#Harvesting


===[Shell]===
[| Hacking - |Shell]
Seclists https://github.com/danielmiessler/SecLists/tree/master/Web-Shells

===[CVE]===

#Protocol

Payload:
https://github.com/swisskyrepo/PayloadsAllTheThings/
https://github.com/danielmiessler/SecLists/
OWASP Cheatsheet: https://github.com/OWASP/CheatSheetSeries
https://github.com/qazbnm456/awesome-web-security
Writeup: https://bu.gbounty.cc/index.php/2019/09/26/doan-xem/
Standard: http://www.pentest-standard.org/index.php/Main_Page
-------------------------------------------------
Checklist:
https://wiki.owasp.org/index.php/Testing_Checklist
https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab
Quick https://github.com/jhaddix/tbhm/blob/master/11_Auxiliary_Info.md
Methodology:
http://www.0daysecurity.com/pentest.html
https://github.com/jhaddix/tbhm
https://book.hacktricks.xyz/pentesting-methodology
https://portswigger.net/kb/issues
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
--------------------
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies


CVE Harvesting
Version: Production, Beta, Mobile, Dev, Old, Unknown/Proprietary
===[Pentest]===
Reconnaissance
ExploitDB
OSINT

Light Testing:
Misconfiguration
Email
<s>000’”)};–//
Subdomain Takeover
Information Leakage | User Enumeration
IDOR
Bruteforce: Login, OTP
Open Redirect
Path Traversal
Cache Poisoning
False2True
False Delete
Null Byte Injection
Unprotected Database

Heavy Testing:
Header
Session
HTTP Parameter Pollution
CRLF: Log, Response Splitting, Header Injection
HTTP Desync | Request Smuggling
XSS | HTML Injection
SQLi
CSRF | SSRF
Template Injection
Directory Traversal | File Inclusion: LFI/RFI
Log Injection > Execution
Deserialization
XXE
RCE
Command Injection
Fuzzing
Buffer Overflow
API
Upload
WAF
Poisoning
DNS
Cross-Origin
-------------
SVG
Emoji

Optional:
Race Conditions
Memory
OAuth
Extension
SEH
Use after free
Active Directory

Misc:
[Hacking - IoT]
[Hacking - Mobile]

===[Report|Web Application]===
[Organization]: Known Vulnerability
--------Recon--------
IP
History
Domain: In Scope, Out of Scope
Domain1: rDNS, Whois
Domain2: ...
Technology
Site1: Server, Firewall, Developer
Site2: ...
Directory
Entry Points: GET|POST, Cookies, Header
API
Admin
Site1: robots.txt, Admin UI, Entry Detail, Directory, Parameter
Site2: ...
Repository
File
Issue
Documentation
Support
Default
Version: Old/Deprecated | Beta/Staging | Unknown/Proprietary
Leakage:
Site1:
Site2:
--------Test--------
Suspicious:
Vulnerability1
Site1: Version, Known CVE, Writeup
Site2: ...
Vulnerability2
...
-------------------------------------------------------------------------------
#  URL                     Method     Description                 Vulnerability  Note
1  http://localhost        Cookie     PHPSESSID=3l9hrft7npk
2  http://localhost        UserAgent  Mozilla/5.0
3  http://localhost/login  GET        Login page
4  http://localhost?id=1   GET        Entry point id=1
5  http://localhost/login  POST       Entry point Username=abc


===[Bounty]===
Summary:
Severity:
Description:
Environment:
Reproduction steps:
Impact:
-----------------------------------
Description:
Vulnerable Endpoint:
Impact:
CVSS:

Proof of concept:


===[PDF]===
Protocol:
#Protocol
#Recon
Domain
Default
Repository
Information Leakage
SE
Filter
Dork
#Tools
Penetration Testing:


=================================================
Web Hacking 101 https://b-ok.cc/book/3653856/ab66e3
The Web Application Hacker's Handbook http://index-of.es/EBooks/11_TheWeb%20Application%20Hackers%20Handbook.pdf
---------------------------------
PENTESTING-BIBLE https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE

#Reconnaissance

List:
Online http://archive.ph/bNfwK

Intercept: BurpSuite[HTML, JS, Cookies, Header]
Extension: Wappalyzer|Builtwith|Whatruns, uMatrix, webdev7, Shodan, postMessage-tracker
Packet: Wireshark
----------------------------
System: Process Hacker|Explorer, PChunter
Window: Window Spy, Window Detective

===[Workflow]===
Discovery:
Subdomain
Archive
OSINT
Default Assets
Other Version: Production, Beta, Mobile, Dev, Old, Unknown/Proprietary
IP https://medium.com/bugbountywriteup/accessing-the-website-directly-through-its-ip-address-a-case-of-a-poorly-hidden-sql-injection-82833defbbc3
Identify Technology:
Extension
Tools
Mapping:
Burpsuite BurpSmartBuster
Tools
Misc:
Documentation
API
Repository
Cloud

===[Lightning Recon]===
Domain:
subfinder -d target.com
http://archive.today/*.google.com
https://chaos.projectdiscovery.io/#/
https://dnsdumpster.com/
https://subdomainfinder.c99.nl/
https://subbuster.cyberxplore.com
https://securitytrails.com/list/apex_domain/google.com
https://crt.sh/?q=%25.shopify.com
https://www.abuseipdb.com/whois/66.249.83.87
https://google.com.ipaddress.com/
Port:
https://hackertarget.com/nmap-online-port-scanner/
http://www.t1shopper.com/tools/port-scan/
Virtual host:
https://pentest-tools.com/information-gathering/find-virtual-hosts
https://hackertarget.com/server-info/
Technology:
Wappalyzer | Builtwith | Whatruns
w3tech https://w3techs.com/search
What CMS? https://whatcms.org/
Misc:
https://www.shodan.io/
robots.txt + sitemap.xml + .git + Archive
Wayback https://github.com/tomnomnom/waybackurls
Social:
https://www.wikidata.org/w/index.php?search=pay.google.com&title=Special:Search&profile=advanced&fulltext=1&advancedSearch-current=%7B%7D&ns0=1&ns120=1
https://news.ycombinator.com/from?site=corp.google.com
https://www.reddit.com/search/?q=site%3Acorp.google.com
https://archive.4plebs.org/pol/search/text/%22corp.google%22/
https://archive.rebeccablacktech.com/g/search/text/%22corp.google%22/
https://twitter.com/search?q=corp.google&src=typed_query
https://github.com/search
https://www.google.com/search?q=site%3Apastebin.com+corp.google
https://boardreader.com/
inurl:forum|viewthread|showthread|viewtopic|showtopic|"index.php?topic" | intext:"reading this topic"|"next thread"|"next topic"|"send private message"

===[Heavy Recon]===
[Search/Security] + [|SE]
http://archive.ph/*.google.com
https://web.archive.org/web/*/google.com/*
-------------
https://www.shodan.io/
https://censys.io/
https://searchdns.netcraft.com/?restriction=site+ends+with&host=.google.com&lookup=wait..&position=limited
[Security/Hacking]
https://check-host.net/
https://urlscan.io/
https://sitereport.netcraft.com/?url=
------------
https://subdomainfinder.c99.nl/
https://subbuster.cyberxplore.com
https://securitytrails.com/list/apex_domain/google.com
https://crt.sh/?q=%25.shopify.com
http://archive.ph/*.google.com
https://dnsdumpster.com/
https://searchdns.netcraft.com/?restriction=site+ends+with&host=.google.com&lookup=wait..&position=limited
https://sitereport.netcraft.com/?url=
https://bgp.he.net/
https://www.virustotal.com/gui/
[Domain]
dig, host, whois
subfinder -d target.com
Sublist3r, Knockpy, MassDNS
python knock.py example.com -w list.txt
./sublist3r.py -d example.com
Wayback https://github.com/tomnomnom/waybackurls
https://chaos.projectdiscovery.io/#/
https://viewdns.info
ReverseWhois https://viewdns.info/reversewhois
https://google.com.ipaddress.com/
https://www.abuseipdb.com/whois/66.249.83.87
Social:
https://www.wikidata.org/w/index.php?search=pay.google.com&title=Special:Search&profile=advanced&fulltext=1&advancedSearch-current=%7B%7D&ns0=1&ns120=1
https://news.ycombinator.com/from?site=corp.google.com
https://www.reddit.com/search/?q=site%3Acorp.google.com
https://archive.4plebs.org/pol/search/text/%22corp.google%22/
https://archive.rebeccablacktech.com/g/search/text/%22corp.google%22/
https://twitter.com/search?q=corp.google&src=typed_query
https://github.com/search
https://www.google.com/search?q=site%3Apastebin.com+corp.google
https://boardreader.com/
inurl:forum|viewthread|showthread|viewtopic|showtopic|"index.php?topic" | intext:"reading this topic"|"next thread"|"next topic"|"send private message"
-------------
Seclists https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
Assetfinder https://github.com/tomnomnom/assetfinder
Altdns https://github.com/infosec-au/altdns
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
Commonspeak https://pentester.io/commonspeak-bigquery-wordlists/
Domain Profiler https://github.com/jpf/domain-profiler
./profile target.com
LinkFinder https://github.com/GerbenJavado/LinkFinder
./linkfinder.py -i https://target.com -o cli
------------------------------
https://www.zoomeye.org/searchResult?q=corp.google.com
https://www.robtex.com/
https://app.binaryedge.io/services/query
https://sslmate.com/certspotter/api/
https://censys.io/domain?q=
https://community.riskiq.com/research
https://recon.dev/dashboard
IP Range:
http://whois.domaintools.com/
https://bgp.he.net/
Screenshot:
Heavy: ./EyeWitness -f live.txt -d out --headless
Light: meg -d 10 -c 200 / live.txt
rDNS
https://www.yougetsignal.com/tools/web-sites-on-web-server/
http://reverseip.domaintools.com/search/
https://www.bing.com/search?q=ip%3A208.109.192.70
https://api.hackertarget.com/reverseiplookup/?q=208.109.192.70
OSINT
Photon https://github.com/s0md3v/Photon
python3 photon.py -u target.com --keys --dns
Recon-NG https://github.com/lanmaster53/recon-ng
theHarvester https://github.com/laramies/theHarvester

---------------------------------------

Nmap | MASSCAN
Port knocking https://nmap.org/book/nmap-defenses-trickery.html
nmap -A -T4 -p- x.x.x.x xxx.xxx.xxx.xxx-yyy
nmap -sSV -T4 -O -p0-65535 apollo.sco.com
nmap -sC -sV -T4 -A target
Seclists https://github.com/danielmiessler/SecLists/tree/master/Discovery/Infrastructure
Common Protocol https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/curl-protocols.txt
Port:
https://hackertarget.com/nmap-online-port-scanner/
http://www.t1shopper.com/tools/port-scan/
Identify Technology:
Technology:
Wappalyzer | Builtwith | Whatruns
Builtwith https://builtwith.com/
w3tech https://w3techs.com/search
What CMS? https://whatcms.org/
WhatWeb https://github.com/urbanadventurer/WhatWeb
whatweb target.com
https://libraries.io
Server Fingerprint:
nc 202.41.76.251 80
GET / HTTP/1.1
Firewall:
Wafw00f https://github.com/EnableSecurity/wafw00f
Version: Production, Beta, Mobile, Dev, Old, Unknown/Proprietary
Virtual host:
https://pentest-tools.com/information-gathering/find-virtual-hosts
https://hackertarget.com/server-info/
VHostScan https://github.com/codingo/VHostScan
virtual-host-discovery https://github.com/jobertabma/virtual-host-discovery
|Favicon

Mapping:
Active|Passive Spider:
Burp Suite
Scrapy
Directory:
dirsearch https://github.com/maurosoria/dirsearch
./dirsearch.py --url <target> -w <wordlist> -e <extension>
Dirb | DirBuster | Gobuster
Meg https://github.com/tomnomnom/meg
Arjun https://github.com/s0md3v/Arjun
python3 arjun.py -u https://
Seclists https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
Quick Hit https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/quickhits.txt
CMS URL https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/URLs
CMS https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/CMS
Frontpage https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/frontpage.txt
robot https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/RobotsDisallowed-Top100.txt
Directory https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/SVNDigger
raft https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-directories.txt
API https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api
Language:
PHP https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/Common-PHP-Filenames.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/PHP.fuzz.txt
Server:
Apache https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/apache.txt
Nginx https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/nginx.txt
Oracle https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/oracle.txt
Tomcat https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/tomcat.txt
Spring-boot https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt
Weblogic https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/weblogic.txt
Jboss https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/jboss.txt
Admin Finder + robots.txt
http://aixoa.blogspot.com/2016/01/admin-page-wordlist.html

Locate Entry points:
Query: POST|GET
Cookie
Login|Forget password mechanism
Header: User-Agent, Referer, Accept, Accept-Language, Host headers
Hidden form input
URL
Parameter name
------------------------
Profile page | Application settings
Shopping cart
File Manager
Message board
Blog
Log
Email
Network name, SSID

Default Assets:
Install script | Sample applications
Hardcoded String|URL
Control Panel
Password
Dork
Metafile
---------------------------------------
Misc:
Documentation
[API]
[Information Leakage]
S3recon https://github.com/clarketm/s3recon
s3recon "list.txt" -o "results.json" --public
google
apple
microsoft
amazon
uber
lyft
[Repository]
Gitrob https://github.com/michenriksen/gitrob
[|Default]
[Mobile]
[IoT]
[Cloud]


=================================================
LazyRecon https://github.com/nahamsec/lazyrecon
Reconnoitre https://github.com/codingo/Reconnoitre
-------------------------
theHarvester https://github.com/laramies/theHarvester
OWASP Amass https://github.com/OWASP/Amass
Recon-ng https://github.com/lanmaster53/recon-ng
Striker https://github.com/s0md3v/Striker
-------------------------
Gitrob https://github.com/michenriksen/gitrob
