Enumeration with Wordlists

Wordlists for assets, usernames and passwords for your pentest

Directory Enumeration

gobuster

Run gobuster through Burp (--proxy), hide responses of a specific length (--exclude-length) and skip TLS certificate verification (-k).

gobuster dir --url https://a/api --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -k -r -b 500,404 -t 1 --timeout 25s --exclude-length 47340 --proxy http://127.0.0.1:8080 -o gobuster-apwfuzz

Wfuzz

Wfuzz can ignore specific HTTP response status codes.

wfuzz -c --hc 302 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt https://example.com/FUZZ

wfuzz with HTTP proxy

Chain wfuzz with an HTTP proxy such as Burp; this is handy when a dictionary is too big. You can specify the maximum timeout for a request (--req-delay 1000) and the number of threads (-t1). Use (-Z) to ignore connection errors.

wfuzz -t1 -c --hc 302 --req-delay 1000 -Z --sc 200,202,204,307,403 -f ./wfuzz_out.txt -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -p 127.0.0.1:8080:HTTP https://example.com/FUZZ

kiterunner

https://github.com/assetnote/kiterunner

kr scan http://10.10.0.200:5000/users -A=httparchive_apiroutes_2024_01_28.txt -x 1 kiterunner

REST API - OpenAPI, Swagger

/api
/api-docs
/api/api-docs
/api/docs
/api/openapi.json
/api/openapi.yaml
/api/swagger.json
/api/swagger.yaml
/api/v1/openapi.json
/api/v1/openapi.yaml
/api/v1/swagger.json
/api/v1/swagger.yaml
/api/v2/openapi.json
/api/v2/openapi.yaml
/api/v2/swagger.json
/api/v2/swagger.yaml
/openapi
/openapi-docs
/openapi-resources
/openapi-ui.html
/openapi.json
/openapi.yaml
/openapi/api-docs
/openapi/docs
/openapi/index.html
/openapi/v1/api-docs
/openapi/v1/openapi.json
/openapi/v1/openapi.json/
/openapi/v1/openapi.yaml
/openapi/v2/api-docs
/openapi/v2/openapi.json
/openapi/v2/openapi.yaml
/static/api/openapi.json
/static/api/openapi.yaml
/static/api/swagger.json
/static/api/swagger.yaml
/swagger-resources
/swagger-ui.html
/swagger.json
/swagger.yaml
/swagger/api-docs
/swagger/index.html
/swagger/v1/api-docs
/swagger/v1/swagger.json
/swagger/v1/swagger.json/
/swagger/v1/swagger.yaml
/swagger/v2/api-docs
/swagger/v2/swagger.json
/swagger/v2/swagger.yaml
/ui
/v1/api-docs
/v1/openapi-docs
/v2/api-docs
/v2/openapi-docs
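
Seen from the server side, a run through this list leaves a recognisable trail in the access log: one client requesting many distinct documentation paths, mostly answered with 404. The following is an added example, not part of the original page, that flags such clients and reports which spec paths were actually served. The log lines, the threshold and the function names are constructed assumptions, and SPEC_PATHS holds only a subset of the list above.

```python
import re
from collections import defaultdict

# Subset of the spec-discovery paths listed above; load the full list in practice.
SPEC_PATHS = {
    "/api-docs", "/api/openapi.json", "/api/swagger.json", "/openapi.json",
    "/swagger.json", "/swagger-ui.html", "/swagger/v1/swagger.json",
    "/v2/api-docs", "/swagger-resources", "/openapi.yaml",
}

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def normalise(path):
    """Drop the query string and trailing slash, lowercase, so variants match the list."""
    path = path.split("?", 1)[0].lower()
    return path.rstrip("/") or "/"

def find_spec_probers(lines, min_distinct=3):
    """Return {client_ip: {"probed": [...], "exposed": [...]}} for clients that
    requested at least min_distinct distinct spec paths; "exposed" got a 2xx."""
    probed = defaultdict(set)
    exposed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, _method, raw_path, status, _size = m.groups()
        path = normalise(raw_path)
        if path in SPEC_PATHS:
            probed[ip].add(path)
            if status.startswith("2"):
                exposed[ip].add(path)
    return {ip: {"probed": sorted(p), "exposed": sorted(exposed[ip])}
            for ip, p in probed.items() if len(p) >= min_distinct}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /swagger.json HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /api/swagger.json HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /v2/api-docs/ HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /openapi.json?x=1 HTTP/1.1" 200 48211
203.0.113.9 - - [10/Mar/2025:10:01:00 +0000] "GET /swagger-ui.html HTTP/1.1" 200 3021
203.0.113.9 - - [10/Mar/2025:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1200
garbage line
""".splitlines()

if __name__ == "__main__":
    for ip, hit in find_spec_probers(SAMPLE_LOG).items():
        print(ip, "probed", len(hit["probed"]), "spec paths; served:", hit["exposed"])
```

Any path reported under "exposed" is a spec the application serves without the client having known its location, which is the one to put behind authentication or remove from production.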

Admin panels

https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/admin.txt

Usernames

https://github.com/danielmiessler/SecLists/tree/master/Usernames

https://github.com/insidetrust/statistically-likely-usernames

Passwords

https://wiki.skullsecurity.org/index.php/Passwords

Accounts

A quick list for enumerating application and user accounts

Admin
Administrator
adm
admin
administrator
alex
ali
ana
andrea
anna
ansible
antonio
api
app
appadmin
author
azureuser
backup
bwsa
carlos
daniel
david
designer
ec2-user
ftp
ftpuser
git
guest
hadoop
hbv7
info
jose
kisadmin
laura
local
localadmin
marco
maria
michael
mysql
nagios
operator
oracle
pi
postgres
puppet
root
sa
sandra
sara
service
su
super
superadmin
support
test
test1
test2
ts3
ubnt
ubuntu
user
user1
user2
users
usuario
vagrant
vice
writer
wwo
www

Projects

References

Stok's epic video about wordlists.
