MCPcopy Index your code
hub / github.com/AnasAboreeda/Penetration-Testing-Study-Notes

github.com/AnasAboreeda/Penetration-Testing-Study-Notes @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
464 symbols 1,266 edges 50 files 19 documented · 4%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Pentesting - Everything, Everywhere, All In One Place

This is a collection of all the commands and tools I use for pentesting. I will try to keep it updated as much as possible.

If you liked the old content, you can find it in the archive folder.

Bug Hunting Roadmap

  • [ ] Grab all the in-scope urls
  • [ ] Subdomain enumeration for everyone of them
  • [ ] Get live subdomains
  • [ ] Check for subdomain takeover
  • [ ] Screenshot all the live domains
  • [ ] Network
  • [ ] Open Ports / Services
  • [ ] Content Discovery
  • [ ] Framework
  • [ ] Favicon
  • [ ] Directories
  • [ ] URLs
  • [ ] S3 Buckets
  • [ ] JS files
  • [ ] Broken Social Links
  • [ ] GIT Repositories
  • [ ] Vulnerability Scanning
  • [ ] XSS Scanning
  • [ ] SQL Injection
  • [ ] XXE Injection
  • [ ] SSRF Injection
  • [ ] Race Condition Testing
  • [ ] CORS Vulnerability Testing
  • [ ] Parameter Tampering
  • [ ] Local File Inclusion / Directory Traversal
  • [ ] IDOR

Table of Contents

Preparation

export TARGET="target.com"
mkdir $TARGET
cd $TARGET
mkdir screenshots
export VT_APIKEY=<YourAPIKEY>

Reconnaissance

Subdomain Enumeration


subfinder -d $TARGET -o subdomains_1.txt

findomain -t $TARGET -q > subdomains_2.txt

sublist3r -d $TARGET -t 3 -n -o subdomains_3.txt

gobuster vhost --no-color --append-domain -q -t 50 -u http://$TARGET -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o raw_subdomains_4.txt

grep -oE 'Found: [^ ]+' raw_subdomains_4.txt | awk '{print $2}' > subdomains_4.txt

cat subdomains*.txt | sort | uniq > subdomains.txt

cat subdomains.txt| wc -l

# Go to
# https://chaos.projectdiscovery.io/#/
# to get all the subdomains for a program

## Check https://dnsdumpster.com/ it has nice graph

Get Live Subdomains

~/go/bin/httpx -l subdomains.txt -o subdomains-live.txt

cat subdomains-live.txt | wc -l

Subdomain Takeover

AWS Subdomain Takeover Steps

  1. Check for "bucket does not exist" messages on the subdomain.
  2. Determine the original bucket's region.
  3. Create a new bucket in the same region with the subdomain's name.
  4. Upload and set 'index.html' to public access.
  5. Configure the bucket for static file hosting.

Automating Subdomain Takeover

subzy run --targets subdomains.txt --timeout 20 --output subdomain_subzy.txt
subjack -w subdomains.txt -t 100 -timeout 30 -o subdomain_subjack.txt -ssl

Get Screenshots of the Live Subdomians

eyewitness -f subdomains-live.txt --web -d screenshots --timeout 100 --delay 10 --proxy-ip 127.0.0.1 --proxy-port 8080

# or

cat subdomains-live.txt | aquatone --out screenshots -scan-timeout 900 -chrome-path /usr/bin/chromium

Port Scanning

naabu -iL subdomains-live.txt -silent -exclude-cdn -top-ports 1000 -o ports.txt

Content Discovery

  1. Based on Tech
  2. COTS / PAID / OSS
  3. Custom
  4. Historical
  5. Recursive
  6. Mobile APIs
  7. Change Detection

Content Discovery Lists

  • Download the lists from here

wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH -e robots=off

  1. Tech
  2. IIS / MSF
    1. assetnote/httparchiveaspx_asp_cfm_svc_ashx_asmx
    2. IIS Shortname Scanner
  3. PHP + CGI
    1. assetnote/httparchive_cgi_pl
    2. assetnote/httparchive_php
  4. General API
    1. assetnote/httparchiveapiroutes
    2. assetnote/swagger-wordlist
    3. seclists/Discovery/Web-Content/api/api-endpoints.txt
  5. Java
    1. assetnote/httparchive_jsp_jspa_do_action
  6. Generic
    1. assetnote/httparchivedirectories_1m
    2. RAFT
    3. Robots Disallowed
    4. github.com/six2dez/OneListForAll
    5. jhadix/content_discovery_all.txt
  7. Other
    1. Use Technology <=> Host Mappings from assetnote.io
      • adobe_experience_manager <=> assetnote/httparchive_adobe_experience_manager
      • apache <=> assetnote/httparchive_apache
      • cherrypy <=> assetnote/httparchive_cherrypy
      • coldfusion <=> assetnote/httparchive_coldfusion
      • django <=> assetnote/httparchive_django
      • express <=> assetnote/httparchive_express
      • flask <=> assetnote/httparchive_flask
      • laravel <=> assetnote/httparchive_laravel
      • nginx <=> assetnote/httparchive_nginx
      • rails <=> assetnote/httparchive_rails
      • spring <=> assetnote/httparchive_spring
      • symfony <=> assetnote/httparchive_symfony
      • tomcat <=> assetnote/httparchive_tomcat
      • yii <=> assetnote/httparchive_yii
      • zend <=> assetnote/httparchive_zend
  8. OSS (Open Source Software) / PAID / COTS (Commercial Off The Shelf)
  9. If the app is open source, you can use the source code to find endpoints
    1. You can use Source2URL
  10. PAID / COTS (Commercial Off The Shelf)
    1. Download a Demo version of the software
  11. Custom
  12. use Scavneger to generate custom wordlists from burp history
  13. Historical
  14. echo bugcrowd.com | gau | wordlistgen | sort -u > wordlist.txt
  15. Recursive
  16. Do recursion on 401 and 403 pages, and then do content discovery on the new pages
  17. Mobile APIs
  18. Scan APK file for URIs, endpoints & secrets. apkleaks
  19. Change Detection
  20. subscribe to the newsletter of the target
  21. conferences / events / webinars from the targets
  22. Monitor the target's social media accounts
  23. change detection

Questions to Ask Yourself when Doing Content Discovery

  1. How does the app pass data?
  2. resource?parameter=value&parameter2=value2
  3. Method /route/resource/subresource/parameter
  4. How/Where does the app talk about the users? understand how are the users referenced in the app and where
  5. where?
    1. cookies
    2. API Calls
    3. Headers
  6. How?
    1. UID
    2. UUID
    3. email
    4. username
  7. Does the site have multi-tenancy or user levels?
  8. admin
  9. user
  10. guest
  11. Does the site has a unique threat model?
  12. Is it a bank, hospital, streaming service, …?
  13. You need to test for special api keys, tokens, …
  14. Has there past security research and vuln?
  15. check hackerone, bugcrowd, …
  16. How the app handles these:
  17. XSS
  18. CSRF
  19. Code Injection (SQLi,Template, RCE, noSQL, …)

  20. Spider using Burp Suite or OWASP ZAP or Hakrawler or Gospider

  21. Extact links and parse js and spider and inline javascript
  22. Using xnLinkFinderxnLinkFinder -i tesla.com -d 2 -sp https://tesla.com -o tesla.txt
  23. Using GAP Burp Extension
  24. Check for oudated js libraries using RetireJS in Burp Suite

Heat Mapping / Content Discovery

  1. Upload functions
  2. Integrations (From 3rd party)
    1. XSS
  3. Self Uploads
    1. XML Based (Docs, PDFs, …)
      1. SSRF, XSS
    2. Image Based (JPG, PNG, …)
      1. Shell, XSS
        1. Name
        2. Binary Header
        3. Metadata
  4. Where is data stored?
    1. S3 Permissions
  5. Content Types
  6. Look for multipart-forms
  7. Look for JSON
  8. Look for XML
  9. API
  10. GraphQL
  11. REST / Methods
  12. Account Section
  13. Profile
    1. Stored XSS
  14. App Custom Fields
  15. Integrations
    1. SSRF, XSS
  16. Errors

Parameter Analysis

feroxbuster -u http://localhost:3000/#/ --extract-links -o links.txt --filter-status 404 500 --rate-limit 100 --scan-limit 1 -t 10 --random-agent

curl $TARGET/favicon.ico | md5sum
  • Check /robots.txt
  • Check /sitemap.xml
  • Check HTTP headers
  • Use google dorks
  • site: target.com
    • inrul:admin
    • filetype:pdf
    • intitle:admin
  • Check https://archive.org/web/
  • Check Github / Gitlab / Bitbucket
  • Search in target tab in Burp Suite for words like: path, link, …

Get S3 Buckets

slurp domain -t booking.com

# TODO: check s3 workflow
# also check this https://github.com/nikhil1232/Bucket-Flaws

Add All Live Domains to Burpsuite

cat subdomains-live.txt | xargs -P 10 -I {} curl -k -x http://localhost:8080 {} -o /dev/null

Get IPs, PORTS, and Services

Get Broken Social Links

socialhunter -f subdomains-live.txt -w 10 > sociallinks-hunting.txt

Vulnerabilities Scanning

XSS Scanning

# Find XSS vulnerabilities using XSSHunter
xsshunter -u $TARGET

SQL Injection

# Test for SQL injection vulnerabilities using SQLMap
sqlmap -u $TARGET

XXE Injection

# Test for XXE vulnerabilities using XXEInjector
xxeinjector $TARGET

SSRF Injection

# Detect SSRF vulnerabilities using SSRFDetector
ssrfdetector $TARGET

Git Repository Scanning

# Scan for Git repositories using GitTools
gitdumper $TARGET
# Find secrets in Git repositories using gitallsecrets
gitallsecrets -u $TARGET

Race Condition Testing

# Test for race conditions using RaceTheWeb
racetheweb $TARGET

CORS Vulnerability Testing

# Test for CORS vulnerabilities using CORStest
corstest $TARGET

Parameter Tampering

# Test for parameter tampering vulnerabilities using parameth
parameth -u $TARGET

Local File Inclusion / Directory Traversal

ffuf -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt -u http://10.10.41.192/playground.php?file=FUZZ -fr Failed

files we are intersted to see

/etc/issue contains a message or system identification to be printed before the login prompt.
/etc/profile controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived
/proc/version specifies the version of the Linux kernel
/etc/passwd has all registered user that has access to a system
/etc/shadow contains information about the system's users' passwords
/root/.bash_history contains the history commands for root user
/var/log/dmessage contains global system messages, including the messages that are logged during system startup

Core symbols most depended-on inside this repo

run
called by 75
archive/scripts/xploit_installer.py
printGood
called by 50
archive/scripts/xploit_installer.py
printMinus
called by 34
guide/enumeration/tools/remoterecon.py
printInBox
called by 34
guide/enumeration/tools/remoterecon.py
printMinus
called by 34
archive/enumeration/tools/remoterecon.py
printInBox
called by 34
archive/enumeration/tools/remoterecon.py
writeToFile
called by 33
guide/enumeration/tools/remoterecon.py
writeToFile
called by 33
archive/enumeration/tools/remoterecon.py

Shape

Function 426
Class 22
Method 16

Languages

Python90%
C9%
Java1%

Modules by API surface

archive/scripts/string_decode.py123 symbols
archive/scripts/xploit_installer.py82 symbols
guide/enumeration/tools/remoterecon.py30 symbols
archive/enumeration/tools/remoterecon.py30 symbols
archive/social_engineering/tools/scythe/scythe.py26 symbols
archive/scripts/cred_check.py25 symbols
archive/exploitation/openfuck.c24 symbols
guide/enumeration/tools/reconscan.py17 symbols
archive/enumeration/tools/reconscan.py17 symbols
archive/exploitation/trans2open.c16 symbols
archive/scripts/hash_check.py15 symbols
guide/enumeration/tools/recon_scan/reconscan.py11 symbols

For agents

$ claude mcp add Penetration-Testing-Study-Notes \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact