Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
201
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Listing 98 - Running Nmap scan to discover web server version
Our scan shows that Apache version 2.4.41 is running on the Ubuntu host. To take our enumeration further, we use service-specific Nmap NSE scripts, like http-enum, which performs an initial fingerprinting of the web server by requesting paths commonly used by popular web applications and reporting which ones exist.
kali@kali:~$ sudo nmap -p80 --script=http-enum 192.168.50.20
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 06:30 EDT
Nmap scan report for 192.168.50.20
Host is up (0.10s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /login.php: Possible admin folder
|   /db/: BlogWorx Database
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /db/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds
Listing 99 - Running Nmap NSE http enumeration script against the target
As shown above, we discovered several interesting folders that could lead to further details about the target web application: /login.php is flagged as a possible admin page, /db/ is identified as a "BlogWorx Database", and every listed directory (including /db/ and /uploads/) is reported with directory listing enabled, meaning its contents can be browsed directly in a web browser. By using Nmap scripts, we managed to discover more application-specific information that we can add to the web server enumeration we performed earlier.
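The http-enum output is more useful when its paths are fed to follow-on checks. The script below is an added example and is not part of the PWK course material: it parses Nmap's normal output format into a deduplicated list of paths, separates the entries Nmap flagged with directory listing, and optionally confirms each listing live. The embedded sample is constructed to match Listing 99; the function names, the "Index of" title check and the target URL are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PWK course): extract paths from nmap's
# http-enum output for follow-on checks. The sample below is constructed to
# match Listing 99; function names and the live check are this example's own.

# Constructed sample of nmap normal (-oN) output for the http-enum script.
SAMPLE_HTTP_ENUM=$(cat <<'EOF'
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /login.php: Possible admin folder
|   /db/: BlogWorx Database
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /db/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds
EOF
)

# http_enum_paths: read nmap output on stdin and print every path the script
# reported, once each, sorted. /db/ appears twice in Listing 99 (once as a
# named application, once as a listable directory) and collapses to one entry.
http_enum_paths() {
    sed -n 's/^|_\{0,1\}[[:space:]]*\(\/[^:[:space:]]*\):.*/\1/p' | LC_ALL=C sort -u
}

# http_enum_listing_dirs: like http_enum_paths, but only the entries nmap
# flagged "w/ listing", i.e. directories whose index the server will render.
http_enum_listing_dirs() {
    grep 'w/ listing' | http_enum_paths
}

# check_dir_listing <base-url> <path>: confirm the listing is really exposed.
# Apache's autoindex page carries an "Index of" title. Network call; only
# used when a base URL is passed on the command line.
check_dir_listing() {
    if curl -s --max-time 5 "${1%/}$2" | grep -q '<title>Index of'; then
        printf 'listing enabled: %s\n' "$2"
    else
        printf 'no listing:      %s\n' "$2"
    fi
}

# Stand-alone usage: list paths from the sample; with a base URL argument
# (e.g. http://192.168.50.20, assumed), also verify each listable directory.
printf '%s\n' "$SAMPLE_HTTP_ENUM" | http_enum_paths
if [ -n "${1:-}" ]; then
    printf '%s\n' "$SAMPLE_HTTP_ENUM" | http_enum_listing_dirs \
        | while read -r p; do check_dir_listing "$1" "$p"; done
fi
```

In practice you would replace the embedded sample with a real scan saved via `nmap -oN`, pipe it through `http_enum_paths`, and hand the result to a directory brute forcer as a seed list; `http_enum_listing_dirs` gives you the short list worth browsing by hand first.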
8.2.2 Technology Stack Identification with Wappalyzer
Along with the active information gathering we performed via Nmap, we can also passively fetch a wealth of information about the application technology stack via Wappalyzer.342 Once we have registered a free account, we can perform a Technology Lookup on the megacorpone.com domain.

342 (Wappalyzer, 2022), https://www.wappalyzer.com/
Figure 81: Wappalyzer findings
From this quick third-party external analysis, we learned about the OS, the UI framework, the web
server, and more. The findings also provide information about JavaScript libraries used by the
web application - this can be valuable data, as some versions of JavaScript libraries are known to
be affected by several vulnerabilities.
8.2.3 Directory Brute Force with Gobuster
Once we have discovered an application running on a web server, our next step is to map all its publicly-accessible files and directories. To do this, we would need to perform multiple queries against the target to discover any hidden paths. Gobuster343 is a tool (written in the Go language) that can help us with this sort of enumeration. It uses wordlists to discover directories and files on a server through brute forcing.

343 (OJ, 2022), https://www.kali.org/tools/gobuster/
Due to its brute forcing nature, Gobuster can generate quite a lot of traffic, meaning it will not be helpful when staying under the radar is necessary.

Gobuster supports different enumeration modes, including fuzzing and dns, but for now, we'll only rely on the dir mode, which enumerates files and directories. We need to specify the target URL (here, the IP address of the web server) using the -u parameter and a wordlist with -w. The default number of running threads is 10; we can reduce the amount of traffic by setting a lower number via the -t parameter.
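To make the meaning of the -u, -w and -t parameters concrete, the script below reproduces gobuster's dir mode with curl and xargs: each word from the wordlist is appended to the target URL, at most the chosen number of requests run concurrently, and 404 responses are dropped. This is an added example and not part of the PWK course material or of gobuster itself; the target address, the wordlist path and the set of status codes kept are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PWK course): a minimal "dir mode" brute forcer
# built from curl and xargs, mirroring what gobuster does with -u (target URL),
# -w (wordlist) and -t (threads). Target and wordlist paths are assumed.

# Status codes worth reporting. 404 is dropped, as gobuster does by default;
# 401 and 403 are kept because they prove a path exists even if we cannot
# read it yet.
KEEP_CODES="200 204 301 302 307 401 403"
export KEEP_CODES

# interesting_status <code>: success (0) when <code> is in KEEP_CODES.
interesting_status() {
    case " $KEEP_CODES " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# clean_wordlist <file>: strip comment and blank lines (dirb-style lists start
# with a comment header), printing one candidate per line.
clean_wordlist() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# brute_dirs <base-url> <wordlist> [threads]: request <base-url>/<word> for
# every word, <threads> requests at a time, printing "<code> /<word>" for
# hits. Lowering threads reduces traffic, exactly like gobuster -t.
brute_dirs() {
    base="${1%/}"; wordlist="$2"; threads="${3:-10}"
    clean_wordlist "$wordlist" | xargs -P "$threads" -I{} sh -c '
        code=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$1/$2")
        case " $KEEP_CODES " in
            *" $code "*) printf "%s /%s\n" "$code" "$2" ;;
        esac' _ "$base" {}
}

# gobuster_cmd <base-url> <wordlist> [threads]: the equivalent gobuster line.
gobuster_cmd() {
    printf 'gobuster dir -u %s -w %s -t %s\n' "$1" "$2" "${3:-10}"
}

# Stand-alone usage (assumed target and wordlist; adjust for your lab):
#   sh dirbrute.sh run
if [ "${1:-}" = "run" ]; then
    gobuster_cmd http://192.168.50.20 /usr/share/wordlists/dirb/common.txt 5
    brute_dirs   http://192.168.50.20 /usr/share/wordlists/dirb/common.txt 5
fi
```

The point of the wrapper is the traffic model: every wordlist entry becomes one request, so a 4,600-line list is 4,600 requests, and `-t` only changes how many are in flight at once, not how many are sent. Gobuster itself is the better tool for real engagements; this script just makes the parameters visible.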
kali@kali:~$