系統與網站滲透測試參考連結整理及勘誤

# 第一天 * P.1-11：延伸學習 * OSCP認證(PEN-200) (連結重新導向至新連結) https://www.offsec.com/courses/pen-200/ > 其他補充 > * [我們與 OSCP 的距離](https://tech-blog.cymetrics.io/posts/crystal/oscp-review/) > * [資安學習的從零到OSCP](https://peterkan.tw/2024/06/15/how-to-learn-cybersec/) > * [OSCP Guide](https://youtube.com/playlist?list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x&si=d1JRlRTYgoGMicxq) > * [OSCP](https://www.youtube.com/playlist?list=PLT08J44ErMmb9qaEeTYl5diQW6jWVHCR2) > * [Lainkusanagi OSCP Like](https://docs.google.com/spreadsheets/d/18weuz_Eeynr6sXFQ87Cd5F0slOj9Z6rt/edit?gid=487240997#gid=487240997) ## 第一單元：滲透測試簡介 * P.1-15：滲透測試標準 * OWASP WSTG(Web Security Testing Guide) https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf (補充：最新版v4.2) https://owasp.org/www-project-web-security-testing-guide/ * OSSTMM(Open Source Security Testing Methodology Manual) https://www.isecom.org/OSSTMM.3.pdf * CWE(Common Weakness Enumeration) https://cwe.mitre.org/ (補充：CWE TOP 25) https://www.sans.org/top25-software-errors/ ## 第二單元：資料蒐集 * P.1-38：被動蒐集 * Passive Reconnaissance https://www.sciencedirect.com/topics/computer-science/passive-reconnaissance * P.1-39：Google Hacking * Exploi-db GHDB https://www.exploit-db.com/google-hacking-database * P.1-43：theHarvester * https://github.com/laramies/theHarvester * P.1-45：Shodan(1/3) * https://www.shodan.io/ * P.1-46：Shodan(2/3) * https://www.shodan.io/search/filters * ...thedarksource... ==(此連結防毒軟體會警告有問題)== * P.1-48：Censys(1/2) * https://censys.io/ * P.1-50：OSINT * Awesome OSINT https://github.com/jivoi/awesome-osint * P.1-51：OSINT(2/2) * Recon with Me https://dhiyaneshgeek.github.io/bug/bounty/2020/02/06/recon-with-me/ * P.1-52：Greynoise * https://greynoise.io * P.1-54：hunter * https://hunter.io * P.1-58：publicwww * https://publicwww.com * P.1-60：searchcode * https://searchcode.com ## 第三單元：網路、主機及網站掃描 * P.1-66：Nmap advanced parameter * nmaptocsv https://github.com/maaaaz/nmaptocsv * P.1-69：Masscan * https://github.com/robertdavidgraham/masscan * P.1-71：Ffuf * Ffuf https://github.com/ffuf/ffuf * HTTP Status Code https://developer.mozilla.org/zh-TW/docs/Web/HTTP/Status * P.1-73：gobuster * https://github.com/OJ/gobuster * P.1-79：Nikto * https://github.com/sullo/nikto * https://cirt.net/Nikto2 * 知乎 - Web漏洞扫描神器Nikto使用指南 https://zhuanlan.zhihu.com/p/124246499 * p.1-81：Nessus * Network Vulnerability Scanners https://github.com/enaqx/awesome-pentest?tab=readme-ov-file#network-vulnerability-scanners # 第二天 ## 第四單元：弱點利用 * P.2-15：SQL Injection(11/41) * Blind SQL Injection https://owasp.org/www-community/attacks/Blind_SQL_Injection * P.2-20：SQL Injection(16/41) * SQL injection cheat sheet https://portswigger.net/web-security/sql-injection/cheat-sheet * P.2-22：SQL Injection(18/41) * ==(連結失效)== https://www.acunetix.com/wp-content/uploads/2021/03/sql-injection-cheat-sheet.pdf **(更正連結)** https://cdn.acunetix.com/wp_content/uploads/2021/03/sql-injection-cheat-sheet.pdf * P.2-23：SQL Injection(19/41) * MySQL SQL Injection Practical Cheat Sheet https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/ * Payload list參考 https://github.com/payloadbox/sql-injection-payload-list * P.2-24：SQL Injection(20/41) * SQL injection UNION attacks https://portswigger.net/web-security/sql-injection/union-attacks * ==(連結失效)== http://systw.net/note/af/sblog/more.php?id=360 SQLi UNION attack **(更正連結)** https://systw.net/note/archives/1228 * P.2-27：SQL Injection(21/41) * SQL injection UNION attack https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635 * P.2-45：SQL Injection(41/41) * sqlmap https://github.com/sqlmapproject/sqlmap * P.2-49/P.2-51：XML External Entity注入(2/8) * OWASP Top 10 2021 https://owasp.org/Top10/zh_TW/ * XML External Entity https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection * P.2-50：XML External Entity注入(3/8) * XML external entity (XXE) injection https://portswigger.net/web-security/xxe * P.2-52：XML External Entity注入(5/8) * Out-of-band SQL injection https://www.invicti.com/learn/out-of-band-sql-injection-oob-sqli/ * P.2-53：XML External Entity注入(6/8) * EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf * P.2-60：SSRF * dnsl0g服務 https://dnsl0g.net/ * P.2-79：Fuzzdb字典檔 * https://github.com/fuzzdb-project/fuzzdb * P.2-80：Keyboard walk字典檔 * https://github.com/hashcat/kwprocessor * P.2-98：跨腳本攻擊 * 10 Practical scenarios for XSS attacks https://pentest-tools.com/blog/xss-attacks-practical-scenarios/ * P.2-113：危險或過舊的元件(1/2) Log4j * 可俘虜數十億臺系統與設備！超級資安漏洞風暴正在席捲全球 https://www.ithome.com.tw/news/148753 * CVE-2021-44228 (Apache Log4j Remote Code Execution） https://github.com/roxas-tan/CVE-2021-44228 * Log4Shell POC (CVE-2021-44228) https://github.com/marcourbano/Log4Shell_PoC * Apache Log4j2 lookup feature JNDI injection (CVE-2021-44228) https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2021-44228 * P.2-114：危險或過舊的元件(2/2) * Exploit-DB https://www.exploit-db.com/ * CVE https://cve.mitre.org/ * (補充) CVE Details https://www.cvedetails.com/ * National Vulnerability Database (NVD) https://www.nist.gov/programs-projects/national-vulnerability-database-nvd # 第三天 ## 第五單元：提升權限 * P.3-39：Linux憑證截取提權 * MimiPenguin 2.0 https://github.com/huntergregal/mimipenguin * P.3-46：Linux憑證截取提權(9/9) * Hashcat * https://hashcat.net/hashcat/ * https://hashcat.net/wiki/ * Ophcrack * https://ophcrack.sourceforge.io * P.3-47：Linux binary功能與特性查詢 * GTFOBins https://gtfobins.github.io * P.3-48：Linux提升權限腳本資源參考 * LinEnum https://github.com/rebootuser/LinEnum * Linux elevation of privileges ToC https://guif.re/linuxeop * PEASS-ng https://github.com/peass-ng/PEAss-ng * Checklist - Linux Privilege Escalation https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist * Basic Linux Privilege Escalation https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ * LES https://github.com/The-Z-Labs/linux-exploit-suggester * P.3-51：Windows提升權限(2/21) * Sysinternals Suite https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite * P.3-52：Windows提升權限(3/21) * Windows PrivEsc: Weak Service Permission https://asfiyashaikh.medium.com/windows-privesc-weak-service-permission-b90f3bf4d44f * P.3-53：Windows提升權限(4/21) * windows-kernel-exploits https://github.com/SecWiki/windows-kernel-exploits * P.3-56：Windows提升權限(6/21) * Bloodhound * https://github.com/BloodHoundAD/BloodHound * https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html * P.3-59：Windows提升權限(9/21) * Mimikatz https://github.com/ParrotSec/mimikatz * P.3-63~64補充 * (參考) https://hackmd.io/@SBK6401/S1KgaEz0h * kali的samdump2是Win10 v1607之前的解法 * Win10 v1607之後，有用到AES加密，所以可以用Creddump7或impacket-secretsdump * P.3-74：Windows提權工具(2/3) * Impacket： **集合了許多處理網路協定的實現工具 (資安職能考試有考到)** https://github.com/fortra/impacket * P.3-76：Windows提權參考資源 * Windows-Exploit-Suggester ==(archived by the owner on Jul 19, 2023)== https://github.com/GDSSecurity/Windows-Exploit-Suggester * Archiving Repository 代表該專案唯讀不再更新 * Internal All The Things：Windows - Privilege Escalation (連結變更位置) https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/ * Windows elevation of privileges ToC https://guif.re/windowseop * BeRoot Project https://github.com/AlessandroZ/BeRoot * Patch Checker： **資安職能考試有考到PatchChecker的用途** https://github.com/deadjakk/patch-checker * [(補充)PatchChecker的用途](https://felo.ai/search/__nJpxxY7zB0X0hC4GXFl) * Windows Privilege Escalation Awesome Scripts https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS ## 第六單元：維持存取權限 * P.3-84：維持存取權限(6/9) * Internal All The Things：Reverse Shell Cheat Sheet (連結變更位置) https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/ * P.3-87：維持存取權限(9/9) * pentestmonkey：Reverse Shell Cheat Sheet https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet * Internal All The Things：Reverse Shell Cheat Sheet (連結變更位置) https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/ * Reverse Shell Generator ==會被某些防毒軟體擋掉== https://weibell.github.io/reverse-shell-generator/ * P.3-103：隱密的傳送資料 * dnscat2 https://github.com/iagox86/dnscat2 * iodine https://github.com/yarrick/iodine * Dns2tcp Download for Linux https://pkgs.org/download/dns2tcp alex-sector/dns2tcp https://github.com/alex-sector/dns2tcp ## 第七單元：整理漏洞與撰寫報告 * P.3-108：記錄執行過程 * Tmux Logging https://github.com/tmux-plugins/tmux-logging * P.3-109/110：文件撰寫重點 * OSCP pentest report sample https://help.offensive-security.com/hc/en-su/articles/360040165632-OSCP-Exam-Guide