Web Application Enumeration

Curl for headers

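# Fetch only the response headers: -I sends a HEAD request, -v also prints the request/response exchange.
# Fail early with a message when IP was never set, instead of silently probing "http://".
: "${IP:?set IP to the target host first}"
export URL="http://$IP"
curl -I -v "$URL"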

wfuzz

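# for files: wfuzz substitutes each wordlist entry for FUZZ; --hc 404 hides not-found responses,
# -c colours the output. Guard IP so an unset value does not become a request to "http:///FUZZ".
: "${IP:?set IP to the target host first}"
export URL="http://$IP/FUZZ"
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

# for directories: the trailing slash asks the server for FUZZ as a directory rather than a file
export URL="http://$IP/FUZZ/"
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

# files with extensions: built from $IP like the entries above instead of a hard-coded host
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hc 404 "http://$IP/FUZZ.php"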

gobuster

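# Directory brute force. -s lists the status codes to show, -e prints full URLs.
# gobuster 3.1+ rejects -s when its default blacklist (-b 404) is still set, so clear -b explicitly.
gobuster dir -u http://<ip>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -b '' -e

# -b - status codes to hide (opposite to '-s'); -s and -b cannot both be non-empty
# -t - number of threads

# Virtual-host discovery: --append-domain appends the target domain to every wordlist entry
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u <domain> -t 50 --append-domain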

Subdomain enumeration

# DNS subdomain brute force of <domain> using <wordlist> with 30 threads (long-option spelling).
gobuster dns --domain <domain> --wordlist <wordlist> --threads 30

Nikto

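# Nikto scan of the target web root. "-C all" appears to be the abbreviated form of -Cgidirs all
# (scan every CGI directory). Guard IP so the scanner is never pointed at "http:///".
: "${IP:?set IP to the target host first}"
export URL="http://$IP/"
nikto --host="$URL" -C all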

Nmap

Enumerate HTTP

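# Run the http-methods NSE script against port 80; quote IP and require it to be set.
: "${IP:?set IP to the target host first}"
nmap -p 80 --script=http-methods "$IP"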

Enumerate HTTP methods

# http-methods against a chosen port and URL path; target first, space-separated option form.
nmap <ip> -p <port> --script http-methods --script-args 'http-methods.url-path=<URI>'

Enumerate WordPress with nmap

# WordPress plugin/theme enumeration with service detection; target first, space-separated option form.
nmap <ip> -sV -p <port> --script http-wordpress-enum

Useful NSE scripts

http-methods
http-headers
http-ls
http-robots.txt
http-cookie-flags
http-cors

Other fuzzing

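# wfuzz pass that hides redirects (301) and forbidden (403) as well as 404; note that 403 can
# still mean the resource exists but is access-controlled, so review that choice per target.
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "<url>"

# gobuster with the small dirb list (long-option spelling)
gobuster dir --wordlist /usr/share/wordlists/dirb/common.txt --url <url>

# dirsearch: -r recurses into discovered directories, -f forces every -e extension onto each word,
# -t sets the thread count
dirsearch -r -f -u <url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -e php,aspx,jsp,html,txt,xml

# seclists paths spelled as in the wfuzz entries above (/usr/share/seclists/...) so both sections
# refer to the same wordlist location; adjust if your install keeps them elsewhere
dirsearch -r -f -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 40 -e php,aspx,jsp,html,txt,xml,pdf,zip

dirsearch -r -f -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -t 40 -e php,aspx,jsp,html,txt,xml,pdf,zip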