CTF Methodology - Content Discovery

For discovering as much information about the web server once found, we need to bruteforce URLs, DNS subdomains and virtual hosts.

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Scan a host

1

nikto -h $RHOST

Scan specefic ports

1

nikto -h $RHOST -port $PORT1, $PORT2

Gobuster

Gobuster is a tool used to brute-force :- URIs (directories and files) in web sites, DNS subdomains (with wildcard support), Virtual Host names on target web servers, Open Amazon S3 buckets

Find directories and files . Check what framework application is using and set values for -x flag accordingly

1

gobuster dir -u $RHOST -w $WORDLIST -t 50 -x <file_extensions>

Vhost Mode (Finds out if the subdomain exists by visiting url and verifying IP address)

1

gobuster vhost -v -w $WORDLIST -u $RHOST -o $OUTPUTFILE

Find subdomains on a specific domain

1

gobuster dns -d $DOMAIN -w $WORDLIST -i

• use -k to skip SSL verification

Gobuster Thread Switch

The Gobuster thread switch specifies the number of concurrent threads that will run at the same time .

1

gobuster -r $NUMBER

Verbose

1

gobuster -v

Change user agent for requests

1

gobuster -a $ANYUSERAGENT

Gobuster export results to txt

1

gobuster -o $FILENAME

ffuf

A fast web fuzzer written in Go.

Directory discovery

1

ffuf -w $WORDLIST -u https://target/FUZZ

Virtual host discovery

1

ffuf -w $WORDLIST -u https://target -H "Host: FUZZ" -fs 4242

• Assuming respinse size is 4242 bytes

GET parameter fuzzing

1

ffuf -w $PARAMLIST -u https://$RHOST/script.php?FUZZ=test_value -fs 4242

if the parameter name is known:-

1

ffuf -w $VALUESLIST -u https://$RHOST/script.php?valid_name=FUZZ -fc 401

• Assuming 401 is return status code for wrong parameter

POST data fuzzing

1

ffuf -w $POSTDATA -X POST -d "username=admin\&password=FUZZ" -u https://$RHOST/login.php -fc 401

Again filtering out 401 response code .

Maximum execution time

1

ffuf -w $WORDLIST -u https://$RHOST/FUZZ -maxtime 60

• Meaning it wont run forever but stop at 60 seconds