# Reconnaissance

## Search Engine

```
https://binsearch.info/      | Usenet binary file search
https://duckduckgo.com/      | Supports search syntax
https://web.archive.org/     | Archived copies of web sites
https://www.shodan.io/
https://search.censys.io/
```

### Search Syntax

```
(work)
Phone Number | 身分證號 (national ID number)
0900..0999 100001..999999
site:domain intext:"身分證號" | "護照號*"
---------------------------
Password Files
filetype:txt | filetype:log | filetype:xls | filetype:csv intext:"密碼" | intext:"password"
"password" ext:log | ext:txt | ext:ini | ext:cfg
---------------------------
Login Page
site:domain inurl:login | inurl:admin | inurl:signin
---------------------------
Sensitive Files
intitle:index of /etc/ssh
site:gov.tw ext:zip | ext:rar | ext:tar | ext:gz | ext:bak | ext:old | ext:swp | ext:log | ext:txt | ext:cfg | ext:conf
---------------------------
intitle:"index of" "parent directory"
site:gov.tw inurl:"wsdl" | inurl:"api"
```

# Enumerating & Scanning

## Web Techniques

Linux tools

```
# whatweb
whatweb $TARGET_DOMAIN
whatweb $TARGET_IP
```

Online

https://sitereport.netcraft.com/

## Web Application Scanner

```
# nikto
nikto -h $TARGET_DOMAIN
nikto -h $TARGET_IP
nikto -h $TARGET_IP -usecookies $COOKIES
```

```
# nuclei
sudo apt update
sudo apt install golang-go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# or
sudo apt install nuclei

nuclei -target https://$TARGET_DOMAIN
```

## CMS Scanner

1. CMS version check

   https://github.com/Tuhinshubhra/CMSeeK (not verified yet)

   ```
   git clone https://github.com/Tuhinshubhra/CMSeeK
   cd CMSeeK
   pip3 install -r requirements.txt

   # guided scanning
   python3 cmseek.py
   # direct scan of one host
   python3 cmseek.py -u example.com
   ```

2. WordPress scanner

   ```
   wpscan --url internal.thm/wordpress/
   ```

3. joomscan scanner (not verified yet)

   https://github.com/OWASP/joomscan

## Sub Domain Enumeration

### DNS (Domain Name)

```
dnsenum --enum $TARGET_DOMAIN -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
```

### HTTP Host Header (IP)

![image](https://hackmd.io/_uploads/HJFzi4IdA.png)

```
# wfuzz
wfuzz -u http://$TARGET_IP -H "Host: FUZZ.$TARGET_DOMAIN" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 26
```

--hw: hide responses with the specified word count (here 26, the word count of the default response), so only virtual hosts that answer differently are listed.

## Directories

```
# feroxbuster
feroxbuster -u http://$TARGET_DOMAIN -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
feroxbuster -u https://$TARGET_DOMAIN -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
```

# Initial Setting

```
# Victim machines
TARGET_IP=10.10.165.130
TARGET_DOMAIN='XXXXXXX'

## Kali IP
# Normal user
echo "export TARGET_IP=10.10.10.189" >> ~/.zshrc
source ~/.zshrc

# Privileged user
sudo -s
echo "export TARGET_IP=10.10.10.189" >> /root/.zshrc
source /root/.zshrc

## Kali domain
echo "export TARGET_DOMAIN=travel.htb" >> ~/.zshrc
source ~/.zshrc

sudo -s
echo "export TARGET_DOMAIN=travel.htb" >> /root/.zshrc
source /root/.zshrc
-----------------------
# Attack machine
ATTACKER_INTERFACE="tun0"
ATTACKER_IP=$(ip addr show $ATTACKER_INTERFACE | awk '/inet / {print $2}' | cut -d '/' -f 1)
```

## Domain Info

```
whois $TARGET_DOMAIN
nslookup $TARGET_DOMAIN
```

## WAF Detection

https://github.com/EnableSecurity/wafw00f

```
wafw00f http://$TARGET_IP
wafw00f http://$TARGET_DOMAIN
wafw00f
```

## Nmap Scanning

### Simple Scanning

```
TARGET_IP=10.10.89.220
nmap -Pn -p- $TARGET_IP --min-rate 10000
nmap -p80 -sC -sV -Pn $TARGET_IP --min-rate 10000
```

--min-rate 10000 -> send at least 10000 packets per second

### Complex Scanning

```sh
#!/bin/sh
echo "
##################################################
#                                                #
#  MeowHecker is a cat.  ^O^                     #
#                                                #
##################################################
"
echo "Host Discovery"
# ARP ping (LAN only) plus TCP SYN ping, no port scan
nmap -PR -PS -sn --reason -T4 $TARGET_IP
echo "----------------------------------------------------------------------------------------------------"
echo "Scanning All Ports"
# Collect the open ports as a comma-separated list, e.g. 22,80,443
TARGET_OPEN_PORTS=$(nmap -Pn --min-rate 10000 -p- $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ && $2 == "open" {print $1}' | cut -d "/" -f 1 | paste -sd ",")
echo "(ALL - port): $TARGET_OPEN_PORTS"
echo "----------------------------------------------------------------------------------------------------"
if [ -z "$TARGET_OPEN_PORTS" ]; then
    echo "No open ports found"
    exit 0
fi
echo "Identifying Services & Operating System & NSE Scanning"
nmap -sT -Pn -p "$TARGET_OPEN_PORTS" -sV -sC $TARGET_IP
echo "END"
```

Adding the domain name to the local hosts file

```bash
TARGET_DOMAIN='RetroWeb'
# /etc/hosts is root-owned, so append through sudo tee
echo "$TARGET_IP $TARGET_DOMAIN" | sudo tee -a /etc/hosts
echo "Check"
tail -n 1 /etc/hosts
```

GoTo : [Active Recon](/jZSjYlEESIWbdjKtVTfDAg)

# Network Services Pentesting

GoTo : [Network Service penetration](/FyQUFaZYRKyLSwYhTAvALg)

- Name:
- Version:
- Existing CVE?

# Testing Network Infrastructure Configuration

## Known Server Vulnerabilities

## Administrator Tools

# WEB Vuln Identification / Exploitation

## OWASP (WSTG)

https://github.com/OWASP/wstg/tree/master/document/4-Web_Application_Security_Testing

- Information Gathering
  - Web site technique
  - Web site meta file
  - Web content
  - Host service?
  - Virtual host scanning?
- Configuration and Deployment Management Testing
  - Web site configuration file
  - Extension name?
  - Backup file
  - HTTP method
  - Cloud storage
- Identity Management Testing
  - Register mechanism
  - Account enumeration
- Authentication Testing
  - Default password? (Wifi?)
  - Account lock?
  - Authentication flawed?
  - Password reset mechanism
- Authorization Testing
  - File include
  - Access control (failure)
  - Privilege escalation
  - IDOR
- Session Management Testing
- Input Validation Testing
  - XSS
  - SQLI
  - Command injection
- Testing for Error Handling
  - Leak information by error message
- Testing for Weak Cryptography
- Business Logic Testing
  - Logic flaw
  - System handle time
  - Work flow bypass
  - File upload
- Client-side Testing
- API Testing

.dll, .exe, .elf ------> Reverse it!

DB credential / API key: look for configuration files and their leftover copies

```
a.config
a.config.1
a.config.bak
a.config.20241129
```

Save Data -> External Systems (Cloud): information leak! (Access control failure!)

GoTo : [Web penetration](/HeqpRWIdTiuZ0IzLr2oDlA)

**1. Mapping Website Structure**

- SiteMap
- Dynamic Parameters /Fuzz/

Browsing the website

1. Support page -> **Find a valid account** (Important)
2. Find the login page
3. Register page -> **Register an account** (Important)
4. Forgot password (before we test it, we need an account we control)
5. Upload page
6. Embedding page -> XSS / SSTI
7. Query pages -> XSS / SQL, LDAP injection

**2. Fuzzing**

naughty strings -> trigger unexpected behavior

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/big-list-of-naughty-strings.txt

**Common Web Vulns**

1. Authentication Bypass
2. XSS, CSRF
3. SQLI
4. File Upload
5. File Download
6. SSRF?
7. SSTI?
8. Hidden API?
9. XXE?
10. Can the website be written to via NFS/SMB?

**Flows**

- Identify flawed design
- Confirm defense mechanisms
- Bypass defense mechanisms

**Filter Bypass**

1. Path Traversal
2. Obfuscate (Encoding)
3. Upper and Lower Case (Windows)

**RCE / Lateral Movement**

GoTo : [Lateral Movement & Reverse Shell](/vyVONxxDSS-v8IQf5NLLwA)

# Privilege Escalation

GoTo : [Linux Privilege Escalation - Cheat Sheet](/bacm0UUcSQa-wD1Yw-J9MA)

GoTo : [Windows Privilege Escalation - Cheat Sheet](/F1Ec_YkdTo20hkQYnjRSAw)

---

# Fast Links Area

[Remote Brute Force Login](/ngZz3rf5QMyfW_8cIGJHKw)

[Password/HASH/Encoder](/y7G9q6TBRmCujlS92M8VTQ)

[Lateral Movement & Reverse Shell](/vyVONxxDSS-v8IQf5NLLwA)

[Active Directory - Cheat Sheet](/dyb7O0UFTW6tVtIubN8YVw)

[Metasploit - Cheat Sheet](/DLNUVZmGQ02itjSd3AUppQ)

[Linux Command - Cheat Sheet](/gKwYHiazSoG597IPbFH6tw)

[Windows Command - Cheat Sheet](/-f8j2LgtQRORLXqBiYnJ5g)

# Recover The File

## file.dat (FTVT)

File header (magic bytes)

![image](https://hackmd.io/_uploads/HJAXsA2e1g.png)

Google -> FTVT -> Video!

Analyse the file metadata

```
sudo apt-get install mediainfo
mediainfo file.dat
```

Recovering

```
mv 00000000.dat 00000000.264
```

![image](https://hackmd.io/_uploads/BkrfhRngJl.png)

```
mkvmerge -o output.mkv 00000000.264
vlc output.mkv
# Works!
```

An H.264 video file (.264) is usually a raw elementary stream: it carries none of the extra information that a standard container format (such as MP4 or MKV) provides. Wrapping it in a standard container (for example MKV or MP4) lets most players recognise and play the file.

<!-- meow
Testing Flows

1. Cryptographic Failures
Google Hacking -> site:nhi.gov.tw national ID number; masked -> download, or open in a new tab; if it is a PDF -> copy the image out of Adobe Reader and open it in Paint

2. Identification and Authentication Failures
1qaz@WSX a12345/a12345
Google Hacking -> system manuals; log in with the default password, or find the account naming convention and log in the same way
Information gathering -> guess passwords; organisation codes or system identifiers can be used to guess credentials; also check the password policy
Some sites use JS to send the parameters
Reset Password -> a Python script can be written to enumerate

3. Injection
Directory scanning (no WAF) + injection
Discover hidden admin backends (Google Hacking -> backend) + injection
X-Forward-For XSS
Upload UDP -> insert XSS payload ||||| https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf
Profile XSS
php: autologin -> XSS

4. Broken Access Control
Google Hacking: arbitrary download; ViewCase?n / Download parameter -> web config | when a site passes the file name as a parameter in some odd encoding, it is worth trying | =jcBmd2^rh4FyuN4xdROqa]\${A}$
Directory scan: ckfinder/ckfinder.html
Sometimes there are IDOR issues after login; a script can enumerate ID numbers or identifiers to retrieve personal data
Sometimes after uploading a file you can right-click to view the image path, then guess likely file names (IDOR)

5. Security Misconfiguration
Directory scanning / aspx,jsp,php,html.rar.7zip,tar.gz,gz.zip,bak,pdf | db.tar.gz | /web.zip
Modify parameter | ASP.NET: webaid
Upload parameter -> modify extension -> jpg to txt,html -> XSS | SSTI

6. Vulnerable and Outdated Components
PHP CGI -> RCE

# Public Exploit DB
packetstorm https://packetstormsecurity.com/search/?q=exploit
exploit-db https://www.exploit-db.com/
Rapid7 https://www.rapid7.com/db/
GitHub https://github.com/search?q=POC&ref=simplesearch
NVD https://nvd.nist.gov/vuln/full-listing
-->

<!--
Enumerate
[Nmap](/IQ0X0dEjQb2MlYNWltGiyQ)

Check permission
[AccessChk](/eG8iTjXCRimYh0Hh1UEcxQ)

Vulnerability scanner
[Nessus](/g7wmgc2HSeaLxr7CjtMu-g)

PWN
[spike](/vbjUdZ9uSA2mEdCCgLQCiw)
[mona](/4foU8SD3R661QFbsRx9dPQ)

web

USB
[Hak5](/jIA0ERyJRDKX9vJwKlq4XQ)

MITM (Man in the middle attack)
>[responder](/Uq2Bd8I3THKo7TzgEOOSiQ)
LLMNR, NBT-NS and MDNS poisoner; HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2

Capture packet
[tcpdump](/kfifQDlrRCCKhDLpB47RbQ)
[wireshark](/eIhUKz8GQhq14lgoJJv1Xg)

Decryption (local)
[john](/kt8t2zU4Shqc9OUVZywoIw)
[Hashcat](/1_bS2IjFSmuMbhWA98szbA)

(Remote) Service password crack

McAfee
McAfee is anti-virus software. Decryption -> ma.db (configuration file) -> Agent_repository -> Password

Tools Develop
[netcat](/cf6LLDnNRCGAF9C9rdgnRw)

[Cheat sheet (web links)](/QNXBbZJgSImS28EKbjs5Sw)
-->

Owner: 侯智晟
Email: meowheckerouo@gmail.com
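For the file-recovery section above (renaming a raw `.dat` to `.264` before wrapping it in MKV), here is an added example that is not part of the original cheat sheet: it decides whether an unknown blob is an H.264 Annex B elementary stream by scanning for NAL start codes rather than a container magic, and lists the NAL unit types it finds. The sample bytes are constructed for the demo; the file path argument is optional.

```python
# Added example, not from the original cheat sheet: recognise a raw H.264
# Annex B elementary stream (the ".264" case above) by its NAL start codes.
# A bare .264 file has no container header (no MP4 'ftyp' box, no MKV EBML
# magic); it is a sequence of NAL units, each preceded by 00 00 01 or 00 00 00 01.
import sys
from typing import List, Tuple

# nal_unit_type values from ITU-T H.264 table 7-1 (subset)
NAL_NAMES = {1: "non-IDR slice", 5: "IDR slice", 6: "SEI", 7: "SPS", 8: "PPS", 9: "AUD"}

START_CODE = b"\x00\x00\x01"  # a 4-byte 00 00 00 01 start code ends with this too


def find_nal_units(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset of NAL header byte, nal_unit_type) for every start code."""
    units = []
    pos = data.find(START_CODE)
    while pos != -1 and pos + 3 < len(data):
        header = data[pos + 3]
        if header >> 7 == 0:          # forbidden_zero_bit must be 0 in a valid header
            units.append((pos + 3, header & 0x1F))
        pos = data.find(START_CODE, pos + 3)
    return units


def looks_like_h264(data: bytes) -> bool:
    """Raw stream heuristic: starts with a start code and carries SPS, PPS and a slice."""
    if not data.startswith((b"\x00\x00\x01", b"\x00\x00\x00\x01")):
        return False
    types = {t for _, t in find_nal_units(data)}
    return {7, 8} <= types and bool(types & {1, 5})


def describe(data: bytes) -> List[str]:
    """Human-readable NAL list, e.g. ['SPS', 'PPS', 'IDR slice']."""
    return [NAL_NAMES.get(t, f"type {t}") for _, t in find_nal_units(data)]


# Constructed sample: SPS, PPS, one IDR slice and one non-IDR slice with dummy payloads.
SAMPLE = (
    b"\x00\x00\x00\x01\x67\x42\x00\x1e"   # 0x67 -> nal_ref_idc 3, type 7 (SPS)
    + b"\x00\x00\x00\x01\x68\xce\x38\x80"  # 0x68 -> type 8 (PPS)
    + b"\x00\x00\x01\x65\x88\x84\x00"      # 0x65 -> type 5 (IDR slice)
    + b"\x00\x00\x01\x41\x9a\x00"          # 0x41 -> type 1 (non-IDR slice)
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("H.264 Annex B stream:", looks_like_h264(blob))
    print("NAL units:", describe(blob))
```

Run it as `python3 h264check.py 00000000.dat`; a file that reports SPS and PPS followed by slices is the raw-stream case where `mkvmerge` wrapping applies, while an MP4 or MKV file fails the start-code check.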