🌐 Web Enumeration

Web application reconnaissance and content discovery.


INITIAL WEB RECON

Browse manually in browser

Look at the site. Read it. Click around. — Context before tools

http://$IP
https://$IP
http://$IP:8080
Example Output
See a login page, CMS, or custom app
Check footer: 'Powered by WordPress 5.8'
Check URLs: /index.php?page=about (LFI candidate)

Check page source (Ctrl+U)

Comments, hidden fields, JS files, API endpoints — Devs leave secrets in comments

View source on every page
Example Output
<!-- TODO: remove debug credentials -->
<!-- admin:Passw0rd123 -->
<script src='/api/v1/config.js'></script>
<input type='hidden' name='debug' value='true'>

Check robots.txt

Disallowed paths — Paths they don't want indexed

curl http://$IP/robots.txt
Example Output
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /internal/
Disallow: /wp-admin/
(Now you know hidden paths exist)

Check sitemap.xml

Site structure — Hidden pages and directories

curl http://$IP/sitemap.xml
Example Output
curl http://10.10.10.5/sitemap.xml
<urlset>
  <url><loc>/internal-dashboard/</loc></url>
  <url><loc>/api/v2/users/</loc></url>
  <url><loc>/old-admin/</loc></url>
</urlset>
(Hidden paths revealed)

Check security.txt

Security contact info — May reveal tech stack

curl http://$IP/.well-known/security.txt
Example Output
curl http://10.10.10.5/.well-known/security.txt
Contact: security@corp.local
Preferred-Languages: en
Canonical: https://corp.local/.well-known/security.txt
(Confirms domain, may reveal email format)

Identify technology stack

CMS, framework, language, server — Guides your attack approach

whatweb http://$IP
wappalyzer (browser extension)
Example Output
whatweb http://10.10.10.5
http://10.10.10.5 [200 OK]
  Apache[2.4.29], PHP[7.2.10],
  WordPress[5.8], jQuery[3.6.0],
  Country[US]

Check HTTP headers

Server, X-Powered-By, cookies — Version info, security headers

curl -I http://$IP
Example Output
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.10
Set-Cookie: PHPSESSID=abc123
(Versions exposed = search for CVEs)
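A defender-side audit of the header block the `curl -I` step returns, as an added example that is not part of the original cheat sheet: it flags version disclosure in Server/X-Powered-By, session cookies without HttpOnly/Secure, and absent hardening headers (the X-Content-Type-Options gap is the one Nikto reports further down). The sample header block is constructed and the expected-header baseline is an assumption.

```python
import re

# Constructed sample: the header block the page's `curl -I` step returns (not a real host)
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.10
Set-Cookie: PHPSESSID=abc123
Content-Type: text/html; charset=UTF-8
"""

# Assumed hardening baseline; adjust to your own policy
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number inside a header value


def parse_headers(raw):
    """Turn a raw `curl -I` response into (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw):
    """Return findings: version disclosure, cookies without HttpOnly/Secure, missing headers."""
    pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value}")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in flags:
                    findings.append(f"cookie {cookie_name} missing {flag}")
    present = {name for name, _ in pairs}
    findings.extend(f"missing {h}" for h in EXPECTED_SECURITY_HEADERS if h not in present)
    return findings
```

Each finding maps to a server-side fix: strip the version token (ServerTokens Prod, expose_php=Off), set the cookie flags, and add the missing headers.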

Check SSL/TLS cert

Certificate details — Hostnames, org info, valid dates

openssl s_client -connect $IP:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Example Output
openssl s_client -connect 10.10.10.5:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = dev.corp.local
subjectAltName = DNS:dev.corp.local, DNS:staging.corp.local
(Found additional hostnames to add to /etc/hosts)

Add hostname to /etc/hosts

If you discover a hostname — Virtual host routing

echo "$IP hostname.htb" | sudo tee -a /etc/hosts
Example Output
echo '10.10.10.5 target.htb dev.target.htb' >> /etc/hosts

curl http://target.htb -> 'Welcome to Our App'
curl http://10.10.10.5 -> 'Apache Default Page'
(Different content = virtual hosting confirmed)

Screenshot all web ports

Visual record — Quick reference for reporting

gowitness single http://$IP
Example Output
gowitness single http://10.10.10.5
gowitness single https://10.10.10.5
gowitness single http://10.10.10.5:8080
(Visual screenshots saved for reference and reporting)

DIRECTORY / FILE DISCOVERY

Gobuster directory scan

Main directory brute force — Find hidden directories

gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
Example Output
=======================================
/admin        (Status: 301)
/uploads      (Status: 301)
/backup       (Status: 301)
/config       (Status: 403)
/phpmyadmin   (Status: 200)
/api          (Status: 200)

Gobuster with extensions

Find files with extensions — php/txt/bak files are gold

gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak,old,conf,zip -o gobuster_ext.txt
Example Output
/config.php.bak  (Status: 200)  <- backup config!
/notes.txt       (Status: 200)  <- dev notes
/shell.php       (Status: 200)  <- existing shell?
/database.sql    (Status: 200)  <- DB dump

Feroxbuster (recursive)

Recursive scanning — Finds nested directories

feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Example Output
feroxbuster -u http://10.10.10.5
200  GET  /admin/
200  GET  /admin/config/
200  GET  /admin/config/database.yml  <- nested find!
301  GET  /backup/
200  GET  /backup/site_2024.zip

Scan discovered directories

Enumerate inside each dir found — Go deeper

gobuster dir -u http://$IP/<found_dir> -w <wordlist> -x php,txt
Example Output
gobuster dir -u http://10.10.10.5/admin -w wordlist.txt -x php
/admin/login.php    (Status: 200)
/admin/config.php   (Status: 200)
/admin/uploads/     (Status: 301)
/admin/backup.php   (Status: 200)

Virtual host / subdomain scan

Find virtual hosts — Different sites on same server

gobuster vhost -u http://<domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
Example Output
Found: dev.domain.htb (Status: 200) [Size: 5432]
Found: staging.domain.htb (Status: 200) [Size: 1234]
Found: admin.domain.htb (Status: 302) [Size: 0]
(Add each to /etc/hosts and browse)

FFUF for fuzzing

Fast fuzzer — Flexible filtering

ffuf -u http://$IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -mc 200,301,302
Example Output
ffuf -u http://10.10.10.5/FUZZ -w wordlist.txt -mc 200,301
admin          [Status: 301, Size: 312]
backup         [Status: 301, Size: 314]
api            [Status: 200, Size: 1543]
.env           [Status: 200, Size: 256]

Check for common files

Manual checks for sensitive files — Backup configs, git repos, env files

curl http://$IP/wp-config.php.bak
curl http://$IP/.git/HEAD
curl http://$IP/.env
curl http://$IP/web.config
curl http://$IP/config.php
Example Output
curl http://10.10.10.5/.git/HEAD
ref: refs/heads/master
(GIT REPO EXPOSED! Use git-dumper)

curl http://10.10.10.5/.env
DB_PASSWORD=s3cretDBp@ss
APP_KEY=base64:abc123...
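The flip side of the directory brute-force and common-file checks above is spotting them in the server's own access log; this added example (not from the original cheat sheet) runs that detection over constructed Apache combined-format lines: a burst of 404s inside one window, a known scanner user agent, and any request for the sensitive paths this page probes, distinguishing a probe (404) from a confirmed exposure (200). The threshold, window and scanner list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: 10.0.0.7 browses normally, 10.0.0.9 runs a wordlist scan and
# probes the files this page's "Check for common files" step requests. Nothing real.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 301 312 "-" "gobuster/3.6"
10.0.0.9 - - [10/Mar/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [10/Mar/2024:10:00:03 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [10/Mar/2024:10:00:04 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "gobuster/3.6"
10.0.0.9 - - [10/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "gobuster/3.6"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
SENSITIVE_PATHS = {"/.git/HEAD", "/.env", "/wp-config.php.bak", "/web.config", "/config.php"}
SCANNER_UA = re.compile(r"gobuster|feroxbuster|ffuf|nikto|wpscan|dirbuster", re.I)  # assumed list


def parse_line(line):
    """Return (ip, timestamp, path, status, user_agent), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status), ua


def detect(log_text, burst_404=3, window=timedelta(seconds=60)):
    """Map client IP -> sorted alerts: 404 bursts, scanner user agents, sensitive-path hits."""
    alerts, not_found = defaultdict(set), defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, ts, path, status, ua = parsed
        if status == 404:
            not_found[ip].append(ts)
        if SCANNER_UA.search(ua):
            alerts[ip].add("scanner user-agent")
        if path in SENSITIVE_PATHS:  # a 200 here means the file really is exposed
            alerts[ip].add(("exposed " if status == 200 else "probed ") + path)
    for ip, stamps in not_found.items():
        stamps.sort()  # burst_404 consecutive 404s falling inside one window is a burst
        if any(stamps[i + burst_404 - 1] - t <= window for i, t in enumerate(stamps[: len(stamps) - burst_404 + 1])):
            alerts[ip].add("404 burst")
    return {ip: sorted(a) for ip, a in alerts.items()}
```

An "exposed" alert is the one to act on first: the file is reachable regardless of who asked, so remove it or deny it in the web server config rather than just blocking the client.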

Nikto web scanner

Vulnerability scanner — Quick scan for known issues

nikto -h http://$IP
Example Output
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The X-Content-Type-Options header is not set
+ /config.php: PHP Config file found
+ /backup/: Directory indexing found
+ OSVDB-3233: /icons/README: Apache default file found

CMS DETECTION & ENUMERATION

WordPress scan

Plugins, themes, users — WP is full of vuln plugins

wpscan --url http://$IP --enumerate ap,at,u --api-token <token>
Example Output
wpscan output:
[+] WordPress version 5.8 identified
[!] 3 vulnerabilities identified
[+] Plugin: wp-file-manager 6.9
  | [!] CVE-2020-25213 - Unauthenticated RCE
[+] Users found: admin, editor

WordPress user enum

Find usernames — Then brute force wp-login

wpscan --url http://$IP --enumerate u
Example Output
wpscan --url http://10.10.10.5 --enumerate u
[+] admin
 | Found By: Author Posts
[+] editor
 | Found By: Wp Json Api
(Now brute force these usernames)

WordPress brute force

Login brute force — Weak admin passwords

wpscan --url http://$IP --usernames <user> --passwords /usr/share/wordlists/rockyou.txt
Example Output
wpscan --url http://10.10.10.5 --usernames admin --passwords rockyou.txt
[+] Performing password attack on Xmlrpc against 1 user(s)
[SUCCESS] - admin / sunshine1
(Login at /wp-admin with admin:sunshine1)

Joomla scan

Joomla enumeration — Version, plugins, vulns

joomscan -u http://$IP
Example Output
[+] Joomla 3.7.0
[++] Joomla 3.7.0 - SQL Injection
    CVE: CVE-2017-8917
    URL: /index.php?option=com_fields&view=fields&layout=modal

Drupal scan

Drupal enumeration — Drupalgeddon exploits

droopescan scan drupal -u http://$IP
Example Output
droopescan scan drupal -u http://10.10.10.5
[+] Version: 7.54
[+] Plugins: php_filter, views
[!] Drupal < 7.58 - Drupalgeddon2 (CVE-2018-7600)
(Unauthenticated RCE if vulnerable)

Check /wp-admin, /administrator, /admin

Manual CMS detection — Find login panels

Browse to common admin paths
Example Output
http://10.10.10.5/wp-admin -> WordPress login
http://10.10.10.5/administrator -> Joomla login
http://10.10.10.5/admin -> Custom admin panel
(Found login page = try defaults, SQLi, brute force)

Check CMS version

Exact version for exploit search — Version-specific exploits

View source for generator meta tag
curl http://$IP/readme.html
curl http://$IP/CHANGELOG.txt
Example Output
View source: <meta name='generator' content='WordPress 5.8'/>
curl http://10.10.10.5/readme.html -> WordPress 5.8
curl http://10.10.10.5/CHANGELOG.txt -> Drupal 7.54
(Exact version for exploit search)