@soulofzephir/pi-skill-pentesting 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/PUBLISH.md +97 -0
- package/README.md +255 -0
- package/package.json +39 -0
- package/skills/pentesting/SKILL.md +399 -0
- package/skills/pentesting/checklists/headers.md +286 -0
- package/skills/pentesting/checklists/injection.md +456 -0
- package/skills/pentesting/checklists/owasp.md +291 -0
- package/skills/pentesting/checklists/ports.md +323 -0
- package/skills/pentesting/reports/template.md +268 -0
- package/skills/pentesting/tools/generate-report.ps1 +327 -0
- package/skills/pentesting/tools/header-scan.ps1 +202 -0
- package/skills/pentesting/tools/header-scan.sh +173 -0
- package/skills/pentesting/tools/security-scan.ps1 +338 -0
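--- a/package/skills/pentesting/checklists/owasp.md
+++ b/package/skills/pentesting/checklists/owasp.md
@@ -0,0 +1,291 @@
+# OWASP Top 10 Vulnerability Checklist
+
+## A01 - Broken Access Control
+
+### IDOR (Insecure Direct Object Reference)
+```
+Test:
+- /api/users/1 โ /api/users/2 (can view others?)
+- /orders/123 โ /orders/124 (can access others?)
+- /download?file=report1.pdf โ /download?file=../../etc/passwd
+```
+
+**Check:**
+- [ ] Horizontal privilege escalation possible?
+- [ ] Vertical privilege escalation possible?
+- [ ] Direct object references exposed in URL?
+- [ ] Authorization bypass on admin endpoints?
+- [ ] Missing rate limiting on sensitive endpoints?
+
+### Forced Browsing
+**Check:**
+- [ ] Can access admin panel without auth?
+- [ ] Can force browse to /admin, /dashboard, /settings?
+- [ ] API endpoints protected?
+
+### Mass Assignment
+**Check:**
+- [ ] Can modify is_admin=true in request?
+- [ ] Can modify role=user to role=admin?
+
+---
+
+## A02 - Cryptographic Failures
+
+### Sensitive Data Exposure
+**Check:**
+- [ ] HTTPS enforced everywhere?
+- [ ] Credit card data properly handled?
+- [ ] PII encrypted at rest?
+- [ ] Passwords hashed (bcrypt, argon2)?
+- [ ] Secrets in source code?
+
+### Weak Crypto
+**Check:**
+- [ ] MD5/SHA1 for passwords?
+- [ ] DES/3DES still in use?
+- [ ] Weak TLS versions (SSLv3, TLS1.0, 1.1)?
+
+### Insecure Key Management
+**Check:**
+- [ ] API keys in code?
+- [ ] Keys in URLs?
+- [ ] Hardcoded credentials?
+
+---
+
+## A03 - Injection
+
+### SQL Injection
+**Test Payloads:**
+```
+'
+"
+' OR '1'='1
+' OR 1=1--
+' UNION SELECT NULL--
+' UNION SELECT username,password FROM users--
+'; DROP TABLE users--
+```
+
+**Check:**
+- [ ] Login form injectable?
+- [ ] Search fields injectable?
+- [ ] URL parameters injectable?
+- [ ] Blind SQLi possible?
+- [ ] Error messages leak info?
+
+### XSS (Cross-Site Scripting)
+**Test Payloads:**
+```html
+<script>alert(1)</script>
+<img src=x onerror=alert(1)>
+<svg onload=alert(1)>
+javascript:alert(1)
+<iframe src="javascript:alert(1)">
+<marquee onstart=alert(1)>
+```
+
+**Types:**
+- [ ] Reflected XSS
+- [ ] Stored XSS
+- [ ] DOM-based XSS
+
+**Check:**
+- [ ] Input sanitized?
+- [ ] Output encoded?
+- [ ] CSP prevents execution?
+
+### Command Injection
+**Test Payloads:**
+```
+; ls
+| cat /etc/passwd
+&& whoami
+`id`
+$(id)
+```
+
+**Check:**
+- [ ] OS command execution possible?
+- [ ] Ping/traceroute vulnerable?
+
+### LDAP Injection
+**Test:**
+```
+*)(objectClass=*
+admin)(&(password=*)
+```
+
+### XML Injection / XXE
+**Test:**
+```xml
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<foo>&xxe;</foo>
+```
+
+---
+
+## A04 - Insecure Design
+
+### Missing Rate Limiting
+**Check:**
+- [ ] Login brute forceable?
+- [ ] Registration floodable?
+- [ ] API unlimited requests?
+- [ ] File upload unlimited?
+
+### Business Logic Flaws
+**Check:**
+- [ ] Price manipulation possible?
+- [ ] Quantity manipulation possible?
+- [ ] Coupon reuse possible?
+- [ ] Workflow bypass possible?
+
+---
+
+## A05 - Security Misconfiguration
+
+### Default Credentials
+**Check:**
+- [ ] Admin/admin works?
+- [ ] test/test works?
+- [ ] vendor/vendor works?
+
+### Debug Mode
+**Check:**
+- [ ] Debug=true in production?
+- [ ] Stack traces exposed?
+- [ ] Verbose error messages?
+
+### Directory Listing
+**Check:**
+- [ ] Directory listing enabled?
+- [ ] .git/.env exposed?
+
+### Unnecessary Features
+**Check:**
+- [ ] TRACE method enabled?
+- [ ] OPTIONS method enabled?
+- [ ] XML parsing enabled unnecessarily?
+
+---
+
+## A06 - Vulnerable Components
+
+### Outdated Software
+**Check:**
+- [ ] jQuery outdated?
+- [ ] Bootstrap outdated?
+- [ ] Framework version old?
+- [ ] CMS plugins outdated?
+
+### Known CVEs
+**Check:**
+- [ ] Components with known exploits?
+- [ ] Deprecated libraries?
+
+---
+
+## A07 - Identification & Authentication Failures
+
+### Weak Password Policy
+**Check:**
+- [ ] No minimum length?
+- [ ] No complexity required?
+- [ ] Common passwords allowed? (123456, password, admin)
+
+### Session Management
+**Check:**
+- [ ] Session ID in URL?
+- [ ] Session fixation possible?
+- [ ] Sessions timeout?
+- [ ] Concurrent sessions allowed for sensitive accounts?
+- [ ] Session cookies: HttpOnly? Secure? SameSite?
+
+### MFA
+**Check:**
+- [ ] MFA available?
+- [ ] MFA enforced for admin?
+
+### Password Reset
+**Check:**
+- [ ] Token predictable?
+- [ ] Token reusable?
+- [ ] Email enumeration possible?
+
+---
+
+## A08 - Software & Data Integrity Failures
+
+### Insecure Deserialization
+**Test:**
+```
+O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"is_admin";b:1;}
+```
+
+**Check:**
+- [ ] Serialized objects accepted?
+- [ ] Type checking done?
+
+### CI/CD Issues
+**Check:**
+- [ ] Dependencies verified?
+- [ ] Code signed?
+- [ ] Pipeline secure?
+
+---
+
+## A09 - Security Logging Failures
+
+**Check:**
+- [ ] Failed logins logged?
+- [ ] Successful logins logged?
+- [ ] Admin actions logged?
+- [ ] Logs contain PII?
+- [ ] Logs accessible?
+
+---
+
+## A10 - Server-Side Request Forgery (SSRF)
+
+**Test Payloads:**
+```
+http://localhost/admin
+http://127.0.0.1:22
+http://169.254.169.254/ (AWS metadata)
+file:///etc/passwd
+```
+
+**Check:**
+- [ ] URL parameters fetch external resources?
+- [ ] Image URL parameter vulnerable?
+- [ ] Internal network accessible?
+
+---
+
+## Quick Scan Commands
+
+```bash
+# Nuclei template scan
+nuclei -u https://target.com -t cves/ -severity critical,high
+
+# SQLMap basic
+sqlmap -u "https://target.com/search?q=1" --batch
+
+# Directory enumeration
+gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
+
+# Parameter discovery
+arjun -u https://target.com/api/
+
+# XSS with dalfox
+dalfox url https://target.com/search?q=test
+
+# CMS scanner
+wpscan --url https://target.com --enumerate vp
+
+# Check for exposed .git
+curl https://target.com/.git/config
+```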
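--- a/package/skills/pentesting/checklists/ports.md
+++ b/package/skills/pentesting/checklists/ports.md
@@ -0,0 +1,323 @@
+# Open Port & Network Scanning Checklist
+
+## ๐ Port Scanning Overview
+
+### Common Ports to Check
+
+| Category | Ports | Service |
+|----------|-------|---------|
+| **Web** | 80, 443, 8080, 8443 | HTTP/HTTPS |
+| **Database** | 3306, 5432, 27017, 1433, 6379 | MySQL, PostgreSQL, MongoDB, MSSQL, Redis |
+| **Remote Access** | 22, 23, 3389, 5900 | SSH, Telnet, RDP, VNC |
+| **Email** | 25, 110, 143, 465, 587, 993, 995 | SMTP, POP3, IMAP |
+| **Directory** | 389, 636, 3268 | LDAP, LDAPS |
+| **File** | 21, 69, 2049 | FTP, TFTP, NFS |
+| **DevOps** | 2375, 2376, 4243 | Docker, Kubernetes |
+| **Monitoring** | 9200, 5601 | Elasticsearch, Kibana |
+| **Other** | 111, 512, 513, 514, 515 | RPC, rexec, rlogin, syslog |
+
+---
+
+## ๐ฏ Quick Port Scan Commands
+
+### Nmap (Recommended)
+```bash
+# Basic scan
+nmap -sV target.com
+
+# Full port scan
+nmap -p- -sV -sC -O target.com
+
+# Top 100 ports
+nmap --top-ports 100 target.com
+
+# UDP scan (slow)
+nmap -sU target.com
+
+# Aggressive scan with scripts
+nmap -A -p- target.com
+
+# Stealth SYN scan (needs root)
+nmap -sS target.com
+
+# Quick scan
+nmap -F target.com
+```
+
+### Alternative Tools
+```bash
+# masscan (fast)
+masscan -p1-65535 target.com --rate=1000
+
+# rustscan (modern, fast)
+rustscan -a target.com
+
+# nc (basic check)
+nc -zv target.com 1-1000
+
+# PowerShell
+1..1024 | % {
+$tcp = New-Object System.Net.Sockets.TcpClient
+$tcp.BeginConnect("target.com", $_, $null, $null)
+if ($tcp.AsyncWaitHandle.WaitOne(200)) {
+Write-Host "Port $_ is OPEN"
+}
+$tcp.Close()
+}
+```
+
+---
+
+## ๐ด High Risk Open Ports
+
+### โ Never Expose Public
+
+| Port | Service | Risk | Should Be |
+|------|---------|------|-----------|
+| 22 | SSH | Brute force | localhost only or key-only |
+| 3306 | MySQL | SQL injection + remote | 127.0.0.1 only |
+| 5432 | PostgreSQL | Data breach | localhost only |
+| 27017 | MongoDB | Data breach | localhost only |
+| 6379 | Redis | No auth common | bind to localhost |
+| 11211 | Memcached | DDoS amplification | localhost only |
+| 9200 | Elasticsearch | Data exposure | behind auth/firewall |
+| 2375 | Docker | Container escape | NEVER expose |
+| 8080 | HTTP Proxy | Open proxy | internal only |
+| 3128 | Squid | Open proxy | internal only |
+| 1080 | SOCKS | Proxy abuse | internal only |
+
+---
+
+## โ ๏ธ Service-Specific Checks
+
+### SSH (Port 22)
+**Check:**
+- [ ] Password authentication disabled?
+- [ ] Root login disabled?
+- [ ] Strong key only (RSA 4096+ / Ed25519)?
+- [ ] Failed login rate limited?
+- [ ] SSH keys rotated regularly?
+- [ ] Banner shows version? (hide it!)
+- [ ] Max auth tries limited?
+
+**Test:**
+```bash
+# Check SSH version/info leak
+ssh -v target.com
+
+# Check supported algorithms
+ssh -vvv target.com
+
+# Test weak ciphers
+ssh -c 3des-cbc target.com
+
+# Check for banner
+nc target.com 22
+```
+
+---
+
+### Database Ports
+
+#### MySQL (3306)
+**Check:**
+- [ ] Bind address = 127.0.0.1?
+- [ ] Root access from remote?
+- [ ] Empty/default password?
+- [ ] SSL required for remote?
+- [ ] Users limited to specific IPs?
+
+**Test:**
+```bash
+# Try connection
+mysql -h target.com -u root -p
+
+# Nmap scripts
+nmap --script=mysql-info target.com -p 3306
+nmap --script=mysql-empty-password target.com -p 3306
+nmap --script=mysql-brute target.com -p 3306
+```
+
+#### PostgreSQL (5432)
+**Check:**
+- [ ] pg_hba.conf restricts access?
+- [ ] SSL enforced?
+- [ ] Password complexity enforced?
+
+**Test:**
+```bash
+# Try connection
+psql -h target.com -U postgres
+
+# Nmap scripts
+nmap --script=pgsql-brute target.com -p 5432
+```
+
+#### MongoDB (27017)
+**Check:**
+- [ ] No authentication enabled?
+- [ ] Restriction to localhost?
+- [ ] SSL/TLS enabled?
+
+**Test:**
+```bash
+# No auth check
+nmap --script=mongodb-info target.com -p 27017
+
+# Try connection
+mongosh mongodb://target.com:27017
+```
+
+#### Redis (6379)
+**Check:**
+- [ ] Password set (AUTH)?
+- [ ] Bind to localhost?
+- [ ] Protected mode enabled?
+
+**Test:**
+```bash
+# No auth test
+redis-cli -h target.com
+
+# Try commands
+redis-cli -h target.com INFO
+redis-cli -h target.com KEYS *
+redis-cli -h target.com CONFIG GET *
+```
+
+---
+
+### HTTP/HTTPS Ports (80, 443, 8080, 8443)
+
+**Check:**
+- [ ] HTTP redirects to HTTPS?
+- [ ] TLS version (no SSLv3, TLS 1.0/1.1)?
+- [ ] Weak ciphers disabled?
+- [ ] Certificate valid and not expired?
+- [ ] Self-signed cert?
+- [ ] HSTS enabled?
+- [ ] Directory listing disabled?
+
+**Test:**
+```bash
+# SSL/TLS check
+nmap --script=ssl-enum-ciphers target.com -p 443
+testssl.sh target.com
+
+# Check certificate
+openssl s_client -connect target.com:443 -showcerts
+
+# Check for HTTP methods
+curl -v -X OPTIONS http://target.com/
+
+# Check TRACE method (XST attack)
+curl -v -X TRACE http://target.com/
+
+# Directory enumeration
+gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
+ffuf -w wordlist.txt -u http://target.com/FUZZ
+```
+
+---
+
+### Email Ports
+
+| Port | Service | Security Checks |
+|------|---------|----------------|
+| 25 | SMTP | Open relay? |
+| 465 | SMTPS | SSL/TLS? |
+| 587 | SMTP | STARTTLS? |
+| 110 | POP3 | SSL? |
+| 143 | IMAP | SSL? |
+| 993 | IMAPS | SSL? |
+| 995 | POP3S | SSL? |
+
+**Test:**
+```bash
+# SMTP open relay check
+telnet target.com 25
+HELO test.com
+MAIL FROM:<test@test.com>
+RCPT TO:<victim@target.com>
+DATA
+test
+.
+
+# Test STARTTLS
+openssl s_client -starttls smtp -connect target.com:587
+
+# Check for weak ciphers
+nmap --script=smtp-enum-users,smtp-brute target.com -p 25,465,587
+```
+
+---
+
+## ๐ ๏ธ Automation Scripts
+
+### Quick Port Discovery (Bash)
+```bash
+#!/bin/bash
+TARGET=$1
+echo "Port Scan for: $TARGET"
+echo "======================"
+
+# Common high-risk ports
+RISKY_PORTS="21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080,8443"
+
+echo "Checking risky ports..."
+nmap -p$RISKY_PORTS -T4 -F $TARGET
+
+echo ""
+echo "Checking all ports (verbose)..."
+nmap -p- -T4 -v $TARGET -oN scan_results.txt
+
+echo ""
+echo "Running default scripts..."
+nmap -sC -sV -p21,22,80,443,3306,5432,6379,8080 $TARGET
+```
+
+### PowerShell Quick Scan
+```powershell
+$ports = @(21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080,8443)
+$target = "target.com"
+
+$ports | ForEach-Object -Parallel {
+$port = $_
+try {
+$tcp = New-Object System.Net.Sockets.TcpClient
+$result = $tcp.BeginConnect($using:target, $port, $null, $null)
+$wait = $result.AsyncWaitHandle.WaitOne(300)
+if ($wait -and $tcp.Connected) {
+Write-Host "OPEN: $port" -ForegroundColor Green
+}
+$tcp.Close()
+} catch {}
+}
+```
+
+---
+
+## ๐ Port Security Score
+
+| Points | Status |
+|--------|--------|
+| 100-90 | Excellent - No risky ports exposed |
+| 89-70 | Good - Few ports, properly secured |
+| 69-50 | Fair - Some risky ports need review |
+| 49-30 | Poor - Multiple risky ports open |
+| 29-0 | Critical - Major security exposure |
+
+---
+
+## ๐ง Hardening Checklist
+
+- [ ] Default ports changed (SSH 22โcustom)
+- [ ] Firewall restricts access to necessary ports
+- [ ] Only essential ports exposed to internet
+- [ ] Internal services behind VPN/firewall
+- [ ] Port scanning detected & logged
+- [ ] Fail2ban/denyhosts active
+- [ ] Rate limiting on all services
+- [ ] Unused services disabled
+- [ ] All services updated/patched
+- [ ] Strong authentication everywhere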