In this post we covered scanning a host for open ports, running services and software versions, and hidden directories with tools such as Nmap, Gobuster, Nikto and wpscan. We gathered the ports the web servers listen on, the web server version, domain and email details from the site's certificate, hidden directories, the PHP version and the content management system running on the machine. We also found SSH and FTP servers, along with other services, running on non-standard ports. This was part of the TryHackMe Probe room.
We used the below commands to run the Nmap scans:
nmap -p- -T4 IP
nmap -p80,1443,9007,443 -A IP
We used the command below to scan for hidden directories with Gobuster (the subcommand comes first, then the target URL and the wordlist):
gobuster dir -u http://IP:8000 -w /usr/share/wordlists/dirbuster/common.txt
We used Nikto and wpscan to reveal more detail about the web server and the CMS. The first wpscan run enumerates all plugins, all themes, config backups and database exports; the second enumerates users. TLS checks are disabled because the site uses a self-signed certificate:
wpscan --url http://IP:9007 --enumerate ap,at,cb,dbe --disable-tls-checks
wpscan --url http://IP:9007 --enumerate u --disable-tls-checks
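The scans above follow a two-stage pattern: a fast full-port sweep first, then a slower version and script scan (-A) restricted to the ports that turned out to be open. The script below is an added example, not part of the original post or the room: it saves the stage-1 sweep in Nmap's greppable (-oG) format, extracts the open TCP ports from that file, and builds the stage-2 command from them, so the port list is never copied by hand. The target address 10.10.10.10 and the greppable output it parses are constructed for the example, not taken from the room's machine; the port numbers in the sample are the ones the walkthrough mentions.

```shell
#!/usr/bin/env bash
# Added example (not from the TryHackMe Probe room or the original post): a
# two-stage Nmap workflow. Stage 1 is the full-port sweep saved with -oG; the
# open ports are read back from that file and handed to the targeted -A scan,
# so the slow version/script scan only touches ports that are actually open.
set -eu

# Print the open TCP ports recorded in an Nmap greppable (-oG) file as a sorted,
# de-duplicated, comma-separated list (the format -p expects).
# A -oG host line is tab-separated, e.g.
#   Host: 10.10.10.10 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (65533)
# and each port entry is "port/state/proto/owner/service/rpc/version/".
open_ports_from_gnmap() {
    gnmap_file="$1"
    { grep '^Host:.*Ports:' "$gnmap_file" || true; } \
      | cut -f2 \
      | sed 's/^Ports: //' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ +/, "", $1); print $1 }' \
      | sort -n -u \
      | paste -sd, -
}

# Build the stage-2 command line from the stage-1 file. It is printed rather
# than executed so it can be checked without a live target; run it with
#   eval "$(targeted_scan_cmd TARGET full.gnmap)"
# when you actually want to scan.
targeted_scan_cmd() {
    target="$1"
    gnmap_file="$2"
    ports="$(open_ports_from_gnmap "$gnmap_file")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found in $gnmap_file" >&2
        return 1
    fi
    printf 'nmap -p%s -A %s\n' "$ports" "$target"
}

# Write a constructed -oG file (not real scan data) to the given path. Ports are
# listed out of order and one is filtered, to show that the extractor sorts and
# keeps only open ports.
write_sample_gnmap() {
    out="$1"
    printf '# Nmap 7.94 scan initiated as: nmap -p- -T4 -oG full.gnmap 10.10.10.10\n' > "$out"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$out"
    printf 'Host: 10.10.10.10 ()\tPorts: 9007/open/tcp//http///, 22/open/tcp//ssh///, 443/open/tcp//https///, 80/open/tcp//http///, 1443/open/tcp//ies-lm///, 8000/open/tcp//http-alt///, 25/filtered/tcp//smtp///\tIgnored State: closed (65528)\n' >> "$out"
    printf '# Nmap done at ...; 1 IP address (1 host up) scanned in 12.34 seconds\n' >> "$out"
}

# Stage 1 against a real target would be:
#   nmap -p- -T4 -oG full.gnmap TARGET
# Here the sweep output is simulated so the script runs offline.
SAMPLE="$(mktemp)"
write_sample_gnmap "$SAMPLE"
targeted_scan_cmd 10.10.10.10 "$SAMPLE"
rm -f "$SAMPLE"
```

Because the extractor only keeps entries whose state is `open` and protocol is `tcp`, filtered ports from the sweep do not leak into the -A scan; if you also sweep UDP (`-sU`), add a second filter for `udp` and pass those ports with the `U:` prefix.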
Room Answers
What is the port number of the FTP service?
What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
What is the value of the PHP Extension Build on the server?
What is the banner for the FTP service?
What software is used for managing the database on the server?
What is the Content Management System (CMS) hosted on the server?
What is the version number of the CMS hosted on the server?
What is the username for the admin panel of the CMS?
During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
What is the name of the software being used on the standard HTTP port?
What is the flag value associated with the web page hosted on port 8000?