âŗ
Ichyaboy
  • 👋Ichyaboy
  • Hackthebox Related
    • 🎰Machines
      • Linux based Machines
        • Talkative
        • Encoding
      • Windows based machines
        • Silo
    • 🕹ī¸Challenges (coming soon)
  • Portswigger Related
    • 🔧Server-side topics
      • Business logic flaws
        • Excessive trust in client-side controls
        • 2FA Broken Logic
        • High-level logic vulnerability
        • Inconsistent handling of exceptional input
        • Inconsistent security controls
        • Weak isolation on dual-use endpoint
        • Low-level logic flaw
        • Infinite money logic flaw
      • Information Disclosure
        • Information disclosure in error messages
        • Information disclosure on debug page
        • Source code disclosure via backup files
        • Authentication bypass via information disclosure
        • Information disclosure in version control history
      • Access Control
        • Unprotected admin functionality
        • Unprotected admin functionality with unpredictable URL
        • User role controlled by request parameter
        • User role can be modified in user profile
        • User ID controlled by request parameter
        • User ID controlled by request parameter, with unpredictable user IDs
        • User ID controlled by request parameter with data leakage in redirect
        • User ID controlled by request parameter with password disclosure
        • Insecure direct object references
        • URL-based access control can be circumvented
        • Method-based access control can be circumvented
        • Multi-step process with no access control on one step
        • Referer-based access control
      • File Upload
        • Remote code execution via web shell upload
        • Web shell upload via Content-Type restriction bypass
        • Web shell upload via path traversal
        • Web shell upload via extension blacklist bypass
        • Web shell upload via obfuscated file extension
        • Remote code execution via polyglot web shell upload
        • Web shell upload via race condition
      • Race Conditions
        • Limit overrun race conditions
        • Bypassing rate limits via race conditions
        • Multi endpoint race conditions
        • Single endpoint race conditions
        • Time sensitive vulnerabilities
        • Partial construction race conditions
      • SSRF
        • Basic SSRF against the local server
        • Basic SSRF against another back end system
        • Blind SSRF with out of band detection
        • SSRF with blacklist based input filter
        • SSRF with filter bypass via open redirection vulnerability
        • Blind SSRF with Shellshock exploitation
        • SSRF with whitelist based input filter
      • XXE Injection
        • Exploiting XXE using external entities to retrieve files
        • Exploiting XXE to perform SSRF attacks
        • Blind XXE with out of band interaction
        • Blind XXE with out of band interaction via XML parameter entities
        • Exploiting blind XXE to exfiltrate data using a malicious external DTD
        • Exploiting blind XXE to retrieve data via error messages
        • Exploiting XInclude to retrieve files
        • Exploiting XXE via image file upload
        • Exploiting XXE to retrieve data by repurposing a local DTD
      • Nosql Injection
        • Detecting NoSQL injection
        • Exploiting NoSQL operator injection to bypass authentication
        • Exploiting NoSQL injection to extract data
        • Exploiting NoSQL operator injection to extract unknown fields
      • Api Testing
        • Exploiting an API endpoint using documentation
        • Exploiting server side parameter pollution in a query string
        • Finding and exploiting an unused API endpoint
        • Exploiting a mass assignment vulnerability
        • Exploiting server side parameter pollution in a REST URL
    • đŸŽ¯Client-side topics
      • Cross-site scripting (XSS)
        • Stored XSS
          • Stored XSS into HTML context with nothing encoded
          • Stored XSS into anchor href attribute with double quotes HTML encoded
          • Stored XSS into onclick event with angle brackets and double quotes HTML encoded and single quotes and backslash escaped
        • Reflected XSS
          • Reflected XSS into HTML context with nothing encoded
          • Reflected XSS into attribute with angle brackets HTML encoded
          • Reflected XSS into a JavaScript string with angle brackets HTML encoded
          • Reflected XSS into HTML context with most tags and attributes blocked
          • Reflected XSS into HTML context with all tags blocked except custom ones
          • Reflected XSS with some SVG markup allowed
          • Reflected XSS in canonical link tag
          • Reflected XSS into a JavaScript string with single quote and backslash escaped
          • Reflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped
          • Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode escaped
          • Reflected XSS with event handlers and href attributes blocked
          • Reflected XSS in a JavaScript URL with some characters blocked
        • DOM-based XSS
          • DOM XSS in document.write sink using source location.search
          • DOM XSS in innerHTML sink using source location.search
          • DOM XSS in jQuery anchor href attribute sink using location.search source
          • DOM XSS in jQuery selector sink using a hashchange event
          • DOM XSS in document.write sink using source location.search inside a select element
          • DOM XSS in AngularJS expression with angle brackets and double quotes HTML encoded
          • Reflected DOM XSS
          • Stored DOM XSS
        • CSP Bypass
          • Reflected XSS protected by CSP, with CSP bypass
          • Reflected XSS protected by very strict CSP, with dangling markup attack
        • Client-side template injection
          • Reflected XSS with AngularJS sandbox escape without strings
          • Reflected XSS with AngularJS sandbox escape and CSP
        • Common XSS Attacks
          • Exploiting cross site scripting to steal cookies
          • Exploiting cross site scripting to capture passwords
          • Exploiting XSS to perform CSRF
      • WebSockets
        • Manipulating WebSocket messages to exploit vulnerabilities
        • Cross site WebSocket hijacking
        • Manipulating the WebSocket handshake to exploit vulnerabilities
      • Cross-site Request forgery (CSRF)
        • CSRF vulnerability with no defenses
        • CSRF where token validation depends on request method
        • CSRF where token validation depends on token being present
        • CSRF where token is not tied to user session
        • CSRF where token is tied to non session cookie
        • CSRF where token is duplicated in cookie
        • SameSite Lax bypass via method override
        • SameSite Strict bypass via client side redirect
        • SameSite Strict bypass via sibling domain
        • SameSite Lax bypass via cookie refresh
        • CSRF where Referer validation depends on header being present
        • CSRF with broken Referer validation
      • Cross-origin resource sharing
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Clickjacking
        • Basic clickjacking with CSRF token protection
        • Clickjacking with form input data prefilled from a URL parameter
        • Clickjacking with a frame buster script
        • Exploiting clickjacking vulnerability to trigger DOM based XSS
        • Multistep clickjacking
      • DOM-based vulnerabilities
        • DOM XSS using web messages
        • DOM XSS using web messages and a JavaScript URL
        • DOM XSS using web messages and JSON.parse
        • DOM based open redirection
        • DOM based cookie manipulation
        • Exploiting DOM clobbering to enable XSS
        • Clobbering DOM attributes to bypass HTML filters
  • Resources
    • đŸŗī¸Cheatsheets
      • Basic Tools
      • Footprinting
      • Web Inofrmation Gathering
      • Nmap
      • File Transfer
      • Passwords Attacks
      • USING THE METASPLOIT FRAMEWORK
      • Shells & Payloads
      • Attacking Common Services
      • Pivoting, Tunneling, and Port Forwarding
    • 🏴Useful Scripts
      • NoSQL REGEX Password Length
      • NoSQL REGEX Password
      • Creds BruteForce CSRF Handling
Powered by GitBook
On this page
  • Infrastructure-based Enumeration
  • Host-based Enumeration
  • FTP
  • SMB
  • NFS
  • DNS
  • SMTP
  • IMAP/POP3
  • SNMP
  • MySQL
  • MSSQL
  • IPMI
  • Linux Remote Management
  • Windows Remote Management
  • Oracle TNS
  1. Resources
  2. Cheatsheets

Footprinting

Infrastructure-based Enumeration

Command

Description

curl -s https://crt.sh/\?q\=<target-domain>\&output\=json | jq .

Certificate transparency.

for i in $(cat ip-addresses.txt);do shodan host $i;done

Scan each IP address in a list using Shodan.

Host-based Enumeration

FTP

Command

Description

ftp <FQDN/IP>

Interact with the FTP service on the target.

nc -nv <FQDN/IP> 21

Interact with the FTP service on the target.

telnet <FQDN/IP> 21

Interact with the FTP service on the target.

openssl s_client -connect <FQDN/IP>:21 -starttls ftp

Interact with the FTP service on the target using encrypted connection.

wget -m --no-passive ftp://anonymous:anonymous@<target>

Download all available files on the target FTP server.

SMB

Command

Description

smbclient -N -L //<FQDN/IP>

Null session authentication on SMB.

smbclient //<FQDN/IP>/<share>

Connect to a specific SMB share.

rpcclient -U "" <FQDN/IP>

Interaction with the target using RPC.

samrdump.py <FQDN/IP>

Username enumeration using Impacket scripts.

smbmap -H <FQDN/IP>

Enumerating SMB shares.

crackmapexec smb <FQDN/IP> --shares -u '' -p ''

Enumerating SMB shares using null session authentication.

enum4linux-ng.py <FQDN/IP> -A

SMB enumeration using enum4linux.

NFS

Command

Description

showmount -e <FQDN/IP>

Show available NFS shares.

mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock

Mount the specific NFS share.umount ./target-NFS

umount ./target-NFS

Unmount the specific NFS share.

DNS

Command

Description

dig ns <domain.tld> @<nameserver>

NS request to the specific nameserver.

dig any <domain.tld> @<nameserver>

ANY request to the specific nameserver.

dig axfr <domain.tld> @<nameserver>

AXFR request to the specific nameserver.

dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>

Subdomain brute forcing.

SMTP

Command

Description

telnet <FQDN/IP> 25

Connect to the SMTP service.

IMAP/POP3

Command

Description

curl -k 'imaps://<FQDN/IP>' --user <user>:<password>

Log in to the IMAPS service using cURL.

openssl s_client -connect <FQDN/IP>:imaps

Connect to the IMAPS service.

openssl s_client -connect <FQDN/IP>:pop3s

Connect to the POP3s service.

SNMP

Command

Description

snmpwalk -v2c -c <community string> <FQDN/IP>

Querying OIDs using snmpwalk.

onesixtyone -c community-strings.list <FQDN/IP>

Bruteforcing community strings of the SNMP service.

braa <community string>@<FQDN/IP>:.1.*

Bruteforcing SNMP service OIDs.

MySQL

Command

Description

mysql -u <user> -p<password> -h <FQDN/IP>

Login to the MySQL server.

MSSQL

Command

Description

mssqlclient.py <user>@<FQDN/IP> -windows-auth

Log in to the MSSQL server using Windows authentication.

IPMI

Command

Description

msf6 auxiliary(scanner/ipmi/ipmi_version)

IPMI version detection.

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)

Dump IPMI hashes.

Linux Remote Management

Command

Description

ssh-audit.py <FQDN/IP>

Remote security audit against the target SSH service.

ssh <user>@<FQDN/IP>

Log in to the SSH server using the SSH client.

ssh -i private.key <user>@<FQDN/IP>

Log in to the SSH server using private key.

ssh <user>@<FQDN/IP> -o PreferredAuthentications=password

Enforce password-based authentication.

Windows Remote Management

Command

Description

rdp-sec-check.pl <FQDN/IP>

Check the security settings of the RDP service.

xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>

Log in to the RDP server from Linux.

evil-winrm -i <FQDN/IP> -u <user> -p <password>

Log in to the WinRM server.

wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"

Execute command using the WMI service.

Oracle TNS

Command

Description

./odat.py all -s <FQDN/IP>

Perform a variety of scans to gather information about the Oracle database services and its components.

sqlplus <user>/<pass>@<FQDN/IP>/<db>

Log in to the Oracle database.

./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt

Upload a file with Oracle RDBMS.

PreviousBasic ToolsNextWeb Inofrmation Gathering

Last updated 1 year ago

đŸŗī¸
Page cover image