Documentation Index Fetch the complete documentation index at: https://mintlify.com/HackTricks-wiki/hacktricks/llms.txt
Use this file to discover all available pages before exploring further.
The web service is the most common and extensive service and a wide variety of vulnerability types exist.
Default Ports: 80 (HTTP), 443 (HTTPS)nc -v domain.com 80 # GET / HTTP/1.0 openssl s_client -connect domain.com:443 # GET / HTTP/1.0
Methodology Overview
Identify Technologies
Find the technologies being used to look for known vulnerabilities and useful tricks. whatweb -a 1 < UR L > # Stealthy whatweb -a 3 < UR L > # Aggressive webtech -u < UR L > webanalyze -host https://target.com -crawl 2
Check for WAF
wafw00f < UR L > nmap --script http-waf-detect < I P >
Launch General Scanners
nikto -h < UR L > whatweb -a 4 < UR L > nuclei -ut && nuclei -target < UR L > zaproxy # Via API
Initial Checks
Check default informational pages:
/robots.txt/sitemap.xml/crossdomain.xml/.well-known/Check comments in main and secondary pages
Run SSL/TLS scan if HTTPS: ./testssl.sh 10.10.10.10:443 sslscan < host:por t > sslyze --regular < ip:por t >
Spider the Application
Find all possible files, folders, and parameters: gospider -s https://target.com hakrawler -url https://target.com katana -u https://target.com gau target.com # Uses wayback, otx, commoncrawl
Directory Brute-Forcing
# Feroxbuster (fast, recursive) feroxbuster -u https://target.com -w /usr/share/wordlists/dirb/big.txt # ffuf ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ # gobuster gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \ -u https://target.com # dirsearch (recursive) python3 dirsearch.py -w small_dirlist -e php,html,py -u https://target.com -r
Backup Checking
Check for backup files appending common extensions:
file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old
Parameter Discovery
# Arjun arjun -u https://target.com/endpoint # Param Miner (Burp extension) # x8 x8 -u https://target.com/endpoint
Vulnerability Checking
Use the web vulnerabilities methodology checklist for all discovered endpoints.
Technology-Specific Tricks
# WordPress wpscan --force update -e --url < UR L > wpscan --url < UR L > --enumerate u,ap,at,cb,dbe # Joomla joomscan --ec -u < UR L > # Drupal droopescan scan drupal -u < UR L > # Generic CMS cmsmap [-f W] -F -d < UR L >
If source code is available on GitHub:
Check Change-log/Readme for version info
Look for credentials in code, configs, commit history
Search for hash algorithms, encryption keys
Check Issues for unresolved vulnerabilities
.git directory exposed → extract source code.env file → API keys, DB passwordsJS files → use RetireJS to check for known vulnerabilities
API endpoints → test for API-specific vulnerabilities
403 Forbidden → try bypass techniques
502 Proxy Error → potential misconfigured proxy/SSRF
NTLM Authentication → info disclosure via NTLM challenge
NTLM Authentication Info Disclosure # Windows servers with NTLM auth disclose version info curl -s -I -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" \ http://target.com/ # Check WWW-Authenticate header for IIS and Windows version # Automated with nmap nmap -p 80,443 --script http-ntlm-info < I P >
Automated Command Reference # Quick web scan (Nikto + Gobuster) nikto -host http:// < I P > : < POR T > && \ gobuster dir -w < Small_Dirlis t > -u http:// < I P > : < POR T > && \ gobuster dir -w < Big_Dirlis t > -u http:// < I P > : < POR T > # WhatWeb whatweb -a 4 < I P > # Nmap web vuln scan nmap -vv --reason -Pn -sV -p < Por t > \ --script= "banner,(http* or ssl*) and not (brute or broadcast or dos or fuzzer)" < I P > # WordPress wpscan --url http:// < I P > /wp-login.php --enumerate ap,at,cb,dbe && \ wpscan --url http:// < I P > /wp-login.php --enumerate u,tt,t,vp --passwords < Big_Passwordlis t > # Ffuf vhost discovery ffuf -w < Subdomain_Lis t > :FUZZ -u http:// < Domain_Nam e > -H "Host: FUZZ.<Domain_Name>" \ -c -mc all -fs < common_siz e >
SSL/TLS Vulnerability Reference
No HTTPS enforcement → MitM possibleSensitive data in HTTP → high severityCheck for BEAST, POODLE, HEARTBLEED, ROBOT, DROWN via testssl.sh
