Enumeration

Tools for the enumeration phase: fuzzing, discovery, ...


Last updated 8 months ago

Wordlists

  • SecLists (paths below are relative to the repository root)

    • Subdomain enumeration: /Discovery/DNS (subdomain*)

    • Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list*.txt, web-extensions.txt, burp-parameter-names.txt)

    • LFI wordlist: /Fuzzing/LFI

  • Word list generator: Crunch

Port mapping

Nmap

Flag                        Description
-sC                         Run the default scripts
-sV                         Version scan
-p <ports>                  Specify ports. Can be a comma-separated list and can contain ranges
-p-                         Scan all 65535 ports
--script=<script name>      Run a specific script from /usr/share/nmap/scripts (combine with -sC to also run the defaults)
-A                          Enable OS detection, version detection, script scanning, and traceroute (loud)
--open                      Show only open ports
-oA <name_of_files>         Save in all output formats (normal, grepable, XML) with the prefix name_of_files
-sn                         Disable port scanning (host discovery only)
-iL <file>                  Scan a list of hosts from a file
--reason                    Display the reason for a specific result
--packet-trace              Show all packets sent and received
-F                          Fast scan: top 100 ports
--top-ports=10              Scan the given number of ports that are defined as most frequent
-n                          Disable DNS resolution
--disable-arp-ping          Disable ARP ping
--stats-every=5s            Show status every 5 seconds
-v or -vv                   Verbosity level, increasing
--min-rate <number>         Speed optimization parameter: send at least <number> packets per second
-T <0-5>                    Timing template / aggressiveness (0 slowest, 5 fastest)
--source-port 53            Perform the scan from the specified source port
--script-updatedb           Update the scripts DB

Some useful nmap scripts (/usr/share/nmap/scripts/):

  • http-enum (example on port -p 80)

  • smb-os-discovery.nse (usually on -p 445)

Some nmap usage examples:

  • -p 21 --packet-trace -Pn -n --disable-arp-ping: scan port 21 and get detailed packet-level information on the answer

Scan types

Flag    Description
-PE     Ping scan using ICMP Echo requests against the target. Usually combined with --disable-arp-ping to disable ARP scanning
-sS     SYN scan (default as root)
-sT     TCP connect scan (default as non-root)
-sU     UDP scan
-sV     Service scan
-sA     TCP ACK scan (hard to filter)
-Pn     Disable the ICMP echo requests (skip checking whether the host is alive)

Types of port states

open

This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.

closed

When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.

filtered

Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.

unfiltered

This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.

open|filtered

If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.

closed|filtered

This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

Nmap XML output (-oX) can be converted to HTML with xsltproc.
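The flags above are usually chained as a two-stage workflow: a full sweep with -p- --open -oA, then -sC -sV only on the ports that answered. The POSIX sh helper below is an added example (not part of the original cheatsheet) that reads the .gnmap file -oA writes and builds the stage-2 port list; the gnmap text it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Stage 1 (full sweep) writes <name>.gnmap via -oA; this helper reads that
# grepable output and builds the port list for stage 2 (-sC -sV on open ports).

# Constructed sample of what "nmap -p- --open -oA allports 10.129.42.253"
# would write to allports.gnmap (fields are tab-separated in the real file).
SAMPLE_GNMAP=$(printf '# Nmap 7.94 scan initiated as: nmap -p- --open -oA allports 10.129.42.253\nHost: 10.129.42.253 ()\tStatus: Up\nHost: 10.129.42.253 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n# Nmap done -- 1 IP address (1 host up) scanned\n')

# open_ports <gnmap-text>: print the open TCP ports as a comma-separated
# list suitable for -p, e.g. 22,80,445. Closed/filtered entries are dropped.
open_ports() {
    printf '%s\n' "$1" \
        | grep '^Host:.*Ports:' \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | grep '/open/tcp/' \
        | cut -d/ -f1 \
        | tr -d ' ' \
        | paste -s -d, -
}

# stage2_cmd <gnmap-text> <target>: the follow-up command line. It is printed
# rather than executed so the helper can be checked offline; run it once you
# have a real .gnmap from stage 1.
stage2_cmd() {
    ports=$(open_ports "$1")
    [ -n "$ports" ] || { echo "no open ports found in gnmap input" >&2; return 1; }
    echo "nmap -sC -sV -p $ports $2"
}

# Usage with the constructed sample: prints
#   nmap -sC -sV -p 22,80,445 10.129.42.253
stage2_cmd "$SAMPLE_GNMAP" 10.129.42.253
```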

Fuzzing

Ffuf

Purpose                                              Flag / usage
Typical usage                                        ffuf -w ./SecLists/example.txt:FUZZ -u http://domain.com/FUZZ
Recursive search                                     -recursion -recursion-depth 1
File extension                                       -e .php
Set and/or fuzz headers (example: VHosts)            -H "Host: FUZZ.domain.com"
Filter or match                                      -f<x> filters out responses, -m<x> keeps only matching ones; x is s (size), c (status code), w (words) or l (lines)
Example: filter out any response of size 600         -fs 600
HTTP verb                                            -X POST
Data (request body)                                  -d ""
Ignore wordlist comments                             -ic
Colorize output                                      -c
Output to file                                       -o <file_name>

PHP config file default locations

X.Y is the PHP version

Nginx: /etc/php/X.Y/fpm/php.ini

Apache: /etc/php/X.Y/apache2/php.ini

SNMP

Simple Network Management Protocol

Can provide information such as process parameters, routing information, versions and services bound to interfaces.

snmpwalk is used to interact with it.

  • Example: snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

  • Example with a community-string brute-force file (onesixtyone can brute-force the community string names): onesixtyone -c dict.txt 10.129.42.254

Gobuster

DNS, vhost, and directory brute-forcing

Directory mode

gobuster dir option

Flag                      Description
-u <URL>                  Defines the target URL
-w <path_to_wordlist>     Defines the wordlist

DNS mode

Flag                      Description
-d <domain>               Defines the target domain
-w <path_to_wordlist>     Defines the wordlist (example: SecLists/Discovery/DNS/namelist.txt)

FTP

If the FTP service supports TLS (explicit FTPS), openssl can be used to connect:

openssl s_client -connect 10.129.14.136:21 -starttls ftp

Custom Wordlist Generation (CeWL)

CeWL is a Custom Word List Generator (GitHub: digininja/CeWL).
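As an added example of what CeWL does at its core (this is not CeWL's own code), the POSIX sh function below extracts candidate words from a page's HTML, drops anything shorter than a minimum length, lowercases and deduplicates them, most frequent first. The HTML is a constructed sample; with a real engagement you would feed it the saved HTML of the in-scope site.

```shell
#!/bin/sh
# Added example, not CeWL's own code: a minimal CeWL-style word extractor.
# It shows the idea behind custom wordlists: words that appear on the
# target's own pages (company, product and team names) are likely password
# components and are missing from generic lists such as SecLists.

# Constructed sample page (stands in for the saved HTML of an in-scope site).
SAMPLE_HTML='<html><head><title>Inlanefreight Internal Portal</title></head>
<body><h1>Welcome to Inlanefreight</h1>
<p class="intro">The Inlanefreight logistics team manages freight and shipping.</p>
</body></html>'

# cewl_like <html-text> <min-len>: one lowercase word per line, unique,
# most frequent first, skipping words shorter than <min-len> letters.
# Tags (and their attributes) are stripped before splitting into words.
cewl_like() {
    printf '%s\n' "$1" \
        | sed 's/<[^>]*>/ /g' \
        | tr -cs '[:alpha:]' '\n' \
        | tr '[:upper:]' '[:lower:]' \
        | awk -v n="$2" 'length($0) >= n + 0' \
        | sort | uniq -c | sort -rn \
        | awk '{print $2}'
}

# Usage with the constructed sample: "inlanefreight" comes first (3 hits),
# followed by the seven other words of at least 5 letters.
cewl_like "$SAMPLE_HTML" 5
```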

Others

  • Webserver banner: found in the response headers; curl -IL shows them

  • Whatweb: handy tool with a lot of functionality for automating web application enumeration

  • EyeWitness: takes screenshots of discovered web services for quick triage
