https://tryhackme.com/room/ccpentesting
Nmap
network mapper -> nmap
See notes on Nmap here.
Netcat
Extremely versatile tool. It allows users to connect to specific ports and send and receive data, and it is a very popular tool for catching a reverse shell. Data can be piped through nc.
-l    Listen for connections
-v    Verbose mode
-p    Specify the port to listen on
-e    Specify which program to execute after you connect to a host
-u    Connect to a UDP port
Gobuster
It can find valid directories from a wordlist of possible directories. It can also find valid subdomains.
dir   Directory bruteforcing mode
dns   DNS bruteforcing mode
dir options:
-x    Specify an extension to add to each word (for example look for admin.php instead of admin)
-w    Specify the wordlist to use
-U    Username for basic authentication
-P    Password for basic authentication
-s    Set the status codes that gobuster will interpret as valid
-k    Skip SSL certificate verification
-a    Specify the User-Agent
-H    Specify an HTTP header
-u    Specify the URL to bruteforce
Nikto
Popular web scanning tool that allows users to find common web vulnerabilities. It is used to find common CVEs (such as Shellshock) and general information about the web server we are enumerating.
-h             Specify the host to scan
-nossl         Disables SSL
-ssl           Forces SSL
-id            Specify authentication (username + password)
-Plugins       Specify which plugins to use
  apacheusers  Plugin that checks if you can enumerate Apache users
-update        Updates the plugins list
-list-plugins  Lists all available plugins
Metasploit
See notes on Metasploit here.
Hash cracking
Hashed passwords -> It is important to know how to crack hashed passwords in order to authenticate to a website, or sometimes even over SSH.
Virtually every tool uses the same input format: a file containing the hash(es), one per line. Example:
<hash 1>
<hash 2>
<hash 3>
Same format for salted hashes:
<hash1>:<salt>
<hash2>:<salt>
<hash3>:<salt>
Note: Different hashing algorithms treat salts differently. Some prepend them and some append them. Research what it is you’re trying to crack, and make the distinction.
Salt -> In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or a passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system; a salt is one of those methods. (Source: Wikipedia)
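The two points above (the hash:salt file format and the prepend/append distinction) shown in code. This is an added example, not part of the original notes or of any tool; the passwords, salts and the choice of SHA-256 with the salt prepended are all constructed for the demo.

```python
import hashlib


def salted_sha256(password: str, salt: str, salt_first: bool) -> str:
    """SHA-256 of salt+password (salt_first=True) or password+salt (False)."""
    data = (salt + password) if salt_first else (password + salt)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def parse_hash_file(text: str) -> list:
    """Parse the <hash>:<salt> one-entry-per-line format the notes describe."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            digest, salt = line.split(":", 1)
            entries.append((digest.lower(), salt))
    return entries


def check_wordlist(entries: list, wordlist: list, salt_first: bool) -> dict:
    """Return {hash: word} for each entry whose salted hash matches a word."""
    found = {}
    for digest, salt in entries:
        for word in wordlist:
            if salted_sha256(word, salt, salt_first) == digest:
                found[digest] = word
                break
    return found


# Constructed sample: two accounts chose the same password but received
# different random salts, so their stored hashes differ (the point of salting).
# This (hypothetical) system prepends the salt before hashing.
STORED = "\n".join(
    f"{salted_sha256('letmein', salt, True)}:{salt}" for salt in ("x7Qp", "m2Zr")
)
WORDLIST = ["password", "letmein", "hunter2"]


def demo() -> tuple:
    """Same file, same wordlist: only the matching salt convention succeeds."""
    entries = parse_hash_file(STORED)
    as_prepended = check_wordlist(entries, WORDLIST, salt_first=True)
    as_appended = check_wordlist(entries, WORDLIST, salt_first=False)
    return len(as_prepended), len(as_appended)


if __name__ == "__main__":
    print(STORED)
    print("matches assuming salt prepended / appended:", demo())  # (2, 0)
```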
Hashcat
https://hashcat.net/wiki/doku.php?id=example_hashes
-m    Sets the hash mode (hash type)
-a    Attack mode
  3   Attack mode number 3, brute-force mode
John
One of the best hash cracking tools available.
--wordlist       Specify the wordlist to use
--format         Specify the hash format to use (ex: MD5, SHA1, etc.)
--list=formats   See supported formats
--rules          Specify which rule set to use; enables word mangling rules
SQL injection
The art of modifying an SQL query to get access to a target's database. It is one of the most common web vulnerabilities.
SQLmap
Tool that checks for various types of injections.
-u          Specify the URL to check
-g          Specify a Google dork to use
-p          Select which parameter to test
--dbms      Sets the DBMS running on the target's backend
--level     Select the level of depth sqlmap should use (higher -> more thorough)
-D          Sets the database to enumerate
-T          Sets the table to enumerate
--os-shell  Asks sqlmap to get an interactive OS shell
--dump      Dumps the database
--dump-all  Dumps all data from every table
Manual SQL injection
Sqlmap is not always usable, for example if the target has set up a firewall or a request limit, so it is important to know basic manual SQL injection. A list of ways to find SQL injections can be found here.
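What a manual test is actually exercising, as an added example that is not part of the original notes: a login query built by string concatenation beside its parameterised fix, run against a constructed in-memory SQLite table (sample users and passwords are made up for the demo).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """Concatenation: user input becomes part of the SQL grammar itself."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def raises_sql_error(login, conn, name: str, password: str) -> bool:
    """True if the input broke the query: a lone quote causing a database
    error is the classic tell when probing for injection by hand."""
    try:
        login(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # closes the password literal, adds an always-true clause
    print("vulnerable, wrong password + tautology:", login_vulnerable(db, "admin", tautology))
    print("safe, same input:", login_safe(db, "admin", tautology))
    print("vulnerable errors on a lone quote:", raises_sql_error(login_vulnerable, db, "admin", "'"))
    print("safe errors on a lone quote:", raises_sql_error(login_safe, db, "admin", "'"))
```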
Samba
Mainly found on Windows machines.
smbmap
One of the best ways to enumerate Samba. It allows pentesters to run commands (given proper permissions), download and upload files, and overall is just incredibly useful for SMB enumeration.
-u          Sets the username to authenticate with
-p          Sets the password to authenticate with
-H          Sets the host
-x          Runs a command on the server (assuming you have permission)
-s          Specify the share to enumerate
-d          Set which domain to enumerate
--download  Downloads a file
--upload    Uploads a file
Given the username "admin", the password "password", and the IP "10.10.10.10", how would you run ipconfig on that machine?
smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
smbclient
Allows the same options as smbmap but also offers an interactive prompt.
-W    Specify which domain (workgroup) to use when connecting to the host
-I    Specify the IP address of the host
-c    Run a command
-U    Specify the username to authenticate with
-P    Specify the password to authenticate with
-N    Tell smbclient not to use a password
Interactive prompt commands:
get   Download a file
put   Upload a file
impacket
impacket is a collection of extremely useful Windows scripts. It has many scripts available that use SMB to enumerate and even gain shell access to Windows machines. All scripts can be found here.
General:
Linux:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ (a bit old but still worth looking at)
https://github.com/rebootuser/LinEnum (popular priv esc scripts)
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh (Another popular script)
https://github.com/mzet-/linux-exploit-suggester (kernel exploits)
Windows:
https://www.fuzzysecurity.com/tutorials/16.html (Describes some very useful commands and methods to enumerate the host and gain intel)
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp (A bit old but still an incredibly useful script)
https://github.com/411Hall/JAWS (A general enumeration script)
Privilege Escalation
sudo -l    List the commands the current user is allowed to run with sudo
sudo su    Switch to the superuser
If you have any questions or remarks don’t hesitate to reach out on discord to therokdaba#9872.