Port 80/443 - Web

Web Directory Enumeration

# export URL=<http(s)://FQDN>  (the commands below read "$URL")
feroxbuster -k -e -u "$URL" -x html txt php js zip bak xml log -t 200 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
feroxbuster -k -e -u "$URL" -x html txt php js zip bak xml log -t 200 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Windows 
feroxbuster -k -e -u "$URL" -x html txt asps asp htm zip bak xml log -t 200 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

Web File Enumeration

# export URL=<http(s)://FQDN>/  (note the trailing slash; the commands below read "$URL")

feroxbuster -k -e -u "$URL" -x html txt php js zip bak xml log -t 200 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

# For lengthy and complex directory trees
# -n: no recursion
feroxbuster -e -u "$URL" -x html txt php js zip bak xml -t 200 -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt --filter-status 401,402,403,404,500,501,502 --quiet -n

# Discover quick-win files and folders - GIT
feroxbuster -e -u "$URL" -x html txt php js zip bak xml -t 200 -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt

# Windows
feroxbuster -e -u "$URL" -x html txt asps asp htm zip bak xml log -t 200 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

Subdomain Enumeration

# Adjust the value of the -fw option after a first run (the examples below use the values found for each target)

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.gofer.htb" -u http://gofer.htb -fw 20

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.runner.htb" -u http://runner.htb -fw 4

# Bug Bounty Program - Real World Wordlist

https://github.com/trickest/wordlists/blob/main/inventory/subdomains.txt

Parameter Enumeration

# GET
arjun -u http://server.com/page/

ffuf -ic -c -u "http://proxy.gofer.htb/index.php?FUZZ=file:/etc/passwd" -w "/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt" -t 200 -fw 42

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa" 

# POST 
arjun -u http://server.com/page/ -m POST

ffuf -X POST -ic -c -u "http://proxy.gofer.htb/index.php?FUZZ=/etc/passwd" -w "/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt" -t 200 -fw 9
