Website enumeration involves discovering resources that the web server is using, as well as the underlying technology that the web server is running on. This information can help you choose more effective vectors to use in an attack, as well as exploit vulnerabilities in specific versions of web server software.
You can use several tools to enumerate websites, including a browser, Nmap, Metasploit, dirbuster, and many more.
Browsers
The simplest way to start website enumeration is to open a browser to popular directory names and note the HTTP response code. For example:
- http://www.example.tld/admin (401)
- http://www.example.tld/cgi-bin (403)
- http://www.example.tld/test (404)
- http://www.example.tld/logs (200)
- http://www.example.tld/bin (200)
- http://www.example.tld/content (402)
- http://www.example.tld/scripts (404)
- http://www.example.tld/.well-known/
404 = “Not Found”
403 = “Forbidden”
402 = “Payment Required”
401 = “Unauthorized” (Must authenticate first)
200 = “OK”
You can therefore assume that directories which don’t return a 404 exist.
Note: For a complete list of HTTP codes, see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml/
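The browser walk above as a small script, added here as an example that is not part of the original post: it probes the same candidate directories, interprets the codes with the table above, and first requests a random path so that a server answering 200 for everything (a "soft 404") does not produce false positives. The base URL, the User-Agent string and the urllib-based fetcher are assumptions; the path list is the constructed sample from the list above.

```python
import random
import string
import urllib.error
import urllib.request

# Status codes from the list above: anything other than 404 suggests the path exists.
MEANING = {
    200: "OK (exists)",
    401: "Unauthorized (exists, authentication required)",
    402: "Payment Required (exists)",
    403: "Forbidden (exists, access denied)",
}

# Constructed sample list: the same directory names walked through above.
CANDIDATES = ["admin", "cgi-bin", "test", "logs", "bin", "content", "scripts", ".well-known"]


def http_status(url, timeout=5):
    """GET url and return its HTTP status code (redirects are followed, so
    /admin -> /admin/ reports the final page's code)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises for 4xx/5xx; the code is what we want


def enumerate_dirs(base, paths=CANDIDATES, fetch=http_status):
    """Return {path: status} for candidates that appear to exist.

    A random, certainly non-existent path is probed first. If the server answers
    it with something other than 404 (a "soft 404"), that code proves nothing,
    so candidates returning the same code are skipped."""
    base = base.rstrip("/")
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    baseline = fetch(f"{base}/{junk}")
    found = {}
    for path in paths:
        code = fetch(f"{base}/{path}")
        if code not in (404, baseline):
            found[path] = code
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.tld"
    for path, code in enumerate_dirs(target).items():
        print(f"/{path}: {code} {MEANING.get(code, 'other non-404 (exists)')}")
```

Pass a different fetch function to test the interpretation logic offline; the baseline probe is the one check a browser walk alone does not give you.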
Nmap
Nmap has scripts you can use to enumerate information from popular web applications, including:
- nmap --script=http-enum <target>
- nmap --script=http-drupal-enum <target>
- nmap --script=http-php-version <target>
- nmap --script=http-webdav-scan <target>
- nmap --script=http-wordpress-enum <target>
Some websites are deliberately configured to use non-standard ports. nmap -sV can detect this. If you’re not sure of the port, you can scan all of them. The following example runs a TCP connect scan against every TCP port on 192.168.1.50 (skipping host discovery) and tries to determine which services are bound to the open ones, thus (hopefully) identifying the web applications.
nmap -Pn -sT -sV -p0-65535 192.168.1.50
You can then examine the output for web services:
Interesting ports on 192.168.1.50: (The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
443/tcp open ssl OpenSSL
901/tcp open http Samba SWAT administration server
1241/tcp open ssl Nessus security scanner
3690/tcp open unknown
8000/tcp open http-alt?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
The results show that:
- There is an Apache HTTP server running on port 80.
- There appears to be an HTTPS server on port 443. You would need to confirm this by opening a browser to https://192.168.1.50.
- There is a Samba SWAT web interface on port 901.
- The service on port 1241 is not HTTPS, but is the SSL-wrapped Nessus daemon.
- There is an unspecified service on port 8000. To see if it’s HTTP, open a browser to http://192.168.1.50:8000. Alternatively, you could use telnet or Netcat to banner grab:
telnet 192.168.1.50 8000
(After making the connection, press Ctrl+] to break, then enter quit)
echo -en "GET / HTTP/1.0\r\n\r\n"|nc 192.168.1.50 8000|grep Server
- Apache Tomcat is running on port 8080.
Dirbuster
Dirbuster is a GUI tool that ships with Kali Linux. Created by the OWASP group, it uses word lists to search for possible directory names on websites.