Sat. Apr 17th, 2021

Notes on website enumeration

Enumeration with NMAP

  1. Verify that ports 80/443 are open on the target host: ncat -v <target> 80, ncat -v <target> 443, or nmap
  2. Run the http-enum script in NMAP: nmap --script=http-enum <target>
  3. Check the services running on the target ports: nmap -sV -p80 <target>

Gain more info on vulnerabilities in the services identified on the web ports, for example:
nmap --script=http-php-version <target>

nmap --script=http-enum <target>
Provides HTTP info on the ports and a list of the web folders found on the target server

NMAP Scripts
nmap --script=http-enum
nmap --script=http-php-version 1234
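Once the three steps above have run, the useful output is scattered across ports, service banners and script blocks. The parser below reads nmap's XML output (`-oX -`) from the `-sV --script=http-enum` scan and turns it into one record per port with its state, version banner and the paths http-enum found. It is an added example, not part of the original notes; the embedded scan output is constructed, and 192.0.2.10 is a documentation address.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV --script=http-enum -p80,443 -oX -` output;
# the host, product versions and discovered paths are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=http-enum -p80,443 -oX - 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)"/>
<script id="http-enum" output="&#xa;  /admin/: Possible admin folder&#xa;  /robots.txt: Robots file&#xa;  /phpmyadmin/: phpMyAdmin&#xa;"/>
</port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""


@dataclass
class WebPort:
    host: str
    port: int
    state: str
    service: str                               # e.g. "http Apache httpd 2.4.29 (Ubuntu)"
    paths: list = field(default_factory=list)  # (path, description) pairs from http-enum


def parse_http_enum(output):
    """Turn http-enum's '  /path: description' lines into (path, description) tuples."""
    found = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path, _, desc = line.partition(": ")
            found.append((path, desc.strip()))
    return found


def parse_nmap_xml(xml_text):
    """Return one WebPort per scanned port: state, -sV banner and http-enum findings."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            fields = ("name", "product", "version", "extrainfo")
            banner = " ".join(v for v in (svc.get(f) for f in fields) if v) if svc is not None else ""
            script = port.find("script[@id='http-enum']")
            paths = parse_http_enum(script.get("output", "")) if script is not None else []
            results.append(WebPort(addr, int(port.get("portid")), port.find("state").get("state"), banner, paths))
    return results


if __name__ == "__main__":
    for wp in parse_nmap_xml(SAMPLE_XML):
        print(f"{wp.host}:{wp.port} {wp.state} {wp.service}")
        for path, desc in wp.paths:
            print(f"    {path:<16} {desc}")
```

Feed it a real scan with `nmap -sV --script=http-enum -p80,443 -oX scan.xml <target>` and pass the file contents to `parse_nmap_xml`.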

Collecting OSINT information (open source intelligence gathering) 

Lets you gather data for a domain and retrieve things such as email addresses

  1. Run the theHarvester command on the terminal
  2. Select options: -d for the domain, -b for the data source such as google
  3. Example: theHarvester -d bob.com -l 200 -b google

OSRFramework (open-source reconnaissance framework) is built upon numerous Python scripts

  1. usufy.py -n bob.com will check for user profiles matching the target domain
  2. mailfy.py -n dan will search for email addresses matching the target and whether they have been leaked
  3. searchfy.py -q "bob" will search online through places like GitHub and Instagram for matching info
  4. domainfy.py -n bob will find website domains associated with the domain name

OWASP DirBuster for exposing hidden directories

  1. Start the application from the console with the following command: dirbuster
  2. Enter the target URL and port
  3. Change the number of threads
  4. Set the type of brute force, either list based or pure. If selecting list based, a number of dictionary lists can be found by pressing List Info
  5. Default lists are stored in /usr/share/dirbuster/wordlists
  6. Can take a fair while to run
[Screenshot: OWASP DirBuster 1.0-RC1 - Web Application Brute Forcer main window]