Website enumeration involves discovering resources that the web server is using, as well as the underlying technology that the web server is running on. This information can help you choose more effective vectors to use in an attack, as well as exploit vulnerabilities in specific versions of web server software.
You can use several tools to enumerate websites, including a browser, Nmap, Metasploit, dirbuster, and many more.
The simplest way to start website enumeration is to open a browser to popular directory names and note the HTTP response code. For example:
- http://www.example.tld/admin (401)
- http://www.example.tld/cgi-bin (403)
- http://www.example.tld/test (404)
- http://www.example.tld/logs (200)
- http://www.example.tld/bin (200)
- http://www.example.tld/content (402)
- http://www.example.tld/scripts (404)
404 = "Not Found", 403 = "Forbidden", 402 = "Payment Required", 401 = "Unauthorized" (Must authenticate first), and 200 = "OK". You can therefore assume that directories which don't return a 404 exist.
Note: For a complete list of HTTP status codes, see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
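The same status-code logic seen from the defender's side, as an added example that is not part of the original page: a parser for Apache/Nginx "combined" access-log lines that flags clients guessing directory names (many distinct paths, mostly 404) and lists the non-404 paths such a client would conclude exist. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined access-log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 401 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def parse_line(line):
    """Return {ip, path, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}

def find_probing_clients(lines, min_paths=5, min_404_ratio=0.5):
    """Flag clients whose traffic looks like directory guessing: at least min_paths
    distinct paths with at least min_404_ratio of requests answered 404.
    For each flagged client, also record the non-404 (path, status) pairs, i.e. the
    resources the probing revealed as existing (401/403/200/402 all count)."""
    per_ip = defaultdict(lambda: {"paths": set(), "nf": 0, "total": 0, "hits": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than fail the whole scan
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["nf"] += 1
        else:
            s["hits"].add((rec["path"], rec["status"]))
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["nf"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"distinct_paths": len(s["paths"]), "ratio_404": round(ratio, 2),
                           "existing_paths": sorted(s["hits"])}
    return flagged

# Constructed sample: one client walking a directory wordlist, one normal visitor.
_T = '[10/Oct/2023:13:55:36 +0000]'
SAMPLE_LOG = [f'203.0.113.7 - - {_T} "GET /{p} HTTP/1.1" {c} 512 "-" "curl/8.0"' for p, c in [
    ("admin", 401), ("cgi-bin", 403), ("test", 404), ("logs", 200), ("scripts", 404),
    ("backup", 404), ("old", 404), ("tmp", 404), ("dev", 404), ("conf", 404)]
] + [f'198.51.100.20 - - {_T} "GET /{p} HTTP/1.1" {c} 2048 "-" "Mozilla/5.0"' for p, c in [
    ("", 200), ("index.html", 200), ("style.css", 200), ("favicon.ico", 404)]]

if __name__ == "__main__":
    for ip, info in find_probing_clients(SAMPLE_LOG).items():
        print(ip, info)
```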
Nmap has scripts you can use to enumerate information from popular web applications, including:
- nmap --script=http-enum <target>
- nmap --script=http-drupal-enum <target>
- nmap --script=http-php-version <target>
- nmap --script=http-webdav-scan <target>
- nmap --script=http-wordpress-enum <target>
Some websites are deliberately configured to use non-standard ports. nmap -sV can detect this. If you're not sure of the port, you can scan all of them. The following example will use a TCP connect scan against all open ports on IP 192.168.1.50. It will try to determine what services are bound to these ports, thus (hopefully) identifying the web applications.
nmap -PN -sT -sV -p0-65535 192.168.1.50
You can then examine the output for web services:
    Interesting ports on 192.168.1.50:
    (The 65527 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE   VERSION
    22/tcp   open  ssh       OpenSSH 3.5p1 (protocol 1.99)
    80/tcp   open  http      Apache httpd 2.0.40 ((Red Hat Linux))
    443/tcp  open  ssl       OpenSSL
    901/tcp  open  http      Samba SWAT administration server
    1241/tcp open  ssl       Nessus security scanner
    3690/tcp open  unknown
    8000/tcp open  http-alt?
    8080/tcp open  http      Apache Tomcat/Coyote JSP engine 1.1
The results show that:
- There is an Apache HTTP server running on port 80.
- There appears to be an HTTPS server on port 443. You would need to confirm this by opening a browser to https://192.168.1.50.
- There is a Samba SWAT web interface on port 901.
- The service on port 1241 is not HTTPS, but is the SSL-wrapped Nessus daemon.
- There is an unspecified service on port 8000. To see if it's HTTP, open a browser to http://192.168.1.50:8000. Alternatively, you could use telnet or Netcat to banner grab:
    telnet 192.168.10.100 8000
  (After making the connection, press Ctrl+] to break, then enter quit.)
    echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server
  (The Netcat example sends a minimal request and prints only the Server header; substitute the host and port you are checking.)
- Apache Tomcat is running on port 8080.
Dirbuster is a GUI tool that ships with Kali Linux. Created by the OWASP group, it uses word lists to search for possible directory names on websites.