From the course: Certified Ethical Hacker (CEH)

Performing website and web application reconnaissance

- [Instructor] There are many different tools that you can use for performing reconnaissance in a web application. One of the most popular is the Nikto scanner. So Nikto can be launched from any Kali Linux or Parrot OS system. You can also install it very easily, just do an apt-get install nikto. And in this case, what I'm going to do is I'm going to launch it against a system that has an IP address of 10.6.6.23. This is one of the containers in WebSploit. And as you can see, it actually starts to enumerate different interesting content. In this case, different directories like admin and admin.index.html, wp-admin, so it may be a WordPress installation, and wp-login and so on. So in some cases it actually allows you to obtain information about the underlying server. Like in this case it's actually running nginx 1.14.2, which is an older version of nginx. So this is actually a pretty nifty, very lightweight scanner for web applications.

Another amazing tool is the OWASP Zed Attack Proxy. You can launch it by just using the zaproxy command. As you've seen on the screen, this is a great OWASP project that not only allows you to perform reconnaissance, but also of course is used as a proxy, and it has many different plugins and so on. So in this case, I'm going to start the application and I'm going to launch it against exactly the same website, or the same application, that is running here in WebSploit. And before I do the automated scan, let me actually draw your attention to this pull-down menu. You have different options to send the transaction, so in other words, to be able to perform this scan. One is called safe mode, which is very, very stealthy. And the other one is called protected mode. The standard mode is the default, and then you have a very verbose attack mode. Let's actually do the attack mode just to be a script kiddie here. Let me close this advertisement that they had in there, or warning message. And then I'm going to select automated scan. The IP address is 10.6.6.23. And then I'm just going to click on attack and that will launch the automated scan. And as you can see, it's actually able to find many, many different resources within that web application. If you go under the sites section here, you see that it was actually able to enumerate a lot of the different files and resources that the application actually has. Now if you click on alerts, there are a few different findings in here. Two of them are medium severity, a couple of them are low severity, and a few of them are informational only. So the ones that are medium severity in this case are that the header is not set for Content Security Policy, or CSP is actually not available within the application. And that can help detect and mitigate different types of attacks, including cross-site scripting and the different data injection attacks. Another one, it's actually missing anti-clickjacking headers and so on. Now I'm launching this attack against another system, so 10.6.6.13. And as you can see, it's actually able to enumerate yet a lot of different files within the environment. This is actually the very popular DVWA. It was able to find different types of vulnerabilities or, you know, misconfigurations. One is the anti-cross-site request forgery tokens capability. It also found that it's possible to view different directory listings and different structures of the web application, and then also missing anti-clickjacking headers and cookies with no HttpOnly flag, and many other minor incidents. And the reason for that is because I have the DVWA application configured and set to impossible. So in other words, most of the vulnerabilities are closed or are not enabled.

Now let's go over a couple of additional tools where you can learn how to enumerate different directories and web content. And one of those is Gobuster. Gobuster is a very popular tool that has been created using the Go programming language. And in this case, I'm going to do a directory enumeration. I'm going to select a word list. And within WebSploit, I have a directory under root called SecLists. And that SecLists directory is a GitHub repository by a colleague. His name is Dan Miessler, and many people from the industry have actually contributed to this GitHub repository. And it has a lot of different files, including payloads, tons and tons of word lists. And I can use this for Discovery, as you see in there. And then under Discovery, I can go over web content. Let me actually navigate there real quick. Now in this case I'm going to select the directory list medium. This is actually one that actually even comes with Kali Linux, but I'm just going to use it here for simplicity. Then after I define the word list, I'm going to define the URL with the -u parameter. I'm going to point it to the 10.6.6.23 container that we used earlier. And I'm going to hit enter. And as you can see in there, it was actually able to enumerate other directories that Nikto was not able to enumerate, for example, /s. And then I think that we saw /admin but not assets, and then secret and a few others in there as well.

Another tool that is very similar to Gobuster that I also like a lot is called ffuf. And ffuf is an application that also allows you to enumerate many different files within a web application. And you can use it very similarly to Gobuster. You can specify a word list. And in this case, I'm going to use the same thing that I used before. So I'm going to go under root, SecLists, and then in this case I'm going to go under Discovery, Web-Content, and then the directory listing 2.3 medium. I'm going to do exactly the same IP address. But one of the main differences in here is that you have to put the word FUZZ in all uppercase in the place where you want to fuzz the discovery, right? So basically, where you would like to perform the fuzzing and obtain information about the underlying structure of the application, whether directories, files, et cetera. Now you can also use color coding with -c and then have verbose output with the -v option. So if I hit enter, it looks like I misspelled the IP address. So it's 10.6.6.23; it is truncating in there on the screen. Let me see if I can make it a little bit bigger so you can see it better. And then of course, even the FUZZ keyword is now being truncated in there, but you get the point. Then I am going to, oops, put verbose again. And now you see that it's able to enumerate several directories in there, including the secret, wp-login, assets and so on. I also have a writeup on how to use ffuf with Burp Suite. And as a matter of fact, the first example here is very similar to what you just saw a few minutes ago. And then one of the things that I really like about ffuf is the ability for you to be able to send the output to other tools, and specifically how to use the replay proxy option to send output into Burp Suite, and then of course analyze those transactions. So in this case, I'm going to take advantage of the writeup in here, but I'm using a word list. The word list is called words.txt. Now I'm sending it to a local application that I had in here running on port 8888. I'm selecting of course the FUZZ keyword in the root directory. And then I'm outputting the file into JSON format. This is optional, just to demonstrate that you can also export the output into a JSON file as well. And then I'm using the replay proxy option to send the output of the directories and the paths that you find into a proxy. In this case, I'm going to be using Burp Suite. Now if I have Burp Suite running, you see that all these are the different directories that the ffuf application is actually finding and then sending to Burp Suite. And then in Burp Suite you can actually do a lot of different things, including replay, modifying the transactions, and performing any other types of attacks.

So very, very powerful tools, especially whenever you combine them like this. So once again, hacking is not about tools, it's about the methodology. All these are tools that allow you to perform different observations and different reconnaissance. However, the more that you practice, the better you will become. And with all these tools, it will be up to you how you're going to be using them. So concentrate on the methodology, understanding what the root cause of the vulnerability is, and that's how you become a better ethical hacker.
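As an added example, written from the defender's side and not part of the course transcript or of any tool it shows: the wordlist-driven enumeration that Nikto, Gobuster and ffuf perform against the nginx container leaves a very recognisable trace in the server's access log, a dense burst of 404 responses from one client. The script below parses nginx combined-format log lines and flags clients whose 404 rate inside a sliding window exceeds a threshold. The log lines, client addresses, paths, the `scanner/1.0` user agent and the window and threshold values are all constructed for this example; `parse_line`, `detect_enumeration` and `build_sample_log` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" log format:
#   ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, window_seconds=60, threshold=20):
    """Flag client IPs that produced at least `threshold` 404 responses inside any
    `window_seconds` sliding window.  A wordlist run requests many non-existent
    paths in seconds, so a dense 404 burst is the signal; a normal browser session
    produces only a handful of 404s (favicon, stale links)."""
    not_found = defaultdict(list)   # ip -> timestamps of its 404 responses
    paths = defaultdict(set)        # ip -> distinct paths requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip truncated or differently formatted lines
        paths[rec["ip"]].add(rec["path"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in not_found.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "max_404_in_window": best,
                "distinct_paths": len(paths[ip]),
                "sample_paths": sorted(paths[ip])[:5],
            }
    return flagged


# --- constructed sample data (not real traffic) ------------------------------
def build_sample_log():
    """Three ordinary requests from one client, then a 24-path wordlist run from another."""
    lines = [
        '192.0.2.10 - - [10/Oct/2023:13:50:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2023:13:50:03 +0000] "GET /assets/app.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2023:13:50:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    ]
    # A small constructed wordlist; only /admin and /assets exist on this imaginary server.
    wordlist = ["admin", "wp-admin", "wp-login.php", "assets", "secret", "s", "backup", "old",
                "test", "dev", "api", "config", "uploads", "images", "css", "js", "tmp",
                "private", "login", "logs", "db", "static", "include", "cgi-bin"]
    existing = {"admin", "assets"}
    start = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    for i, word in enumerate(wordlist):        # two requests per second, 12 seconds in total
        ts = (start + timedelta(seconds=i // 2)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status, size = (200, 1024) if word in existing else (404, 153)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /{word} HTTP/1.1" {status} {size} "-" "scanner/1.0"')
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The 20-in-60-seconds threshold is a starting point, not a rule: baseline it against your own site's normal 404 rate before alerting on it. The user agent is deliberately not used as the signal, because every tool in the video lets the operator change it; request rate and the ratio of 404s to successful responses are harder to hide. Feed real logs in by reading the file line by line and passing the iterator to `detect_enumeration`.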