đź“‘
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Google Dorks
  • Specific dorks
  • Site analysis
  • WhatWeb
  • Nikto
  • Check for page formats
  • Dumping certificates
  • SOAP Services
  • Git repository
  1. Web Attacks

Enumeration

Google Dorks

"Info:<url>"
site:<url>
site:<url> -inurl:https
site:<url> -filetype: .
site:<url> filetype:Log allintext:"username" "password"
site:<url> ext:pdf

Social media

<query> @<facebook|twitter|linkedin...>

Specific dorks

SOAP WSDL file

inurl:wsdl
filetype:wsdl

SQL Dump

"index of" "database.sql.zip"

FTP server

intitle:”index of” inurl:ftp

Wordpress admin page

intitle:"Index of" wp-admin

Apache2

intitle:"Apache2 Ubuntu Default Page: It works"

PHPMyAdmin

"Index of" inurl:phpmyadmin

JIRA/Kibana

inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software"
inurl:app/kibana intext:Loading Kibana

cPanel password reset

inurl:_cpanel/forgotpwd

Site analysis

WhatWeb

Advanced web scanner and spider tool. Download from here.

whatweb -v <url>                     #standard scan
whatweb -v -a3 <url>                 #aggressive scan
whatweb -v <url> -u <user>:<pass>    #basic auth

Use with proxy

whatweb -v <url> --proxy <url> --proxy-user <user>:<pass>

Plugins

whatweb -l                #list all plugins
whatweb -I <keyword>      #search by keyword and show detailed description
whatweb --dorks=<plugin>  #list google dorks used by the plugin
whatweb -i <plugin> <url> #use the specified plugin during scan

Nikto

nikto -host <site url> -port <port> -maxtime <max time for scan>
nikto -host <site url> -port <port> -dbcheck

Check for page formats

index.html    #static
index.php     #PHP
index.asp     #IIS
index.aspx    #IIS
index.do      #JSP based
index.jsp     #JSP based

Dumping certificates

openssl s_client -connect <ip>
openssl x509 -in <file>.pem -text #pretty print certificate

Create own certificate

Create and sign a certificate from a given Certificate Authority and private .pem key. After creation import the certificate in your browser.

openssl genrsa -out <name>.key 2048
openssl -req -new -key <name>.key -out <cert>.csr
openssl x509 -req -in <cert>.csr -CA <cert authority> -CAkey <remote key>.key -CAcreateSerial -days 1024 -sha256 -o <file>.pem
openssl pkcs12 -export -out <file>.pfx -in <file>.pem -inkey <name>.key -certfile <remote cert>.cert

SOAP Services

SOAP services expose a WSDL file that can reveal all the possible calls and relative parameters that can be executed on the server. This can allow an attacker to execute arbitrary calls to server-side services to tamper or destroy data

In order to find the definition file try appending the following payloads to the service url

<url>?wsdl
<url>.wsdl
<url>?disco    #ASP.NET
<url>.disco    #ASP.NET

Some public web services may have their WSDL file accessible by visiting soapclient.com

Git repository

If you happen to find a .git folder on a server, you can dump all the files in the repository even if not directly accessible (403 error) with the following tool: https://github.com/arthaud/git-dumper

python3 git-dumper.py <url> <local folder>
PreviousChecklistNextURL bruteforcing

Last updated 2 years ago