Last active
September 23, 2025 13:53
Revisions
githubfoam revised this gist
Sep 23, 2025 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -2071,5 +2071,5 @@ ldapsearch -x -H ldap://IPADDRESS -b "" -s base "(objectclass=*)" Extract Directory Information: If anonymous binds are allowed, enumerate users, groups, and system attributes $ ldapsearch -x -H ldap://IPADDRESS -b "dc=oxford,dc=edu,dc=uk" "(objectclass=*)" =========================================================================== -
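Review bot: the base DN swap from `dc=iyte,dc=edu,dc=tr` to `dc=oxford,dc=edu,dc=uk` still hardcodes a real third party's directory suffix in an example that otherwise uses the `IPADDRESS` placeholder; use a neutral suffix such as `dc=example,dc=com`, or better, take the suffix from the `namingContexts` attribute returned by the preceding rootDSE query (`-b "" -s base`) so the second command follows from the first. The `$ ` prompt prefix on this line is also inconsistent with the unprefixed `ldapsearch` directly above it. Separately, GitHub flags this file as containing hidden or bidirectional Unicode characters; those should be located and stripped, since they can make a pasted command run differently from how it reads.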
githubfoam revised this gist
Sep 23, 2025 . 1 changed file with 24 additions and 0 deletions.
@@ -2049,3 +2049,27 @@ Enable no_unset to prevent expansion of unset variables. Implement strict input validation and sanitization in applications. Stay updated with Zsh and application security patches. =========================================================================== LDAP SERVER 1. Reconnaissance and Service Verification Confirm LDAP Service Availability: LDAP typically runs on ports 389 (unencrypted) and 636 (LDAPS). Global Catalog ports (3268/3269) may also be relevant for Active Directory environments This helps identify if the LDAP service is listening and whether it supports SSL/TLS. nmap -sV -p 389,636,3268,3269 IPADDRESS Check for Anonymous Binds: Attempt anonymous authentication to determine if the server allows unauthenticated access, which is a common misconfiguration If successful, this may reveal directory information, such as naming contexts or server details ldapsearch -x -H ldap://IPADDRESS -b "" -s base "(objectclass=*)" 2. Enumeration and Information Gathering Extract Directory Information: If anonymous binds are allowed, enumerate users, groups, and system attributes $ ldapsearch -x -H ldap://IPADDRESS -b "dc=iyte,dc=edu,dc=tr" "(objectclass=*)" =========================================================================== -
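Review bot: the rootDSE query `ldapsearch -x -H ldap://IPADDRESS -b "" -s base "(objectclass=*)"` will usually come back as an empty entry on OpenLDAP, because `namingContexts`, `supportedSASLMechanisms`, `supportedLDAPVersion` and the other rootDSE attributes are operational and are only returned when asked for; append `+` or name them, e.g. `ldapsearch -x -H ldap://IPADDRESS -b "" -s base "(objectclass=*)" namingContexts supportedSASLMechanisms`. The text also claims the nmap step shows "whether it supports SSL/TLS", but `-sV` on 636/3269 does not prove a usable TLS endpoint; add `--script ssl-cert` for those ports or repeat the ldapsearch with `-H ldaps://IPADDRESS`. The anonymous-bind step should state the expected failure modes so the reader can tell a hardened server from a network problem: OpenLDAP answers `ldap_bind: Inappropriate authentication` when anonymous binds are disallowed or `Confidentiality required` when it insists on TLS, while Active Directory accepts the anonymous bind but returns `Operations error` on the subtree search until a real bind is done. Finally, `dc=iyte,dc=edu,dc=tr` names a real institution where a placeholder belongs, and the `$ ` prefix on that line does not match the unprefixed commands above it.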
githubfoam revised this gist
Jan 23, 2025 . 1 changed file with 15 additions and 1 deletion.
@@ -1,13 +1,27 @@ ---------------------------------------------------------------------------------------------------- OWASP Top Ten https://owasp.org/www-project-top-ten/ The CWE Top 25 https://www.sans.org/top25-software-errors/ 2022 CWE Top 25 Most Dangerous Software Weaknesses https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html OSSTMM 3 – The Open Source Security Testing Methodology Manual https://www.isecom.org/OSSTMM.3.pdf OWASP Web Security Testing Guide https://owasp.org/www-project-web-security-testing-guide/ PTES, or Penetration Testing Execution Standard http://www.pentest-standard.org/index.php/Main_Page Technical Guide to Information Security Testing and Assessment https://csrc.nist.gov/pubs/sp/800/115/final Information System Security Assessment Framework (ISSAF) ---------------------------------------------------------------------------------------------------- 0-1023 - Well known ports (HTTP, SMTP, DHCP, FTP etc) 1024-49151 - Reserved Ports -
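Review bot: the ISSAF entry is the only item in the added reference list without a URL, so it should either get one or be marked as having no maintained home. The `2022 CWE Top 25` link points at a dated archive snapshot while the rest of the list cites living documents; the current-edition index `https://cwe.mitre.org/top25/` is the better primary link, with the SANS `top25-software-errors` page kept only as a secondary pointer since it mirrors MITRE's list rather than maintaining its own. Minor: the PTES link is plain `http://` where every other entry is `https://`.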
githubfoam revised this gist
Jan 7, 2025 . 1 changed file with 128 additions and 0 deletions.
@@ -1329,6 +1329,134 @@ msf exploit(wp_ slideshowgallery _upload) > exploit #subdomain enumeration websites https://dnsdumpster.com/ ============================================================================ Gemini explain how to discover all subdomains 1. Manual Methods Google Search: Use the site: operator in Google Search. For example, to find subdomains of "example.com", search for site:example.com. This will display pages indexed by Google that belong to that domain. Look for patterns in the results (e.g., "[invalid URL removed]", "[invalid URL removed]"). Certificate Transparency Logs: Services like crt.sh can reveal subdomains based on SSL/TLS certificates issued for those subdomains. 2. Automated Tools Subfinder: A fast and efficient tool that discovers subdomains by passively using online sources. Amass: A powerful open-source tool for network mapping and subdomain enumeration. dnsrecon: Another effective tool that uses various techniques like DNS enumeration, zone transfers, and certificate transparency to find subdomains. Fierce: A command-line tool that performs DNS brute-forcing and reconnaissance. TheHarvester: A tool that gathers information from various sources, including search engines, shodan, and censys, to find subdomains. 3. Online Services Subdomain Finder Tools: Many online tools and websites offer subdomain discovery services. However, be cautious of their accuracy and potential privacy implications. Important Considerations: Ethical Considerations: Always obtain proper authorization before performing subdomain enumeration on any target. Rate Limiting: Be mindful of rate limits to avoid being blocked by target servers or search engines. Combining Techniques: Using a combination of manual and automated methods often yields the best results. By utilizing these techniques and tools, you can effectively discover subdomains for a given domain. Remember to prioritize ethical and responsible practices during your investigations. 
--------------------------------------------------------------------------------------------------------------------- chatGPT explain how to discover all subdomains Discovering all subdomains of a domain can be useful for penetration testing, bug bounties, or network management. Below are methods to discover subdomains systematically and ethically. Always ensure you have permission to perform these tests. 1. Passive Reconnaissance Using Online Tools Tools like VirusTotal, CRT.sh, and Censys can help you discover subdomains by searching through SSL/TLS certificate transparency logs. How to use: Search for domain.com on the platform. Review the results to identify subdomains. DNS Enumeration Services Websites like Sublist3r and SecurityTrails provide DNS enumeration services to find subdomains. 2. Active Reconnaissance DNS Zone Transfer Use tools like dig or nslookup to attempt a zone transfer (if misconfigured): dig AXFR @nameserver domain.com If successful, the full list of subdomains will be retrieved. Note: DNS zone transfers are rare due to security configurations, and you must have authorization to perform this action. Brute-Forcing Subdomains Use tools like Gobuster, Amass, or Sublist3r to brute-force potential subdomains using wordlists. Example command with Gobuster: gobuster dns -d domain.com -w /path/to/wordlist.txt -o output.txt 3. Using Open-Source Tools Several open-source tools specialize in subdomain discovery: Sublist3r: Enumerates subdomains using search engines and APIs. Amass: Performs in-depth reconnaissance with APIs and brute-forcing. Assetfinder: Finds subdomains using passive techniques. Aquatone: Maps subdomains and gathers screenshots. Example with Sublist3r: sublist3r -d domain.com -o subdomains.txt 4. Search Engine Dorks Use search engines like Google with specific queries to identify subdomains. Example queries: site:*.domain.com inurl:subdomain.domain.com 5. 
Monitoring DNS Logs Tools like SecurityTrails and Spyse monitor DNS logs for changes, revealing new subdomains. 6. Reverse IP Lookup Perform reverse IP lookups to find other domains hosted on the same server, which might include subdomains: Tools like viewdns.info or dnsrecon. 7. Certificate Transparency Logs Check for subdomains in SSL/TLS certificates using: crt.sh Censys CertSpotter Example: Visit crt.sh and search for %domain.com. 8. Check DNS Records Retrieve DNS records to identify subdomains: Use dig or nslookup: dig domain.com any nslookup -type=any domain.com Important Considerations Ethical Use: Only perform subdomain discovery on domains you own or have explicit permission to test. Automate Scans: Use tools like Amass or Sublist3r in combination with cron jobs for continuous monitoring. Respect Legal Boundaries: Always comply with applicable laws and organizational policies. ============================================================================ Google Dorks site:*.domain.com -www -
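Review bot: two of the added commands do not do what the text says. `dig domain.com any` and `nslookup -type=any domain.com` do not enumerate subdomains: ANY only returns records at the queried name, and most resolvers and authoritative servers now answer ANY with a minimal HINFO response (RFC 8482), so step 8 should query the record types that actually leak names (NS, MX, TXT/SPF, SRV) or be dropped. Second, the Gemini section still carries the `"[invalid URL removed]"` placeholders from the chatbot output where example hostnames belong (e.g. `mail.example.com`, `dev.example.com`); fill them in or delete the sentence. Sublist3r is also listed under "DNS Enumeration Services" beside SecurityTrails as if it were a website, but it is a command-line tool and is correctly shown as one in section 3 of the same text. The `Gemini explain ...` / `chatGPT explain ...` markers show this block was pasted from chatbots; keeping that provenance is fine, but the commands needed checking before commit.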
githubfoam revised this gist
Jan 7, 2025 . No changes.
githubfoam revised this gist
Jan 16, 2024 . 1 changed file with 43 additions and 0 deletions.
@@ -1862,5 +1862,48 @@ echo /et${neko}c/pas${poi}swd Use the echo command with parameter expans =========================================================================== list the probable command injection risks to evade filters according to zsh file below: cat ~/.zshrc # ~/.zshrc file for zsh interactive shells. 1. Magic Space Expansion: bindkey ' ' magic-space enables history expansion on space. Attacker could inject commands using a space, potentially bypassing simple filters. Mitigation: Disable magic-space or implement stricter input validation. 2. History Expansion: setopt hist_verify shows expanded commands before execution. Attacker might exploit this for crafted input to reveal sensitive information. Mitigation: Disable hist_verify or implement secure expansion mechanisms. 3. Aliases: Custom aliases could inadvertently introduce injection vulnerabilities. The file lacks custom aliases, but potential risks remain. Mitigation: Thoroughly review aliases for injection risks. 4. Prompt Substitution: setopt promptsubst enables command substitution in the prompt. Attacker could inject commands through crafted prompts. Mitigation: Disable promptsubst unless essential, and sanitize prompt input. 5. Unset Variables: setopt no_unset is not enabled, allowing expansion of unset variables. Attacker could inject commands through crafted input leveraging unset variables. Mitigation: Enable no_unset to treat unset variables as errors. Additional Security Considerations: Application-Specific Behavior: Analyze application logic for injection vulnerabilities even with secure shell configuration. Secure Coding Practices: Implement robust input validation and sanitization within applications. Regular Updates: Keep Zsh and applications updated for security patches and enhancements. Secure Aliases: Review existing aliases and create new ones with caution. Restricted Mode for Scripts: Consider setopt restricted_shell for scripts to limit execution capabilities. 
Thorough Testing: Regularly test for injection vulnerabilities with various inputs. Recommendations: Disable unnecessary features like magic-space, hist_verify, and promptsubst if not strictly required. Enable no_unset to prevent expansion of unset variables. Implement strict input validation and sanitization in applications. Stay updated with Zsh and application security patches. =========================================================================== -
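Review bot: the risk list is largely backwards for its stated purpose. `~/.zshrc` is read only by interactive shells; a command injected through an application is run via `sh -c` or `zsh -c` non-interactively and never sees `bindkey ' ' magic-space`, `hist_verify` or `promptsubst`, so items 1, 2 and 4 do not bear on application-level command injection at all. Item 2 also inverts the option: `hist_verify` is a safeguard that reloads an expanded `!` history reference into the line editor instead of executing it, so the mitigation should keep it on rather than disable it. `promptsubst` is a real concern only when untrusted strings (directory names, git branch names) are interpolated into `PS1`/`RPROMPT`, and item 5 conflates `no_unset` (which turns an unset-variable expansion into an error) with injection prevention. Finally, `setopt restricted_shell` is not a zsh option; the option is `RESTRICTED` (`setopt restricted`, or start the shell as `zsh -r` / `rzsh`).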
githubfoam revised this gist
Jan 16, 2024 . 1 changed file with 202 additions and 0 deletions.
@@ -1659,6 +1659,208 @@ Security Awareness Training: Use Case: Simulate attacks to test the organization's security awareness. Metasploit Module: Various modules for social engineering attacks. =========================================================================== =========================================================================== Methods of Filter Bypass: Quoting and Escaping: Attackers use quotes (single, double, backslashes) to break out of intended commands or escape special characters. cat /e"t"c/pa"s"swd cat /'e'tc/pa's' swd Whitespace Insertion: They insert extra spaces or characters to confuse filters that rely on exact string matching. cat /etc/pa ?? wd Wildcards: They use wildcards (*) to match multiple characters and bypass filters that don't handle them correctly. cat /etc/pa*wd Commenting: They add comments (#) to create invalid commands that filters might ignore, allowing malicious code to slip through. Mitigation Techniques: Input Validation: Sanitize User Input: Remove or escape special characters and command delimiters before processing. Whitelisting: Allow only specific, known-safe characters and patterns. Parameterized Queries: Use prepared statements or stored procedures to separate data from commands, preventing injection. Least Privilege: Run applications with minimal permissions to limit potential damage from successful injection. Regular Security Updates: Patch vulnerabilities in web applications, frameworks, and libraries promptly. Web Application Firewalls (WAFs): Deploy WAFs to detect and block common injection attacks. Security Testing: Conduct regular penetration testing and vulnerability scanning to identify injection risks. Secure Coding Practices: Educate developers on secure coding principles to prevent injection vulnerabilities in the first place. Additional Tips: Context-Aware Encoding: Use appropriate encoding for different contexts (e.g., URLs, HTML, SQL). 
Output Escaping: Escape user-supplied data before displaying it to prevent cross-site scripting (XSS). Input Length Limits: Enforce reasonable input length restrictions to reduce injection possibilities =========================================================================== Command Injection - Filter Bypass refers to the manipulation of input data in order to bypass filters or restrictions that have been put in place to prevent command injection attacks. Command injection occurs when an attacker is able to inject malicious commands into a system, usually by exploiting vulnerabilities in applications that allow user input to be included in commands that are executed by the operating system. In the examples you provided, the attacker is attempting to manipulate the input in various ways to bypass filters and execute the cat /etc/passwd command. Here's a breakdown of each attempt: cat /etc/passwd: The original command that the attacker wants to execute. cat /e"t"c/pa"s"swd: Using double quotes to break the command into parts, hoping to bypass a filter. cat /'e'tc/pa's' swd: Using single quotes to break the command into parts, again attempting to bypass a filter. cat /etc/pa ?? wd: Introducing spaces to potentially confuse filters or break the command into parts. cat /etc/pa*wd: Using wildcards (*) to potentially match and include additional characters. cat /et' 'c/passw' 'd: Inserting spaces between characters to potentially bypass filters. Mitigation for Command Injection - Filter Bypass: Input Validation and Sanitization: Validate and sanitize user inputs to ensure that they adhere to expected formats and patterns. Use whitelisting to allow only known good inputs. Parameterized Queries: Use parameterized queries in database operations to avoid concatenating user inputs directly into SQL queries. Least Privilege Principle: Ensure that applications and processes run with the least privilege necessary to perform their functions. 
Avoid running processes with elevated privileges. Command Whitelisting: Define a whitelist of allowed commands and parameters, and reject any input that does not match the predefined criteria. Regular Expression Filters: Use regular expressions to filter and validate user inputs. Define patterns that are allowed and reject anything that deviates from the expected pattern. Security Awareness Training: Train developers and administrators about secure coding practices and the risks associated with command injection attacks. Web Application Firewalls (WAF): Implement a WAF to detect and block known command injection patterns. It's important to note that security measures should be implemented in layers, and no single solution is foolproof. A combination of secure coding practices, input validation, and monitoring can significantly reduce the risk of command injection attacks. =========================================================================== Command Injection is a type of security vulnerability where an application allows an attacker to execute arbitrary system commands by manipulating input data. In the context of your examples, it involves injecting malicious commands into a system command that the application constructs and executes. Here are the provided examples and some mitigation strategies: Original Command: cat /etc/passwd Explanation: This command reads the system’s password file. Mitigation: Avoid Direct OS Commands: Instead of directly executing OS commands, use built-in library functions specific to your programming language. For instance, use mkdir() instead of system("mkdir /dir_name"). Parameterization: If you must call system commands, use structured mechanisms that separate data from the command. Parameterize user input to prevent direct concatenation with the command. Malformed Command: cat /e"t"c/pa"s"swd Explanation: The attacker tries to bypass filters by using double quotes within the command. 
Mitigation: Escape Values: Use functions like escapeshellarg() (available in PHP) to escape user input. It surrounds input in single quotes, preventing direct injection. For example, escapeshellarg("cat /etc/passwd") would render as cat '/etc/passwd'. Malformed Command: cat /'e'tc/pa's' swd Explanation: The attacker uses single quotes to evade filters. Mitigation: Similar to the previous case, use proper escaping functions to handle user input. Malformed Command: cat /etc/pa ?? wd Explanation: The attacker introduces spaces and question marks. Mitigation: Input Validation: Validate user input to ensure it adheres to expected formats. Reject unexpected characters. Whitelisting: Allow only specific characters or patterns (whitelisting) rather than trying to blacklist harmful ones. Malformed Command: cat /etc/pa*wd Explanation: The attacker uses a wildcard (*) to bypass filters. Mitigation: Sanitize Input: Remove or escape special characters like * before constructing the command. Parameterization: Use parameterized queries or prepared statements to separate data from the command. Malformed Command: cat /et' 'c/passw' 'd Explanation: The attacker adds spaces within the command. Mitigation: Input Validation: Validate input to prevent unexpected spaces. Parameterization: Always separate user input from the command structure. Remember, defense against command injection involves a combination of avoiding direct OS commands, proper input validation, and parameterization. Implement these practices to reduce the risk of such vulnerabilities in your applications. =========================================================================== The command cat /e"t"c/pa"s"swd is an attempt to inject and execute the command cat /etc/passwd while evading filters or input validation mechanisms. Whether this evasion is successful depends on how well the specific shell being used handles or sanitizes double quotes within user input. 
Potential Shells where Evasion May Work: Shells with Weak Input Handling: Shells that do not properly handle or sanitize user input may be susceptible to this evasion attempt. Specific Versions of Bash or Other Shells: Some versions of shells, including Bash, may have variations in their behavior based on the specific version and configuration. How to Verify if a Shell is Susceptible: Test with Simple Commands: Attempt to inject simple commands containing special characters (e.g., quotes, semicolons) to observe how the shell handles them. For example: bash Copy code echo "test" Use echo to Inspect Input: Use echo to see how the shell interprets and prints the input. For example: bash Copy code echo /e"t"c/pa"s"swd Check Shell Version and Configuration: Verify the version of the shell in use and check its configuration settings to understand how it handles special characters in user input. For example: bash Copy code echo $BASH_VERSION =========================================================================== how to verify the shell version and configuration, focusing on special character handling: 1. Determine the Shell: Current Shell: Type echo $SHELL to reveal the current shell. 2. Check Shell Version: Bash: bash --version Zsh: zsh --version Other Shells: <shell_name> --version or <shell_name> -v 3. Review Configuration: Global Configuration Files: Bash: /etc/bashrc, ~/.bashrc Zsh: /etc/zshrc, ~/.zshrc Others: Consult shell's documentation for configuration files. =========================================================================== To check Zsh configuration settings and understand how it handles special characters, especially for the command injection attempt cat /e"t"c/pa"s"swd, you can follow these steps: 1. Check Zsh Version: bash Copy code echo $ZSH_VERSION This command will display the version of Zsh. 2. 
Inspect Special Character Handling: bash Copy code echo /e"t"c/pa"s"swd Test how Zsh handles special characters by attempting to inject the command. Observe if the output is as expected or if it successfully interprets the injected command. 3. Check Zsh Options: bash Copy code setopt Use the setopt command to see the current options configured in Zsh. Look for options related to command interpretation and special character handling. 4. Check Zsh Interactive Shell Configuration: bash Copy code cat ~/.zshrc Inspect the user-specific Zsh configuration file (usually ~/.zshrc). Look for any settings or options that might affect how Zsh handles special characters. Read Zsh Manual: bash Copy code man zsh Refer to the Zsh manual (man zsh) for comprehensive information about configuration options, special characters, and syntax. Look for sections related to security and input handling. 7. Test with Echo and Parameter Expansion: bash Copy code echo /et${neko}c/pas${poi}swd Use the echo command with parameter expans =========================================================================== =========================================================================== -
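Review bot: several of the "filter bypass" payloads are broken and will not produce `cat /etc/passwd`, so the explanations attached to them are wrong. `cat /etc/pa ?? wd` is three separate arguments (`/etc/pa`, a two-character glob `??` that matches files in the current directory, and `wd`); the working form is `cat /etc/pa??wd` with no spaces, where `?` matches one character each. `cat /'e'tc/pa's' swd` likewise splits into `/etc/pas` and `swd`, and `cat /et' 'c/passw' 'd` embeds literal spaces into the path (`/et c/passw d`), which does not exist; the real whitespace-evasion tricks are `${IFS}` substitution (`cat${IFS}/etc/passwd`) and brace expansion (`{cat,/etc/passwd}`). Only `/e"t"c/pa"s"swd`, `/etc/pa*wd` and the later `/et${neko}c/pas${poi}swd` (unset variables expanding to nothing) behave as described. The mitigation lists also import "parameterized queries / prepared statements" from SQL injection; the equivalent for OS commands is invoking the program with an argv array and no shell, or, if a shell is unavoidable, per-argument quoting in the `escapeshellarg` style the later paragraph describes. The `bash Copy code` fragments are button residue from the chat UI and should be removed, and the zsh checklist numbering jumps from 4 to 7.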
githubfoam revised this gist
Jan 14, 2024 . 1 changed file with 1 addition and 0 deletions.
@@ -1659,5 +1659,6 @@ Security Awareness Training: Use Case: Simulate attacks to test the organization's security awareness. Metasploit Module: Various modules for social engineering attacks. =========================================================================== =========================================================================== -
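Review bot: this revision adds only a second `=====` divider directly under an identical one, leaving a doubled separator at the end of the Metasploit section; if it was meant as a placeholder for the filter-bypass notes added two days later, fold it into that revision or drop it.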
githubfoam revised this gist
Jan 12, 2024 . 1 changed file with 114 additions and 0 deletions.
@@ -1546,4 +1546,118 @@ docker run --pull always It's common to see -it instead of --interactive --tty It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== #Bard Running a network scan to detect network services in the organization DMZ Running a network scan in the corporate DMZ requires careful consideration and the right tools to avoid disrupting operations and compromising security. Here are some suitable tools with examples of their application: 1. Nmap: This versatile open-source scanner offers various features for DMZ scans, including: TCP SYN scan: Basic scan identifying open ports with minimal impact. (Example: nmap -sS 192.168.1.0/24) UDP scan: Detects services relying on UDP like DNS or SNMP. (Example: nmap -sU 192.168.1.0/24) Xmas scan: Steathy scan using unusual flag combinations, but less reliable due to potential firewall filtering. (Example: nmap -sX 192.168.1.0/24) Service version detection: Identifies specific application versions running on detected ports. (Example: nmap -sV 192.168.1.0/24) 2. Nessus: This commercial vulnerability scanner provides deeper analysis beyond port discovery, including: Vulnerability scans: Identifies known vulnerabilities in detected services and software versions. Exploit detection: Tests for potential exploits based on identified vulnerabilities. Misconfiguration checks: Discovers common misconfigurations that could weaken security. (Example: Run Nessus scan targeting the DMZ IP range and configure relevant vulnerability and misconfiguration checks) 3. Netdiscover: This lightweight tool helps discover active devices in the DMZ network: ARP scans: Identifies devices based on their MAC addresses and IP addresses. Ping scans: Checks for active devices responding to ICMP ping requests. 
(Example: netdiscover -r 192.168.1.0/24 to locate active devices in the DMZ) 4. Nmap Scripting Engine (NSE): For advanced needs, Nmap offers custom scripts to gather specific information about discovered services. (Example: Use the "http-headers" NSE script to retrieve HTTP headers from web servers on identified ports) Remember: Always obtain proper authorization before scanning any network, including the DMZ. Choose scan options with minimal disruption to ongoing operations. Document your scan procedures and findings for future reference and audits. Consider combining tools for a more comprehensive understanding of the DMZ services and potential vulnerabilities. By choosing the right tools and applying responsible scanning practices, you can effectively detect network services in the corporate DMZ while safeguarding security and network stabilit =========================================================================== #ChatGPT Running a network scan to detect network services in the organization DMZ When running a network scan to detect network services in the corporate DMZ (Demilitarized Zone), various tools can be used for different purposes, including identifying open ports, services, and potential vulnerabilities. Here are a few tools commonly used for network scanning: Nmap: Example: nmap -p- -sV <DMZ_IP> Description: Nmap is a versatile and widely used network scanning tool. The command above scans all 65,535 ports (-p-) and attempts to identify services (-sV) on the specified DMZ IP address. Masscan: Example: masscan -p1-65535 <DMZ_IP> Description: Masscan is a high-performance port scanner that can quickly scan large ranges of IP addresses and ports. The example command scans all ports on the specified DMZ IP address. Netcat (nc): Example: nc -zv <DMZ_IP> 1-1000 Description: Netcat can be used to perform simple port scans. The example command performs a port scan on the first 1000 ports of the specified DMZ IP address. 
Wireshark: Example: Capture traffic during a network scan. Description: Wireshark is a network protocol analyzer that can be used to capture and analyze the packets exchanged during a network scan. It helps in understanding the communication patterns and potential vulnerabilities. Nessus: Example: Nessus scans targeting specific vulnerabilities. Description: Nessus is a powerful vulnerability scanner that can identify vulnerabilities in network services. It goes beyond simple port scanning and provides detailed information about potential security issues. Metasploit: Example: Utilize Metasploit modules for service-specific exploits. Description: Metasploit is a penetration testing framework that includes various modules for exploiting known vulnerabilities. It can be used to validate the security of services identified during a network scan. =========================================================================== #ChatGPT Metasploit is a powerful penetration testing framework that includes various tools for exploiting and assessing vulnerabilities in networks and systems. When running a network scan to detect network services in the organization's DMZ (Demilitarized Zone), Metasploit can be strategically employed for specific use cases: Service Identification and Version Detection: Use Case: Identify and fingerprint services running on open ports in the DMZ. Metasploit Module: auxiliary/scanner/portscan/tcp Vulnerability Scanning: Use Case: Discover known vulnerabilities in services within the DMZ. Metasploit Module: auxiliary/scanner/http/http_version Exploitation Verification: Use Case: Validate the exploitability of discovered vulnerabilities. Metasploit Module: Various modules specific to the identified vulnerabilities. Password Cracking: Use Case: Test weak or default credentials on services like FTP, SSH, or SMB. 
Metasploit Module: auxiliary/scanner/ssh/ssh_login, auxiliary/scanner/smb/smb_login Client-Side Attacks: Use Case: Exploit client-side vulnerabilities in web browsers or applications. Metasploit Module: exploit/windows/browser Brute-Force Attacks: Use Case: Attempt to gain unauthorized access by brute-forcing credentials. Metasploit Module: auxiliary/scanner/ftp/ftp_login, auxiliary/scanner/ssh/ssh_login Post-Exploitation Actions: Use Case: After compromising a system, perform post-exploitation activities. Metasploit Module: Various post-exploitation modules for lateral movement, privilege escalation, etc. Denial-of-Service Testing: Use Case: Assess the resilience of services in the DMZ against DoS attacks. Metasploit Module: auxiliary/dos/tcp/synflood Payload Delivery and Meterpreter: Use Case: Deploy Meterpreter for remote access and control. Metasploit Module: Various payloads, e.g., windows/meterpreter/reverse_tcp Security Awareness Training: Use Case: Simulate attacks to test the organization's security awareness. Metasploit Module: Various modules for social engineering attacks. =========================================================================== -
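Review bot: the Metasploit use-case table pairs several use cases with modules that do something else. `auxiliary/scanner/portscan/tcp` is a bare port scanner, not service or version fingerprinting (use `nmap -sV` or the protocol-specific `auxiliary/scanner/*/*_version` modules); `auxiliary/scanner/http/http_version` only grabs the `Server` banner and is not a vulnerability scanner; `exploit/windows/browser` is a module directory, not a module. More importantly, `auxiliary/dos/tcp/synflood` against live DMZ services directly contradicts the "minimal disruption to ongoing operations" guidance a few lines above and does not belong in an enumeration runbook. Smaller points: "Steathy" should be "Stealthy"; `-sX` (Xmas) reports every port closed against Windows and is filtered by most stateful firewalls, so it is not the quiet option the text implies; and `nc -zv <DMZ_IP> 1-1000` covers TCP only (add `-u` for UDP).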
githubfoam revised this gist
Jan 12, 2024 . 1 changed file with 0 additions and 895 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -619,892 +619,7 @@ nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80 nmap -p80 192.169.42.3 -oG -|nikto -h - nmap -p0-65535 192.168.2.7 ---------------------------------------------------------------------------------------------------- #system who is using the id field or increments it when sending packets out, these systems are called "idle systems" @@ -2277,16 +1392,7 @@ TimeCreated Id LevelDisplayName Message #Clear the log events PS HKLM:\> wevtutil cl Security PS HKLM:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -MaxEvents 50 | ForEach-Object { $_.Properties } ============================================================================ #detect if a domain is hosting a Git service, ChatGPT @@ -2441,4 +1547,3 @@ docker run --pull always It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== -
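Review bot: this revision removes 895 lines with no message saying what was dropped, and the rendered diff shows only the surviving context at @@ -619,892 +619,7 @@ and @@ -2277,16 +1392,7 @@; the region starting at line 619 is where the Jan 11 revisions below inserted the ACK, inverse-flag and UDP scanning write-ups, so those appear to be the material being deleted, but a one-line reason (for example that the sections were duplicated drafts) would save a later reader from diffing the revisions by hand. In the second hunk the retained context places `wevtutil cl Security` directly before the `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102}` query; a comment that 1102 is the Security log's "audit log was cleared" event, i.e. the record that clearing the log itself generates and that defenders alert on, would explain why the two lines belong together.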
githubfoam revised this gist
Jan 12, 2024 . 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2441,3 +2441,4 @@ docker run --pull always It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== -
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 244 additions and 1 deletion.
@@ -619,7 +619,250 @@ nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80 nmap -p80 192.169.42.3 -oG -|nikto -h - nmap -p0-65535 192.168.2.7 ---------------------------------------------------------------------------------------------------- #ACK (Acknowledgment) flag scanning ACK flag scanning, like a digital archaeologist brushing away the dust of forgotten ports, sheds light on closed ports and potential vulnerabilities hiding in the silent corners of your network. Let's explore how Scapy, a powerful Python-based network manipulation tool, empowers you to perform targeted ACK scans and uncover hidden threats. Crafting the ACK Probe: Scapy's intuitive syntax allows you to build custom TCP packets with specific flags. Here's how to craft a simple ACK probe aimed at port 22 (SSH) of a target host: Python from scapy.all import * # Define target IP and port target_ip = "192.168.1.100" target_port = 22 # Build the ACK packet with no SYN or FIN flag ack_packet = TCP(dport=target_port, flags="A") # Send the packet to the target send(IP(dst=target_ip)/ack_packet) Use code with caution. Learn more This code snippet creates a TCP packet with the destination port set to 22 and the ACK flag set, but no SYN or FIN flags. Scapy offers extensive options for customizing this packet, including setting source ports, adding payloads, and modifying other TCP flags. Interpreting the Responses: Scapy captures and analyzes the responses to your ACK probes, helping you decipher what's lurking behind the closed port: RST (Reset) Flag: If the port is truly closed and properly configured, the target will respond with an RST flag, confirming closure. No Response: A silent response might indicate a filtered port by a firewall or simply a misconfigured system ignoring the unexpected ACK probe. Unexpected Flags/Data: In rare cases, vulnerable systems might respond with unexpected flags or data, potentially revealing a security flaw or misconfiguration. 
Going Beyond Basic ACK Scans: Scapy's flexibility allows you to perform advanced and targeted ACK scans: Port Scans: Scan a range of ports or specific services to identify potentially vulnerable closed ports. Banner Grabbing: Craft specific ACK probes that trigger some systems to return service banners, revealing their identities and potential vulnerabilities. Vulnerability Testing: Build customized ACK probes based on known vulnerabilities in specific services, like OS fingerprinting or exploiting misconfigurations. Benefits of Scapy for ACK Flag Scanning: Customization: Build precise ACK probes tailored to your specific needs and target systems. Advanced Features: Utilize functionalities like banner grabbing and vulnerability testing for in-depth analysis. Scripting & Automation: Develop custom scripts for automated and repetitive ACK scanning tasks. Challenges and Limitations: Complexity: Scapy requires an understanding of network protocols and Python programming. False Positives: Interpreting responses can be challenging, and silence might not necessarily indicate a truly closed port. Evasion Techniques: Attackers might employ techniques to mask their presence from ACK scans, necessitating advanced detection methods. Conclusion: Scapy empowers you to become a digital sleuth, delving into the shadows of closed ports and unearthing potential vulnerabilities that traditional tools might miss. By crafting custom ACK probes, analyzing responses, and utilizing advanced features, you can gain valuable insights into your network's security posture and proactively address hidden threats. Remember, silence in the network realm doesn't always signify peace, and by actively probing with Scapy and ACK flag scanning, you can secure your systems and stay ahead of lurking dangers. 
Additional Resources: Scapy Documentation: https://scapy.net/: https://scapy.net/ Scapy Packet Manipulation Tutorial: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy Network Security with Scapy: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/ By mastering Scapy and ACK flag scanning, you can transform the silent shadows of closed ports into a source of security intelligence, safeguarding your network against unforeseen threats lurking in the darkness. ---------------------------------------------------------------------------------------------------- #ACK (Acknowledgment) flag scanning ACK (Acknowledgment) flag scanning involves sending TCP packets with only the ACK flag set to determine the state of TCP ports on a target system. This scanning technique is useful for identifying filtering devices, firewalls, or stateful packet inspection mechanisms. 
Below is an example of ACK flag scanning using the Scapy library in Python: python Copy code from scapy.all import * # Define the target IP address target_ip = "192.168.1.1" # Define the target port to scan target_port = 80 # Craft a TCP packet with only the ACK flag set ack_packet = IP(dst=target_ip) / TCP(dport=target_port, flags="A") # Send the packet and wait for a response (timeout set to 1 second) response = sr1(ack_packet, timeout=1, verbose=0) # Analyze the response if response: if response.haslayer(TCP): if response.getlayer(TCP).flags == 0x04: # RST print(f"Port {target_port}/TCP is closed") elif response.getlayer(TCP).flags == 0x14: # RST/ACK print(f"Port {target_port}/TCP is open") else: print(f"Port {target_port}/TCP state is unknown or filtered") In this example using Scapy: IP(dst=target_ip): Creates an IP packet with the destination IP address set to the target IP. TCP(dport=target_port, flags="A"): Creates a TCP packet with the destination port set to the target port and only the ACK flag set. sr1(ack_packet, timeout=1, verbose=0): Sends the crafted packet and waits for a response. The timeout parameter sets the maximum time to wait for a response. The script then analyzes the response: If a TCP RST (Reset) packet is received, it indicates that the port is closed. If a TCP RST/ACK (Reset/Acknowledgment) packet is received, it suggests that the port is open. If no response is received, the script considers the port state as unknown or filtered. Keep in mind that ACK flag scanning may not be as reliable as other scanning techniques, as many firewalls and security devices are configured to detect and handle unexpected or unusual flag combinations. Additionally, the effectiveness of scanning may vary depending on the target system's configuration. Always ensure that you have proper authorization before conducting any scanning activities, as unauthorized scanning can lead to legal consequences. 
Compliance with applicable laws and regulations is essential. ---------------------------------------------------------------------------------------------------- #ACK (Acknowledgment) flag scanning ACK (Acknowledgment) flag scanning is a technique used in network reconnaissance to determine the state of TCP ports on a target system. Unlike regular TCP SYN scans where the SYN flag is set, ACK scans set only the ACK flag in the TCP packet. This type of scan is often used to identify filtering devices, firewalls, or stateful packet inspection mechanisms. Here's an example of using Nmap for ACK flag scanning: bash Copy code nmap -sA target_ip In this example: -sA: This Nmap option specifies the use of ACK flag scanning. Nmap sends TCP packets with only the ACK flag set and analyzes the responses from the target system. The interpretation of the responses is as follows: Open Port: If Nmap receives no response, it suggests that the port is unfiltered and open. Closed Port: If Nmap receives a TCP RST (Reset) packet in response, it indicates that the port is closed. Filtered Port: If Nmap receives a TCP RST/ACK (Reset/Acknowledgment) packet, it suggests that the port is filtered. Alternatives to Nmap for ACK scanning include other network scanning tools that support similar functionality. One such alternative is Hping3. Here's an example using Hping3: bash Copy code hping3 -A target_ip In this example: -A: This Hping3 option specifies ACK flag scanning. Similar to Nmap, Hping3 sends TCP packets with only the ACK flag set and analyzes the responses to determine the state of the TCP ports. Keep in mind that ACK scanning has limitations and may not be as reliable as other scanning techniques. Many modern firewalls and intrusion detection/prevention systems are configured to detect and handle unexpected or unusual flag combinations, including ACK-only packets. Additionally, some operating systems may respond differently to ACK scans. 
Always ensure that you have proper authorization before performing any scanning activities, as unauthorized scanning can lead to legal consequences. It's important to comply with applicable laws and regulations. ---------------------------------------------------------------------------------------------------- #Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping," Below is a hypothetical example demonstrating the concept of inverse TCP flag scanning using Scapy: python Copy code from scapy.all import IP, TCP, sr1 # Define the target IP address target_ip = "192.168.1.1" # Define the target port to scan target_port = 80 # Craft a TCP packet with inverted flags (e.g., setting the ACK flag) tcp_packet = IP(dst=target_ip) / TCP(dport=target_port, flags="A") # Send the packet and wait for a response (timeout set to 1 second) response = sr1(tcp_packet, timeout=1, verbose=0) # Analyze the response if response: if response.haslayer(TCP): if response.getlayer(TCP).flags == 0x14: # RST/ACK print(f"Port {target_port}/TCP is closed") elif response.getlayer(TCP).flags == 0x04: # RST print(f"Port {target_port}/TCP is open") else: print(f"Port {target_port}/TCP state is unknown or filtered") In this example, the TCP packet is crafted with the ACK (Acknowledgment) flag set. The script then sends the packet to the target and analyzes the response. If a TCP RST/ACK (Reset/Acknowledgment) is received, it indicates that the port is closed. If a TCP RST (Reset) is received, it suggests that the port is open. If no response is received, the script considers the port state as unknown or filtered. ---------------------------------------------------------------------------------------------------- #Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping," Traditional TCP scans focus on identifying open ports, but what about the silent majority - the closed ports? 
Enter Inverse TCP Flag Scanning, a technique that flips the script, using malformed TCP flags to identify closed ports and potentially uncover hidden vulnerabilities. Let's delve into this intriguing method, exploring its capabilities with nmap and alternative tools. The Logic of the Inverse: Instead of seeking responses from open ports, inverse TCP flag scanning sends probes with specific, unusual TCP flags to elicit responses from closed ports: FIN Probe: Sending a FIN flag (signifying an intent to close a connection) to a closed port should elicit a RST (reset) flag response, confirming the port is indeed closed. XMAS Probe: Combining FIN, PSH (push data), and URG (urgent data) flags creates a "malformed" packet that shouldn't be accepted by any open or listening service. A closed port, however, might respond with an RST/ACK flag combination as a generic rejection. NULL Probe: Sending only the ACK flag with no SYN (synchronize) flag triggers a RST/ACK response from closed ports, similar to the XMAS probe. Unveiling the Shadows: By analyzing responses to these atypical probes, network defenders can: Identify Closed Ports: This provides a more complete picture of network services, aiding in vulnerability assessments and intrusion detection. Uncover Firewalled Services: Some firewalls might block SYN packets (used in traditional scans) while allowing other flags, revealing services hidden from standard scans. Detect Misconfigured Systems: Certain systems might respond to malformed probes in unexpected ways, potentially indicating vulnerabilities or misconfigurations. Examples with nmap: nmap offers the -sF, -sX, and -sN options for FIN, XMAS, and NULL scans, respectively. You can combine these options with other nmap features like port ranges and timing options to tailor your scans. 
Alternative Tools: Hping3: This powerful packet crafting and injection tool allows sending custom TCP probes with specific flag combinations, enabling advanced inverse scans and vulnerability testing. ZMap: This high-performance scanner can perform large-scale TCP scans, including inverse flag scans, with impressive speed and efficiency. Scapy: As a Python-based network packet manipulation tool, Scapy provides the flexibility to design and send arbitrary TCP probes with any flag combination, empowering advanced users to craft custom inverse scans. Benefits of Inverse TCP Flag Scanning: Complements Traditional Scans: Provides a more comprehensive view of network services and potential vulnerabilities. Bypasses Firewalls: Can detect services hidden from standard scans due to firewall filtering. Proactive Defense: Helps identify misconfigured systems and potential attack vectors. Challenges and Limitations: False Positives: Some applications might respond to malformed probes in unexpected ways, leading to misinterpretation. Evasion Techniques: Attackers might employ techniques to mask their presence from inverse scans, requiring advanced detection methods. Resource Intensive: Certain scanning tools, like ZMap, can be resource-intensive on large networks. Conclusion: Inverse TCP flag scanning offers a valuable tool for network defenders by shining a light on the often-ignored realm of closed ports. By employing nmap and its alternatives, you can gain a deeper understanding of your network services, uncover potential vulnerabilities, and strengthen your overall security posture. 
Remember, knowledge is power, and by mastering the art of inverse scanning, you can become a digital Sh ---------------------------------------------------------------------------------------------------- #Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping," Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping," is a technique used in network reconnaissance to determine the state of TCP ports on a target system. Instead of sending regular TCP packets with specific flags set, this technique involves inverting the flags to observe how the target system responds. Inverse TCP flag scanning can help evade some firewall and intrusion detection system (IDS) rules that may be configured to detect specific flag combinations. Here's an example using Nmap, a popular open-source network scanning tool: bash Copy code nmap -sF target_ip In this example: -sF: This Nmap option specifies the use of inverse TCP flag scanning. It sets the FIN (Finish) flag for the scan. Nmap sends TCP packets with the FIN flag set and analyzes the responses from the target system. The interpretation of the responses is as follows: Open Port: If Nmap receives a TCP RST (Reset) packet in response, it indicates that the port is open. Closed Port: If Nmap receives no response or a TCP RST/ACK (Reset/Acknowledgment) packet, it suggests that the port is closed. Filtered Port: If Nmap receives no response, it may indicate that a firewall or other network filtering device is blocking the packets, making it difficult to determine the state of the port. It's important to note that inverse TCP flag scanning is not foolproof. Some firewalls and security devices may be configured to detect and handle unusual or unexpected flag combinations, potentially leading to inaccurate results. Alternative tools, such as Hping3, also support inverse TCP flag scanning. 
Here's an example using Hping3: bash Copy code hping3 -F target_ip In this example: -F: This Hping3 option sets the FIN flag for the scan, similar to the Nmap example. Just like with Nmap, Hping3 will send TCP packets with the FIN flag set and analyze the responses to determine the state of the TCP ports. Keep in mind that the effectiveness of inverse TCP flag scanning may vary depending on the target system's configuration and the network environment. Additionally, using scanning techniques like this should comply with applicable laws and regulations and should only be performed on systems and networks that you have explicit permission to test. Unauthorized scanning can lead to legal consequences. ---------------------------------------------------------------------------------------------------- UDP (User Datagram Protocol) scanning is a technique used in network reconnaissance to discover open UDP ports on a target system. Unlike TCP, UDP is connectionless and doesn't establish a session before exchanging data. As a result, UDP scanning can be more challenging due to the lack of acknowledgment or response from closed ports. Here's an example of UDP scanning using Nmap and its alternatives: Nmap Example: To perform a basic UDP scan using Nmap, you can use the following command: -
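Review bot: the three ACK-scan and three inverse-flag sections in the @@ -619,7 +619,250 @@ hunk contradict each other and nmap's documented semantics, so a reader cannot tell which interpretation to trust. An ACK scan can only distinguish filtered from unfiltered: an RST reply means unfiltered (whether the port is open or closed cannot be determined), and no reply means filtered. Yet the first Scapy script reports `flags == 0x04` as "closed" and `0x14` as "open", the next script (labelled inverse scanning but sending the same `flags="A"` probe) reports the reverse, and the nmap paragraph states "Open Port: If Nmap receives no response, it suggests that the port is unfiltered and open". The FIN-scan paragraph is inverted the same way: for -sF an RST means closed and silence means open|filtered, not "If Nmap receives a TCP RST (Reset) packet in response, it indicates that the port is open". Two smaller points: the NULL probe is described as "Sending only the ACK flag with no SYN flag", but a NULL scan sets no flags at all (that sentence describes an ACK probe), and the first Scapy snippet uses `send()`, which returns nothing, while the prose claims "Scapy captures and analyzes the responses"; use `sr1()` with a timeout as the later scripts do. I'd consolidate this into one ACK section and one FIN/NULL/XMAS section with a single response table.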
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 46 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -690,7 +690,7 @@ Beyond nmap: Alternative Tools: Nmap Scripting Engine (NSE): nmap scripts can be used to perform advanced UDP scanning and service identification, such as detecting specific vulnerabilities or fingerprinting applications. Scapy: This Python-based tool allows crafting custom UDP packets for targeted vulnerability tests and research. Benefits of UDP Scanning: Vulnerability Detection: Identifies potential threats and misconfigurations hiding in the UDP realm. 
@@ -763,6 +763,50 @@ Network Security with Scapy: https://null-byte.wonderhowto.com/how-to/create-pac By mastering Scapy and UDP scanning, you can transform the silent protocol from a potential risk into a valuable source of security intelligence, safeguarding your network against unseen threats. ---------------------------------------------------------------------------------------------------- #UDP Scanning UDP (User Datagram Protocol) scanning is a network reconnaissance technique used to discover open UDP ports on a target system. Unlike TCP (Transmission Control Protocol), UDP is connectionless and does not establish a reliable connection before exchanging data. UDP scanning involves sending UDP packets to various port numbers on a target system and analyzing the responses, if any. Here's an example of UDP scanning using Scapy, a powerful Python library for packet manipulation: python Copy code from scapy.all import * # Define the target IP address target_ip = "192.168.1.1" # Define the range of UDP ports to scan (for example, ports 1 to 100) udp_ports = range(1, 101) # Loop through each port and send a UDP packet for port in udp_ports: # Craft a UDP packet with an empty payload udp_packet = IP(dst=target_ip)/UDP(dport=port) # Send the packet and wait for a response (timeout set to 1 second) response = sr1(udp_packet, timeout=1, verbose=0) # Check if a response was received if response: # Analyze the response if response.haslayer(UDP): print(f"Port {port}/UDP is open") elif response.haslayer(ICMP): if int(response.getlayer(ICMP).type) == 3 and int(response.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]: print(f"Port {port}/UDP is closed") else: print(f"Port {port}/UDP state is unknown") else: print(f"Port {port}/UDP is open/filtered (no response)") In this example: IP(dst=target_ip) creates an IP packet with the destination IP address set to the target IP. UDP(dport=port) creates a UDP packet with the destination port set to the current port in the loop. 
sr1(udp_packet, timeout=1, verbose=0) sends the crafted UDP packet and waits for a response. The timeout parameter sets the maximum time to wait for a response. The script then analyzes the response. If a UDP response is received, it indicates that the port is open. If an ICMP (Internet Control Message Protocol) response is received with a specific type and code, it may indicate that the port is closed. If no response is received, the port is considered open/filtered. Keep in mind that UDP scanning can be less reliable than TCP scanning, as UDP is connectionless, and some systems may not respond to UDP packets even if the port is open. Additionally, firewalls may block or filter UDP packets, making it challenging to accurately determine the state of a UDP port. ---------------------------------------------------------------------------------------------------- IP Fragment Scanning with Nmap can be enhanced using the --scanflags option, which allows you to set specific TCP flags to improve the detection of services that might be hidden within fragmented packets. This technique involves manipulating TCP flags in fragmented packets to evade detection by security systems. Below is an example of how to use the --scanflags option in Nmap for IP Fragment Scanning: @@ -826,7 +870,7 @@ packet[IP].frag = 0 # Set the Fragment Offset to 0 send(packet) This Scapy script sends a single, unfragmented ICMP packet with the Don't Fragment (DF) flag set. ---------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------- #To get around this, nmap can also send a TCP ACK packet to (by default) port 80. #If the remote machine responds with a RST back, then that machine is up -
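Review bot: in the @@ -763,6 +763,50 @@ hunk the ICMP branch of the UDP scanner folds every unreachable code into one state: `code) in [1, 2, 3, 9, 10, 13]` all print "closed", but only type 3 code 3 (port unreachable) means closed; codes 1, 2, 9, 10 and 13 are host/network or administratively-prohibited unreachable messages that nmap reports as filtered, which is exactly the firewall case the closing paragraph warns about. Split the check into `code == 3` for closed and the remaining codes for filtered, and adjust the sentence "If an ICMP (Internet Control Message Protocol) response is received with a specific type and code, it may indicate that the port is closed" to match. Minor: the loop sends one probe per port with a 1 s timeout in series, so the 100-port example can take up to 100 s; `sr()` over a list of packets would batch it.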
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 145 additions and 0 deletions.
@@ -619,6 +619,151 @@ nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80 nmap -p80 192.169.42.3 -oG -|nikto -h - nmap -p0-65535 192.168.2.7 ---------------------------------------------------------------------------------------------------- DP (User Datagram Protocol) scanning is a technique used in network reconnaissance to discover open UDP ports on a target system. Unlike TCP, UDP is connectionless and doesn't establish a session before exchanging data. As a result, UDP scanning can be more challenging due to the lack of acknowledgment or response from closed ports. Here's an example of UDP scanning using Nmap and its alternatives: Nmap Example: To perform a basic UDP scan using Nmap, you can use the following command: bash Copy code nmap -sU target_ip -sU: Specifies a UDP scan. This command tells Nmap to scan the target system for open UDP ports. By default, Nmap sends UDP packets to commonly used UDP ports and waits for a response. However, UDP scanning can be slower than TCP scanning because there is no reliable method for determining if a UDP port is open. Alternative: hping3 Hping is a flexible and powerful packet crafting tool. While it's not a full-fledged port scanner like Nmap, it can be used for specific UDP scanning tasks. Below is a simple example: bash Copy code hping3 -2 -c 5 -p 53 target_ip -2: Specifies that UDP should be used. -c 5: Sets the count of packets to send to 5. -p 53: Specifies the destination port (53 in this example). In this example, Hping sends 5 UDP packets to port 53 on the target IP. You can change the destination port and packet count as needed. Alternative: Unicornscan Unicornscan is another network scanner that supports UDP scanning. It's designed to be fast and efficient. An example UDP scan using Unicornscan: bash Copy code unicornscan -i eth0 -mU -v -l output.txt target_ip:a -i eth0: Specifies the network interface. -mU: Sets the scan mode to UDP. -v: Enables verbose output. -l output.txt: Logs results to a file. 
target_ip:a: Specifies the target IP address and the scan type (a for aggressive). Mitigation for UDP Scanning: Firewall Configuration: Configure firewalls to block unnecessary UDP traffic and allow only required services. Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS solutions to detect and alert on unusual or suspicious UDP traffic patterns. Rate Limiting: Implement rate limiting for UDP traffic to detect and mitigate scanning attempts. UDP Flood Protection: Some systems may offer UDP flood protection mechanisms to mitigate the impact of UDP-based attacks. Network Segmentation: Segment the network to limit the scope of potential attacks and reduce the impact of open UDP ports. By understanding UDP scanning techniques and implementing appropriate security measures, organizations can better defend against potential threats. Keep in mind that security practices should be regularly reviewed and updated to adapt to evolving risks. ---------------------------------------------------------------------------------------------------- UDP Scanning: Shining a Light on the Silent Protocol UDP (User Datagram Protocol) plays a crucial role in network communication, but its stateless nature can offer a haven for hidden vulnerabilities. Enter UDP scanning, a technique used to map open ports and identify potential threats lurking within this silent protocol. Let's explore how tools like nmap can shed light on the UDP realm, along with some alternative options. Unveiling the Unseen: nmap and UDP Scanning: nmap provides the -sU option to perform UDP scanning, sending UDP packets to specific ports on target systems. You can specify individual ports or ranges with nmap, tailoring the scan to your needs. nmap analyzes the responses (or lack thereof) to determine whether a port is open, filtered, or closed. Examples of UDP Vulnerability Detection: DNS servers: Unsecured DNS servers can be exploited through UDP amplification attacks, which can target other systems. 
SNMP (Simple Network Management Protocol): Misconfigured SNMP services accessed via UDP can reveal sensitive information or allow attackers to modify device configurations. Gaming servers: UDP is often used in online gaming, and vulnerabilities in game servers accessed through UDP can be exploited for remote code execution or privilege escalation. Beyond nmap: Alternative Tools: Nmap Scripting Engine (NSE): nmap scripts can be used to perform advanced UDP scanning and service identification, such as detecting specific vulnerabilities or fingerprinting applications. Scapy: This Python-based tool allows crafting custom UDP packets for targeted vulnerability tests and research. Umbra: A dedicated UDP scanning tool focused on speed and stealth, offering features like evasion techniques and advanced port probing. Benefits of UDP Scanning: Vulnerability Detection: Identifies potential threats and misconfigurations hiding in the UDP realm. Network Mapping: Complements TCP scans by providing a complete picture of open ports and services. Proactive Defense: Helps mitigate risks associated with vulnerable UDP services before attackers exploit them. Challenges and Limitations: False positives: Some services might respond to UDP probes even if they are not actively listening, leading to false positives. Limited information: UDP responses often lack detailed information compared to TCP, making service identification and vulnerability assessment more challenging. Evasion techniques: Attackers might employ techniques to mask their presence from UDP scanners, requiring advanced methods for detection. Conclusion: UDP scanning plays a critical role in securing your network by unveiling potential vulnerabilities that might otherwise go unnoticed. While tools like nmap offer a powerful starting point, exploring alternative options and advanced techniques can further enhance your network threat detection and defense capabilities. 
Remember, ignoring the silent world of UDP can make your network vulnerable to unforeseen dangers. By shining a light on this crucial protocol, you can proactively safeguard your systems and build a more robust security posture. ---------------------------------------------------------------------------------------------------- UDP Scanning with Scapy: Unmasking the Silent Protocol UDP scanning, like a detective scouring the shadows, sheds light on the often-ignored UDP protocol, revealing potential vulnerabilities that traditional TCP scans might miss. Let's explore how Scapy, a powerful Python-based network packet manipulation tool, empowers you to perform robust UDP scans and uncover hidden threats. Delving into the Shadows: Crafting UDP Packets: Scapy allows you to build custom UDP packets using its intuitive syntax. Here's how to craft a simple UDP packet aimed at port 22 (SSH) of a target host: Python from scapy.all import * # Define target IP and port target_ip = "192.168.1.100" target_port = 22 # Build the UDP packet udp_packet = UDP(dport=target_port) # Send the packet to the target send(IP(dst=target_ip)/udp_packet) Use code with caution. Learn more This code snippet creates a UDP packet with the destination port set to 22 and sends it to the target IP. Scapy offers extensive options for customizing this packet, including setting source ports, adding payloads, and crafting specific UDP flags. Analyzing Responses: Scapy captures and analyzes the responses to your UDP packets, providing valuable insights into open ports and potential vulnerabilities. Depending on the target system's configuration, you might receive different responses: Open Port: If the port is open, the target might respond with an ICMP message indicating port unreachable. Filtered Port: If the port is filtered, the target might not respond at all, leaving you with a silent answer. 
Vulnerable Service: In some cases, the target might reveal information about the running service through its UDP response, potentially disclosing vulnerabilities. Going Beyond Basic Scans: Scapy's flexibility allows you to perform targeted and advanced UDP scans: Port Scans: Scan a range of ports or specific services to identify open UDP endpoints. Banner Grabbing: Extract service banners from responses to identify specific applications and potential vulnerabilities. Vulnerability Testing: Craft custom UDP packets to probe for specific vulnerabilities in services like DNS or SNMP. Benefits of Scapy for UDP Scanning: Customization: Build precise UDP packets tailored to your specific needs and target systems. Advanced Features: Utilize functionalities like banner grabbing and vulnerability testing for in-depth analysis. Scripting & Automation: Develop custom scripts for automated and repetitive UDP scanning tasks. Challenges and Limitations: Complexity: Scapy requires an understanding of network protocols and Python programming. False Positives: Interpreting responses can be challenging, and silent targets might not necessarily indicate closed ports. Evasion Techniques: Attackers might employ techniques to mask their presence from UDP scanners, necessitating advanced detection methods. Conclusion: Scapy empowers you to become a digital sleuth, peering into the shadowy world of UDP and uncovering hidden threats. By crafting custom packets, analyzing responses, and utilizing advanced features, you can gain valuable insights into your network's security posture and proactively address potential vulnerabilities. Remember, silence isn't always golden in the network realm, and by actively probing the UDP landscape with Scapy, you can secure your systems and stay ahead of lurking dangers. 
Additional Resources: Scapy Documentation: https://scapy.net/ Scapy Packet Manipulation Tutorial: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy Network Security with Scapy: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/ By mastering Scapy and UDP scanning, you can transform the silent protocol from a potential risk into a valuable source of security intelligence, safeguarding your network against unseen threats. ---------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------- IP Fragment Scanning with Nmap can be enhanced using the --scanflags option, which allows you to set specific TCP flags to improve the detection of services that might be hidden within fragmented packets. This technique involves manipulating TCP flags in fragmented packets to evade detection by security systems. Below is an example of how to use the --scanflags option in Nmap for IP Fragment Scanning: bash -
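Review bot: the response interpretation under "Analyzing Responses" is inverted: an ICMP port-unreachable (type 3, code 3) means the UDP port is closed, not open; an open UDP port either answers with UDP data or stays silent, which is why Nmap reports open|filtered for UDP. The Scapy snippet also uses send(), which only transmits and discards replies, so nothing is "captured and analyzed"; use sr1(IP(dst=target_ip)/UDP(dport=target_port), timeout=2) and branch on whether the reply is None, carries an ICMP layer, or carries a UDP layer. "crafting specific UDP flags" should go, since UDP has no flags. In the --scanflags paragraph at the end, --scanflags only sets TCP flags and does not fragment anything; fragmentation comes from -f or --mtu, so the claim that it "improves the detection of services that might be hidden within fragmented packets" does not hold on its own.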
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 64 additions and 0 deletions.
@@ -618,6 +618,70 @@ nikto -host 192.169.42.33 nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80 nmap -p80 192.169.42.3 -oG -|nikto -h - nmap -p0-65535 192.168.2.7 ---------------------------------------------------------------------------------------------------- IP Fragment Scanning with Nmap can be enhanced using the --scanflags option, which allows you to set specific TCP flags to improve the detection of services that might be hidden within fragmented packets. This technique involves manipulating TCP flags in fragmented packets to evade detection by security systems. Below is an example of how to use the --scanflags option in Nmap for IP Fragment Scanning: bash Copy code nmap --scanflags URG,PSH,FIN target_ip In this example: --scanflags: This option allows you to set specific TCP flags for the scan. URG,PSH,FIN: These are the TCP flags (URGent, PuSH, FINish) that will be set in the scan. You can choose different combinations based on your requirements. The idea is to use specific TCP flags in the scan to observe how the target system handles fragmented packets with these flags set. This can be useful for evading detection and understanding how different network devices and systems respond to such packets. Keep in mind that while Nmap is a legitimate and widely used network scanning tool, the same techniques could be misused by attackers for malicious purposes. Network defenders should be aware of these evasion techniques and take appropriate measures to secure their networks. To defend against IP Fragment Scanning using specific TCP flags, network administrators can consider: Reassembly Handling: Configure firewalls and intrusion detection/prevention systems to reassemble fragmented packets before analysis. Deep Packet Inspection (DPI): Employ DPI techniques to inspect the entire content of fragmented packets, including their TCP flags. Rate Limiting: Implement rate limiting for fragmented packets to control the flow and prevent flooding. 
Behavioral Analysis: Monitor and analyze the behavior of network traffic over time to detect patterns associated with IP Fragment Scanning. Regular Updates: Keep network devices, firewalls, and intrusion detection/prevention systems up-to-date to ensure they have the latest capabilities for handling and detecting fragmented packets with specific TCP flags. These measures collectively contribute to a more robust defense against IP Fragment Scanning and related evasion techniques. ---------------------------------------------------------------------------------------------------- #IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance Suppose an attacker wants to scan a target system for open ports using IP Fragment Scanning. Nmap provides the --mtu option, which allows the user to specify the maximum transmission unit (MTU) for fragmented packets. The following example demonstrates IP Fragment Scanning with Nmap: bash Copy code nmap -f --mtu 8 target_ip -f: This option tells Nmap to fragment the packets during the scan. --mtu 8: Specifies the maximum transmission unit for the fragmented packets. Nmap will send fragmented packets to the target and analyze the responses to gain insights into how the target system handles fragmented traffic. This information can include details about the operating system, firewall settings, and potentially open ports. ---------------------------------------------------------------------------------------------------- #IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance Hping: Hping is a command-line-oriented TCP/IP packet assembler/analyzer. It allows users to craft and send custom packets, including fragmented ones. bash Copy code hping3 --frag target_ip The --frag option in Hping sends fragmented packets to the target system. 
---------------------------------------------------------------------------------------------------- #IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance Scapy: Scapy is a powerful Python-based interactive packet manipulation tool. It allows users to craft custom packets, including fragmented ones. python Copy code from scapy.all import IP, ICMP, send packet = IP(dst="target_ip")/ICMP() packet[IP].flags = 1 # Set the Don't Fragment (DF) flag packet[IP].frag = 0 # Set the Fragment Offset to 0 send(packet) This Scapy script sends a single, unfragmented ICMP packet with the Don't Fragment (DF) flag set. ---------------------------------------------------------------------------------------------------- #To get around this, nmap can also send a TCP ACK packet to (by default) port 80. #If the remote machine responds with a RST back, then that machine is up -
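Review bot: three problems in the fragment-scan examples. "nmap --scanflags URG,PSH,FIN target_ip" sends no fragments at all; --scanflags only sets the TCP flags, so the sentence tying it to "fragmented packets" needs -f or --mtu on the command line to be true. "nmap -f --mtu 8 target_ip": the Nmap reference guide says not to combine -f with --mtu (each one sets the fragment size; use one or the other), and --mtu must be a multiple of 8. In the Scapy snippet, "packet[IP].flags = 1 # Set the Don't Fragment (DF) flag" is wrong: Scapy's IP flags field is MF=1, DF=2 (or flags="DF"), so the comment and the closing sentence disagree with the code, and as the text admits the packet is never fragmented anyway. To demonstrate fragment scanning, build the probe and call fragment(pkt, fragsize=8), then send each piece.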
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 0 additions and 62 deletions.
@@ -1945,65 +1945,3 @@ docker run --pull always It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== -
githubfoam revised this gist
Jan 11, 2024 . 1 changed file with 62 additions and 0 deletions.
@@ -1945,3 +1945,65 @@ docker run --pull always It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== #ChatGPT IP Fragmentation or Session Splicing is a technique used to evade detection by Intrusion Detection Systems (IDS). In this technique, a malicious actor splits a datagram or packet into multiple fragments before sending it across the network. The idea is that the IDS may have difficulty detecting the true nature of the fully assembled datagram until it reaches its final destination. The fragmentation process involves breaking the original packet into smaller fragments, each containing a portion of the payload. The IDS may not be able to analyze the complete content of the packet until all fragments are reassembled, which usually occurs at the destination rather than within the IDS itself. This makes it challenging for the IDS to accurately identify and analyze the malicious content within the fragmented packets. The reason this technique can be effective is that reassembling fragments is a processor-intensive task, and on a busy system, the IDS may struggle to keep up with the volume of fragmented packets. As a result, some fragmented packets might slip through the IDS undetected. Mitigation Methods: Reassembly at the Network Perimeter: Reassemble fragmented packets at the network perimeter before they reach the IDS. This way, the IDS can analyze complete packets, reducing the chance of evasion. Adjusting IDS Configuration: Configure the IDS to handle IP fragmentation more effectively. Some IDS solutions offer settings to optimize the handling of fragmented packets. Adjusting these configurations can improve the IDS's ability to detect malicious content. Use of Deep Packet Inspection (DPI): Employ Deep Packet Inspection techniques that go beyond simple packet header analysis. 
DPI involves analyzing the entire content of packets, including fragments, and can help in detecting malicious patterns or signatures. Signature-Based Detection: Enhance signature-based detection capabilities to identify patterns of fragmented packets associated with known attacks. This involves regularly updating the IDS's signature database to include new threat intelligence. Traffic Normalization: Normalize and reassemble fragmented packets within the IDS itself. Some IDS solutions offer traffic normalization features, allowing them to reconstruct packets for analysis before further processing. Rate Limiting and Traffic Shaping: Implement rate limiting and traffic shaping to control the flow of fragmented packets. This can help mitigate the impact of a flood of fragmented packets overwhelming the IDS. Alert on Fragmentation: Configure the IDS to generate alerts specifically for fragmented packets. While this may not prevent the evasion technique, it can prompt administrators to investigate further. It's important to note that using a combination of these mitigation methods is often more effective in enhancing an organization's overall security posture against IP Fragmentation or Session Splicing attacks. Regularly updating and patching IDS systems is also essential to ensure they have the latest capabilities for handling evolving evasion techniques. =========================================================================== #Bard IP Fragmentation/Session Splicing: Evading IDS and Mitigation Strategies IP Fragmentation and Session Splicing exploit the way network packets are transmitted to bypass Intrusion Detection Systems (IDS). Understanding the technique and its mitigation strategies is crucial for robust network security. How it Works: Fragmentation: The attack first divides a malicious datagram (a complete unit of data) into smaller fragments. Each fragment carries some payload and its own header, but lacks enough information to be interpreted individually. 
Transmission: These fragments are sent through the network separately, potentially taking different routes. An IDS analyzing individual packets cannot recognize the whole attack picture due to incomplete information. Reassembly: At the destination, the fragments are reassembled into the original malicious datagram by the receiver (typically the target system). IDS Evasion: By the time the full attack is assembled and ready for execution, it has potentially bypassed the IDS, enabling the attacker to achieve their goal (e.g., installing malware, exploiting vulnerabilities). Additional Techniques: Session Splicing: Attackers might further manipulate individual fragments, inserting malicious code or altering existing data to enhance the attack or evade specific IDS signature detection. Evasion Strategies: To further complicate detection, attackers might use dynamic fragmentation sizes, randomize fragment order, or send fragments through different protocols/ports. Mitigation Strategies: Deep Packet Inspection (DPI): Implement DPI technology that can analyze the content and structure of entire datagrams, regardless of fragmentation. Fragment Reassembly Thresholds: Configure your IDS and network devices to reassemble and inspect fragments when their total size exceeds a specific threshold, even if individual fragments appear harmless. Signature Updates: Regularly update your IDS with signatures that detect suspicious fragmentation patterns and behavior. Packet Anomaly Detection: Utilize anomaly detection methods within your IDS to identify unusual traffic patterns indicative of potential fragmentation-based attacks. Network Segmentation: Segregate sensitive network segments to limit the potential impact of an attack that bypasses IDS at the perimeter. Remember: IP Fragmentation/Session Splicing is a continuously evolving technique. Network defenders need to stay informed about new evasion tactics and adapt their mitigation strategies accordingly. 
Layering various security measures like DPI, signature-based IDS, and anomaly detection is crucial for comprehensive protection against this and other IDS-evasion techniques. By understanding how attackers exploit fragmentation and employing effective mitigation strategies, you can significantly strengthen your network defenses and improve your ability to detect and thwart such attacks. =========================================================================== -
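Review bot: both generated texts conflate IP fragmentation (layer 3: one datagram split into fragments that the IP stack reassembles) with session splicing (layer 4: an attack string spread across several small TCP segments that the TCP stack reassembles), and the "#Bard" part's "Session Splicing: Attackers might further manipulate individual fragments, inserting malicious code" is not what the term means. A one-line definition of each would let the mitigations map correctly: IP defragmentation before inspection for the first, TCP stream reassembly for the second. "Fragment Reassembly Thresholds ... when their total size exceeds a specific threshold" is also backwards; an IDS has to reassemble every fragmented datagram before signature matching, because a small payload can be split into tiny fragments, and a size threshold just tells the attacker what to stay under.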
githubfoam revised this gist
Jan 10, 2024 . 1 changed file with 38 additions and 0 deletions.
@@ -708,6 +708,44 @@ nmap -sT 187.36.24.156 # TCP connect scan,establish the TCP connection with the #Port Scanning Techniques Open Port: Description: An open port indicates that a service or application actively accepts connections on that port. It means an application is running on the target system and accessible through that port. Nmap usually determines a port is open when it receives a SYN-ACK response during a TCP scan, or an ICMP Echo Reply during a UDP scan. Nmap Output: When Nmap detects an open port, it typically labels it as "open" in the scan results. For instance: PORT 80/tcp open http Closed Port: Description: A closed port means that there is no service listening on that port, and attempts to connect will be met with a refusal. Nmap Output: Nmap labels closed ports as "closed" in the scan results. For example: PORT 23/tcp closed telnet A closed port means there's no service listening on it. The port is accessible, but there's no application ready to respond to connections. Nmap typically identifies a closed port when it receives a RST (Reset) packet in response to its probes Filtered Port: Description: A filtered port implies that Nmap cannot determine the port's state because it did not receive a response from the target system. A filtered port means Nmap couldn't determine its state due to a firewall or other network device blocking probes. It's uncertain whether the port is open or closed because the probes were prevented from reaching the target Nmap might report a port as filtered if it receives no response, an ICMP unreachable message, or an ICMP response indicating administrative filtering. Possible Causes: Filtered ports might result from firewalls, network congestion, or the target system's configuration. Nmap Output: If Nmap detects a filtered port, it usually labels it as "filtered" or "unfiltered." 
For instance: PORT 135/tcp filtered msrpc PORT 22/tcp open|filtered ssh Open Ports: They represent potential entry points into the target system and are likely running services. Closed Ports: Typically considered safe as they don't provide entry to the system. Filtered Ports: These ports are in an uncertain state, making it harder to determine their accessibility. They might be open or closed, but Nmap couldn't conclusively determine due to the lack of response #relatively unobtrusive and stealthy since it never completes TCP connections, referred to as half-open scanning #does not open a full TCP connection,sends a SYN packet, as if it s going to open a real connection and then wait for a response. #A SYN/ACK indicates the port is listening (open) -
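Review bot: the port-state summary has two errors. "or an ICMP Echo Reply during a UDP scan" is wrong: for -sU an open port is one that answers with UDP data, an ICMP port unreachable (type 3, code 3) means closed, the other ICMP unreachables mean filtered, and silence is reported as open|filtered. "it usually labels it as 'filtered' or 'unfiltered'" mixes three distinct states: filtered, unfiltered (an ACK scan reached the port but cannot tell open from closed) and open|filtered, which is what the example "22/tcp open|filtered ssh" shows and what FIN/NULL/Xmas and UDP scans report on no response. Suggest listing all six Nmap states (open, closed, filtered, unfiltered, open|filtered, closed|filtered) with the probe response that produces each.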
githubfoam revised this gist
Jan 10, 2024 . 1 changed file with 14 additions and 2 deletions.
@@ -714,8 +714,20 @@ nmap -sT 187.36.24.156 # TCP connect scan,establish the TCP connection with the #while a RST (reset) is indicative of a non-listener. #If no response is received after several retransmissions, the port is marked as filtered. #The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received # The port is considered open if a SYN packet (without the ACK flag) is received in response, can be due to TCP feature known as a simultaneous open or split handshake connection Half-Open Scan (SYN Stealth Scan) TCP SYN Scan Description: Initiates a SYN packet to the target port but does not complete the handshake, providing information without establishing a full connection. Sends a SYN packet and immediately checks for a SYN-ACK response without completing the handshake. It doesn't send an RST, leaving the connection half-open. Use Case: Faster than a full connection scan but may leave traces in target system logs. Discerning between open and filtered ports. Circumventing firewalls that only log full TCP connections. Less intrusive scanning, as it doesn't fully establish connections nmap -sS [target] nmap -sS 192.168.0.1 UDP Scan nmap -sU [target] nmap -sU 192.168.0.1 -
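Review bot: "It doesn't send an RST, leaving the connection half-open" is wrong for -sS: when the SYN/ACK arrives, the scanning host's kernel (which never opened a socket for it) answers with an RST, so the target's embryonic connection is torn down at once; "half-open" describes the handshake never completing, not a lingering state on the target. "may leave traces in target system logs" also needs qualifying: the reason to prefer -sS over -sT is that application-level logging never sees a completed connection, so only packet-level sensors or a firewall logging SYNs will record the probe.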
githubfoam revised this gist
Jan 10, 2024 . 1 changed file with 32 additions and 3 deletions.
@@ -717,17 +717,46 @@ nmap -sT 187.36.24.156 # TCP connect scan,establish the TCP connection with the # The port is considered open if a SYN packet (without the ACK flag) is received in response,can be due to TCP feature known as a simultaneous open or split handshake connection TCP SYN Scan nmap -sS [target] nmap -sS 192.168.0.1 UDP Scan nmap -sU [target] nmap -sU 192.168.0.1 TCP FIN Scan nmap -sF [target] nmap -sF 192.168.0.1 TCP ACK Scan nmap -sA [target] nmap -sA 192.168.0.1 Custom TCP Scan nmap –scanflags [flags] [target] nmap –scanflags SYNFIN 192.168.0.1 IP Protocol Scan nmap -sO [target] nmap -sO 192.168.0.1 Send Raw Ethernet Packets nmap –send-eth [target] nmap –send-eth 192.168.0.1 Send IP Packets nmap –send-ip [target] Xmas Scan Description: Sets multiple TCP flags (FIN, URG, PSH) in the packet sent to the target port. The target's response (or lack of response) indicates the port's status. If the port is open, it might respond differently based on its state. A lack of response might indicate a closed or filtered port. Use Case: Another evasive scanning technique that might bypass certain firewall configurations and reveal additional information. Identifying firewall or IDS configurations. Mapping unusual port behavior. Fingerprinting older operating systems nmap -sX [target] nmap -sX 192.168.0.1 Open Scan (TCP Connect Scan) Description: It involves establishing a full TCP handshake with the target port. If the port is open, it responds with a SYN-ACK, indicating readiness to establish a connection Use Case: Provides reliable results but may be easily detected due to its straightforward nature. nmap -sT [target] nmap -sT 192.168.0.1 TCP NULL Scan Description: Sends TCP packets without any flags set (null packets) to the target port. The response (or lack thereof) helps determine if the port is open, closed, or filtered. 
Evasive scanning technique as it might not trigger some intrusion detection systems due to the absence of flags Evading firewalls or intrusion detection systems (IDS) that might not filter null packets. Probing systems that implement strict firewall rules. Gathering OS fingerprinting information. nmap -sN [target] nmap -sN 192.168.0.1 nmap -p 1-1024 -sT moonshine.ecn.purdue.edu #only the first 1024 ports nmap -p 1-65535 localhost #Scan specific ports or scan entire port ranges on a local or remote server -
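Review bot: the option names in "nmap –scanflags [flags]", "nmap –send-eth [target]" and "nmap –send-ip [target]" use an en-dash instead of "--", so they fail when pasted; write --scanflags SYNFIN, --send-eth, --send-ip. The Xmas interpretation is also inverted: on an RFC 793-compliant stack a closed port answers an unsolicited FIN/NULL/Xmas probe with RST and an open port stays silent, so "A lack of response might indicate a closed or filtered port" should read open|filtered, and an RST means closed; Windows and several other stacks send RST for every port, which is why these scans report everything closed there, a caveat that belongs under "Fingerprinting older operating systems".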
githubfoam revised this gist
Dec 23, 2023 . No changes.
githubfoam revised this gist
Dec 20, 2023 . 1 changed file with 64 additions and 0 deletions.
@@ -1802,3 +1802,67 @@ docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/n -u https://example.com -t /nuclei-templates/ssl/deprecated-tls.yaml =========================================================================== #clamav on Ubuntu 23.04 #https://docs.clamav.net/manual/Installing/Docker.html clamav/clamav:<version>_base: A release with no signature databases. Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases. This method is the best option because it will reduce data costs for ClamAV and for the Docker registry, but it does require advanced familiarity with Linux and Docker. Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time you start a new container. The virus database in /var/lib/clamav is by default unique to each container and thus is normally not shared. some use cases may want to efficiently share the database or at least persist it across short-lived ClamAV containers. Volumes are completely managed by Docker and are the best choice for creating a persistent database volume docker volume create clam_db Then start one or more containers using this volume The first container to use a new database volume will download the full database set Subsequent containers will use the existing databases and may update them as needed: docker run -it --rm \ --name "clam_container_01" \ --mount source=clam_db,target=/var/lib/clamav \ clamav/clamav:unstable_base =========================================================================== #clamav on Ubuntu 23.04 #https://docs.clamav.net/manual/Installing/Docker.html Recommended RAM for ClamAV (As of 2020/09/20): Minimum: 3 GiB Preferred: 4 GiB If your container does not have enough RAM you can expect that the OS (or Docker) may kill your clamd process. 
You can minimize clamd RAM usage by setting ConcurrentDatabaseReload no in clamd.conf. The downside is that clamd will block any new scans until reload is complete. clamav/clamav:<version>: A release preloaded with signature databases. Use this if you will keep the image around so that you don't download the entire database set every time you start a new container $ docker pull clamav/clamav:unstable unstable: Pulling from clamav/clamav 7264a8db6415: Pull complete a12491ef4ba9: Pull complete 9cfb3c31e879: Pull complete f0e5e90185f2: Pull complete b6f26fdfc81d: Pull complete 6b54ea1b1185: Pull complete Digest: sha256:4d49196411c793d26c81d5a47a91785ef6312252370d717815db4a3893b64c08 Status: Downloaded newer image for clamav/clamav:unstable docker.io/clamav/clamav:unstable will always pull beforehand to ensure the most up-to-date container is being used docker run --pull always It's common to see -it instead of --interactive --tty It's common to also publish (forward) the ClamAV TCP port to the local host to use the TCP socket using --publish 3310:3310 in the docker run command =========================================================================== -
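Review bot: the run examples pin clamav/clamav:unstable, the development build; for anything beyond a quick test substitute a release tag for the <version> placeholder quoted from the docs, and prefer the _base tag with the clam_db volume so signatures persist across containers instead of being re-downloaded. On "--publish 3310:3310": clamd's TCP socket has no authentication, so publishing it on all interfaces lets anyone who can reach the host submit scans and issue control commands such as SHUTDOWN; bind it to loopback with --publish 127.0.0.1:3310:3310 unless another host is meant to reach it.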
githubfoam revised this gist
Dec 20, 2023 . 1 changed file with 3 additions and 0 deletions.
@@ -76,6 +76,9 @@ Look up IP Address Location https://whatismyipaddress.com/ip-lookup ---------------------------------------------------------------------------------------------------- Real-time problem & outage monitoring https://downdetector.com/ ---------------------------------------------------------------------------------------------------- By defanging the URLs, you can effectively deliver these links without triggering spam filters, reputation-based filters, or being quarantined. This tool ensures that your intended recipients receive the link and allows them to investigate and address any potential security concerns https://trustifi.com/url-defang-tool/ ---------------------------------------------------------------------------------------------------- #DMARC, SPF query https://dmarcian.com/spf-survey/ https://mxtoolbox.com/SuperTool.aspx?action=mx%3atau.edu.tr&run=toolpage -
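Review bot: the rationale given for defanging ("without triggering spam filters, reputation-based filters, or being quarantined") describes evading mail security controls, which is the wrong framing for this link; defanging (hxxp://, example[.]com) exists so that a shared indicator cannot be auto-linked or clicked by accident while the recipient investigates it. Suggest replacing the vendor blurb with that one sentence so the entry reads as IOC-sharing hygiene rather than filter bypass.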
githubfoam revised this gist
Oct 17, 2023 . 1 changed file with 51 additions and 0 deletions.
@@ -12,8 +12,59 @@ https://owasp.org/www-project-web-security-testing-guide/ 0-1023 - Well known ports (HTTP, SMTP, DHCP, FTP etc) 1024-49151 - Reserved Ports 49152-65535 - Dynamic/Private Ports Windows : Start → "cmd" → Run as Administrator → "netstat -bn" Linux : a In the terminal, run the command: "ss -tln" MAC : lsof -iTCP -sTCP:LISTEN -n -P https://portchecker.co https://www.yougetsignal.com/tools/open-ports/ (Scan All Common Ports) https://www.ipfingerprints.com/portscan.php https://www.portcheckers.com/ 21: FTP (File Transfer Protocol) 22: SSH (Secure Shell) 23: Telnet (Remote Login Service) 25: SMTP (Simple Mail Transfer Protocol) 43: WHOIS Protocol obtaining the registration of ownership of domain names and IP addresses 53: DNS (Domain Name System) 67: DHCP Dynamic Host Configuration Protocol 69: TFTP Trivial File Transfer Protocol - a simple file transfer protocol. 80: HTTP (Hypertext Transfer Protocol) 110: POP3 (Post Office Protocol 3) 115: SFTP (Secure File Transfer Protocol) 123: NTP (Network Time Protocol) 135: RPC 139: NetBIOS 143: IMAP (Internet Message Access Protocol) 161: SNMP (Simple Network Management Protocol) 194: IRC (Internet Relay Chat) 389: LDAP Lightweight Directory Access Protocol. 443: SSL / HTTPS (Hypertext Transfer Protocol Secure) 445: SMB (Server Message Block) 465: SMTPS (Simple Mail Transfer Protocol over SSL) 515: LPD Line Printer Daemon. Remote printing protocol on the printer. 554: RTSP (Real Time Stream Control Protocol) 636: LDAP over SSL or Secure LDAP 873: RSYNC (RSYNC File Transfer Services) 993: IMAPS (Internet Message Access Protocol over SSL) 995: POP3S (Post Office Protocol 3 over SSL) 1080: SOCKS SOCKet Secure. Receiving protocol secure anonymous access. 1433: MSSQL 3128: Proxy Currently the port often used proxies. 
3306: MySQL 3389: RDP (Remote Desktop Protocol) 5432: PostgreSQL 5631/5632: PC Anywhere 5900: VNC (Virtual Network Computing) 5938: TeamViewer - Remote control system for ensuring your computer and data exchange. 6379: Redis 7070: For direct connections, TCP Port 7070 is used for listening by default. This port is opened when installing AnyDesk. 8080: Alternate port for the HTTP protocol. Sometimes used proxies. 9001/9030: Tor commonly uses ports 9001 and 9030 for network traffic and directory information. 11211: Memcached 25565: Minecraft 44158: Helium Miner Port ---------------------------------------------------------------------------------------------------- https://www.virustotal.com #Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security communit https://dnslytics.com/ #The ultimate online investigation tool Search for Domain, IPv4,IPv6 -
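Review bot: "115: SFTP (Secure File Transfer Protocol)" is mislabeled: port 115 is the old Simple File Transfer Protocol (RFC 913); the SSH File Transfer Protocol runs inside SSH on 22 and has no port of its own. The list also never says which entries are UDP (53 DNS on both, 67 DHCP, 69 TFTP, 123 NTP, 161 SNMP), which matters for a scanning cheat sheet because the nmap -sS examples elsewhere on the page will never see them; add a TCP/UDP marker per entry. "ss -tln" likewise shows only TCP listeners; "ss -tulnp" covers UDP as well and names the owning process. Stray "a" in "Linux : a In the terminal".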
githubfoam revised this gist
Oct 17, 2023 . 1 changed file with 6 additions and 0 deletions.
@@ -8,6 +8,12 @@ OSSTMM 3 – The Open Source Security Testing Methodology Manual https://www.isecom.org/OSSTMM.3.pdf OWASP Web Security Testing Guide https://owasp.org/www-project-web-security-testing-guide/ ---------------------------------------------------------------------------------------------------- 0-1023 - Well known ports (HTTP, SMTP, DHCP, FTP etc) 1024-49151 - Reserved Ports 49152-65535 - Dynamic/Private Ports https://portchecker.co ---------------------------------------------------------------------------------------------------- https://www.virustotal.com #Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security communit https://dnslytics.com/ #The ultimate online investigation tool Search for Domain, IPv4,IPv6 -
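Review bot: "1024-49151 - Reserved Ports" uses the wrong name; IANA's term for this range is Registered Ports (Well Known 0-1023, Registered 1024-49151, Dynamic/Private 49152-65535), and "reserved" wrongly suggests the range is unusable. Also "DHCP" in the well-known examples is a UDP service (67/68), so it is worth stating that the three ranges apply to UDP as well as TCP.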
githubfoam revised this gist
Sep 1, 2023 . 1 changed file with 31 additions and 0 deletions.
@@ -359,6 +359,37 @@ hydra -L Usernames.txt -P Passwords.txt ftp://10.10.10.16 hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form “/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout” -vV -f hydra -l admin -P /usr/share/wordlists/test.txt 192.168.80.134 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login” -vV -f #ChatGPT THC-Hydra is indeed a versatile and powerful tool for conducting brute-force attacks on various login services. However, it's essential to clarify that using it to test for the Logjam vulnerability is not a standard or recommended method. Logjam is a vulnerability related to the Diffie-Hellman key exchange in SSL/TLS, and it's typically detected and assessed differently, as explained in the previous response. Here's an example of how THC-Hydra can be used for a more standard brute-force attack against an HTTP login page. Please note that this example is for educational purposes only and should only be performed on systems you own or have explicit permission to test. Install THC-Hydra: You can typically install THC-Hydra on Linux using package managers like apt or yum. For example, on Debian-based systems: bash Copy code sudo apt-get install hydra Prepare a Wordlist: You need a list of possible usernames and passwords to use for the brute-force attack. You can create a simple text file containing pairs of usernames and passwords, one pair per line. For example, wordlist.txt: plaintext Copy code admin:password user:123456 john:secret Run the Brute-Force Attack: Use THC-Hydra to perform the brute-force attack. For an HTTP login page, the command might look like this: bash Copy code hydra -l admin -P wordlist.txt example.com http-post-form "/login.php:user=^USER^&password=^PASS^:Invalid login" -t 4 -l: Specify the username to start with (in this case, "admin"). -P: Specify the path to the wordlist file. example.com: Replace this with the target website's URL. 
http-post-form: Specify the login form details. "/login.php:user=^USER^&password=^PASS^:Invalid login": Define the login form parameters, where ^USER^ and ^PASS^ will be replaced with usernames and passwords from the wordlist. -t 4: Set the number of parallel tasks to 4 (adjust as needed). Review the Results: THC-Hydra will attempt to log in using the usernames and passwords from the wordlist. If successful, it will display the valid credentials. ---------------------------------------------------------------------------------------------------- #ChatGPT -
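Review bot: the flag descriptions in the ChatGPT hydra walkthrough do not match the tool: -l takes a single, fixed login (it does not "start with" a username and move on), and -P expects a file with one password per line, so the wordlist.txt shown as admin:password / user:123456 pairs is the wrong format for the command given. Either describe wordlist.txt as a plain password list or drop the colon-separated pairs. Separately, the two hydra lines in the surrounding context wrap the http-post-form argument in curly quotes (“…”); a shell passes those literally, so they should be straight double quotes before anyone copies the lines.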
githubfoam revised this gist
Aug 16, 2023 . 1 changed file with 30 additions and 0 deletions.
@@ -1008,7 +1008,37 @@ $ whois www.alibaba.com dig alibaba.com @8.8.8.8 #specify name server 8.8.8.8 dig @8.8.8.8 +short NS domain.com #ChatGPT The command you provided is using the dig utility, which stands for "domain information groper." It's a command-line tool used for querying DNS (Domain Name System) servers to retrieve DNS-related information about domain names. Let's break down the command: dig: This is the command itself, indicating that you want to use the dig utility. www.alibaba.com: This is the domain name you want to query for DNS information. ANY: This is the type of DNS record you want to retrieve. The ANY type is used to request all available information for the specified domain. +noall: This option instructs dig to exclude the default output, which provides a summary of the query. +answer: This option tells dig to only display the answer section of the DNS response. When you run this command, it queries the DNS server for the www.alibaba.com domain and requests all available DNS records. The response will show the DNS records associated with the domain in the answer section. These records can include information such as IP addresses, mail server addresses, and more. Please note that the ANY query type is often not recommended due to potential security risks and the way some DNS servers respond to it. Some DNS servers may limit or filter responses to ANY queries to prevent unnecessary information disclosure. dig www.alibaba.com ANY +noall +answer ##ChatGPT explain why dig output misses A record :dig www.w3schools.com. +noall +answer www.w3schools.com. 60 IN CNAME cs837.wac.edgecastcdn.net. The output you provided indicates that the www.w3schools.com domain has a CNAME (Canonical Name) record pointing to cs837.wac.edgecastcdn.net. but does not include an A (Address) record. Let's break down what this means: CNAME Record: The CNAME record is a type of DNS record that specifies an alias or canonical name for a domain. 
In this case, the CNAME record for www.w3schools.com points to cs837.wac.edgecastcdn.net.. This means that when someone tries to access www.w3schools.com, they are redirected to cs837.wac.edgecastcdn.net.. Missing A Record: The A record is used to map a domain name to an IPv4 address. It provides the actual IP address that corresponds to the domain. However, in the output you provided, there is no A record for www.w3schools.com. This suggests that the IP address associated with www.w3schools.com is not directly defined in the DNS records for that domain. The reason for this setup could be that www.w3schools.com is utilizing a Content Delivery Network (CDN) provided by EdgeCast (now part of Verizon Media Platform). CDNs often use CNAME records to point to their servers, which then handle the distribution of content from various locations. This can improve website performance by delivering content from a server that's geographically closer to the user. In this case, the actual IP address you might be looking for might be associated with the cs837.wac.edgecastcdn.net. domain, which the CNAME record points to. To retrieve the IP address associated with cs837.wac.edgecastcdn.net., you could perform a dig query specifically for that domain: dig cs837.wac.edgecastcdn.net. A +noall +answer This query should provide you with the A record containing the IP address associated with the EdgeCast CDN server. #Find Out TTL Value Using dig dig +nocmd +noall +answer a www.alibaba.com #Find Domain SOA Record -
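Review bot: two points in the added dig explanation. First, a CNAME does not "redirect" the client to cs837.wac.edgecastcdn.net.; it tells the resolver to continue name resolution at the canonical name, and the client keeps addressing www.w3schools.com (Host header and TLS SNI are unchanged). Second, the "missing A record" reasoning is incomplete: per RFC 1034 section 3.6.2 a recursive resolver restarts the query at the canonical name and returns the CNAME followed by the target's A records in the same answer section, so an answer containing only the CNAME usually means the resolver did not complete (or did not return) the chained lookup, not that the CDN setup has no address; querying the CNAME target directly, as the text suggests, is the right confirmation step. Minor: +noall clears all of dig's display sections, not just a summary, which is why +answer is needed to switch the answer section back on.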
githubfoam revised this gist
Jul 26, 2023 . 1 changed file with 18 additions and 3 deletions.
@@ -1660,9 +1660,24 @@ docker run projectdiscovery/nuclei:latest --version docker run projectdiscovery/nuclei:latest -u <target_url> #Clone Nuclei Templates Repository git clone https://github.com/projectdiscovery/nuclei-templates.git #update the templates docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei -update-templates #scans docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \ -u <TARGET_URL> -t /nuclei-templates/<TEMPLATE_NAME>.yaml docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \ -u https://example.com -t /nuclei-templates/cves/exposed-debug-endpoints.yaml docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \ -u <TARGET_URL> -t /nuclei-templates/ssl/deprecated-tls.yaml docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \ -u https://example.com -t /nuclei-templates/ssl/deprecated-tls.yaml =========================================================================== -
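Review bot: in the "#update the templates" line, -update-templates writes to nuclei's default template directory inside the container (under the container user's home), not to the bind-mounted /nuclei-templates, so the update and the following -t /nuclei-templates/... scans operate on two different trees unless nuclei is pointed at the mounted directory; since the templates were already cloned with git, a `git pull` in /path/to/nuclei-templates on the host is the simpler way to keep the mounted copy current. Also, the cves/ tree of nuclei-templates is organised by year (cves/<year>/CVE-....yaml), so /nuclei-templates/cves/exposed-debug-endpoints.yaml is unlikely to resolve; check the path in the cloned repo before documenting it.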
githubfoam revised this gist
Jul 24, 2023 . 1 changed file with 14 additions and 0 deletions.
@@ -1652,3 +1652,17 @@ nuclei -h echo "Defaults env_keep += "PATH"" |sudo tee -a /etc/sudoers ============================================================================ #nuclei with docker docker pull projectdiscovery/nuclei:latest docker run projectdiscovery/nuclei:latest --version docker run projectdiscovery/nuclei:latest -u <target_url> docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei -u <TARGET_URL> -t /nuclei-templates/<TEMPLATE_NAME>.yaml docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei -u https://example.com -t /nuclei-templates/cves/exposed-debug-endpoints.yaml ============================================================================ -
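Review bot: the image reference is inconsistent within the hunk: the first three lines pull and run projectdiscovery/nuclei:latest, while the bind-mounted scan lines run untagged projectdiscovery/nuclei; the untagged form also resolves to :latest today, but pinning one explicit version on every line ensures the build checked with --version is the one that scans. In the context line above the hunk, `echo "Defaults env_keep += "PATH"" |sudo tee -a /etc/sudoers` has nested double quotes (the shell strips the inner pair, so sudoers receives `Defaults env_keep += PATH`) and appends to /etc/sudoers with no syntax check; a malformed sudoers entry disables sudo entirely, so write the entry to a file under /etc/sudoers.d/ and validate it with `visudo -cf <file>` first.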
githubfoam revised this gist
Jul 3, 2023 . 1 changed file with 5 additions and 2 deletions.
@@ -23,8 +23,11 @@ Real-time problem & outage monitoring https://downdetector.com/ https://dmarcian.com/spf-survey/ https://mxtoolbox.com/SuperTool.aspx?action=mx%3atau.edu.tr&run=toolpage ---------------------------------------------------------------------------------------------------- Penetration Testing Methodologies https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies Penetration Testing Framework 0.59 http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html ---------------------------------------------------------------------------------------------------- #ChatGPT
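Review bot: the added "Penetration Testing Framework 0.59" entry links over plain http:// and carries no date, while its neighbours (OWASP WSTG, OSSTMM 3) are versioned references; mark it as an older framework so readers weigh it accordingly. In the context line above, the mxtoolbox URL embeds a specific institution's domain (tau.edu.tr) as the lookup target; a placeholder such as example.com keeps the link list from naming a real organisation.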