diff --git a/src/content/notes/network/ftp.md b/src/content/notes/network/ftp.md new file mode 100644 index 0000000..7e26027 --- /dev/null +++ b/src/content/notes/network/ftp.md @@ -0,0 +1,62 @@ +--- +title: "FTP" +description: "Enumeration, exploitation and post-exploitation techniques for FTP servers." +tags: ["ftp", "network", "service"] +publishDate: 2026-04-29 +--- + +## Overview + +FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive). +Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP. + +## Enumeration + +### Banner grabbing + +```bash +nc -nv $IP 21 +ftp $IP +``` + +The banner often reveals the software version: cross-reference with CVE databases. + +### Nmap + +```bash +nmap -sV -p 21 $IP +nmap -p 21 --script ftp-* $IP +``` + +Key scripts: + +- `ftp-anon`: checks anonymous login +- `ftp-bounce`: tests for FTP bounce attack +- `ftp-brute`: brute-force credentials +- `ftp-syst`: retrieves system info + +## Anonymous Login + +```bash +ftp $IP +# Username: anonymous +# Password: or anonymous@ +``` + +If allowed, list and download everything: + +```bash +ls -la +mget * +``` + +Check for writable directories: you may be able to upload a webshell if FTP root overlaps with a web root. + +## Brute Force + +```bash +hydra -l $user -P /usr/share/wordlists/rockyou.txt ftp://$IP +medusa -h $IP -u $user -P /usr/share/wordlists/rockyou.txt -M ftp +``` + +Try default credentials first: `admin:admin`, `ftp:ftp`, `user:password`. diff --git a/src/content/notes/nmap.md b/src/content/notes/nmap.md deleted file mode 100644 index 9f1b600..0000000 --- a/src/content/notes/nmap.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Notes in comming.." -description: "" -tags: [] -publishDate: 2026-04-24 ---- - -## Notes - -Salut comment ça va ! $test1 - -```bash -nmap -p $port "$Ip" -``` 
diff --git a/src/content/notes/osint/bluesky.md b/src/content/notes/osint/bluesky.md new file mode 100644 index 0000000..db9b42f --- /dev/null +++ b/src/content/notes/osint/bluesky.md 
@@ -0,0 +1,97 @@ +--- +title: "Bluesky" +description: "Enumeration, search operators, API endpoints and tools for investigating Bluesky accounts." +tags: ["osint", "bluesky", "social-media", "enumeration"] +publishDate: 2026-04-29 +--- + +## Key Concepts + +Bluesky is built on the **AT Protocol**. Every account has two identifiers: + +- **Handle**: `user.bsky.social` or a custom domain (can change) +- **DID**: `did:plc:ewvi7nxzyoun6zhxrhs64oiz` (permanent, survives handle changes) + +All public content is accessible **without an account**. Follower/following lists are also public by default. + +## Account Enumeration + +### Resolve handle → DID + +``` +https://bsky.social/xrpc/com.atproto.identity.resolveHandle?handle=$HANDLE +``` + +### Resolve DID → history (all past handles, keys, creation date) + +``` +https://plc.directory/$DID +``` + +### Get profile metadata + +``` +https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=$HANDLE +``` + +Returns: DID, display name, description, follower/following count, creation date, avatar URL. + +### Followers / following + +``` +https://public.api.bsky.app/xrpc/app.bsky.graph.getFollowers?actor=$HANDLE&limit=100 +https://public.api.bsky.app/xrpc/app.bsky.graph.getFollows?actor=$HANDLE&limit=100 +``` + +Paginate with the `cursor` field from the response. 
+ +## Search Operators + +Bluesky's full-text search supports these operators (combinable): + +| Operator | Example | Effect | +| ----------- | ----------------------------- | ----------------------------- | +| `"..."` | `"exact phrase"` | Exact match | +| `from:` | `from:handle.bsky.social` | Posts by user | +| `mentions:` | `mentions:handle.bsky.social` | Posts mentioning user | +| `since:` | `since:2024-01-01` | After date (UTC, YYYY-MM-DD) | +| `until:` | `until:2024-06-30` | Before date (UTC, YYYY-MM-DD) | +| `lang:` | `lang:fr` | Language (ISO 639-1) | +| `domain:` | `domain:github.com` | Posts linking to domain | +| `#tag` | `#osint` | Hashtag | + +#### API equivalent + +``` +https://public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q={QUERY}&author={HANDLE}&since=2024-01-01&until=2024-12-31&lang=en&limit=25 +``` + +## Google Dorks + +Bluesky is heavily indexed by Google. Useful for finding profiles and posts without touching the platform: + +``` +site:bsky.app "$TARGET_NAME" +site:bsky.app "$TARGET_NAME" inurl:profile +site:bsky.app "$KEYWORD" since:2024-01-01 +``` + +## Tools + +### BlueSkyNet + +Web app for searching and exporting Bluesky data to CSV. Wraps the public API with a UI for advanced search filters. + +- [github.com/jakecreps/blueskynet](https://github.com/jakecreps/blueskynet) + +### ClearSky + +Shows block lists, blocking history, and who blocked a given account. Useful for mapping relationships and adversarial clusters. + +- [clearsky.app](https://clearsky.app) + +### plc.directory + +Official DID PLC directory. Lookup a DID to get full account history: creation date, all past handles, key rotations. + +- [plc.directory](https://plc.directory) diff --git a/src/content/notes/osint/twitter-x.md b/src/content/notes/osint/twitter-x.md new file mode 100644 index 0000000..691c1a1 --- /dev/null +++ b/src/content/notes/osint/twitter-x.md 
@@ -0,0 +1,138 @@ +--- +title: "X / Twitter" +description: "Enumeration, search operators, deleted content recovery and tools for investigating X accounts." +tags: ["osint", "twitter", "x", "social-media", "enumeration"] +publishDate: 2026-04-29 +--- + +## Key Concepts + +Every account has two identifiers: + +- **Handle**: `@username` (can change) +- **User ID**: numeric, permanent (survives handle changes and suspensions) + +Unlike [Bluesky](/notes/osint/bluesky), X now requires a login to browse most content in the browser. The free API tier (v2) is severely limited. Most open-source scraping tools that bypassed the API (Twint, snscrape, GetOldTweets3) are broken since the 2023 API lockdown. + +## Account Enumeration + +### Handle to User ID + +The user ID stays constant when someone changes their handle or gets suspended. Several web tools resolve it: + +- [tweeterid.com](https://tweeterid.com/) +- [commentpicker.com/twitter-id.php](https://commentpicker.com/twitter-id.php) + +Or via the profile page source: look for `"id_str"` in the page JSON. + +### Banner last update time + +The profile banner URL contains a Unix timestamp indicating when the banner was last changed: + +``` +https://pbs.twimg.com/profile_banners/{user_id}/{unix_timestamp}/600x200 +``` + +Right-click the banner image and copy the URL, or inspect the page source. Convert the timestamp at [unixtimestamp.com](https://www.unixtimestamp.com/). + +### Timestamp from ID (Snowflake) + +Twitter IDs are Snowflake IDs: the numeric value encodes the exact creation time of a tweet or account. Extract it with: + +```python +tweet_id = 1234567890123456789 +timestamp_ms = (tweet_id >> 22) + 1288834974657 +``` + +`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs — useful to confirm account creation date without needing profile metadata. + +Several online converters exist if you don't want to do it manually — search "snowflake id decoder". 
+ +### Direct profile URL by ID + +Old tweet/profile URLs using numeric IDs still resolve even after handle changes: + +``` +https://x.com/i/user/$USER_ID +``` + +## Search Operators + +Accessible at `x.com/search`. Operators are combinable. + +| Operator | Example | Effect | +| ----------------- | -------------------------- | ------------------------ | +| `"..."` | `"exact phrase"` | Exact match | +| `from:` | `from:handle` | Posts by user | +| `to:` | `to:handle` | Posts directed at user | +| `since:` | `since:2024-01-01` | After date (YYYY-MM-DD) | +| `until:` | `until:2024-06-30` | Before date (YYYY-MM-DD) | +| `lang:` | `lang:fr` | Language (ISO 639-1) | +| `near:` | `near:"Paris" within:10km` | Geo (web only, not API) | +| `geocode:` | `geocode:48.85,2.35,5km` | Geo by coordinates | +| `filter:images` | | Posts with images | +| `filter:videos` | | Posts with videos | +| `filter:links` | | Posts with URLs | +| `filter:verified` | | Verified accounts only | +| `-filter:replies` | | Exclude replies | +| `min_retweets:` | `min_retweets:100` | Engagement threshold | +| `min_faves:` | `min_faves:500` | Engagement threshold | +| `#tag` | `#osint` | Hashtag | +| `-term` | `-spam` | Exclude term | + +Boolean: spaces imply AND, use uppercase `OR` for alternatives, parentheses for grouping. + +#### Direct search URL + +``` +https://x.com/search?q=from%3A$HANDLE+since%3A2024-01-01&f=live +``` + +`f=live` returns chronological results instead of relevance-ranked. + +## Google Dorks + +``` +site:x.com "$TARGET" +site:twitter.com "$TARGET" +site:x.com/i/status "$KEYWORD" +"twitter.com/$HANDLE" OR "x.com/$HANDLE" +``` + +Old `twitter.com` URLs are still indexed separately from `x.com`, search both. 
+ +## Deleted and Archived Content + +### Wayback Machine + +``` +https://web.archive.org/web/*/twitter.com/$HANDLE/status/* +https://web.archive.org/web/*/x.com/$HANDLE/status/* +``` + +Manually browse snapshots, or use [waybacktweets](https://github.com/claromes/waybacktweets) to batch-retrieve CDX data: + +```bash +pip install waybacktweets +waybacktweets $HANDLE +``` + +Outputs CSV/JSON with archived tweet URLs. Useful for deleted posts and suspended accounts. + +### Twayback + +Web tool wrapping the same Wayback CDX API with a UI: + +``` +https://twayback.space/ +``` + +Note: only works if the tweet was crawled before deletion. + +### Profile history + +The Wayback Machine also archives profile pages: past bios, display names, profile photos, header images. Check snapshots at: + +``` +https://web.archive.org/web/*/twitter.com/$HANDLE +``` diff --git a/src/content/notes/test2.md b/src/content/notes/test2.md deleted file mode 100644 index 413e3b4..0000000 --- a/src/content/notes/test2.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "test2" -description: "" -tags: [] -publishDate: 2026-04-24 ---- - -## Notes - -Salut comment ça va ! $test1 - -```bash -nmap -p $test2 "$test3$test4" -``` diff --git a/src/content/notes/test3.md b/src/content/notes/test3.md deleted file mode 100644 index 84f4507..0000000 --- a/src/content/notes/test3.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Bla blablalbal ae aetnaekjta ektae ktklaaek ljbtaekjb taekbt akejbt" -description: "lorem est seot nopsejt soejtosehtose ose toiseht jophs etosh etoshte osehtosht oshe topsh etopshiospehitopsehti." -tags: ["test", "test1", "test2"] -publishDate: 2026-04-24 ---- - -## Notes - -Salut comment ça va ! $test1 - -```bash -nmap -p $port "$Ip" -```
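Review bot: in the Nmap block of `src/content/notes/network/ftp.md`, `--script ftp-*` is unquoted, so the shell expands the glob against the current directory before nmap sees it (a file named `ftp-anything` in the working directory, or a `nullglob` setting, silently changes the argument); quote it as `nmap -p 21 --script "ftp-*" $IP`. Two smaller points in the same hunk: the Anonymous Login block reads `# Password: or anonymous@`, which is missing the empty-password case it means to describe (`# Password: (blank) or anonymous@`), and the frontmatter description promises "post-exploitation techniques" that the note does not contain, so either drop the phrase or add that section.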
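Review bot: in the Google Dorks block of `src/content/notes/osint/bluesky.md`, `site:bsky.app "$KEYWORD" since:2024-01-01` mixes a Bluesky search operator into a Google query; `since:` is listed in this same hunk's table as a Bluesky operator, and Google does not understand it, so the dork should use Google's `after:2024-01-01` or drop the date filter. Also in this hunk: the `https://plc.directory/$DID` lookup only covers `did:plc:` identifiers (the Tools section itself calls it the DID PLC directory), so state that an account using a `did:web:` DID will not appear there; the resolveHandle call is the only one pointed at `bsky.social` while every other endpoint uses `public.api.bsky.app`, which should be explained or made consistent; the API-equivalent URL switches placeholder style to `{QUERY}`/`{HANDLE}` where the rest of the file uses `$HANDLE`; and `#### API equivalent` sits directly under the `## Search Operators` heading, skipping a level.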
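Review bot: the Snowflake snippet in `src/content/notes/osint/twitter-x.md` is presented as working "on both tweet IDs and user IDs", but that holds only for accounts created after user IDs became Snowflake IDs; older accounts have small sequential IDs, for which `tweet_id >> 22` is zero or tiny and the formula returns a date at or just after the custom epoch (Nov 4, 2010) regardless of when the account was created. Add a guard and finish the conversion so the reader gets a date rather than a millisecond count, e.g. `if user_id >> 22 == 0: raise ValueError("pre-Snowflake ID")` followed by `datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)`, and say in the prose that the check applies to user IDs. Smaller points in the same hunk: `#### Direct search URL` sits directly under `## Search Operators`, skipping a heading level, and "Old `twitter.com` URLs are still indexed separately from `x.com`, search both" is a comma splice (use a semicolon or "so search both").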