Sticky notes for pentesting. Search hacking techniques and tools for penetration testing, bug bounty, CTF.
WEB Basic Pentesting
Basic methodology for web penetration tests. HTTP listens on port 80 by default; HTTPS uses port 443.
Enumeration
# Probe HTTP authentication (Basic/Digest/NTLM) on a given path
nmap --script http-auth --script-args http-auth.path=/login -p 80,443 <target-ip>
# Detect the development framework (Django, Rails, etc.)
nmap --script http-devframework -p 80,443 <target-ip>
# Enumerate common directories, admin panels and known application paths
nmap --script http-enum -p 80,443 <target-ip>
# Dump the response headers (server banner, security headers)
nmap --script http-headers -p 80,443 <target-ip>
# List supported HTTP methods and flag risky ones (TRACE, PUT, DELETE, ...)
nmap --script http-methods -p 80,443 <target-ip>
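As an added example (it is not part of the original notes or of nmap), the following Python script triages a raw header block such as the one nmap's http-headers script or curl -I prints, or an OPTIONS response of the kind http-methods examines. It flags missing browser-protection headers, headers that disclose software versions, risky methods advertised in Allow, and cookies set without HttpOnly/Secure. The sample header block, the header lists and the set of risky methods are constructed assumptions for illustration, not data captured from any host.

```python
#!/usr/bin/env python3
"""Triage a raw HTTP response header block (e.g. pasted from nmap's
http-headers script or from `curl -I`) for enumeration findings.

Added example for this page, not part of nmap or its scripts. The sample
header block below is constructed for illustration, not captured from a
real host.
"""
from typing import Dict, List

# Constructed sample, shaped like an OPTIONS response seen with `curl -I`.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Allow: GET, HEAD, POST, OPTIONS, TRACE
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html; charset=UTF-8
"""

# Response headers whose absence weakens browser-side protections.
EXPECTED_SECURITY_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
]
# Headers that commonly leak software versions worth checking against advisories.
DISCLOSURE_HEADERS = ["server", "x-powered-by", "x-aspnet-version", "via"]
# Methods that deserve a closer look when a server advertises them (assumed list).
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PATCH"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name.
    Repeated headers (e.g. several Set-Cookie) are kept as a list."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or junk
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def triage(raw: str) -> Dict[str, List[str]]:
    """Return findings grouped by category."""
    h = parse_headers(raw)
    findings: Dict[str, List[str]] = {
        "missing": [], "disclosure": [], "risky_methods": [], "cookies": []
    }

    for name in EXPECTED_SECURITY_HEADERS:
        if name not in h:
            findings["missing"].append(name)

    for name in DISCLOSURE_HEADERS:
        for value in h.get(name, []):
            findings["disclosure"].append(f"{name}: {value}")

    for value in h.get("allow", []):
        methods = {m.strip().upper() for m in value.split(",")}
        findings["risky_methods"].extend(sorted(methods & RISKY_METHODS))

    for cookie in h.get("set-cookie", []):
        # Attributes after the first ';' (path, HttpOnly, Secure, ...).
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        flag_names = {a.split("=")[0] for a in attrs}
        missing = [f for f in ("httponly", "secure") if f not in flag_names]
        if missing:
            cookie_name = cookie.split("=")[0]
            findings["cookies"].append(f"{cookie_name} lacks {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_HEADERS).items():
        print(f"[{category}]")
        for item in items:
            print("  ", item)
```

Paste the headers from nmap's http-headers output (or `curl -sI`) into SAMPLE_HEADERS, or read them from a file, to get a quick list of what to chase first.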
Nikto
Nikto is a web server scanner that checks for dangerous files, outdated server software and common misconfigurations.
nikto -h http://<target-ip>
# -p: Specify ports
nikto -p 80,3000 -h <target-ip>
# -T: Tuning (concatenate the digits you want, e.g. 123)
# 1: Interesting files
# 2: Misconfiguration
# 3: Information Disclosure
# 4: Injection (XSS/Script/HTML)
nikto -T 123 -h <target-ip>
# -useragent: Custom user agent
nikto -useragent "<user-agent>" -h <target-ip>
# -e: IDS evasion (concatenate the digits you want, e.g. 17)
# 1: Random URI encoding
# 7: Change the case of the URL
nikto -e 17 -h <target-ip>
Whatweb
WhatWeb is a web fingerprinting scanner that identifies the technologies behind a site (web server, CMS, frameworks, JavaScript libraries).
whatweb <target-ip>
# -a: Aggression level
# 1: Stealthy (one request per target, follows redirects)
# 3: Aggressive (extra requests once a plugin matches)
# 4: Heavy (many requests per target, all plugins)
whatweb -a 3 <target-ip>
To use plugins, run the following commands.
# List all plugins
whatweb -l
# Show plugin details; the argument is a search keyword
whatweb -I apache
whatweb -I phpBB
whatweb -I phpmyadmin
whatweb -I windows
# Run only the given plugin
whatweb -p phpBB <target-ip>
Investigation
# WHOIS
whois example.com
# SSL/TLS connection (-servername sends SNI so the right certificate is returned)
openssl s_client -connect example.com:443 -servername example.com
# Enumerate supported protocol versions and cipher suites
sslscan example.com
- httpx: multi-purpose HTTP toolkit for probing live hosts.
Find Information in Web Pages
# Look for hidden form fields and leaked credentials in the page source
curl -s http://vulnerable.com/ | grep -i hidden
curl -s http://vulnerable.com/ | grep -i password
Request using Python
#!/usr/bin/env python3
import requests

ip = '10.0.0.1'
port = '80'
url = 'http://%s:%s' % (ip, port)
ua = 'Mozilla/5.0 ...'

# Args
params = {'page': '2', 'item': 'chair'}   # appended as the query string
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
auth = requests.auth.HTTPBasicAuth('username', 'password')

r = requests.get(url, params=params, headers=headers, cookies=cookies, auth=auth)
print(r.status_code)
print(r.text)
#!/usr/bin/env python3
import requests

url = 'http://example.com'

# A Session keeps cookies between requests
session = requests.Session()
r = session.get(url)
print(r.text)
#!/usr/bin/env python3
import requests

url = 'http://example.com/login'
ua = 'Mozilla/5.0 ...'
data = {'username': 'admin', 'password': 'admin'}

# Args
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}

r = requests.post(url, data=data, headers=headers, cookies=cookies)
print(r.status_code)
print(r.text)
#!/usr/bin/env python3
import requests

url = 'http://example.com/comment'
data = {'name': 'Mike', 'comment': 'Hello'}

session = requests.Session()
r = session.post(url, data=data)
print(r.text)
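The grep approach under Find Information in Web Pages and the session-based POST above come together in the following added example, which is not code from the original notes: a subclass of the standard library's html.parser collects hidden inputs and HTML comments from a page, a line filter reproduces the curl | grep idea, and login_with_csrf replays the hidden fields (including a CSRF token) in the login POST on the same session. The sample HTML, the field name csrf_token, the FakeSession/FakeResponse stand-ins and the example.com URL are constructed assumptions for an offline run; against a target you are authorized to test, pass a real requests.Session() to login_with_csrf instead.

```python
#!/usr/bin/env python3
"""Pull hidden form fields and HTML comments out of a page, then replay a
hidden CSRF token in a login POST through a requests-style session.

Added example for this page, not code from the original notes. The sample
HTML, the field name `csrf_token` and the Fake* classes are constructed for
the offline demonstration; use `requests.Session()` against a real target.
"""
from html.parser import HTMLParser
from typing import Dict, List


class PageInspector(HTMLParser):
    """Collect <input type="hidden"> fields and <!-- comments -->."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: Dict[str, str] = {}
        self.comments: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect_page(html: str) -> PageInspector:
    p = PageInspector()
    p.feed(html)
    return p


def grep_page(html: str, keywords=("password", "hidden", "todo", "admin")) -> List[str]:
    """Lines containing any keyword, case-insensitively (the curl | grep idea)."""
    return [ln.strip() for ln in html.splitlines()
            if any(k in ln.lower() for k in keywords)]


def login_with_csrf(session, login_url: str, username: str, password: str):
    """GET the login page, replay every hidden field (CSRF token included),
    add the credentials and POST back on the same session."""
    page = session.get(login_url)
    data = dict(inspect_page(page.text).hidden)
    data.update({"username": username, "password": password})
    return session.post(login_url, data=data)


# Constructed sample page (not from a real site).
SAMPLE_HTML = """<html><body>
<!-- TODO: remove test account admin/Summer2024 before go-live -->
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="d3adb33f">
  <input type="hidden" name="next" value="/dashboard">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>"""


class FakeResponse:
    """Minimal stand-in for requests.Response (constructed for offline use)."""

    def __init__(self, text: str, status_code: int = 200):
        self.text, self.status_code = text, status_code


class FakeSession:
    """Stand-in for requests.Session: serves a fixed login page and records
    POSTs, rejecting any POST whose csrf_token does not match the page."""

    def __init__(self, page_html: str):
        self.page_html, self.posts = page_html, []

    def get(self, url, **kw):
        return FakeResponse(self.page_html)

    def post(self, url, data=None, **kw):
        data = dict(data or {})
        self.posts.append((url, data))
        ok = data.get("csrf_token") == "d3adb33f"  # server-side token check
        return FakeResponse("Welcome" if ok else "Bad token", 200 if ok else 403)


if __name__ == "__main__":
    info = inspect_page(SAMPLE_HTML)
    print("hidden:", info.hidden)
    print("comments:", info.comments)
    print("grep:", grep_page(SAMPLE_HTML))
    r = login_with_csrf(FakeSession(SAMPLE_HTML), "http://example.com/login",
                        "admin", "Summer2024")
    print(r.status_code, r.text)
```

Because login_with_csrf only needs .get and .post, it works unchanged with requests.Session, which also carries the Set-Cookie session identifier from the GET over to the POST; a plain requests.post would send the token without the cookie it was bound to and usually be rejected.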
Disclaimer
Exploit Notes is only for educational purposes or authorized penetration testing, not for attacking servers you are not authorized to test. This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally. Please use the contents of this site at your own risk.
The contents of this site are not original but are based on information from the internet that the author actually tried and confirmed to work. Although the author strives to post the latest information, there is no guarantee that it will always be up to date.