Skip to main content

Posts

Thread Modelling Cheatsheet: Know Your Weaknesses Before Attackers Do!

Threat Modelling Part - 1 What is Threat Modelling?      Threat modelling is the process of identifying, assessing, and mitigating potential security threats before they happen. It helps teams anticipate how systems can be attacked and build defences proactively , not reactively. Key Concepts Threat: Something (like a hacker or malware) that could exploit a weakness. Vulnerability: A flaw in your system that can be exploited. Risk: The chance that a threat will exploit a vulnerability to cause damage. Analogy : Threat = Burglar Vulnerability = Unlocked door Risk = Getting robbed because the door is open in a bad neighborhood  Threat Modelling Process (High-Level) Define the Scope – What systems/apps are you evaluating? Identify Assets – What needs protection? (e.g. data, services) Identify Threats – Think like an attacker. What could go wrong? Analyze Vulnerabilities – What weaknesses exist? Prioritize Ri...
Post a Comment
Read more
Recent posts

Python Basics - Part I

*TL:DR* Initial Installation of python in system   Lets start with simple python program print("Hello World") #---> output ---> Hello world """ Hello world program In python anything inside print() will display on the screen Also the text print to on the screen should be inside "", '' between this """ Python Commands #print a number print(25) # Hash is used to comment out which will ignored on execution # Hash is a single line command """ Multi line command Defined like this can hold multiple lines """ ''' These commands can comment out error making code lines and also declare or define what this particular line of code does explanation For debugging For Future references, as comments are in readable format For collaboration with Peers ''' Python Variables and Literals #variable is the container which holds or store data number = 10 #Number is the var...
Post a Comment
Read more

PostgreSQL - Port 5432

  PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility. Identify PostgreSQL nmap -sV -p 5432 <target-host> nmap Scanning nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 #make sure to check for vulnerable versions nmap -sV -p 5432 <target-host> Exploiting Known Vulnerabilities searchsploit postgresql <version> Enumerating Databases and Tables List all databases \l Switch to a database \c <database_name> List tables in the current database: \dt Extract data from a specific table: SELECT * FROM <table_name>; Dumping Hashes SELECT usename, passwd FROM pg_shadow; Accessing File System COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt'; Bruteforcing Postgres Creds #Using Metasploit use auxiliary/scanner/postgr...
Post a Comment
Read more

MSRPC (Microsoft Remote Procedure Call) Pentesting - Port 135

  It is also known as a function call or a subroutine call. Default ports are 135, 593. Enumeration nmap --script msrpc-enum -p 135 <target-ip> RPC Endpoints To enumerate RPC endpoints, use impacket-rpcdump. impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR' MS-EFSRPC: It might be vulnerable to PetitPotam. MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare. Metasploit msfconsole msf> use auxiliary/scanner/dcerpc/endpoint_mapper msf> use auxiliary/scanner/dcerpc/hidden msf> use auxiliary/scanner/dcerpc/management msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor Connect # Anonymous logon rpcclient -N -U "" <target-ip> rpcclient -N -U "" -p 593 <target-ip> rpcclient -N -U "" dc.example.local # Specify username # -W: Workgroup # -N: No password rpcclient -U username <target-ip> rpcclient -W WORKGROUP -U username <target-ip> rpcclient -U username -N <target-ip...
Post a Comment
Read more

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25

 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS)   Connect We can use Telnet to connect to the remote server. Here is a command using Telnet: telnet example.com 25 Enumeration Identifying a SMTP Server You can use Nmap to check if there's an Telnet server on a target host like this: nmap -p25,465,587 -sV -Pn target.com Additional Nmap commands for enumeration nmap --script smtp-brute -p 25,465,587 "target-ip" nmap --script smtp-commands -p 25,465,587 "target-ip" nmap --script smtp-enum-users -p 25,465,587 "target-ip" nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip" nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip" nmap --script smtp-* -p 25,465,587 "target-ip" Enumer...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more

RPC Client Enumeration - Port 135

Pivoting for Red Teamers Using rpcclient via Metasploit for Enumeration & Exploitation rpcclient is a powerful tool used for enumerating and interacting with Windows RPC services . It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines. Using rpcclient Manually (Without Metasploit) If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux: rpcclient -U "" <TARGET_IP> or rpcclient -U "guest" <TARGET_IP> 🔹 If it prompts for a password, just press Enter to attempt a null session login . Common Enumeration Commands enumdomusers # Enumerate domain users queryuser <RID> # Get user details (Replace <RID> with a user RID) enumdomgroups # Enumerate groups querygroup <RID> # Get group details getsid # Get security identifier (SID) lookupnames <...
Post a Comment
Read more