Web Basic Pentesting

Basic methodologies of web penetration tests. A default port is 80. HTTPS uses a port 443.

Cheat Sheet

Enumeration

Nmap

nmap --script http-auth --script-args http-auth.path=/login -p 80,443 <target-ip>
nmap --script http-devframework -p 80,443 <target-ip>
nmap --script http-enum -p 80,443 <target-ip>
nmap --script http-headers -p 80,443 <target-ip>
nmap --script http-methods -p 80,443 <target-ip>

Whois

whois example.com

Nikto

nikto -h https://example.com

# -p: Specify ports
nikto -p 80,3000 -h https://example.com

# -T: Tuning
#  1: Interesting files
#  2: Misconfiguration
#  3: Information Disclosure
#  4: Injection (XSS/Script/HTML)
nikto -T 1 2 3 -h https://example.com

# -useragent: Custom user agent
nikto -useragent <user-agent> -h https://example.com

# -e: IDS evasion
#  1: Random URI encoding
#  7: Change the case of URL
nikto -e 1 7 -h <target-ip>

WhatWeb

whatweb <target-ip>

# Aggression level (1-4)
whatweb -a 3 <target-ip>

# List all plugins
whatweb -l

# Search plugins
whatweb -I apache
whatweb -I phpBB
whatweb -I phpmyadmin
whatweb -I windows

# Use plugin
whatweb -p phpBB <target-ip>

SSL Certificate

It may contain the sensitive information about the target company. We can find it on the key icon in the URL bar in the most web browsers.

# Check SSL/TLS connection and get the certificate
openssl s_client --connect example.com:443
sslscan example.com

# Detect TLS version
openssl s_client -connect example.com:443 -tls1
openssl s_client -connect example.com:443 -tls1_1
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

Check Certificate Content

Open web browser.
Click on the lock icon at the left of URL bar.
Download the PEM (.pem) file of the certificate .
Get the content of the PEM file using openssl.

openssl x509 -text -noout -in example.pem

Web Archive

Checking old contents of target website might be useful.

Wayback Machine is the best tool for the purpose.

Google Dorks

We might find interesting information about target site by google dorking.

site:example.com
"example.com"

Bypass HTTPS Forbidden (403)

If we cannot access to target website with such error 403 Forbidden, we need to check the certificate. For example, in FireFox, we can see the certificate by clicking on the lock icon at the left of the URL bar. Then check the Common Name e.g. “example.abc”.

We might be able to access to the domain host by adding the domain in /etc/hosts in our local machine as below.

10.0.0.1 example.abc

Now access to the website again. We might be able to see the contents of the website.

Check Comments in HTML Source

There may be comments in the HTML source code that provide hints for exploitation.

Find Source Code

If the target organization (or user) manages the source code in such like GitHub or GitLab, we might be able to find the source code. Here is GitHub Dorks examples. Try searching the repository with the site name or project name in GitHub.

<site_name> language:Python
<site_name> language:PHP

# e.g.
ExampleBlog language:PHP

Request using Python

GET Request

#!/usr/bin/env python3
import requests

ip = '10.0.0.1'
port '80'
url = 'http://%s:%s' % (ip, port)
ua = 'Mozilla/5.0 ...'

# Args
params = {'page': '2', 'item': 'chair'}
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
auth = requests.auth.HTTPBasicAuth('username', 'password')

r = requests.get(url, params=params, headers=headers, cookies=cookies, auth=auth)

print(r.text)

With Session

#!/usr/bin/env python3
import requests

url = 'http://example.com'

session = requests.Session()
r = session.get(url)

print(r.text)

POST Request

#!/usr/bin/env python3
import requests

url = 'http://example.com/login'

data = {'username': 'admin', 'password': 'admin'}

# Args
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}

r = requests.post(url, data=data, headers=headers, cookies=cookies)

With Session

#!/usr/bin/env python3
import requests

url = 'http://example.com/comment'

data = {'name': 'Mike', 'comment': 'Hello'}

session = requests.Session()

r = session.post(url, data=data)

print(r.text)

PreviousWebs recon NextWindows Forensics

Last updated 1 month ago

hashtagCheat Sheet

hashtagEnumeration

hashtagNmap

hashtagWhois

hashtagNikto

hashtagWhatWeb

hashtagSSL Certificate

hashtagCheck Certificate Content

hashtagWeb Archive

hashtagGoogle Dorks

hashtagBypass HTTPS Forbidden (403)

hashtagCheck Comments in HTML Source

hashtagFind Source Code

hashtagRequest using Python

hashtagGET Request

hashtagPOST Request