Asset discovery tools:
WFUZZ
>wfuzz -u enterprise.htb/FUZZ -w /usr/share/wfuzz/wordlist/general/admin-panels.txt --hc 404 -t 200
-u URL
-w dictionary
--hc hide responses with status code 404
-t number of threads (concurrent connections)
>wfuzz --basic user:pass -u htb.htb/FUZZ -w /usr/share/wfuzz/wordlist/general/megabeast.txt --hc 404 -t 200
Brute-force with HTTP basic authentication (--basic user:pass sends the credentials on every request)
>wfuzz -u http://[URL]/ -H "Host: FUZZ.bank.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hh 11510
Scan for virtual hosts or subdomains (FUZZ.bank.htb). --hh hides responses with the given number of characters (wfuzz counts the characters of each response body), which filters out the default page returned for every unknown Host name.
Feroxbuster
>feroxbuster --url http://enterprise.htb -k
-k disables TLS certificate validation in the client
>feroxbuster -u http://<target_ip> -x sh,cgi,pl
>feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
>feroxbuster -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --url http://[IP] -k
-x means searching for files with the extension “php”. -w means using a dictionary. SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings…
>feroxbuster -x php -H "Authorization: Basic YWRtaW46YWRtaW4=" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --url http://[IP] -k
-H adds the HTTP basic authentication header (feroxbuster uses -H for headers; -h prints the help). The User:Pass is admin:admin after Base64 decoding.
ffuf
>ffuf -u http://[IP] -H "Host: FUZZ.machines.htb" -w [/path/to/dict] -mc all -ac
Fuzz for subdomains through the Host header. -mc all means “match every HTTP status code” (by default ffuf only matches a subset). -ac means “auto-calibrate the filtering options”: ffuf sends random Host values first and filters out the baseline response they produce.
Gobuster
>gobuster dir -u http://site.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -x txt,php,html
-w means dictionary
-s means Positive status codes (will be overwritten with status-codes-blacklist if set) (default “200,204,301,302,307,401,403”)
-e means expanded mode, print full URLs
-x means file extension(s) to search for
>gobuster vhost --append-domain --url "http://site.htb" -w "subdomains-top1million-110000.txt"
Virtual host enumeration. Gobuster appends the domain to every dictionary entry. For example: dev.site.htb, chat.site.htb, etc…
DirSearch
>python3 dirsearch.py -u http://url.tld -e php,html -x 400,401,403
-e file extensions to append. -x exclude responses with these status codes
.git folder
>git_dumper.py http://[URL]/.git/ folder-to-save
>git init --bare
Reinitialized existing Git repository in /../../git_dump/.git/
An exposed .git folder can be reconstructed into the application's source code. An attacker can use git-dumper to copy the .git folder to their local environment. Fuzzing with the dictionary “SecLists/Discovery/Web-Content/quickhits.txt” confirms whether a .git folder is exposed or not.
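Added example (not from the original notes and not part of any tool above): a Python script that reads web server access logs in Apache/nginx combined format and flags the server-side footprint of the scans listed on this page. It reports a client that sends a burst of requests that are almost all 404s (what a wordlist run such as the wfuzz, feroxbuster, ffuf or gobuster commands above looks like from the server) and any successful request under /.git/ (the exposed repository case). The log lines are constructed inline for the demonstration, and the thresholds (20 requests within 60 seconds, at least 80% of them 404) are assumptions to tune per site.

```python
"""Spot wordlist-driven directory brute-forcing and exposed .git access in
web server access logs (Apache/nginx combined format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), min_requests=20, min_404_ratio=0.8):
    """Return brute-force alerts per client IP plus any successful /.git/ fetches.

    A client is flagged when, inside any `window`, it sends at least
    `min_requests` requests of which at least `min_404_ratio` are 404s:
    that is what a wordlist run with --hc 404 / -s '200,...' looks like on
    the server side, whatever tool produced it.
    """
    by_ip = defaultdict(list)
    git_exposure = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the whole pass
        by_ip[rec["ip"]].append(rec)
        # A 2xx for anything under /.git/ means the repository is web-readable
        if 200 <= rec["status"] < 300 and rec["path"].startswith("/.git/"):
            git_exposure.append((rec["ip"], rec["path"]))

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until recs[start:end+1] fits in `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            not_found = sum(1 for r in chunk if r["status"] == 404)
            if not_found / len(chunk) >= min_404_ratio:
                alerts[ip] = {
                    "requests": len(chunk),
                    "not_found": not_found,
                    "first": chunk[0]["ts"].isoformat(),
                    "last": chunk[-1]["ts"].isoformat(),
                }
                break  # one alert per client is enough
    return {"brute_force": alerts, "git_exposure": git_exposure}


def _line(ip, second, path, status, size):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    ts = f"10/Oct/2023:13:55:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


def sample_log():
    """Constructed sample: one scanner walking a wordlist, one ordinary visitor."""
    words = ["admin", "backup", "cgi-bin", "config", "dev", "images", "login",
             "old", "phpmyadmin", "test", "tmp", "uploads", "wp-admin", "api",
             "assets", "db", "files", "include", "js", "private", "secret",
             "static", "upload", "vendor"]
    lines = [_line("198.51.100.7", i, f"/{w}", 404, 196) for i, w in enumerate(words)]
    lines.append(_line("198.51.100.7", 25, "/.git/HEAD", 200, 23))
    lines += [_line("203.0.113.5", i * 10, p, 200, 1024)
              for i, p in enumerate(["/", "/index.php", "/style.css", "/logo.png"])]
    return lines


if __name__ == "__main__":
    report = detect(sample_log())
    for ip, info in report["brute_force"].items():
        print(f"ALERT {ip}: {info['not_found']}/{info['requests']} 404s "
              f"between {info['first']} and {info['last']}")
    for ip, path in report["git_exposure"]:
        print(f"EXPOSURE {ip} fetched {path} successfully")
```

Run it as-is to see the alert on the constructed sample, or pass real access log lines to detect(). A scanner run with a low thread count spreads its requests out, so the window and request count need tuning per site, and the vhost scans (Host: FUZZ.bank.htb) only become visible if the server logs the Host header, which the default combined format does not. The /.git/ check only fires after someone has already fetched from the repository, so it is a backstop: the fix is to keep .git out of the web root and deny it in the server configuration.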