First, let’s rescan 172.16.10.10:8081, which yielded no
discovered endpoints when scanned by Nikto. The following
dirsearch command uses the -u (URL) option to specify a base URL
from which to start crawling.
$ dirsearch -u http://172.16.10.10:8081/
--snip--
Target: http://172.16.10.10:8081/
[00:14:55] Starting:
[00:15:32] 200 - 371B - /upload
[00:15:35] 200 - 44B - /uploads
Great! This tool was able to pick up two previously unknown
endpoints named /upload and /uploads. This is why it’s important to
double and triple-check your results using more than one tool, and
also to manually verify the findings, because tools sometimes
produce false positives. If you navigate to the /upload page, you
should see a file-upload form. Take note of this endpoint because
we’ll test it later in the book.
Let’s also use dirsearch to look for attack vectors in what looked
like an empty folder at http://172.16.10.11/backup/acme-impact-alliance:
$ dirsearch -u http://172.16.10.11/backup/acme-impact-alliance/
--snip--
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Target: http://172.16.10.11/backup/acme-impact-alliance/
--snip--
[22:49:53] Starting:
[22:49:53] 301 - 337B - /backup/acme-impact-alliance/js -> http://172.16.10.11/backup/acme-impact-alliance/js/
[22:49:53] 301 - 339B - /backup/acme-impact-alliance/.git -> http://172.16.10.11/backup/acme-impact-alliance/.git/
--snip--
[22:49:53] 200 - 92B - /backup/acme-impact-alliance/.git/config
--snip--
Dirsearch inspects the responses returned by the web server to
identify behaviors that could indicate the existence of an asset. For
example, it notes whether a URL redirects to a new location (indicated
by HTTP status code 301) and records the response size in bytes.
Sometimes you can infer information and observe behaviors solely by
inspecting these details.
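To triage results in this format, here is an added example (not from the book) that parses dirsearch result lines from a constructed sample and tags the findings a defender would verify first, such as a reachable .git/config; the names SAMPLE_OUTPUT, parse_dirsearch and count_note are this example's own.

```shell
#!/usr/bin/env bash
# Constructed sample of dirsearch result lines in the format shown above:
# [HH:MM:SS] <status> - <size>B - <path> [-> <redirect>]
SAMPLE_OUTPUT='[00:15:32] 200 - 371B - /upload
[00:15:35] 200 - 44B - /uploads
[22:49:53] 301 - 337B - /backup/acme-impact-alliance/js -> http://172.16.10.11/backup/acme-impact-alliance/js/
[22:49:53] 301 - 339B - /backup/acme-impact-alliance/.git -> http://172.16.10.11/backup/acme-impact-alliance/.git/
[22:49:53] 200 - 92B - /backup/acme-impact-alliance/.git/config
[22:49:54] 403 - 278B - /backup/acme-impact-alliance/.htaccess'

# Read dirsearch result lines on stdin and emit TSV:
# status<TAB>size<TAB>path<TAB>redirect<TAB>note
# Non-result lines (banner, "Starting:", --snip--) are ignored.
parse_dirsearch() {
  awk '
    /^\[[0-9:]+\] [0-9][0-9][0-9] - [0-9]+B - / {
      status = $2; size = $4; sub(/B$/, "", size); path = $6
      redirect = ($7 == "->") ? $8 : ""
      note = "review"
      # An exposed .git directory can leak source, history and secrets
      if (path ~ "/[.]git(/|$)")  note = "exposed-vcs"
      # Upload endpoints need manual verification (false positives happen)
      else if (path ~ "upload")   note = "upload-endpoint"
      # 403 still proves the asset exists; only access is denied
      else if (status == 403)     note = "exists-forbidden"
      # A 301 to a trailing-slash URL is the server confirming a directory
      if (status == 301 && redirect != "") note = note ";directory"
      printf "%s\t%s\t%s\t%s\t%s\n", status, size, path, redirect, note
    }'
}

# Count parsed findings whose note matches a tag, e.g. count_note exposed-vcs
count_note() {
  printf '%s\n' "$SAMPLE_OUTPUT" | parse_dirsearch |
    awk -F'\t' -v tag="$1" '$5 ~ tag { n++ } END { print n + 0 }'
}

# Stand-alone run: print the triaged table for the sample
printf '%s\n' "$SAMPLE_OUTPUT" | parse_dirsearch
```

The same function works on a saved dirsearch report, e.g. `parse_dirsearch < dirsearch.log`, and the note column gives a first-pass priority for manual verification.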
This time, we’ve identified a subfolder within the acme-impact-alliance
folder named .git. A folder with this name usually indicates
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks