@soulofzephir/pi-skill-pentesting 1.0.1 โ 1.0.3
- package/package.json +1 -1
- package/skills/pentesting/SKILL.md +124 -93
- package/skills/pentesting/checklists/api-security.md +210 -0
- package/skills/pentesting/checklists/cloud-metadata.md +290 -0
- package/skills/pentesting/checklists/sensitive-data.md +323 -0
- package/skills/pentesting/checklists/subdomain.md +243 -0
- package/skills/pentesting/checklists/websocket.md +197 -0
- package/skills/pentesting/tools/test-skill.ps1 +291 -0
- package/skills/pentesting/tools/test-skill.sh +345 -0
- package/soulofzephir-pi-skill-pentesting-1.0.2.tgz +0 -0
|
@@ -0,0 +1,243 @@
|
|
|
1
|
+
# Subdomain Discovery & Enumeration
|
|
2
|
+
|
|
3
|
+
## ๐ What is Subdomain Enumeration?
|
|
4
|
+
|
|
5
|
+
Finding subdomains of a target domain for expanding attack surface.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## โ ๏ธ Why Subdomains Matter
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
Target: example.com
|
|
13
|
+
โโโ www.example.com (usually secured)
|
|
14
|
+
โโโ api.example.com (API attacks)
|
|
15
|
+
โโโ dev.example.com (dev environment - often vulnerable!)
|
|
16
|
+
โโโ staging.example.com (staging - often less secure)
|
|
17
|
+
โโโ admin.example.com (admin panel)
|
|
18
|
+
โโโ git.example.com (git repository)
|
|
19
|
+
โโโ *.example.com (thousands of possibilities)
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## ๐งช Subdomain Discovery Methods
|
|
25
|
+
|
|
26
|
+
### 1. Passive Reconnaissance (No direct contact)
|
|
27
|
+
|
|
28
|
+
#### Certificate Transparency Logs
|
|
29
|
+
```bash
|
|
30
|
+
# crt.sh
|
|
31
|
+
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' 2>/dev/null
|
|
32
|
+
|
|
33
|
+
# Alternative
|
|
34
|
+
curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[].sub_domain'
|
|
35
|
+
|
|
36
|
+
# certspotter
|
|
37
|
+
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true" | jq -r '.[].dns_names[]'
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
#### DNS Aggregators
|
|
41
|
+
```bash
|
|
42
|
+
# SecurityTrails
|
|
43
|
+
curl -s "https://securitytrails.com/api/v1/domain/example.com/subdomains" \
|
|
44
|
+
-H "API-KEY: YOUR_KEY"
|
|
45
|
+
|
|
46
|
+
# VirusTotal
|
|
47
|
+
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_KEY&domain=target.com"
|
|
48
|
+
|
|
49
|
+
# Shodan
|
|
50
|
+
shodan domain target.com
|
|
51
|
+
|
|
52
|
+
# DNSdumpster
|
|
53
|
+
curl -s "https://dnsdumpster.com/static/map/target.com.png" -o target-map.png
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
#### Search Engine Dorking
|
|
57
|
+
```
|
|
58
|
+
site:*.target.com
|
|
59
|
+
site:target.com -www
|
|
60
|
+
inurl:target.com
|
|
61
|
+
intitle:"target" -www
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
---
|
|
65
|
+
|
|
66
|
+
### 2. Active Enumeration
|
|
67
|
+
|
|
68
|
+
#### DNS Brute Force
|
|
69
|
+
```bash
|
|
70
|
+
# amass (fast)
|
|
71
|
+
amass enum -passive -d target.com -o subdomains.txt
|
|
72
|
+
amass enum -active -d target.com -brute -o subdomains.txt
|
|
73
|
+
|
|
74
|
+
# subfinder (fast, passive)
|
|
75
|
+
subfinder -d target.com -o subdomains.txt
|
|
76
|
+
|
|
77
|
+
# sublist3r
|
|
78
|
+
python sublist3r.py -d target.com -o subdomains.txt
|
|
79
|
+
|
|
80
|
+
# massdns (fast DNS resolver)
|
|
81
|
+
massdns -r resolvers.txt -t AAAA domains.txt -o A results.txt
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
#### Wordlists
|
|
85
|
+
```
|
|
86
|
+
# Common subdomains wordlist
|
|
87
|
+
bitquark-subdomains-top100000.txt
|
|
88
|
+
subdomains-top1million-5000.txt
|
|
89
|
+
jhadriel-top1000.txt
|
|
90
|
+
```
|
|
91
|
+
|
|
92
|
+
#### DNS Zone Transfer
|
|
93
|
+
```bash
|
|
94
|
+
# Try zone transfer
|
|
95
|
+
dig axfr @ns1.target.com target.com
|
|
96
|
+
|
|
97
|
+
# dnsenum
|
|
98
|
+
dnsenum target.com
|
|
99
|
+
|
|
100
|
+
# fierce
|
|
101
|
+
fierce -dns target.com
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
### 3. OSINT Sources
|
|
107
|
+
|
|
108
|
+
```bash
|
|
109
|
+
# GitHub Search
|
|
110
|
+
site:github.com "target.com"
|
|
111
|
+
|
|
112
|
+
# Wayback Machine
|
|
113
|
+
curl -s "https://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text" | sort -u
|
|
114
|
+
|
|
115
|
+
# DNS dumpster
|
|
116
|
+
curl -s "https://dnsdumpster.com/static/map/target.com.png"
|
|
117
|
+
|
|
118
|
+
# Bufferover
|
|
119
|
+
curl -s "https://dns.bufferover.run/dns?q=.target.com"
|
|
120
|
+
|
|
121
|
+
# ThreatCrowd
|
|
122
|
+
curl -s "https://threatcrowd.org/api/v2/domain/report/?domain=target.com"
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
---
|
|
126
|
+
|
|
127
|
+
## ๐งช Testing Checklist
|
|
128
|
+
|
|
129
|
+
### Passive Recon
|
|
130
|
+
- [ ] Certificate Transparency logs
|
|
131
|
+
- [ ] DNS aggregators (SecurityTrails, VirusTotal)
|
|
132
|
+
- [ ] Search engine dorking
|
|
133
|
+
- [ ] Wayback Machine
|
|
134
|
+
- [ ] ASN enumeration
|
|
135
|
+
|
|
136
|
+
### Active Enum
|
|
137
|
+
- [ ] DNS brute force with wordlist
|
|
138
|
+
- [ ] DNS zone transfer attempt
|
|
139
|
+
- [ ] Virtual host enumeration
|
|
140
|
+
- [ ] DNS wildcard detection
|
|
141
|
+
|
|
142
|
+
### Analysis
|
|
143
|
+
- [ ] Filter unique subdomains
|
|
144
|
+
- [ ] Check for takeover opportunities
|
|
145
|
+
- [ ] Check for forgotten subdomains
|
|
146
|
+
- [ ] Check for staging/dev environments
|
|
147
|
+
- [ ] Check for cloud services
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
## ๐ง Subdomain Takeover Checklist
|
|
152
|
+
|
|
153
|
+
### Vulnerable Providers
|
|
154
|
+
```
|
|
155
|
+
โ
Amazon AWS (S3, CloudFront, Elastic Beanstalk)
|
|
156
|
+
โ
GitHub Pages
|
|
157
|
+
โ
Heroku
|
|
158
|
+
โ
Fastly
|
|
159
|
+
โ
Azure
|
|
160
|
+
โ
Cloudflare
|
|
161
|
+
โ
Shopify
|
|
162
|
+
โ
Tumblr
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
### Indicators
|
|
166
|
+
```
|
|
167
|
+
- DNS points to service that no longer exists
|
|
168
|
+
- CNAME points to expired/deactivated service
|
|
169
|
+
- HTTP 404/403 on subdomain
|
|
170
|
+
- "No Such Bucket" / "404 Not Found" errors
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### Check Commands
|
|
174
|
+
```bash
|
|
175
|
+
# Check CNAME
|
|
176
|
+
dig CNAME dev.target.com
|
|
177
|
+
|
|
178
|
+
# Check for takeover
|
|
179
|
+
nslookup่ๆ subdomain.target.com
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
---
|
|
183
|
+
|
|
184
|
+
## ๐ ๏ธ Tools Summary
|
|
185
|
+
|
|
186
|
+
| Tool | Type | Speed | Accuracy |
|
|
187
|
+
|------|------|-------|----------|
|
|
188
|
+
| amass | Passive/Active | Fast | High |
|
|
189
|
+
| subfinder | Passive | Very Fast | Medium |
|
|
190
|
+
| sublist3r | Passive | Medium | Medium |
|
|
191
|
+
| massdns | Active | Very Fast | High |
|
|
192
|
+
| shuffledns | Active | Very Fast | High |
|
|
193
|
+
| assetfinder | Passive | Fast | Medium |
|
|
194
|
+
|
|
195
|
+
### Recommended Workflow
|
|
196
|
+
```bash
|
|
197
|
+
# 1. Passive enum (fast)
|
|
198
|
+
subfinder -d target.com -o passive.txt
|
|
199
|
+
|
|
200
|
+
# 2. Passive via crt.sh
|
|
201
|
+
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' > crt.txt
|
|
202
|
+
|
|
203
|
+
# 3. Active brute force (slow but thorough)
|
|
204
|
+
amass enum -active -d target.com -brute -o active.txt
|
|
205
|
+
|
|
206
|
+
# 4. Combine and deduplicate
|
|
207
|
+
cat passive.txt crt.txt active.txt | sort -u > all_subdomains.txt
|
|
208
|
+
|
|
209
|
+
# 5. Check which are alive
|
|
210
|
+
cat all_subdomains.txt | httprobe -c 50 > alive.txt
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
---
|
|
214
|
+
|
|
215
|
+
## ๐ Subdomain Discovery Checklist
|
|
216
|
+
|
|
217
|
+
| Method | Status | Notes |
|
|
218
|
+
|--------|--------|-------|
|
|
219
|
+
| crt.sh | โ | Certificate Transparency |
|
|
220
|
+
| SecurityTrails | โ | Requires API key |
|
|
221
|
+
| Subfinder | โ | Fast passive |
|
|
222
|
+
| Amass | โ | Comprehensive |
|
|
223
|
+
| Zone Transfer | โ | DNS zone transfer |
|
|
224
|
+
| Brute Force | โ | With wordlist |
|
|
225
|
+
| Wayback | โ | Historical subs |
|
|
226
|
+
| Takeover Check | โ | Cloud services |
|
|
227
|
+
|
|
228
|
+
---
|
|
229
|
+
|
|
230
|
+
## ๐จ Common High-Risk Subdomains
|
|
231
|
+
|
|
232
|
+
| Subdomain | Risk | Reason |
|
|
233
|
+
|-----------|------|--------|
|
|
234
|
+
| dev/* | ๐ด CRITICAL | Often unpatched, debug enabled |
|
|
235
|
+
| staging/* | ๐ HIGH | Less tested, similar to prod |
|
|
236
|
+
| test/* | ๐ HIGH | May have test credentials |
|
|
237
|
+
| git/* | ๐ด CRITICAL | Source code exposure |
|
|
238
|
+
| vpn/* | ๐ด CRITICAL | Gateway to internal |
|
|
239
|
+
| admin/* | ๐ด CRITICAL | Admin panels |
|
|
240
|
+
| api/* | ๐ HIGH | API attack surface |
|
|
241
|
+
| old/* | ๐ HIGH | Often forgotten, unmaintained |
|
|
242
|
+
| cdn/* | ๐ก MEDIUM | Can be used for phishing |
|
|
243
|
+
| mail/* | ๐ก MEDIUM | Email security |
|
|
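Review bot: several commands in this subdomain.md hunk are broken as written and should be fixed before the checklist is published. The massdns line (`massdns -r resolvers.txt -t AAAA domains.txt -o A results.txt`) queries AAAA records for what is meant to be an A-record brute force and hands `results.txt` to massdns as a second positional input rather than as an output file; the output flag is `-w`, so the intended form is `massdns -r resolvers.txt -t A -o S -w results.txt domains.txt`. The crt.sh "Alternative" uses `jq -r '.[].sub_domain'`, but the crt.sh JSON has no such field; use `.[].name_value` as in the first variant, and pipe through `sort -u` because that field carries newline-separated SANs. The takeover check `nslookup่ๆ subdomain.target.com` has mojibake glued onto the command name and will not run; it should read `nslookup subdomain.target.com`. The two "DNSdumpster" entries (under DNS Aggregators and again under OSINT Sources) download a PNG map rather than returning any subdomains, and `site:github.com "target.com"` sits inside a ```bash block although it is a search query, not a shell command. The Active Enum checklist asks for DNS wildcard detection but no command shows how; a lookup of a random label such as `dig +short randomlabel12345.example.com` before brute forcing would keep wildcard answers from polluting the results. Finally, `target.com` is a registered domain belonging to a real company, so the examples should use an RFC 2606 reserved name such as `example.com` (which the "Why Subdomains Matter" block already uses) to avoid the checklist being copy-pasted against a third party.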
@@ -0,0 +1,197 @@
|
|
|
1
|
+
# WebSocket Security Checklist
|
|
2
|
+
|
|
3
|
+
## ๐ What is WebSocket?
|
|
4
|
+
|
|
5
|
+
Full-duplex communication over a single TCP connection. Common in:
|
|
6
|
+
- Real-time chat applications
|
|
7
|
+
- Live dashboards
|
|
8
|
+
- Gaming
|
|
9
|
+
- Collaborative tools
|
|
10
|
+
- Streaming data
|
|
11
|
+
|
|
12
|
+
```
|
|
13
|
+
ws://target.com/socket
|
|
14
|
+
wss://target.com/socket (secure)
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## โ ๏ธ WebSocket Vulnerabilities
|
|
20
|
+
|
|
21
|
+
### 1. Lack of Origin Validation
|
|
22
|
+
```
|
|
23
|
+
Attacker can connect from malicious site
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### 2. Cross-Site WebSocket Hijacking (CSWSH)
|
|
27
|
+
```
|
|
28
|
+
Attacker tricks user into connecting to attacker's WebSocket
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
### 3. Lack of Authentication After Upgrade
|
|
32
|
+
```
|
|
33
|
+
WebSocket accepts connection before auth
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
### 4. Sensitive Data in Messages
|
|
37
|
+
```
|
|
38
|
+
PII, tokens transmitted without encryption
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### 5. DoS via WebSocket
|
|
42
|
+
```
|
|
43
|
+
Unlimited message sending
|
|
44
|
+
Connection pool exhaustion
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
---
|
|
48
|
+
|
|
49
|
+
## ๐งช Testing Checklist
|
|
50
|
+
|
|
51
|
+
### Phase 1: Discovery
|
|
52
|
+
- [ ] WebSocket endpoint identified (ws:// or wss://)
|
|
53
|
+
- [ ] WebSocket URL discovered
|
|
54
|
+
- [ ] JavaScript analyzed for WebSocket usage
|
|
55
|
+
- [ ] WSS (secure WebSocket) used?
|
|
56
|
+
|
|
57
|
+
### Phase 2: Connection Testing
|
|
58
|
+
- [ ] Connection without authentication?
|
|
59
|
+
- [ ] Origin header validation?
|
|
60
|
+
- [ ] Cross-origin connection possible?
|
|
61
|
+
- [ ] Connection persists after logout?
|
|
62
|
+
|
|
63
|
+
### Phase 3: Authentication
|
|
64
|
+
- [ ] Token in URL? (security risk!)
|
|
65
|
+
- [ ] Token in message header?
|
|
66
|
+
- [ ] Token in cookie?
|
|
67
|
+
- [ ] Token expiration checked?
|
|
68
|
+
- [ ] Token reuse possible?
|
|
69
|
+
|
|
70
|
+
### Phase 4: Authorization
|
|
71
|
+
- [ ] Can access other users' data?
|
|
72
|
+
- [ ] IDOR in WebSocket messages?
|
|
73
|
+
- [ ] Privilege escalation possible?
|
|
74
|
+
|
|
75
|
+
### Phase 5: Input Validation
|
|
76
|
+
- [ ] XSS via WebSocket messages
|
|
77
|
+
- [ ] SQL/NoSQL Injection in messages
|
|
78
|
+
- [ ] Command Injection in messages
|
|
79
|
+
- [ ] Message size limits enforced?
|
|
80
|
+
|
|
81
|
+
### Phase 6: DoS Testing
|
|
82
|
+
- [ ] Connection limit exists?
|
|
83
|
+
- [ ] Message rate limiting?
|
|
84
|
+
- [ ] Ping/pong heartbeats?
|
|
85
|
+
- [ ] Auto-reconnect abuse possible?
|
|
86
|
+
|
|
87
|
+
### Phase 7: Data Exposure
|
|
88
|
+
- [ ] Sensitive data in messages?
|
|
89
|
+
- [ ] PII exposure?
|
|
90
|
+
- [ ] Stack traces in errors?
|
|
91
|
+
- [ ] Debug messages?
|
|
92
|
+
|
|
93
|
+
---
|
|
94
|
+
|
|
95
|
+
## ๐ง Testing Tools & Commands
|
|
96
|
+
|
|
97
|
+
### Browser DevTools
|
|
98
|
+
```javascript
|
|
99
|
+
// Open DevTools > Network > WS tab
|
|
100
|
+
// Look for "ws://" or "wss://" connections
|
|
101
|
+
|
|
102
|
+
// In Console
|
|
103
|
+
WebSocket = WebSocket
|
|
104
|
+
// Override to log all messages
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
### Manual Testing with wscat
|
|
108
|
+
```bash
|
|
109
|
+
# Install
|
|
110
|
+
npm install -g wscat
|
|
111
|
+
|
|
112
|
+
# Connect
|
|
113
|
+
wscat -c ws://target.com/socket
|
|
114
|
+
|
|
115
|
+
# Connect with headers
|
|
116
|
+
wscat -c ws://target.com/socket -H "Authorization: Bearer TOKEN"
|
|
117
|
+
|
|
118
|
+
# Connect with origin
|
|
119
|
+
wscat -c ws://target.com/socket -o https://evil.com
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### Python websocket-client
|
|
123
|
+
```python
|
|
124
|
+
import websocket
|
|
125
|
+
|
|
126
|
+
ws = websocket.WebSocket()
|
|
127
|
+
ws.connect("wss://target.com/socket",
|
|
128
|
+
header={"Authorization": "Bearer TOKEN"})
|
|
129
|
+
|
|
130
|
+
# Send message
|
|
131
|
+
ws.send('{"type": "message", "text": "Hello"}')
|
|
132
|
+
|
|
133
|
+
# Receive
|
|
134
|
+
result = ws.recv()
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
### Burp Suite
|
|
138
|
+
1. Proxy > WebSockets tab
|
|
139
|
+
2. Enable interception
|
|
140
|
+
3. Manipulate messages in transit
|
|
141
|
+
|
|
142
|
+
---
|
|
143
|
+
|
|
144
|
+
## ๐ง Common WebSocket Payloads
|
|
145
|
+
|
|
146
|
+
### XSS via WebSocket
|
|
147
|
+
```json
|
|
148
|
+
{"message": "<script>alert(1)</script>"}
|
|
149
|
+
{"type": "chat", "content": "<img src=x onerror=alert(1)>"}
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
### SQL Injection
|
|
153
|
+
```json
|
|
154
|
+
{"user_id": "1 OR 1=1"}
|
|
155
|
+
{"id": "1; DROP TABLE users--"}
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
### NoSQL Injection
|
|
159
|
+
```json
|
|
160
|
+
{"username": {"$ne": ""}}
|
|
161
|
+
{"id": {"$gt": 0}}
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
### Large Message (DoS)
|
|
165
|
+
```json
|
|
166
|
+
{"message": "A" * 100000}
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
## ๐ WebSocket Security Score
|
|
172
|
+
|
|
173
|
+
| Check | Points |
|
|
174
|
+
|-------|--------|
|
|
175
|
+
| WSS (secure) used | 15 |
|
|
176
|
+
| Origin validation | 20 |
|
|
177
|
+
| Authentication required | 20 |
|
|
178
|
+
| Authorization enforced | 20 |
|
|
179
|
+
| Input validation | 15 |
|
|
180
|
+
| Rate limiting | 10 |
|
|
181
|
+
|
|
182
|
+
**Total: /100**
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## ๐ก๏ธ Secure WebSocket Checklist
|
|
187
|
+
|
|
188
|
+
- [ ] Use `wss://` not `ws://`
|
|
189
|
+
- [ ] Validate `Origin` header
|
|
190
|
+
- [ ] Authenticate during WebSocket handshake
|
|
191
|
+
- [ ] Use secure tokens (not in URL)
|
|
192
|
+
- [ ] Implement rate limiting
|
|
193
|
+
- [ ] Validate all input
|
|
194
|
+
- [ ] Set message size limits
|
|
195
|
+
- [ ] Implement heartbeat/ping-pong
|
|
196
|
+
- [ ] Close connections on logout
|
|
197
|
+
- [ ] Log WebSocket activity
|
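Review bot: the CSWSH description in this websocket.md hunk has the direction of the attack reversed. Cross-Site WebSocket Hijacking is the attacker's page opening a WebSocket to the target server so that the browser attaches the victim's cookies to the handshake; it is the consequence of the missing Origin validation described in item 1, not the user being "tricked into connecting to attacker's WebSocket". Suggest rewording item 2 to "Attacker's page opens a WebSocket to the target using the victim's session cookies" and naming Origin validation plus a CSRF-style token in the handshake as the mitigation. The Browser DevTools snippet does nothing: `WebSocket = WebSocket` assigns the constructor to itself, and the comment "Override to log all messages" describes code that is not present; either drop the line or wrap `WebSocket.prototype.send` and add a `'message'` listener so that traffic is actually logged. The "Large Message (DoS)" block is tagged ```json but `"A" * 100000` is a Python expression, not valid JSON; label it as a pseudo-payload or show how it is generated. In Phase 3, "Token in message header?" is ambiguous because browser WebSocket clients cannot set custom handshake headers (only cookies, the URL, a subprotocol value or the first message are available), so the check should state which transport it means. As in the other files, `target.com` and `evil.com` are real registered domains and should be replaced with `example.com` and `attacker.example`.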