Web

[PDF] Frogy's Mindmap

Version Enumeration

Commits

https://0xdf.gitlab.io/2023/07/29/htb-cerberus.html

for f in `find public/ -type f`; do echo "$f: `git log --oneline "$f" | wc -l`"; done | sort -nrk2 > /tmp/files_stat && head /tmp/files_stat

TARGET_FILE=`head -1 /tmp/files_stat | awk -F: '{print $1}'`
TARGET_FILE_BASENAME=`basename $TARGET_FILE`

for hash in `git log --oneline $TARGET_FILE | awk '{print $1}'`; do (git checkout "$hash"; echo "$hash: `md5sum $TARGET_FILE`") 2>/dev/null | tee -a "/tmp/$TARGET_FILE_BASENAME.md5"; done
git reset --hard && git checkout main

grep `curl -sSLk "https://example.com/$TARGET_FILE" | md5sum | awk '{print $1}'` "/tmp/$TARGET_FILE_BASENAME.md5"

git log $TARGET_FILE

Out-of-Band (OOB) Exploitation/Exfiltration

https://notsosecure.com/out-band-exploitation-oob-cheatsheet

Output Redirection

https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html

sh -c $@|sh . echo echo test > /tmp/.1 && ls -la /tmp/.1 && cat /tmp/.1 && rm /tmp/.1

Tools

https://infosecwriteups.com/cool-recon-techniques-every-hacker-misses-1c5e0e294e89

nikto

https://github.com/sullo/nikto

$ nikto -h http://127.0.0.1 -Cgidirs all

dnsrecon

https://github.com/darkoperator/dnsrecon

Perform reverse DNS lookup for IPs in subnet 10.10.10.0/24 with a name server at 192.168.1.11:

$ dnsrecon -r 10.10.10.0/24 -n 192.168.1.11 -d DoesNotMatter

gobuster

$ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/wordlists/dirbuster/directory-list[-lowercase]-2.3-medium.txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1
$ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/seclists/Discovery/Web-Content/raft-small-words[-lowercase].txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1

wfuzz

$ wfuzz -e encoders
$ wfuzz -c -u 'http://10.10.13.37/index.php?id=FUZZ' -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -f wfuzz.out --hh 1337
$ wfuzz -c -u 'http://10.10.13.37' --basic 'FUZZ:FUZ2Z' -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -w /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt --hc 1337

ffuf

aquatone

Default ports:

$ cat targets.txt | ./aquatone -ports 80,443,8000,8080,8443 -out 10.0-255.0-255.0-255
$ cat targets.txt | ./aquatone -ports xlarge -out 10.0-255.0-255.0-255

From Nmap XML:

$ ports=`cat nmap/tcp.gnmap | grep -ioP '\d+/open/tcp//http' | awk -F/ '{print $1}' | sort -u | awk 1 ORS=',' | sed 's/.$//'`
$ cat targets.txt | ./aquatone -ports $ports -out 10.0-255.0-255.0-255_nmap
Or
$ cat nmap/tcp.xml | ./aquatone -nmap -out 10.0-255.0-255.0-255_nmap

amass

https://github.com/OWASP/Amass/releases

Об обнаружении субдоменовsnovvcrash@gh-pages:~$ _

$ amass intel -active -config config.ini -whois -df domains.txt -ipv4 -src -v -o intel.out
$ amass enum -active -brute -config config.ini -df domains.txt -ipv4 -src -v -o enum.out

subfinder

https://github.com/projectdiscovery/subfinder/releases

$ subfinder -all -config config.yaml -d hackerone.com -o subdomains.txt [-oI -nW]

shuffledns

https://github.com/projectdiscovery/shuffledns/releases

$ shuffledns -d hackerone.com -r /opt/dnsvalidator/resolvers.txt -w /usr/share/commonspeak2-wordlists/subdomains/subdomains.txt -o subdomains.txt -t 500

massdns

$ massdns -r /opt/dnsvalidator/resolvers.txt domains.txt -w domains-resolved.txt -o S

pdtm

https://github.com/projectdiscovery/pdtm

# curl "https://zyedidia.github.io/eget.sh" | sh && sudo mv eget /usr/local/bin
mkdir pd && cd pd
eget -qs linux/amd64 "projectdiscovery/pdtm" --to pdtm
./pdtm -ia -ip -bp `pwd`
./nuclei
curl -sSL "https://github.com/DingyShark/nuclei-scan-sort/raw/main/nuclei_sort.py" -o nuclei_sort.py
sed -i '1 i #!/usr/bin/env python3' nuclei_sort.py
chmod +x nuclei_sort.py

dnsx

https://github.com/projectdiscovery/dnsx

$ dnsx -l dns.txt -resp -a -aaaa -cname -mx -ns -soa -txt
$ dnsx -d megacorp.local -r 192.168.0.11,192.168.0.22 -w /usr/share/seclists/Discovery/DNS/... -a -t 25 -o ~/ws/log/dnsx.log -silent

chaos

https://github.com/projectdiscovery/chaos-client

$ chaos -d megacorp.com -key <API_KEY> -http-status-code -http-title -http-url -o chaos.out

httpx

https://github.com/projectdiscovery/httpx/releases

$ httpx -l domains.txt -vhost -http2 -pipeline -title -content-length -status-code -follow-redirects -tls-probe -content-type -location -csp-probe -web-server -stats -ip -cname -cdn -ports 80,81,300,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,12443,16080,18091,18092,20720,28017 -threads 300 -o httpx.out

With an upsteam proxy using proxify:

$ proxify -silent -socks5-proxy 127.0.0.1:10080
$ httpx -silent -probe -u 192.168.1.11 -p https:443 -http-proxy http://127.0.0.1:8888

katana

$ katana -u https://megacorp.com/ -hl -nos -jc -silent -aff -kf all,robotstxt,sitemapxml -c 150 -fs fqdn  | subjs | jsa.py | goverview probe -N -c 500 | sort -u -t';' -k2,14 | cut -d';' -f1

interactsh

https://github.com/projectdiscovery/interactsh

Self-hosted:

$ interactsh-client -server example.com -token '1337t0k3n' -o interactsh.log -sf interactsh.session -asn -v

nuclei

https://blog.projectdiscovery.io/ultimate-nuclei-guide/

https://twitter.com/reconone_/status/1540666730829082624twitter.com

$ nuclei -update-templates
$ nuclei -l domains.txt [-t cves] -o nuclei.out

Sort results:

# Manually
cat nuclei.out | grep -v info | grep '\] \[' | sort -k3
# Automated
curl -sSL "https://github.com/DingyShark/nuclei-scan-sort/raw/main/nuclei_sort.py" -o nuclei_sort.py
sed -i '1 i #!/usr/bin/env python3' nuclei_sort.py
chmod +x nuclei_sort.py
python3 nuclei_sort.py -i nuclei.out | grep -v info | grep . --color=none

SSL / TLS:

$ nuclei -l domains.txt -t ssl -o nuclei_ssl.out | tee nuclei_ssl.tee
$ cat nuclei_ssl.out | grep -e deprecated-tls -e detect-ssl -e expired-ssl -e mismatched-ssl -e self-signed -e weak-cipher | sort -u

Using tlsx:

$ das -db corp parse https -raw | tlsx -ex -ss -mm -re -o tlsx.out

Web scan against a large scope:

$ nuclei -l targets.txt -ni -eid 'addeventlistener-detect,cname-fingerprint,deprecated-tls,dns-waf-detect,expired-ssl,http-missing-security-headers,mismatched-ssl,mismatched-ssl-certificate,mx-fingerprint,mx-service-detector,nameserver-fingerprint,options-method,revoked-ssl-certificate,robots-txt-endpoint,self-signed-ssl,ssl-dns-names,ssl-issuer,tech-detect,tls-version,txt-fingerprint,untrusted-root-certificate,waf-detect,weak-cipher-suites,xss-deprecated-header-detect' -etags network,xss -o nuclei_web.out | tee nuclei_web.tee

Network scan against a large scope:

nuclei -l targets.txt -eid 'addeventlistener-detect,cname-fingerprint,deprecated-tls,dns-waf-detect,expired-ssl,http-missing-security-headers,mismatched-ssl,mismatched-ssl-certificate,mx-fingerprint,mx-service-detector,nameserver-fingerprint,options-method,revoked-ssl-certificate,robots-txt-endpoint,self-signed-ssl,ssl-dns-names,ssl-issuer,tech-detect,tls-version,txt-fingerprint,untrusted-root-certificate,waf-detect,weak-cipher-suites,xss-deprecated-header-detect' -etags xss -o nuclei_network.out -iserver example.com -itoken '1337t0K3n' | tee nuclei_network.tee

Last updated 9 months ago