PENTEST

Tools and more. The list below is not exhaustive.

FINGERPRINT

  • pillage.sh
    Finds interesting files on a system through an LFI previously found on the target.

  • haveibeenpwned.sh - Takes a list of email addresses as input and checks their pwned status on https://haveibeenpwned.com/.

  • versionchecker.sh
    Hashes the given input files and compares them to hashes computed from specific Git releases. This helps identify, for example, a CMS version when the CHANGELOG.txt files are missing.
    Example of command: ./versionchecker.sh -s ./input -g ~/Documents/repo/drupal/ -p "^[78].[0-9.]+$"

  • knocktone/knocktone.py

    • Converts a knockpy JSON output file for aquatone-scan
    • Resolves DNS names and looks for unresolved aliases
    • Generates a subdomain list
    • Scans the headers generated by aquatone-scan
    • And much more...
    • Install dependencies with: pip install -r requirements.txt
  • recon.sh

    • Wrapper for fingerprinting a domain
  • cors/cors.py

    • Multi-threaded script that looks for permissive CORS configurations, taking a list of URLs or domains as input
      Example of command: cors.py -f urls.txt
  • git.sh

    • Small bash script that reports the following information about a web-exposed Git repository (even when directory traversal is not possible):
      • Dates of the last commits on each branch
      • Highlights directory traversal
      • Highlights whether the remote URL can be accessed (it may contain juicy information such as user:password@github.com)
      • Displays the .git/config file and the root .gitignore
      Example of command: git.sh -u http://monsite.com/.git/

PRIVILEGE ESCALATION

  • linux/lin_shell_bind_tcp.c - /bin/sh TCP bind shell.

  • linux/lin_reverse_tcp_shell.c - /bin/sh TCP reverse shell.

  • linux/uid_gid_root_shell.c - setreuid/setregid root /bin/sh shell.

  • windows/privesc.bat - Custom privilege escalation script for Windows using accesschk.exe (which must be uploaded alongside it; see Sysinternals).

  • windows/wmic_info.bat - Collects relevant system information via the WMI command-line utility.

  • windows/win_user_add.c - Adds a Windows user to the local Administrators group.

EXPLOITS

  • shellshock_webshell.py - Exploits a vulnerable CGI script (Shellshock, GNU Bash through 4.3).
  • egg_hunter.c - An 18-byte egg-hunter shellcode (https://www.exploit-db.com/exploits/41909/)
  • rce_phpmailer_exim.py - Linux reverse shell exploit for PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV and zend-mail < 2.4.11 with the Exim MTA
  • xss/keylogger.js - Keylogger in JavaScript, useful when an XSS is found or when poisoning the browser cache during a MITM
  • xss/formscapture.js - Sets a callback function on the submit event of every form

NETWORK

  • mitm/phishing.sh - Launches a MITM attack and redirects a specific domain to our phishing web page.
  • mitm.sh (with mitmproxy) - has its own repo
    A custom proxy that strips all HTTPS links from web pages and keeps the connection with the proxy insecure: VICTIM <-- HTTP --> MITMPROXY <-- HTTPS --> WEBSITE.
    It works for any website with at least one insecure page (which reliably means HSTS is not used for the current domain).
    You can inspect and manipulate the traffic however you want with custom Python scripts.

WORDLISTS

  • dorks-lfi-rfi.txt (dorks for LFI/RFI)

DEV

  • bruteforce/java/
  • bruteforce/javascript/ - Brute-force algorithms with permutations and fixed-position characters.