updated

Author: hdks-bug

CNAME

@@ -16,6 +16,14 @@ Finding API keys which are leaked is crucial work for penetration testing or bug
 trufflehog git https://github.com/<username>/<repo> --results=verified,unknown
 ```
 
+## Using Leaker
+
+[Leaker](https://github.com/vflame6/leaker) is a passive leak enumeration tool.
+
+```sh
+leaker info@example.com
+```
+
 ## Google Dorks
 
 Google Dorks is useful to search leaked API keys/tokens.  

…cs/exploit/reconnaissance/email/index.md …s/exploit/reconnaissance/emails/index.mddocs/exploit/reconnaissance/email/index.md renamed to docs/exploit/reconnaissance/emails/index.md docs/exploit/reconnaissance/email/index.md renamed to docs/exploit/reconnaissance/emails/index.md

@@ -190,6 +190,14 @@ naabu -p - -host <target-ip>
 naabu -sD -s -p 22,80,443 -host <target-ip>
 ```
 
+## Smap
+
+We can passively scan open ports using [Smap](https://github.com/s0md3v/Smap).
+
+```sh
+smap -iL subdomains.txt -oN ports.txt
+```
+
 ## References
 
 - [Nmap](https://nmap.org/book/nmap-defenses-trickery.html)

docs/exploit/reconnaissance/leaked-api-keys.md

@@ -0,0 +1,7 @@
+# Social Account Enumeration
+
+## [Sherlock](https://github.com/sherlock-project/sherlock)
+
+```sh
+sherlock <SOCIAL_ACCOUT_NAME>
+```

docs/exploit/reconnaissance/port-scan.md

@@ -18,7 +18,13 @@ To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See
 ```sh
 # -all: Use all sources for enumeration
 # -cs: Include all sources in the output
-subfinder -d example.com -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > domains.txt ; rm tmp.txt
+subfinder -d example.com -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > subdomains.txt ; rm tmp.txt
+```
+
+In addition, we can **enumerate active web servers** from the collected subdomains using [httpx](https://github.com/projectdiscovery/httpx):
+
+```sh
+cat subdomains.txt | httpx -silent -no-color -title -status-code -tech-detect > web_servers.txt
 ```
 
 ### BBOT

docs/exploit/reconnaissance/social-account-enumeration.md

@@ -24,6 +24,48 @@ nmap --script http-methods -p 80,443 <target-ip>
 whois example.com
 ```
 
+### [Wapiti](https://github.com/wapiti-scanner/wapiti)
+
+```sh
+# Get login cookies
+wapiti-getcookie -u https://example.com/login -c cookies.json
+
+# Scan
+wapiti -u https://example.com/ -c cookies.json
+
+# List modules
+wapiti --list-modules
+
+## Scan with specific modules
+# Fuzzing backups, directories, files
+wapiti -u https://example.com/ -c cookies.json -m backup,buster
+# Brute force login attemps
+wapiti -u https://example.com/login -c cookies.json -m brute_login_form
+# Bypass access control
+wapiti -u https://example.com/admin -c cookies.json -m htaccess
+# CMS detection
+wapiti -u https://example.com/ -c cookies.json -m cms
+# LDAP injection
+wapiti -u https://example.com/ -c cookies.json -m ldap
+# log4shell
+wapiti -u https://example.com/ -c cookies.json -m log4shell
+# Nikto
+wapiti -u https://example.com/ -c cookies.json -m nikto
+# spring4shell
+wapiti -u https://example.com/ -c cookies.json -m spring4shell
+# Subdomain takeover
+wapiti -u https://sub.example.com --scope subdomain -m takeover
+# Time-based SQL injection
+wapiti -u https://example.com/ -c cookies.json -m timesql
+# WordPress
+wapiti -u https://example.com/ -c cookies.json -m wp_enum
+# XXE
+wapiti -u https://example.com/ -c cookies.json -m xxe
+
+# Scan API endpoints
+wapiti -u https://api.example.com/ --swagger /path/to/swagger.json
+```
+
 ### Nikto
 
 ```sh

…issance/subdomain/subdomain-discovery.md …ssance/subdomains/subdomain-discovery.mddocs/exploit/reconnaissance/subdomain/subdomain-discovery.md renamed to docs/exploit/reconnaissance/subdomains/subdomain-discovery.md docs/exploit/reconnaissance/subdomain/subdomain-discovery.md renamed to docs/exploit/reconnaissance/subdomains/subdomain-discovery.md

@@ -0,0 +1,12 @@
+# Set Icon for an Executable
+
+If you want to set a custom icon for your executable file, you can set it using some tools such as Resource Hacker.  
+At first, you need to prepare a .ico file of the icon. To convert JPG/PNG to ICO, you may use [Favicon Converter](https://favicon.io/favicon-converter/).
+
+## Using Resource Hacker
+
+1. Launch **Resource Hacker**.
+2. Open your executable file.
+3. Click **Action -> Add an Image or Other Binary Resource**, then select the .ico file.
+4. Click **Add Resource**.
+5. Save the executable.

…aissance/subdomain/subdomain-takeover.md …issance/subdomains/subdomain-takeover.mddocs/exploit/reconnaissance/subdomain/subdomain-takeover.md renamed to docs/exploit/reconnaissance/subdomains/subdomain-takeover.md docs/exploit/reconnaissance/subdomain/subdomain-takeover.md renamed to docs/exploit/reconnaissance/subdomains/subdomain-takeover.md

@@ -0,0 +1,153 @@
+# Target Files for Infostealers
+
+Since the files targeted by infostealers on compromised machines share common characteristics, I have summarized them below.
+
+## AI
+
+- OpenClaw: `%USERPROFILE%\.openclaw`
+
+## Browser Credentials
+
+### Chromium-based Browsers
+
+- 360browser: `%LOCALAPPDATA%\360browser\Browser\User Data`
+- Brave: `%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data`
+- CentBrowser: `%LOCALAPPDATA%\CentBrowser\User Data`
+- Chrome: `%LOCALAPPDATA%\Google\Chrome\User Data`
+- CocCoc Browser: `%LOCALAPPDATA%\CocCoc\Browser\User Data`
+- Edge: `%LOCALAPPDATA%\Microsoft\Edge\User Data`
+- Opera: `%APPDATA%\Opera Software\Opera Stable`
+- Opera GX: `%APPDATA%\Opera Software\Opera Stable GX Stable`
+- Vivaldi: `%LOCALAPPDATA%\Vivaldi\User Data`
+- Yandex: `%LOCALAPPDATA%\Yandex\YandexBrowser\User Data`
+
+Each Chromium-based browser stores a significant amount of sensitive information within its corresponding profile directory. Infostealers selectively extract specific data from these locations, particularly the following:
+
+- **Decryption key**: `Local State`  
+- **Autofill data**: `Default\Web Data` (SQL database)  
+- **Local Storage**: `Default\Local Storage\leveldb` (LevelDB)  
+- **Session Storage**: `Default\Session Storage` (LevelDB)  
+- **Browsing History**: `Default\History` (SQL database)  
+- **Browser Extensions**: `Default\Local Extension Settings` (LevelDB)  
+
+At the same time, browser-side protection mechanisms continue to improve. For example, Google Chrome has adopted **App-Bound Encryption**, making it significantly more difficult to steal credentials and cookies.
+
+However, attackers attempt to bypass these protections by leveraging implementations such as [Chrome App Bound Encryption Decryption](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption), which demonstrate methods to circumvent App-Bound Encryption and recover protected data.
+
+#### Browser Extension IDs
+
+In Chromium-based browsers, the `User Data\Default\Local Extension Settings` directory contains ID-specific subdirectories corresponding to installed browser extensions. Infostealers target and exfiltrate the **LevelDB** data stored within each of these directories.
+
+**Authenticators**
+
+- Aegis Authenticator: `ppdjlkfkedmidmclhakfncpfdmdgmjpm`
+- Authenticator: `bhghoamapcdpbohphigoooaddinpkbai`
+- Authy: `gjffdbjndmcafeoehgdldobgjmlepcal`
+- Duo Mobile: `eidlicjlkaiefdbgmdepmmicpbggmhoj`
+- EOS Authenticator: `oeljdldpnmdbchonielidgobddffflal`
+- FreeOTP: `elokfmmmjbadpgdjmgglocapdckdcpkn`
+- Google Authenticator: `khcodhlfkpmhibicdjjblnkgimdepgnd`
+- LastPass Authenticator: `cfoajccjibkjhbdjnpkbananbejpkkjb`
+- MEW CX: `nlbmnnijcnlegkjjpcfjclmcfggfefdm`
+- Microsoft Authenticator: `bfbdnbpibgndpjfhonkflpkijfapmomn`
+- OTP Auth: `bobfejfdlhnabgglompioclndjejolch`
+- Sollet: `fhmfendgdocmcbmfikdcogofphimnkno`
+
+**Crypto Wallets**
+
+- Airbitz: `ieedgmmkpkbiblijbbldefkomatsuahh`
+- Atomic: `bhmlbgebokamljgnceonbncdofmmkedg`
+- BinanceChain: `fhbohimaelbohpjbbldcngcnapndodjp`
+- BitBox: `ocmfilhakdbncmojmlbagpkjfbmeinbd`
+- BRD: `nbokbjkelpmlgflobbohapifnnenbjlh`
+- Coin98: `aeachknmefphepccionboohckonoeemg`
+- Coinomi: `blbpgcogcoohhngdjafgpoagcilicpjh`
+- Copay: `ieedgmmkpkbiblijbbldefkomatsuahh`
+- Digital Bitbox: `dbhklojmlkgmpihhdooibnmidfpeaing`
+- Electrum: `hieplnfojfccegoloniefimmbfjdgcgp`
+- Exodus: `idkppnahnmmggbmfkjhiakkbkdpnmnon`
+- GreenAddress: `gflpckpfdgcagnbdfafmibcmkadnlhpj`
+- Guarda Wallet: `fcglfhcjfpkgdppjbglknafgfffkelnm`
+- iWallet: `kncchdigobghenbbaddojjnnaogfppfj`
+- Jaxx Liberty: `mhonjhhcgphdphdjcdoeodfdliikapmj`
+- KeepKey: `dojmlmceifkfgkgeejemfciibjehhdcl`
+- LastPass: `gabedfkgnbglfbnplfpjddgfnbibkmbb`
+- Keplr: `dmkamcknogkgcdfhhbddcghachkejeap`
+- Ledger Live: `pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln`
+- Ledger Wallet: `hbpfjlflhnmkddbjdchbbifhllgmmhnm`
+- MetaMask: `nkbihfbeogaeaoehlefnkodbefgpgknn`
+- Mycelium: `pidhddgciaponoajdngciiemcflpnnbg`
+- NeoLine: `cphhlgmgameodnhkjdmkpanlelnlohao`
+- OneKey: `ilbbpajmiplgpehdikmejfemfklpkmke`
+- Phantom: `bfnaelmomeimhlpmgjnjophhpkkoljpa`
+- Ronin: `fnjhmkhhmkbjkkabndcnnogagogbneec`
+- Samourai Wallet: `apjdnokplgcjkejimjdfjnhmjlbpgkdi`
+- Station Wallet: `aiifbnbfobpmeekipheeijimdpnlpgpp`
+- TezBox: `mnfifefkajgofkcjkemidiaecocnkjeh`
+- TronLink: `ibnejdfjmmkpcnlpebklmnkoeoihofec`
+- Trust Wallet: `pknlccmneadmjbkollckpblgaaabameg`
+- Wombat: `amkmjjmmflddogmhpjloimipbofnfjih`
+
+**Password Managers**
+
+- Avira Password Manager: `caljgklbbfbcjjanaijlacgncafpegll`
+- Bitwarden: `inljaljiffkdgmlndjkdiepghpolcpki`
+- Browserpass: `naepdomgkenhinolocfifgehidddafch`
+- Dashlane: `flikjlpgnpcjdienoojmgliechmmheek`
+- KeePassXC: `kgeohlebpjgcfiidfhhdlnnkhefajmca`
+- Keeper: `gofhklgdnbnpcdigdgkgfobhhghjmmkj`
+- NordPass: `njgnlkhcjgmjfnfahdmfkalpjcneebpl`
+- Norton Password Manager: `admmjipmmciaobhojoghlmleefbicajg`
+- RoboForm: `hppmchachflomkejbhofobganapojjol`
+- Trezor Password Manager: `imloifkgjagghnncjkhggdhalmcnfklk`
+- Zoho Vault: `igkpcodhieompeloncfnbekccinhapdb`
+
+**Others**
+
+- Splikity: `jhfjfclepacoldmjmkmdlmganfaalklb`
+- YubiKey: `mammpjaaoinfelloncbbpomjcihbkmmc`
+
+### Gecko-based Browsers
+
+- Firefox: `%APPDATA%\Mozilla\Firefox\Profiles\<profile>`
+
+Gecko-based browsers are targeted through files stored within the profile directory, including `cert9.db`, `key4.db`, `logins.json`, `cookies.sqlite`, `formhistory.sqlite`, `places.sqlite`, `sessionstore.jsonlz4`, and `storage\default\moz-extension+++`.
+
+In some cases, the entire profile directory is exfiltrated, and tools such as [firefox_decrypt](https://github.com/unode/firefox_decrypt) are used to extract stored credentials.
+
+## Chat Clients
+
+- Discord: `%APPDATA%\discord`
+- Telegram: `%APPDATA%\Telegram Desktop\tdata`
+
+## Crypto Wallets
+
+- Armory: `%APPDATA%\Armory`
+- Atomic: `%APPDATA%\atomic`
+- Binance: `%APPDATA%\Binance`
+- Bitcoin Core: `%APPDATA%\Bitcoin\wallets`
+- Coinomi: `%LOCALAPPDATA%\Coinomi`
+- Daedalus Mainnet: `%APPDATA%\Daedalus Mainnet`
+- Dash Core: `%APPDATA%\DashCore`
+- Dogecoin Core: `%APPDATA%\Dogecoin`
+- Electron Cash: `%APPDATA%\Electron Cash`
+- Electrum: `%APPDATA%\Electrum`
+- Electrum LTC: `%APPDATA%\Electrum-LTC`
+- Ethereum: `%APPDATA%\Ethereum`
+- Exodus: `%APPDATA%\Exodus`
+- JaxxClassic: `%APPDATA%\Jaxx\Local Storage\leveldb`
+- JaxxLiberty: `%APPDATA%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb`
+- Ledger Live: `%APPDATA%\Ledger Live`
+- Litecoin Core: `%APPDATA%\Litcoin`
+- Monero GUI: `%USERPROFILE%\Documents\Monero\wallets`
+- Raven Core: `%APPDATA%\Raven`
+- Wasabi Wallet: `%APPDATA%\WalletWasabi\Client`
+- Zcash: `%APPDATA%\Zcash`
+
+## Email Clients
+
+- Thunderbird: `%APPDATA%\Thunderbird\Profiles`
+
+## Game Clients
+
+- Steam: `%ProgramFiles(x86)%\Steam`