URL & App Scan

URLs are a good place to start when identifying vulnerabilities within an application. In black-box testing the URLs are not revealed and have to be determined. The following tools can be used for checking for URLs from a predefined list.

DIRB

In the following command a wordlist is also supplied. In case of no wordlist, dirb will use a default one.

dirb http://thief.htb /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

Gobuster

The command below can be used for enumerating URLs:

gobuster dir -k -u http://10.129.240.196/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,302,307,403,500' -e -z -x html,htm,asp,aspx,php

The following command can be used for enumerating parts of a URL:

gobuster dir -u http://192.168.90.12 -w /usr/share/wordlists/dirb/big.txt -p pattern.txt
# The pattern.txt file should contain:
{GOBUSTER}/v1
{GOBUSTER}/v2

dir - Enumerate the directories

dns - DNS subdomain enumeration

-s - The status codes that the scan should return

-z - No progress, don't display it

-e - Expanded mode, print complete URL

-x - Extensions to search for

gobuster help <mode> #this will list out all the options under that mode
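
What the wordlist scans above look like from the server side, as an added example that is not part of the original page: it flags clients that request many distinct paths and mostly receive 404, and lists the paths that did not return 404 so they can be reviewed first. The log lines are constructed, and the combined log format, the thresholds, the function names and the User-Agent substrings are assumptions; the User-Agent is client-controlled, so it only corroborates the volume signal.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD target proto" status size "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
TOOL_AGENTS = ("gobuster", "nikto")  # assumption: default User-Agents contain the tool name

def build_sample_log():
    """Constructed sample: one client walking a wordlist with /v1, /v2 patterns, one normal client."""
    fmt = '{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'
    lines = []
    for word in ("admin", "backup", "api", "test"):
        for suffix in ("", "/v1", "/v2"):
            path = "/" + word + suffix
            status = 200 if path == "/api/v1" else 404
            lines.append(fmt.format(ip="203.0.113.7", path=path, status=status, ua="gobuster/3.6"))
    for path, status in (("/", 200), ("/index.html", 200), ("/missing.png", 404)):
        lines.append(fmt.format(ip="198.51.100.20", path=path, status=status, ua="Mozilla/5.0"))
    return lines

def detect_enumeration(lines, min_paths=10, min_404_ratio=0.8):
    """Flag clients that request many distinct paths and mostly receive 404."""
    stats = defaultdict(lambda: {"paths": set(), "found": set(), "total": 0, "miss": 0, "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined log format
        ip, _method, target, status, agent = m.groups()
        path = target.split("?", 1)[0]  # count a path once regardless of query string
        s = stats[ip]
        s["paths"].add(path)
        s["total"] += 1
        s["agents"].add(agent.lower())
        if status == "404":
            s["miss"] += 1
        else:
            s["found"].add(path)  # what the scan located: review these first
    findings = {}
    for ip, s in stats.items():
        ratio = s["miss"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            findings[ip] = {
                "distinct_paths": len(s["paths"]), "ratio_404": round(ratio, 2),
                "found": sorted(s["found"]),
                "tool_agent": any(t in a for a in s["agents"] for t in TOOL_AGENTS),
            }
    return findings

print(detect_enumeration(build_sample_log()))
```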

Nikto

Nikto does a general scan of the web server for vulnerabilities and some of the obvious URLs that may be vulnerable:

nikto -host=http://devzat.htb

Whatweb

Whatweb identifies the web technologies used in a website. It can also identify content management systems, JavaScript libraries, web servers, etc.

whatweb http://particle42.com
