Enumeration
90% research, 10% exploitation.
Poke Around
Check page source code.
Find application features.
Understand the app purpose.
File And Directory Bruteforcing
Find hidden gems: /admin, /console and more.
Find things that may be hidden: ., ~, etc.
Bash File And Dir Bruteforcer
This can be easily achieved with a bit of shell scripting.
#!/bin/bash
# Read each word from the dictionary and print the status line curl gets back for it.
while read -r WORD; do
    OUTPUT=$(curl -I -s "http://target/$WORD")
    # The first line of the response headers is the status line, e.g. "HTTP/1.1 200 OK".
    echo "$WORD - $(printf '%s\n' "$OUTPUT" | head -n 1)"
done < dict.txt
The only problem is that this could be very slow for larger dictionaries.
Bruteforcing Tools
DirBuster is a very good tool for this.
Some tools like Burp can also be used for bruteforcing.
Error Message Analysis
Requesting non-existent resources.
Supplying weird values to input fields.
Sending completely broken HTTP requests.
Use known tricks such as ?var[]=123 for PHP apps.
Alternative Ports
Common HTTP ports: 80, 443, 8080, 8443, etc.
Run a port scanner like nmap.
Alternative Access
Web services (WSDL): .wsdl, .asmx.
Other login interfaces.
Desktop and Mobile clients.
Java, Flash, AJAX and other RIAs.
Public Enumeration Tricks
Using Google we can find publicly-known information.
ext:wsdl domain:target
ext:exe domain:target
Supported Methods
Send the OPTIONS method to various locations.
OPTIONS / HTTP/1.0
Keep in mind that REST applications can support arbitrary method names.
Virtual Hosts
Bing/MSN Search: ip:<ip> directive.
Google: site:<domain> directive.
DNS bruteforcing.
VirtualHost databases.
Netcraft.
Load Balancers
BIG-IP cookies.
Changes in the Date: headers.
Changes in DNS responses.
Changes in packet ids.
hping2 ip -S -p 80 -i u1000 -c 30
HPING ip (eth0 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=hidden ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=1
len=46 ip=hidden ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=1
len=46 ip=hidden ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=1
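The tell in the hping2 output above is the id= field: the replies carry two interleaved IP ID counters (58489, 58490, 58491 and 16912, 16913, 16914), so two different hosts are answering behind one address. As an added example (not part of the original course material), the following Python script parses that output and estimates how many backends answered by grouping the IDs into increasing counters; the sample input is the page's own hping2 output, and the tolerance value is an assumption.

```python
import re
from typing import List

# Sample input: the hping2 reply lines shown on this page (IPs already hidden).
HPING_OUTPUT = """\
len=46 ip=hidden ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=1
len=46 ip=hidden ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=1
len=46 ip=hidden ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=2
len=46 ip=hidden ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=1
"""

ID_RE = re.compile(r"\bid=(\d+)\b")


def parse_ip_ids(output: str) -> List[int]:
    """Extract the IP ID of every hping2 reply line, in arrival order."""
    return [int(m.group(1)) for m in ID_RE.finditer(output)]


def count_backends(ids: List[int], tolerance: int = 64) -> int:
    """Estimate how many hosts replied by grouping IDs into increasing counters.

    A classic IP stack keeps one global IP ID counter that increments per packet
    sent. A reply whose ID is slightly above the last ID of a known counter
    (modulo 2**16, the field is 16 bits wide) is attributed to that host; any
    other ID starts a new counter. The tolerance (an assumed value) absorbs
    packets the host sent to other clients between our probes.
    """
    counters: List[int] = []
    for ip_id in ids:
        for i, last in enumerate(counters):
            if 0 < (ip_id - last) % 65536 <= tolerance:
                counters[i] = ip_id
                break
        else:
            counters.append(ip_id)
    return len(counters)


if __name__ == "__main__":
    observed = parse_ip_ids(HPING_OUTPUT)
    print("IP IDs:", observed)
    print("estimated hosts behind the address:", count_backends(observed))  # 2
```

Modern stacks that randomise IP IDs per packet defeat this heuristic (every reply looks like a new host), which is also why randomised IDs are the mitigation for this kind of leak.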
Google Hacking
Useful directives: inurl:, site:, intext:, ext: and more.
Google Hacking Database
Lab
We will apply all that we have learned.
Challenges
1. Enumerate the files and directories of a demo app.
1. Use shell scripting.
2. Use ready-made tool.
2. Find a PHP app and locate some errors.
3. Enumerate alternative access interfaces of a demo app.
4. Enumerate supported methods of a demo app.
5. Fingerprint the vhosts of a random target.
6. Find web cameras using a Google Dork.

Web Application Security 101 - 05 Enumeration