Web Server Enumeration
This cheatsheet focuses strictly on the transport layer, the web server daemon, and infrastructure misconfigurations. The goal is to extract banners, analyze SSL/TLS certificates for hidden subdomains, and identify server-level vulnerabilities before touching the application-layer logic.
Server Fingerprinting & Headers
Identify the underlying web server (Apache, Nginx, IIS) and extract configuration details from HTTP headers.
Fetch headers (-I) and follow redirects (-L) to catch the final destination
Force a non-existent method to see if the server leaks information in the 405/501 error response
Aggressive fingerprinting for server versions, CMS, and HTTP headers
Enumerate server headers, supported methods, and default pages
SSL/TLS Enumeration
When targeting HTTPS (443, 8443), the SSL/TLS certificate is a goldmine for discovering hidden internal hostnames, staging environments, or alternate domains listed in the Subject Alternative Name (SAN) field.
Connect and dump the full certificate chain to inspect the CN and SAN fields
openssl s_client -connect 10.10.10.10:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text
Quickly view the certificate details during a standard request
Efficiency
If you find a new domain name (e.g., staging.target.thm) in the SSL certificate, immediately add it to your /etc/hosts file. Web servers often rely on Host-based routing to serve different applications on the same IP.
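The certificate inspection and the hosts-file tip above, as an added Go example that is not part of the original cheatsheet: it builds a throwaway self-signed certificate offline (standing in for the leaf that `openssl s_client -showcerts` prints), pulls the CN and every SAN DNS name out of it, and renders the `/etc/hosts` line. The hostnames and the IP 10.10.10.10 are constructed sample values. It also handles a wildcard SAN, which the hosts file cannot express and so must be skipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// SelfSignedPEM builds a throwaway self-signed certificate so the example
// runs offline; it stands in for the leaf certificate that
// `openssl s_client -showcerts` would print for a real host.
func SelfSignedPEM(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// NamesFromPEM parses the first CERTIFICATE block (the leaf, which
// s_client prints first) and returns the CN plus every SAN DNS name,
// lower-cased, deduplicated and sorted. Later blocks (intermediates)
// are ignored because their names are CA names, not hosts.
func NamesFromPEM(pemData []byte) ([]string, error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		seen := map[string]bool{}
		if cn := strings.ToLower(cert.Subject.CommonName); cn != "" {
			seen[cn] = true
		}
		for _, n := range cert.DNSNames {
			seen[strings.ToLower(n)] = true
		}
		names := make([]string, 0, len(seen))
		for n := range seen {
			names = append(names, n)
		}
		sort.Strings(names)
		return names, nil
	}
	return nil, errors.New("no CERTIFICATE block found")
}

// HostsLine renders an /etc/hosts entry for the names, skipping wildcard
// entries, which the hosts file cannot express.
func HostsLine(ip string, names []string) string {
	var hosts []string
	for _, n := range names {
		if !strings.Contains(n, "*") {
			hosts = append(hosts, n)
		}
	}
	return ip + " " + strings.Join(hosts, " ")
}

func main() {
	// Constructed sample: CN plus SANs naming a staging host, an internal
	// API and a wildcard, the kind of spread the cheatsheet is after.
	p, err := SelfSignedPEM("www.target.thm",
		[]string{"www.target.thm", "staging.target.thm", "internal-api.target.thm", "*.target.thm"})
	if err != nil {
		panic(err)
	}
	names, err := NamesFromPEM(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("names:", names)
	fmt.Println("hosts:", HostsLine("10.10.10.10", names))
}
```

On a real target, feed the PEM output of the `openssl s_client` command above into `NamesFromPEM` instead of `SelfSignedPEM`; from the defender's side, the same routine run over your own certificate inventory shows exactly which internal names you are publishing to anyone who connects.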
Server Misconfigurations
Scan for outdated web server daemons, default administrative pages, and dangerous HTTP methods (like PUT or TRACE).
Classic web server scanner. Highly effective for catching default CGI scripts and outdated Apache/IIS instances.
Test for the TRACE method (Cross-Site Tracing vulnerability)
Test if PUT is enabled (Arbitrary File Upload at the server level)
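The header and method checks from the fingerprinting section and the PUT/TRACE checks above, as an added Go example that is not part of the original cheatsheet: it parses a raw HTTP response (a constructed sample of what a server might return to a bogus method, not a real capture) and reports the Server banner, a disclosed version number, and any dangerous methods advertised in the Allow header. The same routine is useful on the defensive side to confirm that banner suppression and method restrictions actually took effect.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"sort"
	"strings"
)

// SampleResponse is a constructed 405 reply, the kind a server returns to a
// non-existent method such as "BOGUS / HTTP/1.1". It is not a real capture.
const SampleResponse = "HTTP/1.1 405 Method Not Allowed\r\n" +
	"Server: Apache/2.4.29 (Ubuntu)\r\n" +
	"X-Powered-By: PHP/7.2.24\r\n" +
	"Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT\r\n" +
	"Content-Length: 0\r\n\r\n"

// Findings summarises what a single response discloses.
type Findings struct {
	Status           int
	Server           string   // raw Server banner, "" if absent
	PoweredBy        string   // raw X-Powered-By banner, "" if absent
	VersionDisclosed bool     // either banner carries a version number
	Methods          []string // methods advertised in Allow, sorted
	RiskyMethods     []string // subset considered dangerous, sorted
}

// versionRe matches a dotted version such as 2.4.29 or 7.2.
var versionRe = regexp.MustCompile(`\d+\.\d+`)

// riskyMethods are the ones the cheatsheet flags: TRACE enables cross-site
// tracing, PUT (and DELETE) allow server-level file changes if unguarded.
var riskyMethods = map[string]bool{"TRACE": true, "PUT": true, "DELETE": true}

// AnalyzeResponse parses a raw HTTP response and reports banner and method
// disclosures that a defender would want to remove.
func AnalyzeResponse(raw string) (Findings, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return Findings{}, err
	}
	defer resp.Body.Close()

	f := Findings{
		Status:    resp.StatusCode,
		Server:    resp.Header.Get("Server"),
		PoweredBy: resp.Header.Get("X-Powered-By"),
	}
	f.VersionDisclosed = versionRe.MatchString(f.Server) || versionRe.MatchString(f.PoweredBy)

	// Allow is a comma-separated list; normalise case and whitespace.
	for _, m := range strings.Split(resp.Header.Get("Allow"), ",") {
		m = strings.ToUpper(strings.TrimSpace(m))
		if m == "" {
			continue
		}
		f.Methods = append(f.Methods, m)
		if riskyMethods[m] {
			f.RiskyMethods = append(f.RiskyMethods, m)
		}
	}
	sort.Strings(f.Methods)
	sort.Strings(f.RiskyMethods)
	return f, nil
}

func main() {
	f, err := AnalyzeResponse(SampleResponse)
	if err != nil {
		panic(err)
	}
	fmt.Printf("status=%d server=%q powered-by=%q version-disclosed=%v\n",
		f.Status, f.Server, f.PoweredBy, f.VersionDisclosed)
	fmt.Println("allowed:", f.Methods)
	fmt.Println("risky:  ", f.RiskyMethods)
}
```

A hardened server answers the same request with a bare `Server: Apache` (or no Server header), no `X-Powered-By`, and an Allow list without TRACE or PUT; running `AnalyzeResponse` over the response before and after a configuration change gives a quick regression check.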
Important
Nikto is incredibly noisy and will instantly trigger a WAF or IPS. Only use it in CTFs or assessments where stealth is explicitly out of scope.