Rexturnull/Linux-PenTest

PenTest-Sheet

Todo List

  1. SCAN

    • Target IP discovery
    • RustScan + Nmap
      • TCP port
      • UDP port (Top 20)
        • SNMP
      • Service Detail Scan
      • Service vulnerability Scan
    • Service
    • DNS
      • Change /etc/hosts
      • Subdomain
    • Test Service : nc -nv IP port
      • help (get banner)
      • version
    • Exploit
      • Searchsploit
      • Online Search Exploit
  2. WEB Information Gathering

    • Whatweb
    • View Source Code
    • Directory & subdirectory enumeration
      • Gobuster
      • dirsearch
    • Git
      • git log
      • git leak
    • Page
      • robots.txt
      • readme.txt
      • Changelog
      • VERSION.txt
      • Error Page
    • Steganography
      • binwalk
      • exiftool
    • For a public CMS, the login page location can be found online
  3. WEB Interactive

    • Web Parameter Enumeration
      • wfuzz
    • Web System Exploit
    • Local File Inclusion
      • Steal .ssh
        • /home/$user/.ssh/id_rsa
        • /home/$user/.ssh/id_ecdsa
      • /etc/passwd get Users
    • Login Page
      • Weak Password
      • Register
      • SQL Injection
      • Hydra or script brute force
      • Exploitdb
    • Upload ReverseShell
      • Upload File
      • Upload Arbitrary File
      • Directory Traversal
      • Bypass
        • File Type Bypass
        • with Command Injection
        • Word Trojan
      • Code edit (404 page, PHP code) to trigger an error
    • SQL Injection
      • Command
      • xp_cmdshell
    • Responder
    • HackTrick
  4. Get Reverse Shell to Privilege Escalation

    • Environment check
      • User
      • dpkg
      • Low Kernel Version Check
      • Routine Task
      • Process
      • Network
      • SUDO
      • SUID
      • Soft Link
      • PATH
      • .bash_history
      • .config
      • backup file
      • In Docker or not
      • Starting from the domain and IP addresses, explore information connected to the host
      • Command Injection in ELF file
      • Sensitive directory or file (grep, find)
    • File
      • Writable File
      • Web Config
    • linpeas.sh
    • Sometimes activating the SSH service helps
    • Famous Vulnerability CVE
  5. P & DP (Pivot & Double Pivot)

    • Chisel
    • SSH Port Forwarding

Common

CVE

  • DirtyCOW
  • Shellshock
  • Heartbleed
  • Log4Shell

Service

  • SMB
    • Common
    • Detect
    • Mount
    • smbclient
    • smbmap
    • SMB enum4linux
    • Crackmapexec
    • nxc
  • FTP
  • NFS - 2049/tcp
  • SSH
  • SIP
  • SMTP
  • SNMP
    • Common
    • snmp-check
    • onesixtyone
    • Nmap Script - SNMP Account
  • Other Service
    • RSIP - 4555/tcp
    • POP3 - 110/tcp
    • IMAP - 143/tcp
    • Finger - 79/tcp
    • ident - 113/tcp
    • VNC
    • Redis - 6379/tcp
    • WebDAV
    • unisql - 1978/tcp

WEB

Language

Linux Command

Pivot & Double Pivot

ENV

Install Kali on your host.

https://www.youtube.com/watch?v=nidXuQ4jE8I

Parrot: a lighter Kali alternative for pentesting, with an IDE (VS Code) preinstalled

https://www.youtube.com/shorts/A4D3si8EJiw

VM networking

Bridge    : VMnet0
NAT       : VMnet8
Host-Only : VMnet1


Wired NIC          : eth0, eth1, eth2...
Wireless NIC       : wlan0, wlan1, wlan2...
Point-to-point link: ppp0, ppp1...
Virtual (tunnel) NIC: tun0, tun1...
Loopback           : lo

Gadget

  1. wikit (Wikipedia summary from the terminal)
# https://github.com/KorySchneider/wikit
sudo apt install nodejs
sudo apt install npm
sudo npm install wikit -g
wikit $essential   # replace $essential with the topic to look up
  2. BinaryNinja
# IDA Pro-like disassembler for Linux
# https://binary.ninja/demo/
# https://www.youtube.com/watch?v=Fsf8DPe-Wvw
  3. tmux
sudo apt install tmux

# enable mouse support: add this line to ~/.tmux.conf
vim ~/.tmux.conf
set -g mouse on
# reload the config (a plain shell `source` of the file will not work)
tmux source-file ~/.tmux.conf

# -----

tmux
# Ctrl+b is the prefix; press it, then the shortcut
"       # split the pane horizontally
%       # split the pane vertically
arrow keys  # move to another pane

space   # cycle through layouts
o       # move to the next pane
z       # zoom the pane to full screen; press again to restore its previous size
hold Ctrl + arrow key # resize the pane

x       # close the pane
d       # detach from the session
  4. Something else
FoxyProxy
AntSword (蟻劍)
  5. Share Login
https://bugmenot.com/

leetspeak

WINDOWS

About

Some Penetration Test Note
