Common Ports and Services
- FTP:
  - Port: 20 & 21
  - Service: File Transfer Protocol
- SSH:
  - Port: 22
  - Service: Secure Shell / Secure Socket Shell / Remote Login (rlogin) / Remote Shell (rsh) / Remote Copy (rcp) / Remote Distribution (rdist)
- TELNET:
  - Port: 23
  - Service: Telecommunication Network / Terminal Network
- SMTP:
  - Port: 25
  - Service: Simple Mail Transfer Protocol
- DNS:
  - Port: 53
  - Service: Domain Name System
- DHCP:
  - Ports: 67 & 68
  - Service: Dynamic Host Configuration Protocol
- HTTP:
  - Port: 80
  - Service: Hypertext Transfer Protocol
- HTTPS:
  - Port: 443
  - Service: Hypertext Transfer Protocol Secure
- POP3:
  - Port: 110
  - Service: Post Office Protocol
- NNTP:
  - Port: 119
  - Service: Network News Transfer Protocol
- IMAP:
  - Port: 143
  - Service: Internet Message Access Protocol
OSI Model Layers
- Physical Layer: Deals with transmission modes (simplex, half-duplex, full-duplex).
- Data Link Layer: Contains MAC (Media Access Control) and LLC (Logical Link Control).
- Network Layer: Involves logical addressing and switching.
- Transport Layer: Ensures reliable data transfer.
- Session Layer: Manages sessions between applications.
- Presentation Layer: Handles data representation and encryption.
- Application Layer: Provides interfaces for network applications.
Proxy Types
- Anonymous Proxy
- SSL Proxy
- Transparent Proxy
- Reverse Proxy
- Forward Proxy
VPN Types and Protocols
- Site-to-Site VPN
- IPsec VPN
- SSH VPN
- L2TP
- PPTP
- OpenVPN
- SSL and TLS VPN
Password Cracking and Wordlist Tools
- John the Ripper
- hashcat
- Hydra
- ophcrack
- Ncrack
- WGen
- SSH Auditor
Key Definitions
- Blind SSRF (Server-Side Request Forgery) occurs when an attacker can make a server perform HTTP requests to arbitrary destinations without receiving direct responses.
- Web Cache Deception involves tricking a caching proxy into improperly storing sensitive data, which an attacker can then retrieve from the cache.
Signup/Register Vulnerabilities
- Injection Attacks (SQLi, XSS)
- Duplicate Registration
- No Rate Limit
- Weak Password Policies
- Insecure Direct Object References (IDOR)
- CAPTCHA Bypass
- Insufficient Email Verification
Recon and Scanning Tools
- Nmap
- Masscan
- Naabu
- Altdns
- Amass
- Aquatone
- DNSRecon
- Nessus
- Nuclei
- DalFox XSS Scanner
- SQLMap
- Shodan
- Censys
- Google Dorks
- FOCA
- FFuF
- Dirb
- Gobuster
- Dirsearch
- Dirbuster
Bug Bounty Tips
- Utilize Google Dorking to find hidden resources and vulnerabilities.
- Exploit signup vulnerabilities like SQL injection, XSS, or weak passwords.
- Look for Blind SSRF vulnerabilities to cause servers to make unauthorized requests.
- Exploit Web Cache Deception by tricking caching proxies into storing sensitive data.
- Utilize recon tools for discovering hosts, subdomains, and vulnerabilities in target applications.
Getting Started
- Learn networking basics and common web technologies.
- Study security concepts and common vulnerabilities.
- Explore bug bounty resources such as books, YouTube channels, and practice platforms.
- Start practicing with labs and platforms like PortSwigger Academy, Pentester Lab, TryHackMe, and Hack The Box.
Password Cracking
Use tools like John the Ripper, hashcat, and Hydra to crack passwords, and tools like WGen to create wordlists. These tools help test the strength of passwords and identify weak authentication mechanisms.
XSS to Account Takeover
Exploit XSS vulnerabilities to escalate to an Account Takeover (ATO) by stealing session IDs, initiating ATO via email invites, manipulating security questions, or adding authentication methods.
Web Cache Deception
Exploit Web Cache Deception vulnerabilities by tricking caching proxies into storing sensitive data, then gain unauthorized access to the cached information.
Google Dorking for Hidden Resources
Use Google Dorking to discover hidden log files, webcams, passwords, and other sensitive information exposed on the internet.
Signup/Register Testing
Test signup/register functionality for injection attacks, duplicate registration, rate limiting bypass, weak password policies, insecure direct object references (IDOR), CAPTCHA bypass, and insufficient email verification.
Blind SSRF
Blind SSRF (Server-Side Request Forgery) is an attack where an attacker can cause a vulnerable server to make HTTP requests to arbitrary destinations without directly receiving the responses.
- Out-of-Band Techniques: Utilize external services or resources to confirm SSRF vulnerability and exfiltrate data without directly receiving responses.
Where XXE (XML External Entity) Vulnerabilities Can Be Found
- Web Applications: Including SOAP and RESTful web services, XML-based APIs, and applications parsing XML input.
- File Upload Forms: Upload crafted XML files containing external entity references and observe server responses.
- Document Processing Libraries: Libraries and software parsing XML documents may contain XXE vulnerabilities.
- XML-RPC and SOAP Endpoints: Send XML requests with crafted external entity references and analyze server responses.
- Third-Party Plugins and Libraries: Review third-party code for XML parsing functionalities.
- Content Management Systems (CMS): CMS platforms processing XML data may be susceptible to XXE vulnerabilities.
- Mobile Applications: Applications accepting XML input, communicating with XML-based APIs, or parsing XML data might be vulnerable.
SQL Injection Hunting
- Use Waybackurls to gather all possible URLs of the target.
- Use GF tool to filter SQL parameters of the target and save them.
- Exploit SQL injection vulnerabilities in input fields to manipulate the database or gain unauthorized access.
Web Cache Deception (WCD)
Web Cache Deception (WCD) is an attack where an attacker tricks a caching proxy into improperly storing private information and then gains unauthorized access to the cached data.
- Exploit the caching of static and public files like stylesheets, scripts, and images.
- Inject malicious content into web applications to manipulate caching behavior.
- Use out-of-band techniques to exfiltrate cached data without directly receiving responses.
Signup/Register Vulnerabilities in Detail
- Injection Attacks: SQL injection, XSS.
- Duplicate Registration: Allow multiple sign-ups using identical credentials.
- No Rate Limit: Lack of rate limiting on the signup page can lead to fake account generation.
- Weak Password Policies: Lack of complexity requirements and multi-factor authentication.
- Insecure Direct Object References (IDOR): Manipulate parameters to gain unauthorized access.
- CAPTCHA Bypass: Exploit flaws in CAPTCHA implementation.
- Insufficient Email Verification: Lack of or weak email verification mechanisms.
Password Cracking Tools in Detail
- John the Ripper: A fast password cracker written in C.
- Hashcat: World's fastest and most advanced password recovery utility.
- Hydra: Parallelized login cracker supporting numerous protocols.
- Ophcrack: Windows password cracker based on rainbow tables.
- Ncrack: High-speed network authentication cracking tool.
- WGen: Python tool for creating wordlists.
- SSH Auditor: Scans for weak SSH passwords on networks.
Out-of-Band SSRF
Out-of-Band SSRF exploitation involves using external services or resources to confirm an SSRF vulnerability and exfiltrate data without directly receiving responses from the server.
SQL Injection Testing Checklist
- Check state-changing requests like POST, DELETE, PUT for SQL injection vulnerabilities.
- Test parameters with string input for context breaking with ' or #.
Learning Resources
- Study networking basics, web technologies, and security concepts.
- Refer to books, YouTube channels, expert write-ups, articles, and blogs.
- Practice on platforms like PortSwigger Academy, Pentester Lab, and Hack the Box.