
Enumerating Web

Enumeration is the process of gathering information about a target. In the context of web applications, this means finding out as much as possible about the target application. This information can be used to identify potential vulnerabilities and to help plan an attack.

Directory Enumeration

Directory enumeration is the process of finding directories on a web server. This can be done manually by browsing the website or automatically using tools like dirb, dirbuster, or gobuster.

gobuster dir --url [url] --wordlist [wordlist] -x [extensions, e.g. php,txt,html] -t [threads]

Search for PHP files and directories:

gobuster dir --url $url --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php -t 150

gobuster dir --url $url --wordlist "$(locate '*list-2.3-medium.txt' | head -n 1)" -t 150 -x php

# Locate the wordlist and feed it to gobuster on stdin (-w -)
cat "$(locate '*list-2.3-medium.txt' | head -n 1)" | gobuster dir --url $url -w - -t 50 -x php

FeroxBuster

FeroxBuster is a tool for web content discovery. It is similar to gobuster.

# A complete example
feroxbuster -u http://192.168.1.26:8000/api/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -H 'Authorization: Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IlNhbW15IiwiZXhwIjoxNjgzNTgwODE2LCJzdWIiOiJhY2Nlc3MifQ.QCYFvWCrs74U_6bs8SYx6hR5QhjKHkKOwdJh9x8tlIo'

# Without headers
feroxbuster -u <URL> -w <wordlist> -t 50

API Endpoint Fuzzing

API Endpoint Fuzzing is a security testing technique used to discover vulnerabilities in web application programming interfaces (APIs). It involves sending large numbers of intentionally malformed or unexpected inputs to an API endpoint to identify potential weaknesses or security flaws.

ffuf -u http://10.10.160.127/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "value=this_is_not_real"

You can specify cookies with the -b parameter (NAME=VALUE pairs, separated by semicolons).

Parameter Enumeration

To enumerate GET parameters, you can use the following command:

ffuf -w burp-parameter-names.txt:FUZZ -u http://127.0.0.1:5000/?FUZZ=val -fs [size]

# A complete example: -fs 15 hides responses whose body is 15 bytes,
# i.e. the size the application returns for a parameter it ignores
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://127.0.0.1:5000/?FUZZ=val -fs 15

#MATCHER OPTIONS:
#  -mc              Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
#  -ml              Match amount of lines in response
#  -mr              Match regexp
#  -ms              Match HTTP response size
#  -mw              Match amount of words in response
#
#FILTER OPTIONS:
#  -fc              Filter HTTP status codes from response. Comma separated list of codes and ranges
#  -fl              Filter by amount of lines in response. Comma separated list of line counts and ranges
#  -fr              Filter regexp
#  -fs              Filter HTTP response size. Comma separated list of sizes and ranges
#  -fw              Filter by amount of words in response. Comma separated list of word counts and ranges

To enumerate POST parameters, you can use the following command:

ffuf -w burp-parameter-names.txt:FUZZ -X POST -d "FUZZ=val" -u http://

# FUZZ belongs only in the POST body here; keeping it in the URL as well would fuzz both positions at once
ffuf -w "$(locate burp-parameter-names.txt | head -n 1):FUZZ" -X POST -d "FUZZ=val" -u http://127.0.0.1:5000/

Subdomain & vhost fuzzing

Subdomain and vhost fuzzing is a technique used to discover hidden subdomains and virtual hosts on a target domain. This can help identify additional attack surfaces and potential vulnerabilities in web applications. There are several tools that can be used for subdomain and vhost fuzzing, including gobuster, wfuzz and ffuf. These tools allow you to brute force subdomains and virtual hosts by trying different combinations of words and characters in the domain name. This can help uncover hidden subdomains and virtual hosts that may not be publicly accessible or visible through normal browsing.

To perform subdomain and vhost fuzzing, you can use the following commands:

gobuster vhost --useragent "PENTEST" --wordlist "/path/to/wordlist.txt" --url $URL

Some applications don't respond to vhost fuzzing as shown above. The command below can be used to fuzz the Host header instead.

wfuzz -H "Host: FUZZ.something.com" --hc 404,403 -H "User-Agent: PENTEST" -c -z file,"/path/to/wordlist.txt" $URL

Another tool that can be used for subdomain and vhost fuzzing is ffuf. The command below can be used to fuzz the host header.

ffuf -H "Host: FUZZ.$DOMAIN" -H "User-Agent: PENTEST" -c -w "/path/to/wordlist.txt" -u $URL

Another way is to put FUZZ in the URL itself, so every candidate subdomain has to resolve in DNS (-r follows redirects):

ffuf -c -r -w "/path/to/wordlist.txt" -u "http://FUZZ.$TARGET/"
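The directory, parameter and Host header fuzzing described above all leave a characteristic trace in the web server's access log: a burst of 404s from one client, and requests for hostnames the server does not own. As an added example that is not part of these notes, the script below parses constructed access-log lines and flags both patterns; the log layout, hostnames, addresses, user agents and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache vhost_combined-like layout:
# vhost, client IP, timestamp, request line, status, size, referer, user agent).
SAMPLE_LOG = """\
app.example.com 203.0.113.7 [10/May/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
app.example.com 198.51.100.9 [10/May/2023:12:00:02 +0000] "GET /admin.php HTTP/1.1" 404 15 "-" "gobuster/3.6"
app.example.com 198.51.100.9 [10/May/2023:12:00:02 +0000] "GET /backup.php HTTP/1.1" 404 15 "-" "gobuster/3.6"
app.example.com 198.51.100.9 [10/May/2023:12:00:02 +0000] "GET /test.php HTTP/1.1" 404 15 "-" "gobuster/3.6"
app.example.com 198.51.100.9 [10/May/2023:12:00:03 +0000] "GET /login.php HTTP/1.1" 200 2210 "-" "gobuster/3.6"
dev.example.com 198.51.100.9 [10/May/2023:12:00:04 +0000] "GET / HTTP/1.1" 404 15 "-" "PENTEST"
staging.example.com 198.51.100.9 [10/May/2023:12:00:04 +0000] "GET / HTTP/1.1" 200 900 "-" "PENTEST"
app.example.com 203.0.113.7 [10/May/2023:12:00:05 +0000] "GET /missing HTTP/1.1" 404 15 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the only hostname this server legitimately serves.
KNOWN_VHOSTS = {"app.example.com"}


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def find_enumeration(rows, max_404_per_ip=3, known_vhosts=KNOWN_VHOSTS):
    """Flag per-client 404 bursts (directory/parameter brute force) and
    requests whose Host header names a vhost this server does not own."""
    not_found = defaultdict(int)
    unknown_hosts = defaultdict(set)
    for r in rows:
        if r["status"] == 404:
            not_found[r["ip"]] += 1
        if r["vhost"] not in known_vhosts:
            unknown_hosts[r["ip"]].add(r["vhost"])
    findings = [("dir_bruteforce", ip, n) for ip, n in not_found.items() if n >= max_404_per_ip]
    findings += [("vhost_fuzzing", ip, len(h)) for ip, h in unknown_hosts.items()]
    return sorted(findings)
```

In production the 404 count should be a rate over a time window rather than a plain total, and the known-vhost set should come from the server configuration.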