
Cheat Sheet (Quick Pentest)


by Muhammad Bilal
https://www.linkedin.com/in/muhammad-bilal7276/

Contents

Information Gathering
  Directory Busting and VHOST Enumeration
    Dir Busting
    VHOST Enumeration
    Wordlists
    Dir Busting: Gobuster, FFUF
    Finding Files: Gobuster, FFUF
    VHOST Enumeration: Gobuster, FFUF
  Passive Reconnaissance with Digital Certificates
    Digital certificate search engines
  DNS Enumeration
    Record Types
    dig
    host (simplest DNS enumeration tool)
    nslookup (a cross-platform tool for DNS enumeration)
    Zone Transfer
    Automated tools for DNS
Scanning
  Host Discovery
    Identifying Live Hosts
  Service and OS Discovery
    Service Discovery
Exploitation
  Password Brute Force
Post Exploitation

Information Gathering
Directory Busting and VHOST Enumeration

Dir Busting
Find directories and pages of a website.

VHOST Enumeration
Find the virtual hosts (additional sites, usually subdomains) served by a web server.

Wordlists

sudo apt install seclists

DIR BUSTING



Gobuster

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbu

FFUF

ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuste

Finding Files
Gobuster



gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbu

FFUF can also be used to brute-force file names.

FFUF

ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuste

VHOST Enumeration

VHOST enumeration is the process of identifying virtual hosts (VHOSTs) on a
web server. Name-based virtual hosting lets one web server, on a single IP
address and port, serve several domain names: the server picks the site from
the Host header of each request. A name that has no DNS record can therefore
still be a live site, so the enumeration sends requests with candidate names
in the Host header and watches for responses that differ from the default
site (a different status code or response size).


Gobuster

gobuster vhost -u http://example.com -w /usr/share/wordlists/Sec

FFUF

ffuf -u http://example.com -w /usr/share/seclists/Discovery/DNS/
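The two techniques above (path brute forcing and Host-header fuzzing) as an added example in plain Python, not code from the cheat sheet or from the gobuster/ffuf projects. It starts a constructed local HTTP server so it runs offline; the paths, the vhost name dev.example.com and both wordlists are invented for the demonstration.

```python
"""Added example, not code from the cheat sheet: a minimal directory and
VHOST fuzzer in pure Python, run against a constructed local HTTP server so
it works offline. KNOWN_PATHS, KNOWN_VHOST and both wordlists are made up."""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed target: three "existing" paths on the default site and one
# name-based virtual host that has no DNS record (hypothetical names).
KNOWN_PATHS = {"/admin": 403, "/login": 200, "/robots.txt": 200}
KNOWN_VHOST = "dev.example.com"

DIR_WORDS = ["admin", "backup", "login", "config", "robots.txt"]
VHOST_WORDS = ["www", "dev", "staging", "mail"]

# Ignore any http_proxy in the environment: the target is loopback.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class _Target(http.server.BaseHTTPRequestHandler):
    """Routes on the Host header first, like a real name-based vhost setup."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == KNOWN_VHOST:
            code, body = 200, b"<h1>dev portal</h1>"
        elif self.path in KNOWN_PATHS:
            code = KNOWN_PATHS[self.path]
            body = b"ok" if code == 200 else b"forbidden"
        else:
            code, body = 404, b"default site: not found"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind the constructed target to a free loopback port; returns (server, base URL)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(url, host=None):
    """GET url, optionally overriding the Host header; returns (status, body size)."""
    req = urllib.request.Request(url, headers={"Host": host} if host else {})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
        return err.code, len(err.read())


def dir_bust(base, words, ignore=(404,)):
    """What `gobuster dir` / `ffuf -u URL/FUZZ` do: request each word as a path
    and keep everything whose status is not in the ignore list (403 is a hit:
    the path exists even though it is forbidden)."""
    hits = {}
    for word in words:
        code, _ = fetch(f"{base}/{word}")
        if code not in ignore:
            hits[f"/{word}"] = code
    return hits


def vhost_enum(base, domain, words):
    """What `gobuster vhost` / `ffuf -H 'Host: FUZZ.domain'` do: the URL never
    changes, only the Host header. A candidate counts when the (status, size)
    pair differs from the baseline for a name that cannot exist."""
    baseline = fetch(base + "/", host=f"zz-baseline-no-such-host.{domain}")
    found = []
    for word in words:
        host = f"{word}.{domain}"
        resp = fetch(base + "/", host=host)
        if resp != baseline:
            found.append((host, resp[0]))
    return found


def run_demo():
    """Start the target, run both fuzzers, stop it; returns (dir hits, vhosts)."""
    srv, base = start_server()
    try:
        return dir_bust(base, DIR_WORDS), vhost_enum(base, "example.com", VHOST_WORDS)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    dirs, vhosts = run_demo()
    print("dir busting:", dirs)
    print("vhosts:", vhosts)
```

The baseline comparison in vhost_enum is the same idea as ffuf's -fs/-fc filters: against a catch-all server every unknown name returns the default site, so only a response that differs in status or size is worth reporting.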

Passive Reconnaissance with Digital Certificates

Digital certificates are primarily used to ensure the security and
authenticity of websites. They help to establish a secure connection
between a user's browser and the website, by verifying that the site is
legitimate and encrypting the data exchanged between the two parties.

Digital certificates can also be used to discover subdomains. A certificate
lists every host name it covers in its Subject Alternative Name field, and
publicly trusted CAs record each certificate they issue in Certificate
Transparency logs. Searching those logs for a domain therefore returns the
certificates issued to it, and the names on them reveal subdomains, often
including internal or forgotten ones. A wildcard entry (*.example.com) only
shows that a wildcard certificate exists, not which hosts sit behind it.


Digital certificate search engines

crt.sh

Entrust Certificate Search

Censys
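Turning a certificate search result into a subdomain list, as an added example that is not part of the cheat sheet. The JSON is a constructed sample in the shape crt.sh returns for a query with output=json (the name_value field holds the certificate's names, newline-separated); the host names in it are invented.

```python
"""Added example, not code from the cheat sheet: extract subdomains from a
crt.sh JSON result. SAMPLE_CRTSH_JSON is constructed to match the shape of a
crt.sh ?q=%25.example.com&output=json answer; every name in it is made up."""
import json

SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nMail.Example.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com\nstaging-vpn.example.com"},
    # Search results are substring matches, so unrelated domains can appear.
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])


def subdomains_from_crtsh(raw_json, domain):
    """Return (sorted host names under `domain`, sorted wildcard entries).

    Names are lower-cased and deduplicated. A wildcard proves only that a
    wildcard certificate exists, so it is reported separately rather than as
    a host. Anything that is not `domain` or `*.domain` is dropped, which
    keeps look-alike matches such as example.com.evil.test out."""
    domain = domain.lower()
    names, wildcards = set(), set()
    for entry in json.loads(raw_json):
        candidates = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in candidates:
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names), sorted(wildcards)


if __name__ == "__main__":
    hosts, wild = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("hosts:", hosts)
    print("wildcards:", wild)
```

Names found this way still need to be resolved: certificates outlive the hosts they were issued for, so the list is a set of candidates for the DNS enumeration step that follows, not a list of live systems.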



DNS Enumeration

DNS enumeration, also known as DNS recon, is the process of gathering
information about a domain name system (DNS) infrastructure and its associated
records. DNS translates human-readable domain names (e.g., www.example.com)
into machine-readable IP addresses (e.g., 192.168.1.1). DNS enumeration
queries DNS servers for the various record types, which can reveal valuable
information about the target domain, including hidden or internal subdomains.

The primary purpose of DNS enumeration is to gather intelligence about a
target's DNS infrastructure. Security professionals, penetration testers and
malicious actors use it to identify potential vulnerabilities,
misconfigurations or targets for further attacks: subdomains, mail servers,
name servers and other potential entry points.


Record Types

dig

The most common DNS enumeration tool; the DNS swiss army knife.

Host

Simplest DNS Enumeration tool



nslookup (A cross platform tool for DNS Enumeration)



Zone Transfer
Zone transfer (AXFR) is a mechanism in DNS for replicating the zone database
from a primary name server to its secondaries. A server should only allow
transfers to its own secondaries; one that answers AXFR from any client hands
out the complete zone, including subdomains, IP addresses and mail servers,
which is exactly what pentesters and attackers want. A correctly configured
server refuses the request (RCODE REFUSED), so test every name server of the
target separately: it only takes one misconfigured secondary.


Automated tools for DNS



DNSRecon (dnsrecon)

DNSEnum (dnsenum)

Fierce (fierce)

Scanning

Host Discovery
Identifying Live Hosts
Host discovery is always the first step in any ethical hacking certification
exam and in CTFs. It involves enumerating the IP addresses of the systems
available in the test environment

Netdiscover is used to scan for the live hosts on the network

netdiscover -i (network interface name)



Ping scan is used to scan for the live hosts on the network

nmap -sn 192.168.18.1/24

ARP scan is another method to scan for the live hosts on the network (it only
works on the local segment, but a host firewall cannot block it)

nmap -sn -PR 192.168.18.0-255

To find IP addresses

=> arp-scan -l
=> netdiscover -r 182.14.4.0/24

Nmap has a vast variety of scans available. Some of the most useful scans for
host discovery are listed below

nmap -sn -PU 192.168.18.110 //UDP ping scan
nmap -sn -PE 192.168.18.1-255 //ICMP echo ping scan
nmap -sn -PM 192.168.18.1-255 //Mask Ping scan (use if ICMP is b
nmap -sn -PP 192.168.18.1-255 //ICMP timestamp scan
nmap -sn -PS 192.168.18.1-255 //TCP SYN ping scan
nmap -sn -PO 192.168.18.1-255 //IP protocol scan.use different p

Service and OS Discovery

Service Discovery
Identify open ports, then identify the services running on those ports.

Nmap is the go-to tool for identifying open ports and the services running on
them



nmap -sS -sV 192.168.18.1/24

Nmap Commands

# scan whole subnet
nmap 192.168.17.0/24

# TCP scan: all ports, with OS detection, version detection, default scripts and traceroute (-A)
sudo nmap -T4 -p- -A 192.168.18.73

# UDP scan: all ports (slow; run it against chosen hosts, not the whole subnet)
nmap -sU -T4 -p- 192.168.18.73

# Banner grabbing on the open ports
nmap --script=banner 10.129.228.159
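Turning the host discovery and service discovery output above into a target list, as an added example that is not part of the cheat sheet. It parses nmap's grepable format (add -oG to the -sn or port scans above), where each Host: line carries tab-separated fields and the Ports: field lists port/state/protocol/owner/service/rpc/version entries. The scan output embedded below is constructed, not a real scan.

```python
"""Added example, not code from the cheat sheet: parse `nmap -oG` (grepable)
output from a -sn host discovery and a port/version scan into a host table.
SAMPLE_GNMAP is constructed; the addresses and banners are made up."""
import re

SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample, not real output)
Host: 192.168.18.1 (gw.lab.test)\tStatus: Up
Host: 192.168.18.73 ()\tStatus: Up
Host: 192.168.18.73 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.18.90 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": [...]}} from grepable output.

    -sn scans produce `Status:` lines; port scans produce `Ports:` lines with
    seven slash-separated fields per entry. Both can appear for one host when
    several scans are concatenated, so results are merged per IP."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(part.split(": ", 1) for part in line.split("\t"))
        ip, hostname = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        host = hosts.setdefault(ip, {"hostname": hostname or None, "up": None, "ports": []})
        if "Status" in fields:
            host["up"] = fields["Status"] == "Up"
        if "Ports" in fields:
            host["up"] = True                      # ports were probed, so it answered
            for entry in fields["Ports"].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                host["ports"].append({"port": int(port), "state": state, "proto": proto,
                                      "service": service, "version": version})
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def live_hosts(hosts):
    """IPs that answered host discovery, in address order (the -sn step's result)."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=_ip_key)


def open_services(hosts):
    """(ip, port, service, version) for every open port: the list the
    exploitation step (hydra, nikto, ...) is run against."""
    return [(ip, p["port"], p["service"], p["version"])
            for ip in sorted(hosts, key=_ip_key)
            for p in hosts[ip]["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    table = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(table))
    for svc in open_services(table):
        print("open:", svc)
```

Closed and filtered ports are kept in the table but left out of open_services; a closed port (RST received) still tells you the host is up and not firewalled on that port, which matters when the ping scans above were blocked.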

Nikto scan

nikto -h http://192.168.18.73

Exploitation

Password Brute force



Hydra

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords

hydra takes one username (-l) or a username list (-L), a password list (-P)
and then the target in service://host form (for example ssh://10.10.10.10).
Check the account lockout policy first: a brute force against a domain
account can lock it out.

Post Exploitation

Windows credential dump (Meterpreter)

hashdump
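Triage of a hashdump result, as an added example that is not part of the cheat sheet. hashdump prints one line per local account as user:RID:LM hash:NT hash:::; the lines below are constructed and the hashes in them are sample values, not dumped credentials. The two constants are the well-known hashes of the empty string.

```python
"""Added example, not code from the cheat sheet: parse and triage Meterpreter
`hashdump` output. SAMPLE_HASHDUMP is constructed; the user names and hash
values are sample data, not real credentials."""

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM disabled or empty)
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (account has no password)

SAMPLE_HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
"""


def parse_hashdump(text):
    """One dict per account: user, rid, lm, nt (hashes lower-cased)."""
    entries = []
    for line in text.splitlines():
        if line.count(":") < 3:
            continue                               # skip noise between dump lines
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """Findings a tester acts on before any cracking starts:
    blank_nt   - accounts with no password at all
    lm_stored  - accounts whose LM hash is real (LM is trivially crackable)
    shared_nt  - accounts sharing an NT hash, i.e. the same password
    crack_list - user:NT lines with blanks removed, ready for offline cracking
    The NT hash itself is usable for pass-the-hash, so shared_nt is also a
    lateral-movement finding, not only a password-reuse one."""
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    return {
        "blank_nt": [e["user"] for e in entries if e["nt"] == BLANK_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != BLANK_LM],
        "shared_nt": [users for users in by_nt.values() if len(users) > 1],
        "crack_list": [f"{e['user']}:{e['nt']}" for e in entries if e["nt"] != BLANK_NT],
    }


if __name__ == "__main__":
    for finding, value in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{finding}: {value}")
```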
