Pentesting - Everything, Everywhere, All In One Place
This is a collection of all the commands and tools I use for pentesting. I will try to keep it updated as much as possible.
If you liked the old content, you can find it in the archive folder.
Bug Hunting Roadmap
- [ ] Grab all the in-scope urls
- [ ] Subdomain enumeration for everyone of them
- [ ] Get live subdomains
- [ ] Check for subdomain takeover
- [ ] Screenshot all the live domains
- [ ] Network
- [ ] Open Ports / Services
- [ ] Content Discovery
- [ ] Framework
- [ ] Favicon
- [ ] Directories
- [ ] URLs
- [ ] S3 Buckets
- [ ] JS files
- [ ] Broken Social Links
- [ ] GIT Repositories
- [ ] Vulnerability Scanning
- [ ] XSS Scanning
- [ ] SQL Injection
- [ ] XXE Injection
- [ ] SSRF Injection
- [ ] Race Condition Testing
- [ ] CORS Vulnerability Testing
- [ ] Parameter Tampering
- [ ] Local File Inclusion / Directory Traversal
- [ ] IDOR
Table of Contents
Preparation
export TARGET="target.com"
mkdir $TARGET
cd $TARGET
mkdir screenshots
export VT_APIKEY=<YourAPIKEY>
Reconnaissance
Subdomain Enumeration
subfinder -d $TARGET -o subdomains_1.txt
findomain -t $TARGET -q > subdomains_2.txt
sublist3r -d $TARGET -t 3 -n -o subdomains_3.txt
gobuster vhost --no-color --append-domain -q -t 50 -u http://$TARGET -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o raw_subdomains_4.txt
grep -oE 'Found: [^ ]+' raw_subdomains_4.txt | awk '{print $2}' > subdomains_4.txt
cat subdomains*.txt | sort | uniq > subdomains.txt
cat subdomains.txt| wc -l
# Go to
# https://chaos.projectdiscovery.io/#/
# to get all the subdomains for a program
## Check https://dnsdumpster.com/ it has nice graph
Get Live Subdomains
~/go/bin/httpx -l subdomains.txt -o subdomains-live.txt
cat subdomains-live.txt | wc -l
Subdomain Takeover
AWS Subdomain Takeover Steps
- Check for "bucket does not exist" messages on the subdomain.
- Determine the original bucket's region.
- Create a new bucket in the same region with the subdomain's name.
- Upload and set 'index.html' to public access.
- Configure the bucket for static file hosting.
Automating Subdomain Takeover
subzy run --targets subdomains.txt --timeout 20 --output subdomain_subzy.txt
subjack -w subdomains.txt -t 100 -timeout 30 -o subdomain_subjack.txt -ssl
Get Screenshots of the Live Subdomians
eyewitness -f subdomains-live.txt --web -d screenshots --timeout 100 --delay 10 --proxy-ip 127.0.0.1 --proxy-port 8080
# or
cat subdomains-live.txt | aquatone --out screenshots -scan-timeout 900 -chrome-path /usr/bin/chromium
Port Scanning
naabu -iL subdomains-live.txt -silent -exclude-cdn -top-ports 1000 -o ports.txt
Content Discovery
- Based on Tech
- COTS / PAID / OSS
- Custom
- Historical
- Recursive
- Mobile APIs
- Change Detection
Content Discovery Lists
- Download the lists from here
wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH -e robots=off
- Tech
- IIS / MSF
- assetnote/httparchiveaspx_asp_cfm_svc_ashx_asmx
- IIS Shortname Scanner
- PHP + CGI
- assetnote/httparchive_cgi_pl
- assetnote/httparchive_php
- General API
- assetnote/httparchiveapiroutes
- assetnote/swagger-wordlist
- seclists/Discovery/Web-Content/api/api-endpoints.txt
- Java
- assetnote/httparchive_jsp_jspa_do_action
- Generic
- assetnote/httparchivedirectories_1m
- RAFT
- Robots Disallowed
- github.com/six2dez/OneListForAll
- jhadix/content_discovery_all.txt
- Other
- Use Technology <=> Host Mappings from assetnote.io
- adobe_experience_manager <=> assetnote/httparchive_adobe_experience_manager
- apache <=> assetnote/httparchive_apache
- cherrypy <=> assetnote/httparchive_cherrypy
- coldfusion <=> assetnote/httparchive_coldfusion
- django <=> assetnote/httparchive_django
- express <=> assetnote/httparchive_express
- flask <=> assetnote/httparchive_flask
- laravel <=> assetnote/httparchive_laravel
- nginx <=> assetnote/httparchive_nginx
- rails <=> assetnote/httparchive_rails
- spring <=> assetnote/httparchive_spring
- symfony <=> assetnote/httparchive_symfony
- tomcat <=> assetnote/httparchive_tomcat
- yii <=> assetnote/httparchive_yii
- zend <=> assetnote/httparchive_zend
- OSS (Open Source Software) / PAID / COTS (Commercial Off The Shelf)
- If the app is open source, you can use the source code to find endpoints
- You can use Source2URL
- PAID / COTS (Commercial Off The Shelf)
- Download a Demo version of the software
- Custom
- use Scavneger to generate custom wordlists from burp history
- Historical
echo bugcrowd.com | gau | wordlistgen | sort -u > wordlist.txt
- Recursive
- Do recursion on 401 and 403 pages, and then do content discovery on the new pages
- Mobile APIs
- Scan APK file for URIs, endpoints & secrets. apkleaks
- Change Detection
- subscribe to the newsletter of the target
- conferences / events / webinars from the targets
- Monitor the target's social media accounts
- change detection
Questions to Ask Yourself when Doing Content Discovery
- How does the app pass data?
- resource?parameter=value¶meter2=value2
- Method /route/resource/subresource/parameter
- How/Where does the app talk about the users? understand how are the users referenced in the app and where
- where?
- cookies
- API Calls
- Headers
- How?
- UID
- UUID
- email
- username
- Does the site have multi-tenancy or user levels?
- admin
- user
- guest
- Does the site has a unique threat model?
- Is it a bank, hospital, streaming service, …?
- You need to test for special api keys, tokens, …
- Has there past security research and vuln?
- check hackerone, bugcrowd, …
- How the app handles these:
- XSS
- CSRF
-
Code Injection (SQLi,Template, RCE, noSQL, …)
-
Spider using Burp Suite or OWASP ZAP or Hakrawler or Gospider
- Extact links and parse js and spider and inline javascript
- Using xnLinkFinder
xnLinkFinder -i tesla.com -d 2 -sp https://tesla.com -o tesla.txt
- Using GAP Burp Extension
- Check for oudated js libraries using RetireJS in Burp Suite
Heat Mapping / Content Discovery
- Upload functions
- Integrations (From 3rd party)
- XSS
- Self Uploads
- XML Based (Docs, PDFs, …)
- SSRF, XSS
- Image Based (JPG, PNG, …)
- Shell, XSS
- Name
- Binary Header
- Metadata
- Where is data stored?
- S3 Permissions
- Content Types
- Look for multipart-forms
- Look for JSON
- Look for XML
- API
- GraphQL
- REST / Methods
- Account Section
- Profile
- Stored XSS
- App Custom Fields
- Integrations
- SSRF, XSS
- Errors
Parameter Analysis
feroxbuster -u http://localhost:3000/#/ --extract-links -o links.txt --filter-status 404 500 --rate-limit 100 --scan-limit 1 -t 10 --random-agent
curl $TARGET/favicon.ico | md5sum
- Check /robots.txt
- Check /sitemap.xml
- Check HTTP headers
- Use google dorks
- site: target.com
- inrul:admin
- filetype:pdf
- intitle:admin
- Check https://archive.org/web/
- Check Github / Gitlab / Bitbucket
- Search in target tab in Burp Suite for words like: path, link, …
Get S3 Buckets
slurp domain -t booking.com
# TODO: check s3 workflow
# also check this https://github.com/nikhil1232/Bucket-Flaws
Add All Live Domains to Burpsuite
cat subdomains-live.txt | xargs -P 10 -I {} curl -k -x http://localhost:8080 {} -o /dev/null
Get IPs, PORTS, and Services
Get Broken Social Links
socialhunter -f subdomains-live.txt -w 10 > sociallinks-hunting.txt
Vulnerabilities Scanning
XSS Scanning
# Find XSS vulnerabilities using XSSHunter
xsshunter -u $TARGET
SQL Injection
# Test for SQL injection vulnerabilities using SQLMap
sqlmap -u $TARGET
XXE Injection
# Test for XXE vulnerabilities using XXEInjector
xxeinjector $TARGET
SSRF Injection
# Detect SSRF vulnerabilities using SSRFDetector
ssrfdetector $TARGET
Git Repository Scanning
# Scan for Git repositories using GitTools
gitdumper $TARGET
# Find secrets in Git repositories using gitallsecrets
gitallsecrets -u $TARGET
Race Condition Testing
# Test for race conditions using RaceTheWeb
racetheweb $TARGET
CORS Vulnerability Testing
# Test for CORS vulnerabilities using CORStest
corstest $TARGET
Parameter Tampering
# Test for parameter tampering vulnerabilities using parameth
parameth -u $TARGET
Local File Inclusion / Directory Traversal
ffuf -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt -u http://10.10.41.192/playground.php?file=FUZZ -fr Failed
files we are intersted to see
| /etc/issue |
contains a message or system identification to be printed before the login prompt. |
| /etc/profile |
controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived |
| /proc/version |
specifies the version of the Linux kernel |
| /etc/passwd |
has all registered user that has access to a system |
| /etc/shadow |
contains information about the system's users' passwords |
| /root/.bash_history |
contains the history commands for root user |
| /var/log/dmessage |
contains global system messages, including the messages that are logged during system startup |