2019-01-22: Andrew Howden (MageChat #security) shared some references:
- Fuzzing https://github.com/minimaxir/big-list-of-naughty-strings
- RCE Backdoors -- PHP https://github.com/bartblaze/PHP-backdoors
- Techniques -- DNS: It is useful to have a list of the domains a target owns. Some services may be hosted under another domain (such as sitewards.net) that are not hosted under a public-facing domain. To do this:
  1. Check the SSL certificate of the root domain for SAN domains: $ openssl x509 -in /tmp/certificate.txt -text -noout will show you certificate info.
  2. Run DNS enumeration of the root domain over all TLDs.
  3. Run DNS enumeration of various phishing domains for the root TLD (if you have time).
  4. Run the combination.
- Tools: https://dnsdumpster.com/
- Tools: Most of the tools below ship with Kali Linux. Probably easier if you spin that up on a temporary partition.
Vulnerability scanners
Skipfish (Google)
http://w3af.org/faq
Brute force tools
Hydra (freeworld.thc.org/the-hydra/)
Sniffers
Hunt (packetstormsecurity.nl/sniffers/hunt); some use session hijacking.
Password hash cracking
John the Ripper
Hashcat
Dictionaries
https://github.com/danielmiessler/SecLists/tree/master/Passwords
Pre-cracked hashes
https://hashkiller.co.uk/md5-decrypter.aspx
Email Capture
mailsnarf (monkey.org/~dugsong/dsniff)
ARP cache poisoning
Cain and Abel (oxid.it)
Protocol handler enumeration
Duh.vbs
DUHForMac
MAC Spoofing
Nothing Yet
POST Enumeration
Burp intruder
Telephone number spoofing
SpoofCard
USB injection
Switchblade
HTTP Proxy
Burp Proxy (portswigger.net/proxy)
Port Scanner
nmap
Connectivity
netcat (sending data over TCP/IP the easy way)
https://github.com/aploium/shootback (TCP behind NAT / Firewall)
IMSI
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
XSS Scan + Exploitation
ZAP (OWASP)
JSFuck (http://www.jsfuck.com/)
XSS Hunter
Magento
Admin panel flaws
Magento's admin router will match /index.phpadmin, index.phprss/catalog/notifystock, index.php///admin. Servers might be configured to match /admin, and thus we can bypass admin blocks.
Downloader
Magento's /downloader/ endpoint auths against the admin list, but does not include the normal admin fail2ban-style blocking after {x} invalid attempts. This makes it susceptible to brute force [1]. This appears to have been solved in CE 1.9.3 [2].
Resources
https://charlesreid1.com/wiki/Man_in_the_Middle
https://github.com/enaqx/awesome-pentest/blob/master/README.md
https://attack.mitre.org/wiki/Main_Page
https://support.hypernode.com/knowledgebase/how-to-protect-your-magento-store-against-brute-force/#What_does_Magereport_check_for
2019-01-22: Peter O'Callaghan (MageChat #security) [8:09 AM] https://www.youtube.com/watch?v=Qw1nNPiH_Go <- jam packed with tools to use for bug bounties, not exactly the same as pen testing, since a bunch of the earlier stuff is about recon, which is not (necessarily) so important during a pen test.