@soulofzephir/pi-skill-pentesting 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,243 @@
1
+ # Subdomain Discovery & Enumeration
2
+
3
+ ## ๐Ÿ” What is Subdomain Enumeration?
4
+
5
+ Finding subdomains of a target domain for expanding attack surface.
6
+
7
+ ---
8
+
9
+ ## โš ๏ธ Why Subdomains Matter
10
+
11
+ ```
12
+ Target: example.com
13
+ โ”œโ”€โ”€ www.example.com (usually secured)
14
+ โ”œโ”€โ”€ api.example.com (API attacks)
15
+ โ”œโ”€โ”€ dev.example.com (dev environment - often vulnerable!)
16
+ โ”œโ”€โ”€ staging.example.com (staging - often less secure)
17
+ โ”œโ”€โ”€ admin.example.com (admin panel)
18
+ โ”œโ”€โ”€ git.example.com (git repository)
19
+ โ”œโ”€โ”€ *.example.com (thousands of possibilities)
20
+ ```
21
+
22
+ ---
23
+
24
+ ## ๐Ÿงช Subdomain Discovery Methods
25
+
26
+ ### 1. Passive Reconnaissance (No direct contact)
27
+
28
+ #### Certificate Transparency Logs
29
+ ```bash
30
+ # crt.sh
31
+ curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' 2>/dev/null
32
+
33
+ # Alternative
34
+ curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[].sub_domain'
35
+
36
+ # certspotter
37
+ curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true" | jq -r '.[].dns_names[]'
38
+ ```
39
+
40
+ #### DNS Aggregators
41
+ ```bash
42
+ # SecurityTrails
43
+ curl -s "https://securitytrails.com/api/v1/domain/example.com/subdomains" \
44
+ -H "API-KEY: YOUR_KEY"
45
+
46
+ # VirusTotal
47
+ curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_KEY&domain=target.com"
48
+
49
+ # Shodan
50
+ shodan domain target.com
51
+
52
+ # DNSdumpster
53
+ curl -s "https://dnsdumpster.com/static/map/target.com.png" -o target-map.png
54
+ ```
55
+
56
+ #### Search Engine Dorking
57
+ ```
58
+ site:*.target.com
59
+ site:target.com -www
60
+ inurl:target.com
61
+ intitle:"target" -www
62
+ ```
63
+
64
+ ---
65
+
66
+ ### 2. Active Enumeration
67
+
68
+ #### DNS Brute Force
69
+ ```bash
70
+ # amass (fast)
71
+ amass enum -passive -d target.com -o subdomains.txt
72
+ amass enum -active -d target.com -brute -o subdomains.txt
73
+
74
+ # subfinder (fast, passive)
75
+ subfinder -d target.com -o subdomains.txt
76
+
77
+ # sublist3r
78
+ python sublist3r.py -d target.com -o subdomains.txt
79
+
80
+ # massdns (fast DNS resolver)
81
+ massdns -r resolvers.txt -t AAAA domains.txt -o A results.txt
82
+ ```
83
+
84
+ #### Wordlists
85
+ ```
86
+ # Common subdomains wordlist
87
+ bitquark-subdomains-top100000.txt
88
+ subdomains-top1million-5000.txt
89
+ jhadriel-top1000.txt
90
+ ```
91
+
92
+ #### DNS Zone Transfer
93
+ ```bash
94
+ # Try zone transfer
95
+ dig axfr @ns1.target.com target.com
96
+
97
+ # dnsenum
98
+ dnsenum target.com
99
+
100
+ # fierce
101
+ fierce -dns target.com
102
+ ```
103
+
104
+ ---
105
+
106
+ ### 3. OSINT Sources
107
+
108
+ ```bash
109
+ # GitHub Search
110
+ site:github.com "target.com"
111
+
112
+ # Wayback Machine
113
+ curl -s "https://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text" | sort -u
114
+
115
+ # DNS dumpster
116
+ curl -s "https://dnsdumpster.com/static/map/target.com.png"
117
+
118
+ # Bufferover
119
+ curl -s "https://dns.bufferover.run/dns?q=.target.com"
120
+
121
+ # ThreatCrowd
122
+ curl -s "https://threatcrowd.org/api/v2/domain/report/?domain=target.com"
123
+ ```
124
+
125
+ ---
126
+
127
+ ## ๐Ÿงช Testing Checklist
128
+
129
+ ### Passive Recon
130
+ - [ ] Certificate Transparency logs
131
+ - [ ] DNS aggregators (SecurityTrails, VirusTotal)
132
+ - [ ] Search engine dorking
133
+ - [ ] Wayback Machine
134
+ - [ ] ASN enumeration
135
+
136
+ ### Active Enum
137
+ - [ ] DNS brute force with wordlist
138
+ - [ ] DNS zone transfer attempt
139
+ - [ ] Virtual host enumeration
140
+ - [ ] DNS wildcard detection
141
+
142
+ ### Analysis
143
+ - [ ] Filter unique subdomains
144
+ - [ ] Check for takeover opportunities
145
+ - [ ] Check for forgotten subdomains
146
+ - [ ] Check for staging/dev environments
147
+ - [ ] Check for cloud services
148
+
149
+ ---
150
+
151
+ ## ๐Ÿ”ง Subdomain Takeover Checklist
152
+
153
+ ### Vulnerable Providers
154
+ ```
155
+ โœ… Amazon AWS (S3, CloudFront, Elastic Beanstalk)
156
+ โœ… GitHub Pages
157
+ โœ… Heroku
158
+ โœ… Fastly
159
+ โœ… Azure
160
+ โœ… Cloudflare
161
+ โœ… Shopify
162
+ โœ… Tumblr
163
+ ```
164
+
165
+ ### Indicators
166
+ ```
167
+ - DNS points to service that no longer exists
168
+ - CNAME points to expired/deactivated service
169
+ - HTTP 404/403 on subdomain
170
+ - "No Such Bucket" / "404 Not Found" errors
171
+ ```
172
+
173
+ ### Check Commands
174
+ ```bash
175
+ # Check CNAME
176
+ dig CNAME dev.target.com
177
+
178
+ # Check for takeover
179
+ nslookup่™šๆ—  subdomain.target.com
180
+ ```
181
+
182
+ ---
183
+
184
+ ## ๐Ÿ› ๏ธ Tools Summary
185
+
186
+ | Tool | Type | Speed | Accuracy |
187
+ |------|------|-------|----------|
188
+ | amass | Passive/Active | Fast | High |
189
+ | subfinder | Passive | Very Fast | Medium |
190
+ | sublist3r | Passive | Medium | Medium |
191
+ | massdns | Active | Very Fast | High |
192
+ | shuffledns | Active | Very Fast | High |
193
+ | assetfinder | Passive | Fast | Medium |
194
+
195
+ ### Recommended Workflow
196
+ ```bash
197
+ # 1. Passive enum (fast)
198
+ subfinder -d target.com -o passive.txt
199
+
200
+ # 2. Passive via crt.sh
201
+ curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' > crt.txt
202
+
203
+ # 3. Active brute force (slow but thorough)
204
+ amass enum -active -d target.com -brute -o active.txt
205
+
206
+ # 4. Combine and deduplicate
207
+ cat passive.txt crt.txt active.txt | sort -u > all_subdomains.txt
208
+
209
+ # 5. Check which are alive
210
+ cat all_subdomains.txt | httprobe -c 50 > alive.txt
211
+ ```
212
+
213
+ ---
214
+
215
+ ## ๐Ÿ“‹ Subdomain Discovery Checklist
216
+
217
+ | Method | Status | Notes |
218
+ |--------|--------|-------|
219
+ | crt.sh | โ˜ | Certificate Transparency |
220
+ | SecurityTrails | โ˜ | Requires API key |
221
+ | Subfinder | โ˜ | Fast passive |
222
+ | Amass | โ˜ | Comprehensive |
223
+ | Zone Transfer | โ˜ | DNS zone transfer |
224
+ | Brute Force | โ˜ | With wordlist |
225
+ | Wayback | โ˜ | Historical subs |
226
+ | Takeover Check | โ˜ | Cloud services |
227
+
228
+ ---
229
+
230
+ ## ๐Ÿšจ Common High-Risk Subdomains
231
+
232
+ | Subdomain | Risk | Reason |
233
+ |-----------|------|--------|
234
+ | dev/* | ๐Ÿ”ด CRITICAL | Often unpatched, debug enabled |
235
+ | staging/* | ๐ŸŸ  HIGH | Less tested, similar to prod |
236
+ | test/* | ๐ŸŸ  HIGH | May have test credentials |
237
+ | git/* | ๐Ÿ”ด CRITICAL | Source code exposure |
238
+ | vpn/* | ๐Ÿ”ด CRITICAL | Gateway to internal |
239
+ | admin/* | ๐Ÿ”ด CRITICAL | Admin panels |
240
+ | api/* | ๐ŸŸ  HIGH | API attack surface |
241
+ | old/* | ๐ŸŸ  HIGH | Often forgotten, unmaintained |
242
+ | cdn/* | ๐ŸŸก MEDIUM | Can be used for phishing |
243
+ | mail/* | ๐ŸŸก MEDIUM | Email security |
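Review bot: the takeover check command under "Check Commands" is corrupted by stray non-ASCII characters (`nslookup่™šๆ—  subdomain.target.com`) and will not run as written; it should read `nslookup subdomain.target.com`, and since the indicator being checked is a dangling CNAME, `dig CNAME subdomain.target.com +short` followed by resolving the CNAME target is the more useful pair of commands. Several other commands in this file need a second look before they ship in a skill users will paste verbatim: the crt.sh "Alternative" uses `.[].sub_domain`, a field crt.sh's JSON does not return (the data is in `name_value`, which may hold several newline-separated names and should be piped through `sort -u`); the massdns line `-t AAAA domains.txt -o A results.txt` mixes up the flags, since output goes through `-w results.txt` and `-o` takes an output format such as `S`, and subdomain resolution normally queries `A`; the two DNSdumpster lines fetch a PNG map rather than a subdomain list; the `site:github.com "target.com"` dork sits in a bash block although it is a search query, not a shell command; and the two consecutive amass invocations both write to `subdomains.txt`, so the active run silently overwrites the passive one. In the OSINT block, the ThreatCrowd and Bufferover endpoints have changed or gone offline, so the file should state that these need verification rather than presenting them as working. In "DNS Zone Transfer", `dig axfr @ns1.target.com target.com` assumes a nameserver name; the proper step is to list the authoritative servers with `dig NS target.com +short` and try AXFR against each. Finally, the "Indicators" block lists a bare HTTP 404/403 as a takeover signal, which on its own is not one; a takeover candidate requires a CNAME (or NS) pointing at an unclaimed third-party resource, and the checklist's "DNS wildcard detection" item has no corresponding command even though a wildcard record invalidates every brute-force result.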
@@ -0,0 +1,197 @@
1
+ # WebSocket Security Checklist
2
+
3
+ ## ๐Ÿ” What is WebSocket?
4
+
5
+ Full-duplex communication over a single TCP connection. Common in:
6
+ - Real-time chat applications
7
+ - Live dashboards
8
+ - Gaming
9
+ - Collaborative tools
10
+ - Streaming data
11
+
12
+ ```
13
+ ws://target.com/socket
14
+ wss://target.com/socket (secure)
15
+ ```
16
+
17
+ ---
18
+
19
+ ## โš ๏ธ WebSocket Vulnerabilities
20
+
21
+ ### 1. Lack of Origin Validation
22
+ ```
23
+ Attacker can connect from malicious site
24
+ ```
25
+
26
+ ### 2. Cross-Site WebSocket Hijacking (CSWSH)
27
+ ```
28
+ Attacker tricks user into connecting to attacker's WebSocket
29
+ ```
30
+
31
+ ### 3. Lack of Authentication After Upgrade
32
+ ```
33
+ WebSocket accepts connection before auth
34
+ ```
35
+
36
+ ### 4. Sensitive Data in Messages
37
+ ```
38
+ PII, tokens transmitted without encryption
39
+ ```
40
+
41
+ ### 5. DoS via WebSocket
42
+ ```
43
+ Unlimited message sending
44
+ Connection pool exhaustion
45
+ ```
46
+
47
+ ---
48
+
49
+ ## ๐Ÿงช Testing Checklist
50
+
51
+ ### Phase 1: Discovery
52
+ - [ ] WebSocket endpoint identified (ws:// or wss://)
53
+ - [ ] WebSocket URL discovered
54
+ - [ ] JavaScript analyzed for WebSocket usage
55
+ - [ ] WSS (secure WebSocket) used?
56
+
57
+ ### Phase 2: Connection Testing
58
+ - [ ] Connection without authentication?
59
+ - [ ] Origin header validation?
60
+ - [ ] Cross-origin connection possible?
61
+ - [ ] Connection persists after logout?
62
+
63
+ ### Phase 3: Authentication
64
+ - [ ] Token in URL? (security risk!)
65
+ - [ ] Token in message header?
66
+ - [ ] Token in cookie?
67
+ - [ ] Token expiration checked?
68
+ - [ ] Token reuse possible?
69
+
70
+ ### Phase 4: Authorization
71
+ - [ ] Can access other users' data?
72
+ - [ ] IDOR in WebSocket messages?
73
+ - [ ] Privilege escalation possible?
74
+
75
+ ### Phase 5: Input Validation
76
+ - [ ] XSS via WebSocket messages
77
+ - [ ] SQL/NoSQL Injection in messages
78
+ - [ ] Command Injection in messages
79
+ - [ ] Message size limits enforced?
80
+
81
+ ### Phase 6: DoS Testing
82
+ - [ ] Connection limit exists?
83
+ - [ ] Message rate limiting?
84
+ - [ ] Ping/pong heartbeats?
85
+ - [ ] Auto-reconnect abuse possible?
86
+
87
+ ### Phase 7: Data Exposure
88
+ - [ ] Sensitive data in messages?
89
+ - [ ] PII exposure?
90
+ - [ ] Stack traces in errors?
91
+ - [ ] Debug messages?
92
+
93
+ ---
94
+
95
+ ## ๐Ÿ”ง Testing Tools & Commands
96
+
97
+ ### Browser DevTools
98
+ ```javascript
99
+ // Open DevTools > Network > WS tab
100
+ // Look for "ws://" or "wss://" connections
101
+
102
+ // In Console
103
+ WebSocket = WebSocket
104
+ // Override to log all messages
105
+ ```
106
+
107
+ ### Manual Testing with wscat
108
+ ```bash
109
+ # Install
110
+ npm install -g wscat
111
+
112
+ # Connect
113
+ wscat -c ws://target.com/socket
114
+
115
+ # Connect with headers
116
+ wscat -c ws://target.com/socket -H "Authorization: Bearer TOKEN"
117
+
118
+ # Connect with origin
119
+ wscat -c ws://target.com/socket -o https://evil.com
120
+ ```
121
+
122
+ ### Python websocket-client
123
+ ```python
124
+ import websocket
125
+
126
+ ws = websocket.WebSocket()
127
+ ws.connect("wss://target.com/socket",
128
+ header={"Authorization": "Bearer TOKEN"})
129
+
130
+ # Send message
131
+ ws.send('{"type": "message", "text": "Hello"}')
132
+
133
+ # Receive
134
+ result = ws.recv()
135
+ ```
136
+
137
+ ### Burp Suite
138
+ 1. Proxy > WebSockets tab
139
+ 2. Enable interception
140
+ 3. Manipulate messages in transit
141
+
142
+ ---
143
+
144
+ ## ๐Ÿ”ง Common WebSocket Payloads
145
+
146
+ ### XSS via WebSocket
147
+ ```json
148
+ {"message": "<script>alert(1)</script>"}
149
+ {"type": "chat", "content": "<img src=x onerror=alert(1)>"}
150
+ ```
151
+
152
+ ### SQL Injection
153
+ ```json
154
+ {"user_id": "1 OR 1=1"}
155
+ {"id": "1; DROP TABLE users--"}
156
+ ```
157
+
158
+ ### NoSQL Injection
159
+ ```json
160
+ {"username": {"$ne": ""}}
161
+ {"id": {"$gt": 0}}
162
+ ```
163
+
164
+ ### Large Message (DoS)
165
+ ```json
166
+ {"message": "A" * 100000}
167
+ ```
168
+
169
+ ---
170
+
171
+ ## ๐Ÿ“‹ WebSocket Security Score
172
+
173
+ | Check | Points |
174
+ |-------|--------|
175
+ | WSS (secure) used | 15 |
176
+ | Origin validation | 20 |
177
+ | Authentication required | 20 |
178
+ | Authorization enforced | 20 |
179
+ | Input validation | 15 |
180
+ | Rate limiting | 10 |
181
+
182
+ **Total: /100**
183
+
184
+ ---
185
+
186
+ ## ๐Ÿ›ก๏ธ Secure WebSocket Checklist
187
+
188
+ - [ ] Use `wss://` not `ws://`
189
+ - [ ] Validate `Origin` header
190
+ - [ ] Authenticate during WebSocket handshake
191
+ - [ ] Use secure tokens (not in URL)
192
+ - [ ] Implement rate limiting
193
+ - [ ] Validate all input
194
+ - [ ] Set message size limits
195
+ - [ ] Implement heartbeat/ping-pong
196
+ - [ ] Close connections on logout
197
+ - [ ] Log WebSocket activity
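Review bot: the CSWSH description under item 2 has the attack direction backwards: in Cross-Site WebSocket Hijacking the attacker's page opens a WebSocket to the victim application, and the browser attaches the victim's session cookies to the handshake, so the fix is exactly the Origin validation and handshake authentication the checklist later recommends, not preventing users from connecting to an attacker's socket; items 1 and 2 should be merged or reworded so they do not describe the same weakness twice. In "Browser DevTools", `WebSocket = WebSocket` is a no-op and does not do what the comment ("Override to log all messages") claims; either show the actual wrapping of the constructor and `send`/`onmessage` or drop the snippet and keep the Network > WS instruction. The "Large Message (DoS)" block is tagged `json` but `"A" * 100000` is Python, not valid JSON; label it as Python or generate the payload in the wscat/python sections. The Python example should close the socket (`ws.close()`) and note that `websocket-client` also accepts `header` as a list of `"Name: value"` strings. In "Phase 3: Authentication", "Token in URL? (security risk!)" would benefit from the one-line reason that query strings end up in server, proxy and browser history logs, which is also why the secure checklist item "Use secure tokens (not in URL)" exists; and the secure checklist should add "Set `SameSite` on session cookies" next to Origin validation, since that is the other control that blocks cross-site handshakes.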