80,443 - Pentesting Mbinu za Web

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Taarifa za Msingi

Huduma ya web ni huduma ya kawaida na yenye upana na kuna aina nyingi tofauti za udhaifu.

Bandari ya chaguo-msingi: 80 (HTTP), 443(HTTPS)

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  ssl/https

nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0

Mwongozo wa Web API

Web API Pentesting

Muhtasari wa metodolojia

Katika metodolojia hii tutadhani kuwa unataka kushambulia domain (au subdomain) na hiyo tu. Kwa hivyo, unapaswa kutumia metodolojia hii kwa kila domain, subdomain au IP iliyogunduliwa ndani ya wigo ikiwa web server haijaamuliwa.

  • Anza kwa kutambua technologies zinazotumika na web server. Tafuta tricks za kuthibitisha utakazokumbuka kwa ukaguzi mzima ikiwa utaweza kutambua tech kwa usahihi.
  • Kuna known vulnerability yoyote ya version ya technology?
  • Inatumia well known tech? Kuna useful trick ya kutoa taarifa zaidi?
  • Kuna specialised scanner ya kuendesha (kama wpscan)?
  • Endesha general purposes scanners. Hujui kama watafika kitu au kupata taarifa za kuvutia.
  • Anza na initial checks: robots, sitemap, 404 error na SSL/TLS scan (ikiwa HTTPS).
  • Anza spidering ukurasa wa wavuti: Ni wakati wa kupata faili zote, files, folders na parameters being used. Pia, angalia special findings.
  • Kumbuka kuwa kila wakati directory mpya inapotambulika wakati wa brute-forcing au spidering, inapaswa kuspider.
  • Directory Brute-Forcing: Jaribu brute force kwa folders zote zilizogunduliwa kutafuta files na directories mpya.
  • Kumbuka kuwa kila wakati directory mpya inapotambulika wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Force.
  • Backups checking: Jaribu kuona kama unaweza kupata backups za discovered files kwa kuongeza common backup extensions.
  • Brute-Force parameters: Jaribu kutafuta hidden parameters.
  • Mara tu utakapokuwa umeidentified endpoints zote zinazokubali user input, angalia aina zote za vulnerabilities zinazohusiana nayo.
  • Follow this checklist

Server Version (Je ni dhaifu?)

Tambua

Angalia kama kuna known vulnerabilities kwa server version inayokimbia.
HTTP headers and cookies of the response zinaweza kuwa zenye msaada mkubwa kutambua technologies na/au version zinazotumika. Nmap scan inaweza kutambua server version, lakini pia inaweza kuwa muhimu kutumia tools whatweb, webtech or https://builtwith.com/:

whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2

Tafuta for vulnerabilities of the web application version

Angalia kama kuna WAF

Mbinu za teknolojia za wavuti

Baadhi ya mbinu za kutafuta udhaifu katika teknolojia mbalimbali zinazotumika:

Take into account that the same domain can be using different technologies in different ports, folders and subdomains.
If the web application is using any well known tech/platform listed before or any other, don’t forget to search on the Internet new tricks (and let me know!).

Mapitio ya Source Code

Ikiwa source code ya application inapatikana kwenye github, mbali na kufanya mwenyewe White box test ya application, kuna taarifa ambazo zinaweza kuwa zitumike kwa Black-Box testing ya sasa:

  • Je, kuna Change-log or Readme or Version file au kitu chochote chenye version info accessible kupitia web?
  • Je, credentials zimehifadhiwa vipi na wapi? Je, kuna file (inayoweza kufikiwa?) iliyo na credentials (usernames au passwords)?
  • Je, passwords ziko kwa plain text, encrypted au ni algorithm gani ya hashing algorithm inatumiwa?
  • Je, inatumia master key yoyote kwa encrypting kitu? Ni algorithm gani inatumiwa?
  • Je, unaweza access any of these files kwa kutumia exploit ya udhaifu fulani?
  • Je, kuna interesting information in the github (solved and not solved) issues? Au katika commit history (maybe some password introduced inside an old commit)?

Source code Review / SAST Tools

Automatic scanners

General purpose automatic scanners

nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"

Skana za CMS

Ikiwa CMS inatumiwa usisahau endesha skana, huenda ukapata kitu cha kuvutia:

Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
CMSScan: WordPress, Drupal, Joomla, vBulletin tovuti kwa masuala ya usalama. (GUI)
VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
CMSMap: (W)ordpress, (J)oomla, (D)rupal au (M)oodle
droopscan: Drupal, Joomla, Moodle, Silverstripe, Wordpress

cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs

Kwa wakati huu unapaswa tayari kuwa na taarifa baadhi za server ya wavuti inayotumika na mteja (ikiwa data yoyote imetolewa) na mbinu kadhaa za kuzingatia wakati wa mtihani. Ikiwa una bahati umeweza hata kupata CMS na kuendesha scanner.

Hatua kwa hatua Ugunduzi wa Programu ya Wavuti

Kuanzia hapa tutaanza kuingiliana na programu ya wavuti.

Ukaguzi wa awali

Kurasa chaguo-msingi zenye taarifa za kuvutia:

  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /clientaccesspolicy.xml
  • /.well-known/
  • Angalia pia maoni kwenye kurasa kuu na za pili.

Kulazimisha makosa

Web servers zinaweza kuonekana wasiotarajiwa wakati data isiyo ya kawaida inapotumwa kwazo. Hii inaweza kufungua vulnerabilities au disclosure sensitive information.

  • Fikia kurasa za kufikia za uwongo kama /whatever_fake.php (.aspx,.html,.etc)
  • Ongeza “[]”, “]]”, na “[[” katika cookie values na parameter values ili kuanzisha makosa
  • Tandaza kosa kwa kutoa input kama /~randomthing/%s mwishoni mwa URL
  • Jaribu HTTP Verbs tofauti kama PATCH, DEBUG au zisizo sahihi kama FAKE

Angalia kama unaweza kupakia faili (PUT verb, WebDav)

Ikiwa utagundua kuwa WebDav imewezeshwa lakini huna ruhusa za kutosha za kupakia faili kwenye folda ya mizizi jaribu:

  • Brute Force credentials
  • Upload files via WebDav to the rest of found folders inside the web page. You may have permissions to upload files in other folders.

SSL/TLS vulnerabilites

  • Ikiwa programu isn’t forcing the user of HTTPS katika sehemu yoyote, basi ni vulnerable to MitM
  • Ikiwa programu inakuwa sending sensitive data (passwords) using HTTP. Hii ni high vulnerability.

Tumia testssl.sh kuangalia vulnerabilities (Katika Bug Bounty programs pengine aina hizi za vulnerabilities hazitakubaliwa) na tumia a2sv to recheck the vulnerabilities:

./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also

# You can also use other tools, by testssl.sh at this momment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>

Information about SSL/TLS vulnerabilities:

Spidering

Zindua aina fulani ya spider ndani ya web. Lengo la spider ni kupata njia nyingi iwezekanavyo kutoka kwa tested application. Kwa hiyo, web crawling na external sources zinapaswa kutumika ili kupata njia halali nyingi iwezekanavyo.

  • gospider (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
  • hakrawler (go): HML spider, with LinkFider for JS files and Archive.org as external source.
  • dirhunt (python): HTML spider, also indicates “juicy files”.
  • evine (go): Interactive CLI HTML spider. It also searches in Archive.org
  • meg (go): This tool isn’t a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
  • urlgrab (go): HTML spider with JS rendering capabilities. However, it looks like it’s unmaintained, the precompiled version is old and the current code doesn’t compile
  • gau (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
  • ParamSpider: This script will find URLs with parameter and will list them.
  • galer (go): HTML spider with JS rendering capabilities.
  • LinkFinder (python): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to JSScanner, which is a wrapper of LinkFinder.
  • goLinkFinder (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
  • JSParser (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
  • relative-url-extractor (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly (minify) files.
  • JSFScan (bash, several tools): Gather interesting information from JS files using several tools.
  • subjs (go): Find JS files.
  • page-fetch (go): Load a page in a headless browser and print out all the urls loaded to load the page.
  • Feroxbuster (rust): Content discovery tool mixing several options of the previous tools
  • Javascript Parsing: A Burp extension to find path and params in JS files.
  • Sourcemapper: A tool that given the .js.map URL will get you the beatified JS code
  • xnLinkFinder: This is a tool used to discover endpoints for a given target.
  • waymore: Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links)
  • HTTPLoot (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
  • SpiderSuite: Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
  • jsluice (go): It’s a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ParaForge: ParaForge is a simple Burp Suite extension to extract the paramters and endpoints from the request to create custom wordlist for fuzzing and enumeration.
  • katana (go): Awesome tool for this.
  • Crawley (go): Print every link it’s able to find.

Brute Force directories and files

Anza brute-forcing kutoka kwenye folda ya root na hakikisha unafanya brute-force kwa directories zote zilizopatikana kwa kutumia hii method na pia kwa directories zote zilizo gunduliwa na Spidering (unaweza kufanya brute-forcing hii recursively na kuongeza mwanzoni mwa wordlist iliyotumika majina ya directories uliyo zipata).
Tools:

  • Dirb / Dirbuster - Imejumuishwa katika Kali, zamani (na polepole) lakini inafanya kazi. Inaruhusu auto-signed certificates na recursive search. Polepole ikilinganishwa na chaguzi nyingine.
  • Dirsearch (python): It doesn’t allow auto-signed certificates but allows recursive search.
  • Gobuster (go): It allows auto-signed certificates, it doesn’t have recursive search.
  • Feroxbuster - Fast, supports recursive search.
  • wfuzz wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
  • ffuf - Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
  • uro (python): This isn’t a spider but a tool that given the list of found URLs will to delete “duplicated” URLs.
  • Scavenger: Burp Extension to create a list of directories from the burp history of different pages
  • TrashCompactor: Remove URLs with duplicated functionalities (based on js imports)
  • Chamaleon: It uses wapalyzer to detect used technologies and select the wordlists to use.

Recommended dictionaries:

Kumbuka kwamba kila wakati directory mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Force.

What to check on each file found

Special findings

Wakati wa kufanya spidering na brute-forcing unaweza kupata vitu vya kuvutia ambavyo unapaswa kutambua.

Interesting files

403 Forbidden/Basic Authentication/401 Unauthorized (bypass)

403 & 401 Bypasses

502 Proxy Error

Ikiwa ukurasa wowote unarepond na code hiyo, inawezekana ni proxy iliyopangwa vibaya. If you send a HTTP request like: GET https://google.com HTTP/1.1 (na host header na headers nyingine za kawaida), the proxy itajaribu kufikia google.com na utakuwa umeipata SSRF.

NTLM Authentication - Info disclosure

Ikiwa server inayouliza authentication ni Windows au ukiona login inakuuliza credentials (na kuomba domain name), unaweza kusababisha information disclosure.
Tuma header: “Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=” na kutokana na jinsi NTLM authentication inavyofanya kazi, server itajibu kwa info za ndani (version za IIS, version za Windows…) ndani ya header “WWW-Authenticate”.
Unaweza ku-automate hii kwa kutumia nmap plugin “http-ntlm-info.nse”.

HTTP Redirect (CTF)

Inawezekana kuweka content ndani ya Redirection. Content hii haitaonyeshwa kwa mtumiaji (kwa sababu browser itatekeleza redirection) lakini kitu kinaweza kufichwa ndani yake.

Web Vulnerabilities Checking

Sasa baada ya enumeration kamili ya web application, ni wakati wa kuangalia kwa udhaifu nyingi zinazowezekana. Unaweza kupata checklist hapa:

Web Vulnerabilities Methodology

Pata taarifa zaidi kuhusu web vulns katika:

Monitor Pages for changes

Unaweza kutumia tools kama https://github.com/dgtlmoon/changedetection.io kumonitor pages kwa mabadiliko ambayo yanaweza kuingiza vulnerabilities.

HackTricks Automatic Commands

HackTricks Automatic Commands ```yaml Protocol_Name: Web #Protocol Abbreviation if there is one. Port_Number: 80,443 #Comma separated if there is more than one. Protocol_Description: Web #Protocol Abbreviation Spelled out

Entry_1: Name: Notes Description: Notes for Web Note: | https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2: Name: Quick Web Scan Description: Nikto and GoBuster Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3: Name: Nikto Description: Basic Site Info via Nikto Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4: Name: WhatWeb Description: General purpose auto scanner Command: whatweb -a 4 {IP}

Entry_5: Name: Directory Brute Force Non-Recursive Description: Non-Recursive Directory Brute Force Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6: Name: Directory Brute Force Recursive Description: Recursive Directory Brute Force Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7: Name: Directory Brute Force CGI Description: Common Gateway Interface Brute Force Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8: Name: Nmap Web Vuln Scan Description: Tailored Nmap Scan for web Vulnerabilities Command: nmap -vv –reason -Pn -sV -p {Web_Port} –script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer) {IP}

Entry_9: Name: Drupal Description: Drupal Enumeration Notes Note: | git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10: Name: WordPress Description: WordPress Enumeration with WPScan Command: | ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php wpscan –url {Web_Proto}://{IP}{1} –enumerate ap,at,cb,dbe && wpscan –url {Web_Proto}://{IP}{1} –enumerate u,tt,t,vp –passwords {Big_Passwordlist} -e

Entry_11: Name: WordPress Hydra Brute Force Description: Need User (admin is default) Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location’

Entry_12: Name: Ffuf Vhost Description: Simple Scan with Ffuf for discovering additional vhosts Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H “Host:FUZZ.{Domain_Name}” -c -mc all {Ffuf_Filters}

</details>

> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>