# Enumeration with Wordlists

## Directory Enumeration

#### gobuster

Run gobuster through Burp with `--proxy`, hide responses with a specific response length (`--exclude-length`), and ignore TLS certificate errors (`-k`).

{% code title="gobuster" %}

```
gobuster dir --url https://a/api --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -k -r -b 500,404 -t 1 --timeout 25s --exclude-length 47340 --proxy http://127.0.0.1:8080 -o gobuster-apwfuzz
```

{% endcode %}

**Wfuzz**

Wfuzz can ignore specific HTTP response status codes.

```
wfuzz -c --hc 302 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt https://example.com/FUZZ
```

**wfuzz with HTTP proxy**

Chain wfuzz with an HTTP proxy such as Burp, handy when a dictionary is too big. You can specify the maximum timeout for a request (--req-delay 1000) and the number of threads (-t1). Use (-Z) to ignore connection errors.

```
wfuzz -t1 -c --hc 302 --req-delay 1000 -Z --sc 200,202,204,307,403 -f ./wfuzz_out.txt -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -p 127.0.0.1:8080:HTTP https://example.com/FUZZ
```

**kiterunner**

<https://github.com/assetnote/kiterunner>

```
kr scan http://10.10.0.200:5000/users -A=httparchive_apiroutes_2024_01_28.txt -x 1 kiterunner
```

### REST API FUZZY LIST

<https://www.sqrsec.com/api-fuzzing-lists>

### REST API - OpenAPI, Swagger

```
/api
/api-docs
/api/api-docs
/api/docs
/api/openapi.json
/api/openapi.yaml
/api/swagger.json
/api/swagger.yaml
/api/v1/openapi.json
/api/v1/openapi.yaml
/api/v1/swagger.json
/api/v1/swagger.yaml
/api/v2/openapi.json
/api/v2/openapi.yaml
/api/v2/swagger.json
/api/v2/swagger.yaml
/openapi
/openapi-docs
/openapi-resources
/openapi-ui.html
/openapi.json
/openapi.yaml
/openapi/api-docs
/openapi/docs
/openapi/index.html
/openapi/v1/api-docs
/openapi/v1/openapi.json
/openapi/v1/openapi.json/
/openapi/v1/openapi.yaml
/openapi/v2/api-docs
/openapi/v2/openapi.json
/openapi/v2/openapi.yaml
/static/api/openapi.json
/static/api/openapi.yaml
/static/api/swagger.json
/static/api/swagger.yaml
/swagger-resources
/swagger-ui.html
/swagger.json
/swagger.yaml
/swagger/api-docs
/swagger/index.html
/swagger/v1/api-docs
/swagger/v1/swagger.json
/swagger/v1/swagger.json/
/swagger/v1/swagger.yaml
/swagger/v2/api-docs
/swagger/v2/swagger.json
/swagger/v2/swagger.yaml
/ui
/v1/api-docs
/v1/openapi-docs
/v2/api-docs
/v2/openapi-docs
```

### Admin panels

<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/admin.txt>

## Usernames

<https://github.com/danielmiessler/SecLists/tree/master/Usernames>

<https://github.com/insidetrust/statistically-likely-usernames>

## Passwords

<https://wiki.skullsecurity.org/index.php/Passwords>

## Accounts

A quick list for enumerating application and user accounts.

```
Admin
Administrator
adm
admin
administrator
alex
ali
ana
andrea
anna
ansible
antonio
api
app
appadmin
author
azureuser
backup
bwsa
carlos
daniel
david
designer
ec2-user
ftp
ftpuser
git
guest
hadoop
hbv7
info
jose
kisadmin
laura
local
localadmin
marco
maria
michael
mysql
nagios
operator
oracle
pi
postgres
puppet
root
sa
sandra
sara
service
su
super
superadmin
support
test
test1
test2
ts3
ubnt
ubuntu
user
user1
user2
users
usuario
vagrant
vice
writer
wwo
www
```

## Projects

{% embed url="<https://wordlists.assetnote.io/>" %}

{% embed url="<https://github.com/bhavesh-pardhi/Wordlist-Hub>" %}

{% embed url="<https://github.com/trickest/wordlists>" %}

{% embed url="<https://github.com/gmelodie/awesome-wordlists>" %}

## References

[Stok epic video](https://www.youtube.com/watch?v=ngZ1Osul4P8) about wordlists.

