Exploit Notes

Web Basic Pentesting

Last modified: 2023-01-31

Web

Basic methodologies of web penetration tests. The default HTTP port is 80; HTTPS uses port 443.

Enumeration

nmap --script http-auth --script-args http-auth.path=/login -p 80,443 <target-ip>
nmap --script http-devframework -p 80,443 <target-ip>
nmap --script http-enum -p 80,443 <target-ip>
nmap --script http-headers -p 80,443 <target-ip>
nmap --script http-methods -p 80,443 <target-ip>

Nikto

Nikto is a web server scanner.

nikto -h http://<target-ip>

# -p: Specify ports
nikto -p 80,3000 -h <target-ip>

# -T: Tuning
#  1: Interesting files
#  2: Misconfiguration
#  3: Information Disclosure
#  4: Injection (XSS/Script/HTML)
nikto -T 1 2 3 -h <target-ip>

# -useragent: Custom user agent
nikto -useragent <user-agent> -h <target-ip>

# -e: IDS evasion
#  1: Random URI encoding
#  7: Change the case of URL
nikto -e 1 7 -h <target-ip>

Whatweb

Whatweb is a web scanner.

whatweb <target-ip>

# Aggression level (1-4)
whatweb -a 3 <target-ip>

To use plugins, run the following commands.

# List all plugins
whatweb -l

# Search plugins
whatweb -I apache
whatweb -I phpBB
whatweb -I phpmyadmin
whatweb -I windows

# Use plugin
whatweb -p phpBB <target-ip>

Investigation

# WHOIS
whois example.com

# SSL/TLS connection (s_client takes a single-dash -connect option)
openssl s_client -connect example.com:443
sslscan example.com

httpx

Multi-purpose HTTP toolkit.

SSL Certificates

It may contain sensitive information about the target company.
It can be viewed by clicking the key icon in the URL bar of most web browsers.

Find Information in Web Pages

curl http://vulnerable.com/ | grep -i hidden
curl http://vulnerable.com/ | grep -i password
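An added Python example (not from the original notes) that does the same audit as the two curl | grep lines above on a constructed sample page, but parses the markup instead of matching substrings, so it also catches TYPE="HIDDEN", single-quoted attributes and multi-line comments:

```python
#!/usr/bin/env python3
# Added example: parse the markup instead of grepping for "hidden".
from html.parser import HTMLParser
# Constructed sample page standing in for a fetched response body.
SAMPLE_HTML = """<html><head><title>Login</title></head>
<body>
<!-- TODO: remove test account admin:changeme before go-live -->
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input TYPE="HIDDEN" name="csrf" value="d3adb33f">
  <input type='hidden' name='debug' value='1'>
</form>
<!--
  legacy backup: /old/site.zip
-->
</body></html>"""

# Substrings that make a comment worth a closer look during a review.
KEYWORDS = ("passw", "account", "todo", "backup", "debug", "secret", "key")


class PageAuditor(HTMLParser):
    """Collects hidden inputs and comments while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden_inputs = []  # (name, value) pairs
        self.comments = []       # comment text with whitespace collapsed

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, not values.
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs.append((a.get("name"), a.get("value")))

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))


def audit_page(html):
    """Return hidden inputs, all comments, and the comments matching KEYWORDS."""
    p = PageAuditor()
    p.feed(html)
    p.close()
    flagged = [c for c in p.comments if any(k in c.lower() for k in KEYWORDS)]
    return {"hidden_inputs": p.hidden_inputs, "comments": p.comments, "flagged": flagged}


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML)
    print("hidden inputs:", result["hidden_inputs"])
    print("comments to review:", result["flagged"])
```

To run it against a live page, pass `r.text` from one of the requests snippets below to `audit_page` instead of `SAMPLE_HTML`.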

Request using Python

GET Request

#!/usr/bin/env python3
import requests

ip = '10.0.0.1'
port = '80'
url = 'http://%s:%s' % (ip, port)
ua = 'Mozilla/5.0 ...'

# Args
params = {'page': '2', 'item': 'chair'}
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
auth = requests.auth.HTTPBasicAuth('username', 'password')

r = requests.get(url, params=params, headers=headers, cookies=cookies, auth=auth)

print(r.text)

With Session

#!/usr/bin/env python3
import requests

url = 'http://example.com'

# A Session keeps cookies set by the server across subsequent requests.
session = requests.Session()
r = session.get(url)

print(r.text)

POST Request

#!/usr/bin/env python3
import requests

url = 'http://example.com/login'
ua = 'Mozilla/5.0 ...'

# Form fields sent in the request body
data = {'username': 'admin', 'password': 'admin'}

# Args
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}

r = requests.post(url, data=data, headers=headers, cookies=cookies)

print(r.text)

With Session

#!/usr/bin/env python3
import requests

url = 'http://example.com/comment'

data = {'name': 'Mike', 'comment': 'Hello'}

# A Session keeps cookies set by the server across subsequent requests.
session = requests.Session()

r = session.post(url, data=data)

print(r.text)

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.