@SergioMiguez
Forked from githubfoam/pentest cheat sheet
Created February 7, 2022 01:54

Revisions

  1. @githubfoam githubfoam revised this gist Jan 21, 2022. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions pentest cheat sheet
    @@ -270,6 +270,9 @@ nmap -sN 192.168.100.11 #TCP Null scan Does not set any bits (TCP flag header is
    nmap -sF 192.168.100.11 #FIN scan (-sF) Sets just the TCP FIN bit.
    nmap -sW -T4 docsrv.caldera.com #TCP Window Scan

    #identify a web application firewall
    nmap --script=http-waf-fingerprint targetwebsite.com
    ----------------------------------------------------------------------------------------------------
    #web vulnerability scanner
    uniscan -u http://192.169.42.3 -qweds
    ls /usr/share/uniscan/report/
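    Review bot: the scanner target in `uniscan -u http://192.169.42.3 -qweds` is a public address, not the RFC 1918 192.168.0.0/16 range the nmap lines in the same hunk use (`192.168.100.11`); if 192.168.42.3 was intended, fix the octet, otherwise use an RFC 5737 documentation address so the sheet's examples only ever point at lab hosts. The `-qweds` flag string would also benefit from the kind of trailing comment the nmap lines carry (-q directory, -w file, -e robots.txt/sitemap.xml, -d dynamic and -s static checks), and the `ls /usr/share/uniscan/report/` line could say that this is where uniscan writes its HTML report.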
  2. @githubfoam githubfoam revised this gist Jan 8, 2022. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions pentest cheat sheet
    @@ -209,9 +209,11 @@ nmap -sP # “ping scanning,sites now block echo request packets,nmap sends out
    #network discovery scan with OS detction
    nmap -O -PE 192.168.15.1/2
    nmap -sO 62.233.173.90 para #IP protocol scan of a router and a typical Linux 2.4 box
    nmap --open -sO 10.100.0.14
    nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
    nmap -sS -A -P0 moonshine.ecn.purdue.edu #The ’-P0’ option (the second letter is ’zero’),do not use ping whether a machine is up
    nmap -sS 192.168.1.1 # Stealthy scan
    nmap -sS 10.100.0.14 -p-
    nmap -sS localhost #carry out a port scan of your own machine,The “-sS” option carries out a SYN scan
    #If the target machine has the DenyHosts shield running to ward off the dictionary attacks
    #-A’ option turned on, IP address may become quarantined on the target machine,assuming that port 22 is included in the range of the ports scanned
  3. @githubfoam githubfoam revised this gist Dec 14, 2021. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions pentest cheat sheet
    @@ -718,4 +718,5 @@ java -version
    whoami #vagrant user
    wget https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
    unzip VegaBuild-linux.gtk.x86_64.zip # vagrant user home directory
    chown -R vagrant:vagrant vega
    ============================================================================
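    Review bot: `chown -R vagrant:vagrant vega` hardcodes the account and assumes the zip unpacks to `./vega` in the caller's cwd; since the `#kali vega subgraph fix, sudo bash kali_vega.sh` header introduced in the Dec 14 revision below means the script runs under sudo, `whoami` on the line above prints `root`, not `vagrant`, and `chown -R "$SUDO_USER:$SUDO_USER" vega` would follow whoever invoked it. The archive from support.subgraph.com is also unpacked and handed to the user without any integrity check; if the vendor publishes a checksum or signature, verify it between `wget` and `unzip`.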
  4. @githubfoam githubfoam revised this gist Dec 14, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion pentest cheat sheet
    @@ -716,6 +716,6 @@ sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/ja
    java -version

    whoami #vagrant user
    wget --directory-prefix=/tmp https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
    wget https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
    unzip VegaBuild-linux.gtk.x86_64.zip # vagrant user home directory
    ============================================================================
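    Review bot: dropping `--directory-prefix=/tmp` from the `wget` line makes the archive land in whatever directory the script is started from, and `unzip VegaBuild-linux.gtk.x86_64.zip` then relies on that same cwd; the `# vagrant user home directory` comment is an assumption the script never enforces. Add an explicit `cd /home/vagrant` before `wget`, or keep the /tmp prefix together with `cd /tmp && unzip ...` as the Dec 13 revision had it.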
  5. @githubfoam githubfoam revised this gist Dec 14, 2021. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions pentest cheat sheet
    @@ -695,7 +695,7 @@ zeek -C -r tm1t.pcap
    cat dns.log | zeek-cut
    cat dns.log | zeek-cut id.orig_h query answers
    ============================================================================
    #kali vega subgraph fix
    #kali vega subgraph fix, sudo bash kali_vega.sh

    $ cat kali_vega.sh
    #!/bin/sh
    @@ -715,6 +715,7 @@ sudo apt-get install openjdk-8-jdk-headless -qy
    sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java #non-interactive
    java -version

    whoami #vagrant user
    wget --directory-prefix=/tmp https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
    cd /tmp && unzip VegaBuild-linux.gtk.x86_64.zip
    unzip VegaBuild-linux.gtk.x86_64.zip # vagrant user home directory
    ============================================================================
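    Review bot: the download and the extraction now point at different directories: `wget --directory-prefix=/tmp ...` still writes the zip to /tmp while the replaced `cd /tmp && unzip ...` becomes a bare `unzip VegaBuild-linux.gtk.x86_64.zip` run in the cwd, so `unzip` will not find the file unless the script happens to be started from /tmp. Either keep `cd /tmp &&` in front of `unzip` or drop the `--directory-prefix` (which is what the next Dec 14 revision does). The `whoami #vagrant user` line is also misleading under `sudo bash kali_vega.sh`, where it prints `root`.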
  6. @githubfoam githubfoam revised this gist Dec 13, 2021. 1 changed file with 23 additions and 0 deletions.
    23 changes: 23 additions & 0 deletions pentest cheat sheet
    @@ -694,4 +694,27 @@ xargs -I {} grep {} sslblacklist.csv --color
    zeek -C -r tm1t.pcap
    cat dns.log | zeek-cut
    cat dns.log | zeek-cut id.orig_h query answers
    ============================================================================
    #kali vega subgraph fix

    $ cat kali_vega.sh
    #!/bin/sh

    cat <<EOT | sudo tee /etc/apt/sources.list.d/stretch.list
    deb http://deb.debian.org/debian/ stretch main contrib non-free
    deb-src http://deb.debian.org/debian/ stretch main contrib non-free

    deb http://security.debian.org/ stretch/updates main contrib non-free
    deb-src http://security.debian.org/ stretch/updates main contrib non-free
    EOT

    sudo apt-get update -qy && sudo apt-get install libwebkitgtk-1.0 -qy


    sudo apt-get install openjdk-8-jdk-headless -qy
    sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java #non-interactive
    java -version

    wget --directory-prefix=/tmp https://support.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
    cd /tmp && unzip VegaBuild-linux.gtk.x86_64.zip
    ============================================================================
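    Review bot: writing `deb http://deb.debian.org/debian/ stretch ...` into a Kali system's apt sources with no pinning mixes a Debian oldstable release into a rolling distribution for the sake of one library, and every later `apt-get update`/`upgrade` will keep considering the stretch archive. Prefer a `/etc/apt/preferences.d/` entry pinning `release n=stretch` to a low priority, or fetch only the needed libwebkitgtk `.deb` and remove `stretch.list` once it is installed; the `deb-src` lines can go either way, since a binary install never reads them. `libwebkitgtk-1.0` is the source-package stem rather than a binary package name (the stretch binary is `libwebkitgtk-1.0-0`), so `apt-get install` only finds it through its regex fallback; name the binary explicitly. The `wget`/`unzip` pair at the end unpacks the Vega archive with no checksum or signature verification.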
  7. @githubfoam githubfoam revised this gist Dec 3, 2021. 1 changed file with 8 additions and 1 deletion.
    9 changes: 8 additions & 1 deletion pentest cheat sheet
    @@ -679,10 +679,17 @@ curl -d @request.json -H "Content-Type: application/json"
    curl --user baeldung:secretPassword http://example.com/ #basic authentication,add the username and password
    curl -H "Authorization: Bearer b1094abc0-54a4-3eab-7213-877142c33fh3" http://example.com/ #use OAuth2 for authentication
    ============================================================================
    #zeek/bro
    bro -C -r [network capture file] local #analysis network capture
    bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }
    cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5
    #infected by Emotet with Trickbot malware
    cat ssl.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p cert_chain_fuids issuer
    cat ssl.log | bro-cut ts id.orig_h id.orig_p id.resp_h id.resp_p server_name issuer
    #One server X509 certificate sha1 signature is listed on SSL abuse database
    cat intel.log | bro-cut uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator fuid sources
    #the SSL abuse database export file
    cat files.log | bro-cut source sha1 | grep SSL | grep -v \- | sort -u | awk ‘{printf $2”\n”}’ | \
    xargs -I {} grep {} sslblacklist.csv --color

    zeek -C -r tm1t.pcap
    cat dns.log | zeek-cut
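    Review bot: the pipeline `cat files.log | bro-cut source sha1 | grep SSL | grep -v \- | sort -u | awk ‘{printf $2”\n”}’ | xargs -I {} grep {} sslblacklist.csv --color` uses typographic quotes around the awk program, so it fails as pasted; use ASCII `'{print $2}'`, which also avoids passing field data as a printf format string. Since the values are literal hashes, `xargs -I {} grep -F -- {} sslblacklist.csv` is the safer match, and `grep -v -- -` states the intent (drop rows with no sha1) more clearly than `grep -v \-`. The same curly quote breaks `bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }` in the context lines.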
  8. @githubfoam githubfoam revised this gist Dec 3, 2021. 1 changed file with 9 additions and 0 deletions.
    9 changes: 9 additions & 0 deletions pentest cheat sheet
    @@ -678,4 +678,13 @@ curl -d @request.json -H "Content-Type: application/json"
    #Authentication
    curl --user baeldung:secretPassword http://example.com/ #basic authentication,add the username and password
    curl -H "Authorization: Bearer b1094abc0-54a4-3eab-7213-877142c33fh3" http://example.com/ #use OAuth2 for authentication
    ============================================================================
    #zeek/bro
    bro -C -r [network capture file] local #analysis network capture
    bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }
    cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5

    zeek -C -r tm1t.pcap
    cat dns.log | zeek-cut
    cat dns.log | zeek-cut id.orig_h query answers
    ============================================================================
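    Review bot: `bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }` opens a quote it never closes, and with a typographic “ rather than `"`, so the `Site::local_nets` redefinition will not parse as written; the working form is `bro -C -r sample.pcap local "Site::local_nets += { 10.0.0.0/8 }"`, with the square-bracket placeholders dropped too. The hunk also mixes the legacy `bro`/`bro-cut` names with `zeek`/`zeek-cut` for the same tool; since the last two lines already use `zeek`, a one-line comment that `bro` is the pre-rename binary would stop readers assuming two tools are involved.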
  9. @githubfoam githubfoam revised this gist Dec 3, 2021. 1 changed file with 0 additions and 22 deletions.
    22 changes: 0 additions & 22 deletions pentest cheat sheet
    @@ -560,28 +560,6 @@ capinfos -TtEs *.pcap
    capinfos -T -m -Q mycapture.pcap #generate a CSV style table form report
    capinfos -TmQ mycapture.pcap
    capinfos -TmQ *.pcap >mycaptures.csv
    ============================================================================
    #Wireshark installation directory: windows
    C:\Program Files (x86)\Wireshark>tshark.exe

    tshark -r nmap_sn.pcap #read pcap file
    tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4)
    tshark -nr nmap_sn.pcap
    tshark -D #list of available interfaces
    tshark -i 2 #start capturing traffic on interface n°2
    tshark -i 2 -a duration:10 #capture for 10 seconds, then stop
    tshark -i 2 -w output_file.pcap #save a caputre to a file
    tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture filter
    #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap
    tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap
    tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is for protocol hierarchy

    #On a fabric interface, all packets coming from or going to a Virtual Machine (VM) will be encapsulated in MPLS over UDP or GRE header
    #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label
    #the encapsulated content (ICMPv6) can be recognized.
    tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls

    tshark -nr input.cap -R "dns" -V #print the DNS packets
    ============================================================================
    # use the SQL, XSS and XXE modules when scanning the target.
    wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe
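    Review bot: if this tshark block is being moved rather than dropped (the Nov 16 and Nov 8 revisions below still carry it), three of the removed lines are broken and worth fixing in the new location: `tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f` and `tshark -r HTTP_Traffic.pcap -qz io,phs -z` each end in a dangling option with no argument, and the comment `http.request.methog==GET` misspells the display-filter field that the following command spells correctly (`http.request.method`).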
  10. @githubfoam githubfoam revised this gist Nov 18, 2021. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions pentest cheat sheet
    @@ -224,6 +224,8 @@ nmap -Pn --top-ports 20 62.233.173.90

    nmap -p 1-65535 localhost #Scan specific ports or scan entire port ranges on a local or remote server

    nmap -Pn -T4 --traceroute www.target.com # find IP,reverse-DNS and traceroute scan

    nmap -sX -T2 linuxhint.com #Xmas scan Polite: -T2, neutral.
    nmap -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan
    nmap -sV -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan -sV for version detection on specific ports and distinguish between filtered and filtered ports,
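    Review bot: the comment on `nmap -sV -sX -T4 linuxhint.com` says `distinguish between filtered and filtered ports`, which is contradictory; Xmas scans report non-responding ports as `open|filtered`, and the reason to add `-sV` is to resolve those into `open` versus `filtered`, so the comment should say that. The `#Xmas scan Polite: -T2, neutral.` comment two lines up is also garbled: -T2 is the polite timing template and `neutral` is a stray word.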
  11. @githubfoam githubfoam revised this gist Nov 17, 2021. 1 changed file with 84 additions and 0 deletions.
    84 changes: 84 additions & 0 deletions pentest cheat sheet
    @@ -614,4 +614,88 @@ More Tools- Developer Tools on Google Chrome
    right clicking on the web page,selecting Inspect Element on Mozilla Firefox
    More Tools- Web Developer Tools on Google Chrome
    More Tools- Web Developer Tools on Edge/IE
    ============================================================================
    #How to test a REST api

    #HEAD requests

    #check if a resource is serviceable, what kind of headers it provides
    #and other useful meta-information written in response headers, without having to transport the entire content
    curl -I https://www.codever.land/api/public/bookmarks
    #-i, --include - include the HTTP response headers in the output
    -X, --request - specify a custom request method (GET, PUT, DELETE)
    curl -i -X HEAD https://www.codever.land/api/public/bookmarks

    #GET requests,curl with no parameters on a URL

    curl https://www.codever.land/api/version
    curl -v http://www.example.com/ #verbose mode on
    curl -v http://localhost:8082/spring-rest/foos/9
    curl -o out.json http://www.example.com/index.html #provide the output option to save to a file
    curl -X GET "https://www.codever.land/api/version" -H "accept: application/json"
    curl https://www.codever.land/api/version | jq .
    curl -s https://www.codever.land/api/version | jq .
    #Curl request with multiple headers
    curl -v -H "Accept:application/json" -H "Accept-encoding:gzip" https://www.codever.land/api/version
    #CRUD operation
    curl \
    -d 'client_id=bookmarks' \
    -d 'username=mock' \
    -d "password=mock" \
    -d 'grant_type=password' \
    'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
    | jq .
    #extract just the access_token
    curl -s \
    -d 'client_id=bookmarks' \
    -d 'username=ama' \
    -d "password=ama" \
    -d 'grant_type=password' \
    'http://localhost:8480/auth/realms/bookmarks/protocol/openid-connect/token' \
    | jq -r '.access_token'
    curl -s -X GET "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
    -H "accept: application/json" \
    -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi..." | jq .


    #POST requests

    curl -i -X POST "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks" \
    -H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJ...." \
    -H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"language\":\"en\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\" In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP Requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"public\":true,\"lastAccessedAt\":\"2020-03-06T20:14:28.101Z\",\"likeCount\":0}"
    curl -d 'id=9&name=baeldung' http://localhost:8082/spring-rest/foos/new #send data to a receiving service
    #pass a file containing the request body to the data option
    curl -d @request.json -H "Content-Type: application/json"
    http://localhost:8082/spring-rest/foos/new
    # if service expects JSON content-type, use the -H option
    curl -d @request.json -H "Content-Type: application/json"
    http://localhost:8082/spring-rest/foos/new
    #Windows command prompt has no support for single quotes like the Unix-like shells
    curl -d "{\"id\":9,\"name\":\"baeldung\"}" -H "Content-Type: application/json"
    http://localhost:8082/spring-rest/foos/new


    #PUT requests
    curl -s -X PUT "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741" \
    -H "accept: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiI..." \
    -H "Content-Type: application/json" -d "{\"name\":\"How to test a REST api from command line with curl – CodepediaOrg\",\"location\":\"https://www.codepedia.org/ama/how-to-test-a-rest-api-from-command-line-with-curl/\",\"tags\":[\"rest\",\"curl\",\"api\",\"testing\"],\"publishedOn\":\"2020-03-05T00:00:00.000Z\",\"sourceCodeURL\":\"https://github.com/codeverland/codever\",\"description\":\"In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports [www.codever.land](https://www.codever.land)\",\"public\":true,\"readLater\":false,\"language\":\"en\",\"youtubeVideoId\":null,\"stackoverflowQuestionId\":null,\"descriptionHtml\":\"<p>In this post I will present how to execute GET, POST, PUT, HEAD, DELETE HTTP requests against a REST API. For the purpose of this blog post I will be using the REST api that supports <a href=\\\"https://www.codever.land\\\">www.codever.land</a></p>\",\"updatedAt\":\"2020-03-06T20:42:53.706Z\",\"lastAccessedAt\":\"2020-03-06T20:42:53.706Z\",\"userId\":\"4c617f2b-2bad-498b-a9c6-4e9a8c303798\",\"_id\":\"5e62b18b59770b5487a4c741\"}" | jq .
    curl -d @request.json -H 'Content-Type: application/json'
    -X PUT http://localhost:8082/spring-rest/foos/9

    #Delete requests
    curl -i -X DELETE "http://localhost:3000/api/personal/users/4c617f2b-2bad-498b-a9c6-4e9a8c303798/bookmarks/5e62b18b59770b5487a4c741"
    -H "accept: */*" -H "Authorization: Bearer eyJhbGciOiJS...."
    curl -X DELETE http://localhost:8082/spring-rest/foos/9

    #Custom Headers,replace the default headers or add headers
    curl -H "Host: com.baeldung" http://example.com/ #change the Host header
    curl -H "User-Agent:" http://example.com/ #switch off the User-Agent header,put in an empty value
    #The most common scenario while testing is changing the Content-Type and Accept header
    #prefix each header with the -H option
    curl -d @request.json -H "Content-Type: application/json"
    -H "Accept: application/json" http://localhost:8082/spring-rest/foos/new

    #Authentication
    curl --user baeldung:secretPassword http://example.com/ #basic authentication,add the username and password
    curl -H "Authorization: Bearer b1094abc0-54a4-3eab-7213-877142c33fh3" http://example.com/ #use OAuth2 for authentication
    ============================================================================
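    Review bot: several of the new two-line curl invocations are missing the trailing `\` that joins them, so pasted as-is the URL on the second line runs as its own command: `curl -d @request.json -H "Content-Type: application/json"` / `http://localhost:8082/spring-rest/foos/new` (present twice, the second a duplicate), the Windows-quoting example, the `-X PUT` example, the `DELETE` example and the `-H "Accept: application/json"` example. Likewise `-X, --request - specify a custom request method (GET, PUT, DELETE)` lacks the leading `#` that the `-i, --include` line above it has. Smaller points: `curl -i -X HEAD ...` makes curl wait for a body that never arrives (curl itself warns to use `-I` instead), and credentials such as `--user baeldung:secretPassword` and the bearer tokens on the command line end up in shell history and `ps` output; `--netrc-file`, `-K`/`--config` or an environment variable expanded into the command keeps them out of the sheet.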
  12. @githubfoam githubfoam revised this gist Nov 16, 2021. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions pentest cheat sheet
    @@ -578,6 +578,8 @@ tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is
    #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label
    #the encapsulated content (ICMPv6) can be recognized.
    tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls

    tshark -nr input.cap -R "dns" -V #print the DNS packets
    ============================================================================
    # use the SQL, XSS and XXE modules when scanning the target.
    wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe
  13. @githubfoam githubfoam revised this gist Nov 10, 2021. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions pentest cheat sheet
    @@ -606,4 +606,10 @@ tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmp
    apt-get install -y kali-tools-database
    apt depends kali-tools-database
    apt show kali-tools-top10
    ============================================================================
    right clicking on the web page,selecting Inspect on Google Chrome
    More Tools- Developer Tools on Google Chrome
    right clicking on the web page,selecting Inspect Element on Mozilla Firefox
    More Tools- Web Developer Tools on Google Chrome
    More Tools- Web Developer Tools on Edge/IE
    ============================================================================
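    Review bot: the fourth added line `More Tools- Web Developer Tools on Google Chrome` duplicates the Chrome entry two lines above (`More Tools- Developer Tools on Google Chrome`) and, sitting right after the Firefox `Inspect Element` line, was probably meant to say Mozilla Firefox, whose menu item is indeed Web Developer Tools. These lines are also plain prose without a leading `#`, unlike the rest of the file, so pasting this section into a shell would try to execute them.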
  14. @githubfoam githubfoam revised this gist Nov 10, 2021. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions pentest cheat sheet
    @@ -601,4 +601,9 @@ tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmp
    wapiti https://authlab.digi.ninja -u -n 5 -b domain -v 2 -o /tmp/outfile.html
    # scan only for sql and blindsql attacks
    wapiti https://authlab.digi.ninja -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html
    ============================================================================
    #list packages in meta packages ,https://www.kali.org/tools/kali-meta/
    apt-get install -y kali-tools-database
    apt depends kali-tools-database
    apt show kali-tools-top10
    ============================================================================
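    Review bot: the comment `#list packages in meta packages` is followed first by `apt-get install -y kali-tools-database`, which installs the metapackage before anything is listed; move the install after `apt depends kali-tools-database` / `apt show kali-tools-top10` so a reader inspects what the metapackage pulls in before committing to it, and consider `apt-cache depends` / `apt-cache show`, which are the stable-interface forms for use in scripts.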
  15. @githubfoam githubfoam revised this gist Nov 8, 2021. 1 changed file with 22 additions and 1 deletion.
    23 changes: 22 additions & 1 deletion pentest cheat sheet
    @@ -579,5 +579,26 @@ tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is
    #the encapsulated content (ICMPv6) can be recognized.
    tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls
    ============================================================================

    # use the SQL, XSS and XXE modules when scanning the target.
    wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe
    # the xss module will apply to requests submitted by the GET method
    wapiti -u http://testphp.vulnweb.com -m “xss: get, blindsql: post, xxe: post”
    #The wapiti-getcookie tool can be used to use authentication
    # use it to generate a cookie that Wapiti will use when scanning
    # At the output,file in JSON format
    wapiti-getcookie -u http://demo.testfire.net/login.jsp -c cookie.json
    # Another option is to add all the required information via the -d parameter
    wapiti-getcookie - http://demo.testfire.net/login.jsp -c cookie.json -d "username=admin&password=admin&enter=submit"
    # -m – connect all modules – not recommended, because will affect testing time and report size
    # -c – use the cookie file generated by wapiti-getcookie
    # -scope – selection of a target for an attack. Selecting the folder option will scan and attack every URL starting from the base one. The base URL must have a forward slash (no filename)
    # -flush-session – allows you to re-scan, which will not take into account previous results
    # -A – own User-Agent
    # -p – proxy server address
    wapiti --level 1 -u http://demo.testfire.net -f html -o /tmp/vulns.html -m all --color -с cookie.json --scope folder --flush-session -A 'Wapiti Scans' -p http://myproxy:3128
    # -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.
    wapiti http://demo.testfire.net -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
    wapiti https://authlab.digi.ninja -u -n 5 -b domain -v 2 -o /tmp/outfile.html
    # scan only for sql and blindsql attacks
    wapiti https://authlab.digi.ninja -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html
    ============================================================================
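    Review bot: `wapiti-getcookie - http://demo.testfire.net/login.jsp -c cookie.json -d ...` has lost the letter of its `-u` option, and `-m “xss: get, blindsql: post, xxe: post”` uses typographic quotes, so neither runs as pasted. In the long `wapiti --level 1 ...` line, confirm that the `c` in `-с cookie.json` is ASCII (the comment above spells it `-c`; a look-alike character would make wapiti reject the option), and the option comments `-scope` and `-flush-session` should read `--scope` and `--flush-session` to match the command. Passing `-d "username=admin&password=admin&enter=submit"` leaves the credentials in shell history; the interactive `wapiti-getcookie -u ... -c cookie.json` form two lines above prompts for them instead.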
  16. @githubfoam githubfoam revised this gist Nov 1, 2021. 1 changed file with 0 additions and 233 deletions.
    233 changes: 0 additions & 233 deletions pentest cheat sheet
    @@ -280,245 +280,12 @@ sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
    #FreeBSD (pfSense)
    sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
    ----------------------------------------------------------------------------------------------------

    ssldump -A -d -i eth0
    ssldump -i le0 port 443
    ssldump -i le0 port 443 and host 192.169.42.3
    ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
    #wget -p https://192.169.42.3/ -O /dev/null
    ssldump port 443 and host 192.169.42.3

    tcpdump -ni tap55ec3c7f-91 ip6 #locate the ICMPv6 packets

    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)

    tcpdump -D #Print the list of the network interfaces available on the system and on which tcpdump can capture packet
    tcpdump -X -vvv -n -i eth0

    #client-side traffic to a specific SSL virtual server listening on the VLAN external
    # filters on the virtual server's IP address and port
    tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443


    #examine server-side traffic from one client to any pool member,
    #the -i option to specify the VLAN on which the servers reside
    #filter on the client IP address, the server subnet, and the port on which the servers are listening.
    tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080


    tcpdump host 100.111.222.50 and port 443 #Traffic to or from host 100.111.222.50, where the source or destination port is 443
    tcpdump host 100.111.222.50 or host 100.11.12.99 #traffic sent between the two
    tcpdump not host 100.111.222.50 #All traffic except anything to or from host 100.111.222.50
    tcpdump host 100.111.222.50 or host 100.11.12.99 and port 443 #traffic to or from either 100.111.222.50 or 100.11.12.99 will be captured only where the source or destination port is 443

    tcpdump net 100.111.222.0/24 and not host 100.111.222.50 #Traffic to or from any host on the 100.111.222.00/24 network except anything to or from host 100.111.222.50
    tcpdump src net 1.1.1.0/24 #traffic from hosts with addresses in the 1.1.1.0/24 network only
    tcpdump dst net 1.1.1.0/24 #Traffic to hosts with addresses in the 1.1.1.0/24
    tcpdump net 1.1.1.0/24 and 1.1.2.128/32
    tcpdump net 1.1.1.0/24 or net 2.2.2.0/24 #Traffic to or from network 1.1.1.0/24 or to or from network 2.2.2.0/24
    tcpdump net 1.1.1.0/24 or net 2.2.2.0/24 and port 80
    tcpdump net 1.1.1.0/24 or net 2.2.2.0/24 and udp src port 53

    tcpdump -i eth1 ‘tcp[13] = 0x2'
    tcpdump -i eth1 ‘tcp[13] = 0x12'
    tcpdump portrange 21-25
    tcpdump src port 1025

    #The first two bytes of a TCP packet are the source port. If its offset is zero and the length is 2 bytes
    #the filters are: tcp[0:2] for the source and tcp[2:2] for the destination port.
    tcpdump 'tcp[0:2] == tcp[2:2]' #view traffic with the same source and destination
    tcpdump 'tcp[2:2] == 80' #view traffic destination on TCP port 80

    #configure filters for IP header properties using the same logic as the port source and destination filter.
    #The flags section of an IP header is only 3 bits long, and 1 bit is reserved
    #the only 2 bits that you can toggle in this octet are: the 1 bytes 01100000.
    tcpdump 'ip[6] & 64 != 64' #view all traffic with the same source and destination IP
    tcpdump 'ip[12:4] == ip[16:4]' #DF (don't fragment) bit set (IP)
    tcpdump 'ip[6] & 32 != 32' #MF (more fragments) bit set (IP)

    tcpdump 'ip[12:4] == ip[16:4]' #source ip equal to destination ip,classic land attack
    tcpdump (tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4]) #land attack

    tcpdump src host 1.1.1.1 and dst port 80 or 443
    tcpdump greater 32 #traffic base on packet size
    tcpdump <= 102
    tcpdump -i any #see what happens on the network
    tcpdump -i any -c 20 # -c 20 packets only
    tcpdump -i any -c 5 -vv #more verbose output
    tcpdump -i any -c 5 -vvv #-v more verbose output
    tcpdump -i any -c 5 -vvv -t # -t Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

    tcpdump icmp #traffic of a specific protocol, tcp, udp, icmp etc
    tcpdump udp
    tcpdump tcp

    tcpdump less 32 #packets below or above a certain size (in bytes)
    tcpdump greater 128
    tcpdump > 32
    tcpdump <= 128

    tcpdump -e dst 192.168.0.2 #link-level header output
    tcpdump dst 192.168.0.2 and src net and not icmp #traffic going to 192.168.0.2 that is not ICMP
    tcpdump ip6 #only IPv6 Traffic
    tcpdump -ttttnnvvS #view with verbose output,no host/port resolution,absolute sequence number and human-readable timestamps
    tcpdump -nnvvS src 192.168.122.1 and dst port 4444
    tcpdump -nnvvXSs 1514 #the final “s” increases the snaplength, grabbing the whole packet
    tcpdump host 192.168.122.131 #using host, you can see traffic that’s going to or from 192.168.122.131
    tcpdump -vv src mars and not dst port 22 #traffic from a host that isn’t SSH traffic

    tcpdump dst 192.168.0.2 -vv -A -T snmp
    tcpdump dst 192.168.0.2 -vv -A -T snmp -w snmpv3.pcap
    tcpdump -vv -A -T snmp -s 0 "(dst port 162) or (src port 161) or (dst port 161) and (dst 192.168.0.2)"
    tcpdump -i eno1 -T snmp -n dst portrange 161-162

    tcpdump net 192.168.122.0/24 #Find packets by network
    #raffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution
    tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

    tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0' #icmp echo request and reply
    tcpdump -nnvXSs 0 -c1 icmp #packets with HEX output
    tcpdump port 3389 #Show traffic related to a specific port
    tcpdump -tlni eth1 -n icmp
    tcpdump -i eth1 -c1 -n -s0 -vvvv icmp
    tcpdump -c 1 -X icmp #PAcket Contents with Hex Output
    tcpdump -tlni em0
    # listen for ICMP traffic on em0 network interface
    tcpdump -tlni em0 -n icmp
    # capture one ICMP packet and decode it
    tcpdump -i nfe0 -c1 -n -s0 -vvvv icmp
    tcpdump -i eth1 -c1 -n -s0 -vvvv icmp -w temp.pcap
    tcpdump -r capture_file #read PCAP files

    tcpdump 'src 192.168.122.84 and (dst port 4444 or 22)'

    Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output.
    URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]

    URG = (Not Displayed in Flag Field, Displayed elsewhere)
    ACK = (Not Displayed in Flag Field, Displayed elsewhere)
    PSH = [P] (Push Data)
    RST = [R] (Reset Connection)
    SYN = [S] (Start Connection)
    FIN = [F] (Finish Connection)
    SYN-ACK = [S.] (SynAcK Packet)

    #The filter tcp[13] look at offset 13 in TCP HEADER
    #the number represent the location within the byte, the !=0 means that the flag is set to 1
    header[byte #] == value #the expected value for byte 13 of the TCP header

    tcpdump 'tcp[13] == 1' #View only the FIN bit set
    tcpdump 'tcp[13] & 8!=0' #Show all PUSH (PSH) packets
    tcpdump 'tcp[13] & 32!=0' #Show all URGENT (URG) packets

    tcpdump 'tcp[13] & 3 == 3' #View both SYN and FIN set
    tcpdump 'tcp[13] & 3 != 0' #View either SYN or FIN set
    tcpdump 'tcp[13] == 2 or tcp[13] == 1' #View only SYN or only FIN set

    tcpdump 'tcp[13] & 16!=0' #Show all ACKNOWLEDGE( ACK) packets

    tcpdump 'tcp[13] = 6' #Both the SYN and RST Set
    tcpdump 'tcp[13] & 4!=0' #Show all RESET (RST packets
    tcpdump 'tcp[13] & 4 == 4' #View RST set, ignore the others

    tcpdump 'tcp[13] & 2!=0' #Show all SYNCHRONIZE (SYN) packets
    tcpdump -ni internal 'tcp[13] == 2'#only the SYN packets
    tcpdump 'tcp[13] == 2' #View only the SYN bit set
    tcpdump 'tcp[13] & 2 == 2' #View only SYN set, ignore the others
    #looks for the set SYN bit and ignores the rest of the flags in the header
    #perform a logic AND (&) to remove all but the value of the SYN bit and then test it
    #if the TCP flags are 00010010 and the mask for Syn is 00000010(2 in binary) then 00010010 + 00000010 = 00000010.
    tcpdump -ni internal 'tcp[13] & 2 == 2'

    tcpdump 'tcp[13]=18' #packets that have both the SYN and ACK flags set,TCP flag byte equal to 18 (SYN flag set + ACK flag set = 2 + 16 = 18)
    tcpdump -ni internal 'tcp[13] == 18'
    tcpdump 'tcp[13] & 18 == 18' #View SYN set and ACK set, ignore all others
    tcpdump 'tcp[13] & 1!=0' #Show all SYNCRONIZE/ACKNOWLEDGE (SYNACK) packets
    tcpdump -ni internal 'tcp[13] == 18' or 'tcp[13] == 2 #view the SYN packets and the SYN and ACK packets,

    #Alternatively tcpflags syntax, SYN,RST,FIN
    tcpdump 'tcp[tcpflags] == tcp-syn'
    tcpdump 'tcp[tcpflags] == tcp-rst'
    tcpdump 'tcp[tcpflags] == tcp-fin'
    tcpdump 'tcp[tcpflags] == tcp-urg'
    tcpdump 'tcp[tcpflags] == tcp-push'
    tcpdump 'tcp[tcpflags] == tcp-ack'

    #Identifying malformed/malicious packets
    tcpdump 'tcp=[13] = 6' #Packets with both rst and syn flags shouldn't be the case
    tcpdump 'tcp[32:4] = 0x47455420' #Find cleartext http get requests
    tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' #Find ssh connection on any port via (banner text)
    tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)' #group your options using single quotes
    tcpdump -vvAls0 | grep 'User-Agent:' #HTTP User Agents
    tcpdump -vvAls0 | grep 'GET' #Cleartext GET Requests
    tcpdump -vvAls0 | grep 'Host: #Http Host Headers
    tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:' #HTTP Cookies

    tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' #SSH Connections,regardless of what port the connection comes in,getting the banner response
    tcpdump -vvAs0 port 53 #DNS Traffic
    tcpdump -vvAs0 port ftp or ftp-data #FTP traffic
    tcpdump -vvAs0 port 123 # NTP traffic
    #Find Cleartext Passwords
    tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '
    tcpdump 'ip[6] & 128 != 0 #bit in the IP header that never gets set by legitimate applications


    C:\Program Files\Wireshark>dumpcap -D
    C:\Program Files\Wireshark>dumpcap -i 9
    C:\Program Files\Wireshark>dumpcap -i 12 -w C:\Users\verona\Downloads\testtrace.pcapng -b filesize:2000

    tcpdump -i eth0 -w dump.pcap
    tcpdump src 192.168.2.3 and tcpport 80
    dumpcap -i eth0 -w dump.pcapng
    #searches either for the strings “pass” or “USER” on all packets going to/or coming from port 80 (TCP or UDP)
    ngrep -q -d eth0 -W byline -wi "pass|USER" port 80 #The “-i” flag instructs ngrep to ignore case when matching

    #HTTP Headers
    tcpdump -vvvs 1024 -l -A host yahoo.com

    #Show OSPF protocol traffic on the interface:
    tcpdump -i eth-s1p1c0 proto ospf
    #Show Telnet traffic on the interface:
    tcpdump -i eth-s1p1c0 port telnet
    tcpudmp -i eth-s1p1c0 port 23
    tcpdump -i eth-s2p1c0 udp port 68
    #Show all traffic on the interface except port 80:
    tcpdump -i eth-s1p1c0 not port 80
    #Show traffic only from specific host:
    tcpdump -i eth-s1p1c0 host 192.168.10.24
    #Show additional information about each packet:
    tcpdump -vv -i eth-s1p1c0
    #Limit the size (in bytes) of captured packets
    tcpdump -s 320 -i eth-s1p1c0

    #Saving a TCP dump in a .pcap file
    tcpdump -w capture.pcap -i eth-s1p2c0 host 10.1.1.1 and host 20.2.2.2
    tcpdump -nni any host 10.1.1.1 -w capture.pcap
    tcpdump -nni any host 10.1.1.1 and host 20.2.2.2 -w capture.pcap
    tcpdump -s 1500 -i eth-s1p1c0 -w /var/log/tcpdump_s1p1c0.cap

    #Saving a TCP dump in a .pcap file
    tcpdump -w capture.pcap -i eth-s1p2c0 host 10.1.1.1 and host 20.2.2.2
    tcpdump -nni any host 10.1.1.1 -w capture.pcap
    tcpdump -nni any host 10.1.1.1 and host 20.2.2.2 -w capture.pcap
    tcpdump -s 1500 -i eth-s1p1c0 -w /var/log/tcpdump_s1p1c0.cap

    tcpdump src host 1.1.1.1 and arp

    tcpdump dst host 1.1.1.1 and not icmp
    tcpdump 'src host 1.1.1.1 and (arp or icmp)'

    tcpdump -vvAls0 | grep 'User-Agent:' #Find HTTP User Agents
    tcpdump -vvAls0 | grep 'GET' #Cleartext GET Requestss
    tcpdump -vvAls0 | grep 'Host:' #Find HTTP Host Headers
    tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:' #Find HTTP Cookies

    tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' #SSH Connections,getting the banner response
    tcpdump -vvAs0 port 53 #DNS Traffic
    tcpdump -vvAs0 port ftp or ftp-data #FTP Traffic

    ----------------------------------------------------------------------------------------------------
    #Saving fw monitor logs to a .pcap file to analyse in wireshark
    #Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark
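    Review bot: several filters in this hunk will not run as written. `tcpdump 'tcp=[13] = 6'` under "Identifying malformed/malicious packets" has a stray `=` and should read `tcp[13] = 6`, as the earlier `tcpdump 'tcp[13] = 6'` line does; `grep 'Host: #Http Host Headers` and `tcpdump 'ip[6] & 128 != 0 #bit in the IP header ...` are missing their closing quote, so the shell keeps waiting for input; `tcpdump src 192.168.2.3 and tcpport 80` needs `tcp port 80`; and `tcpudmp -i eth-s1p1c0 port 23` misspells the command. The `grep 'Set-Cookie|Host:|Cookie:'` pipelines need `grep -E` (or `egrep`, which the cleartext-password line already uses), because basic grep treats `|` as a literal character and the filter matches nothing. The "Saving a TCP dump in a .pcap file" block, and the User-Agent/GET/Host/Cookie, SSH, DNS and FTP lines, appear twice in this hunk; one copy of each could be dropped.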
  17. @githubfoam githubfoam revised this gist Nov 1, 2021. 1 changed file with 71 additions and 9 deletions.
    80 changes: 71 additions & 9 deletions pentest cheat sheet
    Original file line number Diff line number Diff line change
    @@ -280,6 +280,14 @@ sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
    #FreeBSD (pfSense)
    sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
    ----------------------------------------------------------------------------------------------------

    ssldump -A -d -i eth0
    ssldump -i le0 port 443
    ssldump -i le0 port 443 and host 192.169.42.3
    ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
    #wget -p https://192.169.42.3/ -O /dev/null
    ssldump port 443 and host 192.169.42.3

    tcpdump -ni tap55ec3c7f-91 ip6 #locate the ICMPv6 packets

    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)
    @@ -297,13 +305,6 @@ tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 a
    #filter on the client IP address, the server subnet, and the port on which the servers are listening.
    tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080

    ssldump -A -d -i eth0
    ssldump -i le0 port 443
    ssldump -i le0 port 443 and host 192.169.42.3
    ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
    #wget -p https://192.169.42.3/ -O /dev/null
    ssldump port 443 and host 192.169.42.3


    tcpdump host 100.111.222.50 and port 443 #Traffic to or from host 100.111.222.50, where the source or destination port is 443
    tcpdump host 100.111.222.50 or host 100.11.12.99 #traffic sent between the two
    @@ -322,6 +323,22 @@ tcpdump -i eth1 ‘tcp[13] = 0x2'
    tcpdump -i eth1 ‘tcp[13] = 0x12'
    tcpdump portrange 21-25
    tcpdump src port 1025

    #The first two bytes of a TCP packet are the source port. If its offset is zero and the length is 2 bytes
    #the filters are: tcp[0:2] for the source and tcp[2:2] for the destination port.
    tcpdump 'tcp[0:2] == tcp[2:2]' #view traffic with the same source and destination
    tcpdump 'tcp[2:2] == 80' #view traffic destination on TCP port 80

    #configure filters for IP header properties using the same logic as the port source and destination filter.
    #The flags section of an IP header is only 3 bits long, and 1 bit is reserved
    #the only 2 bits that you can toggle in this octet are: the 1 bytes 01100000.
    tcpdump 'ip[6] & 64 != 64' #view all traffic with the same source and destination IP
    tcpdump 'ip[12:4] == ip[16:4]' #DF (don't fragment) bit set (IP)
    tcpdump 'ip[6] & 32 != 32' #MF (more fragments) bit set (IP)

    tcpdump 'ip[12:4] == ip[16:4]' #source ip equal to destination ip,classic land attack
    tcpdump (tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4]) #land attack

    tcpdump src host 1.1.1.1 and dst port 80 or 443
    tcpdump greater 32 #traffic base on packet size
    tcpdump <= 102
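    Review bot: the comments on the three IP-header filters are shifted by one line relative to their commands. `ip[6] & 64 != 64` tests the DF bit and, written with `!= 64`, matches packets where DF is NOT set; `ip[12:4] == ip[16:4]` is the same-source-and-destination check (as the land-attack line below says correctly); and `ip[6] & 32 != 32` matches packets with MF clear rather than set. Suggest `ip[6] & 64 == 64` for "DF set", `ip[6] & 32 == 32` for "MF set", and moving each comment next to its command. The line `tcpdump (tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])` also has to be quoted as a whole, since the shell otherwise interprets the parentheses and `&&` before tcpdump sees them. "the 1 bytes 01100000" is unclear; DF and MF are the 64 and 32 bits of byte 6 of the IP header, which is exactly what the masks test.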
    @@ -333,12 +350,22 @@ tcpdump -i any -c 5 -vvv -t # -t Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #Don't print a timestamp on each dump line.
    tcpdump -i any -c 5 -vvv -t #-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

    tcpdump icmp #traffic of a specific protocol, tcp, udp, icmp etc
    tcpdump udp
    tcpdump tcp

    tcpdump less 32 #packets below or above a certain size (in bytes)
    tcpdump greater 128
    tcpdump > 32
    tcpdump <= 128

    tcpdump -e dst 192.168.0.2 #link-level header output
    tcpdump dst 192.168.0.2 and src net and not icmp #traffic going to 192.168.0.2 that is not ICMP
    tcpdump ip6 #only IPv6 Traffic
    tcpdump -ttttnnvvS #view with verbose output,no host/port resolution,absolute sequence number and human-readable timestamps
    tcpdump -nnvvS src 192.168.122.1 and dst port 4444
    tcpdump -nnvvXSs 1514 #the final “s” increases the snaplength, grabbing the whole packet
    tcpdump host 192.168.122.131 #using host, you can see traffic that’s going to or from 192.168.122.131
    tcpdump -vv src mars and not dst port 22 #traffic from a host that isn’t SSH traffic

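    Review bot: `tcpdump > 32` and `tcpdump <= 128` are shell redirections, not capture filters: the first captures everything and writes the output to a file named `32`, the second is a shell syntax error. Use the `greater`/`less` forms already on the adjacent lines, or a quoted length expression such as `tcpdump 'len > 32'`. `tcpdump dst 192.168.0.2 and src net and not icmp` is missing the network after `src net` and fails to parse; either drop `and src net` or give it a value such as `src net 192.168.0.0/24`. The repeated `tcpdump -i any -c 5 -vvv -t` lines differ only in their comment, and the one whose comment describes `-n` does not have `-n` on the command line.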
    @@ -351,6 +378,7 @@ tcpdump net 192.168.122.0/24 #Find packets by network
    #raffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution
    tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

    tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0' #icmp echo request and reply
    tcpdump -nnvXSs 0 -c1 icmp #packets with HEX output
    tcpdump port 3389 #Show traffic related to a specific port
    tcpdump -tlni eth1 -n icmp
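    Review bot: the comment on `tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'` states the opposite of what the filter does. ICMP type 8 is echo request and type 0 is echo reply, so excluding both shows every ICMP message except echo request and reply (destination unreachable, redirect, time exceeded and so on), which is the more useful view when watching a monitored segment for error traffic. Suggest rewording the comment to "all ICMP except echo request/reply", or using `'icmp[0] == 8 or icmp[0] == 0'` if request and reply are what is wanted. The mix of an unquoted `icmp and` followed by a quoted expression only works because tcpdump joins its arguments with spaces; quoting the whole filter is clearer.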
    @@ -365,16 +393,50 @@ tcpdump -i eth1 -c1 -n -s0 -vvvv icmp -w temp.pcap
    tcpdump -r capture_file #read PCAP files

    tcpdump 'src 192.168.122.84 and (dst port 4444 or 22)'

    Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output.
    URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]

    URG = (Not Displayed in Flag Field, Displayed elsewhere)
    ACK = (Not Displayed in Flag Field, Displayed elsewhere)
    PSH = [P] (Push Data)
    RST = [R] (Reset Connection)
    SYN = [S] (Start Connection)
    FIN = [F] (Finish Connection)
    SYN-ACK = [S.] (SynAcK Packet)

    #The filter tcp[13] look at offset 13 in TCP HEADER
    #the number represent the location within the byte, the !=0 means that the flag is set to 1
    header[byte #] == value #the expected value for byte 13 of the TCP header

    tcpdump 'tcp[13] == 1' #View only the FIN bit set
    tcpdump 'tcp[13] & 8!=0' #Show all PUSH (PSH) packets
    tcpdump 'tcp[13] & 32!=0' #Show all URGENT (URG) packets
    tcpdump 'tcp[13]=18' #packets that have both the SYN and ACK flags set

    tcpdump 'tcp[13] & 3 == 3' #View both SYN and FIN set
    tcpdump 'tcp[13] & 3 != 0' #View either SYN or FIN set
    tcpdump 'tcp[13] == 2 or tcp[13] == 1' #View only SYN or only FIN set

    tcpdump 'tcp[13] & 16!=0' #Show all ACKNOWLEDGE( ACK) packets
    tcpdump 'tcp[13] & 8!=0' #Show all PUSH (PSH) packets

    tcpdump 'tcp[13] = 6' #Both the SYN and RST Set
    tcpdump 'tcp[13] & 4!=0' #Show all RESET (RST packets
    tcpdump 'tcp[13] & 4 == 4' #View RST set, ignore the others

    tcpdump 'tcp[13] & 2!=0' #Show all SYNCHRONIZE (SYN) packets
    tcpdump -ni internal 'tcp[13] == 2'#only the SYN packets
    tcpdump 'tcp[13] == 2' #View only the SYN bit set
    tcpdump 'tcp[13] & 2 == 2' #View only SYN set, ignore the others
    #looks for the set SYN bit and ignores the rest of the flags in the header
    #perform a logic AND (&) to remove all but the value of the SYN bit and then test it
    #if the TCP flags are 00010010 and the mask for Syn is 00000010(2 in binary) then 00010010 + 00000010 = 00000010.
    tcpdump -ni internal 'tcp[13] & 2 == 2'

    tcpdump 'tcp[13]=18' #packets that have both the SYN and ACK flags set,TCP flag byte equal to 18 (SYN flag set + ACK flag set = 2 + 16 = 18)
    tcpdump -ni internal 'tcp[13] == 18'
    tcpdump 'tcp[13] & 18 == 18' #View SYN set and ACK set, ignore all others
    tcpdump 'tcp[13] & 1!=0' #Show all SYNCRONIZE/ACKNOWLEDGE (SYNACK) packets
    tcpdump -ni internal 'tcp[13] == 18' or 'tcp[13] == 2 #view the SYN packets and the SYN and ACK packets,

    #Alternatively tcpflags syntax, SYN,RST,FIN
    tcpdump 'tcp[tcpflags] == tcp-syn'
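    Review bot: the bitmask explanation above `tcpdump -ni internal 'tcp[13] & 2 == 2'` uses addition where it means a bitwise AND: `00010010 & 00000010 = 00000010`; with `+` the result would be 00010100, which is not what the filter computes. Two flag lines are mislabelled or malformed: `tcpdump 'tcp[13] & 1!=0'` is commented as SYN/ACK, but bit value 1 is FIN (the SYN/ACK test is the `& 18 == 18` line just above it), and `tcpdump -ni internal 'tcp[13] == 18' or 'tcp[13] == 2` closes one quoted expression and opens a second that is never closed; it should be `'tcp[13] == 18 or tcp[13] == 2'`. `tcpdump 'tcp[13]=18' #packets that have both the SYN and ACK flags set` also appears twice in this hunk, once under the PSH/URG lines and again in the SYN-ACK group.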
  18. @githubfoam githubfoam revised this gist Nov 1, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion pentest cheat sheet
    @@ -48,9 +48,10 @@ Specify Source Interface
    sudo traceroute -i eth0 yahoo.com
    Autonomous Systems
    traceroute -A yahoo.com
    traceroute -I google.com

    tracepath yahoo.com
    tracepath -n yahoo.com
    tracepath -n yahoo.com
    tracepath -b yahoo.com
    sets the initial packet length
    tracepath -l 28 yahoo.com
  19. @githubfoam githubfoam revised this gist Oct 28, 2021. 1 changed file with 13 additions and 2 deletions.
    15 changes: 13 additions & 2 deletions pentest cheat sheet
    @@ -195,17 +195,28 @@ dirb http://192.169.42.33 /usr/share/dirb/wordlists/common.txt
    #web server scanner
    nikto -host 192.169.42.33


    #set mtu size 8
    nmap --mtu 8 192.169.42.3 --packet_trace -n -p 80
    nmap -p80 192.169.42.3 -oG -|nikto -h -
    nmap -p0-65535 192.168.2.7
    ----------------------------------------------------------------------------------------------------
    #To get around this, nmap can also send a TCP ACK packet to (by default) port 80.
    #If the remote machine responds with a RST back, then that machine is up
    #Another possibility is to send the remote machine a SYN packet and wait for an RST or a SYN/ACK
    nmap -sP # “ping scanning,sites now block echo request packets,nmap sends out ICMP echo request packets to every IP address in a network

    #network discovery scan with OS detction
    nmap -O -PE 192.168.15.1/2
    nmap -sO 62.233.173.90 para #IP protocol scan of a router and a typical Linux 2.4 box
    nmap -PO 192.168.1.1 # do not ping before scanning
    nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
    nmap -sS -A -P0 moonshine.ecn.purdue.edu #The ’-P0’ option (the second letter is ’zero’),do not use ping whether a machine is up
    nmap -sS 192.168.1.1 # Stealthy scan
    nmap -sS localhost #carry out a port scan of your own machine,The “-sS” option carries out a SYN scan
    #If the target machine has the DenyHosts shield running to ward off the dictionary attacks
    #-A’ option turned on, IP address may become quarantined on the target machine,assuming that port 22 is included in the range of the ports scanned
    nmap -sS -A moonshine.ecn.purdue.edu #an “aggressive” SYN scan,

    nmap -p 1-1024 -sT moonshine.ecn.purdue.edu #only the first 1024 ports

    nmap -Pn 62.233.173.90 #Host seems down. If it is really up, but blocking our ping probes
    nmap -Pn --top-ports 20 62.233.173.90
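    Review bot: the option in `nmap -PO 192.168.1.1 # do not ping before scanning` is the letter O, which in Nmap selects IP-protocol ping, not "skip host discovery". The no-ping option was `-P0` (zero), as the comment on the `moonshine.ecn.purdue.edu` line below correctly spells out, and current Nmap names it `-Pn`, which this hunk already uses in `nmap -Pn 62.233.173.90`; the `-PO` comment should be corrected or the line changed to `-Pn`. `nmap -sP # ...` has no target, so it is not runnable as shown, and `-sP` is the old spelling of `-sn`. "detction" in the OS detection comment is a typo.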
  20. @githubfoam githubfoam revised this gist Oct 27, 2021. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions pentest cheat sheet
    @@ -505,6 +505,11 @@ $hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source www.hping3testsite.

    #SYN flood – DoS using HPING3
    hping3 -S --flood -V www.hping3testsite.com
    #-p option is used to set the remote port number for the flood
    #-S option is used to set the flood type for the TCP protocol which is the sync flood
    hping3 -S --flood -p 80 www.wisetut.com

    hping3 --traceroute -v -1 www.wisetut.com #the traceroute feature which is used to identify the intermediate hosts between source and destination

    Advanced SYN flood with random source IP, different data size, and window size
    hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE
  21. @githubfoam githubfoam revised this gist Oct 20, 2021. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions pentest cheat sheet
    @@ -268,6 +268,8 @@ sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
    #FreeBSD (pfSense)
    sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
    ----------------------------------------------------------------------------------------------------
    tcpdump -ni tap55ec3c7f-91 ip6 #locate the ICMPv6 packets

    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)

    tcpdump -D #Print the list of the network interfaces available on the system and on which tcpdump can capture packet
  22. @githubfoam githubfoam revised this gist Oct 20, 2021. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions pentest cheat sheet
    @@ -725,6 +725,11 @@ tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture
    #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap
    tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap
    tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is for protocol hierarchy

    #On a fabric interface, all packets coming from or going to a Virtual Machine (VM) will be encapsulated in MPLS over UDP or GRE header
    #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label
    #the encapsulated content (ICMPv6) can be recognized.
    tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls
    ============================================================================

    ============================================================================
  23. @githubfoam githubfoam revised this gist Oct 20, 2021. 1 changed file with 14 additions and 3 deletions.
    17 changes: 14 additions & 3 deletions pentest cheat sheet
    @@ -1,6 +1,4 @@
    ----------------------------------------------------------------------------------------------------
    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)
    ----------------------------------------------------------------------------------------------------
    mtr www.google.com
    mtr --report google.com
    mtr -4b google.com #combined IPv4 only and IP addresses
    @@ -269,6 +267,8 @@ ping -j 192.169.42.3 8.8.8.8
    sysctl -w net.ipv4.conf.<interface>.accept_source_route=1
    #FreeBSD (pfSense)
    sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
    ----------------------------------------------------------------------------------------------------
    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)

    tcpdump -D #Print the list of the network interfaces available on the system and on which tcpdump can capture packet
    tcpdump -X -vvv -n -i eth0
    @@ -443,7 +443,7 @@ tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' #SSH Connections,getting the banner r
    tcpdump -vvAs0 port 53 #DNS Traffic
    tcpdump -vvAs0 port ftp or ftp-data #FTP Traffic


    ----------------------------------------------------------------------------------------------------
    #Saving fw monitor logs to a .pcap file to analyse in wireshark
    #Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark
    fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO -o wireshark.pcap
    @@ -699,6 +699,9 @@ C:\Program...\Wireshark> capinfos.exe -A C:\path_to\Name_of_Large_Traffic_Capt
    #Split the large traffic capture file into desired number of smaller files
    C:\Program...\Wireshark> editcap.exe -F pcapng -c <Packets_per_File> C:\path_to\Name_of_Large_Traffic_Capture_File.pcap C:\path_to\Name_of_Smaller_Traffic_Capture_File.pcap
    C:\Program Files\Wireshark> editcap.exe -F pcapng -c 9545 c:\capture\fw_mon.pcap c:\capture\fw_mon_split.pcap

    editcap -d Duplicates.pcap NoDuplicates.pcap #remove duplicate packages
    mergecap 1.pcap 2.pcap #merge two pcap files
    ============================================================================
    capinfos mycapture.pcap #generate a long form report
    capinfos -T mycapture.pcap #generate a TAB delimited table form report
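    Review bot: `mergecap 1.pcap 2.pcap` has no output file; mergecap requires `-w <outfile>` (or `-w -` for stdout), so the line should read `mergecap -w merged.pcap 1.pcap 2.pcap`. For `editcap -d Duplicates.pcap NoDuplicates.pcap`, the comment should say packets rather than packages, and it is worth noting that `-d` only compares each packet with the previous four; duplicates further apart need `-D <window>`.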
    @@ -714,6 +717,14 @@ C:\Program Files (x86)\Wireshark>tshark.exe
    tshark -r nmap_sn.pcap #read pcap file
    tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4)
    tshark -nr nmap_sn.pcap
    tshark -D #list of available interfaces
    tshark -i 2 #start capturing traffic on interface n°2
    tshark -i 2 -a duration:10 #capture for 10 seconds, then stop
    tshark -i 2 -w output_file.pcap #save a caputre to a file
    tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture filter
    #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap
    tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap
    tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is for protocol hierarchy
    ============================================================================

    ============================================================================
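    Review bot: `tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f` ends with a second `-f` that has no argument, so tshark rejects the command line; drop the trailing `-f`. In the comment above `tshark -2 -R "http.request.method==GET" ...`, `http.request.methog` is a typo for `http.request.method`, and in the `-w output_file.pcap` line "caputre" should be "capture".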
  24. @githubfoam githubfoam revised this gist Oct 13, 2021. 1 changed file with 12 additions and 3 deletions.
    15 changes: 12 additions & 3 deletions pentest cheat sheet
    @@ -219,11 +219,20 @@ nmap -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan
    nmap -sV -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan -sV for version detection on specific ports and distinguish between filtered and filtered ports,

    nmap 1.1.1.1 8.8.8.8 #scan multiple IP addresses
    nmap -p 1.1.1.1,2,3,4 #scan consecutive IP addresses
    nmap -p 8.8.8.0/28 #scan entire CIDR IP ranges, from 8.8.8.1 to 8.8.8.14
    nmap 1.1.1.1,2,3,4 #scan consecutive IP addresses
    nmap 8.8.8.0/28 #scan entire CIDR IP ranges, from 8.8.8.1 to 8.8.8.14
    nmap 8.8.8.1-14 #from 8.8.8.1 to 8.8.8.14
    nmap 8.8.8.* #scan 256 IP addresses from 8.8.8.1 to 8.8.8.256
    nmap -p 8.8.8.* --exclude 8.8.8.1
    nmap 8.8.8.* --exclude 8.8.8.1
    nmap 192.168.1.0-255
    nmap 192.168.1.1-255 --exclude 192.168.1.15
    nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2
    nmap -Pn 192.168.1.0-255

    $ cat bigmac.txt
    192.168.1.1
    192.168.1.254
    $ nmap --exclude-file bigmac.txt 192.168.1.1-255

    nmap --top-ports 20 192.168.1.106 #scan the top X most common ports for that host

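    Review bot: the comment on `nmap 8.8.8.* #scan 256 IP addresses from 8.8.8.1 to 8.8.8.256` is wrong: the last octet runs from 0 to 255, so `8.8.8.*` covers 8.8.8.0 through 8.8.8.255 (256 addresses; there is no .256). Likewise `8.8.8.0/28` is 8.8.8.0 through 8.8.8.15 (16 addresses), not .1 to .14; Nmap does not skip the network and broadcast addresses of a CIDR range unless told to, so `8.8.8.1-14`, which this hunk also adds, is the form to use when only host addresses are wanted. Removing the stray `-p` from these target specifications is correct, since `-p` takes a port list, not a target.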
  25. @githubfoam githubfoam revised this gist Oct 8, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion pentest cheat sheet
    @@ -1,5 +1,5 @@
    ----------------------------------------------------------------------------------------------------
    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host
    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host,Troubleshooting Server Message Block (SMB)
    ----------------------------------------------------------------------------------------------------
    mtr www.google.com
    mtr --report google.com
  26. @githubfoam githubfoam revised this gist Oct 8, 2021. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions pentest cheat sheet
    @@ -1,4 +1,6 @@
    ----------------------------------------------------------------------------------------------------
    tcpdump -s0 -n -i any -w /tmp/$(hostname)-smbtrace.pcap #if the SMB client or SMB server is a Unix host
    ----------------------------------------------------------------------------------------------------
    mtr www.google.com
    mtr --report google.com
    mtr -4b google.com #combined IPv4 only and IP addresses
  27. @githubfoam githubfoam revised this gist Oct 6, 2021. 1 changed file with 0 additions and 2 deletions.
    2 changes: 0 additions & 2 deletions pentest cheat sheet
    @@ -41,8 +41,6 @@ route -V #version
    route -nee #more detailed information
    route -Cn #list kernel’s routing cache information

    netstat -r -n # The flag U indicates that route is up and G indicates that it is gateway
    netstat -alun | grep 161
    routel #list routes
    routel | grep default #default gateway

  28. @githubfoam githubfoam revised this gist Sep 24, 2021. 1 changed file with 7 additions and 1 deletion.
    8 changes: 7 additions & 1 deletion pentest cheat sheet
    @@ -699,6 +699,12 @@ capinfos -T -m -Q mycapture.pcap #generate a CSV style table form report
    capinfos -TmQ mycapture.pcap
    capinfos -TmQ *.pcap >mycaptures.csv
    ============================================================================
    #Wireshark installation directory:
    #Wireshark installation directory: windows
    C:\Program Files (x86)\Wireshark>tshark.exe

    tshark -r nmap_sn.pcap #read pcap file
    tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4)
    tshark -nr nmap_sn.pcap
    ============================================================================

    ============================================================================
  29. @githubfoam githubfoam revised this gist Sep 21, 2021. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions pentest cheat sheet
    Original file line number Diff line number Diff line change
    @@ -542,6 +542,7 @@ DNS lookups
    $ whois www.alibaba.com

    dig alibaba.com @8.8.8.8 #specify name server 8.8.8.8
    dig @8.8.8.8 +short NS domain.com
    dig www.alibaba.com ANY +noall +answer
    #Find Out TTL Value Using dig
    dig +nocmd +noall +answer a www.alibaba.com
  30. @githubfoam githubfoam revised this gist Sep 8, 2021. 1 changed file with 17 additions and 0 deletions.
    17 changes: 17 additions & 0 deletions pentest cheat sheet
    @@ -263,7 +263,24 @@ sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute

    tcpdump -D #Print the list of the network interfaces available on the system and on which tcpdump can capture packet
    tcpdump -X -vvv -n -i eth0

    #client-side traffic to a specific SSL virtual server listening on the VLAN external
    # filters on the virtual server's IP address and port
    tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443


    #examine server-side traffic from one client to any pool member,
    #the -i option to specify the VLAN on which the servers reside
    #filter on the client IP address, the server subnet, and the port on which the servers are listening.
    tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080

    ssldump -A -d -i eth0
    ssldump -i le0 port 443
    ssldump -i le0 port 443 and host 192.169.42.3
    ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch #decrypt traffic to to host exch server.pem and the password foobar
    #wget -p https://192.169.42.3/ -O /dev/null
    ssldump port 443 and host 192.169.42.3


    tcpdump host 100.111.222.50 and port 443 #Traffic to or from host 100.111.222.50, where the source or destination port is 443
    tcpdump host 100.111.222.50 or host 100.11.12.99 #traffic sent between the two
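    Review bot: `ssldump -Ad -k ~/server.pem -p foobar -i le0 host exch` puts the private-key passphrase on the command line, where it is visible to every local user through `ps` and is written to shell history; the comment on that line also doubles "to to". A caveat belongs next to the decryption line: ssldump can only decrypt with the server's private key when the session used RSA key exchange, so sessions negotiated with (EC)DHE cipher suites or TLS 1.3 stay opaque even with the correct key and passphrase.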