Pentest-Cheat-Sheets

This repo has a collection of snippets of codes and commands to help our lives! The main purpose is not be a crutch, this is a way to do not waste our precious time! This repo also helps who trying to get OSCP. You'll find many ways to do something without Metasploit Framework.

Ninja Tricks

• Recon
  • DNS
  • Nmap
  • NetCat
  • SNMP
  • Mysql
  • MS SQL
  • Web Enumeration
• Exploitation
  • System Network
    • RDP
    • Pass The Hash
    • Windows-Shell
  • Web Application
    • Web Remote Code Execution
    • LFI
    • encode
    • XSS
    • SQLi
      • sqlmap
      • Bare Hands
    • Jekins
• Pos-exploitation
  • Web Reverse Shell
    • PHP Reverse Shell
    • Perl Reverse Shell
    • python Reverse Shell
    • Ruby Reverse Shell
    • bash Reverse Shell
  • Linux
    • Linux Privilege Escalation
    • Data Haversting and Enumeration
    • Linux Pivot
      • Sshutle
      • VPNPivot
      • SSH Tunneling
      • Linux Backdoring
  • Windows
    • Windows Enumeration
    • Windows Privilege Escalation
    • Hashdump
    • Transferring Files Without Metasploit
    • Backdoring
    • Windows Pivot
      • Plink
• Resources
  • Wordlist
    • seclist
    • cotse
    • PacketStorm
  • Default Passwords
    • Default Passoword
    • Router Password
  • Leak
    • Pastebin
  • Tables
• Contribution

Recon

DNS

Nslookup

Resolve a given hostname to the corresponding IP.

nslookup targetorganization.com

Reverse DNS lookup

nslookup -type=PTR IP_address

MX(Mail Exchange) lookup

nslookup -type=MX domain

Zone Transfer

Using nslookup Command

nslookup
server domain.com
ls -d domain.com

Using HOST Command

host -t ns(Name Server) < domain >

host -t ns domain.com

after that test nameservers

host -l < domain > < nameserver >

host -l domain.com ns2.domain.com

Nmap Dns Enumaration

nmap -F --dns-server <dns server ip> <target ip range>

Auto tools

DNSenum

dnsenum targetdomain.com

dnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com

DNSmap

dnsmap targetdomain.com -w <Wordlst file.txt>

Brute Force, the file is saved in /tmp

dnsmap targetdomain.com -r

DNSRecon DNS Brute Force

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Fierce.pl

fierce -dns targetdomain.com

HostMap

hostmap.rb -only-passive -t <IP>

We can use -with-zonetransfer or -bruteforce-level

Online Tools

• https://dnsdumpster.com/
• https://network-tools.com/nslook/
• https://www.dnsqueries.com/en/
• https://mxtoolbox.com/

Resources

• Wordlists
  • PacketStorm
  • SecList
  • cotse
• Default Password
  • DefaultPassword
  • RouterPassword
• Leak
  • Pastebin
• Tables
  • RainbowCrack

Contribution

HOW TO