Web Scanning

Nmap Script

nmap --script=http-enum <IP>
nmap --script=http-vuln* <IP>

Banner grabbing

whatweb <IP>

Nikto

nikto -h <IP>
nikto -h <IP> -p 80,8080,1234

-Tuning Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)

nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host <IP>

Wordpress scan

Updating DB of WPScan

wpscan --update

Scanning the target

wpscan --url <ip>

Active Enumeration

• p: Scans popular plugins only.

• vp: Scans vulnerable plugins only.

• ap: Scans all plugins.

• t: Scans popular themes only.

• vt: Scans vulnerable themes only.

• at: Scans all themes.

wpscan --url [url] --enumerate [p/vp/ap/t/vt/at] --plugins-detection aggressive

To scan for all plugins

wpscan --url [url] --enumerate ap --plugins-detection aggressive

Enumerating wordpress users

wpscan --url [url] --enumerate u

Password Attack

wpscan --url [url] --passwords <WORDLIST>

Scanning with API Token

wpscan --url [url] --api-token <API_TOKEN>

Disable-tls-checks

wpscan --url [url] --disable-tls-checks --api-token <API_TOKEN>

Backup files search

bfac --url [url] --level 4

WebDav

Davtest

Used to test WebDAV enabled servers.

davtest --url [url]

Cadavar

cadaver [url]
put <FULL PATH TO FILE>

Uniscan

LFI, RFI and RCE vulnerability scanner

uniscan -u <URL> -qd

Git

git-dumper <URL to .git> <OUTPUT DIR>