☕
My OSCP Journey: Tips, Tricks, and Cheat Sheets
  • Introduction
  • Network Scan
  • Services Exploitation
    • 21 - FTP
    • 25, 465, 587 - SMTP
    • 53 - DNS
    • 88 - Kerberos
    • 80, 443 - HTTP/S
    • 110, 995 - POP
    • 111 - NFS/RPC
    • 135, 593 - MSRPC
    • 139, 445 - SMB
    • 143, 993 - IMAP
    • 161 - SNMP
    • 389, 636, 3268, 3269 - LDAP
    • 3306 - Mysql
    • 5432 - Postgres
    • 27017 - MongoDB
  • Web Application Attacks
    • SQL Injection
    • File Inclusion Vulnerabilty
    • Command Injection
    • Client-Side Attacks
  • Brute Forcing
  • Privilege Escalation
    • Manual Enumeration
      • Windows Enumeration
      • Linux Enumeration
    • Windows Privesc
    • Linux Privesc
  • Active Directory
    • AD Manual Enumeration
    • AD Automatic Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Attacking Kerberos
    • Hash Cracking Techniques
  • Transfer Files
    • Windows Downloads
    • Windows Uploads
  • Shells
    • Reverse/Bind Shells
    • Web Shells
Powered by GitBook
On this page
  • Automatic scanners
  • Spidering
  • Directories and Files Enumeration
  • Gobuster
  • Feroxbuster
  • Dirb
  • Nikto
  • Wfuzz
  • Wordlists

Was this helpful?

Edit on GitHub
  1. Services Exploitation

80, 443 - HTTP/S

Previous88 - KerberosNext110, 995 - POP

Last updated 1 year ago

Was this helpful?

Automatic scanners

General purpose automatic scanners:

nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

Spidering

List of spidering tools:

Directories and Files Enumeration

Tools:

Gobuster

gobuster dir -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.0.0.3/
Parameters

  • dir: directory brute-forcing mode.

  • -t <n>: number of concurrent threads (default 10).

  • -w <wordlist>: path to the wordlist.

  • -u <URL>: target URL.

Note:

  • Iterate over the results.

  • Include status code 403 (Forbidden Error) and brutefoce these directories.

  • Add more file extensions to search for; In gobuster: -x sh,pl.

Feroxbuster

feroxbuster --url http://<TARGET>:<PORT>/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o <TARGET><PORT>.out

Dirb

dirb http://www.megacorpone.com -r -z 10

Nikto

nikto -host=http://www.megacorpone.com -maxtime=30s

Wfuzz

Fuzz parameters using injection payloads:

wfuzz -u https://<IP_ADDRESS>/index.php?url=FUZZ --hl 36 -w /usr/share/wfuzz/wordlist/Injections/All_attack.txt

Wordlists

Included in Kali’s wordlists package under /usr/share/wordlists.

  • /rockyou.txt

  • /dirbuster/directory-list-2.3-medium.txt ( 1.9M - 220560 lines )

  • /dirbuster/directory-list-2.3-small.txt ( 709K - 87664 lines )

  • /dirb/common.txt ( 36K - 4614 lines )

  • /dirb/big.txt ( 180K - 20469 lines )

(python): It doesn't allow auto-signed certificates but allows recursive search.

(go): It allows auto-signed certificates, it doesn't have recursive search.

- Fast, supports recursive search.

wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ

- Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ

: It uses wapalyzer to detect used technologies and select the wordlists to use.

Dirsearch
Gobuster
Feroxbuster
wfuzz
ffuf
Chamaleon
Logo80,443 - Pentesting Web MethodologyHackTricks