
Hitch Hacker S Guide To The Network 1st Edition Cyb3Rpanda

The document is a comprehensive guide titled 'Hitch Hacker's Guide to the Network 1st Edition' by Cyb3Rpanda, focusing on cybersecurity and hacking techniques. It covers various topics including reconnaissance, web application attacks, privilege escalation, and methods for covering tracks during hacking activities. The guide emphasizes ethical considerations and responsible use of the knowledge presented within.

Uploaded by

machyhanelor7683

HGN
HITCH-HACKER’S GUIDE TO THE NETWORK

Cyber Panda the BitThirsty Hunter

By opening this book you agree that you will not use this knowledge on any system
you do not own or do not have express permission to test / troubleshoot / hack into.

With great power comes great responsibility –Stan Lee

Last update: 12 April 2023

Contents

Precautions
Reports
Passive Recon
Active Recon
Web Recon
Open Source Intelligence (Maltego)
Open Source Intelligence
Social Engineering
Fingerprinting / Scanning
Vulnerability Scanning
Recon Privilege Relationships
Scanning: Nmap / MetaSploit Integration
Sniffing (While you scan)
Sniffing: WireShark Essentials
Sniffing: TCPDump Essentials
MitM / Session Hijacking
MitM: Scapy
Web Application Attacks
Authentication & Authorization
Buffer Overflow Attacks
Reverse Shells
Serialize Exploits
Database Injection Attacks
Enumeration
Linux Enumeration Script
Exploitation/Payload Generation/AV Bypass
Encryption Exploitation
Privilege Escalation
Priv Esc: Linux Basics
Priv Esc: Windows Basics
Priv Esc: Citrix & Desktop Envs
Persistence
Password Searching
Password Cracking/Guessing
Pass the Hash/Ticket
Port Forwarding / Proxies / Tunneling
Metasploit
PowerShell Empire
PowerShell: Nishang
Post Exploitation
Wireless: Bluetooth Classic
Wireless: Bluetooth Low Energy
Wireless: DECT
Wireless: DoS / Jamming
Wireless: RFID / NFC
Wireless: Service Bypass / Hijacking
Wireless: Sniffing
Wireless: Software Defined Radio
Wireless: WEP/WPA/WPA2/WPA3
Wireless: ZigBee / Zwave
Appendix: Android Essentials
Appendix: APTSimulator
Appendix: Boost Reviews with your own Bot Army
Appendix: Car Systems
Appendix: CCTV Systems
Appendix: Cloud Penetration Testing
Appendix: Cobalt Strike
Appendix: Common Pen Test Finds
Appendix: CryptoMining
Appendix: Garage Remote
Appendix: Hacker Toys
Appendix: JukeBoxes
Appendix: Linux Essentials
Appendix: Linux Scripting
Appendix: MQTT
Appendix: Netcat/Ncat Essentials
Appendix: Ports
Appendix: PowerShell Essentials
Appendix: Python Essentials
Appendix: Rubber Ducky (Self Made)
Appendix: Training - Certs, Links, & Books
Appendix: Windows Essentials
Appendix: Wifi Jammer

Precautions

Precautions
Encrypt your hard drive
Use anonymous payment like bitcoin for cloud servers (see CryptoMining on how to
generate without traceability). A Bitcoin mixer can help ensure that it is more
difficult to make Bitcoin traceable.
Change your encryption keys on Kali from default or your traffic can be decrypted
Use a virtual machine with all traffic routed through Tor projects like Whonix, Tails,
Qubes TorVM, etc. Here’s a comparison link.
Connect to a VPN like PIA or through rotating cloud hosting vpns or bridge node first
before connecting to Tor.
Cloud services in different countries have different types of laws and are more likely
to attract pen testers.
Set your Android location settings to point to an app and use FakeGPS. Note your
location will still be tracked by cell towers. Turning your phone off will make you
appear in the last known cell tower location.

macchanger -A eth0 :change your MAC address

Attribution
Change servers, domain names, emails, etc
Use tools publicly available
Use indicators of APTs in your code to emulate attribution:
Kiran Bandla maintains a GitHub repository with copies of public threat intelligence
reports
Companies can pay for intel reports from Kaspersky and CrowdStrike

Cloud Hosting Solutions (First piece of Misattribution)


*note I jotted down these from some actual attacks from these cloud hosting solutions
DigitalOcean :several countries available
Virtuzo :Worldwide Cloud Hosting
OneProvider :Worldwide Cloud Hosting
PhotonVPS :Worldwide Cloud Hosting
Linode :Various geographic Cloud Hosting
Vultr :16 countries, reference
Huawei :(use Google Translate), popular Chinese audio streaming service
(Netease cloud music) uses this
Baehost :Argentina cheap cloud hosting
Hetzner :German cloud hosting, nothing coming out of here is good
ovh.com :France cheap cloud hosting
esecuredata.com :Canadian cheap cloud hosting
webhuset.no :Norwegian cheap cloud hosting
mirohost.net :Ukrainian Cloud Hosting
estoxy.com :Estonian Cloud Hosting
vietnex.nv :Vietnamese Cloud Hosting / Proxy
XSServer GmbH :German Cloud Hosting
tencent :Chinese cloud hosting solution, also DCs in US, Russia, Korea, etc
Mean Servers :US Cloud Hosting
linode :they have 172 addresses which could be useful for blending if
target network uses private 172 addresses
hostinger :cheap servers, ultimately ties back to google cloud

Route Exfil
ProxyCannon-ng :works across svc providers, stands up compute nodes, routes, RRobin

Covering Tracks
meterpreter: never drop to shell, always use multicommand -cl "cmd"
meterpreter: never use clearev
*when tunneling always use ephemeral ports corresponding to the OS you’re on; rule of
thumb is that most OSes have a range that falls within 50,000-60,000

Linux

Reference:
https://digi.ninja/blog/hiding_bash_history.php#:~:text=unset%20HISTFILE%20%2D%20Clears%20the%20variable,of%20commands%20to%20not%20log
unset HISTFILE :as soon as you log in, or history -c to clear if you forget
check to make sure, sometimes security replaces unset with a null binary
export HISTFILESIZE=10 :may be less conspicuous than history -c
history -c vs -r :-c clears, but -r rereads hist file, which resets to how it was
when you logged in, writes out amended history w/no evidence of changes.
set +o history :Doesn’t write any of current session to the log, can be run at any
time during session and will hide all commands
set -o history :Turns logging back on but logs the set cmd so obvious something
happened
kill -9 $$ :killing a bash process ID does not write history, but ssh proc ID does
even with a -9
touch -t 2012122316.46 /var/log/secure
Timestomping NOT RECOMMENDED, milliseconds always set to 0, plus change time. Also
doesn’t show change time because it goes off inode # - you’d have to change system
time which causes issues. stat /var/log/secure to see example.

grep -rsh <ip,user> /var/log | sort | grep -v <ip,user> | sort :-v deletes, -i case
*-r is supposed to be recursive may need to also check /var/log/audit/audit.log
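
The two timestamp traits the timestomping note describes (a zero sub-second part and a change time that still follows the real clock) can be checked directly. This is an added example, not part of the original guide: it scans a directory on Linux for files showing both traits. The one-hour threshold, the function names and the sample files are assumptions constructed for the example.

```python
import os
import time
from dataclasses import dataclass

NS = 1_000_000_000
MIN_GAP_S = 3600  # assumption: ignore mtime/ctime gaps shorter than one hour


@dataclass
class Finding:
    path: str
    mtime: str
    ctime: str
    gap_s: int


def fmt(ns):
    """Format a nanosecond timestamp like `stat`, keeping the fraction visible."""
    secs, frac = divmod(ns, NS)
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(secs)) + f".{frac:09d}"


def check_file(path, min_gap_s=MIN_GAP_S):
    """Return a Finding when both traits of a `touch -t` backdate are present."""
    st = os.stat(path, follow_symlinks=False)
    # touch -t takes [[CC]YY]MMDDhhmm[.ss], so the fraction it writes is always zero.
    whole_second = st.st_mtime_ns % NS == 0
    # Setting mtime is itself an inode change: the kernel stamps ctime with the
    # real clock, so a backdated file carries a ctime far later than its mtime.
    gap_s = (st.st_ctime_ns - st.st_mtime_ns) // NS
    if whole_second and gap_s > min_gap_s:
        return Finding(path, fmt(st.st_mtime_ns), fmt(st.st_ctime_ns), gap_s)
    return None


def scan(root, min_gap_s=MIN_GAP_S):
    """Walk `root` and return findings, largest gap first."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            try:
                hit = check_file(os.path.join(dirpath, name), min_gap_s)
            except OSError:
                continue  # file rotated away or unreadable mid-scan
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: f.gap_s, reverse=True)


def build_demo_dir(root):
    """Constructed sample data: one log with a live-looking mtime, one backdated."""
    live = os.path.join(root, "messages")
    stomped = os.path.join(root, "secure")
    for p in (live, stomped):
        with open(p, "w") as fh:
            fh.write("constructed sample line\n")
    # A few seconds old with a non-zero fraction, like a file still being written.
    recent = (time.time_ns() // NS - 5) * NS + 123_456_789
    os.utime(live, ns=(recent, recent))
    # Constructed value: a whole-second mtime years in the past, as touch -t writes.
    backdated = 1_356_281_160 * NS
    os.utime(stomped, ns=(backdated, backdated))
    return live, stomped


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_dir(tmp)
        for f in scan(tmp):
            print(f"{f.path}\n  mtime {f.mtime}\n  ctime {f.ctime}  (+{f.gap_s}s)")
```

Whole-second mtimes also come from archive extraction and file synchronisation tools, so a hit is a lead to confirm with stat and the surrounding log content.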

Windows
Suspend the lsass process threads so it stops logging.
powershell -version 2 -Command <..> :downgrading PowerShell can help with evasion
*The next two are for the ConsoleHost_history text file, but there are still other logs
Set-PSReadlineOption -HistorySaveStyle SaveNothing :unset hist file (PSv5)
Remove-Module -Name PsReadline :unset hist file (PSv5)
-w hidden :window style hidden
-Nop :don’t load PS profile
-Noni :don’t prompt user
-Exec Bypass :bypass execution policy
-e :while you may need to download stuff encoded to bypass stuff this is NOT stealthy

Used to have to clear all (not recommended at all). Possible to do selective deletes
Mimikatz: event::drop
DanderSpiritz: eventlogedit
Invoke-Phant0m thread killing
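
A defender's view of the launch flags and PSReadLine cmdlets listed in this section, as an added example that is not part of the original guide: it labels process command lines (for instance the command-line field of process-creation events) and logged script blocks. The switch-prefix table, the label names and the sample events are assumptions constructed for the example.

```python
import re

# Assumption: characters powershell.exe accepts in front of a switch name.
SWITCH_PREFIXES = "-/\u2013\u2014\u2015"
HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# (full name, shortest accepted prefix, alias). PowerShell resolves abbreviated
# switches, so "-e", "-en" and "-enc" all mean -EncodedCommand. The prefix
# lengths here are this example's assumption, not taken from the guide.
SWITCHES = [
    ("noprofile", "nop", None),
    ("noninteractive", "noni", None),
    ("windowstyle", "w", None),
    ("executionpolicy", "ex", "ep"),
    ("encodedcommand", "e", "ec"),
    ("version", "v", None),
    ("command", "c", None),
    ("file", "f", None),
]
TAKES_VALUE = {"windowstyle", "executionpolicy", "encodedcommand", "version"}

# Cmdlets from the section that switch off PSReadLine history, as they would
# appear in script block logging.
SCRIPTBLOCK_RULES = {
    "history_save_nothing": re.compile(
        r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I),
    "psreadline_unloaded": re.compile(r"Remove-Module\b.*\bPSReadLine\b", re.I),
}


def resolve(key):
    """Map an abbreviated switch (without its prefix) to the full parameter name."""
    for full, shortest, alias in SWITCHES:
        if key == alias or (len(key) >= len(shortest) and full.startswith(key)):
            return full
    return None


def analyze_cmdline(cmdline):
    """Return labels for the launch flags of one process command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() not in HOSTS:
        return []
    hits, i = [], 1
    while i < len(tokens):
        tok = tokens[i]
        name = resolve(tok[1:].lower()) if tok and tok[0] in SWITCH_PREFIXES else None
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if name in ("command", "file"):
            break  # everything after these is script text or script arguments
        if name == "noprofile":
            hits.append("no_profile")
        elif name == "noninteractive":
            hits.append("non_interactive")
        elif name == "windowstyle" and value == "hidden":
            hits.append("hidden_window")
        elif name == "executionpolicy" and value == "bypass":
            hits.append("policy_bypass")
        elif name == "version" and value in ("2", "2.0"):
            hits.append("version_downgrade")
        elif name == "encodedcommand":
            hits.append("encoded_command")
        i += 2 if name in TAKES_VALUE else 1
    return hits


def analyze_scriptblock(text):
    """Return labels for history-disabling cmdlets in one logged script block."""
    return [label for label, rx in SCRIPTBLOCK_RULES.items() if rx.search(text)]


# Constructed sample events; the encoded payload is a placeholder, not real data.
SAMPLE_EVENTS = [
    ("process", r'powershell.exe -Version 2 -Command "Get-Date"'),
    ("process", "powershell -nop -noni -w hidden -exec bypass -e PLACEHOLDER_BASE64"),
    ("process", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r"-File C:\scripts\backup.ps1 -w hidden"),
    ("process", "powershell -ExecutionPolicy RemoteSigned -NoLogo"),
    ("scriptblock", "Set-PSReadlineOption -HistorySaveStyle SaveNothing"),
    ("scriptblock", "Remove-Module -Name PsReadline"),
]


def triage(events):
    """Return (event index, labels) for every event with at least one label."""
    out = []
    for idx, (kind, text) in enumerate(events):
        labels = analyze_cmdline(text) if kind == "process" else analyze_scriptblock(text)
        if labels:
            out.append((idx, labels))
    return out


if __name__ == "__main__":
    for idx, labels in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx][1][:60], "->", ", ".join(labels))
```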

Burp Note
You can modify your Burp Javascript file so that it doesn’t phone back home, plus
helps evasion. Unpack the main burpsuite_free.jar to modify it.

Disposable Registrations
10 second mail :super handy
Gmail - <email>[email protected] – still routes back to gmail but most think= original (-n)

Reports

Cherry Tree Templates


https://411hall.github.io/assets/files/CTF_template.ctb
https://github.com/unmeg/hax

MITRE ATT&CK (Self Assessment & Test)


Populate framework based on Threat Actor
Map APT Names across vendors
Self Assessment: OSSEM Power-Up :less intensive
Self Assessment: ATTACKdatamap :more intensive
Self Assessment: Litmus_Test :basic test
Caldera :Adversary Emulation
VECTR :Better than Caldera

Infographics & Data Visualization


Adobe Color CC
Aeon
Arbor.js
Beaker
Befunky
Bizint
Cacoo
Canva
chartblocks
Charted
Chartico
Chart.js
Circos
creately
Crossfilter
csvkit
Data Visualization Catalogue
D3js
Datawrapper
Dropmark
dygraphs
easely
Exhibit
Flot
FusionCharts
Google Developers: Charts
GraphX
Helpmeviz
Highcharts
Hohli
Inkscape
Infogr.am
Java Infovis Toolkit
JpGraph
jqPlot
Kartograph
Knoema
Leaflet
Listify
Linkurious
LocalFocus
Lucidchart
Mapline
Nodebox
OpenLayers
Palladio

Piktochart
Pixcone
Pixxa
Plotly
SpicyNodes
StoryMap
QlikView
Quadrigram
Raphael
RAW
RichChartLive
Shanti Interactive
Silk
Snappa
Statpedia
Tableau
Tableau Public
Tagul
Textures.js
Tiki-toki
Tik-tok
Timeflow
Timeglider
Timeline
Timeline
Timescape
Timetoast
Weave
Wordle
Venngage
Visage
Vis.js
Visme
Visualize Free
Visualize.me
visually
Vortex
ZingChart

Passive Recon

Whois Enumeration
whois site.com :can find people,hosting companies, etc

Google Hacking
*note also see recon-ng section in Active Recon for integration w/GHDB
site: [url] :search only one url
site:Microsoft.com -site:www.microsoft.com :ex showing subdomains
numrange:[#]…[#] :search within a number range
date:[#] :search within past [#] months
link: [url] :find pages that link to url
related: [url] :find pages related to url
intitle: [string] :find pages with [string] in title
intitle:"netbotz appliance" "OK" -filetype:pdf :example showing appliances on the net
intitle: "index of" "parent directory" :dir listing pages w/out index pages
inurl: [string] :find pages with [string] in url
inurl:"level/15/exec/-/show" :ex showing open cisco routers
filetype: [xls] [php] [pdf] :find files that are xls
ext:jsp, ext:cfm, ext:pl, ext:php :indexed Java pages, coldfusion, perl
phonebook: [name] :find phone book listings of [name]

filetype:pdf "password" site:site.com :look for password


site:site.com -filetype:html :the - excludes html from results

Fast Google Dork Scan:


https://github.com/IvanGlinkin/Fast-Google-Dorks-Scan

Google Hacking DataBase


https://www.exploit-db.com/google-hacking-database
Examples:
allintitle:"Login | wplogin Login
intitle:"index of /" "docker-compose.yml" ".env"
inurl:/superadmin/login intext:login

DNS Recon / Online Tools


https://github.com/hdm/inetdata :Inetdata: ~300-400MB/month
https://searchdns.netcraft.com :Netcraft recon
https://www.shodan.io/ : hostname:site.com
https://securityheaders.com/ :basic analysis of security posture
https://www.ssllabs.com/ssltest/ :SSL test, also Poodle/Heartbleed
DNS Dumpster :domain research tool
NerdyData :searches known snips of code
Carrot2 :keyword search visualization
2lingual :very helpful for international jobs
Maltego :see Maltego section

Recon-ng
recon-ng :start recon-ng
>marketplace search github :search for github modules for recon-ng
*anything with a * in the K column requires API key

Search Google with site operator


>marketplace install recon/domains-hosts/google_site_web
> modules load recon/domains-hosts/google_site_web
> info
>options set SOURCE site.com
>run

*stores results to feed into other modules


>show hosts

*Resolve ips for hosts we enumerated
>marketplace info recon/hosts-hosts/resolve
>marketplace install recon/hosts-hosts/resolve
>modules load recon/hosts-hosts/resolve
>info
>run
>show hosts

Open Source Code


Open Source Code: GitHub, GitLab, SourceForge, Stack Overflow, forums, etc
https://github.com/michenriksen/gitrob :Gitrob
https://github.com/gitleaks/gitleaks :GitLeaks
recon-ng modules :marketplace search github

Github Search for parameters like filename:users


Google Hacking: site:github.com users

Reconnaissance Against Sites


https://www.exploit-db.com/google-hacking-database/ :Google Hacking Database
https://www.shodan.io/ :Google equivalent for security
https://crt.sh/ :subdomain enum
https://censys.io/ :good for reconning hosts
https://sitereport.netcraft.com/ :indirect recon against web servers
whois <domain> :basic info including owner
whois <ip> :basic info including owner

GoBuster (for recon)


./gobuster dns -d <domain> -w <wordlist> --wildcard :DNS enum (also searches Cert
Transparency)

OSINT w/Spiderfoot
SpiderFoot is a Windows application that runs a local web app on TCP 5001.
127.0.0.1:5001
Shows scans. Status view shows the plugins used to evaluate; the Search Engine’s Web
Content plugin usually returns the most results but is not the most useful plugin
Graph view shows which plugins seeded others

Co-Hosted Site Domain Name module shows DNS names associated with targets
Email Address module shows emails
Hacked Email Address module shows emails in known hacks
Web Technology plugin shows web platforms server tech and web frameworks

MetaData Harvesting: ExifTool


exiftool [filename] :extract metadata like usernames, etc
exiftool *.docx *.pdf
exiftool *.docx *.pdf | grep -i -E "author|editor|application|producer"

MetaData Harvesting: Strings


wget -nd -R htm,html,asp,aspx,cgi -P /tmp/metadata [targetdomain] :pull website
strings /tmp/* | grep -i firewall :search md for "firewall" string
strings /tmp/* | grep -i password :search md for "password" string
other search strings: authentication, security, finance, e-mail, <people’s names>

Pull Websites Offline


wget -nd -R htm,html,asp,aspx,cgi -P /tmp/metadata [targetdomain] :linux
(New-Object System.Net.WebClient).DownloadFile("http://site","c:\site.html"); gc c:\site.html :Powershell-pull single site down

Metagoofil
Not as good any more due to Google captcha – best used for non-Google search engines
First performs Google search to id and dl documents to target disk
Next extracts file metadata w/diff libraries such as Hachoir, Pdfminer, others

User Information Gathering


Our purpose for gathering this information is to compile user or password lists, build
pretexting for social engineering, augment phishing campaigns or client-side attacks,
execute credential stuffing, and much more. However, the rules of engagement vary for
each penetration test. Employees' personal devices, third party email, and social media
accounts usually fall outside this authorization.

Leaked / Compromised Web Search


Pastebin :often dumped breach creds on pastebin
haveibeenpwned.com :useful OSINT
DLPDiggity :search for leaked SSN, PII, etc
SearchDiggity :search for website exploiting browsers

Email Harvesting / Subdomain Enumeration


*theharvester became theHarvester and doesn’t support Google any more?
**deprecated: theharvester -d cisco.com -b google > google.txt
**deprecated: theHarvester -d cisco.com -b linkedin > linkedin.txt

theHarvester -d cisco.com -b pgp > pgp.txt :search for encrypted emails


theHarvester -d cisco.com -l 10 -b bing > bing.txt :harvest through Bing
theHarvester -d cisco.com -b baidu > baidu.txt
theHarvester -d cisco.com -b duckduckgo > duckduckgo.txt
theHarvester -d cisco.com -b github-code > github-code.txt
theHarvester -d cisco.com -b yahoo > yahoo.txt

*also note the email format (i.e. first.last), could be useful for targeting
*credential stuffing, look for places like Pastebin for dumped creds

Verify O365 Emails


https://github.com/Raikia/UhOh365

Social Media Tools


https://www.social-searcher.com/
recon-ng
theHarvester

https://digi.ninja/projects/twofi.php :scan Twitter & gen passwd


https://github.com/initstring/linkedin2username :gen username lists based on LinkedIn

Active Recon

Maltego
Domain/L3 scan great starting point – refer to Maltego chapter

DNS Enumeration
host -t ns megacorpone.com :enum DNS servers
host -t mx megacorpone.com :enum mail servers
host -l <domain name> <dns server address> :host cmd for zone transfer
ex: host -l megacorpone.com ns1.megacorpone.com

dnsrecon -d megacorpone.com -t axfr :automated zone xfer tool


dnsenum zonetransfer.me :another automated zone xfer tool

dig @<server> <domain> -t AXFR :dig sometimes works when nslookup won't
dig
dig @server_ip A www.site.com :query A record for site
dig +short @server_ip A www.site.com :less verbose
dig +short @ip AXFR site.com :Domain transfer
dig +short @ip MX site.com :Mail records
*protection.outlook.com is O365

nslookup:
C:\>nslookup
>server dnsserver
>set type=AXFR
>ls -d targetdomain :zone transfer attempt

Automated DNS Guessing


sudo nmap --script dns-brute --script-args dns-brute.domain=site.com
:wordlist contained in /usr/share/nmap/nselib/data/vhosts-default.lst
More detailed list: https://github.com/danielmiessler/SecLists
awk '{print "algorithm-"$1}' labs/dns/namelist.txt > company-namelist.txt :create custom

Rerun using our custom wordlist:


sudo nmap --script dns-brute --script-args dns-brute.domain=company.com,dns-brute.hostlist=company-namelist.txt

Subdomain script enumeration example:


wget www.cisco.com :download cisco index page
grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u
:ex of cutting subdomains out of index
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 |
sort -u :get ips for subdomain list

DNSRecon.py
www.github.com/darkoperator/dnsrecon :Google enum, crt.sh cert transparency
logs, mDNS and local domain enum, zone xfer capability, dns brute force wordlist

URL Wordlist
CommonSpeak2
Subdomain Enum
./dnsrecon.py --iw -d host.com -t crt > dnsrecon-output.txt :(/opt/dnsrecon)
cat dnsrecon-output.txt | cut -c9- | cut -f1 -d " " | grep domain > cutlist.txt :trim
for i in $(cat cutlist.txt); do echo "[+] Querying $i"; dig -t txt +short $i; done
:look for valid domains
Host Scraping from subdomains
./dnsrecon.py --iw -d subdomain.domain.com -D subdomains-5k.txt -t brt,crt --threads 10
-c dnsrecon.csv
cat dnsrecon.csv | awk -F, '{print $3 }' | grep -v Address | grep -v : | grep -v '^$' |
sort -u > ips.txt :save off ips to separate file

Recon-ng

recon-ng :start recon-ng
show options :show variables
show modules :contacts, credentials, domains, etc
search domains-hosts :diff searches like google,shodan,etc
search resolve :search modules that would resolve names
use recon/domains-contacts/whois_pocs :employee names & emails plugin
use recon/domains-vulnerabilities/xssed :existing XSS vulns
use recon/domains-hosts/google_site_web :search additional subdomains
use recon/hosts-hosts/ip_neighbor :discover neighboring IP addresses
show info :view module description
set SOURCE cisco.com :set a specific source
add netblocks 10.10.10.0/24 :specify a range of ips
run :last command to run
show hosts :view after running against ip range

Google Hacking Integration


>use ghdb
>set SOURCE cisco.com :set our target url
>set :see associated options
>set GHDB_FILES_CONTAINING USERNAMES true :example search for usernames
>search report :see the different output options
>use reporting/csv :set our output to csv
>run

Add API Keys


>keys :info
Google: create project here, then create credentials and select API keys (then enable)
Full list of steps for apis: hsploit.com/recon-ng-adding-api-keys-database-commands-and-advanced-scanning/
>keys add api_key_name <api_key> :add your api key

Web Recon

CeWL (Crawl & Wordlist Generation) :https://digi.ninja/


cewl.rb -m 8 -w whitehouse.txt -a --meta_file whitehouse-meta.txt -e --email_file
whitehouse-email.txt https://www.whitehouse.gov/ :content, metadata, strings

IP Address Info
nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

Robots.txt Scan
nmap -n --script=http-robots.txt.nse <ip> -p 80,443

Nmap NSE Scripts


-sC :use default scripts to eval target
--script banner :run named script banner against target
--script-help "http*" :info about http* scripts
--script "http*" :run all http scripts

Web Server Scanners


Sparta
Noisy but several tools built in

Nikto
./nikto.pl -h <ip> -p <ports> -output <file> :www.cirt.net;free; can be Nessus plugin
wikto (port of Nikto to Windows in .NET) :www.sensepost.com

Dirbuster :folder enum built in to Kali


dirb http://ip /usr/share/dirb/wordlists/big.txt
uses common wordlist by default
dirbuster; (opens gui); http://ip:port/ & specify wordlist (see Gobuster for common)

Gobuster :folder enum – I like better than dirB


gobuster dir -e -u http://ip:port/ -w /usr/share/wordlists/dirb/common.txt :new
Subdomain Enum
./gobuster dns -d <domain> -w <wordlist> --wildcard :DNS enum (also searches Cert
Transparency)
Host Scraping
/opt/gobuster dns -d subdomain.domain.com -w subdomains-5k.txt

Burp
Commercial tool, only a couple hundred a year, well worth it for pen testers
Burp Basics Demonstrated against DVWA

Firefox / Fiddler
Sometimes it’s just easier to replay packets in Firefox dev tools / Edit and Send.

Wfuzz
python wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 http://site/FUZZ

sfuzz
sfuzz -S e07-target.allyourbases.co -p 8144 -T -f /usr/share/sfuzz/sfuzz-sample/basic.http

Web Recon (Louis Nyffenegger)


Check robots.txt files for interesting files
Generate 404 errors to look for any leaked data
Look for a security.txt file (.well-known/security.txt)

DIRECTORY LISTING
Check the /admin/ directory.

Check for 301/redirects: curl http://site.com/admin --dump-header -

When accessing a directory on a webserver, multiple things can happen:

an "index" file is present and it will get returned. N.B.: the file is not necessarily
named index, this can be configured. But most of the time, the file will be named
index.html
no "index" file is present and the webserver will list the content of the directory.
This can obviously leak information.
Directory indexing can be disabled on most webservers. For example, with Apache, you
need to use the option: -Indexes.

To find directories with indexing turned on, you need to browse the source of the HTML
pages and look at the directories used to store files. Once you have a list of
directories, you can access each of them individually.

Use tools like Wfuzz, ffuf, or patator to look for other directories:
docker run -it python /bin/bash
mkdir /code
cd /code
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
python setup.py install
./wfuzz
./wfuzz -c -z file,wordlist/general/common.txt --hc 404 http://site.com/FUZZ

Using IP and host headers


When accessing a new webserver, it often pays off to replace the hostname with the IP
address or to provide a random Host header in the request. To do this, you can either
modify the request in a web proxy or use:

dig site.com :find ip


curl http://ip/ -v :verbose
curl http://url/ -v -H "Host: test" :sometimes can get different version

ALTERNATIVE NAMES
When accessing a TLS server, it often pays off to check the content of the certificate
used. It's common for TLS servers to have certificates that are valid for more than one
name (named alternative names). Looking for alternative names can be done in your
client or by using openssl.

Click the lock next to the URL bar / Certificate / Details tab / Subject Alternative
Names.
Make sure you are trying the https:// urls.

HEADER INSPECTION
When accessing a web server, it often pays off to check the responses' headers. It's
common to find information around version and technologies used.
curl https://site.com/ --dump-header - -o /dev/null
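
The directory listing and header inspection checks above, turned into a check you can run against responses captured from your own server. This is an added example, not code from the guide; both sample responses are constructed and the function name is hypothetical.

```python
import re

# Response headers that commonly disclose the product or its version.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")                 # e.g. 2.4.41
AUTOINDEX_RE = re.compile(r"<title>\s*Index of /", re.I)  # auto-index page title


def audit_response(raw):
    """Return findings for one raw HTTP response (headers, blank line, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name in DISCLOSING_HEADERS:
            kind = "version-disclosed" if VERSION_RE.search(value) else "product-disclosed"
            findings.append((kind, name, value))
    if AUTOINDEX_RE.search(body):
        findings.append(("directory-listing", "body", "auto-generated index page"))
    return findings


# Constructed sample: indexing on and verbose banners.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body>...</body></html>"
)

# Constructed sample: same path after Options -Indexes and banner reduction.
AFTER = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in audit_response(raw):
            print("  ", finding)
```

On Apache the reduced banner corresponds to ServerTokens Prod and ServerSignature Off, and the PHP header is controlled by expose_php = Off.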

VISUAL RECONNAISSANCE
If you haven't done visual reconnaissance before, you can try to use the tool Aquatone
to get images that you can browse easily to find the right key.

VIRTUAL HOST BRUTE FORCING


Sometimes you can brute force a virtual host by only manipulating the Host header.
Sometimes there is no DNS resolution setup.

docker run -it golang
go get -u github.com/ffuf/ffuf
git clone https://github.com/xmendez/wfuzz
ffuf -w wfuzz/wordlist/general/common.txt -u https://site.com -H "Host: FUZZ.site.com" -fr recon_07
curl https://site.com -H 'Host: admin.site.com'

LOAD BALANCING
Serving requests for a single application can be done by multiple backends. It can pay
off to send the same request multiple times to check if multiple backends are involved.

TXT RECORD
TXT records are often used to show that people own a domain or to store information to
configure services. It's always a good idea to check for those.

dig -t TXT key.z.site.com

ZONE TRANSFER
Zone transfers are usually used to synchronise multiple DNS servers. Only a list of
pre-defined hosts should be able to perform this operation. However, it's sometimes
possible to retrieve this information, which can give you access to new hosts.

dig AXFR z.site.com


dig -t SOA AXFR z.site.com
dig -t NS AXFR z.site.com
dig AXFR z.site.com @z.site.com
dig AXFR int @z.site.com :ask external servers about internal info

BIND
BIND is one of the most commonly used DNS servers. If you know how to ask, it will
reveal its version.

dig chaos txt VERSION.BIND @z.site.com

GITHUB
Look at the names of the developers who committed code for the organisation in the
repository on GitHub (you will need to find the GitHub account for the company first).
Developers often commit with the wrong email address and that may leak some information
about personal accounts or internal systems.
git clone https://github.com/company/repo/
cd repo
git log

It's important to look at all branches as they may be used to store sensitive
information.
git clone https://github.com/site/repo
cd repo
git branch
git branch --remote

You can also look at the various branches by clicking the dropdown on the GitHub page.

Often, when committing secrets by mistake, developers just remove the file and commit
again, leaving the information available for anyone willing to search for it. It's
important to look at commit messages and search for keywords.
git clone https://github.com/site/repo
cd repo
tig
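
The two points above (check every branch; a deleted file stays in history) as an audit you can run on your own repositories before publishing them. This is an added example, not code from the guide; the demo repository, file names and secret patterns are constructed, and it assumes git is on the PATH.

```python
import pathlib
import re
import subprocess
import tempfile

# Constructed patterns: AWS access key IDs plus generic key=value secrets.
SECRET_RE = re.compile(
    r"AKIA[0-9A-Z]{16}|(?i:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"
)


def git(repo, *args):
    """Run git inside repo with a fixed identity so commits work anywhere."""
    cmd = ["git", "-C", str(repo), "-c", "user.name=audit",
           "-c", "user.email=audit@example.invalid", "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def tracked_secret_hits(repo):
    """Secrets visible in the current checkout (what a casual review sees)."""
    hits = []
    for name in git(repo, "ls-files").splitlines():
        text = (pathlib.Path(repo) / name).read_text(errors="replace")
        hits += [(name, l.strip()) for l in text.splitlines() if SECRET_RE.search(l)]
    return hits


def secrets_in_history(repo):
    """Scan lines added by every commit on every ref; return (commit, path, line)."""
    log = git(repo, "log", "--all", "-p", "--no-color", "--format=commit:%H")
    hits, commit, path = [], None, None
    for line in log.splitlines():
        if line.startswith("commit:"):
            commit = line[len("commit:"):]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else None
        elif line.startswith("+") and SECRET_RE.search(line[1:]):
            hits.append((commit[:10], path, line[1:].strip()))
    return hits


def build_demo_repo(root):
    """Constructed repo: a key file committed then deleted, plus a side branch."""
    repo = pathlib.Path(root)
    git(repo, "init", "-q")
    (repo / "app.py").write_text("print('hello')\n")
    (repo / "config.env").write_text(
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=constructed-not-real\n")
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "initial import")
    (repo / "config.env").unlink()
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "remove config")   # the usual "fix"
    git(repo, "checkout", "-q", "-b", "wip-deploy")
    (repo / "deploy.sh").write_text("API_KEY=constructed-not-real\n")
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "deploy script")
    git(repo, "checkout", "-q", "-")                   # back to the default branch
    return repo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_demo_repo(tmp)
        print("checkout:", tracked_secret_hits(repo))
        for hit in secrets_in_history(repo):
            print("history:", hit)
```

A clean checkout with hits in history means the credential has to be rotated; removing the file in a later commit does not take it out of the repository.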

AWS
Amazon Web Services Simple Storage Service (S3) allows file owners to set permissions
on files. Historically, the "Any users" rule wasn't well explained and led a lot of
people to think only people in their Amazon account could access a file. However, it
allowed any AWS account to access the file.

https://site.com/key2.txt - access denied


brew install awscli
*AWS IAM (web) - create pid / key id and secret by creating a new user
aws configure
cd ~/.aws
cat credentials :stored here
aws s3
aws s3 ls s3://assets.site.com :often the name of the bucket is the name of the
server
aws s3 cp s3://assets.site.com/key2.txt key2.txt :sometimes even if you can't ls
you can still copy
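
For bucket owners, the misconfiguration described above shows up in the ACL as a grant to one of S3's predefined global groups. This is an added example, not code from the guide; the two ACL documents are constructed in the shape returned by aws s3api get-bucket-acl and get-object-acl, and the function name is hypothetical.

```python
import json

GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 groups that reach beyond the owning account.
BROAD_GROUPS = {
    GROUP_PREFIX + "AllUsers": "anyone, including unauthenticated requests",
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account, not just yours",
}
# What an ACL permission allows; READ and WRITE differ for buckets and objects.
MEANING = {
    ("bucket", "READ"): "list the keys in the bucket",
    ("bucket", "WRITE"): "create, overwrite and delete objects",
    ("object", "READ"): "download the object",
    ("any", "READ_ACP"): "read the ACL",
    ("any", "WRITE_ACP"): "rewrite the ACL",
    ("any", "FULL_CONTROL"): "read, write and change the ACL",
}


def broad_grants(kind, acl_json):
    """kind is 'bucket' or 'object'; acl_json is the matching ACL document."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in BROAD_GROUPS:
            perm = grant.get("Permission", "")
            effect = MEANING.get((kind, perm)) or MEANING.get(("any", perm), "unknown")
            findings.append((uri[len(GROUP_PREFIX):], perm, effect))
    return findings


OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id", "DisplayName": "owner"}

# Constructed: the bucket itself is owner-only, so listing is denied to others.
BUCKET_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id", "DisplayName": "owner"},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
})

# Constructed: one object carries a grant to every AWS account holder.
OBJECT_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id", "DisplayName": "owner"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    print("bucket:", broad_grants("bucket", BUCKET_ACL))
    print("object:", broad_grants("object", OBJECT_ACL))
```

Bucket and object ACLs are evaluated separately, which is why a listing can be denied while a copy of a known key succeeds; S3 Block Public Access treats grants to either group as public.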

MANUAL REVIEW OF LOADED SCRIPTS


It's essential to inspect JavaScript files for hardcoded keys. Inspect the page and
manually review any loaded scripts.

Open Source Intelligence (Maltego)

Maltego
Interactive Data Mining tool
**Attribution evasion with one exception (see next)
Anonymity: An important note is that in most cases information is downloaded to the
Maltego server, then to your local client, meaning the external entity will see
Maltego servers querying it, not your external-facing IP. However, this does not apply
to downloading images, which go directly to your local client. There are two options.
First option is to set up a proxy. Second option is to turn off auto-downloading images
under Settings / Miscellaneous.

Maltego Transforms Worth Noting


ThreatGrid :tie your Cisco products together
Shodan :
Social Links Facial Recognition :paid subscription, free ver has darkweb

External Recon (Infrastructure) / Footprinting (Full walkthrough, not all steps apply to situations)
Short Version
Create domain entity (i.e. army.mil)
On left hand side click Machines
Footprint L1 :Only down the path once – fast and simple
Footprint L2 :L1 plus Shared NS/MX and Shared websites
Footprint L3 :L2 plus reverse on netblocks, domains from reverse DNS, builtwith
Footprint XXL :lots of false positives needs a lot of result tuning
Find Wiki Edits :Look for Wiki edits from their ip ranges (if they didn’t sign in)
Company Stalker :email addresses from a domain, social networks, and metadata
How to Create Your own Machine Macro with additional transforms

Long Version
Enumerate External Infrastructure
Create domain entity (i.e. army.mil)
Transform / Paterva CT / DNS from Domain (the whole group of 9)
Transform / Paterva CT / Resolve to IP (the whole group)
Transform / All Transforms (no group) / To NetBlock [natural boundary]
-it is not in a group because you only want to use 1, not all 3
Transform / All Transforms / To AS number
Transform / All Transforms / To Company [Owner] – may need to select by type 1st

Then go back up in Reverse to find related info


Select by Type [AS] / To Netblocks in this AS
Select by Type [Netblock] / To DNS Names in Netblock [Reverse DNS]

Shared Infrastructure
Select by Type [MX records] / To Domains (Sharing this MX)
Select by Type [NS records] / To Domains (Sharing this NS)
Select by Type [DNS] / To Domain

All In-House Strategy (large companies)


Shared MX for more domains
Shared NS for more domains
Hosts multiple web servers on single host
Look for patterns in configuration (mx1,mx2)
Cyclical footprinting process

Hybrid Strategy (company controls some internally, outsource some)


Look at shared infrastructure they control (MX, NS, SOA, SPF, Websites, DNS)
Validate you are still in the target's infrastructure:
Validate domains – whois
Validate ips – whois, reverse DNS

Outsourced Strategy
Shared infrastructure on MX/NS is out

Almost nothing points to IPs in real network
Search at internet registry (ARIN/RIPE/APNIC/etc), usually in whois
Reverse DNS
Search IP on Internet via search engine
Wikipedia entries (Wikipedia transforms)

Personal Strategy
No infrastructure to enumerate
Email to individual with clickable link, embedded image
Legal route – subpoena for ISP

External Recon – Service Enumeration


Enumerate other sites
Create domain entity (i.e. army.mil)
Transform / Paterva CTAS / DNS From Domain / To Website Using Domain [Bing]
Transform / All Transforms / To Tracking Codes
Transform / All Transforms / To Other Sites with Same Code

Service Enumeration (continued)


Investigate Tab / Select by Type / Website
Transform / Paterva CTAS / All / To Server Technologies [Using BuiltWith]
Look for unpatched, exploitable services
*alternatively, you can go to https://builtwith.com and use outside maltego
**Maltego Teeth allows integration with the Metasploit Database

External Recon – Attribution


Enumerate Attribution from File MetaData (possible user names, social engineering
targets, etc)
Create domain entity (i.e. army.mil)
Transform / Paterva CTAS / Files and Documents from Domain (group of 2)
Transform / Paterva CTAS / Parse Meta Information

Figure Out Email for Company


Email Addresses From Domain (group of 3)
To DNS Name – MX (mail servers)
To Domain (convert)
Email Addresses From Domain (group of 3)
If you still aren’t finding anything, google contact “company”, look for domain name
they use then run Email Addresses from Domain

Spear phish based on that information


Add entity - Type Personal / Person
Autopopulate name based on naming convention from previous step
All Transforms / Verify Email Address Exists

Pivot for Other Emails based on company emails


To Email Addresses [PGP]

Reverse Picture search


Type in someone's number on WhatsApp, then do reverse picture search

Twitter Geographic Search


Convert an address to GPS coordinates online, i.e.
https://www.latlong.net/convert-address-to-lat-long.html
Transforms / Paterva CTAS / To Circular Area
Then To Tweets From Circular Area
To Twitter Affiliation [Convert]

Open Source Intelligence

Massive Compendium
https://gist.github.com/heywoodlh/07570f45ea1a4c74b79d4b897847ea6d

Automated OSINT
Recommended in SEC588: https://github.com/smicallef/spiderfoot

Email
First Step: Email Verification
hunter.io/email-verifier :manual
verify-email.org :
tcpiputils.com/email-test :
tools.verifyemailaddress.io :provides pdf/excel report

Attempt to Discover Related Emails


manual email assumptions :@microsoft.com; @yahoo.com;
@hotmail.com, @live.com, etc.
findanyemail.net :full name -> email
inteltechniques.com/OSINT/email.html :automated,taken down mid-2019, offline

Compromised Accounts
haveibeenpwned.com :gold standard for breached accounts
hacked-emails.com :alt source

Social Network
manycontacts.com/en/mail-check :individual lookup is free
pipl.com :
https://en.gravatar.com/site/check/<email> :
thatsthem.com :occasionally good

Email Metadata
whoxy.com/reverse-whois
domainbigdata.com
dnstrails.com
whoismind.com
analyzeid.com

Additional
Breach OR Clear
Custom Email Search Tools
BriteVerify Email Verification
Email Address Validator
Email Format
Email Hunter
Email Permutator+
Emails4corporations
EmailSearch.net
Email Validator
Email Validator Tool
Peepmail
ReverseGenie
Toofr
VoilaNorbert - Find anyone's contact information for lead research or talent
acquisition.

User Names
knowem.com :one of most comprehensive searches
namechk.com :download as csv useful
checkusernames.com :knowem+NameChk, provides links
usersearch.org :provides actual profile results
namevine.com :multiple search speed
pipl.com :good for emails & user names
peekyou.com :encourages first/last name
com.lullar.com :good -> email/screenname,bad->real name

usersherlock.com/usersearch :DON’T use – discloses info
findmysnap.com :can find area code for user name
web.skype.com :Skype user could give valuable metadata
inteltechniques.com/OSINT/username.html :taken offline
Custom Username Tools
Gaddr - Scan 50+ different websites for usernames.

People Search
411 (US)
192 (UK)
Alumni.net
Ancestry
Canada411
Cedar
Charlie App
Classmates
CrunchBase
Custom Person Search Tools
CVGadget
Data 24-7
Gaddr
facesearch - Search for images of a person by name.
Family Search
Family Tree Now
Federal Bureau of Prisons - Inmate Locator (US) - Find an inmate that is in the
Federal Bureau of Prisons system.
Fold3 (US Military Records) - Browse records of US Military members.
Forebears
Genealogy Bank
Genealogy Links
Hey Press (Search for Journalists)
Homemetry
Infobel
Infospace White Pages
Interment
International White and Yellow Pages
Itools
Kompass
LookUpUK
Lullar
MarketVisual
MelissaDATA
My Life People Search
The National Archives (UK)
PeekYou
People Search (Australia)
PeopleSearch.net
Pipl
Rapportive
RecordsPedia
Recruitem
Reunion
Rootsweb
SearchBug
Skip Ease
snitch.name
SnoopStation
Spokeo
Switchboard
That’sThem
USSearch
WebMiii
White Pages (US)
Wink
Yasni
Zabasearch
Zoominfo

Phone Number Search


National Cellular Directory - was created to help people research and reconnect
with one another by performing cell phone lookups. The lookup products include
billions of records that can be accessed at any time, as well as free searches one hour
a day, every day.
NumSpy-API - find details of any mobile number in India for free and get a JSON
formatted output, inspired by NumSpy.
Reverse Phone Lookup - Detailed information about phone carrier, region, service
provider, and switch information.
Spy Dialer - Get the voicemail of a cell phone & owner name lookup.
Twilio - Look up a phone number's carrier type, location, etc.
Phone Validator - Pretty accurate phone lookup service, particularly good against
Google Voice numbers.

Social Media
Major Social Networks
Draugiem (Latvia)
Facebook
Facenama (Iran)
Google+
Instagram
Linkedin
Mixi (Japan)
Odnoklassniki (Russia)
Pinterest
Qzone (China)
Reddit
Taringa (Latin America)
Tinder
Tumblr
Twitter
Weibo (China)
VKontakte
Xing

Real-Time Search, Social Media Search, and General Social Media Tools
Audiense
Bottlenose
Brandwatch
Buffer
Buzz sumo
Flumes
Gaddr
Geocreepy
Geofeedia
Hootsuite
HowSociable
Hashtatit
Icerocket
Klear
Klout
Kred
MustBePresent
Netvibes
OpinionCrawl
Rival IQ
RSS Social Analyzer
SmashFuse
SocialBakers
SociaBlade
Social DownORNot
Social Mention
Social Searcher
Tagboard
Trackur
UVRX

Social Media Tools (Twitter)


Backtweets
Blue Nod
burrrd.
Crate
Custom Twitter Tools

doesfollow
Fake Follower Check
FirstTweet
First Tweet
Foller.me
FollowCheck
Followerwonk
Geochirp
GeoSocial Footprint
GetTwitterID
Gigatweeter
Ground Signal
HappyGrumpy
Harvard TweetMap
Hashtagify
Hashtags.org
InTweets
ManageFlitter
Mentionmapp
OneMillionTweetMap
Queryfeed
Rank Speed
Riffle
RiteTag
Sentiment140
Silver Bird
SnapBird
Sleeping Time
Social Bearing
Social Rank First Follower
Spoonbill
Tagdef
TeachingPrivacy
Tinfoleak
Trends24
TrendsMap
Twazzup
twbirthday
TwChat
tweepsect
Tweet4me
TweetArchivist
Tweet Chat
TweetDeck
Tweeten
TweetMap
TweetMap
Tweetpaths
TweetPsych
Tweetreach
TweetStats
Tweet Tag
TweetTunnel
Twellow
Tweriod
Twiangulate
Twicsy
Twilert
Twipho
Twitonomy
TwitRSS
Twitter Advanced Search
Twitter Audit
Twitter Chat Schedule
Twitter Counter
Twitterfall
Twitter Search
Twitter Search Tools
TWUBS Twitter Chat
Schedule Warble
