تعلم الأمن السيبراني مع راكوان

Dashboard عربي تفاعلي لتعلم Web Pentesting باستخدام Linux و Gemini CLI

اكتمال الاختبار 45%

جمع المعلومات

Information Gathering

جمع المعلومات العامة عن الهدف بدون تفاعل هجومي مباشر.

أوامر Linux
commands.sh 
# DNS Information
dig testphp.vulnweb.com +short
nslookup testphp.vulnweb.com
host testphp.vulnweb.com

# WHOIS Lookup
whois testphp.vulnweb.com

# HTTP Headers
curl -I http://testphp.vulnweb.com
curl -v http://testphp.vulnweb.com

# Subdomain Enumeration
subfinder -d testphp.vulnweb.com
amass enum -d testphp.vulnweb.com

# Network Reconnaissance
traceroute testphp.vulnweb.com
ping -c 4 testphp.vulnweb.com
Gemini Prompt (English)
prompt.txt 
Analyze the information gathering results from DNS queries, WHOIS data, and HTTP headers for testphp.vulnweb.com. Summarize:
1. Infrastructure details (IP addresses, hosting provider, server software)
2. Security indicators (server headers, exposed services)
3. Potential attack surface
4. Recommended next steps for penetration testing
5. Any privacy or compliance concerns from exposed information

Format the response as a structured reconnaissance report with clear sections and actionable insights.

فحص المنافذ

Port Scanning

تحديد المنافذ المفتوحة والخدمات وإصداراتها.

أوامر Nmap
nmap_scan.sh 
# Basic Port Scan
nmap -Pn testphp.vulnweb.com

# Service Version Detection
nmap -sS -sV -O -Pn testphp.vulnweb.com

# Full Port Scan
nmap -p- -T4 -Pn testphp.vulnweb.com

# Aggressive Scan with Scripts
nmap -A -T4 -Pn testphp.vulnweb.com

# UDP Port Scan
nmap -sU -p 53,67,68,69,123,161 -Pn testphp.vulnweb.com

# Output to File
nmap -sS -sV -O -oA scan_results testphp.vulnweb.com

# Firewall Evasion
nmap -f --mtu 24 --data-length 200 -D RND:10 testphp.vulnweb.com
Gemini Prompt (English)
prompt.txt 
Review the Nmap scan output and provide a comprehensive analysis:
1. List all open ports and running services with versions
2. Identify risky services (e.g., outdated software, default credentials)
3. Highlight potential vulnerabilities based on service versions
4. Recommend specific enumeration techniques for each service
5. Assess the overall attack surface based on port exposure
6. Suggest firewall rules or security hardening measures

Prioritize findings by risk level (Critical, High, Medium, Low).

التعداد

Enumeration

استخراج معلومات أعمق عن الخدمات المكتشفة.

أوامر التعداد
enumeration.sh 
# HTTP Enumeration
nmap --script http-enum -p 80,443 testphp.vulnweb.com
nmap --script http-methods --script-args http-methods.url-path='/test' testphp.vulnweb.com

# SMB Enumeration (if port 445 open)
nmap --script smb-enum-shares -p 445 target_ip
enum4linux -a target_ip

# SNMP Enumeration (if port 161 open)
snmpwalk -c public -v1 target_ip
onesixtyone -c community.txt target_ip

# FTP Enumeration (if port 21 open)
nmap --script ftp-anon -p 21 target_ip

# SMTP Enumeration (if port 25 open)
nmap --script smtp-commands -p 25 target_ip

# DNS Enumeration
nmap --script dns-brute testphp.vulnweb.com
dnsrecon -d testphp.vulnweb.com
Gemini Prompt (English)
prompt.txt 
Based on the service enumeration results, provide a detailed analysis:
1. For each enumerated service, list discovered resources (shares, users, directories)
2. Identify misconfigurations (anonymous access, excessive permissions)
3. Map the application structure and entry points
4. Recommend specific manual testing approaches for each finding
5. Identify information leakage issues
6. Suggest exploitation paths based on enumeration results

Organize findings by service type and prioritize based on potential impact.

ترويسات الحماية

Security Headers

تحليل إعدادات الحماية الخاصة بترويسات HTTP.

أوامر التحليل
security_check.sh 
# Check Security Headers
curl -I https://testphp.vulnweb.com
curl -I http://testphp.vulnweb.com

# Using specialized tools
./shcheck.py https://testphp.vulnweb.com
nmap --script http-security-headers -p 80,443 testphp.vulnweb.com

# Test for HSTS
curl -I -s https://testphp.vulnweb.com | grep -i Strict-Transport-Security

# Test for CSP
curl -I -s https://testphp.vulnweb.com | grep -i Content-Security-Policy

# Test for XSS Protection
curl -I -s https://testphp.vulnweb.com | grep -i X-XSS-Protection

# Test for Clickjacking Protection
curl -I -s https://testphp.vulnweb.com | grep -i X-Frame-Options

# Test for MIME Sniffing Protection
curl -I -s https://testphp.vulnweb.com | grep -i X-Content-Type-Options

# Comprehensive security scan
whatweb -a 3 https://testphp.vulnweb.com
Gemini Prompt (English)
prompt.txt 
Analyze the HTTP security headers and provide a comprehensive security assessment:
1. List all present security headers with their configurations
2. Identify missing critical security headers
3. Evaluate the strength of implemented headers (CSP policies, HSTS settings)
4. Explain the security impact of each missing or weak header
5. Recommend specific header configurations for optimal security
6. Assess the overall web application security posture based on headers
7. Provide code examples for implementing missing headers in common web servers (Apache, Nginx)

Include a risk rating for each finding and prioritize remediation steps.

المسارات والملفات

Directories & Files

اكتشاف المسارات المخفية والملفات الحساسة.

أوامر الاكتشاف
directory_scan.sh 
# Using dirsearch
dirsearch -u http://testphp.vulnweb.com -e php,html,js,txt
dirsearch -u http://testphp.vulnweb.com -w /usr/share/wordlists/dirb/common.txt

# Using gobuster
gobuster dir -u http://testphp.vulnweb.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,js,bak,zip
gobuster dir -u http://testphp.vulnweb.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Using ffuf
ffuf -u http://testphp.vulnweb.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://testphp.vulnweb.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.bak,.zip

# Recursive scanning
gobuster dir -u http://testphp.vulnweb.com -w /usr/share/wordlists/dirb/common.txt -x php -t 50 -r

# Specific file discovery
gobuster dir -u http://testphp.vulnweb.com -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt

# Backup files discovery
gobuster dir -u http://testphp.vulnweb.com -w /usr/share/seclists/Discovery/Web-Content/Common-DB-Backups.txt
Gemini Prompt (English)
prompt.txt 
Classify discovered directories and files by risk level and provide analysis:
1. Categorize findings (administrative interfaces, backup files, sensitive directories)
2. Identify high-risk discoveries (config files, backups, admin panels)
3. Assess information exposure from discovered files
4. Recommend specific testing approaches for each discovery
5. Evaluate directory traversal and file inclusion vulnerabilities
6. Identify potential authentication bypass paths
7. Suggest secure file management practices

Prioritize testing based on risk: Critical (config files, backups), High (admin panels, upload directories), Medium (development files), Low (common directories).

القوة الغاشمة

Brute Force

اختبار قوة آلية تسجيل الدخول (مختبرات فقط).

أوامر Hydra و Medusa
bruteforce.sh 
# HTTP POST Brute Force (Hydra)
hydra -l admin -P /usr/share/wordlists/rockyou.txt testphp.vulnweb.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
hydra -L users.txt -P passwords.txt testphp.vulnweb.com http-post-form "/admin/login.php:user=^USER^&pass=^PASS^:F=incorrect"

# FTP Brute Force
hydra -L users.txt -P passwords.txt ftp://testphp.vulnweb.com
medusa -h testphp.vulnweb.com -u admin -P /usr/share/wordlists/rockyou.txt -M ftp

# SSH Brute Force
hydra -L users.txt -P passwords.txt ssh://testphp.vulnweb.com
medusa -h testphp.vulnweb.com -U users.txt -P passwords.txt -M ssh

# MySQL Brute Force
hydra -L users.txt -P passwords.txt mysql://testphp.vulnweb.com
medusa -h testphp.vulnweb.com -U users.txt -P passwords.txt -M mysql

# Wordpress Brute Force
wpscan --url http://testphp.vulnweb.com --passwords /usr/share/wordlists/rockyou.txt

# Rate limiting and timing (for ethical testing)
hydra -l admin -P passwords.txt -t 4 -w 10 -f testphp.vulnweb.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=error"
Gemini Prompt (English)
prompt.txt 
Explain how to assess authentication strength without performing destructive exploitation and analyze brute force test results:
1. Evaluate authentication mechanisms for common weaknesses
2. Assess account lockout policies and rate limiting
3. Analyze password complexity requirements
4. Identify default or common credentials
5. Recommend secure authentication practices
6. Explain the risks of weak authentication
7. Provide remediation steps for identified weaknesses
8. Discuss multi-factor authentication implementation

Include specific recommendations for:
- Password policies and complexity requirements
- Account lockout mechanisms
- Rate limiting implementation
- Session management best practices
- Monitoring and alerting for brute force attempts

التقنيات والسيرفر

Technologies & Server

تحديد التقنيات المستخدمة يساعد في ربط الثغرات المعروفة.

أوامر التعرف
tech_detection.sh 
# Using whatweb for technology detection
whatweb -a 3 http://testphp.vulnweb.com
whatweb -v http://testphp.vulnweb.com

# Using wappalyzer (CLI version)
wappalyzer http://testphp.vulnweb.com

# BuiltWith API (if available)
curl https://api.builtwith.com/free1/api.json?LOOKUP=testphp.vulnweb.com

# Server and technology headers analysis
curl -I http://testphp.vulnweb.com | grep -i "server\|x-powered-by\|via"

# CMS detection
cmseek -u http://testphp.vulnweb.com
droopescan scan drupal --url http://testphp.vulnweb.com

# JavaScript library detection
python3 retire.py --jsurl http://testphp.vulnweb.com/js/jquery.js

# Framework detection
nmap --script http-framework -p 80,443 testphp.vulnweb.com

# Database detection
nmap --script mysql-info -p 3306 target_ip
nmap --script pgsql-info -p 5432 target_ip
Gemini Prompt (English)
prompt.txt 
Correlate the identified technologies with known vulnerability categories and provide a comprehensive analysis:
1. Map all identified technologies (web server, frameworks, libraries, CMS, databases)
2. Check versions against known vulnerability databases (CVE, ExploitDB)
3. Identify end-of-life or unsupported software
4. Assess the attack surface for each technology stack component
5. Recommend specific vulnerability checks based on technology versions
6. Identify technology-specific misconfigurations
7. Provide upgrade and patching recommendations
8. Suggest alternative secure technologies where applicable

Create a technology risk matrix with:
- Technology/Component
- Version
- Known Vulnerabilities (Critical/High/Medium/Low)
- Patch Status
- Recommended Actions
- Timeline for Remediation

Include specific checks for:
- Outdated JavaScript libraries with known XSS vulnerabilities
- CMS plugins with security issues
- Web server misconfigurations
- Framework-specific security considerations

فحص الثغرات

Vulnerability Scanning

استخدام أدوات آلية لاكتشاف الثغرات المعروفة.

أوامر الفحص
vuln_scan.sh 
# Nikto web server scanner
nikto -h http://testphp.vulnweb.com
nikto -h http://testphp.vulnweb.com -output nikto_results.html

# Nuclei vulnerability scanner
nuclei -u http://testphp.vulnweb.com -severity low,medium,high,critical
nuclei -u http://testphp.vulnweb.com -t /path/to/templates -o nuclei_results.txt

# OWASP ZAP (command line)
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://testphp.vulnweb.com

# SQLMap for SQL injection testing
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --batch
sqlmap -u "http://testphp.vulnweb.com/login.php" --data="username=admin&password=test" --batch

# XSStrike for XSS testing
python3 xsstrike.py -u "http://testphp.vulnweb.com/search.php?q=test"

# SSRF testing
ssrfmap -r data/request.txt -p url -m portscan

# OpenVAS / Greenbone vulnerability scan
gvm-cli socket --xml ""
gvm-cli socket --xml ""
Gemini Prompt (English)
prompt.txt 
Analyze the vulnerability scan results and provide a comprehensive security assessment:
1. Categorize findings by vulnerability type (SQLi, XSS, CSRF, etc.)
2. Differentiate true positives from false positives with validation steps
3. Prioritize vulnerabilities by CVSS score and exploitability
4. Provide detailed exploitation scenarios for critical findings
5. Recommend specific remediation steps for each vulnerability
6. Assess the overall risk posture of the application
7. Suggest additional manual testing based on automated findings
8. Provide code snippets for fixing identified vulnerabilities

Create a vulnerability summary table with:
- Vulnerability ID/Name
- CVSS Score and Severity
- Affected Component
- Description
- Proof of Concept
- Impact Assessment
- Remediation Steps
- Reference Links (CVE, OWASP)

Include validation methodology for:
- False positive reduction techniques
- Manual verification steps
- Business impact analysis
- Exploitation complexity assessment
- Remediation priority matrix

التقرير النهائي

Reporting

توثيق النتائج وتحويلها إلى تقرير احترافي.

قوالب التقرير
report_template.md 
# Pentest Report Template

## Executive Summary
- Assessment Overview
- Key Findings
- Risk Rating
- Recommendations Summary

## Scope & Methodology
- Test Targets
- Testing Approach
- Tools Used
- Limitations

## Information Gathering
- DNS Records
- Subdomains
- Network Infrastructure
- Technology Stack

## Vulnerability Findings
### Critical
- [VULN-001] SQL Injection
  - Description
  - Evidence
  - Impact
  - Recommendation
  - References

### High
- [VULN-002] Cross-Site Scripting
- [VULN-003] Authentication Bypass

### Medium
- [VULN-004] CSRF
- [VULN-005] Information Disclosure

### Low
- [VULN-006] Security Headers Missing

## Risk Assessment Matrix
| Vulnerability | CVSS | Risk | Impact | Likelihood |
|---------------|------|------|--------|------------|
| SQL Injection | 9.8  | Critical | High | High |

## Remediation Roadmap
- Immediate Actions (24-48 hours)
- Short-term (1-2 weeks)
- Long-term (1-3 months)

## Conclusion
- Overall Security Posture
- Compliance Status
- Recommendations for Improvement

## Appendices
- Tool Outputs
- Screenshots
- References
Gemini Prompt (English)
prompt.txt 
Generate a professional penetration testing report based on all previous findings with the following structure:

1. Executive Summary (1 page max)
   - Assessment overview and dates
   - High-level findings and risk rating
   - Key recommendations
   - Overall security posture

2. Technical Details (Comprehensive)
   - Methodology and tools used
   - Scope of testing
   - Limitations and assumptions

3. Detailed Findings (Organized by risk level)
   For each vulnerability include:
   - Unique ID and title
   - CVSS score and vector
   - Detailed description
   - Affected components
   - Proof of concept/evidence
   - Business impact
   - Remediation steps
   - References (CVE, OWASP, etc.)

4. Risk Assessment Matrix
   - Quantitative risk scoring
   - Impact vs likelihood analysis
   - Prioritized remediation roadmap

5. Appendices
   - Tool outputs and screenshots
   - References and resources
   - Testing methodology details

Requirements:
- Use professional, client-friendly language
- Include both technical details and business impact
- Provide actionable recommendations
- Include evidence for all findings
- Follow industry standards (PTES, OWASP)
- Format for both technical and executive audiences
- Include graphs/charts for risk visualization
- Provide clear remediation timelines

Generate the report in markdown format with appropriate sections, headers, and formatting for easy conversion to PDF or Word document.

إحصائيات الاختبار

9
مراحل اختبار
0
ثغرات مكتشفة
42
أداة مستخدمة
45%
اكتمال الاختبار