HTTP scanning¶

Directory bruteforce¶

gobuster

gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 50 -u IP

`-w`	Path to the wordlist
`-t`	Number of concurrent threads (default 10)
`-u`	The target URL

dirb

dirb http://ip /usr/share/wordlists/dirb/common.txt

wfuzz

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://IP/FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://IP/?par1=val1&par2=FUZZ

`-c`	Output with colors
`-w`	Specify a wordlist file
`--hc`	Hide responses with the specified code

Server enum¶

nikto: nikto -h IP

nikto --ssl IP
nmap: nmap -p80,443 --script=http* -T4 IP

SSL certificate testing¶

SSL Labs: https://www.ssllabs.com/ssltest/analyze.html
testssl: testssl.sh IP
nmap: nmap -p 443 --script ssl-enum-ciphers IP

Misc scanners¶

uniscan - LFI, RFI, and RCE vulnerability scanner::

./uniscan.pl -u http://url -qweds

`-u`	<url> example: https://www.example.com/
`-q`	Enable Directory checks
`-w`	Enable File checks
`-e`	Enable robots.txt and sitemap.xml check
`-d`	Enable Dynamic checks
`-s`	Enable Static checks

wpscan

wpscan --url IP

Cloudflare¶

do a password reset email and check the headers

2. omit Authentication Origin Pull Briefly, the feature verifies that the connection came from Cloudflare, and your web server will reject connections that don’t meet this criterion. As you can see from the help page, there is only a single generic certificate that is configured. This means the verification that takes place is not specific to a given client, account, or website.

This allows us to quite easily add a new site to our own personal Cloudflare account, set the Origin IP to the server we wish to attack, and reconfigure this site with our own WAF, cache, and security rules. The firewall will allow us through because the connection comes from Cloudflare. The Authenticated Origin Pull will succeed because the request is signed by Cloudflare. And Cloudflare will respect our WAF rules because the traffic is routed through our site, not the client site.

3. external sites: a. http://www.crimeflare.org:82 - possible get real IP if it is in Crimeflare database b. https://searchdns.netcraft.com/ - dns history, maybe in the past there was real IP, not Cloudflare

4. enumerate dns Sometimes admin configure only A/AAAA records for Cloudflare, rest has real IP