80,443 - Web

Foothold

• source code

• links

• redirect

• cookies

• burpsuite

• headers

  • shcheck

Fuzzing

• directories (use different wordlists)

• files (use different wordlists)

• files+extensions (use different wordlists)

• subdomains (use different wordlists)

Login

• default creds

• credentials related to software

• bruteforce

  • cupp

  • pydictor

  • crunch

  • psudohash

  • password-permutor

  • statistically-likely-usernames

  • username-anarchy

  • password-stretcher

Injection

• IDOR

• SQLi

  • SQL (PHP...)

  • NoSQL (Node...)

  • Header Based Injection

• SSTI

• XXE

• XSS

• Command Injection

• Header Injection

Generate errors

• Check resources showing input info

• Symbols to cause errors

Playing with BurpSuite

• send parameters empty

• add symbols

• change order of parameters

• change content-type

• content-type: if www-urlencoded ... change to application/json and format parameters

• change http verbs (GET to POST, POST to OPTIONS, etc)

Credentials bruteforce

Hydra

From here https://github.com/vanhauser-thc/thc-hydra

hydra -L wordlist.txt -P wordlist.txt lanzand0nas.net http-post-form "/directory/master/login.php:username=^USER^&password=^PASS^:Wrong password for user admin" -d

ffuf

From here https://github.com/ffuf/ffuf

cat post-login.txt

POST /login.php HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
[...]

username=FUZZ&password=s3cr3t

ffuf -c -w wordlist.txt -request post-login.txt -request-proto http

It will take the FUZZ word from the file and fuzzing over it.

Wfuzz

From here https://github.com/xmendez/wfuzz

Bypass 403 Forbidden

• https://github.com/devploit/nomore403

Specific Software

Jenkins

• https://github.com/stevenvegar/Jenkins_scripts