Web Pentesting Checklist for Beginners — Recon Phase

Rio Darmawan
3 min read · Dec 14, 2023


Hello everyone. This time I will walk through a checklist you can follow when you are doing penetration testing work on a web application.

Identify web server, technologies and database

#https://github.com/urbanadventurer/WhatWeb
./whatweb target.com
https://www.wappalyzer.com/

WAF Checks

#https://github.com/EnableSecurity/wafw00f 
wafw00f -i target.com

#IP Wafs/CDN lists
https://github.com/MISP/misp-warninglists

Web screenshot

#https://github.com/sensepost/gowitness
gowitness file -f target.txt
gowitness report serve -D gowitness.sqlite3

URL extraction

#https://github.com/lc/gau
gau --o example-urls.txt target.com

# https://github.com/jaeles-project/gospider
gospider -S target.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt

Wayback History

#https://github.com/tomnomnom/waybackurls
cat target.txt | waybackurls

Subdomain Takeover

#https://github.com/blacklanternsecurity/bbot
bbot -t target.com -f subdomain-enum

JS Files Analysis — finding hardcoded APIs and secrets

#https://github.com/w9w/JSA 
cat urls.txt | python3 jsa.py

#https://github.com/lc/subjs
cat js.txt | subjs | httpx

#https://github.com/GerbenJavado/LinkFinder
python3 linkfinder.py -d -i https://target.com/example.js -o cli

#https://github.com/ArpitKubadia/JS-Secret-Finder
waybackurls target.com | grep ".js" | ./js_secret_finder.sh

Fuzzing

# https://github.com/ffuf/ffuf

#directory fuzzing
ffuf -mc all -fc 404 -ac -sf -s -w wordlist.txt -u https://www.target.com/FUZZ

#parameter fuzzing
ffuf -w /usr/share/wordlists/secLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'https://www.target.com/index.php?FUZZ=value' -fs 2287

Reverse IP Cloudflare Target

#https://github.com/spyboy-productions/CloakQuest3r
python cloakquest3r.py target.com

Dorking

#TOOLS
#https://github.com/obheda12/GitDorker
python3 GitDorker.py -tf ~/Tools/.github_tokens -q united.com -p -ri -d Dorks/medium_dorks.txt

# https://github.com/dxa4481/truffleHog
trufflehog https://github.com/Plazmaz/leaky-repo
trufflehog --regex --entropy=False https://github.com/Plazmaz/leaky-repo

#DORK
#Github.com
"target.com" + "MYSQL_DATABASE" language:php
"target.com" + "databases"
"target.com" + "pass"

#Github.com - finding files
"target.com" + filename:manifest.xml
"target.com" + filename:travis.yml
"target.com" + filename:vim_settings.xml
"target.com" + filename:database
"target.com" + filename:prod.exs NOT prod.secret.exs
"target.com" + filename:prod.secret.exs
"target.com" + filename:.npmrc _auth
"target.com" + filename:.dockercfg auth
"target.com" + filename:WebServers.xml
"target.com" + filename:.bash_history <Domain name>
"target.com" + filename:sftp-config.json
"target.com" + filename:sftp.json path:.vscode
"target.com" + filename:secrets.yml password
"target.com" + filename:.esmtprc password
"target.com" + filename:passwd path:etc
"target.com" + filename:dbeaver-data-sources.xml
"target.com" + path:sites databases password
"target.com" + filename:config.php dbpasswd
"target.com" + filename:prod.secret.exs
"target.com" + filename:configuration.php JConfig password
"target.com" + filename:.sh_history
"target.com" + shodan_api_key language:python
"target.com" + filename:shadow path:etc
"target.com" + JEKYLL_GITHUB_TOKEN
"target.com" + filename:proftpdpasswd
"target.com" + filename:.pgpass
"target.com" + filename:idea14.key
"target.com" + filename:hub oauth_token
"target.com" + HEROKU_API_KEY language:json
"target.com" + HEROKU_API_KEY language:shell
"target.com" + SF_USERNAME salesforce
"target.com" + filename:.bash_profile aws
"target.com" + extension:json api.forecast.io
"target.com" + filename:.env MAIL_HOST=smtp.gmail.com
"target.com" + filename:wp-config.php
"target.com" + extension:sql mysql dump
"target.com" + filename:credentials aws_access_key_id
"target.com" + filename:id_rsa or filename:id_dsa

#github.com - Finding Languages

"target.com" + language:python username
"target.com" + language:php username
"target.com" + language:sql username
"target.com" + language:html password
"target.com" + language:perl password
"target.com" + language:shell username
"target.com" + language:java api
"target.com" + HOMEBREW_GITHUB_API_TOKEN language:shell

#shodan.io
ssl.cert.subject.CN:"*.target.com"
hostname:target.com

#google.com
site:target.com inurl:/documentationapps
site:target.com (filetype:pdf OR filetype:doc OR filetype:docx)

Directory Enumeration

#https://github.com/maurosoria/dirsearch
python3 dirsearch.py -u target.com --exclude-status 403,401

#https://github.com/OJ/gobuster
gobuster dir -u https://buffered.io -w ~/wordlists/shortlist.txt

SSL Scan

#https://github.com/DinoTools/sslscan
sslscan target.com

Testing Security Headers

#https://github.com/santoru/shcheck
./shcheck.py https://target.com
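As an added example (not code from the original post or from shcheck), this is the kind of check a security-header scanner performs, written in Python over a constructed set of response headers. The header list, the one-year HSTS threshold and the CSP directives flagged are my assumptions based on common hardening guidance, not shcheck's exact rules.

```python
import re

# Constructed sample response headers (not captured from any real host).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Server": "ExampleServer/1.0",
}

# Headers a scanner expects on an HTML response; absence is reported as a finding.
REQUIRED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]
# Headers that reveal implementation details and are better removed.
LEAKY = ["Server", "X-Powered-By", "X-AspNet-Version"]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def check_security_headers(headers):
    """Return a list of finding strings for one HTTP response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy", "")
    for name in REQUIRED:
        if name.lower() in h:
            continue
        # CSP frame-ancestors supersedes X-Frame-Options, so do not double-report.
        if name == "X-Frame-Options" and "frame-ancestors" in csp:
            continue
        findings.append(f"missing: {name}")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append(f"weak: HSTS max-age={m.group(1)} (< 1 year)")
    for directive in ("'unsafe-inline'", "'unsafe-eval'"):
        if directive in csp:
            findings.append(f"weak: CSP allows {directive}")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not 'nosniff'")
    for name in LEAKY:
        if name.lower() in h:
            findings.append(f"info leak: {name}: {h[name.lower()]}")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print(finding)
```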

That is all for now. Apologies for any shortcomings, and I hope this helps with the pentest work you are currently pursuing. Thank you.

References:
https://medium.com/mii-cybersec/metode-alternatif-pada-saat-melakukan-black-box-pentest-13c84d037ec5
https://book.hacktricks.xyz/
