Penetration Testing Cheat Sheet

Terms of use

Regular penetration testing can significantly improve a company's security. The auditor shall obtain all necessary rights and permissions from the owner of the target network or target system before conducting any audit.

All the content and resources are provided in the hope that they will be useful. The author does not take responsibility for any misapplication of them. The document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.


Linux Security Audit Commands:
-------------------------------------------------------------- Remote Network Commands --------------------------------------------------------------
# Useful commands to be used over network for Linux system
# traceroute
traceroute 8.8.8.8
# traceroute using ICMP
traceroute -I 8.8.8.8
# nmap TCP SYN scan, all TCP ports, with default scripts, written to all nmap output formats
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
# nmap reverse DNS resolution
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16
# update the nmap script database
nmap --script-updatedb
# list nmap scripts
ls -la /usr/share/nmap/scripts/
# nmap brute force scripts
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
# help for a script
nmap --script-help=ssl-heartbleed
# scan using a script
nmap -sV --script=ssl-heartbleed.nse -p <port> <host>
# scan using a set of scripts
nmap -sV --script=smb* -p <port> <host>
# nmap used as vulnerability scanner
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone https://github.com/scipag/vulscan.git
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
# ncrackncrack -vv --user root <host>:<port># ncrack RDPncrack -vv -U username.txt -P password.txt <host>:3389# ncrack SSHncrack -vv --user root <host>:22
# crack password used in encrypted zip archivefcrackzip -b -l 1-4 -u ./archive.zip
# hydra# Bruteforce SSHhydra -L <user-list.txt> -P <password-list.txt> ssh://<host># Bruteforce IP router over HTTPhydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080# Bruteforce FTPhydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp# Bruteforce RDPhydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1
# skipfish# basic scanskipfish -o out_dir https://www.host.com# using cookies to access authenticated pagesskipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com
# wfuzz# URL brute forcingwfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php# GET params brute forcingwfuzz -c -z file,users.txt -z file,pass.txt --hc 404 http://<host>/index.php?user=FUZZ&pass=FUZ2Z
# sqlmapsqlmap -u "http://host.com/vulnerable.php?param=12345"sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_loginssqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbssqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T tablesqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"sqlmap -r POST.txt -p field
# MySQLmysql -u <username> -p --port <port> -h <host>mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
# Oraclesqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
# --------- sqlplus commands -----------# improve sqlplus console output SET PAGESIZE 50000;
# list tablespacesSELECT TABLESPACE_NAME FROM USER_TABLESPACES;

# list all tables SELECT owner, table_name FROM dba_tables;
# find table with given column nameSELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';
# find table and count rows for given column nameSET SERVEROUTPUT ONDECLAREval NUMBER;BEGINFOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOPEXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );END LOOP;END;/
# find string in whole database for columns type NVARCHAR2SET SERVEROUTPUT ON SIZE 100000
DECLAREmatch_count INTEGER;BEGINFOR t IN (SELECT owner, table_name, column_name FROM all_tab_columns WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP
EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name || ' WHERE '||t.column_name||' = :1' INTO match_count USING 'SEARCH_TEXT';
IF match_count > 0 THEN dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );END IF;
END LOOP;
END;/# --------------------------------------

# Postgres
psql -h 127.0.0.1 db_name username
# SNMP# SNMPv1snmpwalk -mALL -v1 -cpublic <host>snmpwalk -mALL -v1 -cprivate <host>snmpget -mALL -v1 -cpublic <host> sysName.0# SNMPv2snmpwalk -v2c -cprivate <host>:<port>snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)# SNMPv3snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord <host>:<port> system
# LDAPldapsearch -x -b "dc=company,dc=com" -s base -h <host>LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s subldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldifdn: ou=people,dc=company,dc=comobjectClass: topobjectClass: organizationalunitou: people...
ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
# Redis
redis-cli dbsize
# get all keys from DB0
redis-cli -n 0 keys "*"
# NFS
showmount -e 127.0.0.1
mount -o ro 127.0.0.1:/ /mnt/nfs
# SIP# svmap, send SIP OPTIONSsvmap -p5060,5061,5080-5090 10.0.0.1
# svcracksvcrack -u100 -d dictionary.txt 10.0.0.1
# SMBsmbclient -L <host> -Nsmbclient //<host>/<dir> -N
# SSHFS
# mount
sshfs user@<host>:/remote/path /mnt/tmp -C -p 22
# unmount
fusermount -u /mnt/tmp
# redirredir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
# sending HTTP POST request
curl --data "param1=value1&param2=value2" https://host.com/index.php
# sending SOAP request by nc
#!/bin/sh
HOST=host.com
PORT=8888
nc $HOST $PORT << __EOF__
POST /services/ HTTP/1.1
Host: host.com:8888
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/"> <soapenv:Header/> <soapenv:Body> <web:soapRequest> </web:soapRequest> </soapenv:Body></soapenv:Envelope>
__EOF__
# sending SOAP request by curl$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
$ cat data.xml <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/"> <soapenv:Header/> <soapenv:Body> <web:soapRequest> </web:soapRequest> </soapenv:Body></soapenv:Envelope>
# send payload using nping, spoof source IPsudo nping -c 1 --data hexstring --udp -p dest_port -S source_ip -g source_port dest_ip

# Bash equivalent of SQL GROUP BY (count occurrences of each line)
cat test.txt | sort | uniq -c | sort -n
# Wireshark over SSH
ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)
# HEX to PCAP
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
# Parse JSON
grep -Po '"field" : .*?[^\\]",' test.json
# tshark to Elasticsearch output
./tshark -i any -f tcp -T ek -e "ip.addr" -e "tcp.port"
# tshark display filter to file
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap
# john the ripper over GPU, OpenCL formats, start session
john --session=session_name --format=opencl ~/hash.txt
# john list the GPU OpenCL formats
john --list=formats --format=opencl
# john the ripper, continue session
john --restore=session_name
# john the ripper, show the cracked passwords
john ~/hash.txt --show
# dynamic formats
# edit john/JohnTheRipper/run/dynamic.conf
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt

-------------------------------------------------------------- Local Commands --------------------------------------------------------------
# Useful commands running locally on the Linux system
# To quickly analyze the system and possibly help to escalate privileges.
# Before connecting to the remote system, enable logging to record the interactive session; only afterwards perform e.g. the ssh connect.
script <filename>
# login
ssh username@hostname
# check current shell
echo $0
# check current user
whoami
# current folder
pwd
# list history of the user
history
# check system
uname -a
# check uptime
uptime
# check system variables
export
# processes
ps -ef
ps auxf
ps auxfww
# find in files
find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
# SUID files owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null
# SUID files owned by root and world readable
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
# SUID files
find / -perm -4000 -type f 2>/dev/null
# world writable directories
find / -perm -2 -type d 2>/dev/null
# find passwords in files and ignore errors and filter out the proc and other foldersfind . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null
# find using several patterns read from file (patterns are delimited by new line)find . -type f -exec grep -iHFf patterns.txt {} \;
# find password keyword in small filesfind . -type f -size -512k -exec fgrep -iHn password {} \;
# reverse java jar files and find passwords therefind . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
# check open ports and listening services
netstat -anp
# check defined hosts
cat /etc/hosts
# check local IP addresses and interfaces
ifconfig -a
# check route
route -v
# check filesystem
df
# check sudo privileges
sudo -l
# check crontab
crontab -l
# check inittab
cat /etc/inittab
# try to sniff traffic
tcpdump
tcpdump -s0 not port 22 -w trace.pcap
# check known hosts
cat ~/.ssh/known_hosts
# try to access mails
head /var/mail/root
# list groups, users
cat /etc/group
cat /etc/passwd
# with root privileges
cat /etc/shadow
# check shared memory
ipcs -mp
# logout
logout
# close script session
Ctrl + D

-------------------------------------------------------------- SSH tunneling and chaining --------------------------------------------------------------
# Useful to jump or tunnel traffic over several machines
# SSH proxy command
ssh config (~/.ssh/config)
Host _first_server
  Hostname XXX.XXX.XXX.XX
  Port 22
  User root

Host _second_server
  Hostname 127.0.0.1
  Port 22
  User root
  # password is "XXXXXXX"
  ProxyCommand ssh -v -W 127.0.0.1:22 _first_server

Host _third_server
  Hostname XXX.XXX.XXX.XXX
  Port 22
  User XXXXX
  ProxyCommand ssh _second_server -W %h:%p

Host _host_over_sshpass and ssh key
  Hostname XXX.XXX.XXX.XXX
  IdentityFile id_rsa
  User XXXXX
  # NOTE: sshpass -p puts the password on the command line, where it is visible in the process list and shell history; sshpass -e (SSHPASS env var) or -f <file> avoids that
  ProxyCommand sshpass -pXXXXXXX ssh -Fssh_config _host_previous_in_chain -W %h:%p
# connect
ssh root@_second_server
# Proxychains
# run ssh in the background without executing a remote command
ssh -f -N -D 9050 user@host
proxychains telnet hosts
# using local SSH tunneling to access a web server on the remote server
sudo ssh -F ~/.ssh/ssh_config _host_definition -L 127.0.0.1:8080:127.0.0.1:8080 -L 127.0.0.1:8443:127.0.0.1:8443
# torsocks
torsocks sshpass -p '********' ssh -C admin@XXX.XXX.XXX.XXX "sudo tcpdump -i any -U -s0 -w - 'not port 22'" | wireshark -k -i -
# allow internet access on the remote server over the client SSH connection (reverse SSH tunnel)
sudo apt install tinyproxy
sudo systemctl disable tinyproxy
sudo systemctl stop tinyproxy
sudo vi /etc/tinyproxy/tinyproxy.conf
# configure listen port (e.g. Port 3128)
sudo systemctl start tinyproxy
ssh -R 3128:127.0.0.1:3128 host
$ export http_proxy=http://127.0.0.1:3128
$ export https_proxy=http://127.0.0.1:3128

-------------------------------------------------------------- Decompilers --------------------------------------------------------------
# jd-gui (Java decompiler)
cd ~/Decompilers/Java/
java -jar jd-gui-1.6.2.jar
# ghidra (C decompiler)
~/Decompilers/ghidra_9.0.4/ghidraRun
# ffdec (Flash decompiler)sudo update-alternatives --config javaThere are 2 choices for the alternative java (providing /usr/bin/java).
Selection Path Priority Status------------------------------------------------------------ 0 /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1111 auto mode* 1 /usr/lib/jvm/java-10-openjdk-amd64/bin/java 1 manual mode 2 /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1111 manual mode
Press <enter> to keep the current choice[*], or type selection number:
~/Decompilers/Flash/ffdec_11.2.0_nightly1721./ffdec.sh

-------------------------------------------------------------- Auxiliary --------------------------------------------------------------
# compress & copy over ssh by rsync
rsync --append-verify -avhzpP -e ssh user@host:/source/* dest
# copy locally by rsync, full sync, delete removed files
rsync --append-verify -avhepP --delete /source/* dest
# Grep in csv
cat some.csv | awk -F, '$3 == value {print}'
# Find files modified within an exact date range
find . -type f -newermt "YYYY-MM-D1" ! -newermt "YYYY-MM-D2"