Web Application Pentesting

Recon of the web app:

Source code (things may be hidden in it)

whatweb (shows the technologies in use, and from that whether the site may be vulnerable to a given web-based attack)

wafw00f page.com (fingerprints a web application firewall; the -a parameter can be added)

http IP or domain (gets the headers of a website)

browsh --startup-url http://pageORip/Default.aspx (enumerates the website at the URL we give it by rendering the web page in the terminal; Ctrl+W to exit)

curl IPobj | more (look at the DOCTYPE and the title, e.g. "Apache 2 Ubuntu"); equivalently wget "http://IPobj/index" -> cat index | more

curl http://IPobj/ejemplo | more (useful to see access permissions)

lynx http://IPobj (to view the source code)

davtest (scans, authenticates against and exploits a WebDAV server)

cadaver (WebDAV client: upload, download, view on screen, edit, move and copy files; create and delete collections; manipulate properties and lock resources on a WebDAV server)
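Added example (Python, not from these notes): the defender's side of the header recon above. It parses a raw HTTP response the way http/whatweb/curl see it and reports version-disclosing headers, missing protective headers, session cookies without HttpOnly/Secure, and the page title; the sample response and the two header lists are assumptions.

```python
"""Audit what a server's own HTTP response discloses: the same headers
that http/whatweb/curl read during recon. Constructed sample response;
real input comes from `curl -i http://host/`."""
import re
from email.parser import Parser

# Constructed sample response, in the form `curl -i` prints it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head><title>Apache2 Ubuntu Default Page</title>"
    "</head><body></body></html>"
)

# Headers that fingerprint the stack for anyone who asks for them (assumed list).
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                      "X-AspNetMvc-Version", "X-Generator")
# Protective headers a hardened response is expected to carry (assumed list).
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")


def parse_response(raw):
    """Split a raw HTTP response into status line, header map and body."""
    status_line, _, rest = raw.partition("\r\n")
    header_block, _, body = rest.partition("\r\n\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line, headers, body


def audit_headers(raw):
    """Return what the response reveals and which protections are missing."""
    _, headers, body = parse_response(raw)
    findings = {"disclosures": [], "missing": [], "weak_cookies": [], "title": None}
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)            # lookup is case-insensitive
        if value is not None:
            findings["disclosures"].append(f"{name}: {value}")
    for name in EXPECTED_HEADERS:
        if headers.get(name) is None:
            findings["missing"].append(name)
    # A session cookie without HttpOnly/Secure is readable by script and sent in clear.
    for cookie in headers.get_all("Set-Cookie", []):
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= attrs:
            findings["weak_cookies"].append(cookie.split("=", 1)[0].strip())
    # The <title> is what `curl ... | more` shows (e.g. a default page left in place).
    match = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    if match:
        findings["title"] = match.group(1).strip()
    return findings


if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Running it on a real `curl -i` capture gives the same fingerprint a scanner would build, so the disclosing headers can be removed and the missing ones added before the pentest finds them.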

Brute-force login attack:

LOGIN FORM (check the source code for the form fields):

hydra -L userwordlist -P passwordlist IPobj http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials…" -t 3

BASIC AUTH (browser pop-up): use Burp Suite

Locate hidden files & directories:

robots.txt

sublist3r -d pagina.com (enumerates subdomains)

dirb http://IPorDOMAIN

gobuster dir --url http://IPorDOMAIN/ --wordlist /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
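Added example (Python, not from these notes): the traces the hydra form attack above and the dirb/gobuster directory guessing leave in an Apache combined-format access log, and a detector that flags both per source IP over a sliding window. The log lines are constructed; the login path and the thresholds are assumptions.

```python
"""Flag login-form brute force and directory enumeration from access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/login.php"        # assumption: the form being protected
LOGIN_THRESHOLD = 5              # assumption: POSTs to the form per window
ENUM_THRESHOLD = 20              # assumption: 404s per window
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-log line; None when it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query string
        "status": int(m["status"]),
    }


def burst(timestamps, threshold, window):
    """True if at least `threshold` events fall inside some span of `window`."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(lines):
    """Return sorted (rule, ip, event_count) alerts for the given log lines."""
    login_posts = defaultdict(list)
    not_found = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            login_posts[ev["ip"]].append(ev["ts"])
        if ev["status"] == 404:
            not_found[ev["ip"]].append(ev["ts"])
    alerts = []
    for ip, stamps in login_posts.items():
        if burst(stamps, LOGIN_THRESHOLD, WINDOW):
            alerts.append(("login-bruteforce", ip, len(stamps)))
    for ip, stamps in not_found.items():
        if burst(stamps, ENUM_THRESHOLD, WINDOW):
            alerts.append(("dir-enumeration", ip, len(stamps)))
    return sorted(alerts)


def _line(ip, second, method, path, status):
    """Build one constructed combined-log line (sample data only)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a normal visitor, 8 login POSTs in 8 seconds from one
# source, and 25 requests for non-existent paths in 25 seconds from another.
SAMPLE_LOG = (
    [_line("10.0.0.7", 1, "GET", "/", 200),
     _line("10.0.0.7", 2, "GET", "/robots.txt", 200),
     _line("10.0.0.7", 3, "GET", "/old-page", 404)]
    + [_line("10.0.0.5", s, "POST", "/login.php", 200) for s in range(10, 18)]
    + [_line("10.0.0.9", s, "GET", f"/guess{s}", 404) for s in range(20, 45)]
)

if __name__ == "__main__":
    for rule, ip, count in detect(SAMPLE_LOG):
        print(f"{rule}: {ip} ({count} events)")
```

Failed form logins usually return 200, which is why the login rule counts POSTs to the form rather than status codes; the 404 rule is what makes wordlist-driven enumeration stand out from a single typo by a real visitor.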

Identify vulnerabilities in web apps:

nikto (see the Nikto web app vulnerability scan tutorial)

wpscan (WordPress scanner; see the WPScan user documentation)

whatweb (shows the technologies in use and whether the site may be vulnerable to a given web-based attack)

Metasploit: the wmap plugin (loaded from msfconsole)

SQLi (SQL injection)

XSS (cross site scripting)

File inclusion (file upload)

Access to restricted URLs (e.g. impersonating the User-Agent; check robots.txt)

Path traversal (/../../../../../../../../../)

Command injection (the interpreter can run system commands such as whoami, cat, etc.)

Files with .asp, .aspx, .php or .config extensions (an upload function that accepts these extensions is vulnerable to uploading a reverse shell file)
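Added example (Python, not from these notes): the server-side checks behind the path traversal and file upload items above, each shown as the vulnerable form next to the hardened one. The upload directory and the extension allowlist are assumptions; the executable extensions are the ones listed above.

```python
"""Path traversal and upload extension checks: vulnerable vs hardened."""
import posixpath
from pathlib import PurePosixPath

UPLOAD_ROOT = "/var/www/uploads"                 # assumption: upload directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}    # assumption: what the app needs
# Extensions the notes list as dangerous when the server will execute them.
EXECUTABLE_EXTENSIONS = {".php", ".asp", ".aspx", ".config"}


def vulnerable_resolve(root, user_path):
    """Vulnerable: '../' sequences in user_path walk out of root."""
    return posixpath.normpath(posixpath.join(root, user_path))


def safe_resolve(root, user_path):
    """Hardened: join, normalise, then prove the result is still under root.
    commonpath (not startswith) is used so '/var/www/uploads2' is not accepted."""
    root = posixpath.abspath(root)
    candidate = posixpath.abspath(posixpath.join(root, user_path))
    if posixpath.commonpath([root, candidate]) != root:
        return None                              # escaped root: refuse
    return candidate


def vulnerable_upload_allowed(filename):
    """Vulnerable: denylist on the last suffix only; 'shell.php.png' passes."""
    return not filename.lower().endswith(tuple(EXECUTABLE_EXTENSIONS))


def upload_allowed(filename):
    """Hardened: allowlist, and every suffix is checked, not just the last."""
    name = PurePosixPath(filename).name          # drop any directory component
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:                             # no extension, or a dotfile
        return False
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    probe = "../../../../etc/passwd"             # the traversal pattern from the notes
    print("vulnerable:", vulnerable_resolve(UPLOAD_ROOT, probe))
    print("hardened:  ", safe_resolve(UPLOAD_ROOT, probe))
    for f in ("photo.jpg", "shell.php", "shell.php.png", "web.config"):
        print(f, vulnerable_upload_allowed(f), upload_allowed(f))
```

The double-extension case is the one that separates the two upload checks: a denylist on the final suffix accepts shell.php.png, which some server configurations still hand to the PHP interpreter, while the allowlist rejects it because .php appears anywhere in the name.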