Directory Scanning to identify the sub directories
Using gobuster to find the sub directories:
gobuster dir -u http://10.10.10.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.88
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/23 20:44:04 Starting gobuster in directory enumeration mode
===============================================================
/webservices (Status: 301) [Size: 316] [--> http://10.10.10.88/webservices/]
/server-status (Status: 403) [Size: 299]
===============================================================
2022/03/23 21:01:06 Finished
===============================================================

Login Credentials and Rabbithole
As we found one sub directory, always run one more gobuster scan with the new subdirectory URL to check whether any further sub directories are present (gobuster does not recurse by default).
This second scan found a new directory that the first scan could not see.
gobuster dir -u http://10.10.10.88/webservices -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.88/webservices
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/25 21:54:56 Starting gobuster in directory enumeration mode
===============================================================
/wp (Status: 301) [Size: 319] [--> http://10.10.10.88/webservices/wp/]
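From the defender's side, the two gobuster runs above leave a very recognisable footprint in the web server's access log: a burst of GET requests from one client, almost all answered with 404 (the code gobuster treats as "negative"), and by default a User-Agent of gobuster/3.1.0. The following detection logic, an added example that is not part of the original page, runs that check over a constructed sample of Apache combined-format log lines; the thresholds (20 requests in 60 s, 80% 404s) and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (sample lines are constructed below, not taken from the page)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Default user agents of common directory scanners; trivially changed, so only a weak signal
SCANNER_UA = re.compile(r"gobuster|wfuzz|dirb|feroxbuster", re.I)

def detect_bruteforce(lines, min_requests=20, min_404_ratio=0.8, window_s=60):
    """Flag clients producing a burst of mostly-404 responses, the footprint of a wordlist
    scan (gobuster treats 404 as 'negative', so nearly every probe is a 404). Returns {ip: reason}."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_ip[m['ip']].append(m)
    alerts = {}
    for ip, hits in per_ip.items():
        times = sorted(datetime.strptime(h['ts'], TS_FMT) for h in hits)
        n404 = sum(h['status'] == '404' for h in hits)
        burst = len(hits) >= min_requests and (times[-1] - times[0]).total_seconds() <= window_s
        if burst and n404 / len(hits) >= min_404_ratio:
            alerts[ip] = f"{len(hits)} requests, {n404} x 404 within {window_s}s"
        elif any(SCANNER_UA.search(h['ua']) for h in hits):
            alerts[ip] = "scanner user agent"  # weaker signal on its own
    return alerts

def sample_log():
    """Constructed sample: 24 wordlist probes from one client (20 x 404, 4 x 301) plus 3 normal hits."""
    words = ["images", "download", "news", "webservices", "blog", "faq"] * 4
    lines = []
    for i, w in enumerate(words):
        status = "301" if w == "webservices" else "404"
        lines.append(f'10.10.14.5 - - [23/Mar/2022:20:44:{i:02d} +0000] "GET /{w} HTTP/1.1" '
                     f'{status} 299 "-" "gobuster/3.1.0"')
    for i in range(3):
        lines.append(f'192.0.2.10 - - [23/Mar/2022:20:4{i}:00 +0000] "GET /index.php HTTP/1.1" '
                     f'200 10766 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

The 404-ratio rule is the one worth alerting on; a matching user agent only confirms which tool was used when the scanner did not bother to change it.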
SSL websites scan
Gobuster needs to scan http and https websites separately. If you want to skip certificate validity checks (for example a self-signed certificate on a lab box), use the -k switch:
gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirb/common.txt -k
Scanning a large number of sub directories
If the website has a large number of folders, or simply for easier review, write the output to a file using the -o flag:
gobuster dir -u http://10.10.10.58:3000/ -w /usr/share/wordlists/dirb/common.txt -o directory.txt
Some more methods for directory scanning to find sub directories
Using Wfuzz
The --sc flag shows only the HTTP status codes we want (below, 200 and 301 are the codes selected for display):
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,301 http://10.10.10.88/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.88/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt"
000000003: 200 563 L 128 W 10766 Ch "# Copyright 2007 James Fisher"
000000007: 200 563 L 128 W 10766 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000013: 200 563 L 128 W 10766 Ch "#"
000000014: 200 563 L 128 W 10766 Ch "http://10.10.10.88/"
000000012: 200 563 L 128 W 10766 Ch "# on atleast 2 different hosts"
000000011: 200 563 L 128 W 10766 Ch "# Priority ordered case sensative list, where entries were found"
000000008: 200 563 L 128 W 10766 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000005: 200 563 L 128 W 10766 Ch "# This work is licensed under the Creative Commons"
000000010: 200 563 L 128 W 10766 Ch "#"
000000009: 200 563 L 128 W 10766 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000004: 200 563 L 128 W 10766 Ch "#"
000000002: 200 563 L 128 W 10766 Ch "#"
000000006: 200 563 L 128 W 10766 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000001967: 301 9 L 28 W 316 Ch "webservices"
000016812: 404 9 L 32 W 278 Ch "xbg"
000045240: 200 563 L 128 W 10766 Ch "http://10.10.10.88/"
000000159: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - logos"
Total time: 2743.707
Processed Requests: 84630
The --hc flag hides the HTTP status codes we want to exclude (here 404):
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://10.10.10.88/webservices/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.88/webservices/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 403 11 L 32 W 298 Ch "# directory-list-2.3-medium.txt"
000000013: 403 11 L 32 W 298 Ch "#"
000000011: 403 11 L 32 W 298 Ch "# Priority ordered case sensative list, where entries were found"
000000007: 403 11 L 32 W 298 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000014: 403 11 L 32 W 298 Ch "http://10.10.10.88/webservices/"
000000012: 403 11 L 32 W 298 Ch "# on atleast 2 different hosts"
000000003: 403 11 L 32 W 298 Ch "# Copyright 2007 James Fisher"
000000010: 403 11 L 32 W 298 Ch "#"
000000005: 403 11 L 32 W 298 Ch "# This work is licensed under the Creative Commons"
000000006: 403 11 L 32 W 298 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000002: 403 11 L 32 W 298 Ch "#"
000000009: 403 11 L 32 W 298 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000004: 403 11 L 32 W 298 Ch "#"
000000008: 403 11 L 32 W 298 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000793: 301 9 L 28 W 319 Ch "wp"
Multiple wordlists for directory scanning
FUZZ uses the first wordlist specified and FUZ2Z the second one, so every entry of the first list is combined with every entry of the second (the request count below is the product of the two list sizes):
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://10.10.10.88/FUZZ/FUZ2Z
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.88/FUZZ/FUZ2Z
Total requests: 48646713600
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # directory-list-2.3-medium.txt"
000000003: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # Copyright 2007 James Fisher"
000000015: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - index"
000000007: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000014: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt"
000000008: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # or send a letter to Creative Commons, 171 Second Street,"
000000005: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # This work is licensed under the Creative Commons"
000000002: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - #"
000000009: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # Suite 300, San Francisco, California, 94105, USA."
000000006: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - # Attribution-Share Alike 3.0 License. To view a copy of this"
000000017: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - download"
000000019: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - news"
000000023: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - full"
000000031: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - logo"
000000004: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - #"
000000033: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - new"
000000030: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 11"
000000032: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - blog"
000000029: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - privacy"
000000028: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - spacer"
000000026: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - about"
000000025: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - contact"
000000022: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - warez"
000000024: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 12"
000000027: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - search"
000000034: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 10"
000000036: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - faq"
000000016: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - images"
000000021: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - serial"
000000018: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 2006"
000000020: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - crack"
000000040: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - default"
000000048: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 01"
000000052: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 07"
000000051: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 2"
000000050: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 06"
000000047: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - links"
000000049: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 08"
000000046: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 09"
000000045: 200 563 L 128 W 10766 Ch "# directory-list-2.3-medium.txt - 1"
An interesting thing about wfuzz is that the FUZZ keyword can be placed anywhere in the request, so it can also identify subdomains of a main domain, for example in the header Host: FUZZ.object.htb. Here FUZZ is replaced with each entry of the subdomain wordlist we have. See the example below:
wfuzz -u http://object.htb -H 'Host: FUZZ.object.htb' -w /usr/share/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://object.htb/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 362 L 3419 W 29932 Ch "www"
000000007: 200 362 L 3419 W 29932 Ch "webdisk"
000000047: 200 362 L 3419 W 29932 Ch "news"
000000046: 200 362 L 3419 W 29932 Ch "img"
000000015: 200 362 L 3419 W 29932 Ch "ns"
000000050: 200 362 L 3419 W 29932 Ch "wiki"
000000048: 200 362 L 3419 W 29932 Ch "portal"
Since the output is large, reduce it with --hh 29932, which hides every response of that character count (the size shared by all the results above, i.e. the default virtual host answering for any unknown subdomain):
wfuzz -u http://object.htb -H 'Host: FUZZ.object.htb' -w /usr/share/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt --hh 29932
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://object.htb/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
Total time: 0
Processed Requests: 1851
Filtered Requests: 1851
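To make the --sc, --hc and --hh filters used in the wfuzz runs above concrete, here is an added example (not part of the original page or of wfuzz itself) that parses wfuzz result lines and applies the same three filters to a constructed sample modelled on the output shown on this page. Combining the filters conjunctively is an assumption; it matches the single-filter cases used here.

```python
import re
from collections import namedtuple

# One wfuzz result line, e.g.:  000001967:   301   9 L   28 W   316 Ch   "webservices"
WFUZZ_LINE = re.compile(
    r'^(?P<id>\d+):\s+(?P<code>\d{3})\s+(?P<lines>\d+) L\s+(?P<words>\d+) W\s+'
    r'(?P<chars>\d+) Ch\s+"(?P<payload>.*)"$'
)
Result = namedtuple("Result", "id code lines words chars payload")

def parse_wfuzz(text):
    """Return a Result for every result line; banner and summary lines are skipped."""
    out = []
    for line in text.splitlines():
        m = WFUZZ_LINE.match(line.strip())
        if m:
            out.append(Result(int(m['id']), int(m['code']), int(m['lines']),
                              int(m['words']), int(m['chars']), m['payload']))
    return out

def apply_filters(results, sc=None, hc=None, hh=None):
    """Mimic --sc (show only these codes), --hc (hide these codes) and --hh (hide responses
    with these character counts). A result is kept only if it passes every filter given."""
    kept = []
    for r in results:
        if sc is not None and r.code not in sc:
            continue
        if hc is not None and r.code in hc:
            continue
        if hh is not None and r.chars in hh:
            continue
        kept.append(r)
    return kept

# Constructed sample modelled on the wfuzz output shown on this page
SAMPLE = """\
000000014: 200 563 L 128 W 10766 Ch "http://10.10.10.88/"
000001967: 301 9 L 28 W 316 Ch "webservices"
000016812: 404 9 L 32 W 278 Ch "xbg"
000000793: 301 9 L 28 W 319 Ch "wp"
Total time: 2743.707
"""

def demo():
    """Payloads surviving each filter, keyed by the wfuzz flag it imitates."""
    results = parse_wfuzz(SAMPLE)
    return {
        "sc": [r.payload for r in apply_filters(results, sc={200, 301})],
        "hc": [r.payload for r in apply_filters(results, hc={404})],
        "hh": [r.payload for r in apply_filters(results, hh={10766})],
    }
```

The --hh case is the one that matters for the subdomain scan: hiding the 29932-character catch-all response leaves only hosts that answer differently.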
Using Feroxbuster

You can see the neater results above. The same scan done with gobuster gives pages of results, which you need to write to a file to review.

Dirb
Dirb scanning using username and password authentication
