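#!/usr/bin/env bash
# Web enumeration cheat sheet (harfordcda.neocities.org/web_enum.html).
# These are reference one-liners, not a pipeline: run them individually,
# and only against hosts you are authorized to test.
#
# The plain text of this page can be pulled straight into a terminal with:
#   curl -s https://harfordcda.neocities.org/web_enum.html \
#     | sed 's/<[^>]*>//g' | sed -r '/^\r?$/d'
# (The page's own copy of this command had lost the backslash in '\r' and
# left the final sed expression unquoted, so the shell could glob it. Tag
# stripping with a regex is approximate: HTML entities such as &amp; are
# not decoded.)
#
# See also: Linux PrivEsc, SMB and RPC Enumeration.

# Target to enumerate; every command below reads it from here instead of a
# hard-coded "site"/"domain" placeholder. Aborts early if unset.
target=${TARGET:?set TARGET to the domain/host you are authorized to test}
# Web-content wordlist directory from the SecLists clone (note the case).
wordlists=SecLists/Discovery/Web-Content

#################################### Sub_Domains ####################################
# Saving subdomains to a text file

# theHarvester (stdout also carries the banner; post-process before reuse)
git clone https://github.com/laramies/theHarvester
theHarvester -d "$target" -b all > subs.txt

# Amass -- https://github.com/OWASP/Amass/blob/master/CONTRIBUTING.md
# -src would prefix each line with its data source, which breaks any loop
# that expects one bare hostname per line, so it is left out here.
amass enum -passive -d "$target" -o subs.txt

# Sublist3r -- the script is sublist3r.py (the page said sublister.py)
git clone https://github.com/aboul3la/Sublist3r
python Sublist3r/sublist3r.py -d "$target" -o subs.txt

#################################### What services are running on the site? ####################################
# whatweb's -l lists plugins; it does not take a target, so it is dropped.
whatweb -v "$target"
curl -s -I "http://$target"
nmap -sV --script=http-enum "$target"
nikto -h "$target"
uniscan -u "http://$target" -qweds

# Any of the above can be wrapped in a loop for mass scanning. Read the file
# line by line rather than `for url in $(cat subs.txt)` so entries are not
# word-split or glob-expanded; -m bounds the whole request, not just the
# connect phase, so one stalled host cannot hang the sweep.
while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -z "$url" ]] && continue
  printf '### %s\n' "$url"
  curl -s -I --connect-timeout 10 -m 30 -- "$url"
done < subs.txt

######################################## Brute forcing for directories and files: ########################################
# Wordlist -- the clone directory is "SecLists"; `cd seclists` fails on a
# case-sensitive filesystem.
git clone https://github.com/danielmiessler/SecLists
ls -al SecLists

# GoBuster
git clone https://github.com/OJ/gobuster
# No trailing comma on -x: it adds an empty extension. -t 100 is aggressive;
# lower it on fragile targets or where rate limiting is in play.
gobuster dir -e -u "http://$target/" --timeout 60s -t 100 \
  -w "$wordlists/big.txt" -x php,pdf,txt,html,js,php5
gobuster dir -u "http://$target" \
  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

# Dirsearch (listed once; the page repeated this entry)
git clone https://github.com/maurosoria/dirsearch
python3 dirsearch/dirsearch.py -u "http://$target" -e php,asp,txt,pdf,sql

# dirb -- the second argument must be a wordlist file, not the
# /usr/share/dirb directory itself.
dirb "http://$target/" /usr/share/dirb/wordlists/common.txt

# Wfuzz -- --hc 404 hides not-found responses so hits stand out.
wfuzz -c -w "$wordlists/big.txt" --hc 404 -u "http://$target/directory/FUZZ.php"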
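######################## SQLmap ########################
# sqlmap actively exploits injection and some options read or alter data;
# use it only with authorization. Save the target request from Burp as
# request.txt so every invocation below replays exactly the same request.
# The page wrote "request file" / "db name" with spaces, which the shell
# would split into two arguments; single-token placeholders are used here.
#
# Generic form: ./sqlmap.py -r request.txt <options>

# Test URL and POST data and return database banner (if possible)
./sqlmap.py --url="http-url" --data="post-data" --banner
# Parse request data and test | request data can be obtained with burp
./sqlmap.py -r request.txt
# Fingerprint | much more information than banner
./sqlmap.py -r request.txt --fingerprint
# Get database username, name, and hostname
./sqlmap.py -r request.txt --current-user --current-db --hostname
# Check if user is a database admin
./sqlmap.py -r request.txt --is-dba
# Get database users and password hashes
./sqlmap.py -r request.txt --users --passwords
# Enumerate databases
./sqlmap.py -r request.txt --dbs
# List tables for one database
./sqlmap.py -r request.txt -D dbname --tables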
Web enumeration/Application testing manuals and books