base64
echo 'test' | base64
echo 'dGVzdAo=' | base64 -d
hex
echo 'test' | xxd -p
echo '746573740a' | xxd -p -r
rot13
echo 'test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
echo 'grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
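The three decoders above are often tried in turn on a CTF string of unknown encoding. The script below is an added example, not part of the original notes: it wraps each decoding in a function, validates the input first (hex must be even-length and hex-only, base64 must decode cleanly) and keeps only the candidates whose output is printable text, so the stray non-text decodings are dropped automatically. It assumes base64, xxd and tr are installed, as they are on Kali.

```shell
#!/bin/sh
# Added example: try base64, hex and rot13 on one input and keep the
# candidates that produce printable text. Assumes base64, xxd, tr.

rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Decode base64; prints nothing and returns 1 on invalid input.
b64_decode() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Decode hex; xxd -r -p silently skips bad characters, so validate first.
hex_decode() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    printf '%s' "$1" | xxd -r -p
}

# True when the string is made only of printable ASCII and whitespace.
is_printable() {
    case "$1" in
        *[![:print:][:space:]]*) return 1 ;;
    esac
    return 0
}

# Print "<encoding>: <decoded>" for every candidate that yields printable
# text. Returns 1 if none did. Several lines may print; the reader picks.
guess_decode() {
    input=$1
    found=1
    out=$(b64_decode "$input") && [ -n "$out" ] && is_printable "$out" && {
        printf 'base64: %s\n' "$out"; found=0; }
    out=$(hex_decode "$input") && [ -n "$out" ] && is_printable "$out" && {
        printf 'hex: %s\n' "$out"; found=0; }
    out=$(rot13 "$input") && [ -n "$out" ] && is_printable "$out" && {
        printf 'rot13: %s\n' "$out"; found=0; }
    return $found
}

# Usage: sh decode.sh '<string>'   (defaults to the notes' base64 sample)
guess_decode "${1:-dGVzdAo=}"
```

Note that rot13 of almost any ASCII input is printable, so a rot13 line is printed for most inputs; the useful signal is whether the base64 or hex decoding also survives the printability check.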
ffuf commands
In each case, FUZZ is the placeholder for word replacement.
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u http://example.com/target_dir/FUZZ \
-e .txt,.html,.bak # extensions appended to each word; add more as needed
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-u http://example.com/target_dir/FUZZ \
-recursion
POST parameter
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u http://example.com/example.php \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "y=FUZZ" \
-ic # ignore the comment lines at the top of SecLists wordlists
GET parameter
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u 'http://example.com/example.php?x=FUZZ' \
-ic
dnsenum
Performs various DNS-level and OSINT searches to find subdomains.
dnsenum \
--enum target.tld \
-f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
gobuster
You can do virtual host subdomain brute forcing with gobuster. You can specify the target as a hostname or IP. The wordlist is given with -w; --append-domain appends the domain from -u to each word so the Host header is word.target.tld.
gobuster vhost \
-u http[s]://targetip[:port] \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
--append-domain
You can do a DNS zone transfer using dig with the axfr query type:
dig axfr @dns-server.com target.tld
This returns every DNS record for target.tld. AXFR is intended to copy a zone from a primary to a secondary server and should only be allowed for trusted secondaries, but a misconfigured server may permit unauthorised transfers, which gives a full listing without any brute forcing 🌿. Try each authoritative nameserver (dig +short NS target.tld), since one may be locked down while another is not.
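A zone transfer is accepted or refused per nameserver, so the check is only complete when every NS has been tried. The script below is an added example, not from the original notes: it enumerates the NS set with dig, attempts AXFR against each one and classifies the result by parsing dig's output (dig marks a refusal with a "; Transfer failed." comment line, and all comment lines start with ';'). The parsing function can be fed saved dig output offline; the live part assumes dig from bind9-dnsutils and network access.

```shell
#!/bin/sh
# Added example: try AXFR against every authoritative nameserver of a zone.
# Assumes dig is installed. Run as: sh axfr-check.sh target.tld

# Read dig axfr output on stdin and print only the resource records.
# Exit 1 when dig reported "; Transfer failed." or returned no records
# (for example a timeout, where dig prints only ';;' comment lines).
axfr_records() {
    awk '
        /^; *Transfer failed/ { failed = 1 }
        /^;/ || /^[ \t]*$/   { next }
        { n++; print }
        END { exit (failed || n == 0) ? 1 : 0 }
    '
}

# Try AXFR against one server; report the record count or a refusal.
try_axfr() {
    ns=$1; zone=$2
    if recs=$(dig +time=5 +tries=1 axfr "$zone" "@$ns" | axfr_records); then
        count=$(printf '%s\n' "$recs" | grep -c .)
        printf '%s %s: ALLOWED (%s records)\n' "$zone" "$ns" "$count"
    else
        printf '%s %s: refused\n' "$zone" "$ns"
    fi
}

# Enumerate the authoritative NS set (names come back with a trailing dot,
# which dig accepts after @) and test each one.
check_zone_transfer() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        try_axfr "$ns" "$zone"
    done
}

if [ $# -eq 1 ]; then
    check_zone_transfer "$1"
fi
```

The record count includes the SOA twice, because AXFR output starts and ends with it; a transfer that returns only the SOA pair and nothing else is still a successful transfer and worth noting.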
The seclists from https://github.com/danielmiessler/SecLists can be installed on Kali using apt:
apt install seclists
They're installed into /usr/share/seclists/
proxychains is a tool which forwards the TCP traffic of another application via a proxy; you run the application through it. For example:
proxychains curl www.example.com
The relevant part of the config for HTTP traffic is the [ProxyList] section of /etc/proxychains.conf (on Kali's proxychains-ng package the file is /etc/proxychains4.conf):
#socks4 127.0.0.1 9050 # comment out the default Tor entry, see below
# Add the following line
http 127.0.0.1 8080
This config forwards the traffic to a proxy on 8080, which is the default for Burp. The Tor line has to go because proxychains defaults to strict_chain, which pushes traffic through every listed proxy in order and fails if any of them is down: left in place, requests would either go via Tor before reaching Burp or fail outright when Tor isn't running. Change the setup as needed for other tools.
getcap lists the file capabilities set on binaries. The one that is a way in is cap_setuid, provided it is in the effective set (shown as +ep or =ep):
getcap -r / 2>/dev/null
If anything is listed that lets you run a script or interpreter, you can use it to set your uid to 0 and spawn a shell. Here's a Python example, for a python3 binary with cap_setuid+ep:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
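On a real box the getcap listing is long and the format differs between libcap versions ("/path = cap_setuid+ep" on older systems, "/path cap_setuid=ep" on newer ones). The script below is an added example, not the notes' own code: it parses either format, ignores capabilities that are only permitted (no 'e' flag, which the caller would have to raise itself) and flags the ones that hand out root or arbitrary file access. The DANGEROUS list is this example's own selection and is not exhaustive; run it with --scan to check the live system, or feed it saved getcap output on stdin.

```shell
#!/bin/sh
# Added example: pick the dangerous, effective capabilities out of getcap -r
# output. Handles both "/path = caps" and "/path caps" formats.

# Capabilities that directly lead to root or arbitrary file access
# (this list is the example's own choice, not exhaustive).
DANGEROUS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Read getcap lines on stdin; print "path capability" for every dangerous
# capability in the effective set. Exit 1 when nothing was found.
flag_caps() {
    awk -v list="$DANGEROUS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) danger[a[i]] = 1 }
    NF < 2 { next }
    {
        path = $1
        caps = $0
        sub(/^[^ ]+ (= )?/, "", caps)      # drop the path and an optional " = "
        # caps is space-separated clauses like cap_setuid+ep or
        # cap_chown,cap_dac_override=ep; "=ep" alone means all capabilities
        nclause = split(caps, clause, " ")
        for (i = 1; i <= nclause; i++) {
            c = clause[i]
            if (!match(c, /[=+-]/)) continue
            op    = substr(c, RSTART, 1)
            names = substr(c, 1, RSTART - 1)
            flags = substr(c, RSTART + 1)
            if (op == "-" || index(flags, "e") == 0) continue   # not usable as-is
            if (names == "") { print path, "ALL (=" flags ")"; found++; continue }
            nn = split(names, name, ",")
            for (j = 1; j <= nn; j++)
                if (name[j] in danger) { print path, name[j]; found++ }
        }
    }
    END { exit found ? 0 : 1 }'
}

# Live scan only when asked for explicitly; otherwise pipe getcap output in.
case "$1" in
    --scan) getcap -r / 2>/dev/null | flag_caps ;;
esac
```

A permitted-only capability (for example cap_sys_ptrace=p) is deliberately not flagged: the binary must call capset itself to make it effective, so it is only exploitable if the program already does so.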
Just over a year ago I decided to bite the bullet and try out Colemak. I've been at it full time on my Corne, but still using QWERTY on traditional keyboards.
My findings: