Particle42
  • 🔬Network Enumeration
    • NMAP
    • TCPdump
  • 🔭Website Enumeration
    • Passive Information Gathering
    • Subdomain Enumeration
  • 🖥️Web Application
    • URL & App Scan
    • Subdomain/Vhost Fuzz
    • Login Hack
    • Cross Site Scripting
    • Directory Traversal
    • Local File Inclusion
    • Remote File Inclusion
    • PHP Wrappers
    • SQL Injection
      • Bypass Authentication
      • Database Enumeration
      • Code Execution Via Injection
      • SQL Injection Tools
      • Other Resources
    • NOSQL Injection
      • Bypass Authentication
    • WordPress Scanner
    • Hints & Easter Eggs
  • 🎣Phishing
    • Client Info Gathering
    • HTA
    • Word Macros
    • Windows Library Files
  • 🪟Windows
    • Enumeration & PE Quick Ref
    • Enumeration
      • Users
      • Powershell History
      • System Details
      • Applications & Services
      • Files & Filesystems
      • Cached Creds
    • Windows PE
      • Windows PE Checklist
      • Service Binary Hijacking
      • Important Files
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Other PE Methods
      • Finding PE Vulns
      • SeImpersonatePrivilege
      • Bypassuac using Bypassuac.exe
      • Bypassuac using eventviewer.exe
      • Rasta Watson
    • Windows Remote Access
  • 📂Active Directory
    • About
    • Important Definitions
    • Exploitation Methodology
    • AD Kerberos
      • Invoke-Kerberoast - Shortcut
    • Domain Recon
      • Auto Recon
    • AD Authentication Attacks
      • Password Guessing
      • Creating & Cracking TGS
      • Kerberoasting
    • Lateral Movement
      • Pass the Hash
      • Overpass the Hash
      • Pass the Ticket
      • Distributed Component Object Model
      • Golden Ticket
      • Shadow Copy
      • Domain Controller Sync
      • Windows Management Instrumentation
      • PowerShell Remoting
    • All Commands, Tools & Scripts
      • Using Crackmapexec
      • Using Powerview
      • Important Scripts & Links
  • 🍺Buffer Over Flow
    • Finding EIP Position
    • Eliminating Bad Characters
    • Finding Return Address
    • Payload for BOF
  • 🐧Linux
    • Enumeration
      • Users
      • Encrypted Files
      • System Info
      • Files & Filesystems
      • Applications & Services
    • Attack Vectors
      • Authorised Keys
    • Linux PE
      • Enumeration Commands
      • Finding PE Vulns
      • Check Sudo List
      • Add User to Passwd File
      • SUIDs
      • Tasks with Wildcard
      • Dirty Cow
      • DirtyPipe
      • Insecure File Permissions
      • Enumerating Processes
    • Quick Commands
  • Services
    • SMB
      • Find Server Version
      • Directory Traversal using Symlink
      • Enable Passwordless SMB Access
    • MSSQL
    • MYSQL
    • PHPLiteAdmin
    • SSH
      • Limited Keys Issue
    • SMTP
      • Sending Email
    • Webdav
    • DNS
      • DNS Recon
  • ↗️Pivoting
    • Bringing Internet Access
    • Port Forwarding
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
    • HTTP Tunnel-ing
    • DNS Tunneling
    • Chisel
    • Ligolo-NG
  • 🔑Passwords
    • Wordlist Generation
    • HTTP Applications
    • OS Login
    • Password Cracking
      • Using Hashes Directly
      • Cracking Hashes
    • SAM & System
  • 🛠️Practical Tools
    • Remote Shell
      • Alternate Reverse Shells
      • Move to Interactive Shell
    • File Transfers
      • Quick Webservers
    • CURL
    • Payloads
      • MSFVenom
      • Veil Framework
    • Crafty Executable
    • Metasploit
      • Discovery
    • IMPACKET
      • MSSQL-Client
    • Clever Alternatives
  • 🚀Privilege Escalation
    • General Info
  • ⚡Resources
    • Exploits
Powered by GitBook
On this page
  • DIRB
  • Gobuster
  • Nikto
  • Whatweb

Was this helpful?

  1. Web Application

URL & App Scan

In order to be able to identify vulnerabilities within an application, URLs is a good place to start. In a black box testing the urls will not be revealed and it has to be determined. The following tools can be used for either checking for URLs from a predefined list.

DIRB

In the following command a wordlist is also supplied. In case of no wordlist, dirb will use a default one.

dirb http://thief.htb /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

Gobuster

The below command can be used for enumerating URLs,

gobuster dir -k -u http://10.129.240.196/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,302,307,403,500' -e -z -x html,htm,asp,aspx,php

The following command can be used for enumerating parts of an URL,

gobuster dir -u http://192.168.90.12 -w /usr/share/wordlists/dirb/big.txt -p pattern.txt
#The pattern.txt file should contains,
{GOBUSTER}/v1
{GOBUSTER}/v2

dir - Enumerate the directories

dns - DNS subdomain enumeration

s - The status codes that the scan should return

z - No progress, don't display it

e - Expanded mode, print complete url

x - Extensions to search for

gobuster help <mode> #this will list out all the options under that mode

Nikto

Nikto does a general scan of the webserver for vulnerabilities and some of the obvious urls that may be vulnerable,

nikto -host=http://devzat.htb

Whatweb

Whatweb identifies the web technologies used in a website. It can also identify content management systems, javascripts, web servers, etc.

whatweb http://particle42.com

PreviousSubdomain EnumerationNextSubdomain/Vhost Fuzz

Last updated 7 months ago

Was this helpful?

🖥️