Penetration Testing Study Notes

Penetration Testing notes, resources and scripts

514
163
Python

Pentesting - Everything, Everywhere, All In One Place

This is a collection of all the commands and tools I use for pentesting. I will try to keep it updated as much as possible.

If you liked the old content, you can find it in the archive folder.

Bug Hunting Roadmap

  • [ ] Grab all the in-scope urls
  • [ ] Subdomain enumeration for everyone of them
  • [ ] Get live subdomains
  • [ ] Check for subdomain takeover
  • [ ] Screenshot all the live domains
  • [ ] Network
    • [ ] Open Ports / Services
  • [ ] Content Discovery
    • [ ] Framework
    • [ ] Favicon
    • [ ] Directories
    • [ ] URLs
    • [ ] S3 Buckets
    • [ ] JS files
    • [ ] Broken Social Links
    • [ ] GIT Repositories
  • [ ] Vulnerability Scanning
    • [ ] XSS Scanning
    • [ ] SQL Injection
    • [ ] XXE Injection
    • [ ] SSRF Injection
    • [ ] Race Condition Testing
    • [ ] CORS Vulnerability Testing
    • [ ] Parameter Tampering
    • [ ] Local File Inclusion / Directory Traversal
    • [ ] IDOR

Table of Contents

Preparation

export TARGET="target.com"
mkdir $TARGET
cd $TARGET
mkdir screenshots
export VT_APIKEY=<YourAPIKEY>

Reconnaissance

Subdomain Enumeration


subfinder -d $TARGET -o subdomains_1.txt

findomain -t $TARGET -q > subdomains_2.txt

sublist3r -d $TARGET -t 3 -n -o subdomains_3.txt

gobuster vhost --no-color --append-domain -q -t 50 -u http://$TARGET -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o raw_subdomains_4.txt

grep -oE 'Found: [^ ]+' raw_subdomains_4.txt | awk '{print $2}' > subdomains_4.txt

cat subdomains*.txt | sort | uniq > subdomains.txt

cat subdomains.txt| wc -l

# Go to
# https://chaos.projectdiscovery.io/#/
# to get all the subdomains for a program

## Check https://dnsdumpster.com/ it has nice graph

Get live subdomains

~/go/bin/httpx -l subdomains.txt -o subdomains-live.txt

cat subdomains-live.txt | wc -l

Subdomain Takeover

AWS Subdomain Takeover Steps

  1. Check for “bucket does not exist” messages on the subdomain.
  2. Determine the original bucket’s region.
  3. Create a new bucket in the same region with the subdomain’s name.
  4. Upload and set ‘index.html’ to public access.
  5. Configure the bucket for static file hosting.

Automating Subdomain Takeover

subzy run --targets subdomains.txt --timeout 20 --output subdomain_subzy.txt
subjack -w subdomains.txt -t 100 -timeout 30 -o subdomain_subjack.txt -ssl

Get Screenshots of the live subdomians

eyewitness -f subdomains-live.txt --web -d screenshots --timeout 100 --delay 10 --proxy-ip 127.0.0.1 --proxy-port 8080

# or

cat subdomains-live.txt | aquatone --out screenshots -scan-timeout 900 -chrome-path /usr/bin/chromium

Port Scanning

naabu -iL subdomains-live.txt -silent -exclude-cdn -top-ports 1000 -o ports.txt

Content Discovery

  1. Based on Tech
  2. COTS / PAID / OSS
  3. Custom
  4. Historical
  5. Recursive
  6. Mobile APIs
  7. Change Detection

Content Discovery Lists

  • Download the lists from here

wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH -e robots=off

  1. Tech
    1. IIS / MSF
      1. assetnote/httparchiveaspx_asp_cfm_svc_ashx_asmx
      2. IIS Shortname Scanner
    2. PHP + CGI
      1. assetnote/httparchive_cgi_pl
      2. assetnote/httparchive_php
    3. General API
      1. assetnote/httparchiveapiroutes
      2. assetnote/swagger-wordlist
      3. seclists/Discovery/Web-Content/api/api-endpoints.txt
    4. Java
      1. assetnote/httparchive_jsp_jspa_do_action
    5. Generic
      1. assetnote/httparchivedirectories_1m
      2. RAFT
      3. Robots Disallowed
      4. github.com/six2dez/OneListForAll
      5. jhadix/content_discovery_all.txt
    6. Other
      1. Use Technology <=> Host Mappings from assetnote.io
        • adobe_experience_manager <=> assetnote/httparchive_adobe_experience_manager
        • apache <=> assetnote/httparchive_apache
        • cherrypy <=> assetnote/httparchive_cherrypy
        • coldfusion <=> assetnote/httparchive_coldfusion
        • django <=> assetnote/httparchive_django
        • express <=> assetnote/httparchive_express
        • flask <=> assetnote/httparchive_flask
        • laravel <=> assetnote/httparchive_laravel
        • nginx <=> assetnote/httparchive_nginx
        • rails <=> assetnote/httparchive_rails
        • spring <=> assetnote/httparchive_spring
        • symfony <=> assetnote/httparchive_symfony
        • tomcat <=> assetnote/httparchive_tomcat
        • yii <=> assetnote/httparchive_yii
        • zend <=> assetnote/httparchive_zend
  2. OSS (Open Source Software) / PAID / COTS (Commercial Off The Shelf)
    1. If the app is open source, you can use the source code to find endpoints
      1. You can use Source2URL
    2. PAID / COTS (Commercial Off The Shelf)
      1. Download a Demo version of the software
  3. Custom
    1. use Scavneger to generate custom wordlists from burp history
  4. Historical
    1. echo bugcrowd.com | gau | wordlistgen | sort -u > wordlist.txt
  5. Recursive
    1. Do recursion on 401 and 403 pages, and then do content discovery on the new pages
  6. Mobile APIs
    1. Scan APK file for URIs, endpoints & secrets. apkleaks
  7. Change Detection
    1. subscribe to the newsletter of the target
    2. conferences / events / webinars from the targets
    3. Monitor the target’s social media accounts
    4. change detection

Questions to ask yourself when doing content discovery

  1. How does the app pass data?
    1. resource?parameter=value&parameter2=value2
    2. Method /route/resource/subresource/parameter
  2. How/Where does the app talk about the users? understand how are the users referenced in the app and where
    1. where?
      1. cookies
      2. API Calls
      3. Headers
    2. How?
      1. UID
      2. UUID
      3. email
      4. username
  3. Does the site have multi-tenancy or user levels?
    1. admin
    2. user
    3. guest
  4. Does the site has a unique threat model?
    1. Is it a bank, hospital, streaming service, …?
    2. You need to test for special api keys, tokens, …
  5. Has there past security research and vuln?
    1. check hackerone, bugcrowd, …
  6. How the app handles these:
    1. XSS
    2. CSRF
    3. Code Injection (SQLi,Template, RCE, noSQL, …)
  • Spider using Burp Suite or OWASP ZAP or Hakrawler or Gospider

  • Extact links and parse js and spider and inline javascript

    • Using xnLinkFinderxnLinkFinder -i tesla.com -d 2 -sp https://tesla.com -o tesla.txt
    • Using GAP Burp Extension
  • Check for oudated js libraries using RetireJS in Burp Suite

Heat Mapping / Content Discovery

  1. Upload functions
    1. Integrations (From 3rd party)
      1. XSS
    2. Self Uploads
      1. XML Based (Docs, PDFs, …)
        1. SSRF, XSS
      2. Image Based (JPG, PNG, …)
        1. Shell, XSS
          1. Name
          2. Binary Header
          3. Metadata
    3. Where is data stored?
      1. S3 Permissions
  2. Content Types
    1. Look for multipart-forms
    2. Look for JSON
    3. Look for XML
  3. API
    1. GraphQL
    2. REST / Methods
  4. Account Section
    1. Profile
      1. Stored XSS
    2. App Custom Fields
    3. Integrations
      1. SSRF, XSS
  5. Errors

Parameter Analysis

feroxbuster -u http://localhost:3000/#/ --extract-links -o links.txt --filter-status 404 500 --rate-limit 100 --scan-limit 1 -t 10 --random-agent

curl $TARGET/favicon.ico | md5sum
  • Check /robots.txt

  • Check /sitemap.xml

  • Check HTTP headers

  • Use google dorks

    • site: target.com
      • inrul:admin
      • filetype:pdf
      • intitle:admin
  • Check https://archive.org/web/

  • Check Github / Gitlab / Bitbucket

  • Search in target tab in Burp Suite for words like: path, link, …

Get S3 buckets

slurp domain -t booking.com

# TODO: check s3 workflow
# also check this https://github.com/nikhil1232/Bucket-Flaws

Add all live domains to burpsuite

cat subdomains-live.txt | xargs -P 10 -I {} curl -k -x http://localhost:8080 {} -o /dev/null

Get IPs, PORTS, and Services

Get Broken social links

socialhunter -f subdomains-live.txt -w 10 > sociallinks-hunting.txt

Vulnerabilities Scanning

XSS Scanning

# Find XSS vulnerabilities using XSSHunter
xsshunter -u $TARGET

SQL Injection

# Test for SQL injection vulnerabilities using SQLMap
sqlmap -u $TARGET

XXE Injection

# Test for XXE vulnerabilities using XXEInjector
xxeinjector $TARGET

SSRF Injection

# Detect SSRF vulnerabilities using SSRFDetector
ssrfdetector $TARGET

Git Repository Scanning

# Scan for Git repositories using GitTools
gitdumper $TARGET
# Find secrets in Git repositories using gitallsecrets
gitallsecrets -u $TARGET

Race Condition Testing

# Test for race conditions using RaceTheWeb
racetheweb $TARGET

CORS Vulnerability Testing

# Test for CORS vulnerabilities using CORStest
corstest $TARGET

Parameter Tampering

# Test for parameter tampering vulnerabilities using parameth
parameth -u $TARGET

Local File Inclusion / Directory Traversal

ffuf -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt -u http://10.10.41.192/playground.php?file=FUZZ -fr Failed

files we are intersted to see

/etc/issue contains a message or system identification to be printed before the login prompt.
/etc/profile controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived
/proc/version specifies the version of the Linux kernel
/etc/passwd has all registered user that has access to a system
/etc/shadow contains information about the system’s users’ passwords
/root/.bash_history contains the history commands for root user
/var/log/dmessage contains global system messages, including the messages that are logged during system startup
/var/mail/root all emails for root user
/root/.ssh/id_rsa Private SSH keys for a root or any known valid user on the server
/var/log/apache2/access.log the accessed requests for Apache  webserver
C:\boot.ini contains the boot options for computers with BIOS firmware

IDOR

What is an IDOR?

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.

This type of vulnerability can occur when a web server receives user-supplied input to retrieve objects (files, data, documents), too much trust has been placed on the input data, and it is not validated on the server-side to confirm the requested object belongs to the user requesting it.

  • you should check prarameters like /?userId=123
    • it can be hashed
    • it can be encoded
    • if it’s unpredictable like uuid, you should create 2 accounts and try to swap their ids and see if you can access each other’s private content like profiles

Tips and Tricks

Start a local server to serve local files in a directory


python3 -m http.server 8000

Listen to a local port

nc -nlvp 9001

Online Tools

References