Web Scanning
Perform advanced MitM attacks on websites with ease (New BeEF)
Malicious Style Sheets for User Tracking
Data manipulation tool
Web Content Discovery
HTML5 Security Cheatsheet
Passively scan the web using the Common Crawl internet index or by parsing data from your local system
File Upload:
File upload vulnerability scanner and exploitation tool
Local File Inclusion:
Unique automated LFI Exploiter with Bind/Reverse Shells
Tools:
Web Server Version Enumerator
Admin Panel Finder
Identify and Fingerprint WAFs
Open source web vulnerability scanner.
Mass Exploit Scanner
Scanner for SQLi/XSS/LFI/RFI and other Vulns
Web Application Security Scanner Framework
Bruteforce directories and files
Brute-force GET and POST parameters
Performs reverse lookups and looks for virtual hosts with different responses
CMS
CMS Detection
Website Vulnerability Scanner & Auto Exploiter
WordPress Fingerprinting tool
CMS WebApp Information Gatherer
Detect vBulletin CMS vulnerabilities and analyse them
Offensive information and vulnerability scanner
Exploit WordPress
OWASP Joomla Vulnerability Scanner Project
Application server attack toolkit
https://github.com/Dionach/CMSmap
Brute Force Web Directories
Web Application Fuzzer (OLD)
Fast web fuzzer written in Go
Fuzz Headers:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt -H "X-Sample-Header: FUZZ" -X "GET" -u https://example.org/
Fuzz Files and Folders:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt -X "GET" -u https://example.org/FUZZ
Fuzz GET Parameters:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt -X "GET" -u https://example.org/?FUZZ=test
Fuzz POST Parameters:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt -X "POST" -d "username=admin&password=FUZZ" -u https://example.org/
Fuzz Parameters with radamsa (ffuf runs radamsa once per request to generate the FUZZ value from a sample file you supply; /tmp/sample.txt below is a placeholder):
>>> ffuf -ac -mc all -input-cmd 'radamsa --seed $FFUF_NUM /tmp/sample.txt' -input-num 100 -X "GET" -u "https://example.org/?param=FUZZ"
Fuzz Extensions:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt -e .aspx,.php,.jsp,.do,.action,.log,.txt,.html,.asp,.cfm -X "GET" -u https://example.org/FUZZ
Fuzz Multiple:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt:FUZZ -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/web-extensions.txt:FUZZ2 -X "GET" -u https://example.org/FUZZFUZZ2
Fuzz Multiple in Step:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt:FUZZ -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/web-extensions.txt:FUZZ2 --mode pitchfork -X "GET" -u https://example.org/FUZZFUZZ2
Fuzz Multiple with every combination:
>>> ffuf -ac -mc all -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/common.txt:FUZZ -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/web-extensions.txt:FUZZ2 --mode clusterbomb -X "GET" -u https://example.org/FUZZFUZZ2
Fuzz with Folder Recursion:
>>> ffuf -ac -mc all -recursion -recursion-depth 5 -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/raft-large-words.txt -X "GET" -u https://example.org/FUZZ
Fuzz with Full Request:
>>> ffuf -request /tmp/request -w /opt/Hacking/Enumeration/SecurityLists/Discovery/Web-Content/raft-large-words.txt
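From the defending side, every variant above leaves the same trace in the web server's access log: one client producing a burst of 404s to many distinct paths, typically spread across several extensions when -e or a second wordlist is in play. The following Python is an added example, not part of the original page or of ffuf; the log lines are constructed, and the window and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath
# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Combined Log Format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = datetime.strptime(rec["ts"], TS_FMT), int(rec["status"])
    return rec

def find_bruteforcers(lines, window=timedelta(seconds=60), min_404=20, min_paths=15):
    """Clients whose busiest window holds >= min_404 404s to >= min_paths distinct paths."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 404:
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end in range(len(reqs)):          # sliding window over this client's 404s
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = reqs[start:end + 1]
        paths = {r["path"].split("?", 1)[0] for r in best}   # drop query strings
        if len(best) >= min_404 and len(paths) >= min_paths:
            exts = sorted({PurePosixPath(p).suffix for p in paths} - {""})  # spread as with -e
            hits[ip] = {"404s": len(best), "paths": len(paths), "exts": exts}
    return hits

def sample_log():
    """Constructed sample: 40 guessed names x extensions from one client in 10 s, plus an
    ordinary visitor who hits three dead links over a minute (thresholds are assumptions)."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = lambda secs: (base + timedelta(seconds=secs)).strftime(TS_FMT)
    words = ["admin", "backup", "config", "login", "old", "test", "uploads", "api"]
    exts = [".php", ".aspx", ".jsp", ".txt", ".log"]
    sweep = [f'10.0.0.5 - - [{fmt(i // 4)}] "GET /{w}{e} HTTP/1.1" 404 196 "-" "fuzzer/1.0"'
             for i, (w, e) in enumerate((w, e) for w in words for e in exts)]
    visitor = [f'192.0.2.10 - - [{fmt(20 * j)}] "GET /old-link{j}.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
               for j in range(3)]
    return sweep + visitor
```

Running find_bruteforcers(sample_log()) reports only 10.0.0.5, with 40 404s to 40 paths across five extensions; the visitor stays under the thresholds.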
Nikto
To scan a particular host
nikto.pl -host [host IP/name]
To scan a host on multiple ports (default = 80)
nikto.pl -host [host IP/name] -port [port 1],[port 2],[port 3]
To scan a host and output fingerprinted information to a file
nikto.pl -host [host IP/name] -output [output_file]
To use a proxy while scanning a host
nikto.pl -host [host IP/name] -useproxy [proxy address]
TWA
A tiny web auditor with strong opinions.
To run it from a Docker container
docker run -t trailofbits/twa -vw google.com
URLs
Text Fragments
https://example.com#:~:text=[prefix-,]textStart[,textEnd][,-suffix]