Web Pentesting Checklist for Beginners — Recon Phase
Dec 14, 2023
Hello everyone. This time I will walk through a checklist you can work through when doing a penetration test on a web application.
Identify web server, technologies and database
#https://github.com/urbanadventurer/WhatWeb
./whatweb target.com
WAF Checks
#https://github.com/EnableSecurity/wafw00f
#-i expects a file of targets; pass a single target directly
wafw00f https://target.com
#IP Wafs/CDN lists
https://github.com/MISP/misp-warninglists
Web screenshot
#https://github.com/sensepost/gowitness
gowitness file -f target.txt
gowitness report serve -D gowitness.sqlite3
URL extraction
#https://github.com/lc/gau
gau --o example-urls.txt target.com
#https://github.com/jaeles-project/gospider
gospider -S target.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt
Wayback History
#https://github.com/tomnomnom/waybackurls
cat target.txt | waybackurls
Subdomain Takeover
#https://github.com/blacklanternsecurity/bbot
bbot -t target.com -f subdomain-enum
JS Files Analysis — finding hardcoded APIs and secrets
#https://github.com/w9w/JSA
cat urls.txt | python3 jsa.py
#https://github.com/lc/subjs
cat js.txt | subjs | httpx
#https://github.com/GerbenJavado/LinkFinder
python3 linkfinder.py -d -i https://target.com/example.js -o cli
#https://github.com/ArpitKubadia/JS-Secret-Finder
waybackurls target.com | grep '\.js' | ./js_secret_finder.sh
Fuzzing
#https://github.com/ffuf/ffuf
#directory fuzzing
ffuf -mc all -fc 404 -ac -sf -s -w wordlist.txt -u https://www.target.com/FUZZ
#parameter fuzzing
ffuf -w /usr/share/wordlists/secLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'https://www.target.com/index.php?FUZZ=value' -fs 2287
Reverse IP Cloudflare Target
#https://github.com/spyboy-productions/CloakQuest3r
python cloakquest3r.py target.com
Dorking
#TOOLS
#https://github.com/obheda12/GitDorker
python3 GitDorker.py -tf ~/Tools/.github_tokens -q target.com -p -ri -d Dorks/medium_dorks.txt
#https://github.com/dxa4481/truffleHog
trufflehog https://github.com/Plazmaz/leaky-repo
trufflehog --regex --entropy=False https://github.com/Plazmaz/leaky-repo
#DORK
#Github.com
"target.com" + "MYSQL_DATABASE" language:php
"target.com" + "databases"
"target.com" + "pass"
#Github.com - finding files
"target.com" + filename:manifest.xml
"target.com" + filename:travis.yml
"target.com" + filename:vim_settings.xml
"target.com" + filename:database
"target.com" + filename:prod.exs NOT prod.secret.exs
"target.com" + filename:prod.secret.exs
"target.com" + filename:.npmrc _auth
"target.com" + filename:.dockercfg auth
"target.com" + filename:WebServers.xml
"target.com" + filename:.bash_history <Domain name>
"target.com" + filename:sftp-config.json
"target.com" + filename:sftp.json path:.vscode
"target.com" + filename:secrets.yml password
"target.com" + filename:.esmtprc password
"target.com" + filename:passwd path:etc
"target.com" + filename:dbeaver-data-sources.xml
"target.com" + path:sites databases password
"target.com" + filename:config.php dbpasswd
"target.com" + filename:configuration.php JConfig password
"target.com" + filename:.sh_history
"target.com" + shodan_api_key language:python
"target.com" + filename:shadow path:etc
"target.com" + JEKYLL_GITHUB_TOKEN
"target.com" + filename:proftpdpasswd
"target.com" + filename:.pgpass
"target.com" + filename:idea14.key
"target.com" + filename:hub oauth_token
"target.com" + HEROKU_API_KEY language:json
"target.com" + HEROKU_API_KEY language:shell
"target.com" + SF_USERNAME salesforce
"target.com" + filename:.bash_profile aws
"target.com" + extension:json api.forecast.io
"target.com" + filename:.env MAIL_HOST=smtp.gmail.com
"target.com" + filename:wp-config.php
"target.com" + extension:sql mysql dump
"target.com" + filename:credentials aws_access_key_id
"target.com" + filename:id_rsa or filename:id_dsa
#github.com - Finding Languages
"target.com" + language:python username
"target.com" + language:php username
"target.com" + language:sql username
"target.com" + language:html password
"target.com" + language:perl password
"target.com" + language:shell username
"target.com" + language:java api
"target.com" + HOMEBREW_GITHUB_API_TOKEN language:shell
#shodan.io
ssl.cert.subject.CN:"*.target.com"
hostname:target.com
#google.com
site:target.com inurl:/documentationapps
site:target.com (filetype:pdf OR filetype:doc OR filetype:docx)
Directory Enumeration
#https://github.com/maurosoria/dirsearch
python3 dirsearch.py -u target.com --exclude-status 403,401
#https://github.com/OJ/gobuster
gobuster dir -u https://target.com -w ~/wordlists/shortlist.txt
SSL Scan
#https://github.com/DinoTools/sslscan
sslscan target.com
Testing Security Headers
#https://github.com/santoru/shcheck
./shcheck.py https://target.com
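As an added, defender-side illustration of what a header check like shcheck reports (example code, not the tool's own), the function below reviews a constructed set of response headers and flags defensive headers that are missing or present but weak:

```python
import re

# Constructed sample: response headers as a misconfigured server might send them.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}

# Headers a hardened site should send (lower-cased name -> why it matters).
EXPECTED = {
    "strict-transport-security": "forces HTTPS on returning visitors",
    "content-security-policy": "restricts script/resource origins",
    "x-frame-options": "blocks clickjacking via framing",
    "x-content-type-options": "stops MIME sniffing",
    "referrer-policy": "limits URL leakage to third parties",
    "permissions-policy": "disables unneeded browser features",
}

def review_headers(headers):
    """Return {'missing': [...], 'weak': [...]} for a header mapping.

    Names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in EXPECTED if name not in lower]
    weak = []

    # HSTS shorter than six months (15552000 s) gives little protection.
    m = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 15552000:
        weak.append("Strict-Transport-Security: max-age below 6 months")

    # A CSP that allows inline or eval'd script defeats its XSS purpose.
    csp = lower.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        weak.append("Content-Security-Policy: allows unsafe-inline/unsafe-eval")

    # A version number in Server helps an attacker pick known CVEs.
    if re.search(r"\d", lower.get("server", "")):
        weak.append("Server: discloses software version")

    return {"missing": missing, "weak": weak}

if __name__ == "__main__":
    result = review_headers(SAMPLE_HEADERS)
    for name in result["missing"]:
        print(f"MISSING {name}: {EXPECTED[name]}")
    for finding in result["weak"]:
        print(f"WEAK    {finding}")
```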
That is all for now. Apologies for any shortcomings, and I hope this helps the pentest you are currently working on. Thank you.
References: https://medium.com/mii-cybersec/metode-alternatif-pada-saat-melakukan-black-box-pentest-13c84d037ec5
https://book.hacktricks.xyz/