@soulofzephir/pi-skill-pentesting 1.0.0

@@ -0,0 +1,291 @@
1
+ # OWASP Top 10 Vulnerability Checklist
2
+
3
+ ## A01 - Broken Access Control
4
+
5
+ ### IDOR (Insecure Direct Object Reference)
6
+ ```
7
+ Test:
8
+ - /api/users/1 โ†’ /api/users/2 (can view others?)
9
+ - /orders/123 โ†’ /orders/124 (can access others?)
10
+ - /download?file=report1.pdf โ†’ /download?file=../../etc/passwd
11
+ ```
12
+
13
+ **Check:**
14
+ - [ ] Horizontal privilege escalation possible?
15
+ - [ ] Vertical privilege escalation possible?
16
+ - [ ] Direct object references exposed in URL?
17
+ - [ ] Authorization bypass on admin endpoints?
18
+ - [ ] Missing rate limiting on sensitive endpoints?
19
+
20
+ ### Forced Browsing
21
+ **Check:**
22
+ - [ ] Can access admin panel without auth?
23
+ - [ ] Can force browse to /admin, /dashboard, /settings?
24
+ - [ ] API endpoints protected?
25
+
26
+ ### Mass Assignment
27
+ **Check:**
28
+ - [ ] Can modify is_admin=true in request?
29
+ - [ ] Can modify role=user to role=admin?
30
+
31
+ ---
32
+
33
+ ## A02 - Cryptographic Failures
34
+
35
+ ### Sensitive Data Exposure
36
+ **Check:**
37
+ - [ ] HTTPS enforced everywhere?
38
+ - [ ] Credit card data properly handled?
39
+ - [ ] PII encrypted at rest?
40
+ - [ ] Passwords hashed (bcrypt, argon2)?
41
+ - [ ] Secrets in source code?
42
+
43
+ ### Weak Crypto
44
+ **Check:**
45
+ - [ ] MD5/SHA1 for passwords?
46
+ - [ ] DES/3DES still in use?
47
+ - [ ] Weak TLS versions (SSLv3, TLS1.0, 1.1)?
48
+
49
+ ### Insecure Key Management
50
+ **Check:**
51
+ - [ ] API keys in code?
52
+ - [ ] Keys in URLs?
53
+ - [ ] Hardcoded credentials?
54
+
55
+ ---
56
+
57
+ ## A03 - Injection
58
+
59
+ ### SQL Injection
60
+ **Test Payloads:**
61
+ ```
62
+ '
63
+ "
64
+ ' OR '1'='1
65
+ ' OR 1=1--
66
+ ' UNION SELECT NULL--
67
+ ' UNION SELECT username,password FROM users--
68
+ '; DROP TABLE users--
69
+ ```
70
+
71
+ **Check:**
72
+ - [ ] Login form injectable?
73
+ - [ ] Search fields injectable?
74
+ - [ ] URL parameters injectable?
75
+ - [ ] Blind SQLi possible?
76
+ - [ ] Error messages leak info?
77
+
78
+ ### XSS (Cross-Site Scripting)
79
+ **Test Payloads:**
80
+ ```html
81
+ <script>alert(1)</script>
82
+ <img src=x onerror=alert(1)>
83
+ <svg onload=alert(1)>
84
+ javascript:alert(1)
85
+ <iframe src="javascript:alert(1)">
86
+ <marquee onstart=alert(1)>
87
+ ```
88
+
89
+ **Types:**
90
+ - [ ] Reflected XSS
91
+ - [ ] Stored XSS
92
+ - [ ] DOM-based XSS
93
+
94
+ **Check:**
95
+ - [ ] Input sanitized?
96
+ - [ ] Output encoded?
97
+ - [ ] CSP prevents execution?
98
+
99
+ ### Command Injection
100
+ **Test Payloads:**
101
+ ```
102
+ ; ls
103
+ | cat /etc/passwd
104
+ && whoami
105
+ `id`
106
+ $(id)
107
+ ```
108
+
109
+ **Check:**
110
+ - [ ] OS command execution possible?
111
+ - [ ] Ping/traceroute vulnerable?
112
+
113
+ ### LDAP Injection
114
+ **Test:**
115
+ ```
116
+ *)(objectClass=*
117
+ admin)(&(password=*)
118
+ ```
119
+
120
+ ### XML Injection / XXE
121
+ **Test:**
122
+ ```xml
123
+ <?xml version="1.0"?>
124
+ <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
125
+ <foo>&xxe;</foo>
126
+ ```
127
+
128
+ ---
129
+
130
+ ## A04 - Insecure Design
131
+
132
+ ### Missing Rate Limiting
133
+ **Check:**
134
+ - [ ] Login brute forceable?
135
+ - [ ] Registration floodable?
136
+ - [ ] API unlimited requests?
137
+ - [ ] File upload unlimited?
138
+
139
+ ### Business Logic Flaws
140
+ **Check:**
141
+ - [ ] Price manipulation possible?
142
+ - [ ] Quantity manipulation possible?
143
+ - [ ] Coupon reuse possible?
144
+ - [ ] Workflow bypass possible?
145
+
146
+ ---
147
+
148
+ ## A05 - Security Misconfiguration
149
+
150
+ ### Default Credentials
151
+ **Check:**
152
+ - [ ] Admin/admin works?
153
+ - [ ] test/test works?
154
+ - [ ] vendor/vendor works?
155
+
156
+ ### Debug Mode
157
+ **Check:**
158
+ - [ ] Debug=true in production?
159
+ - [ ] Stack traces exposed?
160
+ - [ ] Verbose error messages?
161
+
162
+ ### Directory Listing
163
+ **Check:**
164
+ - [ ] Directory listing enabled?
165
+ - [ ] .git/.env exposed?
166
+
167
+ ### Unnecessary Features
168
+ **Check:**
169
+ - [ ] TRACE method enabled?
170
+ - [ ] OPTIONS method enabled?
171
+ - [ ] XML parsing enabled unnecessarily?
172
+
173
+ ---
174
+
175
+ ## A06 - Vulnerable Components
176
+
177
+ ### Outdated Software
178
+ **Check:**
179
+ - [ ] jQuery outdated?
180
+ - [ ] Bootstrap outdated?
181
+ - [ ] Framework version old?
182
+ - [ ] CMS plugins outdated?
183
+
184
+ ### Known CVEs
185
+ **Check:**
186
+ - [ ] Components with known exploits?
187
+ - [ ] Deprecated libraries?
188
+
189
+ ---
190
+
191
+ ## A07 - Identification & Authentication Failures
192
+
193
+ ### Weak Password Policy
194
+ **Check:**
195
+ - [ ] No minimum length?
196
+ - [ ] No complexity required?
197
+ - [ ] Common passwords allowed? (123456, password, admin)
198
+
199
+ ### Session Management
200
+ **Check:**
201
+ - [ ] Session ID in URL?
202
+ - [ ] Session fixation possible?
203
+ - [ ] Sessions timeout?
204
+ - [ ] Concurrent sessions allowed for sensitive accounts?
205
+ - [ ] Session cookies: HttpOnly? Secure? SameSite?
206
+
207
+ ### MFA
208
+ **Check:**
209
+ - [ ] MFA available?
210
+ - [ ] MFA enforced for admin?
211
+
212
+ ### Password Reset
213
+ **Check:**
214
+ - [ ] Token predictable?
215
+ - [ ] Token reusable?
216
+ - [ ] Email enumeration possible?
217
+
218
+ ---
219
+
220
+ ## A08 - Software & Data Integrity Failures
221
+
222
+ ### Insecure Deserialization
223
+ **Test:**
224
+ ```
225
+ O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"is_admin";b:1;}
226
+ ```
227
+
228
+ **Check:**
229
+ - [ ] Serialized objects accepted?
230
+ - [ ] Type checking done?
231
+
232
+ ### CI/CD Issues
233
+ **Check:**
234
+ - [ ] Dependencies verified?
235
+ - [ ] Code signed?
236
+ - [ ] Pipeline secure?
237
+
238
+ ---
239
+
240
+ ## A09 - Security Logging Failures
241
+
242
+ **Check:**
243
+ - [ ] Failed logins logged?
244
+ - [ ] Successful logins logged?
245
+ - [ ] Admin actions logged?
246
+ - [ ] Logs contain PII?
247
+ - [ ] Logs accessible?
248
+
249
+ ---
250
+
251
+ ## A10 - Server-Side Request Forgery (SSRF)
252
+
253
+ **Test Payloads:**
254
+ ```
255
+ http://localhost/admin
256
+ http://127.0.0.1:22
257
+ http://169.254.169.254/ (AWS metadata)
258
+ file:///etc/passwd
259
+ ```
260
+
261
+ **Check:**
262
+ - [ ] URL parameters fetch external resources?
263
+ - [ ] Image URL parameter vulnerable?
264
+ - [ ] Internal network accessible?
265
+
266
+ ---
267
+
268
+ ## Quick Scan Commands
269
+
270
+ ```bash
271
+ # Nuclei template scan
272
+ nuclei -u https://target.com -t cves/ -severity critical,high
273
+
274
+ # SQLMap basic
275
+ sqlmap -u "https://target.com/search?q=1" --batch
276
+
277
+ # Directory enumeration
278
+ gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
279
+
280
+ # Parameter discovery
281
+ arjun -u https://target.com/api/
282
+
283
+ # XSS with dalfox
284
+ dalfox url https://target.com/search?q=test
285
+
286
+ # CMS scanner
287
+ wpscan --url https://target.com --enumerate vp
288
+
289
+ # Check for exposed .git
290
+ curl https://target.com/.git/config
291
+ ```
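Review bot: the checkbox polarity in this file is inconsistent, so a ticked box means "pass" for some items and "vulnerable" for others (A02 mixes `- [ ] HTTPS enforced everywhere?` with `- [ ] Secrets in source code?`; A03 puts `Login form injectable?` beside `Output encoded?`); rephrase every item so that a checked box means the control is in place, or add a one-line legend under the title. Smaller points in the same hunk: `Missing rate limiting on sensitive endpoints?` under A01 duplicates the A04 "Missing Rate Limiting" subsection; under A05 "Unnecessary Features", `OPTIONS method enabled?` is not a finding on its own (CORS preflight depends on it), unlike TRACE, so either drop it or reword it to ask whether the OPTIONS response discloses methods the application does not need; the three IDOR test lines render their arrow as the mojibake `โ†’`, so plain `->` would keep the file encoding-safe; and `wpscan --url https://target.com --enumerate vp` only reports vulnerable plugins when an `--api-token` is supplied, otherwise it merely lists plugins, which the `# CMS scanner` comment should say.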
@@ -0,0 +1,323 @@
1
+ # Open Port & Network Scanning Checklist
2
+
3
+ ## ๐Ÿ” Port Scanning Overview
4
+
5
+ ### Common Ports to Check
6
+
7
+ | Category | Ports | Service |
8
+ |----------|-------|---------|
9
+ | **Web** | 80, 443, 8080, 8443 | HTTP/HTTPS |
10
+ | **Database** | 3306, 5432, 27017, 1433, 6379 | MySQL, PostgreSQL, MongoDB, MSSQL, Redis |
11
+ | **Remote Access** | 22, 23, 3389, 5900 | SSH, Telnet, RDP, VNC |
12
+ | **Email** | 25, 110, 143, 465, 587, 993, 995 | SMTP, POP3, IMAP |
13
+ | **Directory** | 389, 636, 3268 | LDAP, LDAPS |
14
+ | **File** | 21, 69, 2049 | FTP, TFTP, NFS |
15
+ | **DevOps** | 2375, 2376, 4243 | Docker, Kubernetes |
16
+ | **Monitoring** | 9200, 5601 | Elasticsearch, Kibana |
17
+ | **Other** | 111, 512, 513, 514, 515 | RPC, rexec, rlogin, syslog |
18
+
19
+ ---
20
+
21
+ ## ๐ŸŽฏ Quick Port Scan Commands
22
+
23
+ ### Nmap (Recommended)
24
+ ```bash
25
+ # Basic scan
26
+ nmap -sV target.com
27
+
28
+ # Full port scan
29
+ nmap -p- -sV -sC -O target.com
30
+
31
+ # Top 100 ports
32
+ nmap --top-ports 100 target.com
33
+
34
+ # UDP scan (slow)
35
+ nmap -sU target.com
36
+
37
+ # Aggressive scan with scripts
38
+ nmap -A -p- target.com
39
+
40
+ # Stealth SYN scan (needs root)
41
+ nmap -sS target.com
42
+
43
+ # Quick scan
44
+ nmap -F target.com
45
+ ```
46
+
47
+ ### Alternative Tools
48
+ ```bash
49
+ # masscan (fast)
50
+ masscan -p1-65535 target.com --rate=1000
51
+
52
+ # rustscan (modern, fast)
53
+ rustscan -a target.com
54
+
55
+ # nc (basic check)
56
+ nc -zv target.com 1-1000
57
+
58
+ # PowerShell
59
+ 1..1024 | % {
60
+ $tcp = New-Object System.Net.Sockets.TcpClient
61
+ $tcp.BeginConnect("target.com", $_, $null, $null)
62
+ if ($tcp.AsyncWaitHandle.WaitOne(200)) {
63
+ Write-Host "Port $_ is OPEN"
64
+ }
65
+ $tcp.Close()
66
+ }
67
+ ```
68
+
69
+ ---
70
+
71
+ ## ๐Ÿ”ด High Risk Open Ports
72
+
73
+ ### โŒ Never Expose Public
74
+
75
+ | Port | Service | Risk | Should Be |
76
+ |------|---------|------|-----------|
77
+ | 22 | SSH | Brute force | localhost only or key-only |
78
+ | 3306 | MySQL | SQL injection + remote | 127.0.0.1 only |
79
+ | 5432 | PostgreSQL | Data breach | localhost only |
80
+ | 27017 | MongoDB | Data breach | localhost only |
81
+ | 6379 | Redis | No auth common | bind to localhost |
82
+ | 11211 | Memcached | DDoS amplification | localhost only |
83
+ | 9200 | Elasticsearch | Data exposure | behind auth/firewall |
84
+ | 2375 | Docker | Container escape | NEVER expose |
85
+ | 8080 | HTTP Proxy | Open proxy | internal only |
86
+ | 3128 | Squid | Open proxy | internal only |
87
+ | 1080 | SOCKS | Proxy abuse | internal only |
88
+
89
+ ---
90
+
91
+ ## โš ๏ธ Service-Specific Checks
92
+
93
+ ### SSH (Port 22)
94
+ **Check:**
95
+ - [ ] Password authentication disabled?
96
+ - [ ] Root login disabled?
97
+ - [ ] Strong key only (RSA 4096+ / Ed25519)?
98
+ - [ ] Failed login rate limited?
99
+ - [ ] SSH keys rotated regularly?
100
+ - [ ] Banner shows version? (hide it!)
101
+ - [ ] Max auth tries limited?
102
+
103
+ **Test:**
104
+ ```bash
105
+ # Check SSH version/info leak
106
+ ssh -v target.com
107
+
108
+ # Check supported algorithms
109
+ ssh -vvv target.com
110
+
111
+ # Test weak ciphers
112
+ ssh -c 3des-cbc target.com
113
+
114
+ # Check for banner
115
+ nc target.com 22
116
+ ```
117
+
118
+ ---
119
+
120
+ ### Database Ports
121
+
122
+ #### MySQL (3306)
123
+ **Check:**
124
+ - [ ] Bind address = 127.0.0.1?
125
+ - [ ] Root access from remote?
126
+ - [ ] Empty/default password?
127
+ - [ ] SSL required for remote?
128
+ - [ ] Users limited to specific IPs?
129
+
130
+ **Test:**
131
+ ```bash
132
+ # Try connection
133
+ mysql -h target.com -u root -p
134
+
135
+ # Nmap scripts
136
+ nmap --script=mysql-info target.com -p 3306
137
+ nmap --script=mysql-empty-password target.com -p 3306
138
+ nmap --script=mysql-brute target.com -p 3306
139
+ ```
140
+
141
+ #### PostgreSQL (5432)
142
+ **Check:**
143
+ - [ ] pg_hba.conf restricts access?
144
+ - [ ] SSL enforced?
145
+ - [ ] Password complexity enforced?
146
+
147
+ **Test:**
148
+ ```bash
149
+ # Try connection
150
+ psql -h target.com -U postgres
151
+
152
+ # Nmap scripts
153
+ nmap --script=pgsql-brute target.com -p 5432
154
+ ```
155
+
156
+ #### MongoDB (27017)
157
+ **Check:**
158
+ - [ ] No authentication enabled?
159
+ - [ ] Restriction to localhost?
160
+ - [ ] SSL/TLS enabled?
161
+
162
+ **Test:**
163
+ ```bash
164
+ # No auth check
165
+ nmap --script=mongodb-info target.com -p 27017
166
+
167
+ # Try connection
168
+ mongosh mongodb://target.com:27017
169
+ ```
170
+
171
+ #### Redis (6379)
172
+ **Check:**
173
+ - [ ] Password set (AUTH)?
174
+ - [ ] Bind to localhost?
175
+ - [ ] Protected mode enabled?
176
+
177
+ **Test:**
178
+ ```bash
179
+ # No auth test
180
+ redis-cli -h target.com
181
+
182
+ # Try commands
183
+ redis-cli -h target.com INFO
184
+ redis-cli -h target.com KEYS *
185
+ redis-cli -h target.com CONFIG GET *
186
+ ```
187
+
188
+ ---
189
+
190
+ ### HTTP/HTTPS Ports (80, 443, 8080, 8443)
191
+
192
+ **Check:**
193
+ - [ ] HTTP redirects to HTTPS?
194
+ - [ ] TLS version (no SSLv3, TLS 1.0/1.1)?
195
+ - [ ] Weak ciphers disabled?
196
+ - [ ] Certificate valid and not expired?
197
+ - [ ] Self-signed cert?
198
+ - [ ] HSTS enabled?
199
+ - [ ] Directory listing disabled?
200
+
201
+ **Test:**
202
+ ```bash
203
+ # SSL/TLS check
204
+ nmap --script=ssl-enum-ciphers target.com -p 443
205
+ testssl.sh target.com
206
+
207
+ # Check certificate
208
+ openssl s_client -connect target.com:443 -showcerts
209
+
210
+ # Check for HTTP methods
211
+ curl -v -X OPTIONS http://target.com/
212
+
213
+ # Check TRACE method (XST attack)
214
+ curl -v -X TRACE http://target.com/
215
+
216
+ # Directory enumeration
217
+ gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
218
+ ffuf -w wordlist.txt -u http://target.com/FUZZ
219
+ ```
220
+
221
+ ---
222
+
223
+ ### Email Ports
224
+
225
+ | Port | Service | Security Checks |
226
+ |------|---------|----------------|
227
+ | 25 | SMTP | Open relay? |
228
+ | 465 | SMTPS | SSL/TLS? |
229
+ | 587 | SMTP | STARTTLS? |
230
+ | 110 | POP3 | SSL? |
231
+ | 143 | IMAP | SSL? |
232
+ | 993 | IMAPS | SSL? |
233
+ | 995 | POP3S | SSL? |
234
+
235
+ **Test:**
236
+ ```bash
237
+ # SMTP open relay check
238
+ telnet target.com 25
239
+ HELO test.com
240
+ MAIL FROM:<test@test.com>
241
+ RCPT TO:<victim@target.com>
242
+ DATA
243
+ test
244
+ .
245
+
246
+ # Test STARTTLS
247
+ openssl s_client -starttls smtp -connect target.com:587
248
+
249
+ # Check for weak ciphers
250
+ nmap --script=smtp-enum-users,smtp-brute target.com -p 25,465,587
251
+ ```
252
+
253
+ ---
254
+
255
+ ## ๐Ÿ› ๏ธ Automation Scripts
256
+
257
+ ### Quick Port Discovery (Bash)
258
+ ```bash
259
+ #!/bin/bash
260
+ TARGET=$1
261
+ echo "Port Scan for: $TARGET"
262
+ echo "======================"
263
+
264
+ # Common high-risk ports
265
+ RISKY_PORTS="21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080,8443"
266
+
267
+ echo "Checking risky ports..."
268
+ nmap -p$RISKY_PORTS -T4 -F $TARGET
269
+
270
+ echo ""
271
+ echo "Checking all ports (verbose)..."
272
+ nmap -p- -T4 -v $TARGET -oN scan_results.txt
273
+
274
+ echo ""
275
+ echo "Running default scripts..."
276
+ nmap -sC -sV -p21,22,80,443,3306,5432,6379,8080 $TARGET
277
+ ```
278
+
279
+ ### PowerShell Quick Scan
280
+ ```powershell
281
+ $ports = @(21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080,8443)
282
+ $target = "target.com"
283
+
284
+ $ports | ForEach-Object -Parallel {
285
+ $port = $_
286
+ try {
287
+ $tcp = New-Object System.Net.Sockets.TcpClient
288
+ $result = $tcp.BeginConnect($using:target, $port, $null, $null)
289
+ $wait = $result.AsyncWaitHandle.WaitOne(300)
290
+ if ($wait -and $tcp.Connected) {
291
+ Write-Host "OPEN: $port" -ForegroundColor Green
292
+ }
293
+ $tcp.Close()
294
+ } catch {}
295
+ }
296
+ ```
297
+
298
+ ---
299
+
300
+ ## ๐Ÿ“Š Port Security Score
301
+
302
+ | Points | Status |
303
+ |--------|--------|
304
+ | 100-90 | Excellent - No risky ports exposed |
305
+ | 89-70 | Good - Few ports, properly secured |
306
+ | 69-50 | Fair - Some risky ports need review |
307
+ | 49-30 | Poor - Multiple risky ports open |
308
+ | 29-0 | Critical - Major security exposure |
309
+
310
+ ---
311
+
312
+ ## ๐Ÿ”ง Hardening Checklist
313
+
314
+ - [ ] Default ports changed (SSH 22โ†’custom)
315
+ - [ ] Firewall restricts access to necessary ports
316
+ - [ ] Only essential ports exposed to internet
317
+ - [ ] Internal services behind VPN/firewall
318
+ - [ ] Port scanning detected & logged
319
+ - [ ] Fail2ban/denyhosts active
320
+ - [ ] Rate limiting on all services
321
+ - [ ] Unused services disabled
322
+ - [ ] All services updated/patched
323
+ - [ ] Strong authentication everywhere
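Review bot: the PowerShell loop under "Alternative Tools" cannot work as written: `$tcp.BeginConnect("target.com", $_, $null, $null)` discards its return value and the next line calls `$tcp.AsyncWaitHandle.WaitOne(200)`, but `AsyncWaitHandle` belongs to the `IAsyncResult` that `BeginConnect` returns, not to the `TcpClient`. The later "PowerShell Quick Scan" block does it correctly (`$result = $tcp.BeginConnect(...)` then `$result.AsyncWaitHandle.WaitOne(300)`), so mirror that here, and note beside the second block that `ForEach-Object -Parallel` needs PowerShell 7 or later.

Further points in this hunk: in "Quick Port Discovery (Bash)", `nmap -p$RISKY_PORTS -T4 -F $TARGET` combines `-F` with an explicit `-p` list, which nmap treats as conflicting options, so drop `-F`; the script also never checks that `$1` was supplied and leaves `$TARGET` unquoted. In the "Common Ports" table, `2375, 2376, 4243` are all Docker daemon ports and none belongs to Kubernetes (its API server and kubelet listen on 6443 and 10250), so the service column should read "Docker". In the Redis test, `KEYS *` and `CONFIG GET *` hand an unquoted `*` to the shell, which expands it against the current directory before redis-cli sees it; write `'*'`. In the Email test, the comment `# Check for weak ciphers` sits above `nmap --script=smtp-enum-users,smtp-brute`, which enumerate users and brute-force logins rather than inspect ciphers (`ssl-enum-ciphers` does that), and the interactive `telnet` transcript (`HELO`, `MAIL FROM`, `DATA`, `.`) is inside a bash fence, where those SMTP lines would run as shell commands if the block were pasted. Finally, the "Port Security Score" table defines bands but nothing in the file says how points are awarded, and the emoji section headings render as mojibake (`๐Ÿ”`), which suggests the file was written or displayed in the wrong encoding.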