
Itp4416 Lab02 Recon Tools v2024 v1

This document outlines a lab exercise for a Web Application Security course, focusing on web reconnaissance techniques using various tools. Students will learn to identify targets, scan for open ports and services, and analyze web technologies and vulnerabilities. The lab includes specific tasks involving tools like netdiscover, Nmap, WhatWeb, and Nikto, with instructions for capturing outputs and answering related questions.

Uploaded by

alfred4302

HD in Cybersecurity (IT114122/IT314122/IT514122)

ITP4416 – Web Application Security AY2023/24 (Sem2)

Name: ____________________ Class: ___________________


Lab 02 – Web Reconnaissance
Learning Objectives:
Upon completion of this lab, you will be able to:
- understand the functions of different types of web reconnaissance tools.
- collect web application information by using different types of web reconnaissance tools.

Note:
Please use RED colored text for ALL your answers and set your screen
captures with a RED colored border.

Web Reconnaissance Tools:


netdiscover, Nmap, dirbuster (dirb), gobuster, Nikto, WhatWeb

Task 01 – Identify target in a subnet using netdiscover

1 Start both Kali and Kioptrix3 (victim) VMs. Make sure Network Adapters of VMs use NAT.
2 Log in to Kali (the default username and password should be kali/kali).
3 Check IP address of Kali VM.
ip addr show
4 Use netdiscover to find the IP address of Kioptrix3 (victim).
sudo netdiscover -r 192.168.189.0/24
Ctrl-C to stop netdiscover.
Note:
- You should replace 192.168.189.0/24 with your subnet found in step 3.
- You may use the help option to learn more about how to use netdiscover
(netdiscover -h).
- In my case, I found the victim IP is 192.168.189.139 (you should use your identified
victim IP address in task02 ~ task07).
Capture and paste your output below.

Task 02 – Scanning and identify services (i.e. open ports) with Nmap


1 Use Nmap to identify the open ports (i.e., network services) of the victim server.
sudo nmap 192.168.189.139
Capture and paste your output below.
Note:
- Why sudo? Because only the root user can perform a stealth scan (i.e., option -sS).
- By default, Nmap scans the top 1,000 ports for each scan protocol requested. To view
these one-thousand ports, use the following command:
sudo nmap -sT --top-ports 1000 -v -oG -
- By default, only TCP ports are scanned.
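
The `-oG -` option in the note above writes Nmap's grepable format to standard output. The following added example (not part of the original lab sheet) reduces that format to one line per open port, which helps when highlighting the useful parts of a capture; the function names and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Nmap grepable output (-oG); not captured from a real scan.
sample_scan() {
    printf '# constructed sample\n'
    printf 'Host: 192.168.189.139 ()\tStatus: Up\n'
    printf 'Host: 192.168.189.139 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
}

# Read grepable output on stdin and print "host port/proto service [version]"
# for every port whose state is exactly "open".
open_ports() {
    awk -F'\t' '
    /^Host: / {
        split($1, h, " ")                 # h[2] holds the address
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            p = $i
            sub(/^Ports: /, "", p)
            n = split(p, entry, ", ")     # one entry per port
            for (j = 1; j <= n; j++) {
                # entry layout: port/state/protocol/owner/service/rpcinfo/version/
                split(entry[j], f, "/")
                if (f[2] != "open") continue
                line = h[2] " " f[1] "/" f[3] " " (f[5] == "" ? "unknown" : f[5])
                if (f[7] != "") line = line " " f[7]
                print line
            }
        }
    }'
}

sample_scan | open_ports
```

In the lab, pipe a real scan written with `-oG -` into `open_ports` instead of `sample_scan`.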

Question
Write down the nmap command that can be used to scan all TCP ports (i.e., 0 ~ 65536).
Ans:

2 Use Nmap to find out the software versions of the services on the open ports and to
determine the OS version.
sudo nmap -sV -O 192.168.189.139
Capture and paste your output below. Please highlight the useful information found in your
capture.


3 Use the following Nmap NSE scripts to scan the victim server.
- http-enum
- http-methods
- http-brute
- http-config-backup
- http-rfi-spider
- http-default-accounts
Search how to use the above scripts. Write the commands used in your scanning.
Ans:

Question
1. What is the default path for the NSE scripts?
Ans:

2. Are there any findings from the above Nmap NSE scripts?
Ans:


Task 03 – Find out the web technologies behind the web application

1 Use whatweb to scan the victim to find out more information related to web technologies
used by the developer.
whatweb 192.168.189.139
List the findings:

Question
Are the findings scanned by whatweb consistent with the findings in task01 and task02?
Ans:


Task 04 – Web application scanning by using Nikto

1. Scan the victim server by using Nikto.


nikto -h 192.168.189.139

Capture and paste your output below. Please highlight the useful information found in your
capture.

List the findings:

Question
Are the findings scanned by nikto consistent with the findings in task01 and task03?
Ans:


Task 05 – dirb / dirbuster / gobuster

1 Before using URL enumeration tools to find any hidden URLs, you should first check the
content of robots.txt. Open Firefox to browse the following URL.
http://192.168.186.139/robots.txt

Question
What is/are the findings from robots.txt?
Ans:

2 Use dirb to find out directory/URL in victim server.


dirb http://192.168.186.139 -r

Note:
- dirb is a command-line tool that brute-forces directories based on wordlists. dirb
sends an HTTP request for each entry and checks the HTTP response code of each request.
- Some of the URLs found may be purposely hidden by the developer (i.e., there is no web
link in the web app to access the hidden URL).
Capture and paste your output below. Please highlight the useful information found in your
capture.

List the findings:

Question
What is the default dictionary used by dirb? Are there any other dictionaries available
within Kali?
Ans:


3 Perform the scan again using dirbuster (dirb with GUI).


Capture and paste your output below.

4 Perform the scan again using gobuster (another command-line tool with a function
similar to dirb).
Note:
By default, gobuster is not installed in Kali. Use the following command to install it.
sudo apt update
sudo apt install gobuster

Question
Write down the command used (include all the options & parameters).
Ans:

Are the findings consistent with the findings of dirb/dirbuster?


Ans:

Capture and paste your output below.
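
The note in step 2 says dirb requests every wordlist entry and reads the response code, so on the server side the same scan appears as one client producing many 404 responses for distinct paths. The following added example (not part of the original lab sheet) flags such clients in a web access log; it assumes the Apache combined log format, and the function names, thresholds and log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed access-log lines in Apache combined format; not from a real server.
sample_log() {
    for p in admin backup cache cgi-bin config data db dev old test; do
        printf '192.168.189.128 - - [01/Jan/2024:10:00:00 +0000] "GET /%s HTTP/1.1" 404 280 "-" "-"\n' "$p"
    done
    printf '192.168.189.128 - - [01/Jan/2024:10:00:01 +0000] "GET /images HTTP/1.1" 301 310 "-" "-"\n'
    printf '192.168.189.1 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1819 "-" "-"\n'
    printf '192.168.189.1 - - [01/Jan/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 280 "-" "-"\n'
    printf '192.168.189.1 - - [01/Jan/2024:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "-"\n'
}

# Flag clients that look like wordlist enumeration.
# $1 = minimum number of distinct paths answered with 404
# $2 = minimum share of the client requests that ended in 404, in percent
flag_enumeration() {
    awk -v min="$1" -v pct="$2" '
    {
        ip = $1; path = $7; status = $9 + 0
        total[ip]++
        if (status != 404) next
        nf[ip]++
        # count each missing path once per client
        if (!((ip, path) in seen)) { seen[ip, path] = 1; miss[ip]++ }
    }
    END {
        for (ip in total)
            if (miss[ip] + 0 >= min + 0 && nf[ip] * 100 >= pct * total[ip])
                printf "%s requests=%d not_found=%d distinct_missing=%d\n",
                       ip, total[ip], nf[ip], miss[ip]
    }' | sort
}

sample_log | flag_enumeration 5 80
```

Tune both thresholds against normal traffic for the site. A server that answers missing pages with status 200 needs a different signal, such as response size.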


END
