There are many ways to do reconnaissance without relying on the Metasploit Framework.
RECON:
- DNS
- SPF
- Nmap
- NetCat
- SNMP
- MySQL
- MS SQL
- Web Enumeration.
DNS
Nslookup
Resolve a hostname to its IP address.
Code: Select all
nslookup target.com
Reverse DNS lookup
Code: Select all
nslookup -type=PTR IP_address
MX (Mail Exchange) lookup
Code: Select all
nslookup -type=MX domain
Zone transfer (using the "nslookup" command)
Code: Select all
nslookup
server domain.com
ls -d domain.com
Using the "host" command (-t ns = name server records)
Code: Select all
host -t ns domain.com
Then try a zone transfer against each name server found ("host -l <domain> <nameserver>").
Code: Select all
host -l domain.com ns2.domain.com
Nmap DNS Enumeration
Code: Select all
nmap -F --dns-server <dns server ip> <target ip range>
AUTO TOOLS:
DNSenum
Code: Select all
dnsenum targetdomain.com
dnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com
DNSmap
Code: Select all
dnsmap targetdomain.com
dnsmap targetdomain.com -w <wordlist_file.txt>
Brute force (results are written to a file in /tmp).
Code: Select all
dnsmap targetdomain.com -r
DNSRecon DNS Brute Force
Code: Select all
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
Fierce.pl
Code: Select all
fierce -dns targetdomain.com
HostMap
Code: Select all
hostmap.rb -only-passive -t <IP>
The -with-zonetransfer and -bruteforce-level options can also be used.
SPF RECON:
Dig SPF txt
Code: Select all
dig txt target.com
DMARC
Code: Select all
dig TXT _dmarc.example.org
NMAP:
Store the target IP address and network range in variables.
Code: Select all
export ip=192.168.1.100
export netw=192.168.1.0/24
Detect live hosts (print only the IP addresses)
Code: Select all
nmap -sn -n $netw | grep for | cut -d" " -f5
Stealth Scan
Code: Select all
nmap -sS $ip
Show only the open ports and grab service banners.
Code: Select all
nmap -n -Pn -sS $ip --open -sV
Stealth scan using FIN packets.
Code: Select all
nmap -sF $ip
Aggressive scan (no ping, no DNS resolution, show only open ports, scan all TCP ports with -p-).
Code: Select all
nmap -n -Pn -sS -A $ip --open -p-
Nmap verbose scan: SYN stealth scan, T4 timing, OS and service version detection, traceroute and
default scripts against the services found.
Code: Select all
nmap -v -sS -A -T4 $ip
OS Fingerprint
Code: Select all
nmap -O $ip
Quick Scan
Code: Select all
nmap -T4 -F $netw
Quick Scan Plus
Code: Select all
nmap -sV -T4 -O -F --version-light $netw
Output to a file
Code: Select all
nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip
Output to a file Plus
Code: Select all
nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw
Search NMAP scripts
Code: Select all
ls /usr/share/nmap/scripts/ | grep ftp
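Every scan listed above leaves a recognisable trace on the target's firewall: a SYN scan is a burst of bare SYNs to many ports from one source, and a FIN scan (-sF) is bare FIN packets, which no normal client ever sends to a closed port. The detector below is an added example, not part of the original post; it parses iptables LOG lines (constructed samples, with the year assumed as 2024 since syslog omits it) and reports sources that hit many distinct ports within a short window.

```python
"""Detect SYN and FIN port scans (what `nmap -sS` and `nmap -sF` produce) in
iptables LOG lines. Added example, not from the original post. The log lines are
constructed in the format `iptables -j LOG` writes; the year is not present in
syslog timestamps, so 2024 is assumed when parsing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def _log_lines(src, dst, ports, flag, start_sec):
    """Build constructed LOG lines: one packet per port, one second apart."""
    return [f"Mar 10 12:00:{start_sec + i:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=40 PROTO=TCP SPT={40000 + i} DPT={p} WINDOW=1024 {flag} URGP=0"
            for i, p in enumerate(ports)]


# Constructed sample: a SYN sweep of 12 ports, a bare-FIN probe of 4 ports, and a
# normal client that only ever talks to port 443.
SAMPLE_LOG = (
    _log_lines("192.168.1.100", "192.168.1.23",
               [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445], "SYN", 1)
    + _log_lines("192.168.1.77", "192.168.1.23", [22, 80, 443, 8080], "FIN", 20)
    + _log_lines("10.0.0.5", "192.168.1.23", [443, 443, 443], "SYN", 30)
    + _log_lines("10.0.0.5", "192.168.1.23", [443], "ACK PSH", 40)
)


def parse_line(line):
    """Return timestamp, endpoints, port and flag set for a TCP LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
    flags = frozenset(tok for tok in m["rest"].split() if tok in TCP_FLAGS)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"]), "flags": flags}


def classify(flags):
    """Map a flag set to a probe type: bare SYN (-sS), bare FIN (-sF) or no flags (-sN)."""
    if flags == {"SYN"}:
        return "syn"
    if flags == {"FIN"}:
        return "fin"
    if not flags:
        return "null"
    return None  # SYN+ACK, ACK, PSH... belong to ordinary conversations


def detect_scans(lines, window_s=10, syn_threshold=10, odd_flag_threshold=3):
    """Return {(src, kind): max distinct ports hit within one window} for flagged sources."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev["flags"]) if ev else None
        if kind:
            events[(ev["src"], kind)].append(ev)
    window = timedelta(seconds=window_s)
    alerts = {}
    for (src, kind), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Bare SYNs are normal connection attempts and need volume to be suspicious;
        # bare FIN or null packets have no legitimate reason to hit several ports.
        threshold = syn_threshold if kind == "syn" else odd_flag_threshold
        for i, first in enumerate(evs):
            ports = {e["dpt"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alerts[(src, kind)] = max(alerts.get((src, kind), 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, kind), n in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"{src}: {kind} scan, {n} distinct ports within 10s")
```

The thresholds are deliberately asymmetric: a SYN to ten different ports in ten seconds is a sweep, but three bare FIN or flagless packets from one source are already worth an alert because nothing legitimate generates them.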
NETCAT:
Port Scanner (One port).
Code: Select all
nc -nvz 192.168.1.23 80
Port Range
Code: Select all
nc -vnz 192.168.1.23 0-1000
Receive a file (server side)
Code: Select all
nc -lvp 1234 > file_name_to_save
Send a file (client side)
Code: Select all
nc -vn 192.168.1.33 1234 < file_to_send
Executing remote script server
Code: Select all
nc -lvp 1234 -e ping.sh <IP>
Executing remote script client
Code: Select all
nc -vn 192.168.1.33 1234
Chat with encryption server
Code: Select all
ncat -nlvp 8000 --ssl
Chat with encryption client (--ssl is required on both ends)
Code: Select all
ncat -nv 192.168.1.33 8000 --ssl
Banner Grabbing Request
Code: Select all
nc target port
HTTP_Verb path http/version
Host: url
Banner Grabbing Response
Code: Select all
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br
If the site uses HTTPS, use OpenSSL instead of netcat.
Code: Select all
openssl s_client -quiet -connect www.bla.com.br:443
SNMP:
Fix SNMP output (install the MIBs so that OIDs resolve to names)
Code: Select all
apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf
onesixtyone (-c COMMUNITY_FILE -i TARGET_IP_FILE).
Code: Select all
onesixtyone -c community.txt -i Found_ips.txt
snmpwalk, walking MIBs (snmpwalk -c COMMUNITY -v VERSION target_ip)
Code: Select all
snmpwalk -c public -v1 192.168.20.70
Specific MIB node (snmpwalk -c COMMUNITY -v VERSION TARGET_IP MIB_NODE). Example: user accounts = 1.3.6.1.4.1.77.1.2.25
Code: Select all
snmpwalk -c public -v1 192.168.20.70 1.3.6.1.4.1.77.1.2.25
snmp-check
(snmp-check -t TARGET_IP
snmp-check -t TARGET_IP -c COMMUNITY).
Code: Select all
snmp-check -t 172.20.10.5
snmp-check -t 172.20.10.5 -c public
Automate the enumeration of SNMPv3 user names.
Code: Select all
apt-get install snmp snmp-mibs-downloader
wget https://tinyurl.com/2b4ksqhg
NMAP SNMPv3 Enumeration
Code: Select all
nmap -sV -p 161 --script=snmp-info 172.20.10.0/24
Default Credentials
Code: Select all
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
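Everything in this section works because of three things in the agent's configuration: a v1/v2c community string (often still "public"), no source restriction, and a listener on every interface. The checker below is an added example, not from the original post; it reads a net-snmp snmpd.conf and reports exactly those weaknesses, using a constructed weak config beside a constructed hardened one (SNMPv3 only, authPriv, read-only, restricted view, bound address). The list of "default" community strings it knows is an assumption, not something the post supplies.

```python
"""Audit a net-snmp snmpd.conf for the weaknesses the SNMP commands above look for.
Added example, not from the original post. Both configs are constructed samples;
the set of "default" community strings is an assumption."""
import shlex

WEAK_CONF = """\
# constructed sample: the kind of config onesixtyone/snmpwalk succeed against
agentAddress udp:161
rocommunity public
rwcommunity private 192.168.20.0/24
"""

HARDENED_CONF = """\
# constructed sample: SNMPv3 only, authPriv, read-only, restricted view, bound address
agentAddress udp:127.0.0.1:161,udp:192.0.2.10:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
createUser monitor SHA "correct-horse-battery-staple" AES "staple-battery-horse-correct"
rouser monitor priv -V systemonly
"""

DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin"}  # assumed common defaults
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES"}


def parse_directives(text):
    """Yield (directive, args) for each non-comment line, honouring shell-style quoting."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]


def audit_snmpd(text):
    """Return a list of findings; an empty list means nothing obvious to fix."""
    findings = []
    for directive, args in parse_directives(text):
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{directive}: default community string '{community}'")
            findings.append(f"{directive}: SNMPv1/v2c community '{community}' travels in cleartext")
            if directive.startswith("rw"):
                findings.append(f"{directive}: write access granted by a community string")
            if len(args) < 2 or args[1] == "default":
                findings.append(f"{directive}: no source restriction, any address may query")
        elif directive == "createuser":
            # assumed plain form: createUser NAME AUTHPROTO "pass" [PRIVPROTO "pass"]
            name = args[0] if args else "?"
            auth = args[1].upper() if len(args) > 1 else ""
            priv = args[3].upper() if len(args) > 3 else ""
            if auth in WEAK_AUTH:
                findings.append(f"createUser {name}: weak auth protocol {auth}")
            if not priv:
                findings.append(f"createUser {name}: no privacy protocol, traffic is not encrypted")
            elif priv in WEAK_PRIV:
                findings.append(f"createUser {name}: weak privacy protocol {priv}")
        elif directive in ("rouser", "rwuser"):
            name = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 else "auth"  # net-snmp's default level
            if level != "priv":
                findings.append(f"{directive} {name}: security level '{level}', should be priv")
            if "-V" not in args:
                findings.append(f"{directive} {name}: full MIB view, no -V restriction")
        elif directive == "agentaddress":
            for addr in (args[0] if args else "").split(","):
                if addr in ("udp:161", "161", "udp6:161") or ":0.0.0.0:" in addr:
                    findings.append(f"agentAddress {addr}: listens on all interfaces")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd(conf) or "no findings")
```

The hardened sample is what makes the commands in this section fail: no community string to guess, SNMPv3 with both authentication and encryption, a view limited to the system group, and an agent that is not reachable from arbitrary addresses.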
MYSQL
Try a remote root login with default credentials
MySQL exposed to the network
Code: Select all
mysql -h Target_ip -u root -p
MS SQL Information Gathering
Code: Select all
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql
WEB ENUMERATION
Dirsearch
Code: Select all
dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old
dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist
dirsearch -u https://tinyurl.com/m8pr7fz -e .
dirb
Code: Select all
dirb https://tinyurl.com/c8pn5 /path/to/wordlist
dirb https://tinyurl.com/c8pn5 /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html
Gobuster
Code: Select all
gobuster -u https://tinyurl.com/m8pr7fz -w /usr/share/wordlists/dirb/big.txt
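Each of the three tools above produces the same signature on the server side: one client requesting dozens of distinct paths in a short time and receiving 404 for almost all of them, with the occasional 200 marking a path that really exists. The script below is an added example, not part of the original post; it runs that check over constructed Combined Log Format lines (sample addresses and paths, not real traffic) and, for each flagged client, lists the probed paths that did exist, which is what to review first.

```python
"""Spot directory brute-forcing (dirsearch, dirb, gobuster style) in a web server
access log. Added example, not from the original post. The log lines are constructed
in Combined Log Format; the client addresses and paths are samples, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def _clf(ip, sec, path, status):
    """Build one constructed access-log line at 12:00:<sec>."""
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Wordlist-style paths and the extensions the dirsearch command above tries.
PROBE_PATHS = [f"/{w}" for w in (
    "cgi-bin", "images", "test", "old", "backup", "tmp", "dev", "uploads", "private",
    "db", "logs", "data", "api", "include", "lib", "cache", "bin", "conf", "src", "docs")]
PROBE_PATHS += [f"/index.{ext}" for ext in ("sh", "txt", "htm", "cgi", "pl", "bak", "old", "php~")]

# Constructed sample: one client hits 30 different paths in 30 seconds and gets 404 for
# all but two; a normal visitor loads a page and its assets with one broken image link.
SAMPLE_LOG = (
    [_clf("203.0.113.9", i, p, 404) for i, p in enumerate(PROBE_PATHS)]
    + [_clf("203.0.113.9", 28, "/admin/", 200), _clf("203.0.113.9", 29, "/config.php.bak", 200)]
    + [_clf("198.51.100.4", 31, "/", 200), _clf("198.51.100.4", 32, "/index.html", 200),
       _clf("198.51.100.4", 32, "/style.css", 200), _clf("198.51.100.4", 33, "/missing.png", 404)]
)


def parse_clf(line):
    """Return ip, timestamp, path and status for one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"], "status": int(m["status"])}


def detect_bruteforce(lines, window_s=60, min_paths=20, min_404_ratio=0.8):
    """Return {ip: summary} for clients that request many distinct paths and mostly get 404.
    The summary's 'found' list holds the probed paths that answered 200."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_clf(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    window = timedelta(seconds=window_s)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            chunk = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            paths = {e["path"] for e in chunk}
            if len(paths) < min_paths:
                continue
            ratio = sum(e["status"] == 404 for e in chunk) / len(chunk)
            if ratio >= min_404_ratio and len(paths) > alerts.get(ip, {}).get("distinct_paths", 0):
                alerts[ip] = {"distinct_paths": len(paths), "not_found_ratio": round(ratio, 2),
                              "found": sorted({e["path"] for e in chunk if e["status"] == 200})}
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

A normal visitor with one broken link never reaches twenty distinct paths inside the window, so the ratio test only ever runs against clients that are clearly enumerating.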