Attacking Common Services

Vulnerabilities are commonly discovered by people who use and understand technology, a protocol, or a service. As we evolve in this field, we will find different services to interact with, and we will need to evolve and learn new technology constantly.

To be successful at attacking a service, we need to know its purpose, how to interact with it, what tools we can use, and what we can do with it. This section will focus on common services and how we can interact with them.

SMB

GUI

Win + R
\\192.168.220.129\Finance\

CMD

dir \\192.168.220.129\Finance\

Mounting using CMD

net use n: \\192.168.220.129\Finance

net use n: \\192.168.220.129\Finance /user:plaintext Password123

With the shared folder mapped as the n drive, we can execute Windows commands as if this shared folder is on our local computer. Let's find how many files the shared folder and its subdirectories contain.

dir n: /a-d /s /b | find /c ":\"

dir command explanation:

Syntax   Description
dir      Application
n:       Directory or drive to search
/a-d     /a is the attribute and -d means not directories
/s       Displays files in a specified directory and all subdirectories
/b       Uses bare format (no heading information or summary)

dir for searching

With dir we can search for specific names in files such as:

  • cred

  • password

  • users

  • secrets

  • key

  • Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.

dir n:\*cred* /s /b

dir n:\*secret* /s /b

findstr for searching contents (grep equivalent)

findstr /s /i cred n:\*.*

PowerShell

Get-ChildItem \\192.168.220.129\Finance\

Mounting to drive letter

New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

To provide a username and password with PowerShell, we need to create a PSCredential object. It offers a centralized way to manage usernames, passwords, and credentials.

$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Counting files in the whole drive

N:
(Get-ChildItem -File -Recurse | Measure-Object).Count

Finding files by name

We can use the -Include parameter to find specific items from the directory specified by the -Path parameter.

Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

Select-String to find file contents (grep equivalent)

Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

Linux

Mount

sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

As an alternative, we can use a credentials file (mount -t cifs needs the cifs-utils package: sudo apt install cifs-utils).

mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

Credentials file (it holds a plaintext password, so keep it readable by root only, e.g. chmod 600):

username=plaintext
password=Password123
domain=.

Find file by name

find /mnt/Finance/ -name '*cred*'

Find file by content

grep -rn /mnt/Finance/ -ie cred
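As an added example that is not part of the original cheatsheet, the following POSIX shell functions do on a Linux mount what the dir/findstr, Get-ChildItem/Select-String and find/grep one-liners above do: count the files on a share, look for the sensitive name fragments and source-code extensions listed above, and search contents. The sample share tree is constructed inline so it runs offline; the function names and the sample paths are assumptions.

```shell
# Added example (not from the original cheatsheet): audit a mounted share the way
# the dir/findstr, Get-ChildItem/Select-String and find/grep one-liners above do.
# Assumes a POSIX shell with find, grep, sort and wc; the sample tree is constructed.

# Name fragments and source-code extensions listed on this page.
NAME_PATTERNS="cred password users secrets key"
EXTENSIONS="cs c go java php asp aspx html"

# Total regular files under a share (dir n: /a-d /s /b | find /c ":\" equivalent).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Files whose name contains one of the fragments, case-insensitive (dir n:\*cred* /s /b).
find_by_name() {
    for p in $NAME_PATTERNS; do
        find "$1" -type f -iname "*${p}*"
    done | sort -u
}

# Files with a source-code extension (.cs, .c, .go, ...).
find_source() {
    for e in $EXTENSIONS; do
        find "$1" -type f -iname "*.${e}"
    done | sort -u
}

# Files whose content mentions a keyword (findstr /s /i and grep -ri equivalent).
find_by_content() {
    grep -rli -- "$2" "$1" | sort -u
}

# Constructed sample share so the functions can be exercised offline.
make_sample_share() {
    root=$(mktemp -d)
    mkdir -p "$root/HR" "$root/Dev/src"
    printf 'user=alice\npassword=Summer2024\n' > "$root/HR/creds.txt"
    printf 'nothing sensitive here\n' > "$root/HR/report.txt"
    printf '$db_password = "x";\n' > "$root/Dev/src/config.php"
    printf 'int main(void) { return 0; }\n' > "$root/Dev/src/main.c"
    printf '%s' "$root"
}

# Usage: count first, then list what a reviewer of the share would want to inspect.
share=$(make_sample_share)
echo "files: $(count_files "$share")"
find_by_name "$share"; find_source "$share"; find_by_content "$share" password
rm -rf "$share"
```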

Other services

Email

Suggested client: evolution

Databases

  • Command Line Utilities (mysql or sqsh)

  • Programming Languages

  • A GUI application to interact with databases such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio.

Command Line Utilities

  • MSSQL:

    • Linux: sqsh -S 10.129.20.13 -U username -P Password123

    • Windows: sqlcmd -S 10.129.20.13 -U username -P Password123

  • MySQL

    • Linux: mysql -u username -pPassword123 -h 10.129.20.13

    • Windows: mysql.exe -u username -pPassword123 -h 10.129.20.13

Multi-DB GUI

dbeaver is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, PostgreSQL, among others.

To install it using a Debian package, we can download the release .deb package from https://github.com/dbeaver/dbeaver/releases and execute the following command:

sudo dpkg -i dbeaver-<version>.deb

General Tools

SMB            FTP         Email         Databases
smbclient      ftp         Thunderbird   mssql-cli
CrackMapExec   lftp        Claws         mycli
SMBMap         ncftp       Geary         mssqlclient.py
Impacket       filezilla   MailSpring    dbeaver
psexec.py      crossftp    mutt          MySQL Workbench
smbexec.py                 mailutils     SQL Server Management Studio or SSMS
                           sendEmail
                           swaks
                           sendmail