Web Application Scans

API Endpoints wordlist
https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d

Nikto

# For web applications, you can use nikto to identify potential vulnerabilities
# Not very stealthy: its default user agent is easy to spot in server logs
# Think about changing the default user agent!
nikto -h http://monsite.com -o output.xml -Format xml # -Format takes one of: csv, xml, html, txt
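The detection side of the "not very stealthy" remark, as an added example that is not part of the original notes: a small parser over constructed Apache combined-format log lines that flags requests whose User-Agent still carries the default Nikto, WPScan, WhatWeb or JoomlaVS string (the signature substrings are assumed defaults; a scanner run with a custom user agent will not match).

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (sample data, not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.0.2.44 - - [10/Oct/2023:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
"""

# Combined Log Format: the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings found in the default User-Agent of the scanners discussed on this page.
# Assumed defaults: an operator who overrides the UA will not be matched by these.
SCANNER_SIGNATURES = {
    "nikto": re.compile(r"nikto", re.I),
    "wpscan": re.compile(r"wpscan", re.I),
    "whatweb": re.compile(r"whatweb", re.I),
    "joomlavs": re.compile(r"joomlavs", re.I),
}


def classify_ua(ua):
    """Return the scanner name whose signature matches the User-Agent, or None."""
    for name, pattern in SCANNER_SIGNATURES.items():
        if pattern.search(ua):
            return name
    return None


def scan_hits(log_text):
    """Count requests per (source IP, scanner) for lines whose UA matches a default scanner UA."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        tool = classify_ua(m.group("ua"))
        if tool:
            hits[(m.group("ip"), tool)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, tool), n in sorted(scan_hits(SAMPLE_LOG).items()):
        print(f"{ip} looks like {tool} ({n} requests)")
```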


Whatweb

# Whatweb is another scanning (fingerprinting) tool for web applications
$ whatweb -h
$ whatweb -l # List the available plugins

$ whatweb www.monsite.com
$ whatweb www.monsite.com -v
$ whatweb www.monsite.com -a 1 # Aggression level 1: stealthy
$ whatweb www.monsite.com -a 3 # Aggression level 3: more aggressive, more tests run


Wordpress - wpscan

# Scan WordPress - a Docker image is available
$ wpscan -h

# Non-intrusive scan
$ wpscan --url http://monsite.com

# Enumeration
$ wpscan.rb --url www.example.com --enumerate # Everything
$ wpscan.rb --url www.example.com --enumerate p # Plugins
$ wpscan.rb --url www.example.com --enumerate u # Users

# Brute-force the enumerated users with a wordlist
$ wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50


Joomla - joomlavs

# Scan Joomla - a Docker image is available
$ joomlavs --url www.monsite.com -v

# Enumeration
$ joomlavs --url www.monsite.com -a # All
$ joomlavs --url www.monsite.com -c # Components
$ joomlavs --url www.monsite.com -m # Modules
$ joomlavs --url www.monsite.com -t # Templates
$ joomlavs --url www.monsite.com -q # Quiet: fully passive


SSL/TLS weaknesses

# Scanner 1
$ testssl https://monsite.com

# Scanner 2
$ sslscan https://domain.fr


Onionscan

https://github.com/s-rah/onionscan