Directory Enumeration

Perform a directory enumeration scan on all HTTP endpoints in an Nmap scan and screenshot the results.

Setup

mkdir -p $PROJECT_DIR/dir_enum;cd $PROJECT_DIR/dir_enum

# Install Tools
sudo apt update && sudo apt install eyewitness naabu nuclei libpcap-dev golang-go libxml2-utils -y
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
mv "$HOME/go/bin/httpx" "$HOME/go/bin/httpx-ng"  # Competing package names
echo "export PATH=$PATH:$HOME/go/bin" >> "$HOME/.zshrc"
source "$HOME/.zshrc"

Convert Nmap XML

xmllint --xpath '//host[status/@state="up"]/address[@addrtype="ipv4"]/@addr' $NMAP_TCP_XML_OUTPUT | \
sed 's/ addr="/\n/g' | sed 's/"//g' | grep -v '^$' | while read IP; do
    xmllint --xpath "//host[address/@addr=\"$IP\"]/ports/port[state/@state='open']/@portid" $NMAP_TCP_XML_OUTPUT | \
    sed 's/ portid="/\n/g' | sed 's/"//g' | grep -v '^$' | while read PORT; do
        echo "$IP:$PORT"
    done
done >> httpx.hosts

Check for HTTP Servers

httpx-ng -status-code -title -web-server -t 15 -no-fallback -probe-all-ips -random-agent -o http-server-discovery.txt -l httpx.hosts
cat http-server-discovery.txt | grep -v "The plain HTTP request was sent to HTTPS port" | cut -d ' ' -f 1 >> http.hosts

Run Nuclei Scan

nuclei -ut  # Update Templates
nuclei -l http.hosts -je nuclei_out.json

You can import these Nuclei results into Bitor if the output is too much to review on screen.

Create Fuzzing Wordlist

wget https://github.com/v0re/dirb/raw/master/wordlists/big.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/Web-Servers/IIS.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Logins.fuzz.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Passwords.fuzz.txt
cat IIS.txt big.txt Logins.fuzz.txt Passwords.fuzz.txt | sort -u > ffuf.wordlist
rm IIS.txt big.txt Logins.fuzz.txt Passwords.fuzz.txt

# Remove all lines that don't start with a letter (since they are known to cause false postives)
sed -i '/^[a-zA-Z]/!d' ffuf.wordlist  # Remove me for a more verbose scan

Run Directory Enumeration Scan (FFUF)

ffuf -w http.hosts:HOST -w ffuf.wordlist:PATH -u HOST/PATH/FUZZ -ac -ic -ach -acs advanced -recursion -recursion-depth 5 -c -o ffuf_results.csv -of csv -sf -fw 1
grep ",200," ffuf_results.csv | cut -d "," -f 3 | grep -v "~" | sed 's/FUZZ//g' > enum_200-results.txt

Watch this scan run for the first few minutes to make sure your getting valid results. I'd suggesting filtering by words when you are getting results for every attempt by updating the -fw flag (Ex. If every page returns a 200 response with 5 words, make the filter flag -fw 1,5)

Review Fuzzing Results

This test is prone of false positives, review the output to make sure there are no single hosts with an absurd number of 200 responses.

cat enum_200-results.txt | cut -d '/' -f 1,2,3 | sort | uniq -c | sort -nr | head

If you find any single hosts that clearly had a load of false positive results, you can remove all hits from that host in our output using sed -i '/<FALSE_POSTIVE_IP>/d' enum_200-results.txt

Screenshot Scan Results

eyewitness -f enum_200-results.txt -d enum_200_screenshots

Export Files

echo;echo "Download the following files:"
echo " [-] Screenshot Folder: $(realpath enum_200_screenshots)"
echo " [-] Nuclei Scan: $(realpath nuclei_out.json)"

PreviousNetwork Listening NextNetwork Password Spraying

Last updated 1 month ago