Notes on website enumeration
Enumeration with Nmap
Process
- Verify that ports 80/443 are open on the target host: ncat -v 1.2.3.4 80 and ncat -v 1.2.3.4 443, or nmap -p 80,443 1.2.3.4
- Run the http-enum NSE script: nmap --script=http-enum 1.2.3.4
- Check which services and versions are running on the web ports: nmap -sV -p 80,443 1.2.3.4
To gain more information on the services identified on the web ports (and on their potential vulnerabilities), run the relevant http-* NSE scripts, for example:
nmap --script=http-php-version 1.2.3.4
nmap --script=http-enum 1.2.3.4
http-enum reports the HTTP details for each web port and lists the directories and files it found on the target server (admin folders, backup files, login pages and so on); http-php-version attempts to determine the PHP version from the server's responses.
Nmap scripts
nmap --script=http-enum 1.2.3.4
nmap --script=http-php-version 1.2.3.4
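The steps above typed out as a small shell script. This is an added example, not part of the original notes: it wraps the port check and the nmap scan in functions and parses the http-enum output into a plain list of discovered paths, so the findings can be fed into later steps. The target 1.2.3.4 and the sample scan output embedded in the script are constructed for illustration; only run the live functions against hosts you are authorised to test.

```shell
#!/bin/sh
# Added example (not from the original notes): nmap-based web enumeration
# helpers plus a parser for http-enum output. The target 1.2.3.4 and the
# sample output in SAMPLE_HTTP_ENUM are constructed, not real scan results.

# Step 1: confirm the web ports answer at all. ncat -z only completes the
# TCP handshake and sends no data; -w 3 caps the wait per port.
check_web_ports() {
    target="$1"
    for port in 80 443; do
        if ncat -z -w 3 "$target" "$port" 2>/dev/null; then
            echo "$port open"
        else
            echo "$port closed/filtered"
        fi
    done
}

# Steps 2 and 3: service/version detection and the http-enum and
# http-php-version NSE scripts on the web ports, saved in nmap's normal
# output format (-oN) so the result can be parsed afterwards.
enum_web() {
    target="$1"
    out="${2:-nmap-http-enum.txt}"
    nmap -sV -p 80,443 --script=http-enum,http-php-version -oN "$out" "$target"
}

# Parse nmap normal output on stdin and print "<port> <path> <description>"
# for every path http-enum reported. Port lines look like "80/tcp open ...";
# NSE output lines start with "|" (or "|_" for the last line) and the paths
# reported by http-enum start with "/".
parse_http_enum() {
    awk '
        /^[0-9]+\/tcp/ { port = $1; sub(/\/tcp.*/, "", port) }
        /^[|]_? *\// {
            line = $0
            sub(/^[|]_? */, "", line)        # drop the "|" / "|_" prefix
            path = line; sub(/:.*/, "", path)
            desc = line; sub(/^[^:]*: */, "", desc)
            print port, path, desc
        }
    '
}

# Number of paths http-enum found in the output on stdin.
count_paths() {
    parse_http_enum | wc -l | tr -d " "
}

# Constructed sample of what enum_web writes to its -oN file.
SAMPLE_HTTP_ENUM='Nmap scan report for 1.2.3.4
Host is up (0.0010s latency).

PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache httpd 2.4.41
| http-enum:
|   /admin/: Possible admin folder
|   /robots.txt: Robots file
|   /phpinfo.php: Possible information file
|_  /login.php: Login page
443/tcp closed https'

# Usage: ./webenum.sh --demo       (parse the embedded sample)
#        ./webenum.sh 1.2.3.4      (live: port check, scan, then parse)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_HTTP_ENUM" | parse_http_enum ;;
    "")     ;;
    *)      check_web_ports "$1"
            enum_web "$1" scan.txt
            parse_http_enum < scan.txt ;;
esac
```

Against the sample, parse_http_enum emits one line per discovered path (80 /admin/ Possible admin folder, and so on), which is a convenient input for the DirBuster or manual checks that follow: every path http-enum finds is a candidate for a closer look, and the version string from -sV is what you search for known issues against.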
Collecting OSINT (open source intelligence gathering)
theHarvester
Gathers data about a domain from public sources, such as email addresses, subdomains and hostnames.
- Run with the theharvester command in the terminal
- Select options: -d for the domain, -b for the data source (such as google), -l to limit the number of results
- Example: theharvester -d bob.com -l 200 -b google
OSRFramework
Open source research framework, built from a number of Python scripts
- usufy.py -n bob will check for user profiles registered under the nickname bob across a large number of platforms
- mailfy.py -n dan will search for email addresses matching the target nickname and check whether they appear in known leaks
- searchfy.py -q "bob" will search online through places like GitHub and Instagram for matching profiles
- domainfy.py -n bob will find registered domains built from that name across different TLDs
OWASP DirBuster for exposing hidden directories and files
Process
- Start the application from the console with the command: dirbuster
- Enter the target URL and port
- Set the number of threads
- Set the type of brute force: either list based or pure. If selecting list based, a number of dictionary lists can be found by pressing List Info
- Default lists are stored in /usr/share/dirbuster/wordlists
- Can take a fair while to run, and because it sends one request per wordlist entry it is very noisy in the target's web server logs
