Web Application Enumeration
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
21 hours 43 minutes
web application penetration testing.
Web application enumeration
are learning objectives are to understand what tools are available to enumerate. Web servers describe the limitations of these scanners, know what directory brute forcing is and how it can aid in web site enumeration
and explain why manual enumeration of web applications is important.
Do you recognize that picture? It's our friend Wordpress which will get a lot more familiar with in the upcoming labs.
In full disclosure. When I saw a web server in P W K R O S E P,
I got nervous because our attacks service just grew exponentially. There could be various pages in there. There could be admin admin accounts that could be user accounts maybe have to register for something to gain access to it. It introduces a whole level of complexity and larger attack surface.
Now this is my bread and butter
and really it's just a matter of breaking things down into smaller pieces and making it more digestible. And again, the more reps you do, the more experience you have with web applications, the less scary it becomes.
You'll also notice that there's all these content management systems, there's Word Press, there's drew people, there's Djamila.
And what makes them interesting is they have a large attack surface as well. Just because so many people use them, you'll notice in the news, it will say, you know, this plug in for Wordpress is vulnerable and now, you know, five million sites are now vulnerable to a unrestricted file, upload bypass vulnerability.
So because so many people use this, so many people are looking for zero days in these in these applications to exploit them.
So it makes it a larger attack surface there.
Also, if you're doing bug bounties uh now or if you're a web application security engineer, pen tester, your mindset needs to change. It doesn't matter if the secure flag isn't set on on a cookie.
Um It doesn't matter if there's a sea surf attack if there because it's a client side attack. If no one's there to be exploited.
As I said, we should focus on server side attacks. I know there's clients, it attacks a cross site scripting and sea surf but really we want to focus on the server side attacks. So get out of the bug bounty mindset of, you know, I'm finding specific vulnerabilities in a web application if you want to do that. I recommend the E W. P. T uh
exam because that is very specific
to have web applications.
So enumeration with our friend and map yet again.
So keep in mind when you're doing your skin with end map. That's probably the first time you're going to observe a web server. And don't assume it's on port 80 or 443 can also be on ports like 80 80 or 8443 But also understand if his http or http. S seen. A lot of junior pen testers
try a port using http when they should be using https different protocol
and they can't connect to the site.
So play around with those protocols on those different ports and see if maybe it changes depending on
it's HDP or H G P S.
We can also remind our refine our end map scan with that bone scan. I talked about the bone scan with end map in the very beginning that kind of has a very robust output.
It's not as good as things like Burp suite. Active scan. Of course you can't use Burp Suite Pro. Uh no SCP but it's kind of, you know, it's a fast scanner vulnerability scanner for web applications.
Also we should get an output and map of the version of a patch here. Engine X or I I S Is that version vulnerable? So check that out first. When you start enumerating these web servers,
you'll see here is the output from an n map scan and it gives us with the bone script in it.
You'll see it already gives us a lot of good information and always making fun of the HDP flag not set with cookies, but here you go right here or see surf. You know, here you go again.
Also, let's look at the bottom. We can see a possible sequel injection. That's great for us and maybe enumerating uh users or user names and passwords or maybe even getting a shell in the box.
So we're also trying to look for different folders and directories on the web server
with nick toe. That also does stuff like that. This this is a great scanner
chris Hello is a friend and you know, I've spoken to him a lot about nick toe and how he saved me with the SCP. There's a lot of output with nick toe and there are also a lot of false positives,
but test everything because the one thing in there that's buried in that output might be what gets you a shell in. Oh, SCP, I'm just saying,
but you know, again, this this nick toe I think is a great tool to use on on web servers if it's not on port 80 you have to specify the port of its 443 or 80 80. So keep that in mind.
Directory brute forcing. Why do we do Directory brute forcing? Well, if we use a tool like Burp suite, which we'll talk about later, that's not brute forcing directories for you. So I figure out what directories there are. We have to use tools for that.
And if you're not brute forcing directories, you may miss out on an admin directory or some juicy directory that might have information that'll help us enumerate the server or vulnerabilities. So it always suggests running a brute force er against the web server to see what is on it.
It also finds things through response codes. And we'll talk about response codes as well. But it will look at a response code of like 200 meaning that you can reach that web page or 404 meaning that that page doesn't exist. And it will tell you whether the page exists or not, whether it gets a 200
it will, you'll get output or for for it won't give you output.
Doesn't find vulnerabilities.
A directory may have a vulnerability vulnerability in it, but a directory brute force is not going to say, hey, look at this, this is what's vulnerable.
Derby is a fast and dirty directory brute force. Er I really like it, it goes really, really fast and as you can see here, it gives you the response codes, it tells you whether there's a 200 or 403
um and it also tells you if a directory is listenable, if you can look at every single file in that directory.
So I really like running this first because the other two brute forcers take a lot more time steve fault installed in Cali you can specify a word list that has a default word list in it,
but there's a word list I like using and we'll look at dir buster and you can see here, I like using that directory list. 2.3 medium dot txt. So I always like using, no matter whether it's Derby Derby buster or go buster which will look at next but
Doorbusters, oh, wasps, Directory brute force er is written in java. You can specify which word list you want to use, you can specify the file extension. That's why it's important to enumerate the technology, whether the servers using PHP or a sp whether as text files on it,
whether it's using PERL maybe there's a G in there.
Um So I would definitely recommend uh knowing what file extensions to specify or trying a few different ones.
It's also already installed in Cali the one that's not is go buster
and go buster is probably my favorite.
So go buster is also a command line tool, it goes very fast. Um As you can see here, I'm specifying that word list again.
Um actually I'm specifying a different one but my favorite is that medium word list.
So you can see here you can also specify extensions. I have PHP txt. Html and it's giving me the response code of the server as well.
It's written and go I really really like this, download it and give it a try
also. How do you use Apple? Isar or get that extension? Because that also enumerates website technology very quickly
from this. You can already tell it's Wordpress, you can already tell there's my sequel database. There doesn't show the version of Apache but we know we're working with Apache. So I I really like using appetizer.
Also don't discount. Manual enumeration tools are great but know how to use manual enumeration to figure out what's going on. Always look at the robots dot txt file. What it says is disallowed. We really that's the juicy information to us as hackers, right? It's disallowed. We want to look at it.
Also view the source of the page, right click view source. Maybe there's some meta tags. Maybe there's some comments in there. Maybe the developer left comments like
having to build out this directory but not yet but yet. We can search for that directory or maybe something is great out on the page, but it's not, you know, it's in the source of the page, like a certain directory and we can still surf to it. So I always look at the source of the page which you can also do using curl. If you use the curl command,
you're just looking at the source of the page and you may see things you may miss
when you're looking at the beautiful browser.
Also look at cookies. If there's a PHP session ID can be pretty sure it's running PHP.
If there's a S P C H I D can be pretty sure you can upload a sp shell like we saw. And that will work for us to
also look at the network tab, refresh the page. Look at all the connections that website makes. Maybe it will give us other directories and other files we should be looking at.
here's your hands on quiz
in an environment. You're allowed to do this Run Derby Run Derby buster. Run, go buster
and see which one you like, See which one you don't like.
Um, but try to compare them and also use end map with that bone script and see what you find.
I'm going to give a demo really quick.
So I'd like to show you all these tools that I was just talking about Here. Is this website here awesome. Photo blog. This is great
Iran and map Iran S B S C. I ran the bone script
as you can see here. It does a whole lot of different scripts, cookie flags. Like I said don't worry about that one. C serve clients side. I'm not really worried about that either. This is enumerating directories. This might be interesting possible admin folder
robots dot txt and all these other interesting folders I should be looking at
also an internal iP. That might be interesting but it's local host
a version of Apache. Maybe that's vulnerable and all these possible sequel injections. That's interesting too.
Also around Nikto
so you can see a whole lot of output.
I can tell you off the bat this os V B v D B 5034 That's a false positive
but it gave us a little bit more information about this local host eyepieces. The server may reveal its internal or real I. P. And the location header via request to images over http. 1.0.
If we do curl
doesn't give us that. Give us 192168152 That's because we're using http
1.1. So how do we downgrade to 1.0 we can use net cat
V. for Verbose Port 80. You press enter you won't see anything.
What you want to do is I like to use a get request
forward slash http. And it said 1.0. So let's try that. Press enter. Press enter again.
You know what I forgot I forgot to say images
but you'll see the output of the page and you'll also see the super secret hidden directory.
Well that's interesting
but let me go back.
and do h and get out of this.
Http 1.0 Enter, enter.
Now we see the 1-7 1
001 local host
on port 80.
So we downgraded our version of HTTP to 1.0 there.
We did see using the curl command.
Was this the super hidden directory
But like I told you, I always like to look at robots dot txt.
So here we are. We find flag number one.
We go here.
See we found flag number one.
Now let's go to this super secret directory
and that here.
And we can see flag too.
Also talked about Derby, which is the quick and dirty one. You'll see how fast this thing is.
Really, really, really fast. It tells you that the response code.
This is interesting bash history.
Maybe I can see the bash history of the server
which would be information disclosure.
So I do see in fact that I'm able to read the bash history
uh this might be dub dub dub data that that process.
but I don't see anything sensitive in here, but again that that should not be uh accessible, but it is here and I only found that through using Derby.
Also here are these listenable directories if we go to them.
So admin up loads is always interesting. Right? I can see all these different images here.
So just running that fast and dirty scan with Derby, I got a whole lot of good information.
Trigaux buster, tried er buster and see if you like those as well.
So in summary we should now understand what tools are available to enumerate web servers. We've described the limitations of scanners, we know what directory brute forcing is and how it can aid in website enumeration and we've explained why manual enumeration of web applications is important