Pentest Book
Search…
Crawl/Fuzz
1
# Crawlers
2
dirhunt https://url.com/
3
hakrawler -domain https://url.com/
4
python3 sourcewolf.py -h
5
gospider -s "https://example.com/" -o output -c 10 -d 1
6
gospider -S sites.txt -o output -c 10 -d 1
7
gospider -s "https://example.com/" -o output -c 10 -d 1 --other-source --include-subs
8
​
9
# Fuzzers
10
# ffuf
11
# Discover content
12
ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w six2dez/OneListForAll/onelistforall.txt -u https://url.com/FUZZ
13
# Headers discover
14
ffuf -mc all -ac -u https://hackxor.net -w six2dez/OneListForAll/onelistforall.txt -c -H "FUZZ: Hellothereheadertesting123 asd"
15
# Ffuf - burp
16
ffuf -replay-proxy http:127.0.0.1:8080
17
# Fuzzing extensions
18
# General
19
.htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml,.inc
20
# Backups
21
'.bak','.bac','.old','.000','.~','.01','._bak','.001','.inc','.Xxx'
22
​
23
# kr
24
# https://github.com/assetnote/kiterunner
25
kr brute https://whatever.com/ -w onelistforallmicro.txt -x 100 --fail-status-codes 404
26
kr scan https://whatever.com/ -w routes-small.kite -A=apiroutes-210228 -x 100 --ignore-length=34
27
​
28
# Best wordlists for fuzzing:
29
# https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
30
- raft-large-directories-lowercase.txt
31
- directory-list-2.3-medium.txt
32
- RobotsDisallowed/top10000.txt
33
- https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext -
34
- https://github.com/random-robbie/bruteforce-lists
35
- https://github.com/google/fuzzing/tree/master/dictionaries
36
- https://github.com/six2dez/OneListForAll
37
- AIO: https://github.com/foospidy/payloads
38
- Check https://wordlists.assetnote.io/
39
# Tip: set "Host: localhost" as header
40
41
# Custom generated dictionary
42
gau example.com | unfurl -u paths
43
# Get files only
44
sed 's#/#\n#g' paths.txt |sort -u
45
# Other things
46
gau example.com | unfurl -u keys
47
gau example.com | head -n 1000 |fff -s 200 -s 404
48
​
49
# Hadrware devices admin panel
50
# https://github.com/InfosecMatter/default-http-login-hunter
51
default-http-login-hunter.sh https://10.10.0.1:443/
52
​
53
# Dirsearch
54
dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w six2dez/OneListForAll/onelistforall.txt --request-by-hostname -t 40
55
​
56
# dirb
57
dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt
58
​
59
# wfuzz
60
wfuzz -c -z file,six2dez/OneListForAll/onelistforall.txt --hc 404 http://10.11.1.11/FUZZ
61
​
62
# gobuster
63
gobuster dir -u http://10.11.1.111 -w six2dez/OneListForAll/onelistforall.txt -s '200,204,301,302,307,403,500' -e
64
​
65
# Cansina
66
# https://github.com/deibit/cansina
67
python3 cansina.py -u example.com -p PAYLOAD
68
​
69
# Ger endpoints from JS
70
# LinkFinder
71
# https://github.com/GerbenJavado/LinkFinder
72
python linkfinder.py -i https://example.com -d
73
python linkfinder.py -i burpfile -b
74
​
75
# JS enumeration
76
# https://github.com/KathanP19/JSFScan.sh
77
​
78
# Tip, if 429 add one of these headers:
79
Client-Ip: IP
80
X-Client-Ip: IP
81
X-Forwarded-For: IP
82
X-Forwarded-For: 127.0.0.1
Copied!
Last modified 8mo ago
Export as PDF
Copy link
Edit on GitHub