Web Scanning

Nmap Script

nmap --script=http-enum <host>

nmap --script "http-vuln*" $ip
# quote the glob so the shell does not expand it before nmap sees it
./whatweb $ip
# fingerprints the web stack (server, frameworks, CMS, JS libraries) from headers and page content

Nikto

Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities quickly. Nikto is written in Perl and comes standard as a tool with Kali Linux.

Nikto is a good first pass to quickly enumerate a web server, identify the web applications running on it and test for common vulnerabilities.

During the scanning process Nikto searches for potential security problems in the form of misconfigurations, default files and folders, insecure objects and outdated software.

You should know that Nikto is not designed to be stealthy. It scans the target host in the fastest way possible and generates a lot of requests which makes the scanning process very obvious in web server log files and to intrusion detection systems (IDS).

nikto -h $ip
nikto -h $ip -p 80,8080,1234
#test different ports with one scan
-Tuning options (concatenate the codes with no separator, e.g. -Tuning 123b):
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
d – WebService
e – Administrative Console
x – Reverse Tuning Options (i.e., include all except specified)


$ nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host 192.168.0.102
# -Display 1234EP: show redirects, cookies, all 200 responses and auth-protected URLs, plus errors and progress
# -o/-Format: write an HTML report; -Tuning 123bde: run only tuning classes 1, 2, 3, b, d and e
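Because Nikto is this noisy, its runs are easy to spot from the defensive side. The following is an added example (not part of this page and not Nikto's code) that flags Nikto-style activity in combined-format access logs in two ways: the default User-Agent, which contains the string "Nikto" unless it was changed with -useragent, and a burst of mostly-404 requests from one address, which still fires when the User-Agent has been spoofed. The log lines, addresses and thresholds are constructed for the example.

```python
# Added example (not from the original page, not Nikto's code): flag Nikto-style
# scans in a combined-format access log. All log lines below are constructed;
# the scanner UA follows Nikto's default "Mozilla/5.00 (Nikto/<ver>) ..." format.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a normal visitor (10.0.0.5), a default Nikto run (10.0.0.9)
# and a scanner hiding behind a browser User-Agent (10.0.0.7).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
10.0.0.5 - - [10/Oct/2023:13:55:52 +0000] "GET /about HTTP/1.1" 200 1480 "http://web.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
10.0.0.9 - - [10/Oct/2023:13:56:03 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
10.0.0.7 - - [10/Oct/2023:14:02:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
10.0.0.7 - - [10/Oct/2023:14:02:10 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
10.0.0.7 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
10.0.0.7 - - [10/Oct/2023:14:02:11 +0000] "GET /server-status HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
10.0.0.7 - - [10/Oct/2023:14:02:12 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(log_text, window=60, min_requests=5, min_404_ratio=0.6):
    """Return {ip: set(reasons)} for addresses that look like web scanners.

    reasons: "ua_nikto"  - User-Agent contains "Nikto" (Nikto's default UA)
             "burst_404" - >= min_requests within `window` seconds of which
                           >= min_404_ratio were 404s (path brute forcing)
    Thresholds are illustrative assumptions, not Nikto constants.
    """
    per_ip = defaultdict(list)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "nikto" in rec["ua"].lower():
            reasons[rec["ip"]].add("ua_nikto")
        per_ip[rec["ip"]].append(rec)

    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over the sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) >= min_requests:
                n404 = sum(1 for r in win if r["status"] == 404)
                if n404 / len(win) >= min_404_ratio:
                    reasons[ip].add("burst_404")
                    break
    return dict(reasons)
```

The thresholds (5 requests in 60 s, 60 % of them 404) are assumptions for the example; tune them against your own baseline, and keep in mind that a run restricted with -Tuning to a single class may stay under them while a default run will not.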

WordPress scan

WPScan is a popular WordPress vulnerability scanner that can be used to find known vulnerabilities in WordPress, enumerate users, themes and plugins and run dictionary attacks on the user accounts.

WordPress is a very popular blogging platform and is used by numerous websites. The blogging platform is easy to install and can be customized using a lot of (free) plugins and themes. Because of its popularity among bloggers and website owners, it is also a popular target for (black hat) hackers. The reason it is so popular among hackers is not only that WordPress itself has a long history of severe vulnerabilities, but also that WordPress plugins and themes can introduce vulnerabilities. Website administrators who do not keep up with WordPress updates and do not take appropriate security measures, such as installing a Web Application Firewall (WAF), can become easy targets that even the most inexperienced hackers can take advantage of.

Sooner or later you will encounter WordPress blogs on penetration testing assignments or maybe you plan to run your own blog someday. Therefore, we will learn how to test a WordPress website for vulnerabilities with WPScan and run some automated tests.

Updating DB of WPScan

wpscan --update

Scanning the target

wpscan --url <ip>

Active Enumeration

  • Just because WPScan is unable to find plugins with the default scan it doesn’t mean that the WordPress website doesn’t have plugins installed. The default scan option enumerates plugins using passive detection meaning that it only scans the main page and searches for traces of plugins in the HTML content, JavaScript and CSS files.

  • However, we can also run more aggressive scans with WPScan that actively test WordPress installations for plugins and themes. Depending on the options selected, an active scan tries every plugin from the database to test if it’s present on the target system. Active scans usually yield a much more reliable result. Let’s have a look at the different options available for actively scanning a website for plugins. The following parameters can be used in conjunction with the enumerate option:

  1. p: Scans popular plugins only.

  2. vp: Scans vulnerable plugins only.

  3. ap: Scans all plugins.

  • To actually probe the target for plugins (rather than only reading the front page) the detection mode has to be set with --plugins-detection aggressive, as in the command below; --plugins-version-detection aggressive does the same for version fingerprinting of the plugins that were found.

The same options are available for WordPress themes:

  1. t: Scans popular themes only.

  2. vt: Scans vulnerable themes only.

  3. at: Scans all themes.

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at] --plugins-detection aggressive
# the enumerate values can be combined with commas, e.g. --enumerate vp,vt,u

To scan for all plugins

wpscan --url [url] --enumerate ap --plugins-detection aggressive
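To make the passive/active distinction concrete, here is an added example (not WPScan's code) that implements both strategies in miniature: passive detection scrapes /wp-content/plugins/<slug>/ references and their ?ver= query strings out of the front-page HTML, while active detection requests wp-content/plugins/<slug>/readme.txt for every slug in a wordlist and reads the "Stable tag" line. The HTML, the fake site and the slug site-backup-tool are constructed; the fetch function is injected so the example runs offline.

```python
# Added example (not WPScan's own code): passive vs. active plugin detection.
# Passive mode only inspects the front page for /wp-content/plugins/<slug>/
# references; active mode probes every candidate slug's readme.txt.
# The HTML, the fake site and the slug "site-backup-tool" are constructed.
import re
from urllib.parse import urljoin

# Constructed front page: two plugins leave traces, one of them with a ?ver= string.
FRONT_PAGE_HTML = """
<link rel="stylesheet" href="http://blog.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8" media="all">
<script src="http://blog.example/wp-content/plugins/akismet/_inc/akismet-frontend.js"></script>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentytwentythree/style.css?ver=1.2">
"""

# Constructed target: three plugins are installed, but only two are referenced above.
FAKE_SITE = {
    "http://blog.example/wp-content/plugins/contact-form-7/readme.txt":
        (200, "=== Contact Form 7 ===\nStable tag: 5.8.1\n"),
    "http://blog.example/wp-content/plugins/akismet/readme.txt":
        (200, "=== Akismet Anti-spam ===\nStable tag: 5.3\n"),
    "http://blog.example/wp-content/plugins/site-backup-tool/readme.txt":
        (200, "=== Site Backup Tool ===\nStable tag: 1.0\n"),
}

PLUGIN_REF_RE = re.compile(
    r"/wp-content/plugins/(?P<slug>[a-z0-9_-]+)/[^\s\"'?]*"
    r"(?:\?ver=(?P<ver>[0-9][0-9.]*))?",
    re.IGNORECASE,
)
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(?P<ver>\S+)", re.IGNORECASE | re.MULTILINE)


def passive_plugins(html):
    """Return {slug: version-or-None} for plugins referenced in the page source."""
    found = {}
    for m in PLUGIN_REF_RE.finditer(html):
        slug = m.group("slug").lower()
        found.setdefault(slug, None)
        if m.group("ver") and found[slug] is None:
            found[slug] = m.group("ver")        # ?ver= on a plugin asset usually leaks its version
    return found


def offline_fetch(url):
    """Stand-in for an HTTP GET. The constructed site answers 200 with an HTML
    page for unknown paths (a soft 404), which a naive status check would miss."""
    return FAKE_SITE.get(url, (200, "<html><body>Page not found</body></html>"))


def active_plugins(base_url, wordlist, fetch):
    """Probe wp-content/plugins/<slug>/readme.txt for every slug in wordlist.
    fetch(url) must return (status, body); it is injected so this runs offline."""
    found = {}
    for slug in wordlist:
        status, body = fetch(urljoin(base_url, f"wp-content/plugins/{slug}/readme.txt"))
        # Plugin readmes start with "=== <name> ===": require that, not just a 200,
        # so a catch-all soft-404 page does not count as a hit.
        if status == 200 and body.lstrip().startswith("==="):
            m = STABLE_TAG_RE.search(body)
            found[slug] = m.group("ver") if m else None
    return found


if __name__ == "__main__":
    print("passive:", passive_plugins(FRONT_PAGE_HTML))
    wordlist = ["akismet", "contact-form-7", "site-backup-tool", "hello-dolly"]
    print("active: ", active_plugins("http://blog.example/", wordlist, offline_fetch))
```

Passive detection only sees akismet and contact-form-7 (and a version only for the latter); the active probe also finds site-backup-tool, which never appears on the front page. The constructed site returns 200 for unknown paths, which is why the active check also requires the readme to start with "===" rather than trusting the status code, a problem any real scanner has to deal with. Active probing sends one request per candidate slug, so `--enumerate ap` against a full list is as loud as Nikto.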

Enumerating WordPress users

wpscan --url [target URL] --enumerate u

Password Attack

wpscan --url http://internal.thm/blog/ --passwords /opt/wordlists/rockyou.txt
# with no --usernames given, WPScan enumerates users first and then tries the wordlist against every account it found; restrict it with --usernames admin,editor

Scanning with an API token

A (free) token from wpscan.com unlocks the vulnerability database, so the versions WPScan detects are matched against known vulnerabilities instead of only being listed.

wpscan --url https://brainfuck.htb --api-token <redacted>

Disable TLS checks (self-signed or otherwise invalid certificates)

wpscan --url https://brainfuck.htb --disable-tls-checks --api-token <redacted>
BFAC

BFAC (Backup File Artifacts Checker) is an automated tool that looks for backup and editor artifacts left next to the live scripts (copies with suffixes such as .bak, .old or ~) that may disclose the web application's source code.

./bfac --url http://$ip/ --level 4
# higher --level values try more filename patterns; 4 is the most exhaustive

WebDAV

DAVTest

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

davtest --url http://10.11.1.10:80

Cadaver

We can use the cadaver client to log in to WebDAV and PUT a web shell into the DAV directory, then browse to it to execute it.

$ cadaver http://192.168.1.103/dav/
put /tmp/shell.php

Uniscan

LFI, RFI, and RCE vulnerability scanner

uniscan -u http://192.168.1.202/ -qd
# -q enables the directory checks, -d the dynamic checks (where the LFI/RFI/RCE tests run)

GIT

Download .git

gitdumper.sh comes from the GitTools repository (https://github.com/internetwache/GitTools). Directory listing is normally off on the target, so the script fetches the well-known files (HEAD, refs, index, logs) and then follows the object hashes they reference rather than listing objects/.

mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git/ <DESTINATION_FOLDER>

Extract .git content

extractor.sh (also from GitTools) decodes the dumped objects and writes each commit's files into its own sub-folder of <EXTRACT_FOLDER>, so files and secrets that were committed and later removed are recovered as well.

mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>
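What the extraction step is doing under the hood is ordinary git object decoding. The following is an added example (not GitTools' code) that builds a constructed one-commit repository in git's loose-object format inside a temporary directory and then recovers the files by following HEAD to the commit, its tree and the blobs, verifying each object's size header and SHA-1 on the way, since a partial dump often contains truncated objects. Packfiles under objects/pack/ are not handled; the file names and the "secret" in config.php are invented for the example.

```python
# Added example (not GitTools' code): how a dumped .git is turned back into files.
# A loose object is zlib(b"<type> <size>\0<payload>") stored at objects/xx/yyyy...;
# recovering the tree is HEAD -> commit -> tree -> blobs. build_sample_repo()
# writes a constructed one-commit repo in that format so the walk runs offline.
# Packfiles (objects/pack/) are not handled here.
import hashlib
import os
import tempfile
import zlib


def object_path(git_dir, sha):
    return os.path.join(git_dir, "objects", sha[:2], sha[2:])


def write_loose(git_dir, kind, payload):
    """Store one loose object the way git does and return its SHA-1 name."""
    raw = f"{kind} {len(payload)}".encode() + b"\0" + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = object_path(git_dir, sha)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_loose(git_dir, sha):
    """Decode one loose object, checking the SHA-1 and the size header
    (a partial dump may hold truncated or mismatched objects)."""
    with open(object_path(git_dir, sha), "rb") as f:
        raw = zlib.decompress(f.read())
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"object {sha} does not hash to its name")
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split()
    if int(size) != len(body):
        raise ValueError(f"object {sha} has a bad size header")
    return kind, body


def parse_tree(body):
    """Tree payload is a sequence of '<mode> <name>\\0<20 raw SHA-1 bytes>'."""
    entries, i = [], 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        entries.append((body[i:sp].decode(), body[sp + 1:nul].decode(),
                        body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def head_commit(git_dir):
    with open(os.path.join(git_dir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):                 # symbolic ref: read the branch file
        with open(os.path.join(git_dir, head[5:])) as f:
            return f.read().strip()
    return head                                  # detached HEAD holds the SHA directly


def extract(git_dir, out_dir):
    """Write the HEAD commit's files under out_dir; return their relative paths."""
    kind, body = read_loose(git_dir, head_commit(git_dir))
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()   # first line: "tree <sha>"
    written = []

    def walk(sha, prefix):
        for _mode, name, child in parse_tree(read_loose(git_dir, sha)[1]):
            ckind, cbody = read_loose(git_dir, child)
            rel = os.path.join(prefix, name)
            if ckind == "tree":
                walk(child, rel)
            else:
                dest = os.path.join(out_dir, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(cbody)
                written.append(rel)

    walk(tree_sha, "")
    return sorted(written)


def build_sample_repo(git_dir):
    """Constructed repo: inc/config.php (with an invented secret) and index.php."""
    cfg = write_loose(git_dir, "blob", b"<?php\n$db_pass = 'constructed-secret';\n")
    idx = write_loose(git_dir, "blob", b"<?php require 'inc/config.php';\n")
    inc = write_loose(git_dir, "tree", b"100644 config.php\0" + bytes.fromhex(cfg))
    root = write_loose(git_dir, "tree", b"40000 inc\0" + bytes.fromhex(inc)
                       + b"100644 index.php\0" + bytes.fromhex(idx))
    commit = write_loose(git_dir, "commit", b"tree " + root.encode()
                         + b"\nauthor A <a@x> 0 +0000\ncommitter A <a@x> 0 +0000\n\ninitial\n")
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as f:
        f.write(commit + "\n")
    return commit


def demo():
    """Build the constructed dump, extract it, return (recovered paths, config.php bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, "dumped", ".git")
        out_dir = os.path.join(tmp, "extracted")
        build_sample_repo(git_dir)
        files = extract(git_dir, out_dir)
        with open(os.path.join(out_dir, "inc", "config.php"), "rb") as f:
            return files, f.read()
```

Call demo() to get the list of recovered paths and the contents of inc/config.php. On a real engagement the same walk over a dumped directory is what turns a stray .git into source code and committed credentials; the SHA-1 and size checks are there because gitdumper cannot always fetch every object, and a truncated object should fail loudly rather than produce a half-written file.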
