Home

Alvin Smith edited this page Sep 27, 2024 · 34 revisions
https://shishirsubedi.com.np/categories/#thm
- feroxbuster can do wildcard auto-filtering. Default `User-Agent: feroxbuster/<version>`.
- gobuster only returns on 200,204,301,302,307,403 by default. Default `User-Agent: gobuster/<version>`. I didn't make proxychains work for it. Used `https_proxy=localhost:8080` instead.
- dirb uses `User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)` by default.
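The default User-Agent strings above are also what a defender sees first in the web server's access log. The following is an added example, not part of the wiki, that pulls those three signatures out of combined-format log lines; the log lines themselves are constructed for the example, and the tool names and field positions are assumptions about a standard combined log layout.

```shell
#!/bin/sh
# Added example (not from the wiki): flag scanner traffic in an access log
# by the default User-Agent strings of feroxbuster, gobuster and dirb.
# The sample log lines below are constructed for this example.

SAMPLE_LOG='10.0.0.5 - - [27/Sep/2024:10:01:02 +0000] "GET /admin HTTP/1.1" 403 153 "-" "feroxbuster/2.10.3"
10.0.0.5 - - [27/Sep/2024:10:01:03 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [27/Sep/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.0.0.7 - - [27/Sep/2024:10:03:11 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'

# Read combined-format log lines on stdin and print "<client ip> <tool>" for
# every request whose User-Agent matches one of the known scanner defaults.
flag_scanner_agents() {
    awk -F'"' '
        {
            ua = $6                      # 6th quote-delimited field is the User-Agent
            split($1, pre, " "); ip = pre[1]
            tool = ""
            if (ua ~ /^feroxbuster\//) tool = "feroxbuster"
            else if (ua ~ /^gobuster\//) tool = "gobuster"
            else if (ua == "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") tool = "dirb-default-ua"
            if (tool != "") print ip, tool
        }'
}

# Aggregate the flagged requests per client ip, most active first, e.g. "2 10.0.0.5".
count_scanner_hits() {
    flag_scanner_agents | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage: feed a real log instead of the sample, e.g.
#   cat /var/log/nginx/access.log | count_scanner_hits
printf '%s\n' "$SAMPLE_LOG" | count_scanner_hits
```

Note that all three tools let the operator override the User-Agent, so a match here is a cheap first-pass indicator; the absence of a match says nothing, and the 404/403 burst from one client is the more robust signal.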
- feroxbuster for content or directory finding: https://epi052.github.io/feroxbuster-docs/docs/examples/core-features/
- ffuf for vhost or subdomain discovery, or general fuzzing:

```
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://$IP -H 'Host: FUZZ.schooled.htb' -fs 20750
```

- gobuster for verbose fuzzing, to see the bad requests or bad responses as well, or to run through a proxy, e.g.

```
gobuster fuzz -u http://ip:port/FUZZ -w /usr/swagger.txt -t 50 -v > go2.txt
cat go2.txt | grep --invert-match "Length=XX"
gobuster dir -u http://127.0.0.1/app --proxy 'http://lance.friedman:[email protected]:3128' -w /usr/share/wordlists/dirb/common.txt -x py
```

- wfuzz for general fuzzing: https://github.com/A1vinSmith/OSCP-PWK/wiki/FUZZ
More on that: https://github.com/A1vinSmith/OSCP-PWK/wiki/Web-Enumeration
`ffuf -request <file>` takes a file containing the raw HTTP request:

```
ffuf -u http://x.htb/upload-cover -X POST -request request.txt -w ports.txt
```

Because Burp Suite's Intruder is slow for fuzzing, ffuf is a faster alternative. To set up the scan, save the raw request to a file named request.txt and create another file called ports.txt...
- Nmap is not suitable for a full port scan, especially for CTF, HTB or THM. Run other scanners to find the open ports first.
- Rustscan is fast but sometimes misses ports: https://github.com/RustScan/RustScan/issues/494
- Use masscan as a backup runner, i.e.

```
masscan -p1-65535,U:1-65535 $IP --rate=2000 -e tun0
```