Web Enumeration

General

• OWASP ZAP
• Burp Suite
• Telerik Fiddler
• amass
• gobuster / (auto)dirbuster / feroxbuster / rustbuster
• nikto

Frameworks

• w3af
  • Basically Metasploit for webapps
• TIDoS-Framework
  • The Offensive Manual Web Application Penetration Testing Framework
  • Basically Metasploit for webapps
• TODO: sparty

Fingerprinting

• zgrab2
  • WARNING: Installation instructions are super shoddy
    • Clone to /usr/local/src
    • cd /usr/local/src/zgrab2/cmd/zgrab2
    • go build
      • Maybe need to go build the entire thing first?
  • WARNING: May yield false negatives
• wappalyzer
  • Identify technology on websites
• findomain
  • Has paid version
• fingerprintjs
  • Browser fingerprinting library

SSL

• https://github.com/takeshixx/python-ssllabs
• NSE ssl-cipher-enum

XSS

• xsser
  • Automated XSS
• xsssniper
  • Automated XSS
• xsscrapy
  • Automated spider (?) for XSS + SQLi

SQLi

• sqlmap

LFI

• lfimap
  • LFI discovery/exploitation

Fuzzing

• ffuf
  • Fuzzer utility
• FDsploit
  • File inclusion + directory traversal
• fuzz.txt
  • Shortlist for files/directories to fuzz for
• fuzzdb
  • General reference point
• radamsa
  • General-use fuzzer
  • This seems to be geared more towards fuzzing a binary

WAF Bypass

• 3 tricks to bypass Cloudflare WAF in file upload

CMS

• wpscan
  • Scan WP sites
  • Beware the payment model (free, but requires registration and comes w/ daily scan limit of ~75 as of writing)
• joomscan
• droopescan

Java

Java RMI

• remote-method-guesser
  • Identify common RMI vulns
• rmiscout
  • Enumerate remote functions and/or exploit if possible
• BaRMIe
  • Enumerate and attack RMI services

Notes

TODO: Clean up wording.

What is Java RMI? It's basically an RPC protocol built for the Java ecosystem, typically used by apps to communicate with other apps/components. It isn't necessarily the most modern approach (as opposed to, say, a REST API), but it'll be around for a while (and I'm sure it's better in some usecases).

For JMX endpoints, look for RemoteObject or RMIServer in nmap's output. If the JMXRMI endpoint is unauthenticated, you can get a shell on the system with the exploit/multi/misc/java_jmx_server. Worth noting: the scanner part of this tool may lie.

What's JMX? It's be used to monitor and manage a running JVM (read: fewer restrictions on code we can run!), and it typically uses an RMI connector to communicate with clients, hence the mention.

Resources

• HackTricks - Pentesting Java RMI
• Attacking RMI based JMX services
• Java JMX Server Insecure Configuration RCE
• Difference between JMX and RMI

Java Debug Wireless Protocol

Just use Metasploit: exploit/multi/misc/java_jdwp_debugger

Misc

• ysoserial
  • Exploit object deserialization vulns
• CeWL
  • Custom Word List generator
• D4N155
  • wordlist based on website contents
• Digestive
  • Dictionary cracking tool for HTTP Digest challenge/response hashes
• d4js
  • Deobfuscate JS
  • Not super useful, but links to some nice related projects
• FOCA
  • Extract file metadata + hidden info from docs
• js-beautify
  • Beautify JS
• LinkFinder
  • Find endpoints in JS
  • Python script
• linx
  • Find invisible links in JS
• interactsh
  • Detect OOB interactions, e.g. DNS resolution
• jndi-injection-exploit
  • Generate JNDI payloads
• CVE-2022-43684: ServiceNow Insecure Access Control leading to Administrator Account Takeover
• wsgidav
  • WebDAV server based on WSGI
  • Useful for hosting payloads

Post

• BeEF
  • Browser hook
• wwwolf-php-webshell
  • PHP webshell
• WebShell
  • A collection of webshells + backdoors
• reGeorg WebShell
  • For a tunnel
• Vailyn
  • Path traversal + LFI
• Weevely
  • More advanced PHP webshell
• Simple Data Exfiltration Through XSS
• Grabify
  • Create/track URLs

Shells

• PayloadsAllTheThings cheatsheet
• reverse-shell-generator