Day 035 #FromZeroToHacker – Web Enumeration

Time to learn the methodology of enumerating websites using tools such as Gobuster, Nikto and WPScan.

Let’s find everything in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to Web Enumeration

The next room in the path is Upload Vulnerabilities, but it is recommended to complete the Web Enumeration and What the Shell? rooms first, so let’s do it.

Enumeration is the process of probing a target for information. It is a basic tool in our arsenal and normally the first step when attacking a target.

What I have learnt today?

Manual enumeration

Forget about hooded hackers in a dimly lit room typing like crazy: we can get a lot of results just by visiting the website with nothing more than a mouse and a browser.

With your browser, you can right-click an image and find out where the images are kept. Or you can read the source code to look for comments and find that the junior programmer has left the admin username and password in one of them.

Using our browser Developer Console

Brave, Chrome, Firefox and most modern browsers have Developer Tools or Console. There, we can find assets, view the source code, debug or execute JavaScript code, and more.

Right-click and select Inspect, or press F12 on your keyboard; this will open the Inspecting tool.

Web Enumerating with the Inspecting tool

Right now, nothing important there, but sometimes developers leave comments between the <!-- and --> tags. For example: <!-- This isn't working. Try login as admin:admin123 and find out why we are getting a 404 error --> .

This piece of code won’t be displayed in the browser for regular users, but we can read it in the source code, so it is a good place to look.

Web Enumerating by reading comments in the source code
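The same check can be automated from the defender's side before a release: pull every HTML comment out of a page and flag the ones that look like they leak credentials, keys or leftover TODOs. This is an added example, not code from the original post or from TryHackMe; the sample page and the patterns are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: what a reviewer or a pre-deploy check would scan.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<!-- TODO: remove before release -->
<!-- This isn't working. Try login as admin:admin123 and find out why we get a 404 -->
<img src="/static/img/logo.png">
<!-- internal api key = AKIA_PLACEHOLDER_EXAMPLE -->
<script>// ignore this line, not an HTML comment</script>
</body></html>"""

# Patterns that suggest a comment leaks something worth removing (constructed list).
SENSITIVE = [
    ("credential-pair", re.compile(r"\b[\w.-]+:[\w!@#$%^&*-]{4,}\b")),
    ("keyword", re.compile(r"\b(password|passwd|pwd|login|api[_ -]?key|secret|token)\b", re.I)),
    ("todo", re.compile(r"\b(todo|fixme|hack|remove before)\b", re.I)),
]

class CommentCollector(HTMLParser):
    """Collect <!-- --> comments; <script> bodies are not parsed as comments."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def extract_comments(html):
    p = CommentCollector()
    p.feed(html)
    return p.comments

def flag_comments(html):
    """Return (comment, [labels]) for every comment that matches a pattern."""
    findings = []
    for c in extract_comments(html):
        labels = [name for name, rx in SENSITIVE if rx.search(c)]
        if labels:
            findings.append((c, labels))
    return findings

if __name__ == "__main__":
    for c, labels in flag_comments(SAMPLE_HTML):
        print(f"[{', '.join(labels)}] {c}")
```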

Gobuster

With Gobuster you won’t catch any ghosts, but you can find hidden folders.

If you haven’t cringed enough to leave this blog yet, Gobuster is an open-source tool written in Go (Golang) used to brute-force URIs, DNS subdomains, virtual host names, open Amazon S3 buckets and more.

You can install it with the sudo apt install gobuster command.

Useful Global flags

While running Gobuster, we can use flags in our commands to specify a bit more what we want to do. Some flags are:

-t Number of concurrent threads (Default 10)
-v Verbose output
-z Don’t display progress
-q Don’t print the banner and other noise
-o Output file to write results to

You can find all the global flags in the Gobuster Readme.md file.

Gobuster modes

dir Mode

With the dir mode, we can enumerate the directory structure of a website by brute-forcing it with wordlists. Not only does it scan the website, it also returns the status code of each hit.

Using dir Mode

Using this mode is pretty simple. Here is a simple command:

gobuster dir -u IP -w WORDLIST_ROUTE

The -u flag points to the URL (or IP) of the website’s base path, and -w loads the wordlist we want to use. Simple, right? If we want to enumerate the shopping cart, we just use IP/cart as the base path, and so on.

And there are even more flags you can use:

Gobuster Dir Flags

For example, if you want to run the same code, but only look for certain file extensions, you can use the -x flag:

gobuster dir -u IP -w WORDLIST_ROUTE -x .html,.css,.js

You can also use the -k flag to skip TLS certificate validation (handy for self-signed certificates), so an HTTPS target with a bad certificate does not stop the scan.
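From the blue-team side, a dir-mode scan is easy to spot in the web server's access log: one client requesting many distinct paths in a short window, most of them answered with 404. The following detection over constructed Apache/nginx "combined" log lines is an added example, not code from the original post; the IPs, timestamps and the gobuster User-Agent string in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed "combined" access log: one client sweeping paths from a wordlist
# (mostly 404s) and one ordinary visitor who hits a single broken link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /cart HTTP/1.1" 200 5120 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /config.js HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /old.html HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /cart HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LINE_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(log_text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            d["status"] = int(d["status"])
            yield d

def find_bruteforcers(log_text, window_s=10, min_404=4):
    """Clients that produced >= min_404 distinct 404 paths inside any window_s-second window."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        if rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):          # sliding window anchored at each 404
            inside = [r for r in recs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_s]
            paths = {r["path"] for r in inside}
            if len(paths) >= min_404:
                # A tool User-Agent is a bonus signal, never the only one: it is trivially changed.
                tool_ua = any("gobuster" in r["ua"].lower() for r in inside)
                hits[ip] = {"distinct_404": len(paths), "tool_ua": tool_ua}
                break
    return hits
```

Tune window_s and min_404 to the site's normal 404 rate; a site with many broken links needs a higher threshold than one where 404s are rare.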

dns Mode

The dns mode lets you brute-force subdomains, which matters because some vulnerabilities may be fixed on the main domain but not on a subdomain.

Using dns Mode

Using this mode is pretty simple too. Here is a simple command:

gobuster dns -d DOMAIN_NAME -w WORDLIST_ROUTE

Pretty much the same as the dir mode, but pointing to a DOMAIN_NAME with -d.

And here is a list of all the DNS flags:

Gobuster DNS Flags

vhost Mode

vhost, the last mode. This one allows Gobuster to brute-force virtual hosts.

Virtual Hosts are different websites served from the same machine: they share the same IP address and run on the same server.

Using vhost Mode

No surprise: Using this mode is pretty simple too. Here is a simple command:

gobuster vhost -u URL -w WORDLIST_ROUTE --append-domain

You are getting the hang of it, right? Ah! Of course, more flags:

Gobuster Vhost flags

Using Wordlists

Kali Linux comes with several wordlists already installed. Some of them, and their paths, are:

  • /usr/share/wordlists/dirbuster/directory-list-2.3-*.txt
  • /usr/share/wordlists/dirbuster/directory-list-1.0.txt
  • /usr/share/wordlists/dirb/big.txt
  • /usr/share/wordlists/dirb/common.txt
  • /usr/share/wordlists/dirb/small.txt
  • /usr/share/wordlists/dirb/extensions_common.txt

There is also a great GitHub repo called SecLists. You can download them individually, but you can also get the entire repo with sudo apt install seclists.

WPScan

Despite being released in June 2011, it is still one of our main tools as pentesters, as it is a great way to enumerate and research a few security vulnerability categories in WordPress sites like Sensitive Information, Path Discovery, Weak Passwords and more. A WordPress killer.

And you can install it with sudo apt update && sudo apt install wpscan, or it is already pre-installed if you are using Kali Linux.

Getting ready

WPScan uses a local database as a primary reference point when enumerating so, before doing anything, it is good practice to run wpscan --update to update the said database.

WPScan update

WPScan modes

Enumerating for Installed Themes

We can learn which theme a given WordPress site is using by going to the Inspector and doing a bit of digging:

Web Enumeration via Developer tools
Web Enumeration via Source code

But automation is the future, right?

wpscan --url URL --enumerate t

This command runs WPScan with the url URL and --enumerate t enumerates popular themes. Click to learn more about WPScan flags.

Enumerated theme
Enumerating for Installed Plugins

Directory Listing is a feature often enabled by default, and WPScan can leverage it to look for plugins installed in the usual folder (WP_URL/wp-content/plugins/PLUGIN_NAME).

Enumerated plugins

Here we just saw that the easy-table-of-contents plugin is installed, and we even have the version number! Now we can Google for vulnerabilities in this plugin.

In WordPress, plugins must have a Readme file containing meta-information such as the plugin name, version, PHP version required, etc:

Wordpress example Readme file

We can do all of this and more with just a simple command:

wpscan --url URL --enumerate p

Yes, the same command as before but using p in the value of the enumerate flag to indicate we are looking for plugins.
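WPScan's plugin enumeration rests on the readme.txt header described above: the "Stable tag" line gives away the installed version, which is then compared against known advisories. The following parser and version check is an added example, not WPScan's own code; the plugin name, versions and advisory entries are invented placeholders.

```python
import re

# Constructed readme.txt in the WordPress plugin header format. The plugin,
# its versions and the advisories below are placeholders, not a real plugin.
SAMPLE_README = """\
=== Example Widget Plugin ===
Contributors: someone
Tags: widgets, table of contents
Requires at least: 5.0
Tested up to: 6.4
Requires PHP: 7.2
Stable tag: 1.4.1
License: GPLv2 or later

== Description ==
Adds an example widget.
"""

# Constructed advisory list, standing in for the database WPScan consults.
ADVISORIES = [
    {"slug": "example-widget-plugin", "title": "Stored XSS in widget title", "fixed_in": "1.4.2"},
    {"slug": "example-widget-plugin", "title": "Old auth bypass", "fixed_in": "1.0.0"},
]

HEADER_RX = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$")

def parse_readme(text):
    """Return the header block: plugin name plus every 'Key: value' line before the first == section."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("== "):          # first section heading ends the header block
            break
        m_name = re.match(r"^=== (.+?) ===$", line)
        if m_name:
            fields["Name"] = m_name.group(1)
            continue
        m = HEADER_RX.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def version_key(v):
    """'1.4.1' -> (1, 4, 1); short versions are padded so '1.4' == '1.4.0', suffixes are dropped."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))

def vulnerable_advisories(slug, version):
    """Advisories for this plugin whose fix landed after the installed version."""
    return [a for a in ADVISORIES
            if a["slug"] == slug and version_key(version) < version_key(a["fixed_in"])]
```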

Enumerating for Users

WPScan can also enumerate users by looking for the post author, as they are indeed a type of user.

wpscan --url URL --enumerate u

Same as always, but enumerating users now, hence the u value.

Enumerating users
The ‘Vulnerable’ flag

We are lazy. And if you are not, you should be.

After we discover what themes, plugins and users are present, we need to search for vulnerabilities in Google or websites like NVD, CVEDetails and more. But we are lazy:

wpscan --url URL --enumerate vp

This command enumerates the plugins as before, but the vp value also checks each one against the vulnerability database and reports the Vulnerable Plugins. This simplifies our job.

Performing a Password Attack

We have found a bunch of usernames. What is the next step? Brute-force our way in:

wpscan --url URL --usernames USERNAME --passwords WORDLIST_ROUTE

Provide a URL, a username and a list of passwords (rockyou.txt is one of the best ones out there) and it will try to find the password of the username you passed in the --usernames flag.

Adjusting WPScan’s Aggressiveness (WAF)

WPScan is aggressive by default, which may trigger defences (WordPress servers, plugins, firewalls, etc.) that block you automatically.

We can use arguments such as --plugins-detection and an aggressiveness level (passive/aggressive) to dodge this problem: --plugins-detection aggressive.

Nikto

Released in 2001, Nikto is still used today, thanks to being open-source and feature-rich. Capable of assessing all types of web servers (not just WordPress, as WPScan does), Nikto can be used to discover vulnerabilities such as sensitive files, outdated servers and programs, and common misconfigurations (directory indexing, missing XSS protections, etc.).

Pre-installed in Kali Linux and Parrot, it can be installed with the sudo apt update && sudo apt install nikto command.

Nikto modes

Basic scanning

The most basic scan you can do is pointing Nikto at the target with the -h (host) flag; it will retrieve the headers and look for sensitive files or directories.

nikto -h IP

Nikto basic

Here, Nikto has identified that the application is Apache Tomcat (from the favicon alone), and has learned that the HTTP methods PUT and DELETE can be performed by clients. Interesting.

Scanning multiple hosts & ports

Nikto can be provided with multiple arguments to perform multiple tasks. For example, we can scan multiple ports on one host:

nikto -h IP -p PORT_1,PORT_2,PORT_3

For example:

nikto -h 10.10.10.10 -p 80,8000,8080

Introduction to Plugins

We can extend the capabilities of Nikto with plugins. You can use the --list-plugins flag to list the plugins installed.

Some interesting plugins are apacheusers to enumerate Apache HTTP Authentication Users, cgi to look for CGI scripts, robots to analyse the robots.txt file, and dir_traversal which attempts to use a directory traversal attack (LFI). Here is the Nikto Plugin list to view all of them.

We can specify the plugin we want to use with the -Plugin argument:

nikto -h IP -Plugin PLUGIN_NAME

Verbosing our Scan

We can increase the verbosity of our Nikto scan with the -Display flag and the 1, 2 or 3 arguments:

  • 1 = Show any redirects that are given by the web server
  • 2 = Show any cookies received
  • 3 = Output any errors

Tuning your Scan for Vulnerability Searching

We can select what type of vulnerabilities we want to scan for with the -Tuning flag and the following values as argument:

  • 0 = File Upload
  • 2 = Misconfigurations/Default files
  • 3 = Information Disclosure
  • 4 = Injection
  • 8 = Command Execution
  • 9 = SQL Injection

Saving your findings

We can save our results into a file (Text file or HTML report) with the -o flag and provide the filename with an extension.

nikto -h IP -o report.html

And it will create a .html file like this:

Nikto HTML report

If you have a short memory like me, you may want this Nikto Cheat Sheet.

Summary

We have seen 4 ways to enumerate a website:

  • Manual enumeration
  • Gobuster
  • WPScan
  • Nikto

Stats

From 121.950th to 122.070th. I don’t know why, but well...

Here is also the Skill Matrix:

Skills Matrix

Resources

Random Room

TryHackMe: Web Enumeration

Other resources

Gobuster Readme.md
Gobuster tutorial
SecLists
WPScan flags
LFI
Nikto Plugin list
Nikto Cheat Sheet