Skip to content

Latest commit

 

History

History
219 lines (143 loc) · 5.35 KB

http-enum.md

File metadata and controls

219 lines (143 loc) · 5.35 KB

🔬HTTP Enumeration

Lab 1 - Method Enumeration

🔬 HTTP Method Enumeration

  • Target IP: 192.41.48.3
  • Credentials: john:password
ip -br -c a
	eth1@if193355  UP  192.41.48.2/24

  • Open the browser and navigate to

    • http://192.41.48.3/login.php

  • View Source code of the login page and check the POST method

  • Login with the provided credentials
  • Follow the remaining links
    • http://192.41.48.3/post.php
    • http://192.41.48.3/index.php

Dirb

  • Enumerate hidden directories using dirb
dirb http://192.41.48.3

dirb http://192.41.48.3

📌 Hidden directories are css, img, js, mail, uploads, vendor

Curl

  • Use curl to send some requests
# GET
curl -X GET 192.41.48.3

# HEAD
curl -I 192.41.48.3

# OPTIONS
curl -X OPTIONS 192.41.48.3 -v

# POST
curl -X POST 192.41.48.3

# PUT
curl -X PUT 192.41.48.3

  • Use curl to interact with login.php and post.php
curl -X OPTIONS 192.41.48.3/post.php -v
	Allow: GET,POST,HEAD,OPTIONS

curl -X OPTIONS 192.41.48.3/login.php -v
	Allow: GET,POST,HEAD,OPTIONS

curl -X POST 192.41.48.3/login.php -d "name=john&password=password" -v

POST

  • Interact with uploads directory
curl -X OPTIONS 192.41.48.3/uploads/ -v

📌 WebDAV module is enabled on the Apache Server and allows file upload via PUT method.

  • Upload a file with PUT method
echo "Hello Hackers" > hello.txt

curl 192.41.48.3/uploads/ --upload-file hello.txt

http://192.41.48.3/uploads/hello.txt

curl -X DELETE 192.41.48.3/uploads/hello.txt -v

BurpSuite

🔬 Check the BurpSuite Basics lab here

  • Target IP has changed to 192.83.140.3
  • Use BurpSuite to interact with the web page, by turning on the FoxyProxy Firefox plugin and opening the BurpSuite with the Proxy intercept on.
  • Capture the home page and send it to Repeater
  • Use the various options to sed requests and check the response.

  • Try to login in the webpage, intercept the request and send it to the repetear
  • Send a POST to login.php with valid credentials

  • Try to upload a file to /uploads/

Lab 2 - Directory Enumeration

Gobuster

🔬 Directory Enumeration with Gobuster

  • Target IP: 192.185.38.3
  • Enumerate a Multillidae II vulnerable web app
ip -br -c a
	eth1@if203734  UP  192.185.38.2/24

nmap -sS -sV 192.185.38.2
  • Open the browser and navigate to
    • http://192.185.38.3/

  • Use gobuster to enumerate directories, ignoring 403 and 404 status codes
gobuster dir -u http://192.185.38.3 -w /usr/share/wordlists/dirb/common.txt -b 403,404

gobuster

  • Scan to find specific file extensions and interesting files
gobuster dir -u http://192.185.38.3 -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r

# -u = url string
# -w = wordlist
# -b = status code blacklist
# -x = extensions string
# -r = follow redirect

gobuster dir -u http://192.185.38.3/data -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r

  • Check the xml file
    • http://192.185.38.3/data/accounts.xml

accounts.xml

Burp Suite

🔬 Directory Enumeration with Burp Suite

  • Target IP: 192.221.162.3
  • Enumerate a Multillidae II vulnerable web app
ip -br -c a
	eth1@if203734  UP  192.221.162.2/24

nmap -sS -sV 192.221.162.3
  • Open the browser and navigate to
    • http://192.221.162.3/
    • Activate FoxyProxy Plugin
  • Start BurpSuite (set User options/Display/Look to Darcula and restart BurpSuite)
    • Intercept the home page request and send it to Intruder
    • Intruder - set HOST target IP and PORT
    • Configure Payload Positions
      • Clear §
      • Add §name§ in the GET request
    • Payloads - Options - add a list of strings and load the /usr/share/wordlists/dirb/common.txt list
    • Start Attack and check the status code

  • Navigate to http://192.221.162.3/passwords/accounts.txt