Enumerating Target

After knowing that the target machine is available or active during the Target Discovery process. The next thing to do is enumerate invaluable information such as email, username, password, or any services available on the target systems. This will be used to help us as pentesters in identifying vulnerabilities on these services.

In this post, I’m going to use WPScan and TheHarvester to help me enumerate my target:

♡ usernames from wp1.pentest.id

♡usernames from  jo1.pentest.id

♡ find emails that has @pentest.id and @gmail.com

WPScan

WPScan is specifically made for finding  vulnerabilities in WordPress. It can be used to scan remote WordPress installations to find security issues.

Since wp1.pentest.id and jo1.pentest.id are wordpress-based websites. WPScan is the perfect tool for enumeration, right?

To enumerate usernames in WPScan, simply type wpscan –url wp1.pentest.id / your targeted website –random-agent –enumerate u and voila, I get all the usernames registered in wp1.pentest.id. Note: you can also use –user-agent instead of –random-agent if you want to use a specified User-Agent.

Enumeration result for wp1.pentest.id

Let’s do the same thing with jo1.pentest.id..

Yeay! I got one username and that is adminjo. If the website has more than 10 usernames, type u[start-finish] (e.g. u[5-20]) instead of u to find list of usernames from specified range of IDs. You can also find other information, like plugins or vulnerable themes. Type wpscan -h or –help to open the help screen.

The Harvester

Now, I want to enumerate emails that has @pentest.id and @gmail.com. To do that I use the Harvester since the tool can gather information like emails, subdomains, hosts, employee names, and open ports from different public sources.

Type theharvester -d pentest.id -l 100 -b google to use Google as the data source for enumerating 100 emails that has pentest.id as their domain. (-l is for how many results you want to find, -d is for the domain name you want to search, and -b is for the data source you want to use)

Unfortunately, I could not find any emails with domain pentest.id but I did find some hostnames and their IP addresses with pentest.id as their domain.

Let’s just move on to another domain which is gmail.com. Same like pentest.id, just change the domain to gmail.com and here are the list of emails that contains gmail.com.

For The Harvester documentation, just type theharvester –help or -h ♡