Web Pentest

Social Engineering

  • lets go phishing
    • run the gophish.exe application
    • enter the browser dashboard, create a new profile
    • try importing a landing page
    • try setting up an email template
    • setting up users and groups
    • monitor campaign

Web & HTTP Protocol

  • HTTP method enumeration
    • curl -X GET/POST/DELETE/OPTIONS, OPTIONS will let you know what you can do
    • curl -I is HEAD request
    • dirb dirb http://demo.ine.local
    • curl post request curl -X POST demo.ine.local/login.php -d "name=john&password=password" -v
    • curl upload file curl demo.ine.local/uploads/ --upload-file hello.txt
    • burp suite, setup foxyproxy click the fox icon and select burp suite, send to repeater and modify the request
  • Passive crawling with burp suite
    • burp suite, setup foxyproxy click the fox icon and select burp suite
    • go to the proxy tab and turn off intercept
    • navigate to dashboard, ensure passive crawling is enabled and browse the application
ejpt

Written By

GitHub Contributor Team