forked from n3k/Pentest
Web_Methodology.txt
Misc
21,22,23,25,53,80,81,111,135,137,138,139,161,389,443,445,1099,1433,2049,3260,3268,3306,3389,5060,5061,6379,7000,7080,7443,7001,8080,9050,9090,9143,8081,8888,9091,8000,9000,9173,10099,10199,10443,9443,8443,27000,27001,27018,27019,27017,3299,5984,8009,9160,9100,11211
Web only
80,81,443,1099,3000,7000,7443,7001,8000,8001,8083,8008,8014,8042,8069,8080,8081,8088,8090,8888,8443,8500,8983,9000,9060,9080,9090,9091,9173,9443,9800,9981,10099,10199,10443,11211,18091,18092,20720,28017
Search engines:
censys.io/
https://viewdns.info/
https://www.shodan.io/
https://viz.greynoise.io/table
https://www.zoomeye.org/
https://fofa.so/
https://www.onyphe.io/
https://app.binaryedge.io/
https://hunter.io/
https://wigle.net/
+] Recon:
To grab all the IP Blocks of a company:
Hurricane Electric: https://bgp.he.net
https://whois.arin.net/ui
https://apps.db.ripe.net/db-web-ui/#/query?bflag&searchtext=
https://reverse.report/name/mr.example.ar
https://dnscheck.ripe.net/test/
- Shodan -> Shodan ORG operator. => https://www.shodan.io/search?query=org%3A%22TARGET-NAME%22
Basic Operations: Filters
- country: filters results by two letter country code
- hostname: filters results by specified text in the hostname or domain
- net: filter results by a specific IP range or subnet
- os: search for specific operating systems
- port: narrow the search for specific services
nmap -sn -Pn -n --script=shodan-api --script-args 'shodan-api.apikey=<SHODAN_API_KEY>' target.com
* Study company acquisitions... Understanding whether another company is owned by, or was bought by, the target gives extra ideas for recon
- Wikipedia page of the ORG
- Crunchbase -> https://www.crunchbase.com/organization/tesla-motors#section-overview
- Subdomain discovery:
* https://dnsdumpster.com/
* Certificate Transparency:
curl -s https://certspotter.com/api/v0/certs\?domain\=aaf.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u
* AMASS
https://github.com/caffix/amass
Install method 1: go get -u github.com/caffix/amass
Install method 2:
apt-get install snapd
service snapd start
snap install amass
#!/bin/bash
# $1 = target domain; quoted so names with unusual characters do not break the script
mkdir -p "$1"
touch "$1/$1.txt"
amass -active -d "$1" -r 8.8.8.8,1.1.1.1 | tee "./$1/$1.txt"
amass -ip -d example.com -r 8.8.8.8,1.1.1.1
# amass -active -d demandbase.com
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: No such file or directory
# systemctl status apparmor
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:apparmor(7)
http://wiki.apparmor.net/
# systemctl restart apparmor
* SubFinder
https://github.com/subfinder/subfinder
Installation: go get github.com/subfinder/subfinder
Upgrade: go get -u github.com/subfinder/subfinder
./subfinder -d yahoo.com -v -o ~/Documents/Bounties/Yahoo/subdomains.txt
* aiodnsbrute
aiodnsbrute google.com 2>/dev/null
* massdns --> to use with https://gist.github.com/n3k/1b72d159a2a0376a5ce7644b66ec7e41
-> DNS Bruteforcing
- Old Archives:
https://github.com/n3k/waybackurls
cat domains.txt | waybackurls > urls
+] Leaked Credentials / Secrets:
gitrob
git-all-secrets => https://github.com/anshumanbh/git-all-secrets
truffleHog
git-secrets
repo-supervisor
Clone all the repos from a company:
https://github.com/mazen160/GithubCloner.git
-> python githubcloner.py --org organization -o /tmp/output
Use truffleHog for finding high entropy strings such as passwords, tokens, keys:
$ truffleHog https://github.com/dxa4481/truffleHog.git
git-all-secrets already uses truffleHog as part of its workflow!
Avoids forked repos by default!
# docker run -it abhartiya/tools_gitallsecrets -token=<> -org=<>
# docker run -it abhartiya/tools_gitallsecrets -token=<> -org=<> -toolName=thog
If you want to run only truffleHog with the default regex AND the high entropy settings, provide the thogEntropy flag like this:
# docker run -it abhartiya/tools_gitallsecrets -token=<> -org=<> -toolName=thog -thogEntropy
Retrieve results:
# docker ps -a
# docker cp <container-id>:/root/results.txt .
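The "high entropy strings" idea behind truffleHog above is simple enough to reproduce, and a defender can run the same logic as a pre-commit or CI check so that a token never reaches a public repository in the first place. The following is an added example written for this page, not code from truffleHog or git-all-secrets: it tokenizes each line, computes the Shannon entropy of every candidate of plausible secret length, and reports those above a threshold. The sample text, the 4.0 bits/char threshold and the 20-character minimum are constructed choices for the demonstration; the two "secrets" in it are made-up values.

```python
import math
import re

# Constructed sample input for this example: a fake config snippet with two
# invented high-entropy values. Nothing here is a real credential.
SAMPLE_TEXT = """\
db_host = "db.internal.example"
log_level = "debug"
aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_token = "ghp_ZmFrZXRva2VuZm9yZGVtb3B1cnBvc2Vz1234"
greeting = "hello world hello world hello world"
"""

# Candidate tokens: runs of base64-, hex- or URL-safe-looking characters.
# Dots and spaces deliberately break tokens so hostnames and prose do not match.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, measured over the token's own alphabet."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_strings(text: str, threshold: float = 4.0, min_len: int = 20):
    """Return (line_no, token, entropy) for every token at or above the threshold.

    A random 40-character base64 string scores around 4.5-5 bits/char; ordinary
    identifiers and English words score well under 4, which is why the threshold
    separates keys from code reasonably well. Tune it per repository.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN_RE.findall(line):
            if len(token) < min_len:
                continue
            entropy = shannon_entropy(token)
            if entropy >= threshold:
                hits.append((line_no, token, round(entropy, 2)))
    return hits


if __name__ == "__main__":
    for line_no, token, entropy in find_high_entropy_strings(SAMPLE_TEXT):
        print(f"line {line_no}: entropy {entropy} -> {token[:8]}... (possible secret)")
```

Running it over a repository is a matter of feeding each file's contents to `find_high_entropy_strings`; the false-positive rate (hashes, minified assets, test fixtures) is the reason real tools pair entropy with the regex rules mentioned above, and the reason an allowlist of known-benign paths is worth keeping.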
+] Analysis of specific websites:
- Builtwith -> tool to recognize the software stack that a website runs
- brutespray -> is a tool that takes Nmap greppable output (-oG) and, based on the ports that run administration interfaces like ssh, ftp, smtp, telnet, mysql, etc., will attempt to bruteforce the user/password with the given wordlists using medusa in the background:
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
- Linkfinder + JSParser --> To parse .JS files and grab URLs from them!
+] Content Discovery:
Dictionary: https://gist.github.com/n3k/ecb652f13e1d3ae92d2eb1a062b1d32e
- dirsearch
Example use:
python3 dirsearch.py -u https://ads.example.com/ -w /root/dirsearch/content_discovery_all.txt -e js,html,xml,json --proxy=192.168.191.1:8080 --header "Authorization: bearer 210370854284-59-XXXXXXXXXX"
- GoBuster
Example use:
gobuster.exe -u https://embed.examplemedia.com/ -w content_discovery_all.txt -fw
-k - Skip verification of SSL certificates.
- Robots Disallowed
for host in $(cat auto_hosts.txt); do screen -S "scr_"$host -d -m; screen -r "scr_"$host -X stuff $'dirb https://'$host'/ | tee out_'$host'\n'; done
for host in $(cat auto_hosts.txt); do echo 'dirb https://'$host'/ > "out_'$host'"' > start_$host; (bash "start_"$host 2>&1 &) ; done
+] Parameter Bruting:
- parameth
- backslash-powered-scanner/resources/params
- ParamMiner!
+] Match-Replace Rules to Disable Websockets
MATCH: HTTP/1.1 101 Switching Protocols --> (Response Header)
REPLACE: HTTP/1.1 200 OK
MATCH: Upgrade: websocket --> (Response Header)
REPLACE:
MATCH: Connection: upgrade --> (Response Header)
REPLACE: Connection: close
MATCH: ^Sec-WebSocket-.*$ --> (Response Header)
REPLACE:
Launch a Nikto scan in case you missed something
All:
21,22,23,25,53,80,81,111,135,137,138,139,161,389,443,445,1099,1433,2049,3000,3260,3268,3299,3306,3366,3389,3868,4000,4040,4044,5000,5060,5061,5432,5673,5900,5984,6000,6379,7077,7080,7443,7447,8000,8009,8080,8081,8089,8181,8443,8880,8888,8983,9000,9050,9090,9091,9100,9143,9160,9173,9443,9999,10000,10099,10199,10443,11211,15672,27000,27001,27017,27018,27019
Tests for OAUTH implementation to perform:
1) Invalidation of authorization token after revoking access:
2) Race condition in the authorization/refresh token generation
3) Invalidation of authorization code:
4) Redirect URI validation: this is a very common attack vector! If you don’t properly validate the redirect URI you might be sending the token or code to an unintended location.
5) Grant and response type validation -> try to change the response type from code to token in the input query string, and – tada – suddenly some implementations return a token instead of just the authorization code.
6) Bind tokens to the client -> Make sure that when client 1 requests an authorization code that also only client 1 can use that code to request a token. Same for refresh tokens.
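Tests 3 to 6 above all come down to checks an authorization server either performs or forgets. As an added example (not code from any OAuth library or from the original notes), the following shows the server side of those checks: exact-match redirect URI validation (test 4), a per-client allowlist of response types (test 5), and an authorization code store that is single-use (test 3) and bound to the client and redirect URI that requested it (test 6). The client registry, client IDs and URIs are constructed for the example; the `now` parameter is injectable only so expiry can be exercised without waiting.

```python
import secrets
import time
from urllib.parse import urlsplit

# Constructed client registry for this example; a real server loads this from storage.
CLIENTS = {
    "client-1": {
        "redirect_uris": {"https://app.example.com/callback"},
        "response_types": {"code"},
    },
    "client-2": {
        "redirect_uris": {"https://other.example.net/cb"},
        "response_types": {"code"},
    },
}


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Test 4: accept only an exact, pre-registered https redirect URI.

    Prefix, suffix or substring matching is what lets an attacker-controlled
    host or path receive the code, so after a few structural checks this is a
    plain set membership test. Fragments are never valid in a redirect URI.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def validate_response_type(client_id: str, response_type: str) -> bool:
    """Test 5: the response_type must be one the client was registered for."""
    client = CLIENTS.get(client_id)
    return client is not None and response_type in client["response_types"]


class CodeStore:
    """Authorization codes: short-lived, single-use, bound to client and redirect URI."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._codes = {}

    def issue(self, client_id, redirect_uri, subject, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "subject": subject,
            "expires": now + self.ttl,
        }
        return code

    def redeem(self, code, client_id, redirect_uri, now=None):
        """Tests 3 and 6: remove the code first (single use), then check the binding.

        A code presented by the wrong client is consumed rather than left valid,
        in line with RFC 6749 section 4.1.2, which requires codes to be single use
        and bound to the client they were issued to. Returns the subject on success.
        """
        now = time.time() if now is None else now
        record = self._codes.pop(code, None)
        if record is None or now >= record["expires"]:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        return record["subject"]
```

The pop-before-check order is what addresses test 2 in a single process: there is no window in which two concurrent redemptions both see the code as valid. With a shared backing store (database, Redis) the same property needs an atomic delete-and-return there, not a read followed by a delete.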
SAML Tests:
• Signature wrapping
• Tampered audience
• Tampered signature
• Removed signature
• Changed identity
• Included comments in identity looking for canonicalization issues
• Inserted XXE payloads
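Most of the SAML tests listed above probe for a service provider that consumes a different element than the one it verified, or that parses hostile markup before checking anything. The following is an added example for this page, not code from any SAML library: a structural pre-check that a service provider runs before (never instead of) cryptographic signature verification, rejecting DTDs and entities (XXE), XML comments (the identity-splitting canonicalization trick), responses with more or fewer than one Assertion (signature wrapping), a Signature that is missing or does not reference the Assertion it sits in, and a wrong Audience. The sample Response, its IDs, the placeholder signature value and the audience URL are constructed; the actual XML-DSig verification is assumed to be done afterwards by a dedicated library.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}


def precheck_saml_response(xml_text: str, expected_audience: str) -> list:
    """Return a list of problems; an empty list means the structural checks passed.

    This runs before signature verification and does not replace it: a response
    that passes here still needs its XML signature verified by a proper library.
    """
    # XXE and comment tricks are rejected on the raw text, before any parser has
    # a chance to expand an entity or silently drop a comment inside a NameID.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present (XXE risk)"]
    if "<!--" in xml_text:
        return ["XML comment present (identity/canonicalization ambiguity)"]

    problems = []
    root = ET.fromstring(xml_text)
    assertions = list(root.iter(f"{{{SAML_NS}}}Assertion"))
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        problems.append("Assertion has no ID attribute")

    # The Signature must be a direct child of the Assertion and its Reference
    # must point at that Assertion; anything else is the shape wrapping relies on.
    signatures = assertion.findall("ds:Signature", NS)
    if len(signatures) != 1:
        problems.append(f"expected exactly one Signature on the Assertion, found {len(signatures)}")
    else:
        ref = signatures[0].find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != f"#{assertion_id}":
            problems.append(f"Signature Reference URI {uri!r} does not point at the Assertion")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected_audience!r}")
    return problems


# Constructed sample Response; the signature value is a placeholder, not a real signature.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>BASE64-SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed wrapping variant: a second, unsigned Assertion appended to the Response.
WRAPPED_RESPONSE = GOOD_RESPONSE.replace(
    "</samlp:Response>",
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin@example.com'
    "</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    print("good:", precheck_saml_response(GOOD_RESPONSE, "https://sp.example.com/metadata"))
    print("wrapped:", precheck_saml_response(WRAPPED_RESPONSE, "https://sp.example.com/metadata"))
```

The "exactly one Assertion, exactly one Signature referencing it" rule is deliberately strict; a service provider that accepts multi-assertion responses needs to verify each one and then use only the verified element (by the same object, not by re-querying the tree), which is the part wrapping attacks exploit.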
+] Some aws cli S3 commands:
// needs a configured aws account
C:\Users\x1>aws s3 ls s3://inhouse.infob.com
PRE tenaris/
PRE toyota-gazoo-racing/
PRE toyota-rav4/
PRE toyota/
PRE volkswagen/
PRE volkswagen40/
PRE wabi/
2020-04-23 16:07:02 4 test.txt
2020-04-23 16:07:44 4 test2.txt
2020-04-23 18:05:17 15 test3.txt
C:\Users\x1>aws s3api get-bucket-acl --bucket inhouse.infob.com
{
"Owner": {
"DisplayName": "ib-brandedcontent",
"ID": "f61fd3f79814e2d1dd84b6e987a17befa51a10d7b474d40c16476caffc0be3ff"
},
"Grants": [
{
"Grantee": {
"DisplayName": "ib-brandedcontent",
"ID": "f61fd3f79814e2d1dd84b6e987a17befa51a10d7b474d40c16476caffc0be3ff",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AllUsers"
},
"Permission": "FULL_CONTROL"
}
]
}
C:\Users\x1>aws s3 cp test4.html s3://inhouse.infob.com
upload: .\test4.html to s3://inhouse.infob.com/test4.html
aws s3api put-object-acl --bucket inhouse.infob.com --key test4.html --acl public-read
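The `get-bucket-acl` output above shows the pattern that makes a bucket world-writable: a `Group` grantee with the `AllUsers` URI holding `FULL_CONTROL`. As an added example (not part of the original notes and not AWS tooling), the following parses that JSON shape and flags grants to the two public groups, so the same check can run across an account's bucket inventory from the defender's side. The ACL document is constructed with placeholder owner IDs; it has the same structure as the real command's output.

```python
import json
import sys

# The two grantee groups that make an ACL "public" in AWS terms.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# Constructed sample shaped like `aws s3api get-bucket-acl` output; IDs are placeholders.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "example-owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"DisplayName": "example-owner",
                     "ID": "OWNER-CANONICAL-ID-PLACEHOLDER",
                     "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
    ],
})


def public_grants(acl_json: str):
    """Return (group URI, permission) for every grant to a public group."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def severity(findings) -> str:
    """Rank the worst public permission present.

    Public write (WRITE, WRITE_ACP or FULL_CONTROL) lets anyone add or replace
    objects, which is exactly what the `cp` and `put-object-acl` commands above
    demonstrated; public READ exposes every object; READ_ACP only leaks the ACL.
    """
    perms = {perm for _, perm in findings}
    if perms & {"FULL_CONTROL", "WRITE", "WRITE_ACP"}:
        return "critical"
    if "READ" in perms:
        return "high"
    if "READ_ACP" in perms:
        return "medium"
    return "none"


if __name__ == "__main__":
    # Usage: aws s3api get-bucket-acl --bucket NAME | python3 this_script.py
    acl_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACL
    findings = public_grants(acl_text)
    for uri, perm in findings:
        print(f"{perm} granted to {PUBLIC_GROUPS[uri]} ({uri})")
    print("severity:", severity(findings))
```

For remediation the ACL grant itself can be removed, but the durable fix is turning on the account- or bucket-level Block Public Access settings (`aws s3api put-public-access-block`), which make public ACLs ineffective even if a later `put-object-acl --acl public-read` is run.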