Assessment tools & enumeration

Fingerprinting Web Servers with Nmap

We should start web application enumeration from its core component, the web server, since this is the common denominator of any web application that exposes its services.

Since we found port 80 open on our target, we can proceed with service discovery. To get started, we'll rely on the Nmap service scan (-sV) against port 80 (-p80) to grab the web server banner.

kali@kali:~$ sudo nmap -p80  -sV $ip
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 05:13 EDT
Nmap scan report for $ip
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Our scan shows that Apache version 2.4.41 is running on the Ubuntu host.

To take our enumeration further, we use service-specific Nmap NSE scripts, like http-enum, which performs an initial fingerprinting of the web server.

kali@kali:~$ sudo nmap -p80 --script=http-enum $ip
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 06:30 EDT
Nmap scan report for $ip
Host is up (0.10s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /login.php: Possible admin folder
|   /db/: BlogWorx Database
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /db/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds

As shown above, we discovered several interesting folders that could lead to further details about the target web application.

By using Nmap scripts, we managed to discover more application-specific information that we can add to the web server enumeration we performed earlier.

nmap --script=http-enum <host>

nmap --script=http-vuln* $ip

Technology Stack Identification with Wappalyzer

Along with the active information gathering we performed via Nmap, we can also passively fetch a wealth of information about the application technology stack via Wappalyzer.

Once we have registered a free account, we can perform a Technology Lookup on a target domain.

From a quick third-party external analysis, it's possible to learn about the OS, the UI framework, the web server, and more. The findings also provide information about JavaScript libraries used by the web application - this can be valuable data, as some versions of JavaScript libraries are known to be affected by several vulnerabilities.

https://www.wappalyzer.com/

Directory Brute Force / Fuzzing

Gobuster

Once we have discovered an application running on a web server, our next step is to map all of its publicly accessible files and directories. To do this, we need to send many requests to the target to discover hidden paths. Gobuster, a tool written in Go, helps with this kind of enumeration: it brute-forces directories and files on a server using wordlists.

Due to its brute forcing nature, Gobuster can generate quite a lot of traffic, meaning it will not be helpful when staying under the radar is necessary.

Gobuster supports different enumeration modes, including fuzzing and dns, but for now, we'll only rely on the dir mode, which enumerates files and directories. We need to specify the target IP using the -u parameter and a wordlist with -w. The default running threads are 10; we can reduce the amount of traffic by setting a lower number via the -t parameter.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $ip -x txt,php

kali@kali:~$ gobuster dir -u $ip -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://$ip
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/30 05:16:21 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://$ip/css/]
/db                   (Status: 301) [Size: 311] [--> http://$ip/db/]
/images               (Status: 301) [Size: 315] [--> http://$ip/images/]
/index.php            (Status: 302) [Size: 0] [--> ./login.php]
/js                   (Status: 301) [Size: 311] [--> http://$ip/js/]
/server-status        (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://$ip/uploads/]

===============================================================
2022/03/30 05:18:08 Finished
===============================================================

Under the /usr/share/wordlists/dirb/ folder we selected the common.txt wordlist, which found ten resources. Four of these resources are inaccessible due to insufficient privileges (Status: 403). However, the remaining six are accessible and deserve further investigation.
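The Nmap http-enum output earlier and the Gobuster output above describe the same target from two angles, and in practice the findings get consolidated by hand. The following added example (not part of the original notes or of either tool) parses both output formats, flags the directories http-enum reported with listing enabled, splits Gobuster's results into forbidden and accessible as the paragraph above does, and cross-references the two path sets. The sample inputs are the two outputs from these notes, embedded as constructed strings with the target left as the `$ip` placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the nmap -sV / http-enum result shown earlier in
# these notes, target left as the $ip placeholder the notes use.
NMAP_HTTP_ENUM = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-enum:
|   /login.php: Possible admin folder
|   /db/: BlogWorx Database
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /db/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
"""

# Constructed sample input: the gobuster result lines from the run above.
GOBUSTER_OUTPUT = """\
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://$ip/css/]
/db                   (Status: 301) [Size: 311] [--> http://$ip/db/]
/images               (Status: 301) [Size: 315] [--> http://$ip/images/]
/index.php            (Status: 302) [Size: 0] [--> ./login.php]
/js                   (Status: 301) [Size: 311] [--> http://$ip/js/]
/server-status        (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://$ip/uploads/]
"""

# "80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))" -> port, banner
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")
# "|   /db/: BlogWorx Database" or "|_  /uploads/: ..." -> path, description
ENUM_RE = re.compile(r"^\|[_ ]\s+(/[^\s:]*):\s+(.*)$")
# "/css   (Status: 301) [Size: 312] [--> http://$ip/css/]" -> path, status, size, redirect
GOBUSTER_RE = re.compile(
    r"^(\S+)\s+\(Status:\s*(\d{3})\)\s+\[Size:\s*(\d+)\](?:\s+\[-->\s*(\S+)\])?"
)


def parse_nmap_http_enum(text):
    """Return (server banner, {path: [descriptions]}); a path may be reported twice."""
    banner = None
    paths = defaultdict(list)
    for line in text.splitlines():
        port = PORT_RE.match(line)
        if port:
            banner = port.group(2)
            continue
        entry = ENUM_RE.match(line)
        if entry:
            paths[entry.group(1)].append(entry.group(2))
    return banner, dict(paths)


def parse_gobuster(text):
    """Return {path: {"status": int, "size": int, "redirect": str or None}}."""
    results = {}
    for line in text.splitlines():
        m = GOBUSTER_RE.match(line)
        if m:
            results[m.group(1)] = {
                "status": int(m.group(2)),
                "size": int(m.group(3)),
                "redirect": m.group(4),
            }
    return results


def normalize(path):
    """Treat '/css' (gobuster) and '/css/' (http-enum) as the same resource."""
    return path.rstrip("/") or "/"


def consolidate(nmap_text, gobuster_text):
    """Merge both tools' findings into one triage view."""
    banner, nmap_paths = parse_nmap_http_enum(nmap_text)
    gob = parse_gobuster(gobuster_text)
    nmap_set = {normalize(p) for p in nmap_paths}
    gob_set = {normalize(p) for p in gob}
    return {
        "banner": banner,
        # http-enum flags directories that serve an index listing
        "directory_listing": sorted(
            p for p, descs in nmap_paths.items() if any("listing" in d for d in descs)
        ),
        # exists on the server but the client is refused: still worth noting
        "forbidden": sorted(p for p, r in gob.items() if r["status"] == 403),
        "accessible": sorted(p for p, r in gob.items() if r["status"] != 403),
        "found_by_both": sorted(nmap_set & gob_set),
        "nmap_only": sorted(nmap_set - gob_set),
        "gobuster_only": sorted(gob_set - nmap_set),
    }


if __name__ == "__main__":
    for key, value in consolidate(NMAP_HTTP_ENUM, GOBUSTER_OUTPUT).items():
        print(f"{key}: {value}")
```

Running it on the two outputs reproduces the count in the paragraph above (four 403 responses, six accessible resources) and shows where the tools differ: http-enum alone reported /login.php, while the common.txt run alone surfaced the dotfiles, /index.php and /server-status. The five directories flagged with listing enabled are the same five that Gobuster saw as 301 redirects, which is why a redirect to a trailing-slash URL deserves a second look.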

Extensions
sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar

https://www.kali.org/tools/gobuster/

Ffuf

Simple Scan
ffuf -w /opt/dirsearch/small.txt -u http://$ip/FUZZ
Ignore HTTP Status Codes
ffuf -w /opt/dirsearch/big.txt -u http://$ip:80/FUZZ -fc 401
VHOST Fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb
Extension
ffuf -w /opt/dirsearch/big.txt -u http://bounty.htb/FUZZ -e .asp,.aspx,.txt

DirSearch

dirsearch.py -u http://$ip:80/ -e txt,asp,aspx

Security Testing with Burp Suite

Burp Suite is a GUI-based integrated platform for web application security testing. It provides several different tools via the same user interface.

While the free Community Edition mainly contains tools used for manual testing, the commercial versions include additional features, including a formidable web application vulnerability scanner. Burp Suite has an extensive feature list and is worth investigating, but we will only explore a few basic functions in this section.

We can find Burp Suite Community Edition in Kali under Applications > 03 Web Application Analysis > burpsuite.

We can also launch it from the command line with burpsuite:

kali@kali:~$ burpsuite

WhatWeb

./whatweb $ip 
# identifies all known services

https://www.kali.org/tools/whatweb/

Nikto

Nikto is a very popular and easy-to-use web server assessment tool for finding potential problems and vulnerabilities quickly. Nikto is written in Perl and ships with Kali Linux.

During the scanning process, Nikto searches for potential security problems in the form of misconfigurations, default files and folders, insecure objects and outdated software.

Nikto is not designed to be stealthy. It scans the target host as fast as possible and generates a large number of requests, which makes the scan very obvious in web server log files and to intrusion detection systems (IDS).
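The paragraph above is the defender's side of every tool in these notes: the request volume stands out in access logs. The following added example (not part of the original notes or of Nikto) shows what that detection looks like in practice. It reads Apache combined-format log lines, matches the default User-Agent strings of the scanners covered here (gobuster's appears in the run earlier on this page; the Nikto, Nmap NSE, WPScan and ffuf tokens are their well-known defaults), and, because any operator can change a User-Agent, also applies a rate rule: twenty or more 4xx responses from one client within sixty seconds. The log lines are constructed, and the threshold values are illustrative assumptions rather than tuned figures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Default User-Agent substrings of the scanners covered in these notes. Operators
# can override every one of them, so the rate rule below is the more durable signal.
SCANNER_UA_TOKENS = ("Nikto", "Nmap Scripting Engine", "gobuster", "WPScan", "Fuzz Faster U Fool")

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed access log lines: a normal visitor, a client using the Nmap NSE and
# gobuster defaults, a Nikto client, and a burst of misses behind a browser-like UA.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Mar/2022:05:10:02 -0400] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"',
    '198.51.100.7 - - [30/Mar/2022:05:10:03 -0400] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"',
    '203.0.113.10 - - [30/Mar/2022:05:13:41 -0400] "GET / HTTP/1.1" 200 2817 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '203.0.113.10 - - [30/Mar/2022:05:16:21 -0400] "GET /.hta HTTP/1.1" 403 278 "-" "gobuster/3.1.0"',
    '203.0.113.11 - - [30/Mar/2022:05:20:00 -0400] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"',
] + [
    # 25 misses in 25 seconds with a spoofed browser UA: only the rate rule catches this one.
    f'203.0.113.12 - - [30/Mar/2022:05:30:{sec:02d} -0400] "GET /word{sec} HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/99.0"'
    for sec in range(25)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for unparseable lines."""
    m = COMBINED_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window_seconds=60, error_threshold=20):
    """Return {client_ip: sorted list of reasons} for clients that look like web scanners.

    Lines are assumed to be in chronological order, as an access log normally is.
    """
    reasons = defaultdict(set)
    errors = defaultdict(deque)  # per-client timestamps of 4xx responses (sliding window)
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        if any(tok.lower() in rec["agent"].lower() for tok in SCANNER_UA_TOKENS):
            reasons[ip].add("scanner user-agent: " + rec["agent"])
        if 400 <= rec["status"] < 500:
            window = errors[ip]
            window.append(rec["time"])
            while (window[-1] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= error_threshold:
                reasons[ip].add(f">= {error_threshold} 4xx responses within {window_seconds}s")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for client, why in detect_scanners(SAMPLE_LOG).items():
        print(client, why)
```

The normal visitor at 198.51.100.7 produces no alert; the two tool clients are caught by their User-Agent strings; 203.0.113.12 is caught only by the 4xx rate. The rate rule is where the false-positive work lives: a broken link on a busy page can also generate many 404s from one client, so in a real deployment the threshold is tuned against the site's own baseline.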

nikto -h $ip
nikto -h $ip -p 80,8080,1234
#test different ports with one scan
-Tuning Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)


$ nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host $ip
# Command

WordPress Scan

WPScan is a popular WordPress vulnerability scanner that can be used to find known vulnerabilities in WordPress, enumerate users, themes and plugins and run dictionary attacks on the user accounts.

WordPress is a very popular blogging platform and is used by numerous websites. It is easy to install and can be customized with a large number of (free) plugins and themes. Because of its popularity among bloggers and website owners, it is also a popular target for (black hat) hackers. The reason it is so popular among attackers is not only that WordPress itself has a long history of severe vulnerabilities, but also that WordPress plugins and themes can introduce vulnerabilities of their own. Website administrators who do not keep up with WordPress updates and do not take appropriate security measures, such as deploying a Web Application Firewall (WAF), can become easy targets that even the most inexperienced attackers can take advantage of.

Updating DB of WordPress

wpscan --update

Scanning the Target

wpscan --url <ip>

Active Enumeration

If WPScan is unable to find plugins with the default scan, it doesn't necessarily mean that the WordPress website doesn't have any plugins installed. The default scan option enumerates plugins using passive detection, meaning that it only scans the main page and searches for traces of plugins in the HTML content, JavaScript and CSS files.
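To make the passive-detection limitation concrete, the following added example (not part of the original notes and not WPScan's own code) performs the same kind of passive check on a page's HTML: it collects the plugin and theme slugs referenced under /wp-content/, records a version wherever an asset URL carries a ?ver= parameter, and reads the WordPress version from the generator meta tag. The HTML is a constructed sample with made-up plugin slugs (example-forms, example-slider); the host blog.example is a reserved placeholder. Run against your own site, it shows exactly what a passive scanner can learn from one page load.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample page: made-up plugins "example-forms" and "example-slider",
# the default "twentytwentyone" theme, and a generator tag exposing the core version.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.9.2" />
<link rel="stylesheet" href="https://blog.example/wp-content/plugins/example-forms/css/styles.css?ver=5.5.6" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentytwentyone/style.css?ver=1.5" />
<script src="https://blog.example/wp-content/plugins/example-slider/js/slider.min.js"></script>
<script src="https://blog.example/wp-content/plugins/example-forms/js/forms.js?ver=5.5.6"></script>
</head><body><p>Hello world</p></body></html>"""

# Any asset path under /wp-content/plugins/<slug>/ or /wp-content/themes/<slug>/
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\s\"'<>]*")
# <meta name="generator" content="WordPress X.Y.Z">
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)


def passive_wp_fingerprint(html):
    """Return {"version": str or None, "plugins": {slug: ver}, "themes": {slug: ver}}.

    A slug maps to None when no referenced asset carried a ?ver= parameter.
    """
    found = {"plugins": {}, "themes": {}}
    for m in ASSET_RE.finditer(html):
        kind, slug = m.group(1), m.group(2)
        # The ?ver= query string often leaks the component version.
        ver = parse_qs(urlparse(m.group(0)).query).get("ver", [None])[0]
        found[kind].setdefault(slug, None)
        if ver and not found[kind][slug]:
            found[kind][slug] = ver
    generator = GENERATOR_RE.search(html)
    return {"version": generator.group(1) if generator else None, **found}


if __name__ == "__main__":
    print(passive_wp_fingerprint(SAMPLE_HTML))
```

The result for the sample is the core version 5.9.2, example-forms at 5.5.6, example-slider with no version, and the twentytwentyone theme at 1.5. A plugin that enqueues no script or stylesheet on the main page leaves no trace here at all, which is the gap the active enumeration described next is meant to close; on the defensive side, the same check tells you which versions your own pages advertise.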

We can run more aggressive scans with WPScan that actively test WordPress installations for plugins and themes. Depending on the options selected, an active scan tries every plugin from the database to test if it’s present on the target system. Active scans usually yield a much more reliable result. The following parameters can be used in conjunction with the enumerate option:

  • p: Scans popular plugins only
  • vp: Scans vulnerable plugins only
  • ap: Scans all plugins

To enable the active/aggressive scan option to scan for all plugins we also have to set the aggressive mode using the --plugins-version-detection option.

The same options are available for WordPress themes:

  • t: Scans popular themes only
  • vt: Scans vulnerable themes only
  • at: Scans all themes

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at] --plugins-detection aggressive

To scan for all plugins:

wpscan --url [url] --enumerate ap --plugins-detection aggressive

Enumerating WordPress Users

wpscan --url [target URL] --enumerate u

Password Attack

wpscan --url http://internal.thm/blog/ --passwords /opt/wordlists/rockyou.txt

Scanning with API Tokens

wpscan --url https://brainfuck.htb --api-token <redacted>

Disable TLS Checks

wpscan --url https://brainfuck.htb --disable-tls-checks --api-token <redacted>

BFAC (Backup File Artifacts Checker)

./bfac --url http://$ip/ --level 4