Web Basic Pentesting
Last modified: 2023-01-31
Basic methodologies of web penetration tests. A default port is 80. HTTPS uses a port 443.
Enumeration
nmap --script http-auth --script-args http-auth.path=/login -p 80,443 <target-ip>
nmap --script http-devframework -p 80,443 <target-ip>
nmap --script http-enum -p 80,443 <target-ip>
nmap --script http-headers -p 80,443 <target-ip>
nmap --script http-methods -p 80,443 <target-ip>
Nikto
Nikto is a web server scanenr.
nikto -h http://<target-ip>
# -p: Specify ports
nikto -p 80,3000 -h <target-ip>
# -T: Tuning
# 1: Interesting files
# 2: Misconfiguration
# 3: Information Disclosure
# 4: Injection (XSS/Script/HTML)
nikto -T 1 2 3 -h <target-ip>
# -useragent: Custom user agent
nikto -useragent <user-agent> -h <target-ip>
# -e: IDS evasion
# 1: Random URI encoding
# 7: Change the case of URL
nikto -e 1 7 -h <target-ip>
Whatweb
Whatweb is a web scanner.
whatweb <target-ip>
# Aggression level (1-4)
whatweb -a 3 <target-ip>
To use plugins, run the following commands.
# List all plugins
whatweb -l
# Search plugins
whatweb -I apache
whatweb -I phpBB
whatweb -I phpmyadmin
whatweb -I windows
# Use plugin
whatweb -p phpBB <target-ip>
Investigation
# WHOIS
whois example.com
# SSL/TLS connection
openssl s_client --connect example.com:443
sslscan example.com
-
Multi purpose HTTP toolkit.
SSL Certificates
It may contain the sensitive information about the target company.
We can find it on the key icon in the URL bar in the most web browsers.
Find Information in Web Pages
curl http://vulnerable.com/ | grep -i hidden
curl http://vulnerable.com/ | grep -i password
Request using Python
GET Request
#!/usr/bin/env python3
import requests
ip = '10.0.0.1'
port '80'
url = 'http://%s:%s' % (ip, port)
ua = 'Mozilla/5.0 ...'
# Args
params = {'page': '2', 'item': 'chair'}
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
auth = requests.auth.HTTPBasicAuth('username', 'password')
r = requests.get(url, params=params, headers=headers, cookies=cookies, auth=auth)
print(r.text)
-
With Session
#!/usr/bin/env python3 import requests url = 'http://example.com' session = requests.Session() r = session.get(url) print(r.text)
POST Request
#!/usr/bin/env python3
import requests
url = 'http://example.com/login'
data = {'username': 'admin', 'password': 'admin'}
# Args
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
r = requests.post(url, data=data, headers=headers, cookies=cookies)
-
With Session
#!/usr/bin/env python3 import requests url = 'http://example.com/comment' data = {'name': 'Mike', 'comment': 'Hello'} session = requests.Session() r = session.post(url, data=data) print(r.text)
