Web Application Scans

API Endpoints wordlist
https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d

Nikto

# For web applications, you can use nikto to identify potential vulnerabilities
# Not stealthy at all: it sends thousands of signature requests and is easily detected
# Think about changing the default user agent (-useragent "...")!
nikto -h http://monsite.com -o output.xml -Format xml   # -Format: csv, htm, txt, xml

Whatweb

# Whatweb is another fingerprinting/scanning tool for web applications
$ whatweb -h
$ whatweb -l # List the plugins

$ whatweb www.monsite.com
$ whatweb www.monsite.com -v # Verbose
$ whatweb www.monsite.com -a 1 # Stealthy (aggression level 1, one request)
$ whatweb www.monsite.com -a 3 # More aggressive, more tests performed

ChopChop

https://github.com/michelin/ChopChop

# ChopChop is a tool used to scan/test different endpoints.
# Its goal is to scan several endpoints and identify exposure of services/files/folders through the webroot.

# Easiest usage
$ ./gochopchop scan --url https://foobar.com

# List plugins
$ ./gochopchop plugins
$ ./gochopchop plugins --severity High

# URL list
$ ./gochopchop scan --url-file url_file.txt

Wordpress - wpscan

# Scan WordPress - Docker image available
$ wpscan -h

# Non-intrusive scan
$ wpscan --url http://monsite.com

# Enumeration
wpscan.rb --url www.example.com --enumerate # Everything
wpscan.rb --url www.example.com --enumerate p # Plugins
wpscan.rb --url www.example.com --enumerate u # Users

# Brute-force the enumerated users with a wordlist (old wpscan.rb syntax; wpscan 3.x uses --passwords and --usernames)
$ wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
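What `--enumerate u` actually does is worth seeing in code, because the same two leaks can be checked by hand when wpscan is too noisy. The script below is an added example, not wpscan's own code: it tries the two classic WordPress user sources, the `/?author=N` redirect to `/author/<slug>/` and the `/wp-json/wp/v2/users` REST listing, against a constructed fake WordPress served in-process on localhost, so it runs offline. The user table, the ID range (`max_id=10`) and the server itself are assumptions for the demo; against a real target the same functions work with the site URL as `base`.

```python
"""Added example (not wpscan's code): WordPress user enumeration via
/?author=N redirects and the /wp-json/wp/v2/users REST endpoint,
demonstrated against a constructed fake site served in-process."""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for a real WordPress user table.
FAKE_USERS = {1: "admin", 2: "editor-jane"}


class FakeWordPress(BaseHTTPRequestHandler):
    """Minimal WordPress lookalike: author redirects + REST users list."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        if url.path == "/" and "author" in qs:
            try:
                uid = int(qs["author"][0])
            except ValueError:
                uid = 0
            if uid in FAKE_USERS:  # existing ID -> redirect leaks the login slug
                self.send_response(301)
                self.send_header("Location", f"/author/{FAKE_USERS[uid]}/")
                self.end_headers()
                return
        if url.path == "/wp-json/wp/v2/users":  # unrestricted REST API
            body = json.dumps([{"id": i, "slug": s} for i, s in FAKE_USERS.items()])
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body.encode())
            return
        self.send_response(404)
        self.end_headers()


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 30x: the Location header itself is the finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET without following redirects; return (status, headers, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:  # 30x/4xx arrive here with urllib
        return e.code, e.headers, b""


def enumerate_users(base, max_id=10):
    """Return {user_id: slug} found via author redirects and the REST API."""
    found = {}
    # Source 1: /?author=N redirects to /author/<slug>/ for existing IDs.
    for uid in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base}/?author={uid}")
        loc = headers.get("Location", "") if status in (301, 302) else ""
        m = re.search(r"/author/([^/]+)/?", loc)
        if m:
            found[uid] = m.group(1)
    # Source 2: the REST API lists users unless the site has restricted it.
    status, _, body = fetch(f"{base}/wp-json/wp/v2/users")
    if status == 200:
        for u in json.loads(body):
            found.setdefault(u["id"], u["slug"])
    return found


def start_fake_wordpress():
    """Serve the fake site on an ephemeral localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeWordPress)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    site = start_fake_wordpress()
    print(enumerate_users(site))  # {1: 'admin', 2: 'editor-jane'}
```

The slugs returned are the login names to feed into the brute-force step above; a site that has fixed both leaks (redirect disabled, REST `users` route restricted) yields an empty dict, which is the expected result of a hardened install rather than an error.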

Joomla - joomlavs

# Scan Joomla - Docker image available
$ joomlavs --url www.monsite.com -v

# Enumeration
$ joomlavs --url www.monsite.com -a # All
$ joomlavs --url www.monsite.com -c # Components
$ joomlavs --url www.monsite.com -m # Modules
$ joomlavs --url www.monsite.com -t # Templates
$ joomlavs --url www.monsite.com -q # Quiet: less console output only, it does not make the scan passive

SSL weakness

# Scanner 1 (checks protocol versions, ciphers, known TLS vulnerabilities)
testssl https://monsite.com

# Scanner 2 (takes host[:port], not a URL)
sslscan domain.fr:443

Onionscan

# Scans Tor hidden services (.onion) for misconfigurations and deanonymisation leaks
https://github.com/s-rah/onionscan