>For logins \/ htauth:&nbsp;<ol class=\"wp-block-list\">\n<li>Search for default passwords<\/li>\n\n\n\n<li>Typ \u2019 or \u201d or \u2014 to trig\u00adger a pos\u00adsi\u00adble <span class=\"caps\">SQL<\/span> injection.<\/li>\n\n\n\n<li>Try usu\u00adal combinations:&nbsp;<ul class=\"wp-block-list\">\n<li>admin \/&nbsp;admin<\/li>\n\n\n\n<li>admin \/ password<\/li>\n\n\n\n<li>guest \/&nbsp;guest<\/li>\n\n\n\n<li>test \/&nbsp;test<\/li>\n\n\n\n<li>admin \/ 123456<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Brute-force with cewl-based wordlist<\/li>\n\n\n\n<li>Brute-force with gen\u00ader\u00adal wordlists<\/li>\n\n\n\n<li>Set anoth\u00ader Host header<\/li>\n\n\n\n<li>Set proxy header<\/li>\n\n\n\n<li><a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/pentesting-web\">Try oth\u00ader tips from the Hack\u00adtricks list<\/a><\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Per\u00adform a gen\u00ader\u00adal vul\u00adner\u00ada\u00adbil\u00adi\u00adty&nbsp;scan:&nbsp;<ol class=\"wp-block-list\">\n<li>Nmap <span class=\"caps\">NSE<\/span><\/li>\n\n\n\n<li>Metas\u00adploit exploit_suggester<\/li>\n\n\n\n<li>Open\u00adVAS<\/li>\n\n\n\n<li>Nes\u00adsus<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>For forms:\n<ol class=\"wp-block-list\">\n<li>Make a pseu\u00addo-nor\u00admal request which is record\u00aded in&nbsp;Burp<\/li>\n\n\n\n<li>Per\u00adform requests with the following:&nbsp;<ol class=\"wp-block-list\">\n<li>\u2019<\/li>\n\n\n\n<li>\u201d<\/li>\n\n\n\n<li>Extrem long input&nbsp;data<\/li>\n\n\n\n<li>Escap\u00ading char\u00adac\u00adters for the used tech\u00adnol\u00ado\u00adgy (e.g. &lt;% %&gt; {{ }} \u2026)<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Store the request in a file and exe\u00adcute <code>sqlmap -v 4 -r \/tmp\/request<\/code>.<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>For file uploads:&nbsp;<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/file-upload\">See file upload tricks.<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>You have many text to look through \/ parse? <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4868\" data-type=\"post\" data-id=\"4868\">See the grepable strings page.<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nik\u00adto<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=264\">dirb<\/a><\/li>\n\n\n\n<li>dir\u00adbuster<\/li>\n\n\n\n<li>unis\u00adcan<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=264\"><span class=\"caps\">OWASP<\/span> <span class=\"caps\">ZAP<\/span><\/a><\/li>\n\n\n\n<li>Blind\u00adEle\u00adphant<\/li>\n\n\n\n<li>WhatWeb<\/li>\n\n\n\n<li>com\u00admix (<span class=\"caps\">SQL<\/span> injections)<\/li>\n\n\n\n<li>wp_scan (Word\u00adPress)<\/li>\n\n\n\n<li>jom\u00adscan (Joom\u00adla)<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=500\">droopes\u00adcan<\/a> (Dru\u00adpal, Silverstripe)<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=24\">sslyze<\/a> (<span class=\"caps\">SSL<\/span>&nbsp;scan)<\/li>\n\n\n\n<li><a href=\"https:\/\/sabre.io\/dav\/clients\/cadaver\/\">Cadav\u00ader<\/a> (for CalDAV\/CardDAV client software)<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/lanjelot\/patator\">Pata\u00adtor<\/a> (brute force)<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=933\">magscan<\/a> (Magen\u00adto)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Enu\u00admer\u00ada\u00adtion Manda\u00adto\u00adry Option\u00adal&nbsp;Tools<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[36],"tags":[37,50,180],"class_list":["post-1446","post","type-post","status-publish","format-standard","hentry","category-port","tag-checklist","tag-enumeration","tag-http"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1446"}],"version-history":[{"count":13,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1446\/revisions"}],"predecessor-version":[{"id":4870,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1446\/revisions\/4870"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}