Ethical Hacking Study Journal: Enumeration

For week 5 of the course, an activity was given. The topic was enumeration.

The first was to enumerate the users of wp1.pentest.id.
The second was to enumerate the users of jo1.pentest.id.
The third was to enumerate the user emails of @pentest.id.

Enumerating is about listing out all the results. Enumerating users means listing out all the users of that domain, and enumerating emails means listing out all the emails.

Several tools were introduced to carry out the activity. The tools mentioned were wpscan, joomscan, TheHarvester, Google and nmap. wp1 and jo1 were only active until 24 hours after class ended. I thought of doing the activity later on, when I would be done with an event, but I had to do it fast.

And so, the morning after class, I tried the activity. It was about 6-7am when I arrived at Binus and I asked my friend from another class to help. He said that he was done with the first two and he was willing to help.

First, he told me to open wp1.pentest.id and asked what I knew about it. I told him that the only thing I knew was that it was WordPress because, well, it said so.

It is stated there “Just another WordPress site”. My friend then told me to use wpscan. He told me to run the following command in the terminal:

wpscan -h

By doing so, I could see all the options of wpscan. Then I looked for the one to enumerate users, and it was ruby ./wpscan.rb --url www.example.com --enumerate u, so I did so. The command I entered was

ruby ./wpscan.rb --url http://wp1.pentest.id/ --enumerate u

The result that I got was as follows

I did the same for jo1.pentest.id and the result was as follows

I soon realized that wpscan was for WordPress and joomscan was for Joomla. So late at figuring everything out. All the time.

I couldn’t get to the third activity due to the time. I was participating in an event as a committee member and I had to work. The time was also ticking so I thought the two users should do, for now.
