|
|
(15 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| | Building environment |
|
| |
|
| == Building a RHEL like env ==
| | * [[Building a RHEL like environment to cybersec]] |
| sudo dnf update -y
| |
| sudo dnf install hydra gobuster wafw00f whatweb golang git seclists wfuzz -y
| |
| cd /tmp
| |
| git clone https://github.com/tomnomnom/hacks.git
| |
| cd hacks/html-tool
| |
| go build -o html-tool main.go
| |
| sudo cp html-tool /usr/local/bin
| |
| cd /tmp
| |
| git clone https://github.com/003random/getJS.git
| |
| cd getJS
| |
| go build -o getJS main.go
| |
| sudo cp getJS /usr/local/bin
| |
| wget https://files.pedromussato.com/programs/burpsuite_community_linux_v2024_8_2.sh
| |
| chmod +x burpsuite_community_linux_v2024_8_2.sh
| |
| ./burpsuite_community_linux_v2024_8_2.sh
| |
|
| |
|
| == Mapping host ==
| | Courses notes |
|
| |
|
| === Mapping open ports on host ===
| | * [[DESEC Security - Introduction to Pentest in Practice - course notes]] |
| nmap -D RND:20 --open -sS --top-ports=100 domain.com -oN open-ports.file
| | * [[UDEMY - TOTAL: CompTIA Security+ Certification (SY0-601) - course notes]] |
| | |
| * nmap - the comand
| |
| * -D RND:20 - will generate 20 random IPs to send the request, to try to mask the requests if there is a inteligent firewall on the other side.
| |
| * --open - to get open ports
| |
| * -sS - SYN scan the target responds with a '''SYN-ACK''' packet (acknowledging the connection)
| |
| * --top-ports=100 - list the top 100 ports
| |
| * domain.com the host you want to map
| |
| * -oN - output name, or, output save to the file named open-ports.file
| |
| | |
| Optionals
| |
| | |
| * -p- - will scan all 65535 ports of the server
| |
| * --min-rate=N - will send N packages per second
| |
| | |
| === Mapping services on ports ===
| |
| nmap --open -sV -pP1,P2... domain.com -oN services-on-ports.file
| |
| | |
| * -sV - to scan the service on the port (scan version)
| |
| * -pP1,P2 - scan just port P1 and P2 but you can use any number of ports (e.g. -p80,443,22)
| |
| | |
| === Search exposed interfaces ===
| |
| gobuster dir -u <nowiki>http://dominio.com/</nowiki> -w /word-list.txt -t 100 -e --no-error -r -o exposed-interfaces.file
| |
| | |
| * gobuster - the command
| |
| * dir - uses directory/file enumeration mode
| |
| * -u - URL
| |
| * -w - word list
| |
| * -t 100 - uses 100 paralel threads for reducing search time
| |
| * -e - shows extended log
| |
| * --no-error - do not returns errors
| |
| * -r - follow redirects
| |
| * -o exposed-interfaces.file - save output to exposed-interfaces.file
| |
| | |
| === FTP brute force test ===
| |
| hydra -v -t10 -l user -p password <nowiki>ftp://domain.com</nowiki> -s PORT
| |
| or
| |
| hydra -v -t10 -L /users-list.file -P /passwords-list.file -s PORT
| |
| | |
| * hydra - the command
| |
| * -v - verbose
| |
| * -t10 - use 10 threads to make things quickly
| |
| * -l - use a specific username
| |
| * -L - use a list of usernames
| |
| * -p - use a specific password
| |
| * -P - use a list of passwords | |
| * -s - specify the port, if not will use the default one (21)
| |
| | |
| === WEB brute force test ===
| |
| Install Burp Suite, go to intercept and turn it on, open the browser,
| |
| [[File:Fmwynvpbcxgwkq.png|none|thumb|600x600px]] | |
| access the login interface, intercept the request that sends the authentication, send it to repeater and instruder,
| |
| [[File:Djukezotdnmggziq.png|none|thumb|600x600px]]
| |
| then go to the repeater and repeat many times to test if the application is susceptible to brute force attacks,
| |
| [[File:Etfqtexbpgubqvpm.png|none|thumb|600x600px]]
| |
| then go to the intruder > positions and put a §§ on the password field,
| |
| [[File:Jsrsahvkbgvkkxzm.png|none|thumb|600x600px]]
| |
| then go to payloads, set payload type to runtime file and then select a file with the password
| |
| [[File:Cefrtaxjxiqcpntj.png|none|thumb|600x600px]]
| |
| result:
| |
| [[File:Fjhxfyxkbpslkuy.png|none|thumb|600x600px]]
| |
| 14 requests in a row and none was blocked by brute force tests.
| |
| | |
| == Mapping application ==
| |
| | |
| === Checking WAF ===
| |
| wafw007f -v <nowiki>http://domain.com</nowiki>
| |
| or
| |
| wafw007f -vv <nowiki>http://domain.com</nowiki>
| |
| or
| |
| wafw007f -vvv <nowiki>http://domain.com</nowiki>
| |
| | |
| * wafw007f - the command
| |
| * -v - verbose level 1
| |
| * -vv - verbose level 2
| |
| * -vvv - verbose level 3
| |
| | |
| === Checking server details ===
| |
| whatweb <nowiki>http://domain.com</nowiki>
| |
| | |
| * whatweb - the command
| |
| | |
| (e.g.)
| |
| root@sadfasdf:~# whatweb <nowiki>http://wiki.pedromussato.com</nowiki>
| |
| <nowiki>http://wiki.pedromussato.com</nowiki> [301 Moved Permanently] Apache[2.4.58], Country[UNITED STATES][US], HTTPServer[Ubuntu Linux][Apache/2.4.58 (Ubuntu)], IP[34.234.173.224], RedirectLocation[https://wiki.pedromussato.com/], Title[301 Moved Permanently]
| |
| root@sadfasdf:~#
| |
| or
| |
| nc -v domain.com 80 -C
| |
| OPTIONS /REALLYANYTHING HTTP/1.0
| |
| | |
| * nc - the command
| |
| * -v - verbose
| |
| * 80 - the port
| |
| * -C - Send CRLF as line-ending
| |
| | |
| (e.g.)
| |
| root@sadfasdf:~# nc -v wiki.pedromussato.com 80 -C
| |
| DNS fwd/rev mismatch: wiki.pedromussato.com != ec2-34-234-173-224.compute-1.amazonaws.com
| |
| wiki.pedromussato.com [34.234.173.224] 80 (http) open
| |
| OPTIONS /asdasd HTTP/1.0
| |
|
| |
| HTTP/1.1 200 OK
| |
| Date: Thu, 03 Oct 2024 19:07:03 GMT
| |
| Server: Apache/2.4.58 (Ubuntu)
| |
| Allow: GET,POST,OPTIONS,HEAD
| |
| Content-Length: 0
| |
| Connection: close
| |
|
| |
| root@sadfasdf:~#
| |
| | |
| === Get information out from HTML ===
| |
| | |
| ==== Get comments from html ====
| |
| echo '<nowiki>http://domain.com'</nowiki> | html-tool comments
| |
| This will return all comments from the page on '<nowiki>http://domain.com'</nowiki>.
| |
| | |
| * html-tool - the command
| |
| * comments - the parameter
| |
| | |
| ==== Get content from html tag ====
| |
| echo '<nowiki>http://domain.com'</nowiki> | html-tool tags <tag 1> <tag 2> ...
| |
| This will return all content from the tags specified on the page on '<nowiki>http://domain.com'</nowiki>.
| |
| | |
| * tags - the parameter
| |
| * <tag 1> <tag 2> ... - can be any html tag
| |
| | |
| ==== Get content from html attributes ====
| |
| echo '<nowiki>http://domain.com'</nowiki> | html-tool attribs <attr 1> <attr 2> ...
| |
| This will return all content from the attributes specified on the page on '<nowiki>http://domain.com'</nowiki>.
| |
| | |
| * attribs - the parameter
| |
| * <attr 1> <attr 2> ... - can be any attribute on the html
| |
| | |
| ==== Get JS files from HTML ====
| |
| getJS --url <nowiki>http://domain.com</nowiki> --complete
| |
| | |
| * getJS - the command
| |
| * --url <nowiki>http://domain.com</nowiki> - query this page
| |
| * --complete - return the complete path to the js file | |
| It's important to note that the --complete will just concatenate the domain with the js file so if the endpoint is a php probably it will return something like
| |
| <nowiki>http://domain.com/page.php/jsfile.js</nowiki>
| |
| what is incorrect so consider use without the --complete or remember that you may remove the page.php from the output.
| |
| | |
| === Spidering ===
| |
| Open Burp Suite go to target > scope and add the scope you want (e.g. '<nowiki>http://domain.com'</nowiki>),
| |
| [[File:7d15h6sq7co9.png|none|thumb|600x600px]]
| |
| go to proxy and open a browser (you can disable the intercept), and go to the site,
| |
| [[File:7u4v05v33rgj.png|none|thumb|600x600px]]
| |
| as you navigate the site map will be populated with the site data.
| |
| [[File:00qis0u551qa.png|none|thumb]] | |
| | |
| === File brute force search ===
| |
| Again using the gobuster command but now using the -x parameter:
| |
| gobuster dir -u <nowiki>http://domain.com</nowiki> -w /wordlist.list -e -t 100 -r --no-error -o output.file -x <file extension 1>,<file extension 2>...
| |
| | |
| * -x <file extension 1>,<file extension 2>... - specifies the file extension to search (e.g. -x php,bkp,xml,old,log,txt)
| |
| | |
| ==== File parameter brute force search ====
| |
| Using a file that contains a list of keywords we can use a for loop to iterate on each keyword and query the endpoint like that:
| |
| for keyword in $(cat keyword.list); do curl <nowiki>http://domain.com/index.php\?$keyword=</nowiki><something>; done
| |
| or
| |
| wfuzz -c --hl 0 -z file,keyword.list <nowiki>http://domain.com/index.php?FUZZ=</nowiki><something>
| |
| | |
| * wfuzz - the command
| |
| * -c - return colored output
| |
| * -z file,keyword.list - specify that the input will be a file and the file is keyword.list
| |
| * --hl 0 - hide response with zero lines (hl == hide line)
| |
| * ?FUZZ=<something> - FUZZ will be the keyword itself and something you can set to anything
| |
| | |
| == Exploration and post exploration ==
| |
| | |
| === Identifying vulnerabilities ===
| |
| First of all look back at what you have collected and then think a bit about the environment and what can be a vulnerability, sql injection, entry points, and things like that.
| |
| | |
| === SQL Injection test ===
| |
| sqlmap -v -u "<nowiki>http://domain.com/index.php?keyword=somevalue</nowiki>" --current-db --threads=10
| |
| | |
| * sqlmap - the command
| |
| * -v - verbose
| |
| * -u "<nowiki>http://domain.com/index.php?keyword=somevalue</nowiki>" - url susceptible to sql injection
| |
| * --current-db - return the current database
| |
| * --threads=10 - use 10 threads to execute faster
| |