80,443 - Pentesting Web Methodology
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The web service is the most common and extensive service and a lot of different types of vulnerabilities exist.
Default port: 80 (HTTP), 443 (HTTPS)
PORT STATE SERVICE
80/tcp open http
443/tcp open ssl/https
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
Web API Guidance
Methodology summary
In this methodology we are going to suppose that you are going to attack a domain (or subdomain) and only that. So, you should apply this methodology to each discovered domain, subdomain or IP with an undetermined web server inside the scope.
- Start by identifying the technologies used by the web server. Look for tricks to keep in mind during the rest of the test if you can successfully identify the tech.
- Any known vulnerability of the version of the technology?
- Using any well known tech? Any useful trick to extract more information?
- Any specialised scanner to run (like wpscan)?
- Launch general purpose scanners. You never know if they are going to find something or some interesting information.
- Start with the initial checks: robots, sitemap, 404 error and SSL/TLS scan (if HTTPS).
- Start spidering the web page: it's time to find all the possible files, folders and parameters being used. Also, check for special findings.
- Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered.
- Directory Brute-Forcing: try to brute force all the discovered folders searching for new files and directories.
- Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced.
- Backups checking: test if you can find backups of discovered files appending common backup extensions.
- Brute-Force parameters: try to find hidden parameters.
- Once you have identified all the possible endpoints accepting user input, check for all kinds of vulnerabilities related to them.
- Follow this checklist
Server Version (Vulnerable?)
Identify
Check if there are known vulnerabilities for the server version that is running.
The HTTP headers and cookies of the response could be very useful to identify the technologies and/or version being used. An Nmap scan can identify the server version, but the tools whatweb, webtech or https://builtwith.com/ could also be useful:
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggressive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
Search for vulnerabilities of the web application version
Check if there is a WAF
- https://github.com/EnableSecurity/wafw00f
- https://github.com/Ekultek/WhatWaf.git
- https://nmap.org/nsedoc/scripts/http-waf-detect.html
Web tech tricks
Some tricks for finding vulnerabilities in different well known technologies being used:
- AEM - Adobe Experience Cloud
- Apache
- Artifactory
- Buckets
- CGI
- Drupal
- Flask
- Git
- Golang
- GraphQL
- H2 - Java SQL database
- ISPConfig
- IIS tricks
- Microsoft SharePoint
- JBOSS
- Jenkins
- Jira
- Joomla
- JSP
- Laravel
- Moodle
- Nginx
- PHP (php has a lot of interesting tricks that could be exploited)
- Python
- Spring Actuators
- Symphony
- Tomcat
- VMWare
- Web API Pentesting
- WebDav
- Werkzeug
- Wordpress
- Electron Desktop (XSS to RCE)
- Sitecore
- Zabbix
Take into account that the same domain can be using different technologies in different ports, folders and subdomains.
If the web application is using any well known tech/platform listed before or any other, don't forget to search on the Internet for new tricks (and let me know!).
Source Code Review
If the source code of the application is available on github, apart from performing by yourself a White box test of the application there is some information that could be useful for the current Black-Box testing:
- Is there a Change-log or Readme or Version file or anything with version info accessible via web?
- How and where are the credentials saved? Is there any (accessible?) file with credentials (usernames or passwords)?
- Are passwords in plain text, encrypted or which hashing algorithm is used?
- Is it using any master key for encrypting something? Which algorithm is used?
- Can you access any of these files exploiting some vulnerability?
- Is there any interesting information in the github (solved and not solved) issues? Or in the commit history (maybe some password introduced inside an old commit)?
Source code Review / SAST Tools
Automatic scanners
General purpose automatic scanners
nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
CMS scanners
If a CMS is used don't forget to run a scanner, maybe something juicy is found:
Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
CMSScan: WordPress, Drupal, Joomla, vBulletin websites for Security issues. (GUI)
VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
CMSMap: (W)ordpress, (J)oomla, (D)rupal or (M)oodle
droopescan: Drupal, Joomla, Moodle, Silverstripe, Wordpress
cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
At this point you should already have some information about the web server being used by the client (if any data is given) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner.
Step-by-step Web Application Discovery
From this point we are going to start interacting with the web application.
Initial checks
Default pages with interesting info:
- /robots.txt
- /sitemap.xml
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Check also comments in the main and secondary pages.
Forcing errors
Web servers may behave unexpectedly when weird data is sent to them. This may open vulnerabilities or disclose sensitive information.
- Access fake pages like /whatever_fake.php (.aspx, .html, etc.)
- Add "[]", "]]", and "[[" in cookie values and parameter values to create errors
- Generate errors by giving input such as /~randomthing/%s at the end of the URL
- Try different HTTP verbs like PATCH, DEBUG or wrong ones like FAKE
Check if you can upload files (PUT verb, WebDav)
If you find that WebDav is enabled but you don't have enough permissions for uploading files in the root folder try to:
- Brute Force credentials
- Upload files via WebDav to the rest of found folders inside the web page. You may have permissions to upload files in other folders.
SSL/TLS vulnerabilities
- If the application isn't forcing the use of HTTPS in any part, then it's vulnerable to MitM
- If the application is sending sensitive data (passwords) using HTTP, then it's a high vulnerability.
Use testssl.sh to check for vulnerabilities (in Bug Bounty programs these kinds of vulnerabilities probably won't be accepted) and use a2sv to recheck the vulnerabilities:
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also
# You can also use other tools, but testssl.sh at this moment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>
Information about SSL/TLS vulnerabilities:
- https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/
- https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
Spidering
Launch some kind of spider inside the web. The goal of the spider is to find as many paths as possible from the tested application. Therefore, web crawling and external sources should be used to find as many valid paths as possible.
- gospider (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
- hakrawler (go): HTML spider, with LinkFinder for JS files and Archive.org as external source.
- dirhunt (python): HTML spider, also indicates "juicy files".
- evine (go): Interactive CLI HTML spider. It also searches in Archive.org
- meg (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
- urlgrab (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile.
- gau (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
- ParamSpider: This script will find URLs with parameters and will list them.
- galer (go): HTML spider with JS rendering capabilities.
- LinkFinder (python): HTML spider, with JS beautify capabilities capable of searching new paths in JS files. It could be worth it also to take a look at JSScanner, which is a wrapper of LinkFinder.
- goLinkFinder (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
- JSParser (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
- relative-url-extractor (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expressions to find and extract the relative URLs from minified files.
- JSFScan (bash, several tools): Gather interesting information from JS files using several tools.
- subjs (go): Find JS files.
- page-fetch (go): Load a page in a headless browser and print out all the URLs loaded to render the page.
- Feroxbuster (rust): Content discovery tool mixing several options of the previous tools
- Javascript Parsing: A Burp extension to find paths and params in JS files.
- Sourcemapper: A tool that given the .js.map URL will get you the beautified JS code
- xnLinkFinder: This is a tool used to discover endpoints for a given target.
- waymore: Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links)
- HTTPLoot (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
- SpiderSuite: Spider Suite is an advanced multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
- jsluice (go): It's a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
- ParaForge: ParaForge is a simple Burp Suite extension to extract the parameters and endpoints from the request to create a custom wordlist for fuzzing and enumeration.
- katana (go): Awesome tool for this.
- Crawley (go): Print every link it's able to find.
Brute Force directories and files
Start brute-forcing from the root folder and be sure to brute-force all the directories found using this method and all the directories discovered by the Spidering (you can do this brute-forcing recursively and appending at the beginning of the used wordlist the names of the found directories).
Tools:
- Dirb / Dirbuster - Included in Kali, old (and slow) but functional. Allows auto-signed certificates and recursive search. That's why it's slower compared with the other options.
- Dirsearch (python): It doesn't allow auto-signed certificates but allows recursive search.
- Gobuster (go): It allows auto-signed certificates, it doesn't have recursive search.
- Feroxbuster - Fast, supports recursive search.
- wfuzz
wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
- ffuf - Fast:
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
- uro (python): This isn't a spider but a tool that, given the list of found URLs, will delete "duplicated" URLs.
- Scavenger: Burp Extension to create a list of directories from the burp history of different pages
- TrashCompactor: Remove URLs with duplicated functionalities (based on js imports)
- Chamaleon: It uses Wappalyzer to detect used technologies and select the wordlists to use.
Recommended dictionaries:
- https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt
- Dirsearch included dictionary
- http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
- Assetnote wordlists
- https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
- raft-large-directories-lowercase.txt
- directory-list-2.3-medium.txt
- RobotsDisallowed/top10000.txt
- https://github.com/random-robbie/bruteforce-lists
- https://github.com/google/fuzzing/tree/master/dictionaries
- https://github.com/six2dez/OneListForAll
- https://github.com/ayoubfathi/leaky-paths
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirb/big.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced.
What to check on each file found
- Broken link checker: Find broken links inside HTML that may be prone to takeovers
- File Backups: Once you have found all the files, look for backups of all the executable files (".php", ".aspx"...). Common variations for naming a backup are: file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old. You can also use the tool bfac or backup-gen.
- Discover new parameters: You can use tools like Arjun, parameth, x8 and Param Miner to discover hidden parameters. If you can, you could try to search for hidden parameters on each executable web file.
- Arjun all default wordlists: https://github.com/s0md3v/Arjun/tree/master/arjun/db
- Param-miner "params": https://github.com/PortSwigger/param-miner/blob/master/resources/params
- Assetnote "parameters_top_1m": https://wordlists.assetnote.io/
- nullenc0de "params.txt": https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773
- Comments: Check the comments of all the files, you can find credentials or hidden functionality.
- If you are playing CTF, a "common" trick is to hide information inside comments at the right of the page (using thousands of spaces so you don't see the data if you open the source code with the browser). Another possibility is to use several new lines and hide information in a comment at the bottom of the web page.
- API keys: If you find any API key there are guides that indicate how to use API keys of different platforms: keyhacks, zile, truffleHog, SecretFinder, RegHex, DumpsterDive, EarlyBird
- Google API keys: If you find any API key looking like AIzaSyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project gmapapiscanner to check which APIs the key can access.
- S3 Buckets: While spidering look if any subdomain or any link is related with some S3 bucket. In that case, check the permissions of the bucket.
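A defender-side audit of the backup naming variations listed above, written as an added example (not code from the page or from bfac/backup-gen): given the file listing of a webroot, it pairs every present backup-style name with the executable file it shadows. The executable extension set and SAMPLE_LISTING are constructed assumptions.

```python
"""Audit a webroot's file listing for the backup naming variations listed above.
Added example, not code from the page or from bfac/backup-gen; the executable
extension set and SAMPLE_LISTING are constructed assumptions."""
import os
import posixpath
import re

EXECUTABLE_EXTS = {".php", ".aspx", ".asp", ".jsp"}   # assumption: what counts as "executable"
SUFFIXES = (".bak", ".tmp", ".old")
# Any name shaped like one of the page's variants, whether or not the original still exists
BACKUP_NAME_RE = re.compile(r"(~$|^#.+#$|^~.|\.(bak|tmp|old)$)")

def backup_candidates(filename):
    """The nine names the page lists for a backup of file.ext:
    file.ext~, #file.ext#, ~file.ext, file.ext.{bak,tmp,old}, file.{bak,tmp,old}"""
    stem, _ = posixpath.splitext(filename)
    names = {f"{filename}~", f"#{filename}#", f"~{filename}"}
    names.update(filename + s for s in SUFFIXES)   # file.ext.bak
    names.update(stem + s for s in SUFFIXES)       # file.bak
    return names

def looks_like_backup(filename):
    """Pattern-only check, useful for orphans whose original was already removed."""
    return bool(BACKUP_NAME_RE.search(filename))

def find_backup_artifacts(paths):
    """Given webroot-relative POSIX paths, return {backup_path: original_path} for
    every backup variant of an executable file that is actually present."""
    present = set(paths)
    hits = {}
    for path in present:
        directory, _, name = path.rpartition("/")
        if posixpath.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        for cand in backup_candidates(name):
            cand_path = f"{directory}/{cand}" if directory else cand
            if cand_path in present:
                hits[cand_path] = path
    return hits

def scan_webroot(root):
    """Walk a real directory tree and run the same check on its listing."""
    listing = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            listing.append(rel.replace(os.sep, "/"))
    return find_backup_artifacts(listing)

# Constructed listing: mixes true hits, a non-executable backup and an orphan
SAMPLE_LISTING = [
    "index.php", "index.php~", "login.php", "login.bak",
    "admin/config.php", "admin/#config.php#", "admin/config.php.old",
    "style.css", "style.css.bak", "upload.aspx", "~upload.aspx", "orphan.php.tmp",
]

if __name__ == "__main__":
    hits = find_backup_artifacts(SAMPLE_LISTING)
    for backup, original in sorted(hits.items()):
        print(f"{backup:24} shadows {original}")
    orphans = [p for p in SAMPLE_LISTING
               if looks_like_backup(p.rpartition("/")[2]) and p not in hits]
    print("pattern-only matches (check by hand):", orphans)
```

Run scan_webroot("/var/www/html") against a real deployment to get the same report for files actually on disk.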
Special findings
While performing the spidering and brute-forcing you could find interesting things that you have to notice.
Interesting files
- Look for links to other files inside the CSS files.
- If you find a .git file some information can be extracted
- If you find a .env information such as api keys, db passwords and other information can be found.
- If you find API endpoints you should also test them. These aren't files, but will probably "look like" them.
- JS files: In the spidering section several tools that can extract paths from JS files were mentioned. Also, it would be interesting to monitor each JS file found, as on some occasions a change may indicate that a potential vulnerability was introduced in the code. You could use for example JSMon.
- You should also check discovered JS files with RetireJS or JSHole to find if they are vulnerable.
- Javascript Deobfuscator and Unpacker: https://lelinhtinh.github.io/de4js/, https://www.dcode.fr/javascript-unobfuscator
- Javascript Beautifier: http://jsbeautifier.org/, http://jsnice.org/
- JsFuck deobfuscation (javascript with chars "[]!+": https://enkhee-osiris.github.io/Decoder-JSFuck/)
- TrainFuck (https://github.com/taco-cy/trainfuck):
+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.
- On several occasions you will need to understand the regular expressions used. This will be useful: https://regex101.com/ or https://pythonium.net/regex
- You could also monitor the files where forms were detected, as a change in a parameter or the appearance of a new form may indicate a potentially new vulnerable functionality.
403 Forbidden/Basic Authentication/401 Unauthorized (bypass)
502 Proxy Error
If any page responds with that code, it's probably a badly configured proxy. If you send an HTTP request like: GET https://google.com HTTP/1.1
(with the host header and other common headers), the proxy will try to access google.com and you will have found an SSRF.
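Seen from the server side, both the error-forcing probes listed under "Forcing errors" and the absolute-URI request above leave recognisable traces in access logs; the added example below (not part of the original page) classifies Combined Log Format lines for those patterns and summarises them per client. The log lines and the set of methods the application is assumed to accept are constructed.

```python
"""Server-side detection for the error-forcing probes listed under "Forcing errors"
(odd HTTP verbs, "[[" / "]]" input, /~x/%s paths, fake-page 404 bursts) and for the
absolute-URI requests used to probe a misconfigured proxy. Added example, not part
of the original page; the access-log lines and EXPECTED_METHODS are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: this application legitimately sees only these verbs; PATCH, DEBUG, FAKE ... are probes
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
ABSOLUTE_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")      # GET https://google.com/ HTTP/1.1
SCRIPT_EXT_RE = re.compile(r"\.(php|aspx|asp|jsp|html)$", re.I)

def classify(line):
    """Reasons one request matches a probe pattern; [] for an ordinary request."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    target, decoded, reasons = m["target"], unquote(m["target"]), []
    if m["method"] not in EXPECTED_METHODS:
        reasons.append(f"unusual method {m['method']}")
    if ABSOLUTE_URI_RE.match(target):
        reasons.append("absolute-URI target (proxy probe)")
    # Only "[[" and "]]": a lone "[]" is ordinary PHP array syntax (ids[]=1) and would be noisy
    if "[[" in decoded or "]]" in decoded:
        reasons.append("bracket injection in target")
    # /~randomthing/%s; expect benign hits on /~user/ paths where Apache UserDir is enabled
    if re.search(r"/~[^/]*/", decoded) or "%s" in target:
        reasons.append("format-string style path")
    return reasons

def triage(lines, fake_page_threshold=3):
    """Per-client summary {ip: {reason: count}}. 404s on scripted extensions
    (/whatever_fake.php, .aspx, .html ...) count only once a client reaches the threshold."""
    per_ip, not_found = defaultdict(Counter), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        per_ip[m["ip"]].update(classify(line))
        if m["status"] == "404" and SCRIPT_EXT_RE.search(m["target"].split("?", 1)[0]):
            not_found[m["ip"]] += 1
    for ip, n in not_found.items():
        if n >= fake_page_threshold:
            per_ip[ip]["fake page 404s"] = n
    return {ip: dict(c) for ip, c in per_ip.items() if c}

SAMPLE_LOG = [  # constructed, RFC 5737 documentation addresses
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "FAKE /index.php HTTP/1.1" 405 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?id=%5B%5B HTTP/1.1" 500 77',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /~randomthing/%s HTTP/1.1" 500 77',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /whatever_fake.php HTTP/1.1" 404 10',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /whatever_fake.aspx HTTP/1.1" 404 10',
    '203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /whatever_fake.html HTTP/1.1" 404 10',
    '198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET https://google.com/ HTTP/1.1" 502 0',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 3301',
    '192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /old.php HTTP/1.1" 404 10',
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_LOG).items():
        print(ip, findings)
```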
NTLM Authentication - Info disclosure
If the server asking for authentication is Windows or you find a login asking for your credentials (and asking for a domain name), you can provoke an information disclosure.
Send the header: "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
and due to how NTLM authentication works, the server will respond with internal info (IIS version, Windows version...) inside the header "WWW-Authenticate".
You can automate this using the nmap plugin "http-ntlm-info.nse".
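To see exactly what a server discloses in that WWW-Authenticate header, the added example below (not from the page or from http-ntlm-info.nse) parses an NTLM CHALLENGE_MESSAGE (Type 2) as laid out in MS-NLMP and returns its Version and target-info fields. The sample challenge, host names and build number are constructed with build_challenge(); the parser returns None for a Type 1 message such as the one quoted above, which carries nothing to disclose.

```python
"""Decode the NTLM CHALLENGE_MESSAGE (Type 2) a server returns in WWW-Authenticate
to see exactly what it discloses. Added example, not from the page or from
http-ntlm-info.nse; the sample challenge (host names, build number) is constructed."""
import base64
import struct
from datetime import datetime, timedelta, timezone

NEGOTIATE_VERSION = 0x02000000   # NTLMSSP_NEGOTIATE_VERSION: 8-byte Version field present
# UNICODE | TARGET_TYPE_SERVER | TARGET_INFO | VERSION, as a Windows server typically sets
FLAGS = 0x00000001 | 0x00020000 | 0x00800000 | NEGOTIATE_VERSION
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}
HEADER_LEN = 56   # fixed part of a Type 2 message (MS-NLMP 2.2.1.2)

def u16(s):
    return s.encode("utf-16-le")

def build_challenge(target, av_pairs, version):
    """Assemble a Type 2 message; used only to create the constructed sample."""
    target_b = u16(target)
    info = b"".join(struct.pack("<HH", aid, len(v)) + v for aid, v in av_pairs)
    info += struct.pack("<HH", 0, 0)                                 # MsvAvEOL
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                       # signature, type
    msg += struct.pack("<HHI", len(target_b), len(target_b), HEADER_LEN)
    msg += struct.pack("<I", FLAGS) + bytes(range(8)) + bytes(8)     # challenge, reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(target_b))
    msg += struct.pack("<BBH3xB", *version, 0x0F)                    # major, minor, build, rev
    return msg + target_b + info

def decode_challenge(header_value):
    """Parse a 'NTLM <base64>' header value. Returns the disclosed fields, or
    None if the blob is not a Type 2 message (e.g. the client's Type 1 above)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    data = base64.b64decode(b64)
    if scheme.upper() != "NTLM" or data[:8] != b"NTLMSSP\x00" or len(data) < 48:
        return None
    if struct.unpack_from("<I", data, 8)[0] != 2:
        return None
    tlen, _, toff = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    ilen, _, ioff = struct.unpack_from("<HHI", data, 40)
    out = {"target": data[toff:toff + tlen].decode("utf-16-le", "replace")}
    if flags & NEGOTIATE_VERSION and len(data) >= HEADER_LEN:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        out["os_version"] = f"{major}.{minor} build {build}"         # Windows build number
    pos, end = ioff, ioff + ilen
    while pos + 4 <= end:                                            # walk the AV_PAIR list
        aid, alen = struct.unpack_from("<HH", data, pos)
        val, pos = data[pos + 4:pos + 4 + alen], pos + 4 + alen
        if aid == 0:
            break
        if aid == 7:                                                 # MsvAvTimestamp: FILETIME
            ft = struct.unpack("<Q", val)[0]
            epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
            out["Timestamp"] = (epoch + timedelta(microseconds=ft // 10)).isoformat()
        elif aid in AV_NAMES:
            out[AV_NAMES[aid]] = val.decode("utf-16-le", "replace")
    return out

# Constructed sample of what a domain-joined IIS host might return, and the page's Type 1
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge(
    "CORP", [(2, u16("CORP")), (1, u16("WEB01")), (4, u16("corp.example")),
             (3, u16("web01.corp.example")), (7, struct.pack("<Q", 131907744000000000))],
    (10, 0, 17763))).decode()
PAGE_TYPE1_HEADER = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    print(decode_challenge(SAMPLE_HEADER))
    print("Type 1:", decode_challenge(PAGE_TYPE1_HEADER))
```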
HTTP Redirect (CTF)
It is possible to put content inside a Redirection. This content won't be shown to the user (as the browser will execute the redirection) but something could be hidden in there.
Web Vulnerabilities Checking
Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:
Web Vulnerabilities Methodology
Find more info about web vulns in:
- https://six2dez.gitbook.io/pentest-book/others/web-checklist
- https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html
- https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection
Monitor Pages for changes
You can use tools such as https://github.com/dgtlmoon/changedetection.io to monitor pages for modifications that might insert vulnerabilities.
HackTricks Automatic Commands
Protocol_Name: Web #Protocol Abbreviation if there is one.
Port_Number: 80,443 #Comma separated if there is more than one.
Protocol_Description: Web #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Web
  Note: |
    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2:
  Name: Quick Web Scan
  Description: Nikto and GoBuster
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3:
  Name: Nikto
  Description: Basic Site Info via Nikto
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4:
  Name: WhatWeb
  Description: General purpose auto scanner
  Command: whatweb -a 4 {IP}

Entry_5:
  Name: Directory Brute Force Non-Recursive
  Description: Non-Recursive Directory Brute Force
  Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6:
  Name: Directory Brute Force Recursive
  Description: Recursive Directory Brute Force
  Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7:
  Name: Directory Brute Force CGI
  Description: Common Gateway Interface Brute Force
  Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8:
  Name: Nmap Web Vuln Scan
  Description: Tailored Nmap Scan for web Vulnerabilities
  Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP}

Entry_9:
  Name: Drupal
  Description: Drupal Enumeration Notes
  Note: |
    git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10:
  Name: WordPress
  Description: WordPress Enumeration with WPScan
  Command: |
    ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
    wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e

Entry_11:
  Name: WordPress Hydra Brute Force
  Description: Need User (admin is default)
  Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Entry_12:
  Name: Ffuf Vhost
  Description: Simple Scan with Ffuf for discovering additional vhosts
  Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}