Tips and Tricks

Default Credential

| S/P | Username | Password |
| --- | --- | --- |
| Jenkins | admin | admin |
| AWS EC2 | ec2-user | N/A (use SSH key) |
| AWS RDS | N/A (use IAM credentials) | N/A (use IAM credentials) |
| AWS S3 | N/A (use IAM credentials) | N/A (use IAM credentials) |
| Azure VM | azureuser | N/A (use SSH key) |
| Azure SQL Database | N/A (use Azure AD authentication or SQL Server authentication) | N/A (use Azure AD authentication or SQL Server authentication) |
| Google Compute Engine | N/A (use project-level SSH key) | N/A (use project-level SSH key) |
| Google Cloud SQL | N/A (use Cloud SQL Proxy or SSL/TLS certificate) | N/A (use Cloud SQL Proxy or SSL/TLS certificate) |
| Docker | root | N/A |
| Kubernetes | N/A | N/A (use Kubernetes authentication mechanisms) |
| OpenStack | ubuntu | ubuntu |
| VMware ESXi | root | N/A |
| Cisco IOS | cisco | cisco |
| Juniper Junos | root | juniper123 |

More: https://github.com/ihebski/DefaultCreds-cheat-sheet

Dork

Search engines (table columns, in order): shodan, censys, securitytrails, greynoise, binaryedge, zoomeye, Netlas, fofa, huntr, leakix

Nginx

  • shodan: "nginx" http.component:nginx
  • censys: "nginx" AND tags:web AND tags:https
  • securitytrails: http.html_body.server:nginx
  • greynoise: service.name:nginx
  • binaryedge: http.servers:nginx
  • zoomeye: app:"nginx"
  • Netlas: http.server:nginx
  • fofa: title="nginx" || header="nginx"
  • huntr: http.servers="nginx"
  • leakix: server:nginx

Apache

  • shodan: "apache" http.component:apache
  • censys: "apache" AND tags:web AND tags:https
  • securitytrails: http.html_body.server:apache
  • greynoise: service.name:apache
  • binaryedge: http.servers:apache
  • zoomeye: app:"apache"
  • Netlas: http.server:apache
  • fofa: title="apache" || header="apache"
  • huntr: http.servers="apache"
  • leakix: server:apache

Phpmyadmin

Server: phpmyadmin

org asn

  • shodan: asn:ASXXXXXXX org:
  • censys: asn:ASXXXXXXX AND tags:
  • securitytrails: include:asn:ASXXXXXXX AND type:organization
  • greynoise: asn:ASXXXXXXX organization:
  • binaryedge: asn:ASXXXXXXX organization:
  • zoomeye: asn:ASXXXXXXX org:
  • Netlas: asn:ASXXXXXXX org:
  • fofa: header="ASXXXXXXX" && title=" "
  • huntr: asn:ASXXXXXXX organization:
  • leakix: asn:ASXXXXXXX org:

elasticsearch

  • shodan: product:elasticsearch
  • censys: elasticsearch.protocol:tcp
  • securitytrails: os:elasticsearch
  • greynoise: port:9200
  • binaryedge: elasticsearch
  • zoomeye: app:"Elasticsearch" port:"9200"
  • Netlas: product:"Elasticsearch"
  • fofa: title="Elasticsearch" || body="Elasticsearch" || header="Elasticsearch"
  • huntr: product:"elasticsearch"
  • leakix: title:"kibana" && title:"elastic"

Minio

  • shodan: http.html:" "
  • censys: (443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: minio.*)
  • securitytrails: ssl.cert_subject_alt_name: minio
  • greynoise: metadata.product: "MinIO"
  • binaryedge: "http.component:Minio" OR "http.title:Minio"
  • zoomeye: title:Minio
  • Netlas: http.title:"Minio"
  • fofa: title="MinIO" || header="Minio" || header="X-Amz-Bucket-Region"
  • huntr: intitle:"MinIO"
  • leakix: intitle:"MinIO"

Kubernetes

  • shodan: "kubernetes port:6443"
  • censys: "443.https.get.body: "kubernetes""
  • securitytrails: "kubernetes.*.cloudapp.azure.com"
  • greynoise: "tags:kubernetes"
  • binaryedge: "title:"kubernetes-dashboard""
  • zoomeye: "app:"kubernetes-dashboard""
  • Netlas: "app:"kubernetes-dashboard""
  • fofa: "title="Kubernetes Dashboard" || header="kubernetes""
  • huntr: "title:"kubernetes dashboard""
  • leakix: "title:"Kubernetes Dashboard""

mssql

  • shodan: product:"Microsoft SQL Server"
  • censys: 443.https.get.body:"microsoft sql server" OR 1433.banner:"microsoft sql server"
  • securitytrails: http.html_content:"Microsoft SQL Server" OR http.html_content:"MSSQLSERVER"
  • greynoise: tags:"mssql" OR tags:"microsoft sql server"
  • binaryedge: product:"Microsoft SQL Server"
  • zoomeye: app:"Microsoft SQL Server"
  • Netlas: title:"Microsoft SQL Server" OR body:"Microsoft SQL Server" OR body:"MSSQLSERVER"
  • fofa: title="Microsoft SQL Server" || header="Microsoft SQL Server"
  • huntr: title:"Microsoft SQL Server" OR body:"Microsoft SQL Server"
  • leakix: server:Microsoft-IIS/8.5 intitle:"sql server login"

rdp

  • shodan: "rdp" OR "port:3389"
  • censys: 3389.rdp.banner:"\x03\x00\x00\x0b\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  • securitytrails: "rdp" AND port:3389
  • greynoise: "tags.rdp" OR "tags.mstsc"
  • binaryedge: "rdp" AND port:3389
  • zoomeye: "rdp" OR "port:3389"
  • Netlas: "rdp" OR "port:3389"
  • fofa: "protocol=rdp" OR "port=3389"
  • huntr: "rdp" OR "port:3389"
  • leakix: "rdp" OR "port:3389"

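ftp

  • shodan: "ftp"
  • censys: "service.ftp.banner"
  • securitytrails: "service:ftp"
  • greynoise: "protocol:ftp"
  • binaryedge: "ftp"
  • zoomeye: "ftp"
  • Netlas: "ftp"
  • fofa: "protocol==ftp"
  • huntr: "ftp"
  • leakix: "ftp"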

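ssh

  • shodan: port:22 ssh
  • censys: 22.ssh.banner.raw_version: SSH
  • securitytrails: 22 || ssh
  • greynoise: /ssh/ && port:22
  • binaryedge: ssh port:22
  • zoomeye: port:22 ssh
  • Netlas: port:22 AND service.ssh==true
  • fofa: protocol=ssh
  • huntr: 22.ssh.banner.raw_version:SSH
  • leakix: service.ssh == true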

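dns

  • shodan: hostname:{DNS name}
  • censys: parsed.names: {DNS name}
  • securitytrails: domain:{DNS name}
  • greynoise: metadata.dns: {DNS name}
  • binaryedge: dns.name:{DNS name}
  • zoomeye: site:{DNS name}
  • Netlas: dns.host: {DNS name}
  • fofa: domain={DNS name}
  • huntr: domain:{DNS name}
  • leakix: data.hostnames: {DNS name}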

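modbus

  • shodan: port:502 modbus
  • censys: modbus
  • securitytrails: port:502
  • greynoise: modbus
  • binaryedge: port:502
  • zoomeye: port:502 modbus
  • Netlas: port:502 modbus
  • fofa: protocol=modbus
  • huntr: port:502
  • leakix: port:502 modbus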

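rtsp

  • shodan: port:554 rtsp
  • censys: protocols: rtsp
  • securitytrails: port:554
  • greynoise: protocols:rtsp
  • binaryedge: port:554 rtsp
  • zoomeye: port:554 rtsp
  • Netlas: protocol:rtsp
  • fofa: protocol=rtsp
  • huntr: protocol:rtsp
  • leakix: port:554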

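SMTP

  • shodan: smtp
  • censys: protocols:smtp
  • securitytrails: smtp
  • greynoise: port:25
  • binaryedge: port:25
  • zoomeye: service:smtp
  • Netlas: service:smtp
  • fofa: protocol==smtp
  • huntr: smtp
  • leakix: port.tcp eq 25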

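SMB

  • shodan: smb
  • censys: protocols.smb.banner.signatures.name: "SMB"
  • securitytrails: tags.smb = true
  • greynoise: metadata.protocol = smb
  • binaryedge: protocols:"smb"
  • zoomeye: app:"SMB/CIFS"
  • Netlas: service:"smb"
  • fofa: protocol="smb"
  • huntr: tags:"smb"
  • leakix: protocol:smb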

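NFS

  • shodan: port:2049 nfs
  • censys: protocols:"nfs"
  • securitytrails: port:2049 AND service:nfs
  • greynoise: tag:nfs
  • binaryedge: port:2049 nfs
  • zoomeye: app:"nfsd"
  • Netlas: nfs
  • fofa: title="NFS" || body="NFS" || header="NFS" || keyword="NFS"
  • huntr: port:2049 AND service:nfs
  • leakix: port:2049 nfs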

Docker registries

  • shodan: http.title:"Docker Registry"" OR "http.html:"Docker Registry"" OR "http.component:"docker"" OR "http.component:"registry"
  • censys: 443.https.get.metadata.protocol: Docker
  • securitytrails: http.headers.server: docker-registry" OR "http.html: docker-registry" OR "http.title: docker-registry
  • greynoise: http.metadata.product: Docker Registry
  • binaryedge: http.component:docker-registry
  • zoomeye: title:"Docker Registry"" OR "body:"Docker Registry"
  • Netlas: product:"Docker Registry"
  • fofa: title="Docker Registry"" OR "header="docker-registry"" OR "body="docker-registry"
  • huntr: docker-registry
  • leakix: http.component:"docker-registry"

memcached

  • shodan: port:11211 memcached
  • censys: protocols: "memcached"
  • securitytrails: type:server "memcached" port:11211
  • greynoise: service:memcached
  • binaryedge: port:11211 && memcached
  • zoomeye: port:"11211" memcached
  • Netlas: port:11211 && memcached
  • fofa: title="Memcached" && protocol="port:11211"
  • huntr: port: 11211 AND tags: memcached
  • leakix: protocols:"memcached" port:"11211"

RabbitMQ

  • shodan: product:rabbitmq
  • censys: 443.https.get.body:/{"product":"RabbitMQ","version":"
  • securitytrails: http.html: /management/rabbitmq/
  • greynoise: port:5672 (RabbitMQ) AND tags:RabbitMQ
  • binaryedge: title:"RabbitMQ Management"
  • zoomeye: app:"RabbitMQ Management"
  • Netlas: port:5672 AND product:rabbitmq
  • fofa: title="RabbitMQ Management" || body="RabbitMQ" || header="RabbitMQ"
  • huntr: port:5672 AND service.name:rabbitmq
  • leakix: product:rabbitmq

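WinRM

  • shodan: product:winrm
  • censys: protocols:winrm
  • securitytrails: os:windows winrm
  • greynoise: winrm
  • binaryedge: winrm
  • zoomeye: port:5985 winrm
  • Netlas: service:WinRM
  • fofa: protocol==winrm
  • huntr: winrm
  • leakix: winrm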

CouchDB

  • shodan: couchdb port:5984
  • censys: protocols: "couchdb" and port: 5984
  • securitytrails: http.component: "couchdb" and port: 5984
  • greynoise: http.server: "CouchDB" and port: 5984
  • binaryedge: protocols:couchdb and port:5984
  • zoomeye: app:"CouchDB" and port:5984
  • Netlas: port:5984 and app:couchdb
  • fofa: title="couchdb" && port=5984
  • huntr: couchdb inurl:5984
  • leakix: app:couchdb && port:5984

PostgreSQL

  • shodan: port:5432 postgres
  • censys: 443.versions.protocol: "PostgreSQL" or 5432.versions.protocol: "PostgreSQL"
  • securitytrails: pgsql-server
  • greynoise: port:5432
  • binaryedge: service:"postgresql"
  • zoomeye: port:"5432"
  • Netlas: title:"pgAdmin" OR title:"PostgreSQL" OR title:"pgAdmin 4" OR title:"pgAdmin 3"
  • fofa: title="Adminer" || body="pgsql" || body="PostgreSQL"
  • huntr: title:"postgresql" OR body:"postgresql"
  • leakix: pgsql-server

Gitlab

  • shodan: http.favicon.hash:-335242539 "gitlab"
  • censys: 443.https.get.metadata.server: GitLab
  • securitytrails: http.headers.server:"gitlab"
  • greynoise: metadata.service:gitlab
  • binaryedge: title:"GitLab" && protocols:"https"
  • zoomeye: title:"GitLab"
  • Netlas: http.favicon.hash:-335242539 "gitlab"
  • fofa: title="GitLab"
  • huntr: title="GitLab"
  • leakix: title="GitLab"

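SVN

  • shodan: Server: Apache SVN
  • censys: tags: svn
  • securitytrails: svn
  • greynoise: /svn/index.cgi
  • binaryedge: title:"viewvc" svn
  • zoomeye: port: 3690 svn
  • Netlas: os:svn
  • fofa: title="ViewVC" || title="SVN repository browser" || title="VisualSVN Server" || body="Powered by Subversion version"
  • huntr: svn
  • leakix: svn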

Tomcat

  • shodan: tomcat country:XX
  • censys: protocols: "http" and "product:Apache Tomcat"
  • securitytrails: http.web_server.name:"Apache Tomcat"
  • greynoise: metadata.product:tomcat
  • binaryedge: http.server.product:"Apache Tomcat"
  • zoomeye: app:"Tomcat"
  • Netlas: product:Tomcat
  • fofa: title="Apache Tomcat" || body="Apache Tomcat"
  • huntr: http.favicon.hash: -1448465410 && http.html: "Apache Tomcat"
  • leakix: os.query:"Apache Tomcat"

VNC

  • shodan: "vnc" port:5900
  • censys: port: "5900" AND "VNC protocol"
  • securitytrails: "vnc" AND port:5900
  • greynoise: "vnc" -port:5900
  • binaryedge: protocol:"vnc" AND port:5900
  • zoomeye: port:5900 AND app:"RealVNC"
  • Netlas: service:"vnc" port:"5900"
  • fofa: port="5900" && protocol="vnc"
  • huntr: vnc AND port:5900
  • leakix: "vnc" port:5900

LDAP

  • shodan: "ldap" port:389 or port:636
  • censys: tags: ldap
  • securitytrails: service:ldap
  • greynoise: tag:ldap
  • binaryedge: service:"LDAP (389/tcp)" or service:"LDAP SSL (636/tcp)"
  • zoomeye: app:"openLDAP" or app:"ActiveDirectory"
  • Netlas: service.ldap.banner:"ldap"
  • fofa: protocol==LDAP
  • huntr: service:ldap
  • leakix: port:389 or port:636

NetBIOS

  • shodan: port:"137" org:"" or netbios_name:""
  • censys: protocols: "netbios-ssn" or netbios.name: ""
  • securitytrails: netbios_host: or netbios_host:
  • greynoise: netbios
  • binaryedge: netbios.domain: "" or netbios.host:
  • zoomeye: netbios.name: or netbios.ip:
  • Netlas: netbios.host:
  • fofa: protocol="NetBIOS" && cert=""
  • huntr: netbios
  • leakix: netbios

TeamViewer

  • shodan: product:teamviewer
  • censys: 443.versions.banner:TeamViewer
  • securitytrails: os:'Windows 7' && port:5938 && app:'TeamViewer'
  • greynoise: metadata.teamviewer.enabled:true
  • binaryedge: product:'TeamViewer' && type:'host'
  • zoomeye: app:teamviewer
  • Netlas: teamviewer
  • fofa: title="TeamViewer" || header="TeamViewer"
  • huntr: service:"TeamViewer"
  • leakix: port.tcp eq 5938 and port.tcp eq 443 and product eq 'TeamViewer'

NoMachine

  • shodan: "nomachine" port:4000, "nomachine" port:4010, "nomachine" port:4011, "nomachine" port:4022
  • censys: "nomachine" and port:4000 or port:4010 or port:4011 or port:4022
  • securitytrails: service:"nomachine" and (port:4000 or port:4010 or port:4011 or port:4022)
  • greynoise: "nomachine" port:4000 or port:4010 or port:4011 or port:4022
  • binaryedge: service:nomachine and (port:4000 or port:4010 or port:4011 or port:4022)
  • zoomeye: app:"NoMachine" port:4000 or port:4010 or port:4011 or port:4022
  • Netlas: service:"nomachine" and (port:"4000" or port:"4010" or port:"4011" or port:"4022")
  • fofa: title="NoMachine" && (port=4000 || port=4010 || port=4011 || port=4022)
  • huntr: nomachine AND (port:4000 OR port:4010 OR port:4011 OR port:4022)
  • leakix: tags.nomachine AND (ports:4000 OR ports:4010 OR ports:4011 OR ports:4022)

vCenter

  • shodan: "vCenter" port:443
  • censys: 443.https.get.metadata.product:VMware-vCenter-Server
  • securitytrails: http.title:"vCenter Server"
  • greynoise: tags:"vmware-vcenter"
  • binaryedge: title:"vSphere Client"
  • zoomeye: app:"VMware vSphere"
  • Netlas: http.html_contains:"vmware-vsphere-client"
  • fofa: title="VMware vCenter Server" || body="vCenter Server" || header="vCenter Server"
  • huntr: service.name:VMware-vSphere
  • leakix: product:"VMware vCenter Server"

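ESXi

  • shodan: product:ESXi
  • censys: os: vmware_esxi
  • securitytrails: os:'VMware ESXi'
  • greynoise: tag:VMware-ESXi
  • binaryedge: os:'VMware ESXi'
  • zoomeye: webapp:VMware ESXi
  • Netlas: os:VMware ESXi
  • fofa: title='VMware ESXi'
  • huntr: service.name:VMware ESXi
  • leakix: product:'VMware ESXi'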

directory listings

  • shodan: "Server: -frontier -akamai -edgecast -fastly -incapsula -nginx -squarespace -cdn -amazonaws -cloudfront -gstatic -github"
  • censys: "protocols: http and 200.status_code:/2[0-9][0-9]/ and body: "Index of /" and not (body: "HTTP/1.1 301" or body: "HTTP/1.1 302" or body: "HTTP/1.1 303" or body: "HTTP/1.1 307" or body: "HTTP/1.1 308")"
  • securitytrails: http.title:/index of/i
  • greynoise: metadata.product:apache && metadata.title:/index of/i
  • binaryedge: http.html.body:/Index of/i && http.status.code:200
  • zoomeye: web.title:/index of/i
  • Netlas: http.title:/index of/i
  • fofa: title="Index of /" && protocol="http" && status_code="200"
  • huntr: http.body:/index of/i && http.status_code:200
  • leakix: title:"Index of /" && protocol:http

SOCKS

  • shodan: "socks" port:1080
  • censys: "socks" AND port:1080
  • securitytrails: port:1080 AND protocol:socks5
  • greynoise: "socks" AND port:1080
  • binaryedge: "SOCKS5" AND port:1080
  • zoomeye: "SOCKS5" && port:"1080"
  • Netlas: "SOCKS" port:"1080"
  • fofa: "SOCKS5" && port="1080"
  • huntr: "SOCKS5" port:1080
  • leakix: protocol:SOCKS5 port:1080

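V2Ray

  • shodan: v2ray
  • censys: tags.v2ray
  • securitytrails: v2ray
  • greynoise: v2ray
  • binaryedge: v2ray
  • zoomeye: v2ray
  • Netlas: v2ray
  • fofa: protocol=="v2ray"
  • huntr: v2ray
  • leakix: v2ray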

Squid

  • shodan: http.component: squid
  • censys: 80.http.get.headers.server: squid
  • securitytrails: HTTP.headers.server: squid
  • greynoise: http.server_header: squid
  • binaryedge: http.component: squid
  • zoomeye: app:Squid
  • Netlas: http.component.product: squid
  • fofa: title="Squid Cache" && protocol="http" && port=3128
  • huntr: Squid proxy server" OR "Squid proxy cache
  • leakix: intext:"Squid Object Cache"

PRTG

  • shodan: product:prtg port:80" or "product:prtg port:443
  • censys: 443.https.get.body: 'PRTG Network Monitor'" or "80.http.get.body: 'PRTG Network Monitor'
  • securitytrails: text:'PRTG Network Monitor' AND port:80" or "text:'PRTG Network Monitor' AND port:443
  • greynoise: http.user_agent: 'PRTG' OR http.title: 'PRTG'
  • binaryedge: product:PRTG" or "body:PRTG Network Monitor
  • zoomeye: app:PRTG Network Monitor" or "header.server:PRTG Network Monitor
  • Netlas: "prtg" or "prtg network monitor"
  • fofa: "title="prtg" || body="prtg"" or "protocol="http" && body="prtg""
  • huntr: "prtg" or "prtg network monitor"
  • leakix: "product:PRTG" or "PRTG Network Monitor"

WebDAV

  • shodan: Server: Microsoft-IIS/7.5 intitle: "WebDAV" OR "WebDAV MiniRedir"
  • censys: 80.http.get.headers.server: Microsoft-IIS/7.5 && title:"WebDAV MiniRedir"
  • securitytrails: http.headers.server:/Microsoft-IIS/7.5/ && title:"WebDAV MiniRedir"
  • greynoise: 80.http.get.headers.server: Microsoft-IIS/7.5 && title:"WebDAV MiniRedir"
  • binaryedge: http.server: Microsoft-IIS/7.5 && html.title: "WebDAV MiniRedir"
  • zoomeye: server:Microsoft-IIS/7.5 && title:"WebDAV MiniRedir"
  • Netlas: http.server: Microsoft-IIS/7.5 && http.title: "WebDAV MiniRedir"
  • fofa: "title="WebDAV" && header="Microsoft-IIS/7.5"
  • huntr: http.title:"WebDAV" && http.headers.server:"Microsoft-IIS/7.5"
  • leakix: http.title: "WebDAV" && http.headers.server: "Microsoft-IIS/7.5"

IIS

  • shodan: "Server: Microsoft-IIS" OR "Server: Microsoft-HTTPAPI"
  • censys: "443.https.get.title: IIS" OR "80.http.get.title: IIS"
  • securitytrails: "http.headers.server: Microsoft-IIS" OR "http.headers.server: Microsoft-HTTPAPI"
  • greynoise: "http.server: Microsoft-IIS" OR "http.server: Microsoft-HTTPAPI"
  • binaryedge: "server: Microsoft-IIS" OR "server: Microsoft-HTTPAPI"
  • zoomeye: "webapp="IIS"" OR "webserver="IIS""
  • Netlas: "http.favicon.hash:-1137975641 AND http.server:"Microsoft-IIS"" OR "http.favicon.hash:-1137975641 AND http.server:"Microsoft-HTTPAPI""
  • fofa: "protocol==http && header=="Server: Microsoft-IIS"" OR "protocol==http && header=="Server: Microsoft-HTTPAPI""
  • huntr: "iis" OR "microsoft-iis"
  • leakix: "http.server.name: Microsoft-IIS" OR "http.server.name: Microsoft-HTTPAPI"

Redis

  • shodan: port:6379 product:redis
  • censys: ports: "6379" AND tags.raw: "redis"
  • securitytrails: ("redis" AND port:6379)
  • greynoise: redis.server
  • binaryedge: protocols:"redis" -os:"Windows"
  • zoomeye: redis port:6379
  • Netlas: service:redis port:6379
  • fofa: title="Redis" && protocol="redis"
  • huntr: port:"6379" AND protocol:"redis"
  • leakix: port:6379 AND Redis

Cisco Smart Install

  • shodan: Server: Cisco-SMI
  • censys: 443.issmartinstall:true
  • securitytrails: fingerprint: "Device Type: Cisco Smart Install Client"
  • greynoise: /cgi-bin/discovery/
  • binaryedge: title:Cisco Smart Install - Configuration Assistant
  • zoomeye: product:Cisco Smart Install
  • Netlas: title:Cisco Smart Install
  • fofa: header='X-Remote-Addr' && title='Cisco Smart Install'
  • huntr: http.favicon.hash:-1300641209 && http.title:'Cisco Smart Install'
  • leakix: product:Cisco Smart Install

InfluxDB

  • shodan: "InfluxDB" port:8086
  • censys: (open_influxdb.port: 8086)
  • securitytrails: http.title:"InfluxDB Admin"
  • greynoise: "influxdb" -service.version:1.8
  • binaryedge: http.component:influxdb
  • zoomeye: title:"InfluxDB" port:8086
  • Netlas: port:8086 service:InfluxDB
  • fofa: title="InfluxDB" || body="InfluxDB"
  • huntr: type:service InfluxDB
  • leakix: server:"InfluxDB"

Cassandra

  • shodan: "cassandra" port:9042
  • censys: "cassandra" AND port:9042
  • securitytrails: port:9042 AND "cassandra"
  • greynoise: "cassandra" AND tags:{"cassandra"}
  • binaryedge: "cassandra" AND port:"9042"
  • zoomeye: "cassandra" port:"9042"
  • Netlas: "cassandra" port:9042
  • fofa: title="cassandra" && port=9042
  • huntr: "cassandra" AND port:"9042"
  • leakix: "cassandra" AND port:"9042"

GlusterFS

  • shodan: "GlusterFS"
  • censys: 443.versions = "GlusterFS"
  • securitytrails: GlusterFS
  • greynoise: http.favicon.hash:-434599080 "gluster"
  • binaryedge: service.glusterfs.banner: "GlusterFS"
  • zoomeye: app:"GlusterFS"
  • Netlas: http.favicon.hash:-434599080 "gluster"
  • fofa: title="Gluster Management Console" || body="GlusterFS" || header="Gluster"
  • huntr: title:"GlusterFS Management Console"
  • leakix: service:/glusterfs/

Hadoop

  • shodan: "hadoop" port:"50070" or "hadoop" port:"8088"
  • censys: product:Hadoop
  • securitytrails: "os:Linux" "hadoop"
  • greynoise: "50070" || "8088" && "hadoop"
  • binaryedge: "hadoop" in_service:"50070, 8088"
  • zoomeye: "hadoop" port:"50070" or "hadoop" port:"8088"
  • Netlas: service.name:hadoop
  • fofa: title="Hadoop NameNode"" or "title="Hadoop Resource Manager"
  • huntr: title:"hadoop cluster overview"
  • leakix: hadoop

Fortigate

  • http.favicon.hash:728337045 && title:"Fortinet - Login"
  • 443.https.get.title:"Fortinet"
  • http.html:"Fortinet"
  • port:443 http.html:"FortiGate"
  • title:"Fortinet FortiGate"
  • title:"Fortinet FortiGate Login"
  • http.title:"FortiGate"
  • title="Fortinet FortiGate Login" || header="Fortinet" || body="Fortinet"
  • fortigate

JDWP

  • jdwp country:"" port:"8000"
  • 443.jdwp
  • ("java.debugwire")
  • jdwp
  • jdwp
  • app:"JDWP-Debug-Interface"
  • port=8000 protocol=TCP service=JDWP
  • title="Apache Tomcat"
  • jdwp

IPsec

  • shodan: "ikev2.probe(500)" or "ikev2.probe(4500)" or "ipsec.probe()"
  • censys: "protocols: 'ikev2' or protocols: 'ipsec'"
  • securitytrails: "ikev2" or "ipsec"
  • greynoise: "port:500 or port:4500 or port: 1701 and tags:ipsec"
  • binaryedge: "protocols:ikev2 or protocols:ipsec"
  • zoomeye: "ipsec" or "ikev2"
  • Netlas: "ikev2" or "ipsec"
  • fofa: "title="Fortinet Firewall Login" && body="/remote/login" && body="/tmui/login.jsp/" && body="/remote/login?lang=en" && body="/remote/login?lang=en_US" && body="/remote/login?lang=es" && body="/remote/login?lang=es_US""
  • huntr: "service.name:"IPSec"" or "service.name:"IKEv2""
  • leakix: "protocol:ipsec" or "protocol:ikev2"

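Splunkd

  • shodan: product:splunkd
  • censys: 443.https.get.metadata.product: Splunkd
  • securitytrails: http.html: /en-US/splunkd/
  • greynoise: metadata.splunkd.server != null
  • binaryedge: product: Splunkd
  • zoomeye: app:Splunk
  • Netlas: Splunkd
  • fofa: title="Splunk" && header="Splunkd"
  • huntr: title:splunkd
  • leakix: splunkd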

Android Debug Bridge

  • shodan: "Android Debug Bridge" port:5555
  • censys: 80.http.get.headers.server:"Android Debug Bridge"
  • securitytrails: server:adb
  • greynoise: metadata.service == "adb"
  • binaryedge: service:"android debug bridge (adb)"
  • zoomeye: app:"Android Debug Bridge"
  • Netlas: http.component:"Android Debug Bridge"
  • fofa: app="Android Debug Bridge" || header="Android Debug Bridge"
  • huntr: http.headers.server:"Android Debug Bridge"
  • leakix: http.server.version:"Android Debug Bridge"

OpenCTI

  • shodan: http.favicon.hash:-1693683099
  • censys: 443.https.tls.certificate.parsed.extensions.authority_key_id:0a11b3211d2e25545ed61a568a78545c
  • securitytrails: app=nginx port:443
  • greynoise: 80.http.get.body.sha256:8f2c29dbae3b1cbbe10d59d8ed144c5999329fa974aa06f529ee550dc6341e2c
  • binaryedge: http.component:nginx
  • zoomeye: title:'OpenCTI'
  • Netlas: ssl://title:OpenCTI
  • fofa: title="OpenCTI" || header="X-Opencti-Path" || header="X-Opencti-User"
  • huntr: Server: nginx intitle:"OpenCTI"
  • leakix: title:"OpenCTI"

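Wazuh

  • shodan: wazuh auth_token" or "title:Wazuh
  • censys: 443.https.get.body_sha256:XV8WbTtTSPBOnQ2R26dA9XFeOXXz0vVdNllZlf0u0LQ
  • securitytrails: generic.server:Wazuh
  • greynoise: metadata.product:wazuh
  • binaryedge: wazuh
  • zoomeye: title:Wazuh
  • Netlas: Wazuh
  • fofa: app="Wazuh"
  • huntr: wazuh
  • leakix: app:wazuh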

Vault

  • shodan: "Vault Server" port:8200
  • censys: 443.https.tls.certificate.parsed.extensions.subject_alt_name: .vault
  • securitytrails: ssl.cert_subject_alt_name: .vault
  • greynoise: http.html_hash:3896359815
  • binaryedge: html:" "
  • zoomeye: title:"Vault"
  • Netlas: title:"Vault"
  • fofa: title="Vault" && port=8200
  • huntr: title:"Vault"
  • leakix: "vault" port:8200

Rocket.Chat

  • shodan: product:"Rocket.Chat"
  • censys: 443.https.get.metadata.software:Rocket.Chat
  • securitytrails: http.html_body:"Rocket.Chat"
  • greynoise: http.user_agent:"Rocket.Chat"
  • binaryedge: http.favicon.hash:-1788329738
  • zoomeye: title:"Rocket.Chat"
  • Netlas: title:"Rocket.Chat"
  • fofa: title="Rocket.Chat"
  • huntr: title:"Rocket.Chat"
  • leakix: http.title:"Rocket.Chat"

Mattermost

  • shodan: http.favicon.hash:1565243809
  • censys: 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:mattermost.*
  • securitytrails: https.cert.subject.common_name:mattermost.*
  • greynoise: metadata.product: mattermost
  • binaryedge: protocols:https && service.metas.product:mattermost
  • zoomeye: app:"Mattermost"
  • Netlas: http.url.path:/api/v4/users
  • fofa: title="Mattermost" || header="mattermost"
  • huntr: body:"content":"Mattermost"
  • leakix: https://leakix.net/search?query=mattermost

Gitter

  • shodan: title:"gitter" http.component:"gitter"
  • censys: 443.https.tls.certificate.parsed.names: "gitter.im"
  • securitytrails: "gitter.im"
  • greynoise: http.user_agent:"Mozilla/5.0 (compatible; Gitter)" or http.user_agent:"com.gitter"
  • binaryedge: http.component:Gitter or ssl.cert.issuer.cn:gitter
  • zoomeye: title:"Gitter" or header:"X-Powered-By: Gitter"
  • Netlas: host:gitter.im
  • fofa: title="Gitter" || domain="gitter.im"
  • huntr: title:"Gitter"
  • leakix: domain:gitter.im