Web Application Enumeration

Web applications are present on nearly every OSCP exam machine. Thorough web enumeration is essential for finding hidden attack vectors.

Initial Web Reconnaissance

Manual First Steps

Before running automated tools, always:

Manual Checklist:
□ Visit the site in browser
□ View page source (Ctrl+U)
□ Check /robots.txt
□ Check /sitemap.xml
□ Look for comments in HTML
□ Identify technologies (Wappalyzer)
□ Check for default pages/credentials

Technology Fingerprinting

# Whatweb - identifies technologies
whatweb http://$IP

# Wappalyzer (browser extension) - detailed stack detection

# Nmap HTTP scripts
nmap --script=http-headers,http-methods,http-title -p 80 $IP

Directory and File Enumeration

Gobuster (Fast and Reliable)

# Directory enumeration
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

# With file extensions
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,bak

# Recommended wordlist for OSCP
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt

Gobuster Options

Flag   Purpose                  Example
-w     Wordlist                 -w /path/to/wordlist
-x     Extensions               -x php,txt,bak
-t     Threads                  -t 50
-o     Output file              -o results.txt
-k     Skip SSL verification    -k (used for HTTPS targets)
-b     Blacklist status codes   -b 404,403

Feroxbuster (Recursive)

# Recursive enumeration
feroxbuster -u http://$IP -w /usr/share/wordlists/dirb/common.txt

# With extensions and more threads
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt -t 100

When to Use Which Tool

gobuster    = Fast, single-level enumeration
feroxbuster = Recursive, finds nested directories
ffuf        = Flexible, great for fuzzing parameters
dirsearch   = Python-based, good extensions handling
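From the defender's side, every tool above leaves the same footprint in the web server's access log: one client issuing a burst of requests that mostly come back 403/404 (the very codes gobuster's -b flag hides from the operator), often with the tool's default User-Agent. The script below is an added example, not part of the original guide; the log lines are constructed, and the scanner User-Agent fragments are assumed defaults that an operator can override.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client - - [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Default User-Agent fragments of the tools above (assumption: the operator did not override them)
SCANNER_UAS = ("gobuster", "feroxbuster", "fuzz faster", "nikto", "wpscan")

# Constructed sample: one client walking a wordlist with .php appended, one ordinary visitor
SAMPLE_LOG = [f'10.0.0.5 - - [01/Jan/2024:12:00:{i:02d} +0000] "GET /{w}{i}.php HTTP/1.1" 404 196 "-" "gobuster/3.6"'
              for i, w in enumerate(["admin", "backup", "config", "old", "test"] * 5)] + [
    f'192.168.1.20 - - [01/Jan/2024:12:00:{i:02d} +0000] "GET /{p} HTTP/1.1" {s} 5120 "-" "Mozilla/5.0"'
    for i, (p, s) in enumerate([("index.php", 200), ("about.php", 200), ("favicon.ico", 404)])]

def parse_line(line):
    """Return the fields the detector needs, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"]), "ua": m["ua"]}

def detect_enumeration(lines, window_s=60, min_requests=20, min_miss_ratio=0.8):
    """Map client IP -> reasons for clients that look like directory brute forcing: a known scanner
    User-Agent, or >= min_requests requests in window_s seconds of which >= min_miss_ratio hit 403/404."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(s in r["ua"].lower() for r in recs for s in SCANNER_UAS):
            reasons.append("scanner user-agent")
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding time window over this client's requests, oldest first
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            misses = sum(r["status"] in (403, 404) for r in window)
            if len(window) >= min_requests and misses / len(window) >= min_miss_ratio:
                reasons.append(f"{misses}/{len(window)} requests returned 403/404 within {window_s}s")
                break  # one hit is enough; the codes are exactly those gobuster -b hides
        if reasons:
            findings[ip] = reasons
    return findings
```

The rate rule still fires when the User-Agent is changed to look like a browser, so it is the one to rely on for alerting; tune min_requests against the site's normal 404 volume before enabling it.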

Virtual Host Enumeration

Servers may host multiple sites via virtual hosts.

# Gobuster vhost mode
gobuster vhost -u http://$DOMAIN -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# FFuf vhost fuzzing (-fs filters out responses whose size matches the server's default vhost page)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://$IP -H "Host: FUZZ.$DOMAIN" -fs <default-size>

Add discovered vhosts to /etc/hosts:

echo "$IP newhost.domain.local" | sudo tee -a /etc/hosts

CMS Identification and Enumeration

WordPress

# WPScan enumeration
wpscan --url http://$IP/wordpress -e ap,at,u

# Enumerate users
wpscan --url http://$IP/wordpress -e u

# Enumerate vulnerable plugins
wpscan --url http://$IP/wordpress -e vp

# Brute force login
wpscan --url http://$IP/wordpress -U users.txt -P /usr/share/wordlists/rockyou.txt

Joomla

# JoomScan
joomscan -u http://$IP

# Manual version check
curl http://$IP/administrator/manifests/files/joomla.xml

Drupal

# Droopescan
droopescan scan drupal -u http://$IP

# Check version
curl http://$IP/CHANGELOG.txt

Parameter and API Enumeration

Finding Hidden Parameters

# FFUF parameter fuzzing (-fs filters out responses of the same size as the page without the parameter)
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "http://$IP/page?FUZZ=test" -fs <default-size>

# Arjun - automated parameter discovery
arjun -u http://$IP/page

API Endpoint Discovery

# Common API paths
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# FFUF for API versions
ffuf -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -u http://$IP/api/FUZZ

Nikto Web Scanner

Nikto finds common vulnerabilities and misconfigurations:

# Basic scan
nikto -h http://$IP

# With specific port
nikto -h http://$IP:8080

# Output to file
nikto -h http://$IP -o nikto.txt

Nikto Findings to Watch For

Critical findings:
├── Default credentials
├── Backup files (.bak, .old)
├── Directory listing enabled
├── Outdated software versions
├── Server information leakage
└── Common CVEs

Web Enumeration Workflow

Step 1: Technology Stack
├── whatweb, Wappalyzer
└── Identify: CMS, language, server

Step 2: Directory Enumeration
├── gobuster with common.txt
├── Add extensions: php, txt, bak, html
└── Note all interesting paths

Step 3: Deeper Enumeration
├── feroxbuster recursive scan
├── CMS-specific tools
└── Virtual host enumeration

Step 4: Manual Investigation
├── Check all found pages
├── View source code
├── Look for hidden forms
└── Test for misconfigurations

Step 5: Vulnerability Scanning
├── nikto for common issues
├── Check for known CVEs
└── Test authentication pages

Important Files to Find

Configuration:
├── config.php, wp-config.php
├── web.config, .htaccess
├── settings.py, config.yml
└── database.yml, credentials.xml

Backup Files:
├── .bak, .old, .backup
├── ~file, file.save
└── .git, .svn

Information Disclosure:
├── robots.txt, sitemap.xml
├── README, INSTALL, CHANGELOG
├── phpinfo.php
└── .git/config

Next, we'll cover DNS enumeration and OSINT techniques.
